Weekly Blockchain Security Report by Fairyproof - Mar 21 to Mar 27
It has truly been another eventful week!
During the week from March 21 to March 27, 2022, the security incidents in the crypto industry fall into two groups: security hacks and publicly announced vulnerabilities.
Here is a list of the security hacks:
1. OneRing
On March 21 UTC time, OneRing Finance, a DeFi application deployed on Fantom, was attacked. Using a flash loan, the attacker drained a total of 1,454,672.244369 USDC, valued at around $1,454,672.24.
The vulnerability that was exploited was an inappropriate algorithm for calculating the price of an LP token: the price was derived from the pool's spot reserves, which can be moved within a single transaction, so the LP token's price could be manipulated. The flash loan supplied the capital to push the reserves far enough to make the manipulation worthwhile and so enlarged the loss.
For more details about this attack please refer to Fairyproof’s article at:
https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-onering-finance-94d25b66f63c
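To make the OneRing root cause concrete, here is an added example (not OneRing's or Fairyproof's code) of the two ways an LP token is commonly priced: the manipulable spot-reserve method beside the "fair LP" method that prices the token from the pool invariant k = r0 * r1 and external feeds. The `IPair`, `IPriceFeed` and `LpPricer` names are assumptions for illustration; the pair interface mirrors a Uniswap-v2-style constant-product pool, all prices are 1e18 scaled, and both underlying tokens and the LP token are assumed to have 18 decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical interfaces: a Uniswap-v2-style constant-product pair and an
// external USD price feed for the two underlying tokens (prices 1e18 scaled;
// token0, token1 and the LP token assumed to use 18 decimals).
interface IPair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function totalSupply() external view returns (uint256);
}

interface IPriceFeed {
    function price0() external view returns (uint256); // USD per token0, 1e18 scaled
    function price1() external view returns (uint256); // USD per token1, 1e18 scaled
}

contract LpPricer {
    IPair public immutable pair;
    IPriceFeed public immutable feed;

    constructor(IPair _pair, IPriceFeed _feed) {
        pair = _pair;
        feed = _feed;
    }

    // VULNERABLE: values the LP token from the pool's spot reserves.
    // A flash-loan swap moves r0 and r1 inside one transaction, so an attacker
    // who borrows enough can set this price almost at will before calling
    // whatever protocol function trusts it (collateral check, deposit, ...).
    function naiveLpPrice() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 tvl = (uint256(r0) * feed.price0() + uint256(r1) * feed.price1()) / 1e18;
        return tvl * 1e18 / pair.totalSupply();
    }

    // HARDENED: the "fair LP" formula. In a constant-product pool k = r0 * r1
    // is unchanged by swaps (it only grows slowly with fees), so
    //   price = 2 * sqrt(k) * sqrt(p0 * p1) / totalSupply
    // cannot be moved by trading against the pool. It depends only on k and on
    // the external prices p0, p1, which must come from a feed the attacker
    // cannot move in the same transaction (e.g. a decentralised oracle).
    function fairLpPrice() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 sqrtK = sqrt(uint256(r0) * uint256(r1));     // token units, 1e18 scaled
        uint256 sqrtP = sqrt(feed.price0() * feed.price1()); // USD, 1e18 scaled
        return 2 * sqrtK * sqrtP / pair.totalSupply();
    }

    // Babylonian integer square root (floor).
    function sqrt(uint256 x) internal pure returns (uint256 y) {
        if (x == 0) return 0;
        uint256 z = (x + 1) / 2;
        y = x;
        while (z < y) {
            y = z;
            z = (x / z + z) / 2;
        }
    }
}
```

Worked numbers (constructed): a pool holding 1,000,000 of each token, both quoted at $1 by the feed, with 1,000,000 LP tokens outstanding is priced at $2 per LP token by both functions. A flash-loan swap that pushes the reserves to 4,000,000 / 250,000 leaves k unchanged, so `fairLpPrice` still returns $2, while `naiveLpPrice` now returns (4,000,000 + 250,000) / 1,000,000 = $4.25. The fair formula only holds if the feed prices themselves cannot be moved within the transaction, which is why it should be paired with an oracle rather than with the pool's own spot price.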
2. Cashio Dollar
On March 23 UTC time, Cashio Dollar, a DeFi stablecoin application deployed on Solana, was attacked.
The attacker’s address was 6D7fgzpPZXtDB6Zqg3xRwfbohzerbytB2U5pFchnVuzw on Solana.
The hash value of the attack transaction was:
4fgL8D6QXKH1q3Gt9GPzeRDpTgq4cE5hxf1hNDUWrJVUe4qDJ1xmUZE7KJWDANT99jD8UvwNeBb1imvujz3Pz2K5
The vulnerability that was exploited was that the authority to mint tokens was not properly verified: the program accepted a mint request without checking that the caller and the accounts it supplied were the ones actually entitled to mint.
The attacker used this to mint 2 billion CASH tokens, exchanged them for 8.64 million UST, 17.04 million USDC, and 26.34 million USDT-USDC LP tokens, and stole a total of around $50 million.
3. Revest Finance
On March 27 UTC time, Revest Finance, a DeFi application deployed on Ethereum was attacked.
The attacker’s address was 0xef967ECE5322c0D7d26Dab41778ACb55CE5Bd58B on Ethereum.
The attacking contract was deployed at 0xb480Ac726528D1c195cD3bb32F19C92E8d928519 on Ethereum.
The attacked contract was deployed at 0x2320a28f52334d62622cc2eafa15de55f9987ed9 on Ethereum.
The root cause of this attack was a re-entrancy vulnerability in its ERC-1155 implementation. An ERC-1155 mint or transfer to a contract address calls that contract's onERC1155Received hook, which hands control to the recipient in the middle of the caller's logic; if the calling contract updates its state after that call instead of before it, the recipient can re-enter and act on stale state.
In this attack, the attacker stole 592 ETH and other crypto assets valued at around $120,000. The total loss was around $2 million.
Right after the attack was detected, the team behind the project announced that emergency measures had been taken to protect the remaining crypto assets.
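To show the bug class behind the Revest incident, here is an added example (not Revest's or Fairyproof's code) of a hypothetical vault that issues ERC-1155 share tokens for deposits. The vulnerable `depositVulnerable` updates its accounting after the mint, so the attacker's `onERC1155Received` hook sees a share supply that already includes the new shares while the cached asset total is stale; the hardened `deposit` applies checks-effects-interactions plus a re-entrancy guard. `ShareVault`, `Reenter`, the single `SHARE_ID`, the minimal inline mint (which keeps the ERC-1155 order of "update balances, then call the recipient") and the worked numbers are all constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault issuing ERC-1155 share tokens for deposits. The mint follows
// the ERC-1155 rule that a contract recipient is called back via onERC1155Received.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IERC1155Receiver {
    function onERC1155Received(address operator, address from, uint256 id, uint256 value, bytes calldata data)
        external returns (bytes4);
}

contract ShareVault {
    IERC20 public immutable asset;
    uint256 public constant SHARE_ID = 1;
    mapping(uint256 => mapping(address => uint256)) public balanceOf; // ERC-1155 balances
    mapping(uint256 => uint256) public totalSupply;                     // shares in circulation per id
    uint256 public totalAssets;                                         // cached underlying balance
    bool private locked;

    constructor(IERC20 _asset) { asset = _asset; }

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Minimal ERC-1155-style mint: balance and supply are updated first, then the
    // recipient contract is called, the same order as the standard's acceptance check.
    function _mint(address to, uint256 id, uint256 amount) internal {
        balanceOf[id][to] += amount;
        totalSupply[id] += amount;
        if (to.code.length > 0) {
            bytes4 ok = IERC1155Receiver(to).onERC1155Received(msg.sender, address(0), id, amount, "");
            require(ok == IERC1155Receiver.onERC1155Received.selector, "rejected");
        }
    }

    function _sharesFor(uint256 amount) internal view returns (uint256) {
        uint256 supply = totalSupply[SHARE_ID];
        return supply == 0 ? amount : amount * supply / totalAssets;
    }

    // VULNERABLE: totalAssets is written after _mint. Inside onERC1155Received the
    // share supply already counts the new shares while totalAssets is stale, so a
    // re-entrant deposit is priced at an inflated shares-per-asset ratio.
    function depositVulnerable(uint256 amount) external {
        uint256 shares = _sharesFor(amount);
        _mint(msg.sender, SHARE_ID, shares);                                       // external call
        totalAssets += amount;                                                     // effect after it
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // HARDENED: checks-effects-interactions plus a guard. Every value that prices
    // shares is final before the callback, and the callback cannot re-enter.
    function deposit(uint256 amount) external nonReentrant {
        uint256 shares = _sharesFor(amount);
        totalAssets += amount;
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _mint(msg.sender, SHARE_ID, shares);
    }

    function redeem(uint256 shares) external nonReentrant {
        uint256 amount = shares * totalAssets / totalSupply[SHARE_ID];
        balanceOf[SHARE_ID][msg.sender] -= shares; // reverts on underflow in 0.8
        totalSupply[SHARE_ID] -= shares;
        totalAssets -= amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }
}

// Attacker: re-enters depositVulnerable from the ERC-1155 acceptance hook.
// Worked numbers (constructed): vault holds 100 assets / 100 shares; attack(1000):
//   outer deposit  -> 1000 shares, supply 1100, totalAssets still 100
//   hook re-enters -> 1000 * 1100 / 100 = 11000 shares for another 1000 assets
// Attacker ends with 12000 of 12100 shares over 2100 assets and redeems 2082
// for 2000 paid; the honest depositor's 100 assets are now worth 18.
contract Reenter is IERC1155Receiver {
    ShareVault immutable vault;
    IERC20 immutable asset;
    uint256 amount;
    bool reentered;

    constructor(ShareVault _vault, IERC20 _asset) { vault = _vault; asset = _asset; }

    function attack(uint256 _amount) external {
        amount = _amount;
        asset.approve(address(vault), 2 * _amount);  // capital can come from a flash loan
        vault.depositVulnerable(_amount);
        vault.redeem(vault.balanceOf(vault.SHARE_ID(), address(this)));
    }

    function onERC1155Received(address, address, uint256, uint256, bytes calldata) external returns (bytes4) {
        if (!reentered) {
            reentered = true;
            vault.depositVulnerable(amount);  // priced with stale totalAssets
        }
        return IERC1155Receiver.onERC1155Received.selector;
    }
}
```

Against the hardened `deposit`, the same hook hits the `nonReentrant` check and the whole outer transaction reverts; even without the guard, the ordering leaves nothing stale for the hook to exploit. The review check to apply to any ERC-1155 (or ERC-721) minting code is to list every state variable that is read to price or authorise the mint and confirm that each is updated before the call that can reach a recipient contract.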
4. Maison Ghost’s Discord Server
Around March 25 UTC time, Maison Ghost, an NFT project, was attacked: the project's Discord server was hit by a phishing attack.
Around 265 NFTs, including ones from Sandbox and 3Landers, were stolen.
5. Wallet Compromised
On March 22 UTC time, Arthur Cheong, founder of Defiance Capital, reported that his Ethereum wallet had been compromised.
The attacker’s address was 0xe47E8cD58c8E95F765e642d7dCB898f622ceFA83 on Ethereum.
This was a typical phishing attack. The victim received an email containing a phishing link from a sender whose name closely resembled that of a company the victim was familiar with. The victim opened the malicious link and the wallet was compromised.
In this incident, 78 NFTs, including Azukis, CloneX, and Second Self, and fungible tokens including 68 WETH, 4,349 stkDYDX, and 1,578 LOOKS were stolen. The total loss exceeded $1.5 million. By the time the victim announced the incident, the attacker had already cashed out 500 ETH.
Here is a list of the publicly announced vulnerabilities:
1. Chrome’s Vulnerability
On March 27 UTC time, Google's announcement of a zero-day vulnerability in Chrome drew attention because it exposed browser extensions, including MetaMask, to serious risk. Google tagged this vulnerability as CVE-2022-1096, a type confusion bug in the V8 JavaScript engine. A malicious web page could exploit it to corrupt memory in the renderer and run attacker-controlled code there, which is why an extension holding wallet keys in the same browser is at risk.
This was the second Chrome zero-day fixed in 2022. The first one, tagged CVE-2022-0609, was fixed by Google in February 2022.
Google has released a patch for this bug and urged Chrome users to install it as soon as possible.
Closing thoughts
There were five security hacks in the past week. The vulnerabilities uncovered in three of them, OneRing, Cashio Dollar and Revest Finance, were well-known issue classes (a manipulable LP price, missing mint authorization, and re-entrancy) and could have been found and fixed before being exploited if these projects had undergone a professional audit. The other two hacks, targeting a Discord server and an Ethereum wallet, could have been prevented if the users had operated these tools with more caution.
The one publicly announced vulnerability is not something third parties or users could realistically have detected on their own. The first and most important thing Chrome users need to do is install the fix as soon as the bug is announced.
A reminder to smart contract developers: use an appropriate algorithm to calculate an LP token's price, enforce access control on core token functions such as minting, and apply effective measures against re-entrancy in token implementations. These points should always be kept in mind and carried through in smart contract implementation.
A reminder to crypto users: always be cautious and alert to suspicious links, websites, and emails; watch for news about security issues in the tools and utilities you use often; and install bug fixes as soon as possible.