Weekly Blockchain Security Report by Fairyproof- June 6 to June 12
During the week from June 6 to June 12, 2022, security incidents that happened in the crypto space were either security hacks or rug-pulls.
During the week from June 6 to June 12, 2022, security incidents that happened in the crypto space were either security hacks or rug pulls.
Here is a list of the security hacks:
1. Equalizer Finance
On June 7, Equalizer Finance, a DeFi application deployed on both the BNB chain and Ethereum was attacked.
The attacker’s address was 0x0000003502aa61A5f1B1fDaDFF2cf947DfDa526e on Ethereum.
The attacking contract was deployed at 0xf667e04A8D5910328aE92750c0459d2E9E29a67f on Ethereum.
The attacked contracts were deployed at 0xA2B5ee9645f6011b2d6E10f750aB47fB455316EE on Ethereum and 0xcd2d4938350ea9137c5eac19b08b546aa14df075 on the BNB chain.
The vulnerability was that its FlashLoanProvider contract was incompatible with its Vault contracts. The vulnerability was exploited by the attacker to leverage flash loans to withdraw a large number of tokens from the vaults and eventually drained the vaults.
2. OSMO
On June 8, Pool number 678 deployed on the Osmosis blockchain was attacked.
Crypto assets valued at around $5 million were exploited.
The vulnerability was a software bug that was exploited to withdraw additional large numbers of tokens.
For more details please refer to:
https://medium.com/@FairyproofT/analysis-of-the-attack-on-osmosis-by-fairyproof-1899997d5089
3. Apollox
On June 8, Apollox, a DeFi application deployed on the BNB chain was attacked.
The attacker’s address was 0x9e532b19abd155ae5ced76ca2a206a732c68f261 on the BNB chain.
The attacking contract was deployed at 0xcC6EEDeb5266AAe42A33b629380B78c570E29956 on the BNB chain.
The hash value of the attack transaction was:
0x21e5e6ee42906a840c07eb39fb788553a3fbb5794562825c2a1d37bfc910e5f7
In this incident, 53 million APX tokens valued at around $2.1 million were exploited.
The root cause was the Apollox system had a bug in its signature implementation and the attacker exploited this to generate 255 signatures and withdraw 5300 million APX tokens.
4. GYM
On June 8, GYM, a DeFi application deployed on the BNB chain was attacked.
The attacker’s address was 0xb2c035eee03b821cbe78644e5da8b8eaa711d2e5 on the BNB chain.
The attacking contracts were deployed at the following addresses on the BNB chain:
0x7cbfd7bccd0a4a377ec6f6e44857efe42c91b6ea,
0xa796406635272448fa30089cd4d71dadae01c169,
0xd36Ea4756cf157c1A57BFFC8d3F064a1e0EFBE9f,
0x8aedf4e03f70d0680b760a63c1b4acb0eb437874 and
0x2cdb504CEFE087e00F13F9283F2FcbbdE7C2A28D
The attacked contracts were deployed at the following addresses on the BNB chain:
0xA8987285E100A8b557F06A7889F79E0064b359f2 (GymSinglePool) and
0x0288FBA0BF19072d30490A0F3C81cD9B0634258a (GymSinglePool).
In this incident, crypto-assets valued at around $2.1 million were exploited.
The vulnerability was that the contract implementation didn’t execute a transfer transaction and didn’t check the transfer transaction’s status either.
The “GymSinglePool” contract’s “depositFromOtherContract” function would update a deposit’s
status but didn’t check whether or not that deposit was actually executed. Therefore a user could
call the “depositFromOtherContract” function to update a deposit status but didn’t deposit the tokens.
5. Optimism
On June 5, Optimism, a popular Ethereum layer 2 solutions was exploited.
The attacker’s address was 0x60B28637879B5a09D21B68040020FFbf7dbA5107 on Optimism.
The exploited address was 0x4f3a120E72C76c22ae802D129F599BFDbc31cb81 on Optimism.
In this incident, 20 million OP tokens valued at around $17 million were exploited.
For more details about this incident please refer to:
Here is a list of the rug pulls:
1. Baby Elon
On June 8, Baby Elon, a dApp deployed on the BNB chain turned out to be a rug-pull.
623 BNBs valued at around $170,000 were exploited and cashed out via Tornado Cash.
Closing thoughts
In the past week, there were six incidents. Five of them were hacks and one was a rug pull.
The one that happened to Optimisim is a new type of attack which we name “contract hijacking” and can be prevented by following the suggestion raised in https://medium.com/@FairyproofT/analysis-solution-to-the-attack-on-optimism-by-fairyproof-95b09443dbf7.
The other four hacks could have been prevented if the teams behind these projects had done thorough tests and had their projects audited by professionals.
A reminder to project teams: always test thoroughly and do smart contract audits before deploying smart contracts on-chain.
A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.
Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing