Weekly Blockchain Security Report by Fairyproof — June 20 to June 26
During the week from June 20 to June 26, 2022, security incidents that happened in the crypto space are either security hacks or rug-pulls.
Here is a list of the security hacks:
1. Whaleswap Finance
On June 20, Whaleswap Finance, a DeFi application deployed on the BNB chain, was attacked.
The attacker’s address was 0xD793FF8D744828c25DA7F80123B88Dd5c2Bf7A50.
The attacking contracts were deployed at the following addresses on the BNB chain:
0xAA85fc75f2534FAA2668EF40C88e1dAe841Be6ba and
0xAA85fc75f2534FAA2668EF40C88e1dAe841Be6ba
The attacked contracts were deployed at the following addresses on the BNB chain:
0x8Bfee2cAFF6b5D4Ac9F438F4b1f36FeeB5E76794 (WhaleswapPair) and
0x4000EC3810DFD0A0068b38F64795AE2d521A46f2 (WhaleswapPair)
The hash values of the attack transactions were:
0x9f5b02cb1ce2d75ba457a2d152d89b6d3932ff057c03739a0071fb816e0ebab3 and
0x43ddb5965733ee71c4b29fe685ae76bfc4d121dc606cbdf317fc59d61fec4fcf
Crypto assets valued at around $12,000 were exploited.
The root cause is that the validation of the K value in the AMM algorithm was incorrect.
In the swap function defined in the WhaleswapPair contract, the transaction fee ratio should be either 4/10000 or 25/10000, depending on the pair’s “stable” value. However, the ratio actually used in the check was 2/10000, so the K value was validated against a smaller fee than the pair was supposed to charge. The attacker exploited this vulnerability and leveraged a flash loan to borrow a large amount of token A, then repaid the loan with token B, whose price was much lower than token A’s.
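To make the K-value point concrete, here is an added Python model of a constant-product pair’s end-of-swap invariant (this is example code, not the WhaleswapPair contract or anything from Fairyproof). It assumes a Uniswap V2-style check with fees expressed in parts per 10,000; the mapping of 4/10000 to stable pairs and 25/10000 to volatile pairs is an assumption, and the reserves and trade sizes are constructed. The demonstration is that a swap sized for a 2/10000 fee passes a check that also uses 2/10000 but fails the check the pair should have been running at 25/10000, which is exactly the mismatch an audit should catch.

```python
FEE_DENOM = 10_000  # fees expressed as parts per 10,000, matching the ratios in the report


def expected_fee(stable: bool) -> int:
    """Fee the pair is supposed to charge (assumption: 4/10000 for stable pairs, 25/10000 otherwise)."""
    return 4 if stable else 25


def amount_out(amount_in: int, reserve_in: int, reserve_out: int, fee: int) -> int:
    """Constant-product quote with integer math (Uniswap V2 style getAmountOut, parameterised by fee)."""
    amount_in_with_fee = amount_in * (FEE_DENOM - fee)
    numerator = amount_in_with_fee * reserve_out
    denominator = reserve_in * FEE_DENOM + amount_in_with_fee
    return numerator // denominator


def k_check(reserve0: int, reserve1: int, balance0: int, balance1: int,
            amount0_in: int, amount1_in: int, fee: int) -> bool:
    """The invariant a pair verifies at the end of swap(): post-swap balances, with the fee
    deducted from the inputs, must still satisfy x*y >= k. `fee` is the value the CHECK uses."""
    adjusted0 = balance0 * FEE_DENOM - amount0_in * fee
    adjusted1 = balance1 * FEE_DENOM - amount1_in * fee
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * FEE_DENOM ** 2


def swap_accepted(reserve0: int, reserve1: int, amount0_in: int, quote_fee: int, check_fee: int):
    """Caller sends amount0_in of token0 and requests the output a `quote_fee` quote allows;
    the pair then validates with `check_fee`. Returns (amount1_out, accepted)."""
    out = amount_out(amount0_in, reserve0, reserve1, quote_fee)
    balance0 = reserve0 + amount0_in
    balance1 = reserve1 - out
    return out, k_check(reserve0, reserve1, balance0, balance1, amount0_in, 0, check_fee)


def check_fee_matches(stable: bool, fee_used_in_check: int) -> bool:
    """Audit assertion: the fee used in the invariant check must equal the fee the pair charges."""
    return fee_used_in_check == expected_fee(stable)


if __name__ == "__main__":
    r0 = r1 = 1_000_000  # constructed reserves
    amt = 100_000        # constructed trade size
    print("correct fee, correct check:", swap_accepted(r0, r1, amt, 25, 25))
    print("lenient quote, correct check:", swap_accepted(r0, r1, amt, 2, 25))
    print("lenient quote, buggy check:", swap_accepted(r0, r1, amt, 2, 2))
    print("check fee matches charged fee:", check_fee_matches(stable=False, fee_used_in_check=2))
```

With these numbers the buggy check lets 190 more units of token1 leave the pool per swap than the correct one would; repeated with flash-loaned size, that gap is the profit. The one-line audit check at the end, comparing the fee constant inside the invariant with the fee the pair actually charges, is the kind of unit test that would have flagged the mismatch before deployment.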
2. Neo Hunters
On June 21, Neo Hunters’ team announced that its Discord server suffered from phishing attacks and phishing links were sent to its Discord server. Users should never click on these phishing links.
3. PandorachainDAO
On June 22, PandorachainDAO, an application deployed on the BNB chain, was attacked.
The attacker’s address was 0xa11e104601582280672d6ed81eec3af2e4d21940 on the BNB chain.
The attacking contract was deployed at 0x51626f9a6cc5d55c042e43a3c0fa8cd2233a0098 on the BNB chain.
The attacked contract was deployed at 0x83757110409d993FCF3610260D7Af753e2423529 (PCDNFT) on the BNB chain.
The hash value of the attack transaction was:
0x1fff2189ef23e3c6dd3d643cbb91ee7ae20686fb6584e6d987f7fc55d98923be
Crypto assets valued at around $120,000 were exploited in this incident.
The root cause is that the implementation used an incorrect algorithm to calculate the token’s price.
The shouchan function defined in the PCDNFT contract used the current balances of USDT and PCD in the USDT-PCD trading pair to calculate the PCD’s price. The attacker exploited this vulnerability and leveraged a flash loan to manipulate those balances and push the PCD’s price to an extremely low level, so that the attacker used very little USDT to purchase a large number of PCD.
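The following added Python example (not the PCDNFT contract and not Fairyproof’s code) shows why a price read from a pair’s current reserves is unsafe to use inside the same transaction, and the standard mitigation: a cumulative time-weighted average price (TWAP) in the style of Uniswap V2 plus a deviation check that refuses to price a purchase when the spot price has moved too far from the TWAP. The pool, the timestamps, the skewed reserve state and the 5% tolerance are all constructed for illustration.

```python
from fractions import Fraction


class Pair:
    """Constructed toy USDT-PCD pool; only the reserves matter for the pricing question."""

    def __init__(self, usdt: int, pcd: int):
        self.usdt = usdt
        self.pcd = pcd

    def spot_price(self) -> Fraction:
        """Price of 1 PCD in USDT read straight from current reserves.
        This is the pattern the report describes as the root cause: whoever can move the
        reserves inside one transaction can move this number."""
        return Fraction(self.usdt, self.pcd)

    def set_reserves(self, usdt: int, pcd: int) -> None:
        # stand-in for the reserve state after any sequence of swaps within a block
        self.usdt, self.pcd = usdt, pcd


class TwapOracle:
    """Cumulative-price oracle in the style of Uniswap V2: the price that was in effect is
    accumulated for the time it was in effect, and sync() runs before reserves change."""

    def __init__(self, pair: Pair, now: int):
        self.pair = pair
        self.last_ts = now
        self.last_price = pair.spot_price()
        self.cumulative = Fraction(0)
        self.snapshots = {now: Fraction(0)}  # timestamp -> cumulative price

    def sync(self, now: int) -> None:
        """Call at block boundaries and before every reserve change."""
        self.cumulative += self.last_price * (now - self.last_ts)
        self.last_ts = now
        self.last_price = self.pair.spot_price()
        self.snapshots[now] = self.cumulative

    def twap(self, start: int, end: int) -> Fraction:
        """Average price over [start, end]; both must be recorded snapshot timestamps."""
        return (self.snapshots[end] - self.snapshots[start]) / (end - start)


def quote_pcd_for_usdt(usdt_amount: int, price: Fraction) -> Fraction:
    """How much PCD a buyer receives for usdt_amount at the given PCD price."""
    return Fraction(usdt_amount) / price


def guarded_price(spot: Fraction, twap: Fraction, max_deviation: Fraction):
    """Reference price for a sale, or None when spot deviates from TWAP by more than max_deviation."""
    if abs(spot - twap) > twap * max_deviation:
        return None
    return twap


def run_scenario() -> dict:
    pair = Pair(1_000_000, 1_000_000)        # constructed: 1 USDT per PCD
    oracle = TwapOracle(pair, now=0)
    for t in range(60, 600, 60):
        oracle.sync(t)                       # quiet blocks, price stays at 1
    oracle.sync(600)                         # pair syncs before the reserve change in this block
    # Constructed manipulated state within the same block; k is preserved (1e6*1e6 == 1e5*1e7).
    pair.set_reserves(100_000, 10_000_000)
    spot = pair.spot_price()                 # 1/100 USDT per PCD
    twap = oracle.twap(0, 600)               # still 1: the skew has been in effect for 0 seconds
    return {
        "spot": spot,
        "twap": twap,
        "pcd_for_100_usdt_spot": quote_pcd_for_usdt(100, spot),
        "pcd_for_100_usdt_twap": quote_pcd_for_usdt(100, twap),
        "guarded": guarded_price(spot, twap, Fraction(5, 100)),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In the scenario, pricing from reserves hands out 10,000 PCD for 100 USDT, while the TWAP still says 100 PCD, and the deviation guard returns None, so a sale function built on it would revert rather than sell at the skewed price. A TWAP only raises the cost of manipulation (an attacker must hold the skew across blocks); the deviation check is what turns a within-transaction manipulation into a failed call.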
4. Harmony ETH Cross-Chain Bridge
On June 23, Harmony’s ETH cross-chain bridge was attacked.
The attack was launched from the following three addresses on Ethereum:
0x0d043128146654C7683Fbf30ac98D7B2285DeD00,
0x9E91ae672E7f7330Fc6B9bAb9C259BD94Cd08715 and
0x58F4BACcb411ACef70A5f6DD174Af7854fc48Fa9
Crypto assets valued at around $100 million were exploited.
For more details please refer to:
https://medium.com/@FairyproofT/fairyproofs-analysis-of-the-attack-on-harmony-9f95bd76ab9d
5. Convex Finance
On June 24, Convex Finance’s team announced that the project’s website (http://convexfinance.com/) suffered from a DNS hijack. 215 ETH valued at around $250,000 were exploited in this attack.
Here is a list of the rug pulls:
1. LV PLUS
On June 21, LV PLUS, an application deployed on the BNB chain, turned out to be a rug pull.
The exploiter at 0x7721034753ebe6f5714a7c5ebd0d188fa4a3b167 on the BNB chain deployed the LVP token. The team behind the project claimed the project was part of the “LV Metaverse”, but it turned out that the project had nothing to do with LV. The exploiter distributed the tokens it held to multiple wallets, dumped them on the market, and made a profit of around $1.5 million.
All the profits were eventually sent to 0x0786e8682c11312cb547d6db46bc99a392050b26 on the BNB chain.
At the time of writing, 0x0786e8682c11312cb547d6db46bc99a392050b26 held crypto assets valued at around $8 million.
2. Justcows
On June 24, Justcows, a centralized platform that provided custody services, turned out to be a rug pull. The team behind the platform ran away with users’ crypto assets valued at around $5 million. The team distributed a large amount of BUSD via coin-join to thousands of addresses, including Hunterswap, exchanges, etc.
Around one month earlier, the team had announced that it was disabling withdrawals of crypto assets.
Closing thoughts
There were five security attacks and two rug pulls in the past week. Among the five attacks, the ones that happened to Whaleswap and PandorachainDAO exploited smart contract vulnerabilities that could have been prevented if the contracts had undergone professional audits. The other three were more related to management and operations.
A reminder to project teams: always test thoroughly, have smart contracts audited before deploying them on-chain, and apply comprehensive security measures to daily operations and management.
A reminder to crypto users: be cautious about suspicious links, emails or websites, and about projects launched by teams without an established reputation.