Weekly Blockchain Security Report by Fairyproof - Apr 11 to Apr 17
During the week from April 11 to April 17, 2022, security incidents that happened in the crypto space were all security hacks.
Here is a list of the security hacks:
1. Creat Future
On April 11, Creat Future, an application deployed on the BNB Chain, was attacked.
The attacker’s address was 0xde33456644c08c4CeFa05237D429CCDa158FE0b5 on the BNB Chain.
The hash value of the attack transaction was:
0x85b5a2f8210e499ff6a84d4e7d9969558418191c6aa9df2b2145edec13036fce
The attacked contract was deployed at 0x8B7218CF6Ac641382D7C723dE8aA173e98a80196 on the BNB Chain.
In this incident, the hacker exploited crypto assets valued at $1.9 million.
The vulnerability was that its token contract did not properly validate an input address.
The Creat Future token (CF) contract had a “_transfer” function whose visibility was public, and the function took a “from” address parameter that was never validated. Anyone could therefore call the function and move CF tokens out of whatever “from” address they specified.
The hacker exploited this vulnerability in 6 transactions to transfer a total of 4.2 million CF tokens, exchanged them for at least 4,200 BNB and cashed out via Tornado Cash.
2. Marvin Inu
Marvin Inu, a cross-chain application, was attacked. Fortunately, the team behind the project promptly shut down its cross-chain bridge and fixed the issue. The team announced that it would take further actions to compensate for the loss.
3. Elephant Money
On April 12, Elephant Money, a stablecoin project deployed on the BNB Chain, was attacked.
The attacker’s address was 0xe552133cc829a7f7e98e349763fac7ab0f3828b0 on the BNB Chain.
The attacking contract was deployed at 0xbceda90b2880fea5d511d54716229145508996da on the BNB Chain.
The attacked contract was deployed at 0xD520a3B47E42a1063617A9b6273B206a07bDf834 on the BNB Chain.
The hash value of the attack transaction was:
0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577
The vulnerability lay in an unverified contract of the application. This contract used a spot price read directly from Uniswap, and the hacker manipulated that price.
The hacker leveraged a flash loan to exploit this vulnerability and drained 27,416 BNB valued at around $11 million.
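The contrast below is an added example written for this report, not Elephant Money's code. The interface subset is that of a real Uniswap V2 pair; the spot-price consumer reads the pool's current reserves, which a flash loan can move within one transaction, while the time-weighted consumer follows a simplified form of Uniswap's ExampleOracleSimple pattern, where the reported price only changes with elapsed time across a window. MIN_PERIOD and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of the real Uniswap V2 pair interface.
interface IUniswapV2Pair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
}

// Defect class from the text: pricing from the pool's current reserves.
// A flash loan can move these within a single transaction, so the value is
// attacker-controlled at the moment it is read.
contract SpotPriceOracle {
    IUniswapV2Pair public immutable pair;
    constructor(IUniswapV2Pair _pair) { pair = _pair; }

    // token0 priced in token1, scaled by 1e18
    function price() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / uint256(r0);
    }
}

// Hardened form: time-weighted average over at least MIN_PERIOD (assumed value).
// Simplified from Uniswap's ExampleOracleSimple; added example, not a project contract.
contract TwapOracle {
    IUniswapV2Pair public immutable pair;
    uint256 public constant MIN_PERIOD = 30 minutes;

    uint256 public price0CumulativeLast;
    uint32 public blockTimestampLast;
    uint256 public price0Average; // UQ112x112 fixed point

    constructor(IUniswapV2Pair _pair) {
        pair = _pair;
        price0CumulativeLast = _pair.price0CumulativeLast();
        (, , blockTimestampLast) = _pair.getReserves();
    }

    // Anyone may call update() once a full window has elapsed; consumers read the stored average.
    function update() external {
        (uint112 r0, uint112 r1, uint32 ts) = pair.getReserves();
        require(r0 > 0, "empty pool");
        uint256 cumulative = pair.price0CumulativeLast();
        uint32 nowTs = uint32(block.timestamp);
        uint32 elapsed;
        unchecked {
            // Cumulative prices are designed to wrap; wrapping arithmetic is intended here.
            if (ts != nowTs) {
                // Extend the pair's cumulative price to now, as the pair itself does on its next sync.
                cumulative += ((uint256(r1) << 112) / uint256(r0)) * (nowTs - ts);
            }
            elapsed = nowTs - blockTimestampLast;
        }
        require(elapsed >= MIN_PERIOD, "window too short");
        unchecked {
            price0Average = (cumulative - price0CumulativeLast) / elapsed;
        }
        price0CumulativeLast = cumulative;
        blockTimestampLast = nowTs;
    }

    // token0 priced in token1, scaled by 1e18, from the last completed window.
    // Reverts rather than wraps if the average exceeds ~2^196, which no real price reaches.
    function price() external view returns (uint256) {
        require(price0Average != 0, "not initialised");
        return (price0Average * 1e18) >> 112;
    }
}
```

A single transaction cannot move `TwapOracle.price()`: the stored average only changes when `update()` is called after a full window, and a borrowed-and-repaid position contributes to the cumulative price only for the seconds it was open. The detection heuristic for reviewers is the same either way: any `getReserves()` call feeding a valuation path deserves a flash-loan scenario in the threat model.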
4. Rikkei Finance
On April 15, Rikkei Finance, a DeFi application deployed on the BNB Chain, was attacked.
The attacker’s address was 0x803e0930357ba577dc414b552402f71656c093ab on the BNB Chain.
There were two attacking contracts, deployed at the following two addresses respectively:
0x9aE92CB9a3cA241D76641D73B57c78F1bCF0B209 and
0xe6df12a9f33605f2271d2a2ddc92e509e54e6b5f.
The attacked contracts were deployed at 0xD55f01B4B51B7F48912cD8Ca3CDD8070A1a9DBa5 and 0x157822ac5fa0efe98daa4b0a55450f4a182c10ca respectively.
The hash values of the two attacking transactions were:
0x4e06760884fd7bfdc076e25258ccef9b043401bc95f5aa1b8f4ff2780fa45d44 and
0x93a9b022df260f1953420cd3e18789e7d1e095459e36fe2eb534918ed1687492.
In this incident, the hacker drained 2,671 BNB valued at around $1.1 million.
The vulnerability was a missing access control check in the function “setOracleData”. The hacker exploited this to replace the oracle contract with a malicious one, drained all the USDC, BTCB, DAI, USDT, BUSD and BNB, exchanged these tokens for BNB and cashed out via Tornado Cash. After the attack, the hacker destroyed the attacking contracts.
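Below is an added illustration of the missing-access-control defect named above, written for this report and not taken from Rikkei Finance. The function name “setOracleData” comes from the text; the interface, the admin scheme and the event are assumptions. The hardened version restricts the setter to an admin, rejects non-contract addresses, and emits an event so that an oracle change is visible to monitoring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Hypothetical oracle interface for the illustration.
interface IPriceOracle {
    function getUnderlyingPrice(address market) external view returns (uint256);
}

// Defect class from the text: an admin-level setter with no caller check.
contract ComptrollerUnprotected {
    IPriceOracle public oracle;

    // Anyone can point the protocol at an oracle of their choosing.
    function setOracleData(IPriceOracle newOracle) external {
        oracle = newOracle;
    }
}

// Hardened form (added example, not the project's code).
contract ComptrollerHardened {
    address public admin;
    address public pendingAdmin;
    IPriceOracle public oracle;

    event NewOracle(address indexed oldOracle, address indexed newOracle);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(IPriceOracle initialOracle) {
        admin = msg.sender;
        oracle = initialOracle;
    }

    // Only the admin may change the oracle. The code-size check rejects EOAs and
    // undeployed addresses; it is a sanity check, not a substitute for reviewing the oracle.
    function setOracleData(IPriceOracle newOracle) external onlyAdmin {
        require(address(newOracle).code.length > 0, "oracle must be a contract");
        emit NewOracle(address(oracle), address(newOracle));
        oracle = newOracle;
    }

    // Two-step admin handover so a mistyped address cannot strand the protocol.
    function setPendingAdmin(address newAdmin) external onlyAdmin {
        pendingAdmin = newAdmin;
    }

    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}
```

Operationally, the `NewOracle` event is what an alerting rule should key on: an oracle address changing outside a planned upgrade window is a strong signal that something is wrong, and the admin address itself should live behind a timelock or multisig rather than a single key.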
5. FaceDAO
On April 16, FaceDAO, an application deployed on Ethereum, was attacked.
The attacker’s address was 0xAAAA3467Ca1F70494Ca8B821Eef3E34DE2c139E5 on Ethereum.
The attacked address was 0xd432e8611377E307D3e5710132515be1E6AA6156 on Ethereum.
In this attack, the hacker drained 121 ETH valued at around $360,000.
For more details, please refer to:
https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-facedao-e34e24e711c0
6. Beanstalk
On April 17, Beanstalk, a stablecoin project deployed on Ethereum, was attacked.
The attacker’s address was 0x1c5dCdd006EA78a7E4783f9e6021C32935a10fb4 on Ethereum.
The attacking contract was deployed at 0x728ad672409da288ca5b9aa85d1a55b803ba97d7 on Ethereum.
The hash value of the attack transaction was:
0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7
The attacked contract was deployed at 0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5 on Ethereum.
In this incident, crypto assets valued at around $182 million were drained.
The vulnerability lay in its governance mechanism. The hacker submitted a malicious proposal, BIP-18, then used flash loans to borrow 350 million DAI, 500 million USDC, 150 million USDT, 32 million BEAN and 11.6 LUSD, converted these tokens into 795,425,740 BEAN3Crv-f and 58,924,887 BEANLUSD-f, used them to vote BIP-18 through, and called the “emergencyCommit()” function to execute BIP-18 and drain the application’s assets.
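The governor below is an added example written for this report, not Beanstalk's contract. It shows the two controls that defeat the pattern described above: voting power is read from a checkpoint at the proposal's snapshot block, so tokens borrowed and repaid inside one transaction never count, and execution is only possible after the vote closes plus a timelock, with no emergency path that lets a proposal pass and execute in one step. The IVotes interface uses the same signatures as OpenZeppelin's IVotes and assumes a token that checkpoints balances; the period, delay and quorum constants are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Same signatures as OpenZeppelin's IVotes; the governance token must checkpoint
// balances per block so that past-block lookups are possible.
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

// Added example of flash-loan-resistant governance; not a project contract.
contract SnapshotGovernor {
    struct Proposal {
        address target;
        bytes data;
        uint256 snapshotBlock; // voting power is read as of this block
        uint256 voteEnd;       // last block in which votes are accepted
        uint256 forVotes;
        bool executed;
        mapping(address => bool) hasVoted;
    }

    IVotes public immutable token;
    uint256 public constant VOTING_PERIOD = 7200;   // blocks (about one day at 12 s blocks); assumed
    uint256 public constant TIMELOCK_DELAY = 14400; // blocks between vote end and earliest execution; assumed
    uint256 public constant QUORUM_BPS = 2000;      // 20 % of snapshot supply must vote for; assumed

    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    constructor(IVotes _token) { token = _token; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        // The proposer must have held tokens before this block: a flash loan taken in
        // this transaction is absent from the previous block's checkpoint.
        require(token.getPastVotes(msg.sender, block.number - 1) > 0, "no voting power");
        id = proposalCount++;
        Proposal storage p = proposals[id];
        p.target = target;
        p.data = data;
        p.snapshotBlock = block.number;
        p.voteEnd = block.number + VOTING_PERIOD;
    }

    function castVote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.voteEnd != 0, "unknown proposal");
        require(block.number > p.snapshotBlock && block.number <= p.voteEnd, "voting closed");
        require(!p.hasVoted[msg.sender], "already voted");
        // Weight is fixed at the snapshot block. Tokens borrowed and repaid within one
        // transaction never survive to a block-end checkpoint, so they carry no weight.
        uint256 weight = token.getPastVotes(msg.sender, p.snapshotBlock);
        require(weight > 0, "no voting power");
        p.hasVoted[msg.sender] = true;
        p.forVotes += weight;
    }

    // The only execution path: after the vote closes AND after the timelock.
    // Deliberately no emergency shortcut that bypasses either condition.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.voteEnd != 0 && !p.executed, "not executable");
        require(block.number > p.voteEnd + TIMELOCK_DELAY, "timelock not elapsed");
        uint256 quorum = token.getPastTotalSupply(p.snapshotBlock) * QUORUM_BPS / 10_000;
        require(p.forVotes >= quorum, "quorum not met");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "proposal call failed");
    }
}
```

The timelock is as important as the snapshot: it gives token holders and monitoring a window to inspect a passed proposal's calldata before it can touch funds, which is exactly the window an immediate-execution function removes.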
Closing thoughts
Of these 6 incidents, two (Creat Future and Rikkei Finance) were caused by missing validation, of an address parameter in one case and of access control in the other; Elephant Money was attacked through an insecure oracle, FaceDAO through phishing, and Beanstalk through a governance attack.
The missing validation and the insecure oracle could have been prevented if these projects had gone through a professional audit. The governance attack was not a smart contract bug, but it could still have been prevented if the governance mechanism itself had been audited. All of these issues are common and solvable.
A reminder to smart contract developers: mature solutions already exist for risks such as missing validation, insecure oracles and governance attacks. Have contracts professionally audited before deploying them.
A reminder to crypto users: always be highly cautious about suspicious links or emails.