From September 5 to September 11, 2022, all the security incidents that occurred were security hacks.
SECURITY HACKS:
1. Hacker Exploits Price Calculation Vulnerability in Nereus Finance Attack
On September 6, a hacker attacked Nereus Finance, a DeFi application deployed on the AVAX blockchain.
The hacker flashloaned 51 million USDC from AAVE, exchanged 260,000 USDC for 13,401 WAVAX, and acquired LP tokens by depositing 28,000 USDC and 13,401 WAVAX into the WAVAX/USDC pair on Trader Joe.
The hacker then dumped the remaining USDC into the WAVAX/USDC pair on Trader Joe, which pumped the price of AVAX, and minted 998,000 NXUSD by staking the previously acquired LP tokens as collateral.
The hacker eventually exchanged all the acquired tokens for USDC, repaid the flashloan and made a net profit of more than 370,000 USDC.
Additional Details:
- Attacker’s Address: 0x69992a2e5d6ec031ab16733975110f0b43a0b1af (on AVAX)
- Attacking Contract: 0x16b94c6358fe622241d055811d829281836e49d6 (on AVAX)
- Attacked Contract: 0x0B1F9C2211F77Ec3Fa2719671c5646cf6e59B775 (on AVAX)
- Hash Value of the Attack Transaction: 0x0ab12913f9232b27b0664cd2d50e482ad6aa896aeb811b53081712f42d54c026
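The Nereus incident follows the classic spot-price manipulation pattern: a flashloaned swap moves a constant-product pool's reserves, and a lender that values LP collateral from those same reserves lets far more stablecoin be minted than the position is worth. The model below is an added example, not code from the page or from Nereus, Trader Joe or AAVE; the pool size, the collateral deposit, the loan amount and the function names are all constructed. It contrasts a naive LP valuation with the "fair reserves" valuation that derives the pool's reserves from an externally sourced price, which a large swap cannot move.

```python
"""Constructed model of LP-collateral mispricing under a flashloaned swap.
Hypothetical numbers; not the real on-chain state of the incident."""

from math import sqrt


class ConstantProductPool:
    """Fee-less x*y=k pool, a simplified stand-in for a WAVAX/USDC pair."""

    def __init__(self, reserve_token: float, reserve_usdc: float):
        self.x = float(reserve_token)   # volatile token reserve (WAVAX)
        self.y = float(reserve_usdc)    # stablecoin reserve (USDC)
        self.lp_supply = sqrt(self.x * self.y)

    def spot_price(self) -> float:
        """USDC per token, read straight from the reserves (manipulable)."""
        return self.y / self.x

    def swap_usdc_for_token(self, usdc_in: float) -> float:
        """Sell USDC into the pool; returns tokens out and moves the spot price."""
        k = self.x * self.y
        self.y += usdc_in
        new_x = k / self.y
        out = self.x - new_x
        self.x = new_x
        return out

    def add_liquidity(self, token_amt: float, usdc_amt: float) -> float:
        """Deposit at the current ratio; returns LP tokens minted."""
        share = min(token_amt / self.x, usdc_amt / self.y)
        minted = self.lp_supply * share
        self.x += token_amt
        self.y += usdc_amt
        self.lp_supply += minted
        return minted


def naive_lp_value(pool: ConstantProductPool, lp_amount: float) -> float:
    """Vulnerable valuation: prices the LP share with the pool's own spot price,
    so one large swap inflates the collateral value in the same transaction."""
    share = lp_amount / pool.lp_supply
    return share * (pool.x * pool.spot_price() + pool.y)


def fair_lp_value(pool: ConstantProductPool, lp_amount: float, external_price: float) -> float:
    """Manipulation-resistant valuation: at an externally sourced price p (TWAP,
    Chainlink feed) the pool would hold sqrt(k/p) tokens and sqrt(k*p) USDC,
    worth 2*sqrt(k*p) in total. k is invariant under a fee-less swap, so the
    attacker's dump does not change this number."""
    k = pool.x * pool.y
    share = lp_amount / pool.lp_supply
    return share * 2 * sqrt(k * external_price)


def simulate() -> dict:
    """Deposit collateral, manipulate the pool, and value the collateral both ways."""
    pool = ConstantProductPool(100_000, 2_000_000)   # constructed: 20 USDC per token
    external_price = 20.0                             # what an oracle would report
    lp = pool.add_liquidity(1_000, 20_000)            # attacker's collateral position
    before = naive_lp_value(pool, lp)
    pool.swap_usdc_for_token(50_000_000)              # flashloaned dump into the pair
    return {
        "naive_before": before,
        "naive_after": naive_lp_value(pool, lp),
        "fair_after": fair_lp_value(pool, lp, external_price),
        "spot_after": pool.spot_price(),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>13}: {value:,.2f}")
```

With these constructed numbers the naive valuation of the same LP position jumps from 40,000 to roughly 1.03 million USDC after the swap, while the fair-reserve valuation stays at 40,000. A lending protocol that caps minting at a loan-to-value fraction of the fair value, rather than the naive one, has nothing to gain from the manipulation.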
2. Hackers Attack Dictators’ Discord
On September 6, hackers attacked Dictators’ Discord server. Dictators is an NFT project.
3. Hackers Attack Arts DAO’s Discord
On September 6, hackers attacked community project Arts DAO’s Discord server. The project released a statement on Twitter urging users not to interact with anything in its Discord server. It later announced that its treasury had not been affected, as all of its assets were held in cold storage.
4. Hackers Attack LCD Lab’s Discord
On September 8, hackers attacked LCD Lab’s Discord server. LCD Lab is an NFT project.
5. Hacker Launches Sybil Attack to Exploit Rewards from New Free DAO
On September 8, a hacker attacked New Free DAO, an application deployed on the BNB chain.
The hacker used an attacking contract to deploy new contracts repeatedly, flashloaned WBNB and exchanged it for NFD, then deposited the NFD into the newly deployed contracts and claimed airdrop rewards from the contract deployed at 0x8b068e22e9a4a9bca3c321e0ec428abf32691d1e.
Through this Sybil attack the hacker was able to claim a large quantity of rewards and exchange them for WBNB. The hacker then repaid the flashloan, exchanged 2,000 BNB for 556,000 USDT and kept the remaining 2,481 BNB. All of the USDT and the remaining BNB are still held in the hacker’s address.
A total of 4,481 BNBs (~US$1.25 million) were exploited in this incident.
Additional Details:
- Attacker’s Address: 0x22C9736D4Fc73A8fa0EB436D2ce919F5849D6fD2 (on BNB)
- Attacking Contract: 0xa35ef9fa2f5e0527cb9fbb6f9d3a24cfed948863 (on BNB)
- Attacked Contract: 0x8B068E22E9a4A9bcA3C321e0ec428AbF32691D1E (on BNB)
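The New Free DAO incident illustrates why a per-address reward is no defence when addresses are free to create: every freshly deployed contract looks like a new participant. The following model is an added example, not the NFD contract's code; the reward rate, pool size, deposit amount and the `snapshot` allowlist are constructed assumptions. It shows the per-address design beside a hardened version in which eligibility and the reward ceiling come from a balance snapshot taken before the programme was announced (on-chain this would usually be a Merkle root of address/balance pairs), so an address that did not exist at the snapshot has nothing to claim however many times the same capital is cycled.

```python
"""Constructed model: per-address airdrop rewards versus snapshot-bound rewards."""


class PerAddressRewards:
    """Vulnerable design: any depositor earns a reward proportional to its deposit,
    once per address, and may withdraw the deposit afterwards."""

    def __init__(self, reward_rate: float, reward_pool: float):
        self.rate = reward_rate
        self.pool = reward_pool
        self.claimed = set()
        self.deposits = {}

    def deposit(self, addr: str, amount: float) -> None:
        self.deposits[addr] = self.deposits.get(addr, 0.0) + amount

    def claim(self, addr: str) -> float:
        if addr in self.claimed:
            return 0.0                      # per-address guard: a new address resets it
        reward = min(self.deposits.get(addr, 0.0) * self.rate, self.pool)
        self.pool -= reward
        self.claimed.add(addr)
        return reward

    def withdraw(self, addr: str) -> float:
        return self.deposits.pop(addr, 0.0)


class SnapshotRewards(PerAddressRewards):
    """Hardened design: entitlement is fixed by a pre-announcement balance snapshot
    (hypothetical dict here; a Merkle proof on-chain), not by the current deposit."""

    def __init__(self, reward_rate: float, reward_pool: float, snapshot: dict):
        super().__init__(reward_rate, reward_pool)
        self.snapshot = snapshot

    def claim(self, addr: str) -> float:
        if addr in self.claimed:
            return 0.0
        entitled = self.snapshot.get(addr, 0.0)   # zero for any post-snapshot address
        reward = min(entitled * self.rate, self.pool)
        self.pool -= reward
        self.claimed.add(addr)
        return reward


def cycle_capital(contract: PerAddressRewards, capital: float, n_addresses: int) -> float:
    """Model of the Sybil pattern from the write-up: the same capital is deposited,
    claimed against and withdrawn through n fresh addresses. Returns total paid out."""
    total = 0.0
    for i in range(n_addresses):
        addr = f"fresh-{i}"                  # constructed address label
        contract.deposit(addr, capital)
        total += contract.claim(addr)
        contract.withdraw(addr)              # capital is back for the next address
    return total


def compare(n_addresses: int = 50) -> dict:
    """Run both designs against the same cycling and report what each pays."""
    snapshot = {"holder-A": 10_000.0}        # constructed pre-announcement balance
    vulnerable = PerAddressRewards(reward_rate=0.1, reward_pool=1_000_000.0)
    hardened = SnapshotRewards(reward_rate=0.1, reward_pool=1_000_000.0, snapshot=snapshot)
    return {
        "vulnerable_paid": cycle_capital(vulnerable, 10_000.0, n_addresses),
        "hardened_paid_to_sybils": cycle_capital(hardened, 10_000.0, n_addresses),
        "hardened_paid_to_holder": hardened.claim("holder-A"),
    }


if __name__ == "__main__":
    print(compare())
```

The per-address contract pays the reward once per address, so its payout scales linearly with the number of addresses cycled through it; the snapshot-bound contract pays the fresh addresses nothing and still pays the genuine holder exactly once. A monitoring rule that flags many deposit/claim/withdraw triples from contracts created in the same transaction would also surface this pattern early.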
6. Hacker Attacks DARK_POOL
On September 9, a hacker attacked DARK_POOL, an application deployed on the BNB chain.
The hacker exchanged a quantity of BSC-USD for DPC and deposited it into the liquidity pool to obtain LP tokens. The hacker then staked the LP tokens in the DPC token’s contract and repeatedly called the “claimStakeLp” function to claim rewards, accumulating them by exploiting a vulnerability in the “getClaimQuota” function (specifically the statement “getClaimQuota = ClaimQuota.add(oldClaimQuota[addr]);”, which adds the previously recorded quota on top of the current one).
The hacker eventually withdrew all of the DPC rewards by calling DPC’s “claimDpcAirdrop” function and exchanged them to BSC-USDs.
Crypto assets worth around US$100,000 were exploited in this incident.
Additional Details:
- Attacker’s Address: 0xf211Fa86CBc60d693D687075B03dFF3c225b25C9 (on BNB)
- Attacking Contract: 0x2109bbecB0a563e204985524Dd3DB2F6254AB419 (on BNB)
- Attacked Contract: 0xB75cA3C3e99747d0e2F6e75A9fBD17F5Ac03cebE (on BNB)
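The DARK_POOL bug is an accounting error: the quota granted on a claim is stored and added back in on every later call, so calling the claim function repeatedly credits the same rewards again. The model below is an added example and a hypothetical reconstruction of that accounting around the one statement the write-up quotes; it is not the DPC contract's code, and the reward rate, block counter and method names other than the quoted ones are constructed. The same class runs in vulnerable and fixed mode so the two behaviours can be compared on identical input.

```python
"""Constructed model of a claim-quota add-back bug and its fix."""


class DpcStakingModel:
    """Hypothetical staking/airdrop accounting. In vulnerable mode getClaimQuota
    returns ClaimQuota + oldClaimQuota[addr] and the result is stored back into
    oldClaimQuota, mirroring the quoted statement; in fixed mode the quota is
    only what accrued since the last checkpoint."""

    def __init__(self, reward_per_lp_per_block: float, fixed: bool = False):
        self.rate = reward_per_lp_per_block
        self.fixed = fixed
        self.block = 0
        self.staked = {}
        self.last_claim_block = {}
        self.old_claim_quota = {}     # quota granted on the previous claim
        self.airdrop = {}             # DPC credited, withdrawn via claim_dpc_airdrop

    def advance_blocks(self, n: int) -> None:
        self.block += n

    def stake(self, addr: str, lp_amount: float) -> None:
        self.staked[addr] = self.staked.get(addr, 0.0) + lp_amount
        self.last_claim_block.setdefault(addr, self.block)

    def _accrued_since_checkpoint(self, addr: str) -> float:
        elapsed = self.block - self.last_claim_block.get(addr, self.block)
        return self.staked.get(addr, 0.0) * self.rate * elapsed

    def get_claim_quota(self, addr: str) -> float:
        claim_quota = self._accrued_since_checkpoint(addr)
        if self.fixed:
            return claim_quota                      # nothing new accrued -> nothing to claim
        # Vulnerable: the quota already granted last time is added in again
        return claim_quota + self.old_claim_quota.get(addr, 0.0)

    def claim_stake_lp(self, addr: str) -> float:
        quota = self.get_claim_quota(addr)
        self.last_claim_block[addr] = self.block    # checkpoint the accrual
        if not self.fixed:
            self.old_claim_quota[addr] = quota      # never cleared, so each call compounds
        self.airdrop[addr] = self.airdrop.get(addr, 0.0) + quota
        return quota

    def claim_dpc_airdrop(self, addr: str) -> float:
        """Withdraw everything credited so far."""
        return self.airdrop.pop(addr, 0.0)


def repeated_claims(fixed: bool, calls: int) -> float:
    """Stake 100 LP, wait 10 blocks, call claim_stake_lp `calls` times in the same
    block, then withdraw. Returns the DPC paid out. Constructed scenario."""
    m = DpcStakingModel(reward_per_lp_per_block=1.0, fixed=fixed)
    m.stake("staker", 100.0)
    m.advance_blocks(10)
    for _ in range(calls):
        m.claim_stake_lp("staker")
    return m.claim_dpc_airdrop("staker")


if __name__ == "__main__":
    print("vulnerable, 5 calls:", repeated_claims(fixed=False, calls=5))
    print("fixed,      5 calls:", repeated_claims(fixed=True, calls=5))
```

In the vulnerable mode 10 blocks of staking earn 1,000 DPC, yet five claim calls in one block withdraw 5,000; in the fixed mode the same five calls withdraw 1,000 because the second and later calls find nothing accrued. The invariant worth asserting in tests and in monitoring is that total credited rewards never exceed staked amount times rate times elapsed blocks; the vulnerable path breaks it on the second call.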
7. Hackers Attack LooksWhale’s Discord
On September 10, hackers attacked LooksWhale’s Discord server. LooksWhale is an NFT project.
CONCLUSION:
Seven notable security incidents related to security hacks occurred in the past week.
Three of them were attacks against smart contracts, and all three were caused by common logic vulnerabilities. The other four were attacks on social media or personal accounts.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain an understanding of cybersecurity and to practice it at a sufficient level.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/