Weekly Blockchain Security Watch (Dec 19 to Dec 25)

From 19 to 25 December 2022, the security incidents that occurred fall into two categories: Security Hacks and Rug-pulls.

SECURITY HACKS:

  • Hacker Attacks Splattercat's Discord Server

On 20 Dec, a hacker attacked Splattercat's Discord server. Splattercat is a game project.

  • Hacker Attacks xHamster's Discord Server

On 20 Dec, a hacker attacked xHamster's Discord server. xHamster is an NFT project on Ethereum.

  • Hacker Attacks Sol City Poker Club's Discord Server

On 21 Dec, a hacker attacked Sol City Poker Club's Discord server. Sol City Poker Club is an NFT project on Solana.

  • Hacker Attacks David Di Franco's Discord Server and Twitter Account

On 21 Dec, a hacker attacked David Di Franco's Discord server and Twitter account. David Di Franco is a social media influencer.

  • Hacker Attacks DR/VRS' Discord Server

On 22 Dec, a hacker attacked DR/VRS' Discord server. DR/VRS is an NFT project on Ethereum.

  • Hacker Attacks F1 Dog's Discord Server

On 23 Dec, a hacker attacked F1 Dog's Discord server. F1 Dog is an NFT project on Aptos.

  • Hacker Attacks Rubic

On 25 Dec, Rubic, a cross-chain aggregator deployed on Ethereum, was attacked.

The root cause was an injection attack against its contract.

For more details about this attack, please refer to:

Rug-pulls:

  • Defrost Finance Suspected to be a Rug-pull

On 25 Dec, Defrost Finance, a dApp deployed on the Snow blockchain, was suspected to be a rug-pull.

For more details about it please refer to :

CONCLUSION-

8 notable security incidents occurred in the past week. Seven of them were attacks on smart contracts or social media accounts, and one was a suspected rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations. In particular, we suggest that investors avoid projects whose admin (owner) accounts were funded with gas from Tornado Cash: if such a project turns out to be a rug-pull, recovering assets from it is very hard.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at:

https://www.fairyproof.com/

Weekly Blockchain Security Watch December 12 to December 18

SECURITY HACKS:

  • Hacker Attacks Baby Apes Society’s Discord Server

On 12 Dec, a hacker attacked Baby Apes Society’s discord server. Baby Apes Society is an NFT project deployed on Polygon.

  • Hacker Attacks Elastic Swap

On 13 Dec, a hacker attacked Elastic Swap, a DeFi application deployed on both Ethereum and Snow.

The root cause was that its implementation did not validate the K value (the constant-product invariant) in the AMM algorithm.

The algorithms for adding and removing liquidity were different in Elastic Swap. On the Snow blockchain, the attacker added liquidity, then sent USDC.E tokens directly to the TIC-USDC liquidity pool, and then removed the liquidity, exploiting the mismatch between the two code paths. The same process was repeated against the AMPL-USDC pool on Ethereum.

The attacker took 22,454 AVAX (US $290,328) on Snow and 445 ETH (US $564,000) on Ethereum.

At the time of writing, the assets taken on Snow were still held at 0xDd8429b85a92b35712659bd945462a41BFd60cBD, and some of the assets taken on Ethereum were still held at 0xbeadedbabed6a353c9caa4894aa7e5f883e32967.

Crypto assets worth around US $850,000 were exploited in this incident.

Additional Details:

– Attacker’s Addresses:

  – 0xbeadedbabed6a353c9caa4894aa7e5f883e32967 (Ethereum)

  – 0x3bdf01ed32f07e8e843163b5d478d4502f5743cd (Snow)

– Hash Values of Attack Transactions:

  – 0xb36486f032a450782d5d2fac118ea90a6d3b08cac3409d949c59b43bcd6dbb8f (Ethereum)

  – 0x782b2410fcc9449ead554a81f78184b6f9cca89f07ea346bc50cf11887cd9b18 (Snow)

  • NFT Project 1Minute Alpha Announces Hack of Discord and Collaboration Account

On 14 Dec, NFT project 1Minute Alpha reported on Twitter that its collaboration account “@0x1Minute” and its Discord had been hacked. The project urged users not to click on any links and to await further information.

Subsequently, the account announced that its Discord ID and channel had been restored and that the main Twitter account “@ONEMINNFT” had not been hacked. The account went on to report that “everything had been normalized” and offered minimal compensation to users harmed by the hack.

  • Hacker Leverages Flash-Loan to Attack Nimbus Platform

On 14 Dec, a hacker leveraged a flash-loan to attack Nimbus Platform, a dApp deployed on the BNB chain.

The platform had a flaw in its reward computation, which allowed the hacker to take 278 BNB, worth approximately US $76,000.

Additional Details:

– Attacker’s Address: 0x86aa1c46f2ae35ba1b228dc69fb726813d95b597 (BNB chain)

– Hash Value of Attack Transaction:

 0x42f56d3e86fb47e1edffa59222b33b73e7407d4b5bb05e23b83cb1771790f6c1

  • Hacker Exploits Vulnerability in FRP LP’s Wallet in Attack Against FRP Token

On 15 Dec, an attacker exploited a vulnerability in FRP LP’s wallet to attack the FRP token deployed at 0xA9c7ec037797DC6E3F9255fFDe422DA6bF96024d. FRP is a dApp deployed on the BNB chain.

The attacker managed to exploit crypto assets worth around US $30,000.

  • Raydium Announces Compromise of Private Keys Leading to Attack

On 16 Dec, Raydium, a dApp deployed on Solana, announced that the private keys of the owner of several liquidity pools had been compromised, leading to an attack. The attacker used the owner’s wallet to call the withdrawalPNL function and withdraw the fees earned from trades. Liquidity pools including SOL-USDC, SOL-USDT, RAY-USDC and RAY-USDT were affected.

Crypto assets worth around US $4.395 million were exploited.

  • Hacker Attacks Mekawaii’s Discord Server

On 16 Dec, a hacker attacked Mekawaii’s Discord server. Mekawaii is an NFT project deployed on Ethereum.

  • Hacker Attacks Neo Tokyo’s Discord Server

On 18 Dec, a hacker attacked Neo Tokyo’s Discord server. Neo Tokyo is an NFT project deployed on Ethereum.

CONCLUSION-

8 notable security incidents occurred in the past week. Four of them were attacks on smart contracts and the other four were attacks on social media accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.


Fairyproof Hosts First Ever Twitter Space with Guests from DfDunkNFT and Kraze Web3 Football, Discuss NFTs and Security Amidst World Cup

Blockchain Security Company Facilitates Healthy Discussion on NFT and their Safety as Football Season Reveals Rising Trend of Sports NFT Adoption.

Singapore, September 15, 2022 – Pioneering Blockchain Security Company Fairyproof hosted a live AMA on Twitter in light of the rising trend of sports NFT adoption amid the World Cup. The Twitter Space, titled “The World Cup is coming with NFTS! Fans please calm down”, was joined by DfDunkNFT[1] Community Manager Giselle, and Kraze Web3 Football[2] Founder and Sport8 International Ltd[3] CEO Bai Qiang. Hosting the session was Fairyproof’s CEO Tan Yuefei. The turnout was a healthy 52 participants.

In the discussion, Tan gathered useful and interesting insights from both guests on how NFTs should be kept safe; keeping them in cold hardware wallets and watching for signs of pump-and-dump schemes were among the many points raised.

Giselle urged users to adopt a “DYOR[4]” attitude and to stay alert to potential scams such as phishing links and impersonators of NFT technical teams. She also mentioned IP theft as an emerging concern, and agreed on the importance of projects engaging cybersecurity companies to improve security through triage and audits.

Meanwhile, Bai Qiang raised NFT utility as an area of concern for adopters, even though prominent football players have endorsed NFTs; Cristiano Ronaldo launching his first NFT collection on Binance is one of many emerging cases of adoption.

“Hearing from our two gracious guests, it is comforting to know that NFT security is an area that adopters will need to pay attention to. I am thankful that we have the privilege to host our guests at the time,” Tan comments post-discussion. “It was a productive, interesting Twitter Space discussion. I am positive that our users will find something they can learn from the one-and-a-half-or-so hours of our session.”

Tan also expressed great enthusiasm and positivity for future Twitter Spaces that Fairyproof will host: “We are thinking of hosting AMAs like these at least once a month, or in the best-case scenario, once bi-weekly. Sessions like these not only help projects connect with one another and for us to get to know people better; but also help crypto users increase their knowledge on crypto security, in turn, strengthening the global NFT and crypto community.”

To listen to the Twitter Space session: https://twitter.com/FairyproofT/status/1602996314047860737?s=20&t=TdwTbTAP-Scw7vb4NJJm-Q

About Fairyproof:

Fairyproof is a pioneering blockchain security company established in 2021 with the slogan “Make IT a Safer Place”. They have been actively developing blockchain security solutions and Ethereum standards, and have meaningfully contributed to established Web3.0 projects like Ethereum, BNB Smart Chain, and HECO.

For more information, consult the following channels:

Website – https://www.fairyproof.com
Telegram – https://t.me/Fairyproof_tech
Twitter – https://twitter.com/FairyproofT
Medium- https://medium.com/@FairyproofT

Contact:
Joey Leong
Fairyproof
Social Media Manager
+65 9663 5630
https://www.fairyproof.com


[1] DfDunkNFT is an NFT project created by the Hiroshima Dragonflies, a basketball team in the Japanese men’s professional basketball “B League”. (Twitter: @DFDunk)

[2] Kraze Football is a Web3 platform for football fans, integrating real games and virtual experience. (Twitter: @KrazeFootball)

[3] Sport8 International Ltd is an International Sports Industry Platform (Twitter: @Sports8China)

[4] Do Your Own Research

Solutions for Lending Apps to Avoid Bearing a Burden of Bad Debt: Some Tentative Thoughts on Ankr’s Exploitation

On December 2, Ankr’s contract deployed on the BNB chain was attacked.

The hacker deployed a malicious implementation contract, minted 10,000,000,000,000 aBNBc tokens, dumped them on a DEX and swapped them for other crypto assets.

Dumping this huge number of aBNBc tokens crashed the token’s price, which went from about $300 before the incident to less than $2 shortly after the dump.

The hacker exploited crypto assets worth around US $5 million in this incident.

While that action is clearly illegitimate, another actor “legitimately” made a profit of around US $15 million from the same incident.

Here is what this actor did:

After the incident, it deposited 10 BNB in exchange for 180,000 aBNBc tokens, used the aBNBc as collateral to borrow a huge amount of the HAY stablecoin from the lending platform Helio, and finally swapped all of the HAY for BUSD.

The whole process was so precisely planned and executed that this actor was suspected to be the hacker itself.

The actor succeeded because Helio’s oracle did not react promptly to the sudden price drop and kept serving the stale, pre-crash price as aBNBc’s valid price. The actor leveraged this to borrow an extraordinary amount of assets and make a huge profit.

This is not the first time such an issue has happened. Earlier this year, when the price of Luna crashed, there were quite a few cases in which actors used Luna as collateral to borrow less volatile crypto assets from lending applications whose oracles did not update Luna’s price promptly.

On the surface this is an oracle issue, but looking deeper we think it is, to a large extent, a tokenomics issue as well.

In all of these cases, the exploited assets are ERC-20 tokens on Ethereum or fungible tokens deployed on other EVM blockchains.

Depending on the contract design, such tokens are minted in one of two ways:

Either the token’s entire total supply (or max supply) is minted at deployment, and no further minting is allowed once the contract is deployed;

Or the token can still be minted after its contract is deployed.

For the latter, whenever the access control on the token’s mint function is compromised, malicious minting can happen. When it does, the additionally minted tokens will very likely either be dumped on DEXs or CEXs, or be used as collateral to borrow less volatile crypto assets, stablecoins in particular, from lending applications.

Compared to dumping tokens on DEXs or CEXs, using them as collateral to borrow stablecoins does devastating damage to the lending application. Quite often the application that lent against such collateral is drained shortly afterwards and left with a huge burden of bad debt.

So how can this issue be avoided?

A quick idea is to improve the responsiveness and promptness of the oracles these lending applications use.

This helps, but it is not enough: it can greatly increase operating costs, and no matter how responsive an oracle is, it can hardly respond in real time.

Therefore we propose the following solutions:

First, a carefully designed collateral ratio should be applied to collateral tokens that can still be minted after their contracts are deployed.

Many lending applications already apply a collateral ratio to each token used as collateral, but the ratio is often set without taking into account the risk that the token might be maliciously minted, so the setting is not resilient or fault-tolerant to that risk.

Second, a lending application should not only track a token’s price but also monitor its mint activity, especially for tokens that can still be minted after their contracts are deployed.

When abnormal mint activity is observed for a token, such as a very large number of tokens being minted, the lending application could suspend lending against that token as collateral. Only after the abnormal mint has been confirmed as fixed or legitimate should lending against it be resumed.

Third, a lending application could charge relatively higher service fees on collateral tokens that can still be minted after their contracts are deployed.

This hedges the risk economically.
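As an added example, not Helio’s, Ankr’s or Fairyproof’s code, the following Python model applies the first two proposals above to a mintable collateral token whose price feed lags: an LTV haircut for tokens that remain mintable after deployment, and a supply monitor that suspends lending against a token when its supply jumps. The token’s initial supply, the LTV, the haircut and the growth threshold are assumptions; the 180,000 aBNBc deposit, the $300 pre-crash price and the 10,000,000,000,000-token mint are taken from the description above.

```python
# Added example, not Helio's, Ankr's or Fairyproof's code.
# Supplies, LTV, haircut and threshold below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Token:
    symbol: str
    total_supply: int
    mintable: bool  # can the supply still grow after deployment?

    def mint(self, amount: int) -> None:
        """A mint by whoever controls the mint function, legitimate or not."""
        if not self.mintable:
            raise PermissionError(f"{self.symbol} supply is fixed at deployment")
        self.total_supply += amount


class LaggingOracle:
    """Price feed that only changes when update() is called. A feed that is
    not updated during a crash keeps reporting the pre-crash price."""

    def __init__(self, price: int):
        self.price = price

    def get(self) -> int:
        return self.price

    def update(self, price: int) -> None:
        self.price = price


@dataclass
class CollateralConfig:
    token: Token
    oracle: LaggingOracle
    ltv_bps: int                # max borrow value per collateral value, basis points
    max_supply_growth_bps: int  # tolerated supply growth since the last checkpoint
    checkpoint_supply: int
    suspended: bool = False


class LendingPool:
    MINTABLE_HAIRCUT_BPS = 2500  # assumed: mintable collateral gets a 25% lower LTV

    def __init__(self, mint_monitor: bool = True):
        self.mint_monitor = mint_monitor
        self.collateral: dict[str, CollateralConfig] = {}

    def list_collateral(self, token: Token, oracle: LaggingOracle,
                        ltv_bps: int, max_supply_growth_bps: int = 1000) -> None:
        # First proposal: a collateral ratio that prices in the minting risk.
        if token.mintable:
            ltv_bps = ltv_bps * (10_000 - self.MINTABLE_HAIRCUT_BPS) // 10_000
        self.collateral[token.symbol] = CollateralConfig(
            token, oracle, ltv_bps, max_supply_growth_bps, token.total_supply)

    def supply_healthy(self, symbol: str) -> bool:
        # Second proposal: watch supply, not just price, and trip a breaker
        # when supply grows faster than the configured threshold.
        cfg = self.collateral[symbol]
        if self.mint_monitor and not cfg.suspended:
            grown = cfg.token.total_supply - cfg.checkpoint_supply
            if grown * 10_000 // cfg.checkpoint_supply > cfg.max_supply_growth_bps:
                cfg.suspended = True
        return not cfg.suspended

    def max_borrow(self, symbol: str, collateral_amount: int) -> int:
        """Borrow cap in stablecoin units; 0 while lending against this token is suspended."""
        cfg = self.collateral[symbol]
        if not self.supply_healthy(symbol):
            return 0
        return collateral_amount * cfg.oracle.get() * cfg.ltv_bps // 10_000

    def resume(self, symbol: str) -> None:
        """After review confirms the mint was fixed or legitimate: re-checkpoint and lift the suspension."""
        cfg = self.collateral[symbol]
        cfg.checkpoint_supply = cfg.token.total_supply
        cfg.suspended = False


def run_scenario() -> tuple[int, int, int]:
    """Borrow caps for a 180,000 aBNBc deposit: before the malicious mint,
    after it with the mint monitor, and after it without the monitor."""
    abnbc = Token("aBNBc", total_supply=1_000_000, mintable=True)  # constructed supply
    oracle = LaggingOracle(price=300)  # pre-crash price; never updated in this run
    guarded, naive = LendingPool(mint_monitor=True), LendingPool(mint_monitor=False)
    for pool in (guarded, naive):
        pool.list_collateral(abnbc, oracle, ltv_bps=8000)
    before = guarded.max_borrow("aBNBc", 180_000)
    abnbc.mint(10_000_000_000_000)  # the 10 trillion aBNBc mint; the oracle still says 300
    return before, guarded.max_borrow("aBNBc", 180_000), naive.max_borrow("aBNBc", 180_000)


if __name__ == "__main__":
    print(run_scenario())
```

Run as-is, run_scenario() returns (32400000, 0, 32400000): the monitored pool refuses to lend once supply jumps, while the price-only pool would lend 32.4 million stablecoins against collateral that, at the post-crash price of under $2, is worth less than 360,000. The third proposal, a higher fee on mintable collateral, is a pricing decision and is not modelled here.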

These are some tentative thoughts we have after learning the lessons of these incidents.

When tackling a cyber-security risk or issue, Fairyproof always tries to find solutions not just from a purely technical point of view, but from multiple facets including tokenomics, governance and more.

We hope these thoughts are of some assistance in mitigating this issue in the future.

Weekly Blockchain Security Watch November 28 to Dec 4

From November 28 to December 4, 2022, all of the security incidents that occurred were Security Hacks.

SECURITY HACKS:

  • Hacker Attacks Prometheus

On Nov 28, Prometheus, a dApp deployed on the BNB chain, was attacked.

In this incident, the hacker withdrew 467,398 PHI from the project’s OTC contract and swapped them for 124.73 BNB.

The Prometheus team recovered 112.08 BNB and holds them in a multisig (0x69A03128a7cb580553acf1cf287d4A5Ce0A01c1F).

The hacker kept 12.65 BNB (worth around US $3,654.5) from this incident.

At the time of writing, the project’s gPHI and dPHI supply had not been affected, and all of the contracts except the dividends pool had been paused.

Additional Details:

– Attacker’s Address: 0xc7233627c65f0dd1465938212a3adaa5dea50bf6 (BNB chain)

– Hash Value of Attack Transaction:

0x15472327df1fdace59c14eba5f4069ffb65c71c5f38f00355da990b68121d160

  • Hacker Attacks Shamanzs’ Discord Server

On Nov 28, a hacker attacked Shamanzs’ Discord server. Shamanzs is an NFT project deployed on Ethereum.

  • Hacker Leverages Flash-loan to Attack Seaman

On Nov 29, a hacker attacked Seaman, a dApp deployed on the BNB chain, using a flash-loan.

The root cause was that its tokenomics design allowed price manipulation.

The attacker flash-loaned 500,000 BUSD and swapped them for GVC. The hacker then called Seaman’s transfer function to transfer a small number of SEAMAN tokens, which triggered SEAMAN to be exchanged for GVC. This in turn called the _splitlpToken() function to distribute GVC to lpUser, reducing the amount of GVC in the BUSD-GVC trading pair and thus increasing GVC’s price.

The hacker repeated the process and eventually took 7,781 BUSD (worth US $7,781) in this incident.
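The manipulation loop described above, as an added example that is not Seaman’s or Fairyproof’s code: a Python model of a constant-product BUSD-GVC pair in which a transfer hook moves GVC out of the pair the way _splitlpToken() does. The starting reserves, the 0.25% swap fee, the share of GVC drained per trigger and the number of triggers are assumptions; only the 500,000 BUSD flash-loan comes from the description.

```python
# Added example, not Seaman's or Fairyproof's code. Reserves, fee and the
# drain fraction per trigger are constructed assumptions.

FEE_BPS = 25  # assumed 0.25% swap fee; pass fee_bps=0 for a fee-free pool


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int,
                   fee_bps: int = FEE_BPS) -> int:
    """Constant-product (x*y=k) output with the fee taken on the input side."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    numerator = amount_in_with_fee * reserve_out
    denominator = reserve_in * 10_000 + amount_in_with_fee
    return numerator // denominator


class BusdGvcPair:
    """Minimal model of the BUSD-GVC trading pair in whole token units."""

    def __init__(self, reserve_busd: int, reserve_gvc: int, fee_bps: int = FEE_BPS):
        self.reserve_busd = reserve_busd
        self.reserve_gvc = reserve_gvc
        self.fee_bps = fee_bps

    def price_gvc(self) -> float:
        """Spot price of one GVC in BUSD."""
        return self.reserve_busd / self.reserve_gvc

    def swap_busd_for_gvc(self, busd_in: int) -> int:
        gvc_out = get_amount_out(busd_in, self.reserve_busd, self.reserve_gvc, self.fee_bps)
        self.reserve_busd += busd_in
        self.reserve_gvc -= gvc_out
        return gvc_out

    def swap_gvc_for_busd(self, gvc_in: int) -> int:
        busd_out = get_amount_out(gvc_in, self.reserve_gvc, self.reserve_busd, self.fee_bps)
        self.reserve_gvc += gvc_in
        self.reserve_busd -= busd_out
        return busd_out

    def split_lp_token(self, drain_bps: int) -> int:
        """Models the effect of _splitlpToken(): GVC held by the pair is paid
        out to LP holders and the pair syncs to the reduced balance. Only the
        GVC side shrinks, so the BUSD/GVC price rises without anyone buying."""
        removed = self.reserve_gvc * drain_bps // 10_000
        self.reserve_gvc -= removed
        return removed


def simulate_attack(flash_loan_busd: int, triggers: int, drain_bps: int,
                    fee_bps: int = FEE_BPS) -> int:
    """Attacker's profit in BUSD (negative means the loop loses money).
    Starting reserves of 1,000,000 BUSD / 1,000,000 GVC are constructed."""
    pair = BusdGvcPair(1_000_000, 1_000_000, fee_bps)
    # 1. flash-loan BUSD and buy GVC
    gvc_held = pair.swap_busd_for_gvc(flash_loan_busd)
    # 2. each small SEAMAN transfer triggers _splitlpToken(), draining GVC from the pair
    for _ in range(triggers):
        pair.split_lp_token(drain_bps)
    # 3. sell the GVC back into the thinner pool and repay the flash-loan
    busd_back = pair.swap_gvc_for_busd(gvc_held)
    return busd_back - flash_loan_busd


if __name__ == "__main__":
    print("no drain   :", simulate_attack(500_000, triggers=0, drain_bps=0))
    print("10 triggers:", simulate_attack(500_000, triggers=10, drain_bps=500))
```

The loop is profitable only because of the drain: with triggers=0 the round trip loses the swap fees and rounding, while each trigger raises the GVC price without any BUSD entering the pair, so the GVC bought in step 1 sells for more than it cost. Any transfer hook that can move reserve tokens out of a pair is a price-manipulation primitive, whether or not the hook itself looks like a swap.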

Additional Details:

– Attacker’s Address: 0x49fac69c51a303b4597d09c18bc5e7bf38ecf89c (BNB chain)

– Attacked Contract: 0xDB95FBc5532eEb43DeEd56c8dc050c930e31017e(GVC Token on BNB chain)

  • Hacker Attacks SmallBros’ Discord Server

On Dec 1, a hacker attacked SmallBros’ Discord server. SmallBros is an NFT project deployed on Ethereum.

  • Hacker Attacks Brainless Spikes’ Discord Server

On Dec 1, a hacker attacked Brainless Spikes’ Discord server. Brainless Spikes is an NFT project deployed on Ethereum.

  • Hacker Attacks Ankr

On Dec 2, a hacker attacked Ankr, a dApp deployed on the BNB chain.

The root cause was very likely that the Ankr Deployer’s private key was compromised.

The attacker exploited crypto assets worth around US $5 million in this incident.

For more details about this incident refer to:

Additional Details:

– Attacker’s Address: 0xf3a465C9fA6663fF50794C698F600Faa4b05c777 (BNB chain)

– Malicious aBNBc Contract: 0xd99955B615EF66F9Ee1430B02538a2eA52b14Ce4 (BNB chain)

– Ankr Deployer: 0x2Ffc59d32A524611Bb891cab759112A51f9e33C0 (BNB chain)

– Attacked Contract: 0xE85aFCcDaFBE7F2B096f268e31ccE3da8dA2990A (aBNBc on BNB chain)

– Initiator of Attack Transaction: 0x71699d5BD28F5C834eEe8E365848df056915Baa6 (BNB chain)

– Hash Value of Attack Transaction:

0xd07b210b872bc952b9f2250d8272a789f89a2f7a3621112fdd73addd7bdb080b (BNB chain)

CONCLUSION-

6 notable security incidents occurred in the past week. Three of them (Prometheus, Seaman and Ankr) were attacks on smart contracts and three were attacks on Discord servers.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
