攻击交易:
https://bscscan.com/tx/0xa5b0246f2f8d238bb56c0ddb500b04bbe0c30db650e06a41e00b6a0fff11a7e5
合约代码:
https://bscscan.com/address/0x1befe6f3f0e8edd2d4d15cae97baee01e51ea4a4#code

函数migrate功能为池转移,将GYM-WBNB转换为GYMNET-WBNB.

function migrate(uint256 _lpTokens) public nonReentrant {
    
    
      require(_lpTokens > 0, "zero LP tokens sended");
      require(IERC20(lpAddress).transferFrom(_msgSender(), address(this), _lpTokens), "transfer failed");
      (uint256 amountTokenRecived, 
       uint256 amountEthRecived) = Router.removeLiquidityETH(
          v1Address,
          _lpTokens,
          0, 
          0, 
          address(this), 
          block.timestamp);
      
      (uint256 amountTokenStaked,
       uint256 amountEthStaked,
       uint256 LpStaked) = Router.addLiquidityETH{
    
    value:amountEthRecived}(
          v2Address, 
          amountTokenRecived, 
          0, 
          0, 
          _msgSender(), 
          block.timestamp);

      uint256 diffEth = amountEthRecived - amountEthStaked;
      if (diffEth > 0) {
    
    
        payable(_msgSender()).transfer(diffEth);
      }
        
      emit migration(_lpTokens, LpStaked);
  }

但是如果GYM-WBNB与GYMNET-WBNB的池深度相差过大,就会导致转换过程中出现亏损或盈利.
因为GYM-WBNB池相对GYMNET-WBNB池太浅,导致加池后(调用migrate)转换为GYMNET-WBNB撤池,再卖出GYMNET,相对(不转换)卖出GYM波动太小,即可盈利.