Weekly Blockchain Security Report by Fairyproof- May 9 to May 15
During the week from May 9 to May 15, 2022, security incidents that happened in the crypto space fell into two categories: security hacks and rug-pulls.
Here is a list of the security hacks:
1. Google’s Vulnerability
On May 10, an attacker exploited a vulnerability in Google’s ad system to display a fake website whose shown name was “http://x2y2.io/”, the domain of a popular NFT trading platform. Users who clicked on the fake site had their assets stolen.
Crypto assets valued at around 100 ETH (about $200,000) were exploited in this incident.
2. OWNLY
On May 11, OWNLY, an NFT application deployed on the BNB Chain, was attacked.
The attacker’s address was 0xba31058357ea2f474a2ed0d1b3f9183904ebd38a on the BNB Chain.
The attacking contract was deployed at 0xa81ea095e0c3708e4236c71146748fa15b620386 on the BNB Chain.
The attacked contract, which was the NFTStaking contract, was deployed at 0x41BF7F818F2Dc41c67932E63E87c86D05AB957e8 on the BNB Chain.
The hash value of the attack transaction was:
0x2cbe47edb040c710b7f139cbea7a4bced4d6a0d6c5aa4380f445880437ea072f
115 BNB valued at around $36,000 were exploited in this incident.
The vulnerability was a lack of validation of a user’s staking status. The unstake function in the NFTStaking contract didn’t check whether the caller still had a stake, so the attacker launched a double-spend attack, unstaking repeatedly to drain all the OWNLY tokens from the staking contract. The attacker then exchanged the OWNLY tokens for 115 BNB.
3. Venus Protocol
On May 12, Venus Protocol, a DeFi application deployed on the BNB Chain, was exploited.
The root cause was that the Chainlink oracle didn’t update LUNA’s price after LUNA’s price plummeted dramatically. This resulted in a large number of assets being borrowed by using LUNA as collateral at an obsolete price. Crypto assets valued at around $11.2 million were exploited in this incident.
4. Blizz Finance
On May 12, Blizz Finance, a DeFi application deployed on AVAX, was attacked.
The root cause was that the Chainlink oracle didn’t update LUNA’s price after LUNA’s price plummeted dramatically. This resulted in a large number of assets being borrowed by using LUNA as collateral at an obsolete price. Crypto assets valued at around $8 million were exploited in this incident.
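The safeguard both oracle incidents point to, as an added example that is not Fairyproof’s code nor Venus’s or Blizz’s: a collateral pricer that refuses a Chainlink answer whose round is incomplete or older than a configured staleness window, so borrowing against a collateral whose feed has stopped updating fails closed instead of succeeding at the obsolete price. The `latestRoundData` signature is Chainlink’s real `AggregatorV3Interface`; the contract, the `maxStaleness` parameter and the `borrowCapacity` helper are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface; this is the real function signature.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical collateral pricer for a lending market (not Venus or Blizz code).
contract GuardedCollateralPricer {
    AggregatorV3Interface public immutable feed;
    // Longest age, in seconds, a reported price may have before it is rejected.
    // Assumed to be set slightly above the feed's published heartbeat.
    uint256 public immutable maxStaleness;

    constructor(address feed_, uint256 maxStaleness_) {
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
    }

    // Weak pattern: returns the last published answer regardless of its age, so a
    // collateral whose market price has collapsed keeps being valued at the old number.
    function priceUnchecked() public view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        require(answer > 0, "bad answer");
        return uint256(answer);
    }

    // Hardened pattern: a round that never completed, or whose timestamp is older than
    // the staleness window, reverts, so no loan can be opened against an obsolete price.
    function priceChecked() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "bad answer");
        require(updatedAt != 0 && answeredInRound >= roundId, "round incomplete");
        require(block.timestamp - updatedAt <= maxStaleness, "price stale");
        return uint256(answer);
    }

    // Borrow capacity (in the feed's price units) derived only from a fresh price;
    // a stale feed makes this revert rather than hand out loans at the old valuation.
    function borrowCapacity(uint256 collateralAmount, uint256 ltvBps) external view returns (uint256) {
        return (collateralAmount * priceChecked() * ltvBps) / 10_000;
    }
}
```

A revert here should be paired with an operational response (pausing new borrows against that collateral) so that the market does not simply stall until the feed resumes.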
5. Spiritswap
On May 14, Spiritswap’s homepage, which was hosted on AWS, was attacked. The attacker modified some of the DEX’s front-end parameters so that users would send crypto assets to an address designated by the attacker.
Crypto assets valued at around $18,000 were exploited in this incident.
Here is a list of the rug pulls:
1. Cashera
In May, Cashera, a dApp deployed on the BNB Chain, turned out to be a rug pull.
The dApp’s Twitter account was @CasheraOfficial.
Its token was deployed at 0x6e8ff72962750f0fa57a906f7833d1c657614abe on the BNB Chain.
The address of the token contract’s deployer was:
0xBaA0C3523877C68d26B88930AEe3FC1C44801344
The token’s symbol was CSR.
The hash value of an additional mint transaction that was related to this rug-pull was:
0x8d6b11a8584a148151fb2a1ca6f5c722b8da85d7839c5f48efc00e641c7adcc4
The admin withdrew 23 million CSR tokens from a “PinkLock” contract and exchanged the CSR for BNB. These operations caused CSR’s price to plummet by 71% and led to a loss of around $90,000.
Closing thoughts
In the past week, LUNA’s de-pegging was the biggest incident in the crypto space. Its de-pegging caused Chainlink’s oracle to stop updating LUNA’s price. DeFi applications that relied on Chainlink’s feed but had no safeguard for a price that stops updating suffered losses; two incidents in our summary were of this kind. The remaining incidents were all commonly known issues or risks.
A reminder to project teams: besides smart contracts, the security of the front-end should be taken care of as well.
A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.