In February 2022, DeFi platform Titano Finance suffered a hack.  The attackers – alleged to be contractors hired by the crypto project – stole 4828.7 BNB worth over $1.9 million.

Inside the Attack

The Titano Finance project is composed of multiple smart contracts, some of which were developed in-house and some that used existing third-party code.  The Titano PLAY contract was an example of code that was based on other smart contracts.

To prepare and deploy the PLAY contract, the Titano Finance team relied on a contractor who had experience working with this third-party code on other projects.  The contractor was responsible for deploying the smart contract to BSC and then transferring ownership to the Titano Finance team.

However, as security researcher Chiachih Wu pointed out, the smart contract code included a statement that allowed either the smart contract owner or the deployer of the contract to set the PrizeStrategy for the pool.  The Titano hack was allegedly performed by the contractor using the original deployment address.  The contractor was able to exploit these privileges to steal 4828.7 BNB from the contract.

Lessons Learned From the Attack

This hack was made possible by a project trusting contractors to deploy a smart contract without adequate oversight.  The smart contract code granted the contract deployer the ability to set the pool’s strategy, a privilege that transferring official ownership to the project did not revoke, which enabled the contractor to drain value from the protocol afterwards.
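To make the privilege pattern concrete, here is an added illustrative reconstruction in Solidity (not the Titano PLAY contract or its upstream code; contract and function names are assumptions): the first contract lets either the owner or the original deployer set the prize strategy, so transferring ownership never revokes the deployer's power; the second restricts the setter to the current owner and emits events so any strategy change is visible on-chain.

```solidity
pragma solidity ^0.8.0;
// Illustrative reconstruction of the privilege pattern described above. Not
// the Titano PLAY contract or its upstream code; all names are assumptions.

/// Vulnerable pattern: the deployer keeps a permanent privilege that
/// transferOwnership() never revokes.
contract PrizePoolDeployerTrap {
    address public owner;
    address public immutable deployer; // fixed at deployment, never cleared
    address public prizeStrategy;
    constructor() {
        owner = msg.sender;
        deployer = msg.sender;
    }
    function transferOwnership(address newOwner) external {
        require(msg.sender == owner, "not owner");
        owner = newOwner; // deployer still passes the check below
    }
    function setPrizeStrategy(address strategy) external {
        // "owner OR deployer": the original deployment address can still
        // redirect pool funds after official ownership has been handed over.
        require(msg.sender == owner || msg.sender == deployer, "unauthorized");
        prizeStrategy = strategy;
    }
}

/// Hardened pattern: one authority, checked against the current owner only,
/// so handing over ownership leaves the deployer with no residual power.
contract PrizePoolOwnerOnly {
    address public owner;
    address public prizeStrategy;
    event OwnershipTransferred(address indexed from, address indexed to);
    event PrizeStrategySet(address indexed by, address indexed strategy);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
    constructor() { owner = msg.sender; }
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
    function setPrizeStrategy(address strategy) external onlyOwner {
        prizeStrategy = strategy;
        emit PrizeStrategySet(msg.sender, strategy); // on-chain audit trail
    }
}
```

When reviewing a contract before accepting an ownership handover, check every privileged function's access check for a second, non-revocable principal (deployer, factory, admin) and confirm that the handover actually clears it.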

Rob Behnke
02.20.2022