SECURITY HACKS:
1. Hacker Leverages Logic Vulnerability in sDAO Attack
On 21 Nov, a hacker leveraged a logic vulnerability to attack sDAO, a dApp deployed on the BNB chain.
The vulnerability allowed the “withdrawTeam” function to be called publicly, sending all the BNB in the contract to an address specified by the contract.
The following details the hacker’s actions:
The hacker added LPs to the contract, then called the “withdrawTeam” function to transfer all LPs to a specified address.
The hacker added a small number of LPs to the contract and then called “getReward” to receive a huge number of reward tokens.
The hacker eventually made off with 13,662 BUSD, worth around US$13,662, in this incident.
Additional Details:
- Attacker’s Address: 0xa1b6d1f23931911ecd1920df49ee7a79cf7b8983 (BNB chain)
- Attacking Contract: 0x2b9efF2f254662E0f16B9AdC249aaa509B1C58d4 (BNB chain)
- Attacked Contract: 0x6666625Ab26131B490E7015333F97306F05Bf816 (sDAO on BNB chain)
Hash Value of Attack Transaction:
0xb3ac111d294ea9dedfd99349304a9606df0b572d05da8cedf47ba169d10791ed (BNB chain)
2. Hacker Attacks Aurum Through Function Validation Vulnerability
On Nov 22, a hacker attacked Aurum, a dApp deployed on the BNB chain.
The root cause was that the “changeRewardPerNode” function did not validate the caller, so the hacker was able to call it and launch the attack.
First, the hacker called “changeRewardPerNode” to set the daily reward to an extremely large value, then deposited 1,000 AUR into the contract. The hacker then called “claimNodeReward” to withdraw the reward.
The hacker exploited 50 BNB, worth around US$14,538.04, in this incident.
Additional Details:
- Attacker’s Address: 0x6903499751F973052155dF339116B6C6b24aC24b (BNB chain)
- Attacking Contract: 0x3d743b2f760A431CC20047CB5c7758c9a8860D6b (BNB chain)
- Attacked Contract: 0x70678291bDDfd95498d1214BE368e19e882f7614 (AurumNodePool on BNB chain)
Hash Value of Attack Transaction:
0xb3bc6ca257387eae1cea3b997eb489c1a9c208d09ec4d117198029277468e25d (BNB chain)
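Incidents 1 and 2 share one root cause: a privileged function (“withdrawTeam”, “changeRewardPerNode”) that any address can call. The Solidity below is an added illustration written for this digest, not code from the sDAO or Aurum contracts; the contract and variable names, the `IERC20` surface, and the `MAX_REWARD_PER_NODE_PER_DAY` cap are all assumptions. It places the vulnerable shape beside a hardened one that gates admin functions behind an owner check, bounds the reward rate so a single call cannot make a tiny deposit worth a huge payout, and emits events so that any parameter change is visible in on-chain logs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not sDAO's or Aurum's real code: the access-control gap both
// incidents share, and the corrected pattern.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable shape: the team withdrawal and the reward setter have no caller check.
contract VulnerablePool {
    IERC20 public immutable lpToken;
    address public team;
    uint256 public rewardPerNodePerDay;

    constructor(IERC20 _lpToken, address _team) {
        lpToken = _lpToken;
        team = _team;
    }

    // Mirrors "withdrawTeam": callable by anyone, drains the pool's whole LP balance.
    function withdrawTeam() external {
        lpToken.transfer(team, lpToken.balanceOf(address(this)));
    }

    // Mirrors "changeRewardPerNode": any caller can set an arbitrary reward rate.
    function changeRewardPerNode(uint256 newRate) external {
        rewardPerNodePerDay = newRate;
    }
}

// Hardened shape: owner-gated admin functions, bounded rate, explicit events.
contract HardenedPool {
    IERC20 public immutable lpToken;
    address public owner;
    address public team;
    uint256 public rewardPerNodePerDay;
    // Hypothetical upper bound; a real deployment would derive it from tokenomics.
    uint256 public constant MAX_REWARD_PER_NODE_PER_DAY = 1e18;

    event TeamWithdrawal(address indexed to, uint256 amount);
    event RewardRateChanged(uint256 oldRate, uint256 newRate);

    error NotOwner();
    error RateTooHigh(uint256 requested, uint256 max);

    // Every admin entry point must pass through this check.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IERC20 _lpToken, address _team) {
        lpToken = _lpToken;
        owner = msg.sender;
        team = _team;
    }

    // Only the owner may withdraw, and only an explicit amount, never "everything".
    function withdrawTeam(uint256 amount) external onlyOwner {
        require(lpToken.transfer(team, amount), "transfer failed");
        emit TeamWithdrawal(team, amount);
    }

    // Only the owner may change the rate, and it cannot exceed the cap.
    function changeRewardPerNode(uint256 newRate) external onlyOwner {
        if (newRate > MAX_REWARD_PER_NODE_PER_DAY) {
            revert RateTooHigh(newRate, MAX_REWARD_PER_NODE_PER_DAY);
        }
        emit RewardRateChanged(rewardPerNodePerDay, newRate);
        rewardPerNodePerDay = newRate;
    }
}
```

In review, the quickest check for this class of bug is to list every external or public function that moves funds or writes a parameter and confirm each one carries a modifier such as `onlyOwner`; the events in the hardened version also give monitoring tooling a concrete signal (an unexpected `RewardRateChanged`) to alert on before rewards are claimed.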
3. Hacker Attacks Sensei Labs’ Discord Server
On Nov 23, a hacker attacked Sensei Labs’ Discord server. Sensei Labs is an NFT project deployed on Solana.
4. Hacker Attacks Number Protocol
On 23 Nov, a hacker attacked Number Protocol, a dApp deployed on Ethereum, by targeting a wallet that had granted unlimited permissions to Multichain.
An issue in the Multichain Router’s anySwapOutUnderlyingWithPermit() function had already been leveraged in January to steal crypto assets worth around US$1.4M. The same function was exploited again to attack NUM holders who had granted such permissions.
A user lost a total of 557,754.45000198 NUM (~US$13,000). The hacker swapped all the NUM tokens for 13 ETH.
5. Hackers Attack Celebrities’ Wallets Using Phishing Links
On 26 Nov, a16 Crypto Security Officer “Nasse-nassyweazy.eth” claimed that hackers had posed as Apple employees to launch phishing attacks on celebrities known to hold crypto assets.
These hackers phoned the celebrities from numbers displayed as “Apple, Inc” and asked for their iCloud restoration passwords. Once the hackers had the passwords, they would demand a ransom for the data stored in the victims’ iCloud and also steal the wallet seed phrases or private keys stored there. Crypto assets would then be transferred out of the victims’ wallets.
CONCLUSION:
Five notable security incidents occurred in the past week.
It is worth noting that the root cause of the attack on Number Protocol was a repeat of a previously exploited issue.
A Reminder for Project Teams: Always test thoroughly and have smart contracts audited before deploying them on-chain. In addition, manage and store private keys with great care.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to understand and practise a sufficient level of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/