Weekly Blockchain Security Report by Fairyproof - Apr 25 to May 1
During the week from April 25 to May 1, 2022, security incidents that happened in the crypto space were all security hacks.
Here is a list of the security hacks:
1. BAYC
On April 26, the Instagram account of BAYC, the most popular NFT project, was attacked.
Crypto assets valued at around $2.4 million were stolen.
This was a typical phishing attack. The hacker posted phishing links on BAYC’s Instagram, and some users were misled into signing a “safeTransferFrom” transaction that authorized the hacker to move the NFTs out of these users’ wallets.
A total of 765 ETH and 91 NFTs, including BAYC, MAYC, BAKC, and CloneX, were stolen. Of these NFTs, 23, including 4 BAYCs, 6 MAYCs, and 2 CloneXs, had already been sold; the sold NFTs were valued at around $2.4 million.
2. Deus
On April 28, Deus, a DeFi application deployed on Fantom, was attacked.
The attacker’s address was 0x701428525cbac59dae7af833f19d9c3aaa2a37cb on Fantom.
The attacking contract was deployed at 0x1f56CCfE85Dc55558603230D013E9F9BfE8E086C on Fantom.
The hash value of the attack transaction was:
0x39825ff84b44d9c9983b4cff464d4746d1ae5432977b9a65a92ab47edac9c9b5
The assets stolen in this incident were valued at around $13.4 million.
The root cause was that the application did not use a secure price oracle. The hacker used a flash loan to manipulate the price of DEI, drained a large amount of DEI, bridged it from Fantom to Ethereum, and cashed out via Tornado Cash.
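The Deus root cause is a recurring pattern: a contract reads the price of a token straight from an AMM pool’s reserves, and a flash loan lets one transaction move those reserves (and therefore the price) arbitrarily far within a single block. The toy model below is an added example written for this report; it is not Deus’s code and does not reproduce the actual attack. It builds a Uniswap-v2-style constant-product pool, reads the price two ways (spot from reserves versus a per-block time-weighted average), and shows how a deviation guard rejects the manipulated reading. Pool sizes, token labels, the flash-loan amount and the lending ratio are all constructed values.

```python
"""
Added example (not from the Fairyproof report or any audited project): a toy
constant-product AMM showing why the spot price read from pool reserves is not
a safe price oracle, and how a time-weighted average price (TWAP) plus a
deviation guard behaves under the same single-block manipulation.
All numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Uniswap-v2-style x*y=k pool. Token A is the asset being priced, B the quote."""
    reserve_a: float
    reserve_b: float
    fee: float = 0.003  # 0.3% taker fee, as in Uniswap v2

    def spot_price(self) -> float:
        """Instantaneous price of A in units of B: depends only on current reserves."""
        return self.reserve_b / self.reserve_a

    def _out(self, amount_in: float, reserve_in: float, reserve_out: float) -> float:
        in_with_fee = amount_in * (1 - self.fee)
        return in_with_fee * reserve_out / (reserve_in + in_with_fee)

    def swap_b_for_a(self, amount_b: float) -> float:
        """Buy A with B; returns A received. A large buy pushes spot_price() up sharply."""
        out = self._out(amount_b, self.reserve_b, self.reserve_a)
        self.reserve_b += amount_b
        self.reserve_a -= out
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell A for B; returns B received."""
        out = self._out(amount_a, self.reserve_a, self.reserve_b)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out


@dataclass
class TwapOracle:
    """Records the pool price at most once per block, using the reserves as they
    stood before that block's trades (the Uniswap v2 cumulative-price idea).
    Because a flash-loan manipulation and the read it targets happen inside one
    block, the manipulated reserves cannot enter the average in that block.
    Blocks are assumed to have equal duration, so the TWAP is a per-block mean."""
    pool: Pool
    observations: list = field(default_factory=list)  # (block, price) pairs
    last_block: int = -1

    def update(self, block: int) -> None:
        if block == self.last_block:
            return  # already observed this block; ignore intra-block reserves
        self.observations.append((block, self.pool.spot_price()))
        self.last_block = block

    def consult(self, window: int) -> float:
        """Average price over the most recent `window` blocks of observations."""
        cutoff = self.last_block - window
        recent = [price for block, price in self.observations if block > cutoff]
        if not recent:
            raise ValueError("no observations in window")
        return sum(recent) / len(recent)


def deviation_guard(spot: float, twap: float, max_deviation: float = 0.05) -> bool:
    """Accept a price only if spot is within max_deviation of the TWAP.
    A protocol should refuse the operation (or pause) when this returns False."""
    return abs(spot - twap) / twap <= max_deviation


def collateral_value(amount_a: float, price: float, ltv: float = 0.8) -> float:
    """Borrowing power granted against `amount_a` of token A at `price` (constructed LTV)."""
    return amount_a * price * ltv


def simulate(flash_loan_b: float = 5_000_000.0, quiet_blocks: int = 30) -> dict:
    """Quiet trading for `quiet_blocks`, then one block with a flash-loan-sized buy."""
    pool = Pool(reserve_a=1_000_000.0, reserve_b=1_000_000.0)  # constructed reserves
    oracle = TwapOracle(pool)
    for block in range(quiet_blocks):
        oracle.update(block)
        # small alternating organic trades keep the price near 1.0
        if block % 2:
            pool.swap_a_for_b(1_000.0)
        else:
            pool.swap_b_for_a(1_000.0)
    attack_block = quiet_blocks
    oracle.update(attack_block)                 # observation taken before the block's trades
    bought_a = pool.swap_b_for_a(flash_loan_b)  # borrowed B inflates A's spot price
    spot = pool.spot_price()
    twap = oracle.consult(window=quiet_blocks)
    return {
        "spot": spot,
        "twap": twap,
        "bought_a": bought_a,
        "value_spot": collateral_value(bought_a, spot),  # what a spot-oracle lender would grant
        "value_twap": collateral_value(bought_a, twap),  # what a TWAP-oracle lender would grant
        "guard_accepts": deviation_guard(spot, twap),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the constructed figures, the spot price jumps from about 1.0 to roughly 36 while the TWAP stays near 1.0, and the deviation guard rejects the reading. The lesson for developers is that the guard and the averaged price belong in the contract that consumes the price, not only in a monitoring dashboard. A TWAP is not a complete fix on its own: sustained manipulation across many blocks can still move it, which is why production protocols typically combine it with an independent external feed and with deviation limits like the one shown.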
3. Saddle Finance
On April 30, Saddle Finance, a DeFi application deployed on Ethereum, was attacked.
The attacker’s address was 0x63341ba917de90498f3903b199df5699b4a55ac0 on Ethereum.
The attacking contract was deployed at 0x7336f819775b1d31ea472681d70ce7a903482191 on Ethereum.
The attacker launched two attack transactions; their hash values were:
0x2b023d65485c4bb68d781960c2196588d03b871dc9eb1c054f596b7ca6f7da56 and
0xe7e0474793aad11875c131ebd7582c8b73499dd3c5a473b59e6762d4e373d7b8 respectively.
In this incident, a total of 3540 ETH valued at around $10 million was stolen.
The root cause of this incident was an incorrect smart contract configuration: the implementation should have used the newly deployed MetaSwapUtils library, but it pointed at an obsolete MetaSwapUtils library instead. The attacker exploited this vulnerability and amplified the attack with a flash loan.
4. Rari Capital
On May 1, Rari Capital, a DeFi application deployed on Ethereum, was attacked.
The attacker’s address was 0x6162759edad730152f0df8115c698a42e666157f on Ethereum.
The attacking contract was deployed at 0x32075bad9050d4767018084f0cb87b3182d36c45 on Ethereum.
The vulnerable contract that was exploited was deployed at:
0xd77E28A1b9a9cFe1fc2EEE70E391C05d25853cbF on Ethereum.
Crypto assets valued at $79.21 million were stolen in this incident.
For more details about this incident please refer to:
https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-rari-capital-d8fb4538fbdf
5. Solana
On May 1, the Solana blockchain suffered a denial-of-service (DoS) attack.
The incident was caused by a crawler application deployed by Metaplex, an NFT application. Once this crawler ran, Solana’s transactions per second (TPS) spiked to 4 million, far beyond what the network could handle.
The issue took Solana down for nearly 7 hours. After Solana’s mainnet was restarted, it resumed normal operation.
Closing thoughts
Among these 5 incidents, those affecting Deus, Saddle Finance, and Rari Capital were all common issues that could have been prevented by a thorough audit and system testing.
The Solana incident was not the first outage in Solana’s history, and incidents of this kind may recur if the network is not carefully maintained and managed, since Solana was designed for high performance at the cost of comparatively less decentralization.
Phishing attacks are frequent these days as NFT projects keep gaining traction. Users who do not check carefully for fake sites are easily exploited.
A reminder to smart contract developers: smart contracts should be thoroughly tested before deployment, and a professional audit by a third party is a must-have step before going live.
A reminder to crypto users: be cautious about suspicious links, emails, or websites.