Weekly Blockchain Security Report by Fairyproof — June 27 to July 3
During the week from June 27 to July 3, 2022, all the security incidents that happened in the crypto space were security hacks.
Here is a list of the security hacks:
1. Phishing Attack on Nickydooodles.eth
On June 28, the address 0xA97aB7a18133a13fEBeB33Dc661cf5bF3a2eebe1 (Nickydooodles.eth) suffered from a phishing attack.
The attacker’s address was 0x0730bCbd6Dfa86389eBF02109A5477fD65536175 on Ethereum.
17.8 ETH valued at around $18,000 and all the NFTs (including Goblintown, Doodles, and Sandbox Lands) held in the address were stolen.
The holder of Nickydooodles.eth was a famous NFT creator and also the founder of Meta bergs. Nickydooodles.eth stated on its social media account that the address had suffered a phishing attack and lost ETH and all the NFTs it held. The attacker even took control of its Twitter account.
2. Goldfinch
On June 28, Goldfinch, a DeFi application deployed on Ethereum, was attacked.
The attacker’s address was 0x86c595d81c8ab46d893065c3c674da72555fe7c0 on Ethereum.
The attacking contract was deployed at 0x541143d5eb30563a478eea23866e203b7c38c1ca on Ethereum.
The attacked contract (SeniorPool) was deployed at 0x9ffFAD7128152190065C800774443af102B62052 on Ethereum.
The hash value of the attack transaction was:
0xd56d801e07df9d8457973c3938f5d3e6343ec1ed11f4ebb76bc3f5cc73001707
Crypto assets valued at around $500,000 were exploited in the incident.
The root cause was an incorrect USDC/FIDU price calculation in the implementation. This led to a large deviation between the price of FIDU in USDC inside the SeniorPool contract and the price on Curve. The attacker used a flash loan to borrow USDC, exchanged it for FIDU on Curve, and then called “withdrawInFidu” in the SeniorPool contract to burn the FIDU and receive far more USDC than had been borrowed.
The attacker eventually made off with 28,523 USDC, and Goldfinch lost 541,158 USDC.
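The pattern behind this incident, as an added illustration that is not Goldfinch's own code: a redemption function that trusts only its internal share price beside one that refuses to redeem when that price drifts too far from a market reference. The interfaces, the `get_dy` coin indices and the 2% threshold are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interfaces (hypothetical names, not Goldfinch's own code).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
interface IBurnable { function burnFrom(address from, uint256 amount) external; }
interface ICurvePool {
    // Curve-style quote: how much of coin j you get for dx of coin i.
    function get_dy(int128 i, int128 j, uint256 dx) external view returns (uint256);
}

contract SeniorPoolLike {
    IERC20 public immutable usdc;
    IBurnable public immutable fidu;
    ICurvePool public immutable curve;  // external reference price (assumed FIDU/USDC pool)
    uint256 public sharePrice;          // internal price: USDC (6 dec) per 1e18 FIDU
    uint256 public constant MAX_DEVIATION_BPS = 200; // tolerate at most a 2% gap vs. Curve

    constructor(IERC20 _usdc, IBurnable _fidu, ICurvePool _curve, uint256 _sharePrice) {
        usdc = _usdc; fidu = _fidu; curve = _curve; sharePrice = _sharePrice;
    }

    // Vulnerable shape: trusts the internal share price alone. A flash-loan buyer who
    // acquires FIDU cheaply on Curve can burn it here for far more USDC than it paid.
    function withdrawInFiduUnchecked(uint256 fiduAmount) external {
        uint256 usdcOut = fiduAmount * sharePrice / 1e18;
        fidu.burnFrom(msg.sender, fiduAmount);
        require(usdc.transfer(msg.sender, usdcOut), "transfer failed");
    }

    // Hardened shape: refuse redemptions when the internal price and the market price
    // disagree by more than MAX_DEVIATION_BPS, which closes the arbitrage window.
    function withdrawInFidu(uint256 fiduAmount) external {
        uint256 usdcOut = fiduAmount * sharePrice / 1e18;
        uint256 marketOut = curve.get_dy(0, 1, fiduAmount); // assumed: coin 0 = FIDU, coin 1 = USDC
        require(_withinDeviation(usdcOut, marketOut), "price deviation too large");
        fidu.burnFrom(msg.sender, fiduAmount);
        require(usdc.transfer(msg.sender, usdcOut), "transfer failed");
    }

    function _withinDeviation(uint256 internalOut, uint256 marketOut) internal pure returns (bool) {
        uint256 diff = internalOut > marketOut ? internalOut - marketOut : marketOut - internalOut;
        return diff * 10_000 <= marketOut * MAX_DEVIATION_BPS;
    }
}
```

A spot AMM quote can itself be moved within the same transaction, so a production check pairs the deviation bound with a time-weighted price or a per-block redemption cap.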
3. Quixotic
On July 1, Quixotic, an NFT application deployed on Optimism, was attacked.
The attacker’s address was 0x0a0805082ea0fc8bfdcc6218a986efda6704efe5 on Optimism.
The attacking contract was deployed at 0xbe81eabdbd437cba43e4c1c330c63022772c2520 on Optimism.
The attacked contract (ExchangeV4) was deployed at 0x065e8A87b8F11aED6fAcf9447aBe5E8C5D7502b6 on Optimism.
Crypto assets valued at $130,000 were exploited in this incident.
The root cause was that the implementation did not correctly validate sell orders.
The attacked ExchangeV4 contract should have ensured that a seller's order matched the buyer's order, but it did not. As a result, anyone could mint an NFT and sell it to a buyer who had authorized ExchangeV4, regardless of whether that NFT was what the buyer intended to buy.
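The order-matching flaw in the shape of a minimal exchange, as an added example that is not Quixotic's ExchangeV4 code: the unchecked fill pulls an approved buyer's funds for any NFT the seller names, while the hardened fill requires a buy order signed by the buyer that names exactly that collection, token and price. The OpenZeppelin imports are real; the contract, struct and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

contract ExchangeLike is EIP712 {
    using ECDSA for bytes32;

    bytes32 private constant BUY_ORDER_TYPEHASH =
        keccak256("BuyOrder(address buyer,address collection,uint256 tokenId,uint256 price,uint256 nonce)");

    struct BuyOrder { address buyer; address collection; uint256 tokenId; uint256 price; uint256 nonce; }

    IERC20 public immutable paymentToken;
    mapping(address => mapping(uint256 => bool)) public usedNonce; // replay protection per buyer

    constructor(IERC20 _paymentToken) EIP712("ExchangeLike", "1") { paymentToken = _paymentToken; }

    // Vulnerable shape: the seller picks any `buyer` who has approved this exchange, and the
    // buyer's funds are pulled for an NFT the buyer never agreed to purchase.
    function fillSellOrderUnchecked(address buyer, address collection, uint256 tokenId, uint256 price) external {
        IERC721(collection).transferFrom(msg.sender, buyer, tokenId);
        require(paymentToken.transferFrom(buyer, msg.sender, price), "payment failed");
    }

    // Hardened shape: the fill must carry a buy order signed by the buyer that binds the exact
    // collection, tokenId and price; anything else is rejected before any asset moves.
    function fillSellOrder(BuyOrder calldata order, bytes calldata buyerSig) external {
        require(!usedNonce[order.buyer][order.nonce], "order already filled");
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            BUY_ORDER_TYPEHASH, order.buyer, order.collection, order.tokenId, order.price, order.nonce)));
        require(digest.recover(buyerSig) == order.buyer, "buyer did not sign this order");
        usedNonce[order.buyer][order.nonce] = true; // mark before transfers (checks-effects-interactions)
        IERC721(order.collection).transferFrom(msg.sender, order.buyer, order.tokenId);
        require(paymentToken.transferFrom(order.buyer, msg.sender, order.price), "payment failed");
    }
}
```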
4. Ankr
On July 1, Ankr, a popular blockchain service provider, suffered a DNS hijack attack.
The news was published by Polygon's chief information security officer, Mudit Gupta. The gateway services that Ankr provides for both Polygon and Fantom suffered DNS hijack attacks.
At the time of writing the service had been restored and was back to normal.
5. Crema Finance
On July 2, Crema Finance, a DeFi application deployed on Solana, was attacked.
The attacker’s address was Esmx2QjmDZMjJ15yBJ2nhqisjEt7Gqro4jSkofdoVsvY on Solana.
The attacker funded the attack from 0x8021b2962dB803b73Aa874030B0B42c202E8458F on Ethereum.
The attacker initiated a transaction to modify the “Tick Account” contract on Solana; its hash value was:
5kfoGgEvhBiHXz1MBVxn8rfJh3cf98m3D64YHE2Q1SsXLiaahvdK4hCJfkMA7jQFXLjP9YdNSTMSor3oXbKrLTev
Crypto assets valued at around $8.7 million were exploited in this incident.
The root cause was a lack of validation of Tick Account contracts in the implementation. The attacker exploited this to deploy a fake Tick Account contract that returned a fake token price, then used that price together with flash loans to perform arbitrage transactions and eventually transferred the exploited assets to Ethereum.
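The same class of flaw expressed in EVM terms, as an added example that is not Crema Finance's Solana program: a pool that reads its price from whatever data contract the caller passes in, beside one that only accepts the data contract it registered itself. On Solana the equivalent check is that the supplied tick account is owned by the pool program and matches the key the pool stores. All names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical EVM analogue of an unvalidated "Tick Account": the price source is chosen by the caller.
interface ITickData { function currentPrice() external view returns (uint256); }
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PoolLike {
    IERC20 public immutable tokenIn;
    IERC20 public immutable tokenOut;
    ITickData public immutable registeredTick; // the only price source this pool trusts

    constructor(IERC20 _in, IERC20 _out, ITickData _tick) {
        tokenIn = _in; tokenOut = _out; registeredTick = _tick;
    }

    // Vulnerable shape: any contract that implements currentPrice() is accepted, so a caller
    // can supply one that reports whatever price makes the swap profitable for them.
    function swapUnchecked(ITickData tick, uint256 amountIn) external returns (uint256 amountOut) {
        amountOut = amountIn * tick.currentPrice() / 1e18;
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "in failed");
        require(tokenOut.transfer(msg.sender, amountOut), "out failed");
    }

    // Hardened shape: the caller-supplied address must be the one the pool registered at deployment.
    function swap(ITickData tick, uint256 amountIn) external returns (uint256 amountOut) {
        require(address(tick) == address(registeredTick), "unknown tick data contract");
        amountOut = amountIn * tick.currentPrice() / 1e18;
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "in failed");
        require(tokenOut.transfer(msg.sender, amountOut), "out failed");
    }
}
```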
Besides the security incidents, there was also a security update from MetaMask.
On June 28, MetaMask announced that the “eth_decrypt” and “eth_getEncryptionPublicKey” APIs had been deprecated and that more secure APIs would be released soon. Although these two APIs had not caused any issues, MetaMask advised users to stop using them.
Closing thoughts
There were five security attacks in the past week: three smart contract vulnerabilities, one phishing attack, and one DNS hijack attack.
A reminder to project teams: always test thoroughly, have smart contracts audited before deploying them on-chain, and employ comprehensive security solutions in daily operations and management. In addition, common attacks on daily operations, such as DNS hijacking and DDoS attacks, should always be watched for.
A reminder to crypto users: be cautious about suspicious links, emails or websites, and about projects launched by teams without an established reputation.