Weekly Blockchain Security Watch
September 26 to October 2
All notable security incidents that occurred between September 26 and October 2, 2022 fall under the Security Hacks category.
1. Astrobot Society Reports Admin in Discord Server Hacked
On September 27, the NFT project Astrobot Society (@AstrobotSociety) reported on Twitter that one of its Discord admin accounts had been compromised and used to scam multiple community members. The team said the attacker's posts had been removed, smart contract transactions had been paused, and the stolen NFTs would be blacklisted on the marketplace.
Astrobot Society later resumed smart contract transactions and reported that all operations were back to normal.
2. Hacker Exploits callFunction() in MEV Bot to Drain WETH
On September 27, an attacker exploited a vulnerability in a Maximal Extractable Value (MEV) bot to drain its WETH. The attacker called the bot's callFunction() directly, causing the bot to approve an attacker-deployed contract to spend its WETH; the attacking contract then moved the tokens out in a second transaction. A function named callFunction() is typically a flash-loan callback (dYdX's ICallee interface uses that name), and such a callback must only be honoured when it comes from the lending protocol that delivers the loan, in the course of an operation the bot itself started. A callback that anyone can trigger with caller-supplied data is an open door into the contract's token balance.
About 1,101.6 ETH (~US$1.4 million) was stolen in this incident.
- Attacker’s Address: 0xb9f78307ded12112c1f09c16009e03ef4ef16612 (on Ethereum)
- Attacking Contract: 0x6554ff0f2b6613bb2baa9a45788ad8574a805f6d (on Ethereum)
- Attacked Contract: 0xbaDc0dEfAfCF6d4239BDF0b66da4D7Bd36fCF05A (MEV Bot on Ethereum)
- Hash Values of Attacking Transactions:
0x59ddcf5ee5c687af2cbf291c3ac63bf28316a8ecbb621d9f62d07fa8a5b8ef4e (on Ethereum): the call to callFunction() that granted the attacking contract a WETH approval
0x631d206d49b930029197e5e57bbbb9a4da2eb00993560c77104cd9f4ae2d1a98 (on Ethereum): the transfer that moved the approved WETH out
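The pattern behind this incident, as an added illustration rather than the MEV bot's actual code (which is not on the page): a flash-loan callback that executes whatever call its data describes, next to a hardened version that only honours the callback from the lending pool during an owner-initiated loan and only against whitelisted targets. The callback shape follows dYdX's ICallee.callFunction, and the names lendingPool, inFlight, allowedTarget and startLoan are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative only; neither contract is the real bot's code. The callback
/// shape (callFunction(sender, accountInfo, data)) follows dYdX's ICallee,
/// which is an assumption about the bot, not something the report states.

/// Vulnerable pattern: the callback is public and executes whatever call the
/// supplied data describes. Anyone can call it directly with data encoding
/// WETH.approve(attackerContract, type(uint256).max).
contract VulnerableBot {
    function callFunction(
        address /* sender */,
        bytes calldata /* accountInfo */,
        bytes calldata data
    ) external {
        // Missing: require(msg.sender == lendingPool) and a check that this
        // bot actually requested a loan in the first place.
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}

/// Hardened pattern: the callback is only honoured when it comes from the
/// lending pool, while a loan started by this bot's owner is open, and it
/// may only hit targets the owner has whitelisted.
contract HardenedBot {
    address public immutable owner;
    address public immutable lendingPool;          // assumed: the only legitimate caller of callFunction
    mapping(address => bool) public allowedTarget; // assumed: owner-managed whitelist of call targets
    bool private inFlight;                         // true only while an owner-initiated loan is open

    constructor(address _lendingPool) {
        owner = msg.sender;
        lendingPool = _lendingPool;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    /// Owner opens the loan; the pool calls back into callFunction() while
    /// inFlight is true. The pool-specific call is omitted here.
    function startLoan(bytes calldata /* loanParams */) external onlyOwner {
        inFlight = true;
        // ILendingPool(lendingPool).operate(loanParams);
        inFlight = false;
    }

    function callFunction(
        address sender,
        bytes calldata /* accountInfo */,
        bytes calldata data
    ) external {
        require(msg.sender == lendingPool, "callback not from pool");
        require(inFlight, "no loan in flight");
        require(sender == address(this), "loan not started by this bot");
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        require(allowedTarget[target], "target not whitelisted");
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}
```

The three require statements in the hardened callback are independent: the msg.sender check stops direct calls, inFlight stops the pool from being tricked into calling back outside an operation the bot started, and the whitelist bounds the damage if the owner's own key or call data is ever compromised.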
3. Hacker Attacks SQL Decoder’s Discord Server
On September 28, a hacker attacked SQL Decoder's Discord server.
4. Hacker Attacks BXH’s TokenStakingPoolDelegate Contract
On September 28, a hacker attacked BXH, a DeFi application deployed on the BNB chain, targeting its TokenStakingPoolDelegate contract.
The contract's getITokenBonusAmount() function priced the bonus from a getReserves() call on the liquidity pair, i.e. from the pool's instantaneous spot price. Spot reserves can be moved arbitrarily within a single transaction by anyone with enough capital, and a flash loan supplies that capital: borrow, skew the price, collect the inflated bonus, unwind and repay, all in one transaction. The attacker used a flash loan in exactly this way to take around US$30,000 worth of crypto assets. BXH's total loss in the incident was about US$40,000 worth of crypto assets.
This was not the first time BXH was hit: earlier this year the same TokenStakingPoolDelegate contract was attacked after the team had upgraded it.
- Attacker's Address: 0x81C63d821b7CdF70C61009A81FeF8Db5949AC0C9 (on the BNB chain)
- Attacking Contract: 0x4e77DF7b9cDcECeC4115e59546F3EAcBA095a89f (on the BNB chain)
- Attacked Contract: 0x27539B1DEe647b38e1B987c41C5336b1A8DcE663 (TokenStakingPoolDelegate on the BNB chain)
- Hash Value of Attack Transaction:
0xa13c8c7a0c97093dba3096c88044273c29cebeee109e23622cd412dcca8f50f4 (on the BNB chain)
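The difference between a spot-price bonus and a manipulation-resistant one, as an added example that is not BXH's code: the first contract reads the pair's current reserves the way the report describes, the second builds a time-weighted average from a Uniswap V2-style pair's cumulative price accumulators. The function name getITokenBonusAmount is taken from the report; the pair interface, the 30-minute window and the checkpoint fields are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Minimal Uniswap V2 pair interface (assumed for the example).
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
    function price1CumulativeLast() external view returns (uint256);
}

/// Vulnerable pattern (illustrative, not BXH's code): the bonus is priced off
/// the pool's reserves at this instant. A flash loan can push the reserves
/// within one transaction, inflate the bonus, then restore them.
contract SpotPricedBonus {
    IUniswapV2Pair public immutable pair;
    address public immutable iToken;

    constructor(IUniswapV2Pair _pair, address _iToken) {
        pair = _pair;
        iToken = _iToken;
    }

    function getITokenBonusAmount(uint256 stakedAmount) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        // price of iToken in the other token, read from the current reserves
        return iToken == pair.token0()
            ? stakedAmount * r1 / r0
            : stakedAmount * r0 / r1;
    }
}

/// Hardened pattern: a time-weighted average price (TWAP) from the pair's
/// cumulative accumulators. Skewing the spot price for one block barely
/// moves an average taken over a window of many blocks, and an attacker
/// would have to hold the skew for the whole window to shift it.
contract TwapPricedBonus {
    IUniswapV2Pair public immutable pair;
    bool private immutable iTokenIsToken0;
    uint32 public constant MIN_WINDOW = 30 minutes;   // assumed averaging window

    uint256 private cumulativeLast;   // accumulator value at the last checkpoint
    uint32 private timestampLast;     // block timestamp of the last checkpoint
    uint256 private averageQ112;      // last computed average price, UQ112x112 fixed point

    constructor(IUniswapV2Pair _pair, address _iToken) {
        pair = _pair;
        iTokenIsToken0 = (_iToken == _pair.token0());
        cumulativeLast = iTokenIsToken0 ? _pair.price0CumulativeLast() : _pair.price1CumulativeLast();
        timestampLast = uint32(block.timestamp);
    }

    /// Anyone may call this, but a new average is only taken once MIN_WINDOW
    /// has elapsed, so no single transaction can refresh it on demand.
    /// Production code should use UniswapV2OracleLibrary.currentCumulativePrices
    /// so that time since the pair's last sync is included; omitted here.
    function update() external {
        uint32 elapsed = uint32(block.timestamp) - timestampLast;
        require(elapsed >= MIN_WINDOW, "window not elapsed");
        uint256 cumulativeNow = iTokenIsToken0 ? pair.price0CumulativeLast() : pair.price1CumulativeLast();
        // The accumulators are designed to overflow; the difference is what matters.
        unchecked { averageQ112 = (cumulativeNow - cumulativeLast) / elapsed; }
        cumulativeLast = cumulativeNow;
        timestampLast = uint32(block.timestamp);
    }

    function getITokenBonusAmount(uint256 stakedAmount) public view returns (uint256) {
        require(averageQ112 != 0, "no observation yet");
        // averageQ112 is a UQ112x112 price of iToken in the other token
        return (stakedAmount * averageQ112) >> 112;
    }
}
```

The averaging window is the security parameter: the longer it is, the more capital and time an attacker needs to move the reported price, at the cost of the bonus lagging behind genuine market moves.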
5. Hacker Conducts Re-Entrancy Attack Against THB
On October 1, a hacker launched a re-entrancy attack against THB, an NFT application deployed on the BNB chain.
The attacker abused a vulnerability in the onERC721Received function of THB's THB_Roulette contract. onERC721Received is the hook an ERC-721 contract invokes on a recipient during safeTransferFrom, so any contract that makes or receives such transfers hands control to another party in the middle of its own transaction; the state that call depends on must be settled before the hand-off, or the function must be guarded against re-entry.
Around 2.46 BNB (~US$700) and 4 NFTs were stolen in this incident.
- Attacker’s Address: 0xbC62b9BA570aD783d21E5eB006F3665D3f6bBA93 (on the BNB chain)
- Attacking Contract: 0xfeD1B640633Fd0A4d77315d229918ab1f6E612f9 (on the BNB chain)
- Attacked Contract: 0x72e901F1bb2BfA2339326DfB90c5cEc911e2ba3C (THB_Roulette on the BNB chain)
- Hash Value of Attack Transaction:
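The generic shape of an ERC-721 callback re-entrancy, as an added example that is not THB's code (the report does not show THB_Roulette's source): a game that hands out a prize NFT with safeTransferFrom before clearing the winner's entitlement, the attacker contract that re-enters from its onERC721Received hook, and a hardened version that updates state first, guards the payout against re-entry, and accepts incoming NFTs only from the expected collection. All contract and function names other than onERC721Received are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

/// Vulnerable pattern (illustrative, not THB's code): safeTransferFrom runs
/// the recipient's onERC721Received hook *before* the winner's entitlement
/// is cleared, so a contract recipient can re-enter claimPrize() from the
/// hook and drain every prize in the pool with a single win.
contract VulnerableRoulette {
    IERC721 public immutable prizeNft;
    mapping(address => bool) public hasWon;
    uint256[] private prizePool;                      // tokenIds this contract holds as prizes

    constructor(IERC721 _prizeNft, uint256[] memory _prizes) {
        prizeNft = _prizeNft;
        prizePool = _prizes;
    }

    function prizePoolLength() external view returns (uint256) { return prizePool.length; }

    // Stand-in for the game logic that decides a winner (owner-only in a real game).
    function markWinner(address player) external { hasWon[player] = true; }

    function claimPrize() external {
        require(hasWon[msg.sender], "not a winner");
        uint256 tokenId = prizePool[prizePool.length - 1];
        prizePool.pop();
        prizeNft.safeTransferFrom(address(this), msg.sender, tokenId); // interaction first ...
        hasWon[msg.sender] = false;                                    // ... effect last: too late
    }
}

/// Attacker contract: the NFT collection calls this hook during the transfer
/// above, and hasWon[attacker] is still true at that moment.
contract ReentrantClaimer is IERC721Receiver {
    VulnerableRoulette public immutable target;

    constructor(VulnerableRoulette _target) { target = _target; }

    function attack() external { target.claimPrize(); }

    function onERC721Received(address, address, uint256, bytes calldata)
        external override returns (bytes4)
    {
        if (target.prizePoolLength() > 0) {
            target.claimPrize();                          // re-entry: one win, every prize
        }
        return IERC721Receiver.onERC721Received.selector;
    }
}

/// Hardened pattern: effects before interactions, a re-entrancy guard on the
/// payout, and a receive hook that accepts only the expected collection and
/// performs no payout itself.
contract HardenedRoulette is IERC721Receiver {
    IERC721 public immutable prizeNft;
    mapping(address => bool) public hasWon;
    uint256[] private prizePool;
    uint256 private locked = 1;                        // 1 = unlocked, 2 = inside a guarded call

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC721 _prizeNft, uint256[] memory _prizes) {
        prizeNft = _prizeNft;
        prizePool = _prizes;
    }

    function markWinner(address player) external { hasWon[player] = true; }

    function claimPrize() external nonReentrant {
        require(hasWon[msg.sender], "not a winner");
        hasWon[msg.sender] = false;                      // effect first
        uint256 tokenId = prizePool[prizePool.length - 1];
        prizePool.pop();
        prizeNft.safeTransferFrom(address(this), msg.sender, tokenId); // interaction last
    }

    function onERC721Received(address, address, uint256, bytes calldata)
        external view override returns (bytes4)
    {
        require(msg.sender == address(prizeNft), "unexpected collection");
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Either fix alone would stop this particular attacker; applying both is the usual practice, because the ordering fix protects the function's own state while the guard protects any other function in the contract that shares that state.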
6. Hacker Exploits Approval Mechanism Vulnerability in TransitSwap to Steal Crypto Assets
On October 1, a hacker exploited a vulnerability in the ERC-20 approval mechanism of TransitSwap, a dApp deployed on Ethereum and the BNB chain, to steal around US$21 million worth of crypto assets. A flaw in how a dApp consumes ERC-20 approvals puts at risk the balances of every user who has granted it an allowance, not only the funds the protocol itself holds.
After the incident, the TransitSwap team stated that it had obtained detailed information about the attacker, including an IP address and email address, and urged the hacker to return all stolen assets.
At the time of writing, around 70% of the stolen assets had been returned.
- Attacker’s Address: 0x5f0b31aa37bce387a8b21554a8360c6b8698fbef
- Attacking Contracts:
0x17ff6c94ba3a49c72ef2f10782de8a6152f204ea (on Ethereum)
0x8ca8fd9c7641849a14cbf72faf05c305b0c68a34 (on the BNB chain)
- Hash Values of Attack Transactions:
0x743e4ee2c478300ac768fdba415eb4a23ae66981c076f9bff946c0bf530be0c7 (on Ethereum)
0x181a7882aac0eab1036eedba25bc95a16e10f61b5df2e99d240a16c334b9b189 (on the BNB chain)
Six notable security incidents, all security hacks, occurred in the past week.
Four were attacks on smart contracts and two were compromises of project Discord servers.
A Reminder for Project Teams: Always test thoroughly and have smart contracts audited before deploying them on-chain. This week's contract exploits come down to three well-known rules: restrict who may call callbacks such as flash-loan and token-receive hooks, never price rewards from a pool's instantaneous reserves, and update state before making external calls or guard the function against re-entry.
A Reminder for Crypto Users: Be cautious about suspicious links, emails and websites, and about projects launched by teams without an established reputation. A message posted from a compromised admin account looks official; verify unexpected announcements through a second channel before acting on them.
It is important for everyone in the crypto community to understand and practice a sufficient level of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/