PANews, April 22: Web3 security company GoPlus stated on X that on April 16 the Ethereum DeFi project R0AR (@th3r0ar) was hacked through a backdoor in its own contract, with approximately $780,000 stolen. The project team released an incident report today; the report says the funds have been recovered, but the address and transaction hash have not yet been made public. This is a textbook contract-backdoor incident, and users are reminded to be wary of the backdoored contract (0xBD2Cd7) and not to interact with it.
The staking contract (R0ARStaking) was deployed with the backdoor already in place: the malicious address (0x8149f) had a large $1R0R balance pre-seeded in its user record from the start, ready to be withdrawn. The malicious address first made a small deposit() and a harvest() to set up the state needed for the malicious EmergencyWithdraw(). In the contract's logic (as shown in the figure below), rewardAmount exceeds r0arTokenBalance (the contract's token balance), so rewardAmount is set to the contract balance and the contract's entire token balance is transferred to the malicious address (0x8149f); in the same way, all of the LP tokens held in the LP token contract are transferred to the malicious address as well. Finally, userInfo.amount is set to 0. userInfo is a mapping, so an entry does not sit at a fixed storage slot: its slot is computed from the hash of the entry's keys (the pool id and msg.sender), which is where the pre-seeded balance for the chosen address lives.
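As an added illustration (not GoPlus's analysis code, nor anything from the R0AR contract), the script below shows the check a reviewer can run on a staking contract of this shape: derive the storage slot of userInfo[pid][user] for a MasterChef-style `mapping(uint256 => mapping(address => UserInfo))`, then scan raw storage words (as returned by eth_getStorageAt at the block right after deployment) for entries whose `amount` is already nonzero before anyone has deposited. The base slot of userInfo, the struct field order, the addresses and the storage contents are all assumptions constructed for the example; the real base slot comes from the contract's own storage layout. Keccak-256 is implemented inline so the script runs offline.

```python
"""Storage-slot check for pre-seeded balances in a MasterChef-style staking contract.

Added example, not code from GoPlus or the R0AR project. Assumptions (all
labelled here): userInfo is declared as
    mapping(uint256 => mapping(address => UserInfo)) public userInfo;
at storage slot USER_INFO_BASE_SLOT, and UserInfo stores `amount` in its first
word. Addresses and storage contents below are constructed sample data.
"""

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants and rotation offsets (lane index = x + 5*y).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [
    0, 1, 62, 28, 27,
    36, 44, 6, 55, 20,
    3, 10, 43, 25, 39,
    41, 45, 15, 21, 8,
    18, 2, 61, 56, 14,
]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f1600(a: list) -> list:
    for rc in RC:
        # theta: column parities mixed into every lane
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate each lane and move it to (y, 2x+3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x + 5 * y])
        # chi: non-linear step along each row
        a = [
            b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & MASK64) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
            for i in range(25)
        ]
        # iota: round constant
        a[0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Keccak-256 as used by the EVM (original pad10*1 padding, not NIST SHA3-256)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        st = _keccak_f1600(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def user_info_slot(pid: int, user: str, base_slot: int) -> int:
    """Storage slot of userInfo[pid][user] under Solidity's nested-mapping layout.

    outer = keccak256(pad32(pid) ++ pad32(base_slot))
    entry = keccak256(pad32(user) ++ outer)
    The struct's first field (assumed to be `amount`) lives at `entry`.
    """
    outer = keccak256(_word(pid) + _word(base_slot))
    entry = keccak256(_word(int(user, 16)) + outer)
    return int.from_bytes(entry, "big")


def find_preseeded(storage: dict, pid: int, candidates: list, base_slot: int) -> dict:
    """Return {address: amount} for candidates whose userInfo.amount is already nonzero.

    `storage` maps slot -> word as read with eth_getStorageAt at the block right
    after deployment, i.e. before any legitimate deposit. A nonzero amount there
    is the kind of pre-seeded balance the report describes.
    """
    hits = {}
    for addr in candidates:
        amount = storage.get(user_info_slot(pid, addr, base_slot), 0)
        if amount:
            hits[addr.lower()] = amount
    return hits


USER_INFO_BASE_SLOT = 3            # assumed; take the real value from the contract's storage layout
SEEDED = "0x" + "11" * 20          # constructed stand-in for a pre-seeded address
CLEAN = "0x" + "22" * 20           # constructed stand-in for an ordinary user
SEEDED_AMOUNT = 10**30             # constructed; far larger than any real deposit

# Constructed post-deployment storage: only the seeded entry is populated.
SAMPLE_STORAGE = {user_info_slot(0, SEEDED, USER_INFO_BASE_SLOT): SEEDED_AMOUNT}

if __name__ == "__main__":
    for addr, amount in find_preseeded(SAMPLE_STORAGE, 0, [SEEDED, CLEAN], USER_INFO_BASE_SLOT).items():
        print(f"pre-seeded balance at deployment: {addr} amount={amount}")
```

Against a live contract, replace SAMPLE_STORAGE with the words returned by eth_getStorageAt for the computed slots at the deployment block, and use the deployer, the early interacting addresses and any address hard-coded in the bytecode as the candidate list. Because a seeded `amount` only has to exceed the contract's token balance for the capped rewardAmount to drain everything, its absolute size is irrelevant; any nonzero amount before the first deposit is the finding.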
The content is for reference only, not a solicitation or offer. No investment, tax, or legal advice provided. See Disclaimer for more risks disclosure.