Weekly Blockchain Security Watch

Apr 10 to Apr 16

From April 10 to April 16, 2023, the security incidents that occurred fall into two categories: Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Terraport Finance's Liquidity Wallet Breached

On April 10, Terraport Finance's team announced a breach of their liquidity wallet. At the time of writing, the team was still investigating the breach.

No specific amount of loss was reported.

Terraport Finance is a DeFi application deployed on the Terra Classic blockchain.

  2. Meta Skyer Suffers Flash-loan Attack

On April 10, Meta Skyer (SKYER), a project deployed on the BNB chain, suffered a flash-loan attack.

Its token SKYER is deployed at 0x6B77C9202d6E91B8f7B8F0372280db98406005E3 on the BNB chain.

Crypto assets worth around US $20,000 were exploited in this incident.

  3. South Korean Exchange GDAC Suffers Wallet Compromise

On April 10, South Korean exchange GDAC experienced a private key compromise.

At the time of writing, crypto assets worth around US $13,000,000 had been stolen.

  4. Paribus Suffers Re-entrancy Attack

On April 11, Paribus, a project deployed on Cardano, experienced a re-entrancy attack.

Crypto assets worth around US $67,000 were exploited in this incident.

  5. Mean DAO's Discord Server Compromised

On April 11, the Discord server of Mean DAO (@meanfinance) was compromised. Mean DAO is a DeFi application deployed on Solana.

  6. MetaPoint Suffers Exploit

On April 12, MetaPoint, a project deployed on the BNB chain, suffered an exploit.

The root cause was a function that gave any caller access to the $META tokens it controlled, with no access-control check on who was calling.

2513 BNBs worth around US $811,000 were exploited in this incident.

  7. Chimps' Discord Server Compromised

On April 13, the Discord server of Chimps (@chimpsverse) was compromised and a phishing link was posted in it. Chimps is a project deployed on Solana.

  8. Suteki - SAISEI's Discord Server Compromised

On April 13, the Discord server of Suteki-SAISEI (@Suteki_NFT) was compromised. Suteki is an NFT project deployed on Solana.

  9. Saved Souls' Discord Server Compromised

On April 14, the Discord server of Saved Souls (@SavedSoulsNFT) was compromised. Saved Souls is an NFT project deployed on Ethereum.

  10. Bitrue Suffers Exploit

On April 14, Bitrue, a centralized crypto exchange, suffered an exploit.

Specifically, one of the exchange's hot wallets was breached. Crypto assets including ETH, QNT, GALA, SHIB, HOT and MATIC were stolen.

Bitrue's team said the affected hot wallet held less than 5% of its overall funds and that its other wallets remained secure and had not been compromised.

Crypto assets worth around US $23,000,000 were exploited in this incident.

  11. Walker World's Twitter Account Compromised

On April 15, the Twitter account of Walker World (@walkerworld_) was compromised and a phishing link was posted from it. Walker World is a project deployed on Ethereum.

  12. Hundred Finance Suffers Exploit

On April 15, Hundred Finance, a DeFi lending application deployed on Optimism, suffered an exploit.

The team announced on its Twitter account that it had been hacked on Optimism. The attacker manipulated the hToken exchange rate, which the protocol computes from the market's cash balance (the underlying tokens the market holds) divided by the number of hTokens outstanding. By inflating the cash in a market with almost no hTokens in circulation, a tiny hToken position was valued as a large amount of collateral, which the attacker used to borrow a large amount of other tokens; the attacker then recovered the funds used for the manipulation by redeeming 1 hToken.

Crypto assets worth around US $7,400,000 were exploited in this incident.
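To make the mechanism concrete, the following is an added Python model, not Hundred Finance's or Compound's contract code. It reproduces the Compound-style accounting Hundred inherited, with exchangeRate = cash / totalSupply (borrows and reserves omitted), Compound's default initial rate of 0.02, and an assumed 70% collateral factor with debt valued in the same units as the underlying. It walks through the empty-market attack described above: leave two wei of hTokens outstanding, donate underlying to inflate the rate, borrow against the inflated valuation, then redeem the whole donation for a single hToken because redeemUnderlying rounds the share count down. The seeded market shows one assumed mitigation, minting unredeemable shares to a dead address at listing, under which the drain step is rejected.

```python
"""Compound-style empty-market exchange-rate manipulation (added illustration)."""

SCALE = 10**18
INITIAL_RATE = 2 * 10**16      # Compound's default 0.02 underlying per hToken (assumed)
COLLATERAL_FACTOR_PCT = 70     # assumed collateral factor; debt is valued 1:1 with cash


class Market:
    """One hToken market. Borrows and reserves are left out of the rate for clarity."""

    def __init__(self, seed_shares: int = 0):
        self.cash = 0              # underlying held by the market
        self.total_supply = 0      # hTokens outstanding
        self.shares = {}           # hToken balance per account
        self.debt = {}             # underlying borrowed per account
        if seed_shares:
            # Assumed mitigation: the lister mints shares to a dead address so the
            # supply can never be driven down to a handful of wei.
            self.cash = seed_shares * INITIAL_RATE // SCALE
            self.total_supply = seed_shares
            self.shares["dead"] = seed_shares

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * SCALE // self.total_supply

    def collateral_value(self, who: str, minus_shares: int = 0) -> int:
        held = self.shares.get(who, 0) - minus_shares
        return held * self.exchange_rate() // SCALE * COLLATERAL_FACTOR_PCT // 100

    def mint(self, who: str, amount: int) -> int:
        minted = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, amount: int) -> None:
        self.cash += amount        # a plain ERC-20 transfer into the market

    def borrow(self, who: str, amount: int) -> None:
        if self.debt.get(who, 0) + amount > self.collateral_value(who):
            raise ValueError("insufficient collateral")
        self.debt[who] = self.debt.get(who, 0) + amount

    def redeem_tokens(self, who: str, shares: int) -> int:
        underlying = shares * self.exchange_rate() // SCALE   # floors to 0 for tiny positions
        self._burn(who, shares, underlying)
        return underlying

    def redeem_underlying(self, who: str, amount: int) -> int:
        shares = amount * SCALE // self.exchange_rate()      # rounded DOWN, as in Compound
        # Comptroller-style check: the shares left must still cover the debt.
        if self.collateral_value(who, minus_shares=shares) < self.debt.get(who, 0):
            raise ValueError("redeem would leave the account undercollateralised")
        self._burn(who, shares, amount)
        return shares

    def _burn(self, who: str, shares: int, underlying: int) -> None:
        if self.shares.get(who, 0) < shares or self.cash < underlying:
            raise ValueError("insufficient balance")
        self.shares[who] -= shares
        self.total_supply -= shares
        self.cash -= underlying


def empty_market_attack(market: Market, donation: int) -> int:
    """Run the attack; return the attacker's net gain in underlying units."""
    market.mint("attacker", 1)                                        # 1 wei -> 50 hTokens
    market.redeem_tokens("attacker", market.shares["attacker"] - 2)   # keep exactly 2 hTokens
    market.donate(donation)                                           # rate = cash / 2
    # Borrow against the one hToken that will remain after the redeem below.
    loan = market.collateral_value("attacker", minus_shares=1)
    market.borrow("attacker", loan)
    # Pull the whole donation back out; floor rounding charges only 1 hToken for it.
    recovered = market.cash - 1
    market.redeem_underlying("attacker", recovered)
    return recovered + loan - (1 + donation)


def attack_gain(seed_shares: int, donation: int):
    """Gain on a fresh market with the given seed, or None if the drain is rejected."""
    try:
        return empty_market_attack(Market(seed_shares), donation)
    except ValueError:
        return None
```

With no seed and a donation of 500 units the attacker walks away with 70% of half the donation, and the market is left with 1 wei of cash backing the loan. With the market seeded at listing the donated cash is simply shared with the dead shares, the attacker's two hTokens are worth nothing, and the redeem that would pull the donation back is refused.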

  13. Swapos V2 Suffers Exploit

On April 16, Swapos V2, a DeFi application deployed on Ethereum, suffered an exploit.

Crypto assets worth around US $468,000 were exploited in this incident.

RUG-PULLS:

  1. SyncDex Confirmed to Be Rug-pull

On April 12, SyncDex (@SyncDex_Finance), a project deployed on zkSync, was confirmed to be a rug-pull.

200 ETH worth around US $383,000 were taken in this incident.

CONCLUSION-

14 notable security incidents occurred in the past week: 13 were security attacks and 1 was a rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Apr 3 to Apr 9

From April 3 to April 9, 2023, the security incidents that occurred fall into two categories: Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Sentiment Suffers Re-entrancy Attack

On April 4, Sentiment, a project deployed on Arbitrum, suffered a re-entrancy attack.

At the time of writing, the Sentiment team had pushed a fix that remediated the vulnerability.

Crypto assets worth around US $1 million were exploited in this incident.

  2. MOM Suffers Exploit

On April 8, MOM, a token deployed on Polygon, suffered an exploit.

The root cause was that its claim function did not properly validate its parameter.

Crypto assets worth around US $185,000 were exploited in this incident.

  3. SushiSwap Suffers Exploit

On April 9, SushiSwap, a well-known DeFi application deployed on multiple blockchains including Ethereum, Polygon, BNB Chain and Fantom, was exploited.

The root cause was a vulnerability in how its RouteProcessor2 contract handled token-spending approvals: tokens that users had approved to the contract could be pulled out by an attacker.

This vulnerability was exploited to steal crypto assets worth around US $3.3 million.

Users who interacted with SushiSwap on Ethereum, BNB Chain, Polygon, Fantom or Avalanche during the preceding four to five days should revoke any approvals granted to the RouteProcessor2 contract as soon as possible.

RUG-PULLS:

  1. OG Fan Token Suspected to Be Rug-pull

On April 9, OG Fan Token, a project deployed on the BNB chain, was suspected to be a rug-pull.

CONCLUSION-

4 notable security incidents occurred in the past week: 3 were security attacks and 1 was a rug-pull.

It is worth noting that SushiSwap was exploited through an approval bug that a professional audit should have detected.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.


Weekly Blockchain Security Watch (Mar 27 to Apr 2)

From March 27 to April 2, 2023, all the security incidents that occurred were Security Hacks.

SECURITY HACKS:

  1. SafeMoon Suffers Flash-loan Attack

On March 29, SafeMoon, a project deployed on the BNB chain, suffered a flash-loan attack.

The root cause was a contract upgrade that left the token's burn function callable by anyone, so any caller could burn tokens from any address that held the token.

The attacker burned the SafeMoon tokens held by the liquidity pool to inflate the token's price, then swapped the SafeMoon tokens it held for WBNB.

Crypto assets worth around US $8.9 million were exploited in this incident.
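As an added illustration of this class of bug, not SafeMoon's actual contract, the Python model below pairs a token whose burn function never checks the caller with a constant-product pool (no swap fee, constructed reserves). The attack borrows WBNB, buys the token, burns the pool's holding down to a single token, which drives the spot price up, sells back into the pool and repays the loan. The hardened variant restricts burn to the holder or the owner, and the same attack then has to unwind at a loss.

```python
"""Publicly callable burn against a constant-product pool (added illustration)."""


class Token:
    """Minimal token whose burn has no caller check (the vulnerable pattern)."""

    def __init__(self, balances: dict, owner: str):
        self.balances = dict(balances)
        self.owner = owner

    def burn(self, caller: str, account: str, amount: int) -> None:
        # Vulnerable: `caller` is never checked, so anyone can burn anyone's tokens.
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[account] -= amount

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class HardenedToken(Token):
    def burn(self, caller: str, account: str, amount: int) -> None:
        # Fix: only the holder (or the owner, for admin burns) may burn.
        if caller != account and caller != self.owner:
            raise PermissionError("burn: caller is not the holder or owner")
        super().burn(caller, account, amount)


class Pool:
    """x*y=k pool of TOKEN against WBNB; no swap fee (assumed)."""

    ADDRESS = "pool"

    def __init__(self, token: Token, wbnb_reserve: int):
        self.token = token
        self.wbnb = wbnb_reserve

    def token_reserve(self) -> int:
        return self.token.balances.get(self.ADDRESS, 0)   # read live, as a real pair does

    def buy_tokens(self, buyer: str, wbnb_in: int) -> int:
        out = self.token_reserve() * wbnb_in // (self.wbnb + wbnb_in)
        self.wbnb += wbnb_in
        self.token.transfer(self.ADDRESS, buyer, out)
        return out

    def sell_tokens(self, seller: str, token_in: int) -> int:
        out = self.wbnb * token_in // (self.token_reserve() + token_in)
        self.token.transfer(seller, self.ADDRESS, token_in)
        self.wbnb -= out
        return out


def flash_loan_burn_attack(token: Token, pool: Pool, loan: int):
    """Borrow WBNB, buy tokens, burn the pool's tokens, sell back, repay.

    Returns the attacker's WBNB profit, or None if the burn is rejected."""
    bought = pool.buy_tokens("attacker", loan)
    try:
        # Burn everything the pool holds but 1 token: spot price becomes wbnb / 1.
        token.burn("attacker", Pool.ADDRESS, pool.token_reserve() - 1)
    except PermissionError:
        pool.sell_tokens("attacker", bought)      # unwind so the flash loan can be repaid
        return None
    received = pool.sell_tokens("attacker", bought)
    return received - loan


def make_scenario(hardened: bool):
    """Constructed reserves: 1,000,000 tokens against 1,000 WBNB."""
    cls = HardenedToken if hardened else Token
    token = cls({Pool.ADDRESS: 1_000_000}, owner="deployer")
    return token, Pool(token, wbnb_reserve=1_000)
```

With a 100 WBNB flash loan the vulnerable scenario ends with the attacker holding almost the pool's entire WBNB reserve; with the hardened token the burn is refused, the unwinding sale returns a little less than the loan because of rounding, and the pool is left untouched.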

  2. Phishing Link Posted in YogaPetz's Discord Server

On April 1, a phishing link was posted in the Discord server of YogaPetz(@Yogapetz), an NFT project deployed on Ethereum.

  3. Phishing Link Posted on Mark Sunset's Twitter Account

On April 1, a phishing link was posted on the Twitter account of Mark Sunset (@sunsetventurer), an influencer on Twitter.

  4. Allbridge Suffers Flash-loan Attack

On April 2, Allbridge, a project deployed on multiple blockchains including the BNB chain, suffered a flash-loan attack.

The root cause was that the token price in an Allbridge pool could be manipulated.

Crypto assets worth around US $574,000 were exploited in this incident.

  5. Phishing Link Posted in Raise Finance's Discord Server

On April 2, a phishing link was posted in the Discord server of Raise Finance(@raise_fi), a wallet project deployed on zkSync.

CONCLUSION-

5 notable security incidents have occurred in the past week. 3 were attacks on social media and 2 were attacks on smart contracts.

It is worth noting that unaudited contracts led to a loss of crypto assets worth around US $8.9 million for SafeMoon.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.


Weekly Blockchain Security Watch (Jan 16 to Jan 22)

From 16 January to 22 January 2023, all the security incidents that occurred were Security Hacks.

SECURITY HACKS:

  1. Hacker Attacks 520 on BNB Chain

On 16 Jan, 520, a dApp deployed on the BNB chain, was attacked with a flash loan.

The root cause was a vulnerability in the contract's procBack function.

Crypto assets worth around US $16,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x286e09932b8d096cba3423d12965042736b8f850

– Attacked Contract: 0x5200f3418B55E814315242a903A1d7C2d0d0B520

– Hash Value of Attack Transaction:

0xccb8c1cfef6de8a71d95886fe49914ca73689f9864286941960b4c23a5d542c6

  2. Hacker Attacks OMNI Real Estate Token

On 17 Jan, the OMNI Real Estate token, deployed on the BNB chain, was attacked.

More than 236 BNB worth around US $70,705 were exploited in this inc1ident.

  3. Hacker Attacks MEV Bot on BNB Chain

On 18 Jan, a hacker attacked a MEV bot deployed on the BNB chain.

Crypto assets worth around US $108,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xa7F5B4A43B6AaED120f8e3C70e65B662d3352c05

– Attacking Contract: 0xF0BE9805fe8E393e8F768Fe8fE4D8b8531D2f61e

– Attacked Contract (MEV bot): 0x5f3239AA0553A5c496e1AEc831f1E41847faA3D0

– Hash Value of Attack Transaction:

0xab78dca427d84c018401873d18517027a00623b6ce20fab19c8c03b825fffb32

  4. Hacker Attacks Quaternion

On 18 Jan, a hacker attacked Quaternion, a B2B and B2C service provider.

The root cause was an incorrect conditional check in the QTN token contract. The hacker funded the attack with gas obtained from the Ankr Exploiter address on the BNB chain.

2.546 WETH worth around US $3,800 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x88a2386e7ec97ad1e7a72176a66b6d0711ae3527

– Attacking Contract: 0xa33c965ca6d3bdc42bdb23a79081757090eb7700

  5. Hacker Attacks UpSwing Finance

On 18 Jan, a hacker used a flash loan to attack UpSwing Finance, a dApp deployed on Ethereum.

The dApp had been inactive since October 2020.

22 ETH worth around US $35,500 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x8a2d94ea342cbdd6d57db614b24f20cae286cac6

– Hash Value of Attacking Transaction: 

0xd099a41830b964e93415e9a8607cd92567e40d3eeb491d52f3b66eee6b0357eb

  6. Hacker Attacks Thoreum Finance

On 19 Jan, a hacker attacked Thoreum Finance, a dApp deployed on the BNB chain.

The root cause was that when a wallet transferred tokens to itself, its balance increased instead of staying the same.

It was also suspected that the contract deployer's private key had been leaked, allowing the hacker to deploy a new contract and then upgrade the proxy contract to point at that malicious contract.

The attacker deposited BNB to obtain WBNB, used the vulnerability to mint THOREUM tokens, swapped all the minted tokens for WBNB on BiSwap and sent the proceeds back to its own address.

2,260 BNB worth around US $580,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x1ae2dc57399b2f4597366c5bf4fe39859c006f99

– Hash Value of Attacking Transaction: 

0x5058c820fa0bb0daff2bd1b30151cf84c618dffe123546223b7089c8c2e18331
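The balance bug described above is a classic read-then-write mistake. The Python model below is an added illustration, not Thoreum's code: the vulnerable transfer caches both balances before writing them, so when sender and recipient are the same address the second write overwrites the debit and the balance grows by the transferred amount. The fixed version debits first and reads the recipient balance fresh, so repeated self-transfers leave the supply unchanged.

```python
"""Self-transfer balance inflation and its fix (added illustration)."""


class VulnerableToken:
    """Transfer that caches both balances before writing: self-transfers create tokens."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        sender_balance = self.balances.get(sender, 0)
        recipient_balance = self.balances.get(recipient, 0)   # stale when recipient == sender
        if sender_balance < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_balance - amount
        # When recipient == sender this overwrites the debit above with balance + amount.
        self.balances[recipient] = recipient_balance + amount

    def total_supply(self) -> int:
        return sum(self.balances.values())


class FixedToken(VulnerableToken):
    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # Fix: debit first, then read the recipient balance fresh from storage.
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def inflate_by_self_transfer(token: VulnerableToken, who: str, rounds: int) -> int:
    """Send the full balance to oneself `rounds` times; return the final balance."""
    for _ in range(rounds):
        token.transfer(who, who, token.balances[who])
    return token.balances[who]


def supply_is_conserved(token_cls, initial_supply: int = 100) -> bool:
    """Property a test suite should check: transfers never change the total supply."""
    token = token_cls({"attacker": initial_supply})
    inflate_by_self_transfer(token, "attacker", rounds=5)
    return token.total_supply() == initial_supply
```

Starting from 100 tokens, five self-transfers of the full balance leave the vulnerable token at 3,200 and the fixed token at 100. The conservation check at the end is the kind of invariant a fuzzing or unit test would have caught before deployment.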

  7. Kraken Freezes Solaris BTC Wallet

On 22 Jan, it was reported that a BTC wallet belonging to Solaris had been frozen by Kraken, a rival darknet marketplace rather than the cryptocurrency exchange of the same name. Solaris is a darknet platform for illegal products and drugs, and before this it accounted for about one fifth of all darknet illegal transactions.

Kraken not only froze the BTC wallet but also took control of Solaris' infrastructure, GitLab repository and source code.

CONCLUSION-

7 notable security incidents occurred in the past week, most of them attacks against smart contracts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.


Weekly Blockchain Security Watch (Jan 2 to Jan 8)

From 2 January to 8 January 2023, all the security incidents that occurred were Security Hacks.

SECURITY HACKS:

1. RTFKT's COO Nikhil Gopalani Announces He Suffered a Phishing Attack

On 3 Jan, RTFKT's COO Nikhil Gopalani (@Nikgopalani) announced on Twitter that he had suffered a phishing attack and that the hacker had sold all his CloneX NFTs along with other NFTs.

He lost around US $300,000 worth of crypto assets in this incident.

2. Worlds Beyond Announces Discord Hacked

On 3 Jan, Worlds Beyond (@WorldsBeyondNFT), an NFT project on Ethereum, announced on Twitter that their Discord account had been hacked and their server temporarily compromised. The account also reported that all staff had been banned from the server.

The account later reminded users that they will “never stealth mint” and urged users to only use their official links to avoid potential scams or hacks.

As of the time of writing, investigations are still ongoing, and the project has opened channels in Discord to aid affected users.

3. Hacker Exploits Missing Validation in GDS Reward Function

On 3 Jan, GDS Chain's application deployed on the BNB chain was attacked.

The root cause was that its “_lpRewardAmount” function lacked validation of its settings. The hacker used a flash loan to exploit this vulnerability.

After the hack, the GDS’ price crashed by 84% and crypto assets worth around US $187,000 were exploited.

Additional Details:

– Attacker’s Address: 0xcF2362B46669E04B16D0780cf9B6e61c82De36a7

– Hash Value of Attack Transaction:

0x2bb704e0d158594f7373ec6e53dc9da6c6639f269207da8dab883fc3b5bf6694

4. Cirrus Announces Holders of CryptoPunks, BAYCs and Meebits Suffered Phishing Scams

On 4 Jan, NFT community member Cirrus (@CirrusNFT) announced on Twitter that holders of CryptoPunks, BAYCs and Meebits had suffered phishing scams. CryptoPunks 4607 and 965 and BAYC 1723 were stolen.

Later, Twitter user @CryptoNovo311 claimed that 4 CryptoPunks in his possession were stolen.

CryptoPunks and BAYCs worth more than 600 ETH (US $748,800) were exploited in these attacks.

It was also suspected that the hacker had stolen 111 KUMALEON NFTs and used FixedFloat to cash out.

Additional Details:

– Attacker’s Address: 0x8E25Ab3382ad5bde35A09E72d3b9a851A7cC8d00

– Attacked Address: 0x52aD8f3C506aA25b954276c5456060DAd6f3Fd7b

5. Hacker Exploits Whale Holder of GMX Through Phishing Attack

On 4 Jan, a whale holder of GMX suffered a phishing attack on the BNB chain.

The attacker stole 82,519 GMX worth around US $3.4 million, swapped them for 2,627 ETH and bridged the ETH from the BNB chain to Ethereum.

6. Hacker Attacks Deviants’ Discord Server

On 4 Jan, a hacker attacked Deviants’ discord server. Deviants is an NFT project on Ethereum.

7. Inkwork Labs Announce Discord Server Compromised

On 5 Jan, Inkwork Labs (@InkworkLabs), an NFT project on Solana, announced on Twitter that their Discord server had been compromised. The account later posted a follow-up thread revealing that one of their “now older mods, Krypto King#0036” had clicked on a malicious link that caused a Dyno bypass. Dyno is a Discord bot used for purposes such as moderation and user verification.

The account also reported that although the attackers had gained access to the server earlier, the attack was not conducted until everyone was away.

Inkwork Labs also reported that the accounts associated with the exploit had been identified and banned. They urged users not to click on any links unless a drop is scheduled, and advised users to “always double check the user who’s posting the announcement. ALWAYS.”

Relevant channels for affected users have been opened for further assistance.

8. Hacker Attacks Twitter User @TheViralFever

On 6 Jan, a hacker launched a phishing attack against Twitter user @TheViralFever by sending the user a fake ENS airdrop link.

9. Hacker Attacks PanksNotDed’s Discord Server

On 7 Jan, a hacker attacked PanksNotDed’s discord server. PanksNotDed is an NFT project on Ethereum.

10. Hacker Attacks Cyber Kongz’s Discord Server

On 7 Jan, a hacker attacked Cyber Kongz’s discord server. Cyber Kongz is an NFT project on Ethereum.

11. Mycelium Announces Attack Due to Issue with ETH-USD Price Feed

On 7 Jan, the team behind Mycelium (@mycelium_xyz), a DeFi perpetuals application deployed on Arbitrum, announced on Twitter that it had been attacked.

The team attributed the attack to an issue with its ETH-USD price feed. Around 4% to 6% of the total assets in its MLP pool, totaling around US $300,000, were exploited.

At the time of writing, the issue had been fixed and the application was back in operation.

12. Hacker Attacks Yaypegs’s Discord Server

On 8 Jan, a hacker attacked Yaypegs’s discord server. Yaypegs is an NFT project on Ethereum.

13. Hacker Attacks Mech’s Discord Server

On 8 Jan, a hacker attacked Mech’s discord server. Mech is an NFT project on Polygon.

CONCLUSION-

13 notable security incidents have occurred in the past week. Most of them were phishing attacks against Discord or Twitter accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.


Weekly Blockchain Security Watch (Dec 26 to Jan 1)

From 26 December 2022 to 1 January 2023, all the security incidents that occurred were Security Hacks.

SECURITY HACKS:

  1. BitKeep's Client Gets Hacked

On 26 Dec, the team behind BitKeep, a popular wallet, said that some of the wallet's download links had been hijacked by hackers and replaced with links serving malware.

It was reported that many BitKeep users were affected and that crypto assets worth around US $3 million were exploited.

The attacker’s address was 0xC6f70B2bC123936B486Bc89110243108FF93B21e on the BNB chain.  

  2. Hacker Attacks PECO and DFI

On 26 Dec, Amun, an index product provider, said that two of its applications deployed on Polygon, PECO and DFI, had been attacked.

The attacker was identified as 0xf8b17Df4da32FAfDdA970aE1f76D2DbfF7091913 on Polygon. The attacker exploited a vulnerability to take full control of the “rebalance” manager, mint 80 billion tokens and dump them on every available DEX. The hacker repeated this attack on the DFI token.

As soon as the Amun team detected the incident, it moved control of the contract manager to the company's multi-sig wallets.

The team said it would compensate all affected token holders for their loss and announce a repayment schedule soon.

After this incident happened, PECO’s price crashed to near zero.

Crypto assets worth around US $300,000 were exploited in this incident.

  3. Hacker Attacks BTC.com

On 26 Dec, BIT Mining Limited announced that its subsidiary BTC.com had been attacked on December 3 and that some crypto assets were stolen.

At the time of writing, BTC.com was back in operation. BIT Mining Limited had reported the case to the police in Shenzhen, China, and the investigation was ongoing. The company said it would make every effort to recover the stolen assets.

Crypto assets worth around US $700,000 were exploited in this incident.

  4. Hacker Attacks Jaypeggerz

On 29 Dec, a hacker attacked Jaypeggerz, a dApp deployed on Ethereum.

The root cause was that the JAY contract allowed users to pass any ERC-721 token address to the buyJay function, which then made an external call to that contract. The hacker used a malicious ERC-721 contract to re-enter the JAY contract.

The hacker flash-loaned 72.5 ETH, bought JAYs with 22 ETH, then called buyJay with the remaining 50.5 ETH while passing a fake ERC-721 token. When the JAY contract called into the fake token, the fake token called back into JAY's sell function, re-entering the contract in the middle of the purchase at a manipulated price, and sold all the JAYs the hacker held.

The hacker repeated this process and eventually made off with 15.32 ETH worth around US $18,000.

All exploited assets were cashed out via Tornado Cash.

Additional Details:

– Attacker’s Address: 0x0348d20b74ddc0ac9bfc3626e06d30bb6fac213b on Ethereum

– Attacking Contract: 0xed42cb11b9d03c807ed1ba9c2ed1d3ba5bf37340 on Ethereum

– Attacked Contract: 0xf2919d1d80aff2940274014bef534f7791906ff2 on Ethereum

– Hash Value of Attack Transaction: 

0xd4fafa1261f6e4f9c8543228a67caf9d02811e4ad3058a2714323964a8db61f6
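The following Python model is an added illustration of the re-entrancy path described above; it is not the JAY contract and its pricing formulas are simplified. The pool credits the buyer's ETH, then calls transferFrom on whatever contract address the buyer supplied, and only afterwards reads its ETH reserve and JAY supply to compute how many JAY to mint. A malicious "NFT" contract uses that call to sell the attacker's existing JAY while the reserve already includes the new deposit but the supply does not, so the sale is overpaid. The hardened pool adds a re-entrancy lock and an allow-list of NFT contracts, either of which stops the attack. All amounts are constructed.

```python
"""Re-entrancy through an untrusted, caller-chosen token contract (added illustration)."""

E = 10**18   # wei per ETH


class ReentrancyError(Exception):
    pass


class JayLikePool:
    """ETH-backed token: sell pays a pro-rata share of the ETH reserve."""

    def __init__(self, eth_reserve: int, jay_supply: int, allowed_nfts=None, guarded: bool = False):
        self.eth = eth_reserve
        self.supply = jay_supply
        self.balances = {}
        self.allowed_nfts = allowed_nfts   # None = accept any address (the vulnerable setting)
        self.guarded = guarded             # nonReentrant-style lock
        self._entered = False

    def _enter(self) -> None:
        if self.guarded and self._entered:
            raise ReentrancyError("re-entrant call rejected")
        self._entered = True

    def _leave(self) -> None:
        self._entered = False

    def buy_with_nft(self, buyer: str, eth_in: int, nft) -> int:
        self._enter()
        if self.allowed_nfts is not None and nft.address not in self.allowed_nfts:
            raise ValueError("nft contract not allow-listed")
        self.eth += eth_in                        # msg.value is already in the contract balance
        nft.transfer_from(buyer, "pool", self)    # untrusted external call; may re-enter
        # JAY minted at the pre-deposit ratio, but read AFTER the call: a re-entrant
        # sell has changed both the reserve and the supply by now.
        minted = eth_in * self.supply // (self.eth - eth_in)
        self.supply += minted
        self.balances[buyer] = self.balances.get(buyer, 0) + minted
        self._leave()
        return minted

    def sell(self, seller: str, amount: int) -> int:
        self._enter()
        if self.balances.get(seller, 0) < amount:
            raise ValueError("insufficient JAY")
        eth_out = amount * self.eth // self.supply   # inflated while a buy is in flight
        self.balances[seller] -= amount
        self.supply -= amount
        self.eth -= eth_out
        self._leave()
        return eth_out


class HonestNFT:
    address = "0xNFT_honest"

    def transfer_from(self, sender, recipient, pool):
        pass   # a real ERC-721 would move a token; it never calls back into the pool


class MaliciousNFT:
    address = "0xNFT_attacker"

    def __init__(self, attacker: str):
        self.attacker = attacker
        self.eth_from_reentry = 0

    def transfer_from(self, sender, recipient, pool):
        # Re-enter: sell the attacker's existing JAY while eth is up and supply is not.
        jays = pool.balances.get(self.attacker, 0)
        self.eth_from_reentry += pool.sell(self.attacker, jays)


def run_round_trip(pool: JayLikePool, nft) -> int:
    """Buy 10 ETH of JAY honestly, buy 50 ETH more through `nft`, sell all; net ETH."""
    pool.buy_with_nft("attacker", 10 * E, HonestNFT())
    pool.buy_with_nft("attacker", 50 * E, nft)
    received = getattr(nft, "eth_from_reentry", 0)
    received += pool.sell("attacker", pool.balances["attacker"])
    return received - 60 * E


def attack_blocked(pool: JayLikePool) -> bool:
    try:
        run_round_trip(pool, MaliciousNFT("attacker"))
    except (ReentrancyError, ValueError):
        return True
    return False
```

On a pool holding 100 ETH against 100 JAY the honest round trip nets exactly zero, while the re-entrant one nets a little over 4.5 ETH out of the other holders' reserve. The lock alone is enough to stop it; the allow-list is the second line of defence the entry above points at, since the contract had no business calling into an arbitrary address in the first place.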

  5. Hacker Attacks Gummys' Discord Server

On 29 Dec, a hacker attacked Gummys' Discord server. Gummys is a Web3 streaming platform.

  6. Hacker Attacks PartisiansNFT's Discord Server

On 30 Dec, a hacker attacked PartisiansNFT's Discord server. PartisiansNFT is an NFT project.

  7. Hacker Attacks Kenomi's Discord Server

On 31 Dec, a hacker attacked Kenomi's Discord server. Kenomi is an NFT project.

  8. Hacker Attacks Everybodys' Discord Server

On 2 Jan, a hacker attacked Everybodys' Discord server. Everybodys is an NFT project on Ethereum.

CONCLUSION-

8 notable security incidents have occurred in the past week. It is worth noting that the BitKeep incident affected numerous wallet users.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations. In particular, we suggest that crypto investors keep a cold wallet and hold most of their crypto assets in it.


Weekly Blockchain Security Watch (Dec 19 to Dec 25)

From 19 December to 25 December 2022, the security incidents that occurred fall into two categories: Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Hacker Attacks Splattercat's Discord Server

On 20 Dec, a hacker attacked Splattercat's Discord server. Splattercat is a game project.

  2. Hacker Attacks xHamster's Discord Server

On 20 Dec, a hacker attacked xHamster's Discord server. xHamster is an NFT project on Ethereum.

  3. Hacker Attacks Sol City Poker Club's Discord Server

On 21 Dec, a hacker attacked Sol City Poker Club's Discord server. Sol City Poker Club is an NFT project on Solana.

  4. Hacker Attacks David Di Franco's Discord Server and Twitter Account

On 21 Dec, a hacker attacked David Di Franco's Discord server and Twitter account. David Di Franco is a social media influencer.

  5. Hacker Attacks DR/VRS' Discord Server

On 22 Dec, a hacker attacked DR/VRS' Discord server. DR/VRS is an NFT project on Ethereum.

  6. Hacker Attacks F1 Dog's Discord Server

On 23 Dec, a hacker attacked F1 Dog's Discord server. F1 Dog is an NFT project on Aptos.

  7. Hacker Attacks Rubic

On 25 Dec, Rubic, a cross-chain aggregator deployed on Ethereum, was attacked.

The root cause was an injection flaw in Rubic's router contract: the contract forwarded caller-supplied calls to any address on its router whitelist, and the USDC token contract had been added to that whitelist, so an attacker could make the contract call USDC's transferFrom against users who had approved it.

RUG-PULLS:

  1. Defrost Finance Suspected to Be Rug-pull

On 25 Dec, Defrost Finance, a dApp deployed on Avalanche, was suspected to be a rug-pull.

CONCLUSION-

8 notable security incidents occurred in the past week. Seven were attacks on smart contracts or social media and one was a suspected rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations. In particular, we suggest that crypto investors avoid projects whose admin (owner) addresses were funded with gas from Tornado Cash. If a project of this kind turns out to be a rug-pull, recovering assets from it is very hard.


Solutions for Avoiding the Burden of Bad Debt in Lending Apps: Some Tentative Thoughts on Ankr's Exploitation

On December 2, Ankr’s contract deployed on the BNB chain was attacked.

The hacker deployed a malicious implementation contract, minted 10,000,000,000,000 aBNBc tokens, dumped them on a DEX and swapped them for other crypto assets.

Dumping this enormous number of aBNBc tokens crashed the token's price, which went from around $300 before the incident to less than $2 after the dump.

The hacker exploited crypto assets worth around US $5 million in this incident.

While that action is clearly illegitimate, another actor “legitimately” made a profit of around US $15 million from the same incident.

Here is what this actor did:

After the incident, it exchanged 10 BNB for 180,000 aBNBc tokens, used the aBNBc as collateral to borrow a huge amount of the HAY stablecoin from the lending platform Helio, and eventually swapped all the HAY for BUSD.

The whole process was so precisely organized and executed that this actor was suspected of very likely being the hacker itself.

The actor was able to profit because Helio's oracle did not react promptly to the sudden price collapse and kept treating the stale, pre-crash price as aBNBc's valid price. The actor used this lag to borrow far more than the collateral was actually worth.

This is not the first time such an issue has occurred. Earlier this year, when the price of LUNA crashed, there were quite a few cases in which actors borrowed less volatile crypto assets against LUNA collateral from lending applications whose oracles did not update LUNA's price promptly.

On the surface this is an oracle issue, but looking deeper, we think it is to a large extent a tokenomics issue as well.

In these incidents, the exploited assets are typically ERC-20 tokens on Ethereum or fungible tokens on other EVM blockchains.

Depending on their contract design, such tokens are minted in one of two ways:

Either the token's total (or maximum) supply is minted in full on deployment and no further minting is possible afterwards,

or the token can still be minted after its contract is deployed.

In the latter case, whenever access control on the token's mint function is compromised, malicious minting can happen. When it does, the additionally minted tokens will very likely be either dumped on DEXs or CEXs, or used as collateral to borrow less volatile assets, stablecoins in particular, from lending applications.

Compared with dumping tokens on DEXs or CEXs, using them as collateral to borrow stablecoins does devastating damage to the lending applications involved. Quite often a lending application that lent assets in this situation was drained within a short time and left holding a huge amount of bad debt.

So how can we avoid this issue?

A quick idea is to improve the responsiveness of the oracles these lending applications use.

This helps, but it is not enough: it may greatly increase operating costs, and no matter how responsive an oracle is, it can hardly respond in real time.

Therefore we propose the following solutions:

The first is that a carefully designed collateral ratio should be applied to collateral tokens that can still be minted after their contracts are deployed.

Many lending applications already apply a collateral ratio to tokens used as collateral, but the ratio is rarely set with the risk of malicious minting in mind, so the setting may not be resilient or fault-tolerant against this risk.

The second is that a lending application should not only track a token’s price but also monitor the token’s mint activity, especially for tokens that can still be minted after their contracts are deployed.

When abnormal mint activity, such as a large number of tokens being minted, happens for a token, a lending application could suspend its lending service for positions that use this token as collateral. Only after this abnormal mint activity is confirmed to have been fixed, or found to be normal, should the lending service be resumed.

The third is that a lending application could charge relatively higher service fees for collateral tokens that can still be minted after their contracts are deployed.

This hedges the risk economically.
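To make the first two proposals concrete, here is an added example (not Fairyproof’s code) of an off-chain monitor for a lending application: it treats ERC-20 Transfer events from the zero address as mints, suspends a token as collateral when a single mint is abnormally large relative to its tracked supply, and applies a discounted collateral factor to tokens that can still be minted after deployment. The class and function names, the 5% mint threshold and the 20% haircut are assumptions for illustration.

```python
# Added example (not Fairyproof's code). Names, thresholds and the sample
# events below are constructed for illustration.
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40   # ERC-20 Transfer from 0x0 == mint

@dataclass
class CollateralPolicy:
    base_factor: float            # e.g. 0.80 for a fixed-supply token
    mintable: bool                # can the token be minted post-deployment?
    mintable_haircut: float = 0.2 # extra discount for mintable tokens (assumed)
    max_mint_ratio: float = 0.05  # one mint above 5% of supply is abnormal (assumed)
    supply: int = 0               # supply tracked from observed mints
    suspended: bool = False       # circuit breaker state

    def collateral_factor(self) -> float:
        """Effective collateral factor; 0 while the token is suspended."""
        if self.suspended:
            return 0.0
        if self.mintable:
            return self.base_factor * (1.0 - self.mintable_haircut)
        return self.base_factor

    def observe_transfer(self, sender: str, amount: int) -> bool:
        """Feed one Transfer(from, to, amount) event; True if it is an abnormal mint."""
        if sender.lower() != ZERO_ADDRESS:
            return False              # ordinary transfer, not a mint
        abnormal = self.supply > 0 and amount > self.supply * self.max_mint_ratio
        self.supply += amount         # keep the tracked supply current
        if abnormal:
            self.suspended = True     # stop lending against this collateral
        return abnormal

    def resume(self) -> None:
        """Operator confirms the mint was legitimate or has been reverted."""
        self.suspended = False

def max_borrow(policy: CollateralPolicy, collateral_value: float) -> float:
    """Borrow limit for a position backed by collateral_value of this token."""
    return collateral_value * policy.collateral_factor()
```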

These are some tentative thoughts we arrived at after learning the big lessons from these incidents.

When tackling a cyber-security risk or issue Fairyproof always tries to find solutions not just from a purely technical point of view, but from multiple facets including tokenomics, governance and more.

We hope these thoughts can be of some assistance in mitigating this issue in the future.

Weekly Blockchain Security Watch November 28 to Dec 4

From November 28 to December 4, 2022, all security incidents that occurred were Security Hacks.

SECURITY HACKS:

  1. Hacker Attacks Prometheus

On Nov 28, Prometheus, a dApp deployed on the BNB chain, was attacked.

In this incident, the hacker withdrew 467,398 PHI from the project’s OTC contract and exchanged them for 124.73 BNBs.

The Prometheus team got back 112.08 BNBs and kept them in a multisig (0x69A03128a7cb580553acf1cf287d4A5Ce0A01c1F).

The hacker exploited 12.65 BNBs (worth around US $3,654.5) in this incident.

At the time of writing, the project’s gPHI and dPHI supply had not been exploited, and all the contracts had been paused, except the dividends pool.

Additional Details:

– Attacker’s Address: 0xc7233627c65f0dd1465938212a3adaa5dea50bf6 (BNB chain)

– Hash Value of Attack Transaction: 0x15472327df1fdace59c14eba5f4069ffb65c71c5f38f00355da990b68121d160

  • Hacker Attacks Shamanzs Discord Server

On Nov 28, a hacker attacked Shamanzs’ discord server. Shamanzs is an NFT project deployed on Ethereum.

  • Hacker Leverages Flash-loan to Attack Seaman

On Nov 29, a hacker attacked Seaman, a dApp deployed on the BNB chain.

The root cause was that its tokenomics design allowed price manipulation.

The attacker flash-loaned 500,000 BUSDs and exchanged them for GVCs. The hacker then called Seaman’s transfer function to transfer a small number of SEAMAN tokens, which triggered the SEAMAN tokens being exchanged for GVCs. This process called the _splitlpToken() function to distribute the GVCs to lpUser and reduce the number of GVCs in the BUSD-GVC trading pair, thus increasing GVC’s price.

The hacker repeated the process and eventually exploited 7781 BUSDs worth US $7781 in this incident.

Additional Details:

– Attacker’s Address: 0x49fac69c51a303b4597d09c18bc5e7bf38ecf89c (BNB chain)

– Attacked Contract: 0xDB95FBc5532eEb43DeEd56c8dc050c930e31017e (GVC Token on BNB chain)

  • Hacker Attacks SmallBros Discord Server

On Dec 1, a hacker attacked SmallBros’ discord server. SmallBros is an NFT project deployed on Ethereum.

  • Hacker Attacks Brainless Spikes Discord Server

On Dec 1, a hacker attacked Brainless Spikes’ discord server. Brainless Spikes is an NFT project deployed on Ethereum.

  • Hacker Attacks Ankr

On Dec 2, a hacker attacked Ankr, a dApp deployed on the BNB chain.

The root cause was very likely that the Ankr Deployer’s private key was compromised.

The attacker exploited crypto assets worth around US $5 million in this incident.

For more details about this incident refer to:

Additional Details:

– Attacker’s Address: 0xf3a465C9fA6663fF50794C698F600Faa4b05c777 (BNB chain)

– Malicious aBNBc Contract: 0xd99955B615EF66F9Ee1430B02538a2eA52b14Ce4 (BNB chain)

– Ankr Deployer: 0x2Ffc59d32A524611Bb891cab759112A51f9e33C0 (BNB chain)

– Attacked Contract: 0xE85aFCcDaFBE7F2B096f268e31ccE3da8dA2990A (aBNBc on BNB chain)

– Initiator of Attack Transaction: 0x71699d5BD28F5C834eEe8E365848df056915Baa6 (BNB chain)

– Hash Value of Attack Transaction: 0xd07b210b872bc952b9f2250d8272a789f89a2f7a3621112fdd73addd7bdb080b (BNB chain)

CONCLUSION:

6 notable security incidents occurred in the past week. Four of them were attacks on smart contracts and two were attacks on social media accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain an understanding of cybersecurity and practice it at a sufficient level.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/