Vulnerability in TON withdrawal with platform advertising

In the smart contract responsible for withdrawing funds accumulated from displaying advertisements, a user discovered a drain bug that allowed them to obtain tokens without any limits and withdraw them to an exchange almost immediately.

A drain bug is a vulnerability in a smart contract that allows an attacker to drain the contract of its funds. This is typically achieved by calling a function within the contract that improperly checks the contract's balance or the caller's permissions.

The owner of one wallet made 55 withdrawals of 256 TON each (totaling $82,000), and approximately $150,000 was withdrawn in total. As a result, the exchange rate dropped by 10 percent—from $6 to $5.45.

Currently, the withdrawal of rewards has been suspended.