From August 29 to September 4, 2022, all security incidents that have occurred are Security Hacks.
SECURITY HACKS:
1. Hackers Attack Floaties’ Discord
On August 28, hackers attacked Floaties’ Discord server. Floaties is an NFT project.
2. Attackers Exploit General Bytes’ ATM Network Vulnerability
On August 29, attackers exploited a zero-day vulnerability uncovered in General Bytes’ ATM network’s UI. The attackers were able to gain admin’s access control and directed payments toward General Bytes to the hackers’ account.
3. Hacker Exploits Logic Vulnerability in CUPID Attack
On August 31, a hacker attacked CUPID, a DeFi application deployed on the BNB chain. The hacker flash-loaned a quantity of USDTs to exchange some VENUS and provided both tokens to the USDT-VENUS pool. He proceeded to exploit a logic vulnerability in the app’s attacked contract for CUPIDs as profits.
Around US$78, 000 were exploited in this incident.
Additional Details:
- Attacker’s Address: 0xDf2984CF49ff2944c019decbd2057c09e5b026b1 (on the BNB chain)
- Attacking Contract: 0x40bb1302efb223ba1f50495ea96ee7d1ad0cb6da (on the BNB chain)
- Attacked Contract: 0x40c994299fb4449ddf471d0634738ea79c734919 (on the BNB chain)
- Hash Value of the Attack Transaction:
0xed348e1d6ef1c26e0040c6c3f933ea51f953bdbafad7fb11c593f6837909c079 (on the BNB chain)
4. Hacker Attacks Kyber Swap’s Front-end
On September 1, an attacker injected a malicious program to Kyber Swap’s front-end. Around US$260, 000 were transferred to the hacker’s address during the incident.
Upon detection of the attack, the Kyber team disabled and removed the malicious code, and recovered the dApp’s UI.
The attacker’s address was 0x57A72cE4fd69eBEdEfC1a938b690fbf11A7Dff80 on both Ethereum and Polygon.
5. Hacker Exploits Public Burn Function in ShadowFi (SDF) Attack
On September 2, hackers attacked BNB Chain-deployed DeFi application ShadowFi.
Around 1078 BBs (US$300, 000) were exploited in this incident and eventually cashed out through Tornado Cash deployed on the BNB chain.
ShadowFi’s “burn” function’s visibility was set to “public”. Generally, this visibility should not be set to public and should be an internal function instead. The attackers have leveraged this vulnerability for the attack.
This is how the attack was carried out:
Step 1: The attacker acquired a certain quantity of SDFs
Step 2: Consequentially, the attacker burned some SDFs in the token pair of SDF-WBNB to pump SDF’s price.
Step 3: The attacker exchanged all the SDFs obtained in step 1 to WBNBs
Additional Details:
- Attacker’s Address: 0x4daa3135b016ac37c46ed03423d314caea89ff5e (on the BNB chain)
- Attacking Contract: 0x6ed2175bc502f45499d233ea47e1201c1ad537de (on the BNB chain)
- Attacked Contract: 0x10bc28d2810dD462E16facfF18f78783e859351b (on the BNB chain)
- Hash Value of the Attack Transaction:
0xe30dc75253eecec3377e03c532aa41bae1c26909bc8618f21fb83d4330a01018 (on the BNB chain)
6. Bill Murray Reports Wallet Exploited, Crypto Assets Stolen
On September 3, it was reported that American comedian Bill Murray’s wallet was exploited. Some crypto assets were stolen and the NFTs in the wallet were transferred to a safe address by Project Venkman, an NFT consultant company.
Prior to the incident, Bill Murray launched an NFT auction “Beer with Bill Murray” on Coinbase for charity on September 1. The total bid amount was 119.2ETHs (US$185, 000) and the item was won by Coinbase user Brant Boersma.
7. Hackers Attack LCD Lab’s Discord
On September 3, hackers attacked LCD Lab’s Discord server. LCD Lab is an NFT project.
8. Hackers Mint 450 Malicious NFTs in BadGuys NFT Application
On September 4, two hackers maliciously minted 450 NFTs in their attack against Ethereum-deployed NFT application BadGuys.
The NFT’s contract did not have validation for a user-input parameter, allowing any user to bypass the rule that allowed individual addresses to mint only one NFT. Naturally allowing individual users to mint any quantity into the NFT project.
The attackers attacked the mint contract at 0xB84CBAF116eb90fD445Dd5AeAdfab3e807D2CBaC on Ethereum.
At the time of writing, the team had reached an agreement with the attackers to pay 2.5 ETHs to buy back the maliciously minted NFTs.
9. Hacker Attacks DAO Officials
On September 4, hackers attacked BNB chain-deployed dApp DAO Officials through a flashloan.
The attacker flash-loaned a large quantity of BSC-USDs, exchanged them to DAOs, deposited the DAOs to 0xea41bbd80ac69807289d0c4f6582ab73e96834d0, and exploited a vulnerability in the contract to acquire around US$580, 000 for profits.
Additional Details:
- Attacker’s Address: 0x00a62EB08868eC6fEB23465F61aA963B89e57e57 (on the BNB chain)
- Attacking Contract: 0x00a62EB08868eC6fEB23465F61aA963B89e57e57 (on the BNB chain)
- Attacked Contract: 0xea41BBD80Ac69807289d0C4F6582AB73E96834D0 (on the BNB chain)
CONCLUSION-
9 notable security incidents related to security hacks have occurred in the past week.
A large majority of them were attacks against smart contracts. It is also good to take note that there was an attack on the front-end of an established DeFi application. The other attacks were on social media or personal accounts.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, be more aware on the security of the front-end in a project’s daily operation.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
For a better understanding on all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at: https://www.fairyproof.com/