Fairyproof Official Newsletter

Weekly Blockchain Security Watch

Dec 5 to Dec 11

Fairyproof
Dec 12, 2022

From December 5 to December 11, 2022, all the security incidents that occurred fall into two categories: Security Hacks and Rug-pulls.

SECURITY HACKS:

1. Hacker Attacks Roast Football

On Dec 5, Roast Football, a dApp deployed on the BNB chain, was attacked.

The attacker is suspected of repeatedly swapping RFB for WBNB and back to manipulate the reward calculation, eventually taking about 12 BNB worth around US $3,500.

Additional Details:

- Attacker’s Address: 0x5f7dB41E2196080F397CDCF8DD58e8ADFdaf2adE (BNB chain)

- Attacking Contract: 0xD5DE2914bC6D2f005228A04289e8D518c710a049 (BNB chain)

- Attacked Contract: 0x26f1457f067bF26881F311833391b52cA871a4b5 (RFB token on BNB chain)

- Hash Value of Attack Transaction:

0xcc8fdb3c6af8bb9dfd87e913b743a13bbf138a143c27e0f387037887d28e3c7a (BNB chain)

2. Hacker Attacks SHINNOKI’s Discord Server

On Dec 5, a hacker attacked SHINNOKI’s Discord server. SHINNOKI is an NFT project deployed on Ethereum.

3. Hacker Attacks Option Room

On Dec 11, Option Room, a dApp deployed on both Ethereum and the BNB chain, announced that it had been attacked on Dec 6.

The root cause was a compromised private key.

The hacker (0x03fCC5375F7E01cadcaC2D0ef5374f925D1d9405) drained all the assets from the contracts deployed on both Ethereum and the BNB chain.

Since the incident, the team behind Option Room has been tracing the stolen assets and the hacker’s activity. The hacker is suspected of sending the stolen assets to multiple CEXs, including Binance.

A total of 12 ETH on Ethereum and 785 BNB on the BNB chain were stolen, worth around US $238,000.

4. Hacker Attacks Dexsport

On Dec 7, Dexsport, a Web3 sports betting platform, was attacked.

The root cause was a vulnerability in its off-chain system, which the hacker leveraged to steal 400,000 BUSD.

At the time of writing, the vulnerability had been fixed and deposits and withdrawals were working again.

5. Hacker Attacks AES

On Dec 7, AES, a dApp deployed on the BNB chain, was attacked.

The root cause was that the AES-USDT pair contract’s “skim” function could be abused to trigger the AES token’s burn logic.

Here is how the hacker attacked the project:

The hacker sent some AES tokens to the AES-USDT pair contract so that its AES balance exceeded its recorded reserve, then called the pair contract’s skim function with the pair itself as the recipient, so that the surplus tokens were transferred back to the pair contract. Each such transfer burned some AES tokens, deflating the AES held by the pair.

The hacker repeated this process and eventually exchanged a small number of AES tokens for a large amount of USDT.

All the stolen assets were transferred to the hacker’s address. Crypto assets worth around US $61,608 were stolen in this incident.

Additional Details:

- Attacker’s Address: 0x85214763f8eC06213Ef971ae29a21B613C4e8E05

- Hash Value of Attack Transaction:

0xca4d0d24aa448329b7d4eb81be653224a59e7b081fc7a1c9aad59c5a38d0ae19

6. Hacker Attacks Creepy Friends’ Discord Server

On Dec 8, a hacker attacked Creepy Friends’ Discord server. Creepy Friends is an NFT project deployed on Ethereum.

7. Hacker Attacks Super Normal’s Discord Server

On Dec 8, a hacker attacked Super Normal’s Discord server. Super Normal is an NFT project deployed on Ethereum.

8. Hacker Attacks Crypto Cannabis Club’s Discord Server and Twitter

On Dec 11, a hacker attacked Crypto Cannabis Club’s Discord server and Twitter account. Crypto Cannabis Club is an NFT project deployed on Ethereum.

9. Hacker Suspected to Exploit WOG

On Dec 11, WOG, a dApp deployed on the BNB chain, was attacked.

The hacker is suspected of having acquired a large number of WOG tokens from the contract deployed at 0x146b0d9275d9619d5556940fa4daf08598767eea and exchanged them for 170,000 BSC-USD.

At the time of writing, the stolen assets remained in 0x36ecf288148e0840ea9dcfcae3a548144c253a9a.

Additional Details:

- Hash Value of Suspicious Transaction:

0x55e14b8e5cdd01fa9e399b72419a4c34334a0d65e32c4ef52c5e528f5a1c6373

10. Investigation on 3Commas’s APIs

On Dec 11, Yuriy Sorokin, founder and CEO of 3Commas, released an update on the investigation into possible attacks on its APIs.

It was claimed that some user accounts on CEXs including Binance, OKX and FTX had been used to place unauthorized trades through 3Commas’ service.

3Commas investigated these incidents and stated that each case was different and isolated, and that many high-value users of its service had not encountered the issue; it therefore considered a vulnerability in 3Commas’ own system unlikely.

11. Hacker Attacks Lodestar Finance

On Dec 10, a hacker attacked Lodestar Finance, a dApp deployed on Arbitrum.

The team behind Lodestar Finance announced on Twitter that its protocol had been attacked and its crypto assets drained.

The root cause was that the exchange rate reported by the plvGLP contract was manipulated and pushed to 1.83 GLP per plvGLP. The hacker leveraged this inflated rate, burning more than 3 million GLP in the process, and stole 2.8 million GLP worth around US $2.4 million.

12. Hacker Attacks TRQ

On Dec 11, a hacker attacked TRQ, a dApp deployed on the BNB chain.

A total of 75,485 BSC-USD, worth around US $75,485, was stolen in this incident.

Additional Details:

- Attacker’s Address: 0x0e7dA0a26749aDB7b5b448a8E0787edD3Bb1AdBA

- Hash Value of Attack Transaction:

0xaa0c7ccb56ec1d6510bcd9d223a57362d5b63d59b16f074343749e3337f42a35

RUG-PULLS:

1. Nova Turns Out to Be a Rug-pull

On Dec 9, Nova, a dApp deployed on the BNB chain, rug-pulled.

Before the rug-pull was confirmed, on Dec 4 the Nova token contract (0xB5B27564D05Db32CF4F25813D35b6E6de9210941) had been deployed by its deployer. This contract contained a backdoor that allowed the admin to mint the token at will.

On Dec 9, the deployer used the backdoor by calling the rewardHolders function to mint 10,000,000,000,000,000,000,000,000,000 NOVA (1e31) to itself, then drained the liquidity from the token pair on PancakeSwap.

363.7 BNB worth around US $105,000 were stolen in this incident.

CONCLUSION:

13 notable security incidents occurred in the past week: 12 of them were attacks and 1 was a rug-pull.

A Reminder for Project Teams: Always test thoroughly and have smart contracts audited before deploying them on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/
