July 18 to July 24
From July 18 2022 to July 24 2022, the security incidents that occurred can be categorized as follows:
Security Hacks
Rug-Pulls
SECURITY HACKS:
1. Attackers Send Phishing Links to Maximalist’s Discord Server.
On July 19, phishing links were sent to Maximalist’s Discord server. Maximalist is an NFT project.
2. Attackers Send Phishing Links to Tableland’s Discord Server.
On July 19, phishing links were sent to Tableland’s Discord server. A member had joined a third-party Discord group and, during a verification process with a “Dyno” bot, clicked on a bookmark injected with malicious JavaScript. This compromised the member’s account information, which the attacker then used to send phishing links in the project’s Discord server.
3. Attackers Send Phishing Links to Derpy Punkz’s Discord Server.
On July 20, phishing links were sent to Derpy Punkz’s Discord server. Derpy Punkz is an NFT project.
4. Attackers Send Fake NFT News via Zeneca’s Discord Server and Twitter Account.
On July 20, fake NFT airdrop news was sent out from Zeneca’s Discord server and Twitter account. Zeneca is the founder of ZenAcademy and an influential NFT KOL. Both Zeneca’s Discord account and Twitter account were compromised in a phishing attack. The attacker used both accounts to send fake news about a “Zen Academy Founders Pass” and urged users to connect their wallets to participate in the fake airdrop event. At the time of writing, Zeneca’s Twitter account had been restored.
5. Attackers Send Phishing Links to Rabbit Hole’s Discord Server.
On July 22, phishing links were sent to Rabbit Hole’s Discord server. Rabbit Hole is a DeFi learning platform. The team behind Rabbit Hole warned users not to click on any links in the Discord server.
6. Audius Suffers Governance Attacks.
On July 24, Audius, a popular NFT music application deployed on the BNB chain, suffered governance attacks. The attacker funded the gas for the attack from Tornado.Cash deployed on the BNB chain and from a cross-chain transfer out of the attacking contract deployed on Ethereum. The attacker then called the initialize function defined in the Community Treasury contract via the attacking contract, set the attacking contract as the “guardian”, and successfully submitted a malicious contract to transfer 18.56 million Audius tokens to the attacking contract.
The attacker then swapped the Audius tokens for ETH (~US$1 million).
Additional details -
Attacker’s address (BNB Blockchain):
0xa0c7BD318D69424603CBf91e9969870F21B8ab4c
Addresses of the attacked smart contracts (BNB Blockchain):
- Proxy Contract: 0x4DEcA517D6817B6510798b7328F2314d3003AbAC
- Implementation Contract: 0x35dD16dFA4ea1522c29DdD087E8F076Cad0AE5E8
RUG-PULLS:
1. Number Swap Turns out to be a Rug-Pull
On July 19, NumberSwap, a DEX deployed on the BNB chain, turned out to be a rug-pull. The deployer of the project’s token contract held more than 98% of the token’s total supply. Only 1% of the total supply was in circulation.
Additional detail -
Attacker/Contract Deployer’s address (BNB Blockchain):
0x916c81571fe022a58688d80d246546587b1ebe24
2. Raccoon Network and Freedom Protocol Turn out to be Rug-Pulls
On July 20, Raccoon Network and Freedom Protocol turned out to be rug-pulls. It is highly suspected that both projects were run by the same team.
20 million BUSD were sent to 0xf800f2744FDe6BDA11e80b7DE0954AC3dC469336 (BNB blockchain).
CONCLUSION:
8 notable incidents occurred in the past week: 6 were security attacks and 2 were rug-pulls.
It is worth noting that the vulnerability exploited in the Audius incident was an issue in its contract’s storage slot implementation. Such issues are not easily discovered and can prove to be a big challenge for developers. It is highly suggested to have your code audited by professionals.
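As an added illustration of the slot-collision class of issue the conclusion points to, and of the re-callable initialize function described in incident 6 above, here is a small model written for this note; it is not Audius's code or a reconstruction of its actual layout. It assumes a proxy that keeps its admin address in storage slot 0 while the implementation keeps its initializer flags in that same slot, and contrasts it with the namespaced EIP-1967 admin slot.

```python
# Added model (written for this note; not Audius's contracts or a reconstruction
# of its exact layout) of how a proxy and its implementation colliding on
# storage slot 0 can let an initializer be re-run by anyone. Storage is a dict
# of 256-bit slots. Solidity packs small variables from the low-order bytes of
# a slot, so two bools declared first in the implementation occupy bytes 0 and
# 1 of slot 0, and a bool read from storage is true for any nonzero byte.
WORD_MASK = (1 << 256) - 1

# EIP-1967 admin slot, keccak256("eip1967.proxy.admin") - 1: a namespaced slot
# that a sequentially laid-out implementation will never reach.
EIP1967_ADMIN_SLOT = 0xB53127684A568B3173AE13B9F8A6016E243E63B6E8EE1178D6A717850B5D6103

# Constructed sample addresses, not real accounts.
DEPLOYER = 0x1111111111111111111111111111111111111111
ATTACKER = 0x2222222222222222222222222222222222222222


class Implementation:
    """Implementation logic; shares one storage map with the proxy."""

    def __init__(self, storage: dict):
        self.s = storage

    def initialize(self, caller: int) -> bool:
        """Initializable-style guard: require(initializing || !initialized).
        (The constructor-context check of the real modifier is omitted.)"""
        word = self.s.get(0, 0)
        initialized = bool(word & 0xFF)          # slot 0, byte 0
        initializing = bool((word >> 8) & 0xFF)  # slot 0, byte 1
        if not (initializing or not initialized):
            return False                         # call reverts
        self.s[0] = (word & (WORD_MASK ^ 0xFF)) | 0x01  # initialized = true
        self.s[1] = caller                       # slot 1: guardian address
        return True


def deploy(admin_slot: int) -> dict:
    """Proxy writes its admin address at admin_slot, then DEPLOYER initializes."""
    storage = {admin_slot: DEPLOYER}
    assert Implementation(storage).initialize(DEPLOYER)
    return storage


def guardian_after_reinit_attempt(admin_slot: int) -> int:
    """Who ends up as guardian after a second, unauthorised initialize() call."""
    storage = deploy(admin_slot)
    Implementation(storage).initialize(ATTACKER)
    return storage[1]
```

With `admin_slot=0` the admin address's nonzero second byte reads as `initializing == true`, so the second initialize() call succeeds and the caller becomes guardian; with the EIP-1967 slot the flags start at zero, the first call sets them, and the second call reverts.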
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Awareness of potential issues in governance mechanisms is also needed.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
Looking to strengthen the security of your project? Contact us at