Weekly Blockchain Security Watch

November 14 to November 20

From November 14 to November 20, 2022, all security incidents that have occurred can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

1. Fairyproof Sends Warnings of Phishing Link Surge in Twitter

On 17 Nov, Fairyproof sent a warning following a surge of phishing links (such as arts-blocks.com) to Twitter users who have participated in NFT minting.

If these links were clicked, users would be prompted to approve spending their NFTs in their wallets.

For more details, refer to:

TAN, Yuefei @fairyproof @CryptoCat11

Recently many got phishing links like this. DON'T click on it. Once click on it you will be prompted to authorize your NFTs to be spent on your MetaMask. If unfortunately you click on it, close the page, refuse all the transactions on your MetaMask @FairyproofT @AngelaT0731

Derrick Hobbs @abou_dolley

NO WAY I MANAGED TO MINT A SQUIGGLE!🤯 @CryptoCat11 @GeorgeBowring @Chao_Bitcoin @koldkryp @YRGISmusic @kalynbeach @tea_eye1 @iagocvs @AndrewSama9 @SkyTree2021 @coinosseur @Russian50777234 https://t.co/Du1xhv4fwJ

3:29 PM ∙ Nov 17, 2022

2. Hacker Attacks Sheep Farm by Leveraging Register Function

On 15 Nov, a hacker attacked Sheep Farm, a dApp deployed on the BNB chain, by leveraging on the “register” function which could be called repeatedly.

The hacker called the register function to repeatedly increase the gems, then called the upgradeVillage function to increase the yield. The hacker then proceeded to call the sellVillage function to exchange the yield to “money” and cashed out.

262 BNBs worth around US$72,000 were exploited in this incident.

Additional Details:

- Attacker’s Address: 0x2131C67eD7b6AA01B7aA308c71991Ef5BaEdd049 (BNB chain)

- Attacking Contract: 0xf2db8665d82e1a23895ed78b213d36d62eec6bbc (BNB chain)

- Attacked Contract: 0x4726010da871f4b57b5031E3EA48Bde961F122aA (BNB chain)

Rug-pulls:

1. Boxer Inu Rug-Pulls Crypto Assets Worth Around US$146, 000

On 17 Nov, BNB chain-deployed Boxer Inu (@BoxerInuFinance) rug-pulled crypto assets worth around US$146, 000.

The project’s token (deployed at 0x192e9321b6244d204d4301afa507eb29ca84d9ef) was exchanged to WBNB and sent to 0x18078a777ddb681e2180945be9562cd11f989d3c.

At the time of writing, there were still some assets left in the address.

CONCLUSION-

3 notable security incidents have occurred in the past week.

2 of them were attacks on smart contracts and social media, and 1 was a rug-pull.

It is worth noting that a lot of crypto users suffered from the phishing links sent in Twitter.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/