Weekly Blockchain Security Watch (Feb 13 to Feb 19)


From 13 February 2023 to 19 February 2023, all of the security incidents that occurred were security hacks.

SECURITY HACKS:

  • Hacker Leverages MEV Contract Front-Run in Attack Against Anyswap

On 15 Feb, a hacker attacked Anyswap, an application deployed on Ethereum.

The hacker used an MEV contract to front-run a regular WETH transfer transaction, calling AnyswapV4Router's anySwapOutUnderlyingWithPermit function to approve token spending. Although the function validated the permit signature, the transaction that exploited the WETH in this incident did not get validated. As a result, in the subsequent function calls the hacker could call the safeTransferFrom function so that the _underlying address approved spending of its WETH by the hacker, without any signature being validated.

87 ETHs worth around US $130,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xfde0d1575ed8e06fbf36256bcdfa1f359281455a

– Hash Value of Attack Transaction:

0x192e2f19ab497f93ed32b2ed205c4b2frontff628c82e2f236b26bec081ac361be47f
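The pattern described above, a router that trusts a permit call and then spends on behalf of a caller-supplied address, is shown below as an added Solidity example. It is not Anyswap's code; the contract and function names are hypothetical, and the example assumes the failure mode is a permit call whose effect is never verified on the target token (the canonical WETH9 contract has a payable fallback that calls deposit(), so an unknown selector such as permit does not revert). The hardened variant checks that the EIP-2612 nonce advanced and that the allowance covers the amount before calling transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// EIP-2612 surface: genuine permit tokens expose nonces() and permit().
interface IERC2612 is IERC20 {
    function nonces(address owner) external view returns (uint256);
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
}

// Hypothetical router (not Anyswap's contract) illustrating the defect and the fix.
contract PermitRouter {
    // Hypothetical destination that receives the underlying tokens.
    address public immutable vault;

    constructor(address vault_) { vault = vault_; }

    // VULNERABLE PATTERN. The permit call is assumed to have authorised the
    // transfer. If `token` has no permit() but its fallback accepts unknown
    // selectors without reverting (WETH9 does: its payable fallback calls
    // deposit()), the call "succeeds" while granting nothing, and the
    // transferFrom below is backed only by whatever allowance `from`
    // happened to give this router earlier, for an arbitrary `from`.
    function swapOutUnderlyingWithPermitUnchecked(
        address token, address from, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        IERC2612(token).permit(from, address(this), amount, deadline, v, r, s);
        require(IERC2612(token).transferFrom(from, vault, amount), "transfer failed");
    }

    // HARDENED PATTERN. Prove the permit took effect on this token before
    // spending on behalf of `from`: the EIP-2612 nonce must advance by exactly
    // one and the resulting allowance must cover the amount. A contract without
    // nonces() returns no data, so the first call reverts during ABI decoding.
    function swapOutUnderlyingWithPermit(
        address token, address from, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        IERC2612 t = IERC2612(token);
        uint256 nonceBefore = t.nonces(from);
        t.permit(from, address(this), amount, deadline, v, r, s);
        require(t.nonces(from) == nonceBefore + 1, "permit had no effect");
        require(t.allowance(from, address(this)) >= amount, "insufficient allowance");
        require(t.transferFrom(from, vault, amount), "transfer failed");
    }
}
```

The nonce check is the key part: a signature that was verified but never consumed by the token is evidence that the permit path was not actually exercised. Where a router does not need third-party permits at all, the simpler defence is to restrict `from` to `msg.sender`.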

  • Hacker Attacks Platypus Through Flash Loan

On 16 Feb, a hacker attacked Platypus, an application deployed on the Snow blockchain, using a flash loan.

The root cause of this incident was that the emergencyWithdraw function defined in the MasterPlatypusV4 contract did not validate whether a borrower had paid back the debt.

The attacker flash-loaned 44 million USDC and called the Platypus Finance contract's deposit function to mint LP-USDC. The attacker then staked the LP-USDC in MasterPlatypusV4's fourth vault, called the positionView function and minted a large amount of USP. Under normal logic, the hacker should have carried a large debt after staking and minting USP and therefore should not have been able to withdraw the staked assets. However, the vulnerability in the emergencyWithdraw function allowed the hacker to withdraw them anyway.

After repaying the flash loan, the hacker was left with a profit of 41,794,533 USP and exchanged it for stablecoins worth around US $8,522,926.

Additional Details:

– Attacker’s Address: 0xeff003d64046a6f521ba31f39405cb720e953958

– Hash Value of Attack Transaction:

0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
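The root cause described above, an emergency exit that releases staked collateral without checking whether a debt is still outstanding against it, is illustrated below as an added Solidity example. It is not the MasterPlatypusV4 code: the StakingPool contract, the pool layout and the IDebtOracle interface (a hypothetical view onto whatever records the stablecoin debt minted against a position) are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical: how much stablecoin debt `user` has minted against the
// position staked in pool `pid`. In a real system this would be the minter
// or position-tracking contract.
interface IDebtOracle {
    function debtOf(address user, uint256 pid) external view returns (uint256);
}

// Hypothetical staking contract (not Platypus's) showing the defect and the fix.
contract StakingPool {
    struct PoolInfo { IERC20 lpToken; }

    address public immutable owner;
    IDebtOracle public immutable debtOracle;
    PoolInfo[] public poolInfo;
    // staked[pid][user] = LP amount the user has deposited in pool pid
    mapping(uint256 => mapping(address => uint256)) public staked;

    constructor(IDebtOracle oracle) {
        owner = msg.sender;
        debtOracle = oracle;
    }

    function addPool(IERC20 lpToken) external {
        require(msg.sender == owner, "not owner");
        poolInfo.push(PoolInfo(lpToken));
    }

    // Pull LP tokens from the caller and record the stake.
    function deposit(uint256 pid, uint256 amount) external {
        require(poolInfo[pid].lpToken.transferFrom(msg.sender, address(this), amount),
                "transferFrom failed");
        staked[pid][msg.sender] += amount;
    }

    // VULNERABLE PATTERN: the emergency exit returns the full collateral
    // without asking whether that collateral still backs borrowed stablecoins.
    // A user can deposit, mint debt against the position, then take the
    // collateral back out while the debt remains.
    function emergencyWithdrawUnchecked(uint256 pid) external {
        uint256 amount = staked[pid][msg.sender];
        staked[pid][msg.sender] = 0;
        require(poolInfo[pid].lpToken.transfer(msg.sender, amount), "transfer failed");
    }

    // HARDENED PATTERN: collateral that backs outstanding debt stays locked.
    // The state update happens before the external transfer (checks-effects-
    // interactions), and the solvency check is the same one a normal
    // withdraw path would apply.
    function emergencyWithdraw(uint256 pid) external {
        require(debtOracle.debtOf(msg.sender, pid) == 0, "outstanding debt");
        uint256 amount = staked[pid][msg.sender];
        staked[pid][msg.sender] = 0;
        require(poolInfo[pid].lpToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The general lesson is that every path that releases collateral, including "emergency" ones that skip reward accounting, must apply the same solvency check as the regular withdrawal path; an escape hatch that bypasses the invariant is itself the vulnerability.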

  • Hacker Attacks Dexible

On 17 Feb, a hacker attacked Dexible, an application deployed on Ethereum.

The root cause of this incident was an access-control vulnerability in one of its contracts.

The hacker defined a "transferFrom" function call and passed it, together with a user's address (0x58f5f0684c381fcfc203d77b2bba468ebb29b098) and the hacker's address (0x684083f312ac50f538cc4b634d85a2feafaab77a), to a "fill" function. This caused the user's address to approve the hacker to spend the token. All the exploited assets were transferred to Tornado Cash.

Crypto assets worth around US $1.54 million were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x684083F312Ac50f538Cc4B634d85a2feafaAB77a

– Hash Value of Attack Transaction: 0x58f5f0684c381fcfc203d77b2bba468ebb29b098
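The access-control weakness described above, a contract that holds users' token approvals and will forward any call to any target, is shown below as an added Solidity example. It is not Dexible's code: the SwapExecutor contract, the router allow-list and the function signatures are hypothetical, and the example assumes that the "fill" path executed caller-supplied calldata against a caller-supplied target.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical swap-execution contract (not Dexible's) showing the defect and the fix.
contract SwapExecutor {
    address public immutable owner;
    // DEX routers this contract is allowed to forward calls to.
    mapping(address => bool) public allowedRouter;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = ok;
    }

    // VULNERABLE PATTERN: users approve this contract to spend their tokens so
    // it can settle swaps, and anyone may make it call any target with any
    // calldata. If the target is a token and the calldata is a transferFrom
    // drawn against a user who approved this contract, the contract's own
    // approval is spent on the caller's behalf. An approval granted for swaps
    // becomes an approval usable by anyone.
    function fillUnchecked(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }

    // HARDENED PATTERN:
    //  1. funds move only from msg.sender, never from a caller-supplied address;
    //  2. the external call goes only to an allow-listed router, never to a token;
    //  3. the router is approved only for this fill and the approval is cleared.
    function fill(
        address router, IERC20 tokenIn, uint256 amountIn, bytes calldata data
    ) external returns (bytes memory) {
        require(allowedRouter[router], "router not allowed");
        require(address(tokenIn) != router, "token cannot be call target");
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(tokenIn.approve(router, amountIn), "approve failed");
        (bool ok, bytes memory ret) = router.call(data);
        require(ok, "swap failed");
        require(tokenIn.approve(router, 0), "approve reset failed");
        return ret;
    }
}
```

The hardened version still forwards opaque calldata, but only to a trusted router and only with tokens that the caller just supplied, so the contract never acts on another user's approval. Delivery of the output token to msg.sender is left to the encoded router call and is omitted here. A contract that holds standing approvals from many users should treat "execute arbitrary call" as a privileged operation, not a public one.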

  • Hacker Attacks Baby Doll

On 18 Feb, a hacker attacked Baby Doll, an application deployed on the BNB Chain.

25.049 BNBs worth around US $7900 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xebc58c96cef9fc91a4ae049f026f8076198e5f83

– Hash Value of Attack Transaction:

0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2

  • OkCat Announces Discord Server Hacked

On 18 Feb, OkCat (@OkCat_NFT), an NFT project deployed on Polygon, announced on Twitter that their Twitter had been hijacked.

In their most recent update, the NFT project also warned users that the current Discord server is entirely a scam and urged users to unsubscribe and spread the word.

  • Revert Finance Team Claims v3utils Contract Attacked

On 18 Feb, the team behind Revert Finance, an application deployed on Ethereum, claimed on Twitter that its v3utils contract had been attacked by a hacker.

90% of the exploited assets were stolen from single accounts and the exploited assets included 22983.235188 USDCs, 4106.316699 USDTs, 485.5786287699002 OPs, 0.18217977664322793 WETHs, 36.59093198260223 DAIs, 211.21463945524238 WMATICs and 22 Premias.

Most of the addresses that had approved this contract to spend their tokens have since revoked their approvals; the team reminded those that had not yet done so to revoke them. The team planned to release a full report on this incident and to compensate the victims.

Additional Details:

– Attacked Contracts:

Ethereum: 0x531110418d8591c92e9cbbfc722db8ffb604fafd

Polygon: 0x8c925768c793e00c095135b8656d6014ee2d07bb

Optimism: 0x2A017f2Fb369F4CA061B8D8A922Bb05100e8f8C3

Arbitrum: 0x95a8cc9ab71b26bdacbe6a7ccf519456edc2a164

CONCLUSION:

6 notable security incidents occurred in the past week. 5 of the 6 were attacks against smart contracts and one targeted social media.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to understand and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/
