From October 17 to October 23, 2022, all security incidents that have occurred are Security Hacks.
SECURITY HACKS:
1. Hacker Attacks MTDAO
On 17 Oct, a hacker attacked MTDAO, a dApp deployed on the BNB chain.
Basically the dApp’s close-sourced contract deployed at 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 was attacked.
The hacker called two functions of the attacked contract to call the sendtransfer function of both the MT token and the ULM token to exploit 1930 BNBs. 1030 BNBs were subsequently transferred to 0xb2e83f01D52612CF78e94F396623dFcc608B0f86 and then cashed out via Tornado Cash. The remaining BNBs were exchanged to other tokens and transferred to multiple addresses.
Around 487,042.615 BUSDs were exploited in this incident.
Additional Details:
- Attacker’s Address: 0xD0665538e599B02CDB565EDB0A38813A88B31d9e (on BNB chain)
- Attacking Contract: 0x561d38206dD390e173B6236e6A2316687DfC31A9 (on BNB chain)
- Attacked Contract: 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 (on BNB chain)
- Hash Value of Attack Transaction:
0xb1db9743efbc306d9ba7b5b892e5b5d7cc2319d85ba6569fed01892bb49ea499 (on BNB chain)
2. Hacker Attacks LiveArtX
On Oct 17, a hacker had attacked LiveArtX, an NFT application deployed on Ethereum.
The root cause was the project team’s private key was compromised. Thea hacker exploited 197 Meta-morphic: Seven Treasures NFTs issued by the project. This incident caused the NFT’s floor price crashed by 80%. At the time of writing the LiveArtX team claimed that all the exploited NFTs were frozen.
Additional Details:
- Attacker’s Address: 0x5f7848EC0286304DC5FE6497AF4B3C0FeaD6A920 (on Ethereum)
- Attacked Contract: 0xcaf6d25fdcd304ec0817bb13a8359426e7b09f0c (on Ethereum)
- Hash Value of Attack Transaction:
0x4d990cfe3bc620a94d307eeae23a43a80be16a79b33389c138049e75fea18011 (on Ethereum)
3. Hacker Attacks BitKeepSwap
On 18 Oct, a hacker had attacked BitKeep Swap, a dApp deployed on the BNB chain.
The root cause was that there was a vulnerability in its access control. This caused a loss of $1 million to the project.
At the time of writing, the BitKeep team claimed that all transactions on the dApp had been paused, and its users’ assets would be safe; the team would propose a simple solution for its uses to fix possible issues found in their wallets; the team would work with security companies to trace and track the hacker and get back exploited assets as many as possible; the team would compensate for all affected users and would also give bounties to users who could help trace and track the hacker.
Additional Details:
- Attacker’s Address: 0x8A4172a718B7C6EDd97805f5c2585277dF11B8D0 (on BNB chain)
- Attacked Contract: 0x75eb01bf6e265e2a7dbba1644913b5adf0cc12de (on BNB chain)
- Attacking Contract: 0xc37589014E2294bc17578f1229CE5C95b01C2fD8 (on BNB chain)
- Hash Value of Attack Transaction:
0xb3d427ea5863380df10680a6467d4a848cc3af7ca414643f70ea48dafaedf9e7 (on BNB chain)
4. Hacker Attacks Moola Market
On 18 Oct, a hacker had attacked Moola Market, a dApp deployed on the Celo blockchain.
The hacker borrowed 243,000 CELOs from Binance, lent 60,000 CELOs to Moola, borrowed 1.8 million MOOs. The hacker then used the remaining CELOs to manipulate the MOO’s price and used the MOOs as collateral to borrow multiple other assets.
Eventually, the hacker exploited 8.8 million CELOs ($6.5 million), 765,000 cEUR ($700,000), 1.8 million MOOs ($600,000) and 644,000 cUSDs ($600,000).
At the time of writing, the dApp had been paused and its team claimed that 93.1% of the exploited assets had been returned to the team’s multi-sig wallet.
Additional Details:
- Attacker’s Address: 0x5DAE2C3d5a9f35bFaf36A2E6edD07c477f57789e
- Hash Value of Attack Transaction:
0x031d0858fdb2f3fa6809cd01cd7e039ce9dfe161b1d299a983cbf09acd330d47
5. Hacker Attacks XANA’s Discord
On Oct 18, XANA’s Discord server was attacked. XANA is a metaverse project.
6. Hacker Attacks Cross-chain Bridge Between BitBTC and Optimism
On Oct 18, a Twitter user (Lee Bousfield) claimed that a serious bug in the cross-chain bridge between BitBTC and Optimism had been fixed.
Lee Bousfield claimed in his twitter that the bug could be exploited to allow malicious actors to mint fake tokens on one chain and get real tokens on the other.
7. Hacker Attacks Vivity’s Discord
On Oct 21, Vivity’s Discord server was attacked. Vivity is an NFT project.
8. Hacker Attacks Shojira’s Discord
On Oct 22, Shojira’s Discord server was attacked. Shojira is a metaverse project on Ethereum
9. Hacker Attacks Layer2DAO
On Oct 23, Layer2DAO, a dApp deployed on Optimism was attacked.
The hacker exploited its multi-sig access control to steal 49.95 million L2DAO tokens and dumped them on the market resulting in L2DAO’s price crashing by 90%.
At the time of writing, the team had talks with the hacker and got back 31,239,677L2DAO tokens.
CONCLUSION-
9 notable security incidents related to security hacks have occurred in the past week.
4 of them were attacks on smart contracts, 3 on social media and others were misc incidents.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at
https://www.fairyproof.com/