According to CertiK, the TIME token was recently exploited, resulting in a loss of approximately $188,000.
The attack started when the attacker converted 5 ETH into Wrapped Ether (WETH) and then exchanged it for more than 3.4 billion TIME tokens.
CertiK analysts reported that the root cause of the exploit was manipulation of the Forwarder contract, which is designed to carry out transactions on behalf of any address. The attacker created a request with a spoofed sender address, which they controlled, and a matching signature. This misleading request passed the Forwarder contract's verification process.
TIME Token was exploited for ~$188k due to a recently disclosed vulnerability around ERC2771 and Multicall
See our in-depth analysis on the TIME exploit below https://t.co/NF8UPcRPfQ https://t.co/MGDnmFd56d
— CertiK Alert (@CertiKAlert) December 8, 2023
The attacker exploited a parsing error in which the TIME contract was tricked into recognizing an attacker-controlled address as legitimate. As a result, the TIME contract incorrectly burned a huge amount of tokens from the target pool controlled by the attacker, instead of the targeted address.
The attacker burned more than 62 billion TIME tokens, leading to a drastic reduction in the token pool. The tokens were then exchanged for a significant amount of WETH, eventually being converted back into ETH, including a portion used for bribes.
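The sender mix-up behind the ERC2771 and Multicall issue can be reproduced in a small byte-level model, shown here next to the corrected dispatch. This is an added example, not CertiK's or the TIME project's code. It assumes the standard ERC-2771 rule (the trusted forwarder appends the verified signer to the calldata and the contract reads the last 20 bytes back) and a Multicall that runs sub-calls by delegatecall; all addresses, the `burn` payload and the length-prefixed `pack` format are constructed stand-ins.

```python
# Added example: byte-level model, not contract code. All addresses are constructed.
FORWARDER = bytes.fromhex("f0" * 20)  # trusted forwarder (constructed)
SIGNER = bytes.fromhex("a1" * 20)     # account that signed the forwarded request
POOL = bytes.fromhex("b2" * 20)       # third-party address that signed nothing


def msg_sender(caller: bytes, calldata: bytes) -> bytes:
    """ERC-2771 recovery: trust the last 20 calldata bytes if the forwarder called."""
    if caller == FORWARDER and len(calldata) >= 20:
        return calldata[-20:]
    return caller


def pack(subcalls: list[bytes]) -> bytes:
    """Stand-in for ABI-encoding bytes[]: 2-byte length prefix per sub-call."""
    return b"".join(len(s).to_bytes(2, "big") + s for s in subcalls)


def unpack(blob: bytes) -> list[bytes]:
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out


def forward(signer: bytes, payload: bytes) -> tuple[bytes, bytes]:
    """Forwarder after signature verification (not modelled): append the signer."""
    return FORWARDER, payload + signer


def multicall(caller: bytes, calldata: bytes, hardened: bool) -> list[bytes]:
    """Return the sender each sub-call observes. Sub-calls run via delegatecall,
    so `caller` is unchanged and msg_sender() re-parses each sub-call's own bytes."""
    via_forwarder = caller == FORWARDER
    real_sender = msg_sender(caller, calldata)
    body = calldata[:-20] if via_forwarder else calldata
    # Hardened: re-append the verified sender so it is always the trailing 20 bytes.
    suffix = real_sender if (hardened and via_forwarder) else b""
    return [msg_sender(caller, sub + suffix) for sub in unpack(body)]


def demo() -> dict[str, list[bytes]]:
    burn = b"burn" + (1000).to_bytes(32, "big")   # constructed call, no real selector
    caller, data = forward(SIGNER, pack([burn + POOL, burn]))
    return {"vulnerable": multicall(caller, data, False),
            "hardened": multicall(caller, data, True)}
```

In the vulnerable path the first sub-call is attributed to `POOL`, which signed nothing, and the second to whatever argument bytes happen to end the call; the hardened path attributes both to `SIGNER`.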
This incident highlights the underlying vulnerabilities in smart contracts, where even a minor error can lead to significant financial losses.