Weekly Blockchain Security Watch

Apr 10 to Apr 16

The security incidents that occurred from April 10, 2023 to April 16, 2023 can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Terraport Finance’s Liquidity Wallet Breached

On April 10, Terraport Finance’s team announced that they had a breach of their liquidity wallet. At the time of writing, the Terraport team was still investigating the breach.

No specific amount of loss was reported.

Terraport Finance is a DeFi application deployed on the Terra Classic blockchain.

  2. Meta Skyer Suffers Flash-loan Attack

On April 10, Meta Skyer (SKYER), a project deployed on the BNB chain, suffered a flash-loan attack.

Its token SKYER is deployed at 0x6B77C9202d6E91B8f7B8F0372280db98406005E3 on the BNB chain.

Crypto assets worth around US $20,000 were exploited in this incident.

  3. South Korean Exchange GDAC Suffers Wallet Compromise

On April 10, South Korean exchange GDAC experienced a private key compromise.

At the time of writing, crypto assets worth around US $13,000,000 were exploited.

  4. South Korean Exchange GDAC Suffers Wallet Compromise

On April 11, South Korean exchange GDAC experienced a private key compromise.

Crypto assets worth around US $13M were exploited in this incident.

  5. Paribus Suffers Re-entrancy Attack

On April 11, Paribus, a project deployed on Cardano, experienced a re-entrancy attack.

Crypto assets worth around US $67,000 were exploited in this incident.

  6. Mean DAO’s Discord Server Compromised

On April 11, the Discord server of Mean DAO (@meanfinance) was compromised. Mean DAO is a DeFi application deployed on Solana.

  7. MetaPoint Suffers Exploit

On April 12, MetaPoint, a project deployed on the BNB chain, suffered an exploit.

The root cause of this issue was that it gave the caller of the function access to the $META tokens without any restriction.

2513 BNB worth around US $811,000 were exploited in this incident.

  8. Chimps Discord Server Compromised

On April 13, the Discord server of Chimps (@chimpsverse) was compromised and a phishing link was sent in the Discord server. Chimps is a project deployed on Solana.

  9. Suteki – SAISEI’s Discord Server Compromised

On April 13, the Discord server of Suteki-SAISEI (@Suteki_NFT) was compromised. Suteki is an NFT project deployed on Solana.

  10. Saved Souls Discord Server Compromised

On April 14, the Discord server of Saved Souls (@SavedSoulsNFT) was compromised. Saved Souls is an NFT project deployed on Ethereum.

  11. Bitrue Suffers Exploit

On April 14, Bitrue, a centralized crypto exchange, suffered an exploit.

Specifically, one of the exchange’s hot wallets was breached. Crypto assets including ETH, QNT, GALA, SHIB, HOT and MATIC were stolen.

The Bitrue team claimed that the affected hot wallet held less than 5% of its overall funds, and that the rest of its wallets remained secure and had not been compromised.

Crypto assets worth around US $23,000,000 were exploited in this incident.

  12. Walker World’s Twitter Account Compromised

On April 15, the Twitter account of Walker World (@walkerworld_) was compromised and a phishing link was sent from the Twitter account. Walker World is a project deployed on Ethereum.

  13. Hundred Finance Suffers Exploit

On April 15, Hundred Finance, a DeFi application deployed on Optimism, suffered an exploit.

The team announced on their Twitter account that they had been hacked on Optimism. The exchange rate formula was manipulated through the cash value. The attacker exploited this to borrow a large amount of tokens, and then got the amount back after the exchange rate was manipulated by redeeming 1 hToken.

Crypto assets worth around US $7,400,000 were exploited in this incident.

  14. Swapos V2 Suffers Exploit

On April 16, Swapos V2, a DeFi application deployed on Ethereum, suffered an exploit.

Crypto assets worth around US $468,000 were exploited in this incident.

RUG-PULLS:

  1. SyncDexOG Confirmed to Be Rug-pull

On April 12, SyncDex (@SyncDex_Finance), a project deployed on zkSync, was confirmed to be a rug-pull.

200 ETH worth around US $383,000 were exploited in this incident.

CONCLUSION:

15 notable security incidents have occurred in the past week. 14 were security attacks and 1 was a rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Apr 3 to Apr 9

The security incidents that occurred from April 3, 2023 to April 9, 2023 can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Sentiment Suffers Re-entrancy Attack

On April 4, Sentiment, a project deployed on Arbitrum, suffered a re-entrancy attack.

At the time of writing, the Sentiment team had pushed a fix that remediated the vulnerability.

Crypto assets worth around US $1 million were exploited in this incident.

  2. MOM Suffers Exploit

On April 8, MOM, a token deployed on Polygon, suffered an exploit.

The root cause of this issue was that its claim function didn’t have a proper check for its parameter.

For more details please refer to the link:

Crypto assets worth around US $185,000 were exploited in this incident.

  3. SushiSwap Suffers Exploit

On April 9, SushiSwap, a famous DeFi application deployed on multiple blockchains including Ethereum, Polygon, BNB Chain and Fantom, was exploited.

The root cause of this incident was that its RouteProcessor2 contract had a vulnerability in the approval of token spending.

This vulnerability was exploited to steal crypto assets worth around US $3.3 million.

Users who have interacted with SushiSwap on Ethereum, BNB chain, Polygon, Fantom and AVAX during the last four to five days should revoke their approvals as soon as possible.
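To act on the revocation advice above, a user or wallet team first needs to know which approvals to the affected contract are still in force. The following is an added example, not code from this newsletter or from SushiSwap: it replays ERC-20 Approval event logs (in the JSON shape returned by `eth_getLogs`) and lists the owners whose latest approval to a given spender is non-zero. The spender address, token addresses and log entries are constructed placeholders, since the page gives no contract address.

```python
# ERC-20 Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender):
    """Map (token, owner) -> value of the latest non-zero approval to `spender`."""
    spender = spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-721 Approval shares this topic but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {key: value for key, value in latest.items() if value > 0}

# --- constructed sample data; every address below is a placeholder ---
SPENDER = "0x" + "aa" * 20   # stands in for the vulnerable router (address not given on the page)
OTHER = "0x" + "bb" * 20
TOKEN_1, TOKEN_2 = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20

def make_topic(addr):
    return "0x" + "00" * 12 + addr[2:]

def make_log(token, owner, spender, value, block, index):
    return {"address": token, "topics": [APPROVAL_TOPIC, make_topic(owner), make_topic(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    make_log(TOKEN_1, ALICE, SPENDER, 0, 32, 1),            # Alice later revoked
    make_log(TOKEN_1, ALICE, SPENDER, MAX_UINT256, 16, 0),  # her original unlimited approval
    make_log(TOKEN_2, ALICE, SPENDER, 500, 21, 0),
    make_log(TOKEN_1, BOB, SPENDER, MAX_UINT256, 18, 3),
    make_log(TOKEN_1, BOB, OTHER, 1000, 19, 0),             # different spender: ignored
]

if __name__ == "__main__":
    for (token, owner), value in outstanding_approvals(SAMPLE_LOGS, SPENDER).items():
        label = "unlimited" if value == MAX_UINT256 else str(value)
        print(f"{owner} still approves {label} of {token}")
```

Approval events record the value that was last set, not what remains after spending, so treat the output as a list of candidates and confirm each one with the token's `allowance(owner, spender)` call before and after revoking.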

RUG-PULLS:

  1. OG Fan Token Suspected to Be Rug-pull

On April 9, OG Fan token, a project deployed on the BNB chain, was suspected to be a rug-pull.

For more details please refer to the link:

CONCLUSION:

4 notable security incidents have occurred in the past week. 3 were security attacks and 1 was a rug-pull.

It is worth noting that SushiSwap suffered an exploit due to an approval bug that should have been detected had the contract been professionally audited.


Weekly Blockchain Security Watch (Mar 27 to Apr 2)

The security incidents that occurred from March 27, 2023 to April 2, 2023 were all Security Hacks.

SECURITY HACKS:

  1. SafeMoon Suffers From Flash-loan Attack

On March 29, SafeMoon, a project deployed on the BNB chain, suffered from a flash-loan attack.

The root cause was that the contracts were upgraded such that anyone could burn tokens from any address that held the token.

The hacker exploited this vulnerability to inflate the SafeMoon token’s price and exchanged the SafeMoon tokens they held for WBNB.

Crypto assets worth around US $8.9 million were exploited in this incident.

  2. Phishing Link Posted in YogaPetz’s Discord Server

On April 1, a phishing link was posted in the Discord server of YogaPetz (@Yogapetz), an NFT project deployed on Ethereum.

  3. Phishing Link Posted in Mark Sunset’s Twitter Account

On April 1, a phishing link was posted in the Twitter account of Mark Sunset (@sunsetventurer), an influencer on Twitter.

  4. Allbridge Suffers From Flash-loan Attack

On April 2, Allbridge, a project deployed on multiple blockchains including the BNB chain, suffered from a flash-loan attack.

The root cause was that the token price of an Allbridge pool could be manipulated.

Crypto assets worth around US $574,000 were exploited in this incident.

  5. Phishing Link Posted in Raise Finance’s Discord Server

On April 2, a phishing link was posted in the Discord server of Raise Finance (@raise_fi), a wallet project deployed on zkSync.

CONCLUSION:

5 notable security incidents have occurred in the past week. 3 were attacks on social media and 2 were attacks on smart contracts.

It is worth noting that the unaudited contracts led to a loss of crypto assets worth around US $8.9 million for SafeMoon.
