Weekly Blockchain Security Watch (Jan 9 to Jan 15)

Jan 9 to Jan 15


  • Hacker Attacks Chimpers’ Twitter Account

On 10 Jan, a hacker attacked NFT project based on Ethereum Chimpers’ Twitter account (@ChimpersNFT). The project later reassured followers that their Twitter account has been safely secured.

In their follow-up tweet, they reiterated that the project would “NEVER spontaneously launch a surprise mint, claim or airdrop”. They have also commenced commutations for victims of the hack.

  • Hacker Attacks BRA on BNB Chain

On 10 Jan, a hacker attacked BRA, a dApp deployed on the BNB chain.

For more details please refer to:

820 BNBs worth around US $ 240,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B (on BNB chain)

– Attacked Contract: 0x449FEA37d339a11EfE1B181e5D5462464bBa3752 (on BNB chain)

– Hash Values of Attach Transactions:



  • Sui Name Service Announce Discord Server Attacked

On 10 Jan, a name service deployed on the Sui blockchain Sui Name Service (@snsstork) announced on Twitter that their Discord server was attacked by “a staff member who was paid off” and impersonating an admin.

The account also informed that they are “working on restoring roles” and offered support for those who need it.

  • Hacker Manipulates ROE Finance Oracle in Attack

On 11 Jan, ROE Finance (@RoeFinance), a DeFi application deployed on Ethereum was attacked.

The root cause of this incident was that the oracle was manipulated.

ROE Finance was built on top of AAVE. The hacker carried out this attack by following the steps below:

Step 1: the attacker-controlled address initially borrowed 5,673,090 USDCs from Balancer, and deposited them to the roeUSDC pool.

Step 2: The same address borrowed 2,953,841,283 UNI-V2s from the pool, left the debt to the contract creator, and deposited the borrowed assets to the pool.

Step 3: The hacker repeated the previous step roughly 49 times, burned 0.295 UNI-V2 and earned 2.96 WBTCs and 51,661 USDCs.

Step 4: The hacker gave 26,024 USDCs to UNI-V2 and called the Uniswap V2 sync function. This manipulated the price of the UNI-V2 obtained from the oracle.

Step 5: The hacker borrowed back 5,673,090 USDCs that had been put into the roeUSDC pool earlier, exchanged 14,345 USDCs to 0.66 WBTCs, and repaid the USDCs back to Balancer.

Crypto assets including 2.29 WBTCs and 39,982 USDCs worth around US $80,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x67a909f2953fb1138bea4b60894b51291d2d0795

– Hash Value of Attack Transaction:


  • Lendhub Announces Attack on 12 Jan

On 13 Jan, Lendhub (@LendHubDefi), a dApp deployed on HECO, announced on Twitter that their project had been attacked on 12 Jan.

The root cause was both the old and new IBSV tokens existed simultaneously in the market and both took their price feeds from the new IBSV.

The hacker leveraged the vulnerability to obtain old IBSV tokens by depositing HBSV tokens and borrowed assets from the new market, then redeemed HBSV back in the old market.

The attack resulted in Lendhub’s TVL decreasing from US $ 6 million to US $ 90,305.

Additional Details:

– Attacker’s Address: 0x9d0163e76bbcf776001e639d65f573949a53ab03


5 notable security incidents have occurred in the past week. Most of them were attacks against smart contracts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at


Leave a Reply

Your email address will not be published. Required fields are marked *