Weekly Blockchain Security Watch

Feb 20 to Feb 26

From 20 February 2023 to 26 February 2023, the security incidents that occurred fall into two categories: security hacks and rug-pulls.

SECURITY HACKS:

  • Hacker Exploits Dynamic Fi

On 22 Feb, a hacker attacked Dynamic Fi, an application deployed on the BNB Chain.

For more details please refer to this link:

Additional Details:

– Attacker’s Address: 0x0C925A25fDaaC4460CAb0CC7abc90Ff71f410094

– Address That Receives Exploited Assets: 0x35596bc57c0Cab856b87854EcC142020A47f6fdF

– Hash Value of Attack Transaction:

0xc09678fec49c643a30fc8e4dec36d0507dae7e9123c270e1f073d335deab6cf0

  • Vulnerability Found in CryptoNinja World

On 22 Feb, a vulnerability was reported in CryptoNinja World, a dApp deployed on Ethereum.

Its “burn(uint256 tokenId) external virtual” function defined in the contract deployed at 0xd93704f2a0eA3Db109dE194D4a51ff3e5e77CEfd did not validate whether the owner of “tokenId” was the msg.sender. This resulted in a vulnerability where any address could burn the NFTs held by any address.
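
The missing ownership check described above, shown beside a corrected form. This is an added example, not the CryptoNinja World source: the contract name `MinimalNFT`, the open `mint()`, and every function other than the `burn(uint256 tokenId)` signature are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration, not the CryptoNinja World contract. Every name except
// the burn(uint256 tokenId) signature is hypothetical.
contract MinimalNFT {
    mapping(uint256 => address) private _owners;
    mapping(uint256 => address) private _approved;
    uint256 public nextId = 1;
    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);
    error NotOwnerNorApproved(address caller, uint256 tokenId);

    function ownerOf(uint256 tokenId) public view returns (address owner) {
        owner = _owners[tokenId];
        require(owner != address(0), "nonexistent token");
    }

    // Open mint so the contract can be exercised in a local test.
    function mint() external returns (uint256 tokenId) {
        tokenId = nextId++;
        _owners[tokenId] = msg.sender;
        emit Transfer(address(0), msg.sender, tokenId);
    }

    function approve(address to, uint256 tokenId) external {
        require(msg.sender == ownerOf(tokenId), "not owner");
        _approved[tokenId] = to;
    }

    // Flawed form matching the description above: msg.sender is never
    // compared with the token's owner, so any caller can burn any token.
    function burnUnchecked(uint256 tokenId) external virtual {
        _burn(tokenId);
    }

    // Hardened form: only the owner or the address approved for this token.
    function burn(uint256 tokenId) external virtual {
        address owner = ownerOf(tokenId);
        if (msg.sender != owner && msg.sender != _approved[tokenId]) {
            revert NotOwnerNorApproved(msg.sender, tokenId);
        }
        _burn(tokenId);
    }

    function _burn(uint256 tokenId) internal {
        address owner = ownerOf(tokenId); // reverts for unknown tokens
        delete _approved[tokenId];
        delete _owners[tokenId];
        emit Transfer(owner, address(0), tokenId);
    }
}
```

A regression test for this class of bug mints a token from one account and asserts that `burn` reverts when called from a second, unapproved account.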

  • Hacker Exploits DaosaurNFT’s Discord Server

On 22 Feb, DaosaurNFT’s Discord server was exploited. DaosaurNFT (@DaosaurNFT) is an NFT project deployed on Ethereum.

  • BAYCs and CLONE X Are Stolen

On 23 Feb, popular NFTs including BAYC 6396, 4587 and CLONE X 3354 were stolen. CLONE X 3354 was sold for 5 ETH, and BAYC 6396 was sold for 67.990 ETH on Blur.

  • Hacker Exploits Level Finance’s Discord Server

On 23 Feb, Level Finance’s Discord server was exploited. Level Finance (@Level_Finance) is a DeFi application deployed on the BNB Chain.

  • Hacker Exploits Rubic’s Discord Server

On 24 Feb, Rubic’s Discord server was exploited. Rubic (@CryptoRubic) is a cross-chain aggregator.

  • Hacker Exploits MurAll’s Discord Server

On 25 Feb, MurAll’s Discord server was exploited. MurAll (@MurAll_art) is a protocol for user-created art on Ethereum. In response, MurAll urged users not to click any links from the MurAll Discord server.

A later update by MurAll stated that, despite the team regaining control of the Discord server, scammers had hijacked the MurAll Discord invite. The invite takes users to a phishing verification bot. As of the time of writing, MurAll will be updating the website.

  • Otherdeed 96085 Is Stolen and Resold on OpenSea

On 26 Feb, a famous NFT, Otherdeed 96085, was stolen and resold on OpenSea for 2.2 ETH in less than 6 minutes.

RUG-PULLS:

  • Hope Finance Rug-pulls

On 21 Feb, Hope Finance, an application deployed on both Ethereum and Celer, was confirmed to be a rug-pull.

The team behind the project leveraged Celer and Uniswap to move all the held ETH to Ethereum and sent 1095 ETH from three addresses to Tornado Cash to cash out.

1095 ETH, worth around US$2 million, were taken in this incident.

Additional Details:

– Attacker’s Addresses

0x957D354d853a1FF03dDa608F3577d24eA18fCecE

0xB83dD80d040C0AB2cd9495E748915275713120a5

0x43B89dE77189b53f93BfF1c6DF8d3d6Fb97BA688

CONCLUSION:

9 notable security incidents occurred in the past week: 1 was a rug-pull and 8 were attacks. Of the 8 attacks, 2 were attacks against smart contracts and the rest were attacks on social media or phishing attacks.

A Reminder for Project Teams: Always test thoroughly. Have smart contracts audited before deploying them on-chain. Be alert to any anomalies in the social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to understand cybersecurity and practice it at a sufficient level.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/
