In November 2021, the Zenon Network’s BNB pool was exploited by an attacker.  The attacker took advantage of poor access control within the protocol to drain the $1 million BNB pool.

Inside the Attack

The Zenon Network hack was made possible by an unprotected burn function within the smart contract.  This function destroys tokens in the pool, which can cause the value of the remaining tokens to increase.  Access to burn functions should be restricted, but the Zenon Network’s was accidentally labeled as external, making it publicly callable.

The Zenon Network attacker took advantage of this in a flash loan attack.  They invested tokens in the protocol’s pool for wrapped ZNN (wZNN) tokens and then called the burn function to destroy over 26k wZNN tokens.

This decreased the supply of wZNN tokens, increasing their value dramatically.  As a result, when they redeemed their wZNN tokens, the pool believed that they were owed a massive number of WBNB tokens, enabling them to drain the pool.

Lessons Learned From the Attack

Access control vulnerabilities are some of the simplest vulnerabilities that can exist in smart contracts and are detectable by inspecting a single line of code (where the function is defined).  However, these simple vulnerabilities can have dramatic impacts if exploited as demonstrated in this hack.

Access control vulnerabilities are some of the first things that smart contract auditors look for in an assessment.  Undergoing a smart contract audit before launch is essential to protecting a protocol and its users against these types of attacks.

Rob Behnke
11.29.2021