Feb 27 to Mar 5
From 27 February 2023 to 5 March 2023, all of the security incidents that occurred were hacks.
- Hacker Exploits SwapX’s Lack of Proper Validation for Access Control
On 27 Feb, a hacker attacked SwapX, an application deployed on the BNB Chain, by exploiting a vulnerability in its contract implementation: a function that spends users' approved tokens lacked proper access-control validation, so anyone could invoke it.
Here is how the attack was carried out:
Step 1: the attacker swapped 0.0581 BNB for 1 million DND tokens.
Step 2: the attacker called the function with selector 0x4f1f05bc on the attacked contract. Because the function did not validate who was calling it, it swapped the BUSD of other users, who had previously approved the contract to spend their tokens, into DND.
Step 3: the attacker repeated step 2, then swapped the 1 million DND bought in step 1 for 739.6 WBNB.
By repeating this cycle, the attacker drained crypto assets worth around US $1 million in this incident.
– Attacker’s Address: 0x7d192fa3a48c307100c3e663050291fff786aa1f
– Attacking Contract: 0xc4bea60f5644b20ebb4576e34d84854f9588a7e2
– Attacked Contract: 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01
– Hash Value of Attack Transaction:
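To make this bug class concrete, here is an added illustration. It is not SwapX's code and not a reconstruction of the 0x4f1f05bc function, whose source the page does not show: a minimal "swap on behalf of a user" helper with the missing caller check, next to a hardened version. The IERC20 and IPool interfaces, the contract names and the pool behaviour are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not SwapX's code. Interface names, the pool and the
// contract names are assumptions made for this example.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical pool: pulls `amountIn` of the input token from the caller
// (which must have approved it) and sends the output token back to the caller.
interface IPool {
    function swap(uint256 amountIn, uint256 minAmountOut) external returns (uint256 amountOut);
}

// VULNERABLE: `user` and `recipient` are free parameters. Once a victim has
// approved this contract (a normal step before using any swap helper), any
// caller can spend that allowance and route the proceeds wherever they like.
contract VulnerableSwapHelper {
    IERC20 public immutable tokenIn;
    IERC20 public immutable tokenOut;
    IPool  public immutable pool;

    constructor(IERC20 _in, IERC20 _out, IPool _pool) {
        tokenIn = _in; tokenOut = _out; pool = _pool;
    }

    function swapFor(address user, uint256 amountIn, address recipient) external returns (uint256) {
        // Missing: require(msg.sender == user) or an explicit, revocable delegation check.
        require(tokenIn.transferFrom(user, address(this), amountIn), "pull failed");
        require(tokenIn.approve(address(pool), amountIn), "approve failed");
        uint256 out = pool.swap(amountIn, 0);           // attacker also sets no price floor
        require(tokenOut.transfer(recipient, out), "payout failed");
        return out;
    }
}

// HARDENED: the only allowance this contract can spend is the caller's own,
// and the output always returns to the caller. The caller, who owns the funds,
// supplies the slippage floor and a deadline.
contract HardenedSwapHelper {
    IERC20 public immutable tokenIn;
    IERC20 public immutable tokenOut;
    IPool  public immutable pool;

    constructor(IERC20 _in, IERC20 _out, IPool _pool) {
        tokenIn = _in; tokenOut = _out; pool = _pool;
    }

    function swap(uint256 amountIn, uint256 minAmountOut, uint256 deadline) external returns (uint256) {
        require(block.timestamp <= deadline, "expired");
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(tokenIn.approve(address(pool), amountIn), "approve failed");
        uint256 out = pool.swap(amountIn, minAmountOut);
        require(out >= minAmountOut, "slippage");
        require(tokenOut.transfer(msg.sender, out), "payout failed");
        return out;
    }
}
```

The hardened version never takes the token owner as a parameter: the address whose allowance is spent is always msg.sender. Note that users who approved a contract with the vulnerable pattern remain exposed until they reset the allowance by calling approve(spender, 0) on the token, because it is the contract, not the user, that decides what happens to approved funds.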
- GangstaGuys Warns of Fake Discord Server Alert on Twitter
On 28 Feb, GangstaGuys (@gangstaguysnft), an NFT project deployed on Polygon, warned its followers on Twitter that a fake Discord server had been created to scam users. The project urged users not to join that server, as it is not official, and said the legitimate Discord server can be reached through the link in the project's Twitter bio.
- Hacker Attacks Wickens’ Discord Server
On 1 Mar, Wickens’ Discord server was attacked. Wickens (@WickensNFT) is an NFT project deployed on Ethereum.
- Hacker Attacks Doge Pound’s Discord Server
On 1 Mar, Doge Pound’s Discord server was attacked. Doge Pound (@TheDogePoundNFT) is an NFT project deployed on Ethereum.
- Aliquo Releases Post-Mortem in Light of Discord Server Attack
On 1 Mar, the Discord server of Aliquo (@aliquoxyz), an NFT project deployed on Ethereum, was attacked.
In a post-mortem, the project detailed how the scammer had waited in the official server for an opportune moment to carry out the phishing attack. The attacker had created a phishing URL and disguised it as a "surprise 'airdrop'".
The project urged users to leave the Discord server while the investigation is ongoing. It also assured users that it has no plans to launch additional tokens beyond its flagship AQ1, and that it will not conduct "airdrops" to distribute royalty earnings.
- Hacker Attacks Metaclub Society’s Discord Server
On 2 Mar, Metaclub Society’s Discord server was attacked. Metaclub Society (@MetaclubSociety) is an NFT project deployed on Ethereum.
- Hacker Exploits Alexa Pro
On 5 Mar, a hacker exploited Alexa Pro (@alexapro100), an application deployed on the BNB Chain.
45 BNB, worth around US $13,046, were stolen in this incident.
- NFT Project Friends in High Places Announces Discord Server Attacked
On 5 Mar, Friends in High Places (@FiHPnft), an NFT project deployed on Ethereum, announced on Twitter that its Discord server had been attacked. The account urged users not to sign up for the airdrop being advertised, as one of its moderators' accounts had been hacked.
In a later update, the project announced that the Discord server was back in operation and invited users who had left to rejoin.
- Goofy Gophers Mining Club Announced Hack on Discord Server
On 5 Mar, Goofy Gophers Mining Club (@GGMC_nft), an NFT project deployed on Cardano, announced on Twitter that its Discord server had been breached.
The project explained that the hacker had gained access to the server overnight, while the team was asleep, banned the moderators, shut down all channels of communication and posted several ETH airdrop scam links in the announcements channel. The links led to ETH scam sites that drained the MetaMask wallets of users who connected to them.
In a later update, Goofy Gophers Mining Club announced that the Discord server was fully back under the project's control. Going forward, the team will limit the permissions of its 'hot' accounts. It has also asked affected users to "reach out to the team".
Nine notable security incidents occurred in the past week: seven were attacks on social media accounts or phishing attacks, one targeted a smart contract and one targeted an individual.
A Reminder for Project Teams: Always test thoroughly. Have smart contracts audited before deploying them on-chain. Stay alert to anomalies in the social media accounts and community servers you manage.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without an established reputation.
It is important for everyone in the crypto community to understand and practise an adequate level of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at