Weekly Blockchain Security Report by Fairyproof: May 2 to May 8
During the week from May 2 to May 8, 2022, the security incidents in the crypto space were security hacks and rug pulls.
Here is a list of the security hacks:
1. MM Finance
On May 5, MM Finance, a DeFi application deployed on the Cronos blockchain, was attacked.
The attacker’s address was 0xb3065fE2125C413E973829108F23E872e1DB9A6b on the Cronos blockchain.
The attacker injected a malicious contract address into the project website’s front-end, then exploited a vulnerability in its DNS and modified the project’s router contract address.
In this incident, crypto-assets valued at around $2 million were stolen, transferred to Ethereum via cross-chain bridges, and cashed out via Tornado Cash.
Users who made swap, add-liquidity, or remove-liquidity transactions on its website were affected.
The team behind the project announced that it would use its collected transaction fees to buy MUSDs and put the MUSDs in a specific pool. All the victims will be able to claim the MUSDs in the pool within 45 days.
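A defensive check for the kind of front-end tampering described in the MM Finance incident, as an added example that is not from Fairyproof's report or the project: it scans the JavaScript bundle a site serves for contract addresses and compares them with a pinned list. The addresses, bundle text, and function names are constructed for illustration.

```javascript
// Added example: flag contract addresses in a front-end bundle that are not pinned.
// All addresses and bundle text below are constructed placeholders.

// A 20-byte address: "0x" + 40 hex digits, not part of a longer hex run
// (so 32-byte transaction hashes are not mistaken for addresses).
const ADDRESS_RE = /(?<![0-9a-zA-Z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])/g;

function extractAddresses(text) {
  // Lowercase so checksum-cased and lowercase spellings compare equal.
  return new Set((text.match(ADDRESS_RE) || []).map((a) => a.toLowerCase()));
}

function auditBundle(bundleText, pinned) {
  const allow = new Map(
    Object.entries(pinned).map(([name, addr]) => [addr.toLowerCase(), name])
  );
  const found = extractAddresses(bundleText);
  // Addresses served to users that the team never pinned.
  const unexpected = [...found].filter((a) => !allow.has(a)).sort();
  // Pinned contracts that no longer appear, e.g. a router that was swapped out.
  const missing = [...allow]
    .filter(([addr]) => !found.has(addr))
    .map(([, name]) => name)
    .sort();
  return { ok: unexpected.length === 0 && missing.length === 0, unexpected, missing };
}

const PINNED = {
  router: "0x1111111111111111111111111111111111111111",
  factory: "0x2222222222222222222222222222222222222222",
};

const CLEAN_BUNDLE = `
  const ROUTER="0x1111111111111111111111111111111111111111";
  const FACTORY="0x2222222222222222222222222222222222222222";
  // a tx hash in a comment must not be reported:
  // 0x${"ab".repeat(32)}
`;

// Same bundle with the router constant replaced, as in a front-end tampering.
const TAMPERED_BUNDLE = CLEAN_BUNDLE.replace(
  PINNED.router,
  "0x9999999999999999999999999999999999999999"
);

console.log(auditBundle(CLEAN_BUNDLE, PINNED));
console.log(auditBundle(TAMPERED_BUNDLE, PINNED));
```

Run from a host outside the project's own infrastructure against the bundle as users actually receive it, so that a change made at the DNS or hosting layer is visible to the check.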
2. Fortress Finance
On May 8, 2022, Fortress Protocol, a DeFi application deployed on the BNB Chain, suffered a governance attack.
The attacker’s address was 0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad on the BNB Chain.
The attacking contract was deployed at 0xcd337b920678cf35143322ab31ab8977c3463a45 on the BNB Chain.
The attacked contract was deployed at 0xc11B687cd6061A6516E23769E4657b6EfA25d78E on the BNB Chain.
The hash value of the attack transaction was:
0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf
The vulnerability that was exploited in this incident lay in the project’s governance mechanism.
In this incident, 1048 ETH and 400,000 DAI were stolen. They were valued at $3 million.
For more details, please refer to:
https://medium.com/@FairyproofT/fairyproofs-analysis-of-the-attack-on-fortress-protocol-6fb2df687845
Here is a list of the rug pulls:
1. OpenSea
On May 6, OpenSea’s Discord was attacked. The hacker used bots to send phishing links to the Discord server and announced fake news claiming that OpenSea was collaborating with YouTube to release 100 mint pass NFTs.
Closing thoughts
In the past week, none of the incidents were in smart contracts; they were either conventional web 2.0 issues or DAO governance issues.
A reminder to project teams: besides smart contracts, awareness of governance security should be raised as well.
A reminder to crypto users: be cautious about suspicious links, emails, or websites.