August 1 to August 7
From August 1 to August 7, 2022, the security incidents that occurred fall into the following categories:
Security Hacks
Project Updates
Security Hacks:
1. Attackers Exploit Nomad’s Cross-chain Bridge
On August 2, Nomad, a cross-chain bridge on Ethereum, was attacked.
More than 700 addresses were drained within three hours, resulting in a loss of over US$150 million.
At the time of writing, 86 addresses of white-hat hackers had returned crypto assets worth ~US$32 million to Nomad’s team.
For more details, refer to: https://link.medium.com/DwZopqVsbsb
2. Attacker Exploits Missing Validation for Withdrawal Operations on Reaper Farm
On August 2, an attacker exploited a missing validation in the withdrawal operations of Reaper Farm, a DeFi application on the Fantom blockchain.
Around US$1.7 million was stolen in this incident.
The “withdraw” function defined in the ReaperVaultV2 contract failed to verify the owner of the vault shares being withdrawn, allowing anyone to withdraw assets from the vault.
This was how the attack was carried out:
Step 1: The attacker deployed an attacking contract to withdraw other users’ assets from the Reaper vault.
Step 2: Because the share owner was never validated, the attacker used the attacking contract to withdraw from the vault repeatedly.
Step 3: The attacker then swapped all of the stolen assets to DAI, ETH, and MATIC before cashing out through Tornado.Cash.
Additional Details:
- Attacker’s Address: 0x5636e55e4a72299a0f194c001841e2ce75bb527a (Fantom)
- Attacking Contract: 0x8162A5E187128565Ace634E76FDd083CB04D0145 (Fantom)
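As an added illustration (constructed for this write-up, not the ReaperVaultV2 source; contract and function names are hypothetical), a minimal vault whose withdraw() burns shares from a caller-supplied owner without checking it, beside a version that enforces the owner-or-allowance check an ERC-4626-style vault is expected to make:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a vault that trusts the caller-supplied `owner`.
contract VaultVulnerable {
    mapping(address => uint256) public shares;
    mapping(address => uint256) public assets; // stand-in for paid-out token balances

    function deposit(uint256 amount) external {
        shares[msg.sender] += amount; // 1 share : 1 asset, for simplicity
    }

    // BUG: burns `owner`'s shares and pays `receiver` without checking that
    // msg.sender is `owner` or has been approved by `owner`. Any caller can
    // drain any depositor simply by naming them as `owner`.
    function withdraw(uint256 amount, address receiver, address owner) external {
        shares[owner] -= amount; // only reverts if `owner` lacks enough shares
        assets[receiver] += amount;
    }
}

// Hardened: the caller must be the share owner or hold an allowance from them.
contract VaultFixed {
    mapping(address => uint256) public shares;
    mapping(address => uint256) public assets;
    mapping(address => mapping(address => uint256)) public allowance;

    function deposit(uint256 amount) external {
        shares[msg.sender] += amount;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function withdraw(uint256 amount, address receiver, address owner) external {
        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender];
            require(allowed >= amount, "withdraw: caller is not owner or not approved");
            allowance[owner][msg.sender] = allowed - amount; // spend the allowance
        }
        shares[owner] -= amount;
        assets[receiver] += amount;
    }
}
```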
3. Attackers Hack Miningverse Owner on Discord
On August 1, the NFT project MiningverseNFT reported that one of its owners’ Discord accounts had been hacked. In response, the team tweeted a warning to users not to click on any links in its Discord server until further notice.
4. Scammers Attack Cyber Crew’s Discord Server
On August 2, attackers hacked the Discord server of the NFT project Cyber Crew. The team later reported that all lost assets had been recovered, that a full security audit had been conducted, and that other contingencies had been put in place.
5. Attackers Hack Protocol: Gemini’s Discord Server
On August 2, the AR NFT project Protocol: Gemini reported that its Discord server had been attacked by hackers. The team later reported that a full security audit had been conducted and other contingencies established. Assets that had been lost were also recovered and returned to their rightful owners.
6. Hackers Attack Gas Guzzler’s Discord Server
On August 2, hackers attacked the Discord server of Gas Guzzlers, an NFT project.
7. ZB Exchange’s Hot Wallets Are Suspected to Be Compromised
On August 2, two of ZB exchange’s hot wallets were suspected to have been compromised. Around US$4.8 million in crypto assets was drained in this incident.
8. Attackers Send Phishing Links to dTweenies’ Discord Server
On August 3, phishing links were posted in the Discord server of dTweenies, an NFT project.
9. Hackers Attack Solana Slope Wallet Project
On August 3, hackers attacked Slope, a Solana wallet project. An issue with the project’s Sentry server resulted in the leak of at least 9223 private keys. 1444 of the compromised addresses directly suffered losses, and more than ~US$4 million worth of crypto assets was stolen from them within two days.
It was confirmed that Slope’s mobile version had sent users’ wallet seed words over TLS to the Sentry server, where anyone with access to that server could retrieve them and derive the users’ private keys. Slope reported that it was working closely with Solana to fix the issue.
10. Sandbox’s Team Announces Possible Compromise of Instagram Account
On August 4, the Sandbox team announced on Twitter that its Instagram account was very likely compromised and warned users not to click on any links posted by that account or to communicate with it.
11. The Velodrome Team’s Private Key is Stolen
On August 4, the Velodrome team announced on Twitter that the private key of one of its wallets had been stolen. Around US$350,000 worth of crypto assets was taken. Velodrome is an AMM protocol deployed on Optimism.
12. Attacker Carries Out Flashloan Attack on ANCH
On August 5, ANCH, a DeFi application deployed on the BNB chain, suffered a flashloan attack.
The attacker exploited a vulnerability in the swapTokenAmount function of the ANCHStakePool contract and stole crypto assets worth ~US$100,000 in this incident.
The attacker flash-loaned a large amount of USDT from the project’s LP and, as a result, received a large amount of ANCH as rewards.
The attacker ended up with 107000 USDT and, at the time of writing, had exchanged 37872.53 USDT for 120 BNB and cashed out via Tornado.Cash. The remaining 69,058.47 USDT was kept in the attacker’s address (0x1fb3572e71c48b7c5c9dcb656d545bc29bb92dda on the BNB chain).
Additional Details:
- Attacker’s Address: 0x1FB3572e71c48B7c5c9dCb656D545bc29Bb92DDa (BNB chain)
- Attacking Contract: 0x8291002B6d43cBe08e780106020578d12b2C4620 (BNB chain)
- Attacked Contract: 0x0aef5a75F5e71a62337ed069eB3454Bf23bdcbc5 (ANCHStakePool deployed on the BNB chain)
13. Attacker Carries Out Flashloan Attack on EthProduct
On August 5, EthProduct, a DeFi application deployed on the BNB chain, suffered a flashloan attack.
Around US$10,000 worth of crypto assets was stolen in this incident.
The attacker flash-loaned 9400 USDT to buy an NFT and immediately listed the NFT for sale on EthProduct. The attacker then exploited a vulnerability in the contracts to obtain 606,091.527 U tokens, and exchanged 11,253.735 U tokens for USDT to repay the flashloan. The attacker ended up with $3,074 and an NFT worth $7,380.
Additional Details:
- Attacker’s Address: 0xde703797fe9219b0485fb31eda627aa182b1601e (BNB chain)
14. Doge Capital Reports Compromise on Discord Server
On August 5, Doge Capital, an NFT project on the Solana blockchain, reported that its Discord server had been compromised. Around 2.6 SOL was drained in the incident.
15. Hacker Attacks GenomesDAO
On August 6, GenomesDAO, a dApp deployed on Polygon, was attacked due to a missing access-control check.
Around US$43,000 worth of crypto assets was stolen in this incident.
The “initialized” function defined in GenomesDAO’s LPSTAKING contract had no access-control check, so it was publicly callable and could be called repeatedly.
Here is how the attack was carried out:
Step 1: The attacker called the “initialized” function to set the “stakingToken” variable to the address of a fake LP token.
Step 2: The attacker called the “stake” function to stake the fake LP token as collateral and received the certificate token LPSTAKING.
Step 3: The attacker called the “initialized” function again to set “stakingToken” back to the real LP token’s contract address, then called the “withdraw” function to burn the LPSTAKING tokens obtained in Step 2 and receive the real LP tokens.
Step 4: The attacker removed the LP from the DEX and ran away with the crypto assets it contained.
Additional Details:
- Attacker’s Address: 0x43ec1d163cc4c15b574f86d8203c3b0f3ebed7a3 (Polygon)
- Attacked Contracts (all on Polygon):
0x3606cFa43f53098BC00b3FCFF3A333F6947F3c92;
0x28fc73E9D9f158E7DC57A4E81aa0175d6847f714;
0x48D1CcB09f771788F59c8aAAB613936eDfA267b7.
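As an added illustration of the four steps above (constructed for this write-up, not GenomesDAO’s LPSTAKING source; contract and function names are hypothetical), a minimal staking contract whose initialize() anyone can call any number of times, beside a hardened version where it is owner-only and one-shot so the staking token can never be swapped out from under existing receipts:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed example: staking receipts are tracked per address, but the
// token they redeem against can be re-pointed by anyone at any time.
contract LpStakingVulnerable {
    IERC20 public stakingToken;
    mapping(address => uint256) public staked; // stand-in for the receipt token balance

    // BUG: no access control and no one-shot guard. Anyone can point
    // stakingToken at a worthless token, stake it, point it back at the real
    // LP token, and withdraw real LP against the receipts.
    function initialize(IERC20 token) external virtual {
        stakingToken = token;
    }

    function stake(uint256 amount) external {
        stakingToken.transferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        staked[msg.sender] -= amount; // reverts on underflow in 0.8.x
        stakingToken.transfer(msg.sender, amount);
    }
}

// Hardened: stake/withdraw are inherited unchanged; only initialize differs.
contract LpStakingFixed is LpStakingVulnerable {
    address public immutable owner;
    bool private initialized;

    constructor() {
        owner = msg.sender;
    }

    // Only the deployer may initialize, and only once, so the asset behind
    // every receipt is fixed for the life of the contract.
    function initialize(IERC20 token) external override {
        require(msg.sender == owner, "initialize: caller is not owner");
        require(!initialized, "initialize: already initialized");
        require(address(token) != address(0), "initialize: zero token");
        initialized = true;
        stakingToken = token;
    }
}
```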
16. Smirnov Announces deBridge Finance’s Email System Targeted by Lazarus Group
On August 6, deBridge Finance co-founder Alex Smirnov announced on Twitter that deBridge Finance’s email system had become the target of a potential attack by the Lazarus Group. He warned users not to open suspicious links in emails appearing to come from its email server.
Project Updates:
17. Twitter User Announces Bug in a NEAR Wallet Project
On August 4, Twitter user @Hacxyk announced that, as early as June this year, a bug similar to the one recently found in the Solana wallet project Slope (item 9 above) had been found in a NEAR wallet project. The bug caused users’ seed words to be sent to a third-party website when they chose email as the means of recovering their seed words.
Conclusion:
17 notable incidents occurred in the past week: 16 of them were security attacks and 1 was a project update.
The biggest incident of the week was the one involving Slope. The project sent seed words in plaintext to a server, a very dangerous way to handle highly sensitive information. As a foundational building block of a blockchain ecosystem, wallet security must always be a high priority. This issue could have been prevented by an audit.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be aware of potential issues in governance mechanisms.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to understand and practice an adequate level of cybersecurity.
Looking to strengthen the security of your project? Contact us at https://www.fairyproof.com/