On June 06 2022, GYM Network deployed a new function to their smart contract; on June 08 2022, GYM Network was exploited. The exploit caused a loss of around 2,475.91 WBNB (~$716K at time of writing) through a vulnerability in that function. The attacker exploited a lack of authentication in depositFromOtherContract() and was able to create deposit records without actually transferring tokens to the contract.
As it was a new function added to their contracts after our audit had taken place, it was outside of our audit scope. This type of issue would be picked up during a CertiK smart contract audit. It’s important to have ALL your contracts audited and ecosystem pen-tested to prevent incidents like this.
GYM NETWORK is a DeFi Aggregator Investment System combining the best yields with high rewards for its users, providing easy access and saving users a lot of precious time.
The project is owned by the users. Each user has voting power proportional to their GYMNET token holdings. Once 75% of GYMNET tokens have been distributed, owning GYMNET means a user will be able to propose new “Exercise Routines” (proposals to improve the system) and vote on the routines proposed by others.
In the _autoDeposit function of GYM Network’s smart contract, there is no token transfer that moves a user’s deposit into the contract. This means a user can call the ‘deposit’ and ‘create deposit record’ functions without actually transferring tokens.
Through this, the attacker repeatedly ‘deposits’ 8,000,000 GYMNET tokens without transferring anything, then withdraws the 8,000,000 tokens. In total the attacker obtains 2,475.91 WBNB.
GYM Network have already fixed the exploit by adding an ‘onlyBank’ modifier to their ‘depositFromOtherContract’ function. This means that only the bank address can now call this function. In addition to the fix, they will also use their treasury to recover the token price as much as possible after the exploit.
There are multiple transactions involved as the attacker repeated steps to deposit and withdraw. Here are some examples:
https://bscscan.com/tx/0x171a448161f2c438cca0502599a6784561d11099c9218e2125c5f3c7a6705dd3
https://bscscan.com/tx/0x91f5e625447da3e7d0d409d5c7762c94c4d5793ab34430b81a9889e5ef9f37dd
https://bscscan.com/tx/0x12970f3962b4bacd01bb4e3dc086804e4e5861134db5dd80d7e4671aa7f23d16
The attacker creates multiple contracts which they call to perform steps 1-3 multiple times.
1. The attacker calls depositFromOtherContract() with the deposit amount set to 8,000,000 GYMNET, but does not transfer any tokens to the contract, as there is no token transfer in the function.
2. The attacker calls withdraw() to withdraw 8,000,000 GYM tokens.
3. The attacker swaps the GYMNET tokens to BNB and sends them to this address: https://bscscan.com/address/0xb2c035eee03b821cbe78644e5da8b8eaa711d2e5.
GYMNET single pool
https://bscscan.com/address/0x0288fba0bf19072d30490a0f3c81cd9b0634258a
In the ‘_autoDeposit’ function, there is no token transfer that moves a user’s deposit into the contract, so a user can call ‘deposit’ and ‘create deposit record’ without actually transferring tokens.
GYMNET have updated their contract since the exploit
https://bscscan.com/address/0x7df0bc661b6a239ae2f41f9548f6b17f7bd8328b#code
The ‘depositFromOtherContract’ function now has an ‘onlyBank’ modifier, so that only the bank address can call this function.
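The unbacked-record flaw from the vulnerability section and the onlyBank fix above, as an added illustration written for this write-up and not GYM Network’s actual code: the contract, the bank role, the function signatures and the extra transferFrom in the fixed function are all assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed illustration of the pattern described above; not GYM Network's code.
// Function names follow the write-up; signatures and the "bank" role are assumptions.
contract SinglePool {
    IERC20 public immutable token;
    address public immutable bank;                // trusted contract allowed to deposit for users
    mapping(address => uint256) public deposited; // deposit records

    modifier onlyBank() {
        require(msg.sender == bank, "caller is not the bank");
        _;
    }

    constructor(IERC20 _token, address _bank) { token = _token; bank = _bank; }

    // VULNERABLE: no access control and no token movement. Any caller can write a
    // deposit record for any amount, backed by nothing in the pool.
    function depositFromOtherContractVulnerable(address user, uint256 amount) external {
        deposited[user] += amount;
    }

    // FIXED as described above: only the bank may create records on a user's behalf.
    // The transferFrom is an extra, assumed step: the bank's tokens are pulled in the
    // same transaction, so a record can never exceed what actually arrived.
    function depositFromOtherContract(address user, uint256 amount) external onlyBank {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposited[user] += amount;
    }

    // A direct deposit moves the tokens before the record is written.
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposited[msg.sender] += amount;
    }

    // Withdrawals pay out of the pool's real balance, which is why an unbacked
    // record lets its holder take tokens that other depositors put in.
    function withdraw(uint256 amount) external {
        require(deposited[msg.sender] >= amount, "insufficient deposit");
        deposited[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A useful audit check for any function that writes a balance record is to confirm, in the same transaction, either that the caller is restricted to a contract that already moved the tokens or that the pool’s own token balance increased by the recorded amount.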
Profit and assets tracing
The attacker gained 2,475.91 BNB and used Tornado Cash to transfer the assets to other addresses.
This type of issue would be spotted during CertiK’s smart contract audits. This particular contract had only been deployed for 2 days before it was exploited, so it wasn’t part of the audit that we had already performed for GYM Network.