Poolz was attacked by hackers, resulting in a loss of $665,000 in multi-chain assets.
Poolz project attacked, losing approximately $665,000
Recently, an attack on the multi-chain project Poolz has attracted industry attention. According to blockchain monitoring data, the attack occurred on March 15, 2023, involving Ethereum, Binance, and Polygon.
The attacker successfully stole various tokens, including MEE, ESNC, DON, ASW, KMON, POOLZ, etc., with a total value of approximately $665,000. Currently, some of the stolen assets have been exchanged for BNB, but have not yet been transferred out of the attacker's wallet.
The attack primarily exploited an arithmetic overflow vulnerability in the Poolz project's smart contract. The attacker triggered the integer overflow in the getArraySum function by calling the CreateMassPools function. Specifically, the attacker constructed a special array whose cumulative sum exceeded the maximum value of uint256, so the result wrapped around and the function returned a value of 1.
However, the contract used the original input value when recording the pool attributes instead of the actual number of tokens transferred in. This allowed the attacker to record a huge value in the system by transferring just 1 token. Subsequently, the attacker withdrew tokens far exceeding the actual amount deposited through the withdraw function, thus completing the attack.
This event highlights the importance of smart contract security once again. To prevent similar issues, developers should consider using newer versions of the Solidity compiler, which have built-in overflow checks. For projects using older versions of Solidity, the SafeMath library provided by OpenZeppelin can be used to avoid integer overflow risks.
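The overflow and its fix can be reproduced offline with a small Python model of uint256 arithmetic. This is an added example, not the Poolz contract source: create_pools is a hypothetical stand-in for the pool-creation logic described above, and the input array is constructed for illustration.

```python
# Python model of 256-bit unsigned arithmetic; not the Poolz contract source.
UINT256_MAX = 2**256 - 1


class Overflow(Exception):
    """Stands in for the revert raised by checked arithmetic."""


def wrapping_sum(values):
    """Sum the way unchecked Solidity does: silently reduced modulo 2**256."""
    total = 0
    for v in values:
        total = (total + v) & UINT256_MAX
    return total


def checked_sum(values):
    """Sum the way Solidity >= 0.8 or SafeMath does: abort on overflow."""
    total = 0
    for v in values:
        if v > UINT256_MAX - total:
            raise Overflow("sum exceeds uint256")
        total += v
    return total


def create_pools(amounts, sum_fn):
    """Hypothetical pool creation: pull sum_fn(amounts) tokens, record each amount.

    Returns (tokens_transferred_in, total_recorded_in_pools). The two numbers
    must be equal; any gap is value that can be withdrawn but was never paid in.
    """
    transferred = sum_fn(amounts)  # what the depositor actually pays
    recorded = sum(amounts)        # what the pool ledger treats as withdrawable
    return transferred, recorded


# Constructed input: two amounts whose true sum is 2**256 + 1.
CRAFTED = [UINT256_MAX, 2]

if __name__ == "__main__":
    paid, owed = create_pools(CRAFTED, wrapping_sum)
    print("unchecked: paid", paid, "recorded bits", owed.bit_length())
    try:
        create_pools(CRAFTED, checked_sum)
    except Overflow as exc:
        print("checked: rejected,", exc)
```

With the wrapping sum the ledger records far more than was transferred in; with the checked sum the same call is rejected before anything is recorded.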
This attack reminds us that even seemingly simple mathematical operations can pose serious security risks in a blockchain environment. Project teams need to design and audit smart contracts more carefully to ensure the safety of user assets.