August 15 to August 21
From August 15 to August 21 2022, all security incidents that had occurred can be categorized into:
Security Hacks
Rug-pulls
SECURITY HACKS:
1. Attacker Exploits Stader Staking Contract Vulnerability for 165, 000 NEARs
On August 16, an attacker gregoshes.near exploited around 165, 000 NEARs (~US$60, 000) from Stader, a DeFi application deployed on the NEAR blockchain.
As the Stader team was upgrading the staking contract, a vulnerability was found in the contract that had allowed the attacker to mint 20 million NearX tokens without staking NEARs. The attacker then exchanged the exploited NearX trokens to NEARS through the token pair NEAR/NearX on RefFinance and JumboExchange.
The Stader team immediately secured most of the assets when the attack was detected. At the time of reporting, around 2.5 million NEARs staked in the contract were safe. The team had also disabled all NearX-associated exchange activities and operations on the NearX contract. It was also reported that the team is working closely with Halborn and BlockSec to investigate the issue.
2. Hackers Attack LegendaryOwls’ Discord
On August 17, hackers attacked LegendaryOwls’ Discord server. LegendaryOwls is an NFT project.
3. Hackers Attack The Humanoids’ Discord
On August 20, hackers attacked The Humanoids’ Discord server. The Humanoids is an NFT project.
4. Lazarus Releases Fake Notice of Recruiting Web 3 Developers Containing Malicious File
On August 20, an infamous hacker team Lazarus released a fake recruitment notice for web 3 developers on behalf of Coinbase. The team broadcasted this fake notice which included a malicious “.pdf” file via LinkedIn and various recruitment platforms to Windows and Mac users. Once these users open the file their personal information will be stolen.
5. Llamaverse Reports Compromise of Staff Discord Server
On August 21, NFT project Llamaverse reported that their Discord server had been compromised by hackers. They urged users not to engage with any staff accounts as their server name had been changed. They subsequently reported that no damages had been incurred from the hack.
6. Hackers Attack CETS ON KREK’s Discord
On August 22, hackers attacked CETS ON KREK’s Discord server. CETS ON KREK is an NFT project.
RUG-PULLS:
1. BlueBenx Claims They Were Rug-pulled by Hackers
On August 22, a Brazilian centralized crypto service platform BlueBenx announced a new statement stating that the platform had lost crypto assets (~US$32 million) due to a rug pull by another CEX. The statement noted that BlueBenx paid US$200,000 and 25 million BENXs to the CEX for the BENX token to be listed before the assets paid were rug-pulled. 2500 clients out of BlueBenx’s 25, 000 clients were affected by this incident. BlueBenx planned to allow these affected clients to withdraw their assets from 2023.
In a previous announcement by BlueBenx, it claimed that these assets were exploited by hackers.
CONCLUSION-
6 notable incidents and 1 rug-pull had occurred in the past week.
Most of them were attacks on social media. The only attack on smart contracts occurred in the NEAR blockchain.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
Looking to strengthen the security of your project? Contact us at