Carbon Chain Value APP news: according to SlowMist security team intelligence, on November 23, 2022, the Numbers Protocol (NUM) token project on the ETH chain was attacked, and the attacker made a profit of about 13,836 US dollars. The SlowMist security team shared the following in the form of a text message:

1. The attacker created a malicious anyToken token, namely the attack contract (0xa68cce), and the underlying token of this malicious token contract points to the NUM token address.
2. The attacker then called the anySwapOutUnderlyingWithPermit function of the Router contract of the Multichain cross-chain bridge. This function takes an anyToken, calls the permit function of its underlying token for signature approval, and then swaps the underlying tokens of the authorized user out to the specified address. However, since the NUM token has no permit function and does have a callback function, the call returns normally even if the attacker passes in a fake signature, so the transaction does not fail, and the NUM tokens at the victim's address can eventually be transferred into the specified attack contract.
3. The attacker then exchanged the NUM tokens obtained into USDC through Uniswap and then into ETH for profit.

The main reason for this attack is that the NUM token does not have a permit function and has a callback function, so a fake signature can be passed in to deceive the cross-chain bridge and cause the user's assets to be transferred out unexpectedly.
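
A simplified Python model of the root cause described above, added here as an illustration and not code from SlowMist, Multichain or Numbers Protocol: it shows why a permit call on a token without permit passes silently, and how checking that permit actually advanced the owner's nonce rejects it. The class and function names, the HMAC stand-in for the signature and the `verify_effect` check are assumptions of this sketch; the anyToken wrapper is omitted, and the affected user is assumed to have granted the router an allowance earlier.

```python
import hashlib, hmac

class Token:
    """Minimal ERC-20 state: balances and allowances[(owner, spender)]."""
    def __init__(self, balances, allowances=None):
        self.balances, self.allowances = dict(balances), dict(allowances or {})

    def transfer_from(self, spender, owner, to, amount):
        if self.allowances.get((owner, spender), 0) < amount:
            raise PermissionError("insufficient allowance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class NoPermitToken(Token):
    """No permit(); undefined calls land in a fallback that succeeds and does nothing."""
    def __getattr__(self, name):
        return lambda *args: None

class PermitToken(Token):
    """Has a real permit(); an HMAC stands in for the ECDSA signature (toy model)."""
    def __init__(self, balances, keys):
        super().__init__(balances)
        self.keys, self._nonce = keys, {}

    def nonces(self, owner):
        return self._nonce.get(owner, 0)

    def sign(self, owner, spender, amount):
        msg = f"{owner}|{spender}|{amount}|{self.nonces(owner)}".encode()
        return hmac.new(self.keys[owner], msg, hashlib.sha256).digest()

    def permit(self, owner, spender, amount, sig):
        if not hmac.compare_digest(sig, self.sign(owner, spender, amount)):
            raise PermissionError("bad signature")
        self.allowances[(owner, spender)] = amount
        self._nonce[owner] = self.nonces(owner) + 1

def swap_out_with_permit(token, owner, to, amount, sig, verify_effect):
    """Router step: call permit, then pull `amount` from `owner` to `to`."""
    # With the fallback token, nonces() "succeeds" but returns nothing (None).
    before = token.nonces(owner) if verify_effect else None
    token.permit(owner, "router", amount, sig)   # silent no-op on NoPermitToken
    if verify_effect and not (isinstance(before, int)
                              and token.nonces(owner) == before + 1):
        raise ValueError("permit() had no observable effect")
    token.transfer_from("router", owner, to, amount)  # spends the older allowance
```
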