Launchpad Platform TrustPad's Staking Contract Attacked
The Launchpad platform TrustPad has announced on the X platform that one of its staking contracts was attacked, and the team is currently investigating the vulnerability. In the meantime, they have advised users not to trade TPAD.
The team will provide detailed information once their investigation is complete. They have assured users that wallets and funds are secure.
Phalcon, the transaction browser, has stated on the X platform that the attack on TrustPad was due to several design flaws in the staking logic. Specifically, the logic let untrusted external calls manipulate the lock-up period in order to obtain pending rewards. In the receiveUpPool function of the LaunchpadLockableStake contract, the depositLockStart time is set if an account is not locked. The attacker manipulated this value by making an immediate deposit (via the receiveUpPool function) and then withdrawing, which accumulated pending rewards.
A second function, stakePendingRewards, allowed the attacker to convert the accumulated pending rewards into staked amounts, so that they could later extract staking rewards in the form of TPAD tokens and sell the tokens for profit.
According to Cyvers Alerts monitoring, the TrustPad attacker has deposited 615.03 BNB (approximately $15,200) into the Tornado Cash mixer.
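A monitoring heuristic for the call pattern Phalcon describes, as an added example that is not TrustPad's or Phalcon's code: it flags transactions in which receiveUpPool is reached by a caller outside an allowlist, deposit and withdraw alternate within one transaction, and stakePendingRewards is called alongside. The allowlist, the call-record format and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical allowlist of pool contracts expected to call receiveUpPool.
TRUSTED_POOLS = {"0xPoolA"}

# Constructed call records in execution order: (tx, caller, function).
SAMPLE_CALLS = [
    ("0xt1", "0xPoolA", "receiveUpPool"),
    ("0xt2", "0xUser1", "withdraw"),
    ("0xt3", "0xEve", "receiveUpPool"),
    ("0xt3", "0xEve", "withdraw"),
    ("0xt3", "0xEve", "receiveUpPool"),
    ("0xt3", "0xEve", "withdraw"),
    ("0xt3", "0xEve", "stakePendingRewards"),
    ("0xt4", "0xUser2", "stakePendingRewards"),
]

def flag_transactions(calls, trusted_pools=TRUSTED_POOLS, min_cycles=2):
    """Return {tx: [reasons]} for transactions matching the described pattern."""
    by_tx = defaultdict(list)
    for tx, caller, func in calls:
        by_tx[tx].append((caller, func))
    findings = {}
    for tx, seq in by_tx.items():
        reasons = []
        # Rule 1: receiveUpPool reached by a caller outside the allowlist.
        if any(f == "receiveUpPool" and c not in trusted_pools for c, f in seq):
            reasons.append("untrusted-receiveUpPool")
        # Rule 2: a deposit immediately followed by a withdraw from the same
        # caller, repeated at least min_cycles times inside one transaction.
        cycles = sum(
            1 for (c1, f1), (c2, f2) in zip(seq, seq[1:])
            if f1 == "receiveUpPool" and f2 == "withdraw" and c1 == c2
        )
        if cycles >= min_cycles:
            reasons.append(f"deposit-withdraw-cycles={cycles}")
        # Rule 3: stakePendingRewards in the same transaction as such a cycle.
        if cycles and any(f == "stakePendingRewards" for _, f in seq):
            reasons.append("stakePendingRewards-with-cycle")
        if reasons:
            findings[tx] = reasons
    return findings

if __name__ == "__main__":
    for tx, reasons in flag_transactions(SAMPLE_CALLS).items():
        print(tx, reasons)
```

Ordinary deposits from an allowlisted pool and standalone withdraw or stakePendingRewards calls pass through unflagged; only the combined pattern in one transaction is reported.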