Weekly Blockchain Security Report by Fairyproof- Mar 28 to Apr 3
During the week from March 28 to April 3, 2022, the security incidents that happened in the crypto industry can be categorized into three groups: security hacks, publicly announced vulnerabilities and rug-pulls.
Here is a list of the security hacks:
1. Cryptovoxels
On March 28, Cryptovoxels, a virtual social platform deployed on Ethereum, was attacked.
The attacker’s address was 0x794ca38bc1e15e528a7991ce25707a25ad71b675 on Ethereum.
The platform’s Discord server suffered from a phishing attack. The attacker pretended to be a team member of Cryptovoxels and sent out a phishing link. Some users clicked on the link and approved their tokens to be spent by the attacker’s contract.
In this incident, crypto-assets valued at around $171 thousand were exploited.
For more details about this attack please refer to Fairyproof’s report at:
https://twitter.com/FairyproofT/status/1508476086182502409
2. Ronin Network
On March 29, Ronin Network, an Ethereum sidechain, was attacked.
The attacker’s address was 0x098b716b8aaf21512996dc57eb0615e2383e2f96 on Ethereum.
The attacked contract was Axie’s Ronin bridge deployed on Ethereum at:
0x1a2a1c938ce3ec39b6d47113c7955baa9dd454f2
The vulnerability that was exploited in this attack was in the system that managed its private keys. More specifically, the gas-free RPC node had a backdoor through which the attacker eventually obtained the signature of the Axie DAO validator and abused it to approve withdrawals from the bridge.
Crypto assets valued at around $610 million were exploited.
For more details, please refer to Fairyproof’s report at:
3. BasketDAO
On March 30, BasketDAO, an application deployed on Ethereum, was attacked.
The attacked contract was deployed at 0x4622aFF8E521A444C9301dA0efD05f6b482221b8 on Ethereum.
The vulnerability was a lack of validation for the input parameters of a low-level “call” in the “_primitiveToBMI” function. The attacker passed a malicious address as the call target, so the BMIZapper contract could be made to transfer away all the crypto assets that users had approved to it.
The total exploited assets were valued at around $1.1 million.
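The class of bug described above, as an added illustration that is not BasketDAO’s code: a zapper that lets the caller pick both the target and the calldata of a low-level call, next to a version that restricts the call to owner-registered adapters. Contract names, the `allowedTarget` registry and the `zap` function are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contracts only (not BasketDAO's code); names are assumed.

// Vulnerable pattern: the caller supplies both the target of a low-level call
// and its calldata. Because users approve tokens to this contract, anyone can
// make it call token.transferFrom(victim, attacker, amount) on their behalf.
contract ZapperUnchecked {
    function zap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened pattern: only pre-registered adapters may be called, the owner
// controls that registry, and token contracts holding approvals are never
// registered as targets. The calldata stays caller-supplied, but it can no
// longer be aimed at arbitrary contracts.
contract ZapperAllowlisted {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    event TargetUpdated(address indexed target, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
        emit TargetUpdated(target, allowed);
    }

    function zap(address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

An audit checklist item that catches this pattern: every `address` argument that ends up as the target of `call`, `delegatecall` or `transferFrom` must be validated against a fixed set rather than trusted from `msg.sender`.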
4. Ola Finance
On March 31, Ola Finance, a DeFi application deployed on both Fuse and Ethereum, was attacked.
The attacker’s address was 0x371D7C9e4464576D45f11b27Cf88578983D63d75 on Ethereum.
The vulnerability was an incompatibility issue. The application’s lending protocol was not designed to handle ERC-677 tokens, whose transfers call back into the recipient contract, and it therefore suffered from a re-entrancy attack.
The total exploited crypto assets were valued at around $4.67 million.
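The re-entrancy pattern behind the Ola Finance incident, as an added illustration that is not Ola Finance’s code: a lending pool that pays out an ERC-677 token before recording the debt, beside a version that applies checks-effects-interactions and a re-entrancy guard. The pool contracts, the `borrow` function and the use of `transferAndCall` for the payout are assumptions; collateral is assumed to be credited by a separate deposit path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contracts only (not Ola Finance's code); names are assumed.

// Minimal ERC-677 surface: transferAndCall hands control to a contract
// recipient via onTokenTransfer before it returns to the caller.
interface IERC677 {
    function transferAndCall(address to, uint256 value, bytes calldata data)
        external returns (bool);
}

// Vulnerable pattern: the payout (an external call) happens before the debt is
// recorded. A contract recipient receiving onTokenTransfer can call borrow()
// again while its debt is still zero, so the collateral check passes repeatedly.
contract LendingPoolUnchecked {
    IERC677 public immutable token;
    mapping(address => uint256) public collateral; // credited elsewhere (assumed)
    mapping(address => uint256) public debt;

    constructor(IERC677 t) { token = t; }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        token.transferAndCall(msg.sender, amount, ""); // interaction first
        debt[msg.sender] += amount;                    // effect recorded too late
    }
}

// Hardened pattern: record the debt before the external call and refuse
// re-entrant calls outright, so a token callback cannot change the outcome.
contract LendingPoolGuarded {
    IERC677 public immutable token;
    mapping(address => uint256) public collateral; // credited elsewhere (assumed)
    mapping(address => uint256) public debt;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC677 t) { token = t; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        debt[msg.sender] += amount;                    // effect before interaction
        token.transferAndCall(msg.sender, amount, "");
    }
}
```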
5. Discord Servers
Around April 1, the Discord servers of various NFT projects including BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz suffered from phishing attacks. Quite a few users lost their NFTs. The biggest loss was that of a famous pop star who lost his BAYC 3738, which was worth around $430,000.
Here is a list of the publicly announced vulnerabilities:
1. Jet Protocol
On March 30, the team behind Jet Protocol, a DeFi application, announced that a vulnerability was uncovered.
The vulnerability was a lack of validation for input parameters. Had it been exploited, the crypto assets of the users that interacted with this application could have been withdrawn at will.
The team had already fixed this issue before it was exploited, so no loss was caused.
Here is a list of the rug pulls:
1. Meerkat Finance
On March 30, Meerkat Finance, a DeFi application deployed on BSC, was attacked.
The attacker’s address was 0x9542966F1114eaA5859201aA8d34358BFedBFa79 on BSC.
The vulnerability was the contract’s upgradeability: the team held the access control needed to upgrade the contract.
This was exploited such that malicious contracts were deployed as the new implementation, and the attacker then drained all the crypto assets in the application’s vaults. The loss was around $30 million.
The whole process was like this:
First, Meerkat Finance made an announcement saying that the application had been attacked. Then two transactions were launched to take away crypto assets valued at around $31 million, including BUSD valued at $13.96 million and BNB valued at $17.4 million.
Soon after that, the application’s website could not be opened, and the team members could not be contacted either. Later on, the team’s Twitter account was deleted as well.
Therefore, the incident was strongly suspected to be a rug pull.
Closing thoughts
There were five security hacks in the past week. The vulnerabilities that were uncovered in BasketDAO and Ola Finance were commonly known issues that could have been uncovered and fixed without being exploited if the projects had undergone a professional audit. The one with Ronin Network was a leak of private keys; this incident could have been avoided if the team had employed more stringent management of private keys. The other two hacks targeting Discord servers could have been prevented if the users had participated in these activities with more caution and care.
The publicly announced vulnerability was a commonly known issue as well and it could have been uncovered if the project was audited before it was deployed.
The rug-pull project had a serious risk in its smart contract implementation: an upgradeable contract whose upgrade rights sat with the team. In general, if projects with this risk are audited by professional audit companies, the risk is indicated in the report. This should remind users of the importance of checking a project’s audit report.
A reminder to smart contract developers: input parameters especially addresses should be handled with great care.
A reminder to project teams: always audit projects before deploying them.
A reminder to crypto users: always be cautious and alert to suspicious links, websites, and emails, and always be careful when interacting with applications whose teams don’t have established reputations or which haven’t gone through serious audits.