According to Foresight News, Beosin's security risk monitoring, warning, and blocking platform, Beosin EagleEye, detected an attack on the TIME token, with the hacker profiting around $188,000. Beosin's security team analyzed the attack and found that the hacker exploited a contract vulnerability to destroy TIME tokens in the TIME-ETH trading pair, thereby profiting from the attack.
The issue lies in the fact that the _msgSender() of the TIME token does not return msg.sender, but instead selects based on the caller. If the caller is a Forwarder contract, it returns the address specified by the caller. The Forwarder contract also has an arbitrary external call function. The attacker used the Forwarder contract to call the TIME contract's burn function and passed in the pair address, ultimately destroying the TIME tokens in the pair.
