ZongZi Exploit Analysis

Intro

Detail

    function burnToHolder(uint256 amount,address _invitation) external {
        require(amount >= 0, "TeaFactory: insufficient funds");

        address sender = _msgSender();
        if(Invitation[sender] == address(0) && _invitation != address(0) && _invitation != sender){
            Invitation[sender] = _invitation;
            InvitationList[_invitation].add(sender);//add hacker addr
        }
        if (!userList.contains(sender)) {
            userList.add(sender);
        }
        address[] memory path = new address[](2);
        path[0] = address(_burnToken);
        path[1] = uniswapRouter.WETH();
        uint256 deserved = 0;
        deserved = uniswapRouter.getAmountsOut(amount, path)[path.length - 1];
        require(payable(address(_burnToken)).balance>=deserved,'not enough balance');
        _burnToken.zongziToholder(sender, amount, deserved);//burntoken is zongzi
        _BurnTokenToDead(sender,amount);
        burnFeeRewards(sender,deserved);
    }

        deserved = uniswapRouter.getAmountsOut(amount, path)[path.length - 1];

    function receiveRewards(address payable to) external {
        address addr = msg.sender;
        uint256 balance = balanceOf(addr);
        uint256 amount = balance.sub(burnAmount[addr]); //.sub(Rewards[addr]);
        require(amount > 0 );
        Rewards[addr] = Rewards[addr].add(amount);
        historyRewards[addr] = historyRewards[addr].add(amount);
        to.transfer(amount.mul(10**9)); // pay hacker 1296.961254356 bnb
        _transfer(addr, address(this), balance);
        burnAmount[addr]=0;
        totalReceive = totalReceive.add(amount);
        emit ReceiveReward(addr, amount, totalReceive);
    }

End