| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 4 | 1 | - | - | 5 |
| Fixed | 15 | 2 | 2 | 1 | 20 |
| Total | 19 | 3 | 2 | 1 | 25 |
### Quick Summary

On October 24, 2024, Ramses Exchange on the Arbitrum network lost around $93,000 due to a flaw in its reward distribution system. The attacker repeatedly claimed rewards by leveraging multiple token IDs without reducing the overall reward pool supply. The exploit targeted Ramses' reward accumulation process rather than liquidity provider assets or user holdings; Ramses Exchange confirmed that liquidity provider funds and user NFTs remain secure despite the incident.

### Details of the Exploit

The exploit stemmed from a vulnerability in the Ramses `FeeDistributor` contract, which failed to reduce the total reward supply after each reward claim. By repeatedly calling `_getReward()` with multiple NFT token IDs, the attacker manipulated the reward calculations to receive excess rewards. The attacker's strategy included resetting or splitting NFTs into new token IDs, which bypassed the `veWithdrawnTokenAmountByPeriod` tracking mechanism that prevents a token ID from claiming twice within the same period: a freshly minted token ID carries no claim history, so each split produced another eligible claimant against the same unreduced pool. In addition, the attacker called `getPeriodReward()` with arbitrary period values to retroactively access unclaimed rewards, exploiting the contract's lack of timestamp validation on the period argument.

### Block Data Reference

- Exploit tx: https://arbiscan.io/tx/0xb91c4e0debaf0feb1f20c979eebc1282c8024ae299ef5903591badcf1f4938bb
- Attacker: https://arbiscan.io/address/0x1d8b0ee375750839567f266fa75f6fbc9d6b977c
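To make the accounting flaw concrete, the following is a simplified Python model added for this write-up; it is not Ramses' `FeeDistributor` code and does not reproduce the project's actual fix. It assumes a ve-NFT ledger in which a split burns the parent and mints fresh token IDs, a per-period reward divided pro rata by locked amount, and claim tracking keyed by (token ID, period) in the spirit of `veWithdrawnTokenAmountByPeriod`. `VulnerableDistributor` reproduces the two weaknesses described above (no supply reduction on claim, no validation of the period argument); `FixedDistributor` shows one possible hardening: debit a remaining-supply ledger on every claim, carry claim history across splits, and reject periods that have not ended. All class names, epoch length and amounts are constructed for the example.

```python
"""Toy model of a per-period fee distributor (added example, not Ramses' code)."""
from dataclasses import dataclass, field

PERIOD = 7 * 24 * 3600  # assumed epoch length in seconds; period keys are epoch start timestamps


@dataclass
class VeRegistry:
    """Minimal ve-NFT ledger: token_id -> locked amount. split() burns the parent and
    mints fresh IDs, which is what hands the attacker new (token_id, period) keys."""
    balances: dict = field(default_factory=dict)
    next_id: int = 1

    def mint(self, amount: int) -> int:
        token_id, self.next_id = self.next_id, self.next_id + 1
        self.balances[token_id] = amount
        return token_id

    def split(self, token_id: int, parts: list) -> list:
        if sum(parts) != self.balances[token_id]:
            raise ValueError("split must conserve the locked amount")
        del self.balances[token_id]
        return [self.mint(p) for p in parts]


class VulnerableDistributor:
    """Claims are keyed only by (token_id, period) and paying out never reduces
    the period's reward supply; the period argument is not validated."""

    def __init__(self, ve: VeRegistry, rewards: dict, total_ve: int):
        self.ve = ve
        self.rewards = dict(rewards)  # period start -> reward deposited for that period
        self.total_ve = total_ve      # snapshot of locked supply used in the share formula
        self.claimed = {}             # (token_id, period) -> amount paid, like veWithdrawnTokenAmountByPeriod
        self.paid_out = 0

    def on_split(self, parent: int, children: list) -> None:
        pass  # fresh IDs start with no claim history

    def get_period_reward(self, token_id: int, period: int, now: int) -> int:
        if (token_id, period) in self.claimed:
            return 0
        share = self.ve.balances.get(token_id, 0) * self.rewards.get(period, 0) // self.total_ve
        self.claimed[(token_id, period)] = share
        self.paid_out += share        # self.rewards[period] is never decremented
        return share


class FixedDistributor(VulnerableDistributor):
    """One hardening: finalized-period check, a remaining-supply ledger debited on
    every claim, and claim history that follows the lock through splits."""

    def __init__(self, ve: VeRegistry, rewards: dict, total_ve: int):
        super().__init__(ve, rewards, total_ve)
        self.remaining = dict(rewards)

    def on_split(self, parent: int, children: list) -> None:
        for (tid, period), amt in list(self.claimed.items()):
            if tid == parent:  # children inherit every period the parent already claimed
                for child in children:
                    self.claimed[(child, period)] = amt

    def get_period_reward(self, token_id: int, period: int, now: int) -> int:
        if period not in self.rewards or now < period + PERIOD:
            raise ValueError("period has no deposit or has not ended yet")
        if (token_id, period) in self.claimed:
            return 0
        share = self.ve.balances.get(token_id, 0) * self.rewards[period] // self.total_ve
        share = min(share, self.remaining[period])  # never pay out more than is left
        self.remaining[period] -= share
        self.claimed[(token_id, period)] = share
        self.paid_out += share
        return share


def run_scenario(distributor_cls, rounds: int = 3):
    """Constructed scenario: 10_000 reward for period 0, an honest 900 lock and a 100
    attacker lock. The attacker claims, splits into fresh IDs, and claims again.
    Returns (attacker_total, contract_paid_out, pool_size)."""
    ve = VeRegistry()
    honest = ve.mint(900)
    attacker_tokens = [ve.mint(100)]
    period, pool = 0, 10_000
    dist = distributor_cls(ve, {period: pool}, total_ve=1000)
    now = period + PERIOD + 1  # period 0 has ended

    attacker_total = sum(dist.get_period_reward(t, period, now) for t in attacker_tokens)
    for _ in range(rounds):
        new_tokens = []
        for t in attacker_tokens:
            bal = ve.balances[t]
            children = ve.split(t, [bal // 2, bal - bal // 2])
            dist.on_split(t, children)
            new_tokens += children
        attacker_tokens = new_tokens
        attacker_total += sum(dist.get_period_reward(t, period, now) for t in attacker_tokens)

    dist.get_period_reward(honest, period, now)
    return attacker_total, dist.paid_out, pool


def claim_future_period(distributor_cls):
    """Constructed: period PERIOD has a deposit but is still in progress.
    Returns the amount paid, or None if the claim was rejected."""
    ve = VeRegistry()
    t = ve.mint(100)
    dist = distributor_cls(ve, {0: 10_000, PERIOD: 10_000}, total_ve=1000)
    try:
        return dist.get_period_reward(t, PERIOD, now=PERIOD + 1)
    except ValueError:
        return None


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableDistributor))  # attacker 4000, paid 13000 from a 10000 pool
    print("fixed:     ", run_scenario(FixedDistributor))       # attacker 1000, paid 10000 from a 10000 pool
    print("future period claim:", claim_future_period(VulnerableDistributor), claim_future_period(FixedDistributor))
```

In the vulnerable model the attacker's fair share is 1,000, yet three split-and-reclaim rounds collect 4,000 and the contract pays out 13,000 against a 10,000 deposit, because nothing ever debits the period's supply and every fresh ID is a new claimant. The hardened model caps payouts at what remains, copies the parent's claim record onto its children at split time, and refuses a claim for a period that has not yet ended, which is the check the write-up says was missing from `getPeriodReward()`. In a real contract the split hook would have to be enforced by the ve-NFT contract itself, since the distributor cannot otherwise learn that a new ID descends from an already-paid lock.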