Weekly Blockchain Security Report by Fairyproof- Mar 14 to Mar 20
What an eventful week! During the week from March 14 to March 20, 2022, every security event that happened in the crypto industry was a hack.
Here is a list of the security hacks:
1. Deus Finance
On March 15, 2022, Deus Finance, a DeFi application deployed on Fantom, suffered a flashloan attack.
The attacker's address was 0x1ed5112b32486840071b7cdd2584ded2c66198dd on Fantom.
The attacked contract was deployed at 0xeC1Fc57249CEa005fC16b2980470504806fcA20d on Fantom.
The hash value of the attack transaction was:
0xe374495036fac18aa5b1a497a17e70f256c4d3d416dd1408c026f3f5c70a3a9c
The attacker funded its gas with ETH withdrawn from Tornado.Cash on Ethereum and launched the cross-chain attack on Deus Finance on Fantom via AnySwap's cross-chain bridge. The attacker then moved the exploited assets back to Ethereum, swapped them for 1,180 ETH and 200,000 DAI, and cashed out via Tornado.Cash. The total exploited assets were valued at around $3 million.
The root cause was that the project's implementation did not use a proper price oracle: the price of the DEI token in USDC was read from a source the attacker could move within a single transaction. The manipulation was amplified with a flashloan.
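The following model, added to this report and not Deus Finance's code, shows why a price read straight from a pool's reserves is not an oracle. It builds a generic constant-product pool (x * y = k, Uniswap-v2 style) for a hypothetical DEI/USDC pair, a Uniswap-v2-style cumulative-price (TWAP) oracle, and values a DEI position with each. In one atomic transaction the attacker flash-borrows USDC, pumps DEI, reads both prices, and unwinds; the spot valuation is inflated roughly a hundredfold while the TWAP does not move, because a trade that is done and undone inside one block is weighted by zero seconds. Reserves, amounts, block times and the class and function names are all constructed for the illustration.

```python
"""Spot price vs. TWAP under a single-transaction (flashloan) manipulation.

Illustration added to this report; not Deus Finance's code. Generic
constant-product pool, Uniswap-v2-style cumulative-price oracle, and a
collateral valuation that reads either price. All numbers are constructed.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    dei: float          # DEI reserve
    usdc: float         # USDC reserve
    fee: float = 0.003  # 0.3 % swap fee taken from the input amount

    def spot_price(self) -> float:
        """USDC per DEI implied by the current reserves: what a naive oracle reads."""
        return self.usdc / self.dei

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        effective = usdc_in * (1 - self.fee)
        dei_out = self.dei - (self.dei * self.usdc) / (self.usdc + effective)
        self.usdc += usdc_in
        self.dei -= dei_out
        return dei_out

    def swap_dei_for_usdc(self, dei_in: float) -> float:
        effective = dei_in * (1 - self.fee)
        usdc_out = self.usdc - (self.dei * self.usdc) / (self.dei + effective)
        self.dei += dei_in
        self.usdc -= usdc_out
        return usdc_out


class TwapOracle:
    """Cumulative-price oracle: integrates the spot price over time.

    update() runs at the start of a block, before any trade in that block, so
    the price that gets weighted is the one the pool was left at when the
    previous block closed. A trade done and undone inside one transaction is
    therefore weighted by zero seconds.
    """

    def __init__(self, pool: ConstantProductPool, now: int):
        self.pool = pool
        self.cumulative = 0.0               # sum of spot_price * seconds elapsed
        self.last_ts = now
        self.observations = [(now, 0.0)]    # (timestamp, cumulative) per block

    def update(self, now: int) -> None:
        self.cumulative += self.pool.spot_price() * (now - self.last_ts)
        self.last_ts = now
        self.observations.append((now, self.cumulative))

    def consult(self, window: int) -> float:
        """Average price over roughly the last `window` seconds."""
        now, cum_now = self.observations[-1]
        older = [obs for obs in self.observations if obs[0] <= now - window]
        if not older:
            raise ValueError("not enough price history for the requested window")
        ts0, cum0 = older[-1]
        return (cum_now - cum0) / (now - ts0)


def run_scenario() -> dict:
    """One atomic transaction: flash-borrow USDC, pump DEI, read both prices, unwind."""
    pool = ConstantProductPool(dei=1_000_000.0, usdc=1_000_000.0)  # DEI at 1.00 USDC
    oracle = TwapOracle(pool, now=0)
    for block_ts in range(12, 121, 12):      # ten quiet 12-second blocks
        oracle.update(block_ts)
    oracle.update(132)                        # start of the attack block, before any trade

    loan_usdc = 9_000_000.0                   # flash loan, repaid before the tx ends
    collateral_dei = 10_000.0                 # position the attacker wants over-valued
    dei_bought = pool.swap_usdc_for_dei(loan_usdc)
    manipulated_spot = pool.spot_price()
    twap = oracle.consult(window=120)
    usdc_back = pool.swap_dei_for_usdc(dei_bought)   # unwind so the loan can be repaid
    return {
        "manipulated_spot": manipulated_spot,          # about 99.7 USDC per DEI
        "twap": twap,                                  # still 1.0
        "spot_value": collateral_dei * manipulated_spot,
        "twap_value": collateral_dei * twap,
        "round_trip_cost": loan_usdc - usdc_back,      # swap fees and slippage paid
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value:,.2f}")
```

The round-trip cost is the attacker's only expense, and it is small next to a collateral position that is suddenly valued at a hundred times its worth. A TWAP is not a complete answer either (it can be pushed over several blocks by a well-funded attacker against a shallow pool), which is why production lending code pairs it with an external feed or sanity bounds.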
2. Hundred Finance
On March 15, Hundred Finance, a DeFi protocol deployed on the Gnosis Chain, suffered a flashloan attack.
The attacker's address was 0xD041Ad9aaE5Cf96b21c3ffcB303a0Cb80779E358.
The hash value of the attack transaction was:
0x534b84f657883ddc1b66a314e8b392feb35024afdec61dfe8e7c510cfac1a098
The attacked contracts were deployed at the following four addresses:
- 0x243E33aa7f6787154a8E59d3C27a66db3F8818ee
- 0xe4e43864ea18d5e5211352a4b810383460ab7fcc
- 0x8e15a22853a0a60a0fbb0d875055a8e66cff0235
- 0x090a00a2de0ea83def700b5e216f87a5d4f394fe
The attacker funded its gas with ETH withdrawn from Tornado.Cash on Ethereum. During this incident, the attacker exploited 2,363 ETH and cashed out via Tornado.Cash. The exploited ETH were valued at around $6.9 million.
The root cause was a re-entrancy vulnerability in one of the protocol's functions. The vulnerability was exploited, and the exploit was amplified with a flashloan.
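To make the re-entrancy pattern concrete, here is a model added to this report; it is not Hundred Finance's code and does not reproduce its exploit. It builds a generic lending pool whose borrow() pays the borrower through a token that calls a hook on contract recipients (the behaviour of ERC-777 / ERC-677 style tokens), and an attacker contract whose hook re-enters borrow() before the pool has booked the first loan, so the same flash-loaned collateral backs several borrows. The hardened variant records the debt before the transfer (checks-effects-interactions) and adds a re-entrancy guard. Amounts, the 1:1 price, the 50 % collateral factor and all names are constructed.

```python
"""Re-entrancy in a lending-style contract, modelled in Python.

Illustration added to this report; not Hundred Finance's code. Generic pool,
hooked token and attacker; all amounts and names are constructed.
"""


class ReentrancyError(Exception):
    pass


class HookedToken:
    """Token whose transfer() calls the recipient's hook if one is registered."""

    def __init__(self):
        self.balances = {}
        self.hooks = {}   # address -> callable(amount), for contract recipients

    def mint(self, addr: str, amount: int) -> None:
        self.balances[addr] = self.balances.get(addr, 0) + amount

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = self.hooks.get(recipient)
        if hook is not None:
            hook(amount)   # control passes to the recipient in the middle of the call


class LendingPool:
    COLLATERAL_FACTOR = 0.5   # may borrow up to 50 % of deposited collateral

    def __init__(self, token: HookedToken, address: str, hardened: bool):
        self.token, self.address, self.hardened = token, address, hardened
        self.collateral, self.debt = {}, {}
        self._locked = False

    def deposit(self, user: str, amount: int) -> None:
        self.token.transfer(user, self.address, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user: str, amount: int) -> None:
        if self.hardened and self._locked:
            raise ReentrancyError("re-entrant call blocked")
        self._locked = True
        try:
            limit = self.collateral.get(user, 0) * self.COLLATERAL_FACTOR   # check
            if self.debt.get(user, 0) + amount > limit:
                raise ValueError("borrow exceeds collateral limit")
            if self.hardened:
                self.debt[user] = self.debt.get(user, 0) + amount    # effect first
                self.token.transfer(self.address, user, amount)      # interaction last
            else:
                self.token.transfer(self.address, user, amount)      # hook fires here...
                self.debt[user] = self.debt.get(user, 0) + amount    # ...before debt exists
        finally:
            self._locked = False


class Attacker:
    """Contract whose token-received hook re-enters borrow() a fixed number of times."""

    def __init__(self, token: HookedToken, pool: LendingPool, address: str, rounds: int):
        self.token, self.pool, self.address, self.rounds = token, pool, address, rounds
        self.calls = 0
        token.hooks[address] = self.on_token_received

    def on_token_received(self, amount: int) -> None:
        if self.calls < self.rounds:
            self.calls += 1
            try:
                self.pool.borrow(self.address, amount)   # same collateral, debt not yet booked
            except (ReentrancyError, ValueError):
                pass   # a real attacker contract swallows the revert of the inner call the same way

    def attack(self, collateral: int) -> None:
        self.pool.deposit(self.address, collateral)
        self.pool.borrow(self.address, int(collateral * LendingPool.COLLATERAL_FACTOR))


def simulate(hardened: bool, rounds: int = 5) -> dict:
    token = HookedToken()
    token.mint("pool", 10_000)        # liquidity supplied by honest lenders
    token.mint("attacker", 1_000)     # flash-loaned collateral, repaid after the attack
    pool = LendingPool(token, "pool", hardened)
    attacker = Attacker(token, pool, "attacker", rounds)
    attacker.attack(1_000)
    return {
        "attacker_balance": token.balances["attacker"],
        "recorded_debt": pool.debt.get("attacker", 0),
        "borrow_limit": int(1_000 * LendingPool.COLLATERAL_FACTOR),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

With the vulnerable ordering, five re-entrant calls turn a 500-unit borrow limit into 3,000 units out of the pool, and the debt is only written once the nested calls unwind. Either fix alone stops this particular path; applying both is the norm, because checks-effects-interactions protects the invariant and the guard protects against paths a reviewer did not think of.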
3. Agave
On March 15, at nearly the same time as the Hundred Finance attack, Agave, a DeFi application deployed on the Gnosis Chain, suffered a flashloan attack.
The attacker's address was 0x0a16a85be44627c10cee75db06b169c7bc76de2c.
The hash value of the attack transaction was:
0xa262141abcf7c127b88b4042aee8bf601f4f3372c9471dbd75cb54e76524f18e
The attacker funded its gas with ETH withdrawn from Tornado.Cash on Ethereum. During this incident, the attacker exploited 2,116 ETH and cashed out via Tornado.Cash. The exploited ETH were valued at around $5.54 million.
4. NFTX
On March 17, NFTX’s BAYC vault deployed on Ethereum was exploited.
The actor's address was 0x6703741e913a30D6604481472b6d81F3da45e6E8.
The actor withdrew 159.99 ETH from FTX, used the ETH to buy vault tokens minted by NFTX's BAYC vault, redeemed those vault tokens for BAYCs staked in the vault, used the BAYCs to claim the airdropped APE tokens, and then sold the BAYCs back to the vault.
The actor obtained a total of 120,000 APE tokens, swapped them for around 239 ETH, and eventually sent a total of 399 ETH to:
0x29b8D7588674fAfBD6b5E3FeE2b86A6c927156B0
This was not a vulnerability but a feature of the NFTX platform (redeeming staked NFTs against vault tokens) that the actor took advantage of to capture the airdrop.
5. Umbrella
On March 20, Umbrella, a DeFi application deployed on both BNB Chain and Ethereum, was attacked.
The attacker’s address was 0x1751E3E1aaF1A3E7b973C889b7531F43Fc59F7D0 on Ethereum.
The attacked contract was deployed at 0xB3FB1D01B07A706736Ca175f827e4F56021b85dE on Ethereum.
The attacking contract was deployed at 0x2d85f5c295760b0afe0b271b94254a8c58b513c5 on Ethereum.
The hash value of the attack transaction was:
0x33479bcfbc792aa0f8103ab0d7a3784788b5b0e1467c81ffbed1b7682660b4fa
The attacker exploited 8,792.87 UMB/WETH LP tokens on Ethereum, swapped the 2.28 million UMB underlying the LP tokens for 55.4 ETH on Uniswap V3, and obtained a total of 145.7 ETH. The attacker bridged 145 ETH to the BNB Chain via Celer Network's cross-chain bridge and cashed out via the Tornado.Cash deployment on the BNB Chain.
The root cause was an integer overflow vulnerability in its smart contracts: arithmetic that was not checked for overflow.
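The following model, added to this report and not Umbrella's code, shows what unchecked 256-bit arithmetic does to a balance check. It implements uint256 addition and subtraction the way the EVM performs them (wrapping modulo 2**256, which is what Solidity below 0.8 or an `unchecked` block gives you) beside the checked versions Solidity 0.8+ and SafeMath provide, and a generic staking pool whose withdraw() relies on the subtraction to enforce that a user cannot withdraw more than they staked. With wrapping arithmetic a caller who staked nothing walks away with the pool's LP tokens and a "balance" of 2**256 minus the amount; with checked arithmetic the call reverts. The liquidity figures and names are constructed; the withdrawal amount echoes the report's figure but is otherwise arbitrary.

```python
"""Unchecked EVM integer arithmetic in a staking contract, modelled in Python.

Illustration added to this report; not Umbrella's code. All amounts and
names are constructed.
"""

UINT256_MOD = 2**256
UINT256_MAX = UINT256_MOD - 1


def add_unchecked(a: int, b: int) -> int:
    return (a + b) % UINT256_MOD        # (2**256 - 1) + 1 wraps to 0


def sub_unchecked(a: int, b: int) -> int:
    return (a - b) % UINT256_MOD        # 0 - 1 wraps to 2**256 - 1


def add_checked(a: int, b: int) -> int:
    if a + b > UINT256_MAX:
        raise ArithmeticError("uint256 overflow")
    return a + b


def sub_checked(a: int, b: int) -> int:
    if b > a:
        raise ArithmeticError("uint256 underflow")
    return a - b


class StakingPool:
    """Users stake LP tokens; withdraw() decrements the user's staked balance.

    The only guard on withdraw() is the subtraction itself. With wrapping
    arithmetic a user with 0 staked can withdraw anything the contract holds:
    0 - amount becomes 2**256 - amount, a huge and therefore "valid" balance.
    """

    def __init__(self, lp_liquidity: int, checked: bool):
        self.lp_held = lp_liquidity       # LP tokens deposited by honest stakers
        self.staked = {}
        self._sub = sub_checked if checked else sub_unchecked
        self._add = add_checked if checked else add_unchecked

    def stake(self, user: str, amount: int) -> None:
        self.staked[user] = self._add(self.staked.get(user, 0), amount)
        self.lp_held += amount

    def withdraw(self, user: str, amount: int) -> int:
        self.staked[user] = self._sub(self.staked.get(user, 0), amount)   # should revert
        if amount > self.lp_held:
            raise ValueError("contract does not hold that many LP tokens")
        self.lp_held -= amount
        return amount                     # LP tokens sent to the caller


def run_withdraw(checked: bool, amount: int = 8_792) -> dict:
    """An attacker who never staked calls withdraw(); report what happened."""
    pool = StakingPool(lp_liquidity=50_000, checked=checked)
    pool.stake("honest", 20_000)
    try:
        received = pool.withdraw("attacker", amount)
        reverted = False
    except ArithmeticError:
        received, reverted = 0, True
    return {
        "reverted": reverted,
        "received": received,
        "attacker_staked_balance": pool.staked.get("attacker", 0),
        "lp_held": pool.lp_held,
    }


if __name__ == "__main__":
    print("unchecked:", run_withdraw(checked=False))
    print("checked:  ", run_withdraw(checked=True))
```

The practical checks for a reviewer: which compiler version the contract targets, whether any `unchecked { }` blocks or inline assembly bypass the built-in checks, and whether an explicit `require(amount <= balance)` exists independently of the arithmetic, since the error message and the revert reason also matter for monitoring.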
6. Li.Fi
On March 20, Li.Fi, a DeFi cross-chain application, was attacked. Because the contracts were not open-sourced, the vulnerability was not identified publicly by third parties but was uncovered by the team. Fortunately, the team behind the project has fixed the issue.
The information Fairyproof could obtain was that, in the victims' wallets, all tokens for which the victims had granted a spending approval were drained.
Closing thoughts
Among the six incidents of the week, the four that hit Deus Finance, Agave, Hundred Finance and Umbrella respectively were typical vulnerabilities that a careful audit before deployment could have uncovered.
The NFTX incident was tricky. It might not be the first flashloan-style attack of its kind, but it is the biggest that has happened so far, and it deserves more attention and awareness from both developers and security companies.
The Li.Fi incident was promptly handled by the team. Although the root cause has not been announced publicly, users who interacted with the application could have limited their exposure by handling token approvals properly.
A strong reminder to all token holders: review the token approvals in your wallets regularly and revoke excessive approvals whenever necessary.
Etherscan has a tool for users to review and revise token approvals:
https://etherscan.io/tokenapprovalchecker
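The approval checker works from the chain's own records: every `approve()` emits an ERC-20 `Approval(owner, spender, value)` event, and the latest event per (token, spender) is the current allowance. The script below, added to this report and not Etherscan's or Li.Fi's code, does the same thing offline. It replays Approval logs in the JSON shape `eth_getLogs` returns, keeps the latest value per (token, spender) for one owner, treats a later value of 0 as a revocation, and flags allowances that are unlimited (2**256 - 1) or large enough to be effectively unlimited. The 2**128 threshold, the log records and all names are constructed assumptions; against a live node the logs would come from `eth_getLogs` filtered on topic0 and on topic1 = the owner, which is exactly the exposure the Li.Fi victims' approvals created.

```python
"""Outstanding and unlimited ERC-20 approvals, reconstructed from Approval logs.

Illustration added to this report; not Etherscan's or Li.Fi's code. The
sample logs below are constructed; the 2**128 threshold is an assumption.
"""

# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
EFFECTIVELY_UNLIMITED = 2**128     # assumption: no real token supply comes close


def decode_approval(log: dict):
    """Return the decoded Approval event, or None if the log is a different event."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": "0x" + topics[1][-40:].lower(),     # indexed params are left-padded to 32 bytes
        "spender": "0x" + topics[2][-40:].lower(),
        "value": int(log["data"], 16),               # the non-indexed uint256
        "block": int(log["blockNumber"], 16),
        "log_index": int(log["logIndex"], 16),
    }


def outstanding_approvals(logs: list, owner: str) -> dict:
    """Latest non-zero allowance per (token, spender) granted by `owner`, in chain order."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        ev = decode_approval(log)
        if ev is None or ev["owner"] != owner.lower():
            continue
        latest[(ev["token"], ev["spender"])] = ev["value"]   # later Approval replaces; 0 revokes
    return {key: value for key, value in latest.items() if value > 0}


def risky_approvals(outstanding: dict) -> list:
    """(token, spender, label) for allowances that should be reviewed and probably revoked."""
    flagged = []
    for (token, spender), value in outstanding.items():
        if value == UINT256_MAX:
            flagged.append((token, spender, "unlimited"))
        elif value >= EFFECTIVELY_UNLIMITED:
            flagged.append((token, spender, "effectively unlimited"))
    return flagged


# --- constructed sample data, in the shape eth_getLogs returns ---------------
def _topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _word(value: int) -> str:
    return "0x" + format(value, "064x")


def _log(token, owner, spender, value, block, idx, topic0=APPROVAL_TOPIC):
    return {"address": token, "topics": [topic0, _topic(owner), _topic(spender)],
            "data": _word(value), "blockNumber": hex(block), "logIndex": hex(idx)}


TOKEN = "0x" + "de" * 20
OWNER = "0x" + "11" * 20
SPENDER_A, SPENDER_B, SPENDER_C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

SAMPLE_LOGS = [
    _log(TOKEN, OWNER, SPENDER_A, UINT256_MAX, 100, 0),              # dapp "approve all"
    _log(TOKEN, OWNER, SPENDER_B, 500 * 10**18, 101, 3),             # bounded approval
    _log(TOKEN, OWNER, SPENDER_C, 2**255, 102, 1),                   # effectively unlimited
    _log(TOKEN, OWNER, SPENDER_C, 0, 103, 0),                        # revoked later
    _log(TOKEN, OWNER, SPENDER_A, 1, 99, 0, topic0=TRANSFER_TOPIC),  # not an Approval, skipped
    _log(TOKEN, "0x" + "22" * 20, SPENDER_A, UINT256_MAX, 104, 0),   # another owner, ignored
]

if __name__ == "__main__":
    current = outstanding_approvals(SAMPLE_LOGS, OWNER)
    for token, spender, label in risky_approvals(current):
        print(f"{label}: token {token} spender {spender} -> revoke unless still needed")
```

Revoking is itself an `approve(spender, 0)` transaction from the owner, which is what the Etherscan tool sends on your behalf; the safer habit is to approve only the amount a transaction needs, so there is nothing to revoke later.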
A reminder for smart contract developers: when writing smart contracts, be aware of common vulnerabilities such as oracle issues, re-entrancy, and integer overflows. They are common, but they are easily overlooked.
Also, a reminder for project teams: an audit is a must-have step before deployment. A small cost can prevent a much bigger loss.
Join the Coinmonks Telegram channel and YouTube channel to learn about crypto trading and investing.