LaunchZone Hack
Incident Overview
LaunchZone platform was exploited for roughly 700,000 $USD. The platform paused operations with the $LZ token.
LaunchZone is a decentralized platform on the Binance Smart Chain. The platform paused trading and transfer operations after an exploit. $LZ token dropped by more than 80% after an incident.
The attacker exploited other projects as well and labeled DND Exploiter. According to the official LaunchZone website, the platform lost nearly 700,000 $USD worth of assets. It's interesting that the exploiter hacked several projects at the same time and almost the same way.
The attacker was able to transfer tokens using user approvals and the malicious contract with an unverified source code. Then the contract self-destructed, transferring the tokens to the exploiter address.
Attacker address:
https://bscscan.com/address/0x7d192fa3…86aa1f
Malicious contract:
https://bscscan.com/address/0x1c2b102f…ca3e92
Malicious transaction example:
https://bscscan.com/tx/0xaee8ef10…8c3cae
Self-destruct transaction:
https://bscscan.com/tx/0x5e57dd9c…1939da
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to LaunchZone, these are the critical security checks that could have prevented this incident (February 2023).
- Verify all logic paths related to Access Control Exploit / Other are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialPost-Incident Timeline
-
2023-03-07
The LaunchZone Team announced their compensation program to users. The program is implemented via vesting, and affected users will be paid in $iRD tokens that have 15 month vesting period. The token can be exchanged for $RD for transactions and the $iRD itself can be staked to get rewards in $USDC, said in official Twitter
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Proof-of-Concept Exploits
On-Chain Evidence & References
- Twitter/X Alert https://twitter.com/immunefi/status/1630210901360951296
- Twitter/X Alert https://twitter.com/launchzoneann/status/1631538253424918528
Sources & References
Learn to Prevent the Next LaunchZone
The LaunchZone hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.