Shido

Quick Summary

Access control issue leads to $4M Loss at ShidoGlobal




Details of the Exploit

ShidoGlobal recently encountered a transfer of ownership, resulting in a significant loss amounting to approximately $4 million.
The exploit occurred when the new owner swiftly upgraded the StakingV4Proxy contract by introducing a concealed withdrawToken()
function. This function enabled the attacker to execute withdrawals of the entire balance of 4,353,473,223.864904 $SHIDO tokens
from the contract. Subsequently, the attacker swapped a portion of the acquired $SHIDO tokens for $ETH and transferred 692.8 $ETH,
equivalent to $2.4 million, to address 0x4621e0cd8c91ecf1b0efcbf07f0838a5ee25c5dd. The remaining $SHIDO tokens, valued at $1.6
million, are still retained in the attacker's address 0x1982358c84da9d0b4b96fc9e8564d132f7d0041f.




Block Data Reference

Ownership Transfer Transaction: 

https://etherscan.io/tx/0xaa76ea503fadddf775b1ef7f195676440fdc3ac46ab642798ab6fa7ae3aafcbe

Attacker's ETH Address: 

0x4621e0cd8c91ecf1b0efcbf07f0838a5ee25c5dd