Sunflower copies hacked: liquidity pool smart contract

I can't stand to see these games being hacked anymore. Sunflower was open source, and because of that many people are using its source code and creating variations of the game, but it has a major flaw: all of them, or at least almost all, are being hacked, having their liquidity pools drained somehow.

Someone with more experience in blockchain contracts would be able to tell where this flaw is that allows this hacker to run this exploit.

I will leave below the two wallets that the hacker uses and some of the actions he performed to steal the liquidity pool.


HFF - 0x36c0845773a6066a25f228e62248915ef481c38c


CFG - 0xa1F8541DF23Cf0F3551BDc665E9Abd31f125Bc37

Above are 2 heists on 2 different tokens.

Hacker Address 1: 0x5750477413ba057e068d95f7043a313dc8a26c10
Hacker Address 2: 0x6c9244d2f9febf230f7be9de2d185b330e431261

TxId Hacker 1.1:
TxId Hacker 1.2:
TxId Hacker 2.1:

TxId Hacker 2.2:

TxId Hacker 3.1:

TxId Hacker 3.2:


I will list below all the versions that I know of and whether they were stolen from or not.

TOKEN: 0xdf9b4b57865b403e08c85568442f95c26b7896b0

TOKEN: 0xa2e05fee995d84e388111065f9da0e1fd0358a0b

TOKEN: 0xed2f85f446281a31bcae074938e867422f5074c8

TOKEN: 0x1816a91ee2e30aa39dee4fd24590faf0087b5a6c

TOKEN: 0xa1F8541DF23Cf0F3551BDc665E9Abd31f125Bc37

TOKEN: 0x36c0845773a6066a25f228e62248915ef481c38c

TOKEN: 0x1103f33c4aa272dd3fdd73724f492ee35f097644

TOKEN: 0x330db1dd6d150727eeb53feaf5d485bce2aa326f

The only copy that was not hacked was Fruit Farm.

What do you have to do to correct this huge flaw?

Copies have been appearing all over the world, and we need someone who can fix it, because we know they won't stop being released, and that only serves to tarnish the image of "crypto", "blockchain" and "NFT". With that, fewer people come to this market, and we can't let this hacker get away with taking liquidity out of these contracts.

Anyone who knows how to fix this problem, let's try to publicize the fix so that people can stop losing money, because many enter these projects, and most of them lose, and yet they think it was a rug pull, further staining our NFT market.

Terrible as this is, it seems to me the initial flaw was blindly trusting someone else's contracts.
Open source is open so that we all may build upon it.

Does it sound harsh if I suggest this is what people get for being lazy and copying without concern?

If I was that quick to notice an exploit and that bad as to exploit it, I'm sure I would have an escape.

You need to pick battles you can win.
Save the game, or fight with dust in the ethernet ?

The bad contracts ultimately need to be replaced or the game is already finished.
This is very sad I feel for them.

Hello, there is also the ignorance of reading a contract, I think. On this screenshot you can see the passMinterRole function, where you have to pass it the address of your Farm.sol contract, otherwise burn and mint are open.
Then what I can notice is that in the Farm.sol contract there is an uploadV1Farm function which is also open, because by default the isMigrating parameter is set to true. It is absolutely necessary to invoke the finishMigration function to set it to false.

These two things alone mean the hacker has open doors he can use himself, so in itself this must surely be corrected, but there are still the NFT functions in Farm.sol to be deleted or corrected, because attacks can be made there by overflow, so a lot of mods are needed to be 100% safe.

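As an added illustration of the two "open doors" the comment above describes (an unassigned minter role and a migration flag that defaults to true), here is a deliberately weak pattern beside a hardened one. This is hypothetical example code written for this page, not Sunflower Farmers' contracts or those of any copy; the contract names, the exact checks, the assumption that uploadV1Farm has no caller check while migrating, and the use of OpenZeppelin Contracts v5 (AccessControl, Ownable with an initialOwner argument) are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (example code, not the project's own).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// ---------- Weak pattern: a post-deploy step that copies forget ----------

contract WeakToken is ERC20 {
    address public minter; // one privileged address; starts as the deployer

    constructor() ERC20("Example Farm Token", "EXF") {
        minter = msg.sender;
    }

    // Must be called with the Farm contract address after deployment.
    // Until then the deployer key can mint without limit and dump into the pool.
    function passMinterRole(address farm) external {
        require(msg.sender == minter, "not minter");
        minter = farm;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        _mint(to, amount);
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        _burn(from, amount);
    }
}

contract WeakFarm {
    struct Farm { address owner; uint256 balance; }
    mapping(address => Farm) public farms;
    bool public isMigrating = true; // stays true unless finishMigration() is ever called
    address public admin;

    constructor() { admin = msg.sender; }

    // Assumption for this example: no caller check while migrating, so anyone can
    // write an arbitrary balance for any address that the game then trusts.
    function uploadV1Farm(address owner_, uint256 balance) external {
        require(isMigrating, "migration finished");
        farms[owner_] = Farm(owner_, balance);
    }

    function finishMigration() external {
        require(msg.sender == admin, "not admin");
        isMigrating = false;
    }
}

// ---------- Hardened pattern: nothing to forget after deployment ----------

contract HardenedToken is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    // The Farm address is bound at deployment; the deployer never holds MINTER_ROLE,
    // and no DEFAULT_ADMIN_ROLE is granted, so the minter set cannot change later.
    constructor(address farm) ERC20("Example Farm Token", "EXF") {
        require(farm != address(0), "farm required");
        _grantRole(MINTER_ROLE, farm);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }

    function burn(address from, uint256 amount) external onlyRole(MINTER_ROLE) {
        _burn(from, amount);
    }
}

contract HardenedFarm is Ownable {
    struct Farm { address owner; uint256 balance; }
    mapping(address => Farm) public farms;
    bool public isMigrating = true;
    uint256 public immutable migrationDeadline; // migration closes by itself

    constructor(uint256 migrationWindow) Ownable(msg.sender) {
        migrationDeadline = block.timestamp + migrationWindow;
    }

    // Owner only, only inside the window, and never overwriting a farm already imported.
    function uploadV1Farm(address owner_, uint256 balance) external onlyOwner {
        require(isMigrating && block.timestamp < migrationDeadline, "migration closed");
        require(farms[owner_].owner == address(0), "already migrated");
        farms[owner_] = Farm(owner_, balance);
    }

    function finishMigration() external onlyOwner {
        isMigrating = false;
    }
}
```

The design point is that every privilege in the hardened versions is fixed in the constructor or bounded by a deadline, so a copy deployed by someone who never reads the code cannot end up in the permanently open state. Compiling with `pragma solidity ^0.8.x` also gives checked arithmetic, which reverts on the overflow class the comment mentions instead of wrapping silently.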