Weekly Blockchain Security Watch
October 10 to October 16
All security incidents that occurred from October 10 to October 16, 2022 were security hacks.
1. Hacker Exploits TempleDAO’s “migrateStake” Function for Crypto Assets
On 11 Oct, a hacker exploited around US$2.37 million worth of crypto assets from TempleDAO, a dApp deployed on Ethereum.
The hacker was able to exploit these assets through a vulnerability in the dApp: its “migrateStake” function did not validate its parameter.
- Attackers’ Addresses (on Ethereum):
- Attacked Contract: 0xd2869042e12a3506100af1d192b5b04d65137941 (on Ethereum)
- Attacking Contract: 0x2Df9c154fe24D081cfE568645Fb4075d725431e0 (on Ethereum)
- Hash Value of Attack Transaction: 0x8c3f442fc6d640a6ff3ea0b12be64f1d4609ea94edd2966f42c01cd9bdcf04b5 (on Ethereum)
2. Hacker Attacks QAN Platform Using Compromised Private Keys
On 11 Oct, a hacker (0xF163A6cAB228085935Fa6c088f9Fc242AFD4FB11 on BNB Chain) attacked QAN Platform, a dApp deployed on both BNB Chain and Ethereum.
The hacker used the compromised private keys of QAN Platform’s deployer to exploit crypto assets worth at least US$2.1 million.
3. Hacker Uses Flashloan to Attack Journey of Awakening
On 12 Oct, a hacker (0x3DF6cd58716d22855aFb3B828F82F10708AfbB4f on BNB Chain) leveraged a flash loan to attack the contract of Journey of Awakening (0x96bF2E6CC029363B57Ffa5984b943f825D333614 on BNB Chain), a dApp deployed on BNB Chain, and exploit the project’s ATK token.
The attacker then swapped all the ATK for BSC-USD, and then for BNB, through the contract deployed at 0xf2ade5950cdfb43b47fdb0a7bf87e9c84467981f, and eventually cashed out crypto assets worth around US$120,000 through Tornado Cash.
4. Hacker Attacks FTX
On 13 Oct, FTX, a popular centralized exchange, was attacked.
Prior to the attack, the hacker deployed an attack contract and transferred small amounts from one of FTX’s hot wallets to it. The hacker then carried out the attack by having the attack contract deploy multiple new contracts and call them. When called, each of these contracts self-destructed and minted XEN. Since the caller was an FTX hot wallet, the gas used to mint XEN was paid by FTX, while the minted XEN was received by the hacker’s address. The process was repeated to mint huge amounts of XEN.
81 ETH worth around US$100,000 were exploited in this incident.
- Attacker’s Address: 0x1d371CF00038421d6e57CFc31EEff7A09d4B8760 on Ethereum
- Attack Contract: 0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3 on Ethereum
- Attacked address: 0xC098B2a3Aa256D2140208C3de6543aAEf5cd3A94 (FTX’s hot wallet on Ethereum)
5. Hacker Conducts Two Attacks on Earning Farm’s EFLeverVault Contract
On 15 Oct, a hacker launched two attacks on Earning Farm, a dApp deployed on Ethereum, targeting its EFLeverVault contract.
As the EFLeverVault contract’s callback function did not verify its caller, anyone could trigger the callback manually, retrieve the collateral by repaying the stETH loans, swap the stETH for ETH, and withdraw all the ETH in the contract.
The first attack was front-run by an MEV bot, with 480 ETH being exploited, while the second attack was completed by the attacker, resulting in 268 ETH exploited.
In total, around 748 ETHs (~US$960,000) were exploited in this incident.
- Attacker’s Address: 0xdf31f4c8dc9548eb4c416af26dc396a25fde4d5f on Ethereum
- Attack Contract: 0x140cca423081ed0366765f18fc9f5ed299699388 on Ethereum
- Hash Value of Attack Transaction:
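The flaw described above, a flash-loan callback that trusts any caller, is illustrated below with an added example. This is not Earning Farm’s code: the contract names, the `IFlashLender` interface and the `onFlashLoan`/`deleverage` function names are assumptions, and the stETH repayment and swap steps are left as comments so that only the caller check is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed flash-loan provider interface (illustrative names, not a real protocol's ABI).
interface IFlashLender {
    function flashLoan(address receiver, uint256 amount) external;
}

// VULNERABLE: the callback trusts whoever calls it. Anyone can call
// onFlashLoan() directly, with no loan in flight, and the vault will
// unwind its position and pay out all its ETH to a caller-chosen address.
contract LeverVaultVulnerable {
    receive() external payable {}

    function onFlashLoan(address initiator, uint256 /*amount*/) external {
        // ...repay stETH debt and swap stETH -> ETH (omitted)...
        payable(initiator).transfer(address(this).balance); // no caller check
    }
}

// HARDENED: the callback is accepted only when the lender is calling back
// for a loan this vault itself started, and ETH only ever goes to the owner.
contract LeverVaultHardened {
    IFlashLender public immutable lender;
    address public immutable owner;
    bool private inFlight;

    constructor(IFlashLender _lender) { lender = _lender; owner = msg.sender; }
    receive() external payable {}

    function deleverage(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        inFlight = true;
        lender.flashLoan(address(this), amount); // lender calls onFlashLoan() back
        inFlight = false;
    }

    function onFlashLoan(address initiator, uint256 /*amount*/) external {
        require(msg.sender == address(lender), "caller is not the lender");
        require(initiator == address(this), "loan not initiated by vault");
        require(inFlight, "no loan in flight");
        // ...repay stETH debt and swap stETH -> ETH (omitted)...
        payable(owner).transfer(address(this).balance);
    }
}
```

The three `require` checks in the hardened version are independent: the `msg.sender` check stops direct calls, the `initiator` check stops a loan taken out by someone else from being routed to this vault, and the `inFlight` flag stops a lender callback that the vault did not ask for.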
6. Hacker Attacks Project Kaito’s Discord
On Oct 16, Project Kaito’s Discord server was attacked. Project Kaito is a community-driven project deployed on Ethereum.
7. Whisbe Vandalz Reports Hack on Discord Server, Later Announces Server Secured
On Oct 16, Whisbe Vandalz (@WhisbeVandalz), an NFT art project on Ethereum, reported that their Discord server was attacked by hackers. The project later announced that they had managed to secure their Discord server.
Seven notable security incidents, all of them hacks, occurred in the past week.
Five of them were attacks on smart contracts or hot wallets, and two were attacks on social media.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to understand and practice an adequate level of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at