In March 2022, DeFi project Fantasm Finance was the victim of a hack.  The attacker exploited a vulnerability in the project’s smart contracts to steal over $2.6 million in tokens.

Inside the Attack

The Fantasm Finance hack took advantage of a flaw in the error-checking code of the protocol’s mint function.  The purpose of the error-checking code was to ensure that a user deposited FTM tokens into the contract when minting XFTM tokens.

However, the code actually compared the value of msg.value, which measures the amount of ETH sent along with a transaction, to the minimum amount of FTM tokens that would be accepted for minting.  The attacker was able to exploit this by performing a transaction that sent only FSM tokens (which are used as collateral in minting) and no FTM tokens.  The incorrect error checking code permitted the transaction, allowing the attacker to mint XFTM tokens without depositing any FTM.

As a result, the attacker was able to mint XFTM tokens when depositing only a fraction of their true value.  The minted XFTM tokens were then sold back to the project, enabling the attacker to extract value from the protocol and buy more FSM tokens for follow-on attacks.

Lessons Learned From the Attack

The Fantasm Finance hack was made possible by incorrect error checking code within the project’s smart contract.  The code appropriately verified that the user had input FSM tokens, but the FTM token verification was incorrect.  As a result, the attacker was able to mint XFM tokens for a fraction of their true value and sell them back to drain value from the project.

Rob Behnke