TronWeekly

Crypto World News

You are here: Home / Archives for Hack

Hack

DeFi Platform Pickle Finance Suffers Massive Hack; $20 Million Removed From Contract

by

The rising popularity of Decentralized Finance [DeFi] is not only attracting investors but is also attracting a lot of attention from hackers and online thieves. In the most recent case, Pickle Finance’s DeFi protocol has been the latest victim of what appears to be an exploit of an astounding $20 million.

As revealed by the user under the pseudonym “statelayer.eth.”, Pickle Finance deployed a new strategy in a bid to maximize returns from the stablecoin DAI. This was claimed to have been posted by a team member for Pickle on a Discord chat. It is important to note that the DeFi platform essentially moves investors’ money around different protocols to maximize returns.

However, many users noticed that Pickle Finance’s yield-bearing vault which it calls cDAI jar had been emptied as someone allegedly drained $19.7 million in the stablecoin from that wallet. The attackers in question reportedly swapped the funds between his “evil jar” and the real cDAI jar, making off with the stolen funds in deposits.

Pickle Finance’s breach is the 13th largest hacking attack on decentralized finance platforms revealed so far in 2020. Several DeFi protocols have been the victims of flash loan-based oracle attacks, while the most attacked platform was bZx Protocol, the project with the biggest loss was Harvest. Additionally, Maker also lost funds worth $ 8.3 million for the attack in March this year.

This month itself, three cases of flash loan attacks were observed. Acropolis lost $2 million, which it has not yet recovered. Just two days later, Value protocol was drained off a $ 7.4 million in an attack. This was followed by Origin Protocol’s yield-generating stablecoin protocol attacked and drained by nearly $7 million.

But unlike the prior flash loan attacks that have plagued the DeFi realm over the past couple of months, Pickle Finance’s hackers basically leveraged a bug related to Pickle’s Swap Jar functionality, which allowed yield farming strategies to be swapped. According to experts, there was no check to determine that the Jar the funds were being swapped into was not malicious.

DeFi Protocol Harvest Finance Takes Full Responsibility of Economic Attack

by

Decentralized finance [DeFi] Harvest Finance suffered a $24 million economic attack on October 26. A day later, the platform published its post-mortem report, in which it took full responsibility for the engineering error and ensured that such incidents would be mitigated in the future.

Following the breach, Harvest Finance reportedly withdrew all the funds from the shared pools which included DAI, USDC, USDT, TUSD as well as WBTC and renBTC.  The report further claimed that the funds were currently present in the vaults and cannot suffer from further market manipulation while notifying that the attack did not involve DAI, TUSD, WBTC, and renBTC, and the depositors in these vaults were not affected.

According to Harvest Finance, the share price of the USDC and USDT vault decreased from 0.980007 to 0.834953, and 0.978874 to 0.844812, respectively. Nearly $33.8 million value was lost during the entire episode which corresponded to roughly 3.2% of the total value locked in the protocol at the time before the attack.

As possible remediation techniques, Harvest Finance is planning to implement a commit-and-reveal mechanism for deposits which would remove the ability to perform deposits and withdrawals within a single transaction. This, in turn, would make flash-loan-based attacks infeasible.

The company was also planning to deploy a stricter configuration of the existing deposit arb check in the strategies. Since the current threshold, which was set to 3%, was not sufficient to protect the vault against tye economic attack, Harvest Finance opined that a stricter threshold could make such an attack “economically infeasible”.

Some of the other steps include withdrawals in an underlying asset to prevent the attacking entity from generating a profit and using oracles for determining asset price. Besides, it asserted that additional remediation methods will be analyzed and voted on in governance in the coming days.

The DeFi platform had previously stated that there was a “significant amount of personally identifiable information on the attacker”, and that the attacker was “well-known” in the crypto community. Harvest Finance concluded,

“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety.”

Harvest Finance Says Attacker Behind Hack -‘Well-Known in Community; Puts $100K Bounty

by

Harvest Finance has been in the spotlight for quite some time, and not for good reasons. According to the latest reports that emerged in the early hours of Monday morning, the DeFi yield farm protocol has been drained by nearly $24 million from its pools and swapped for renBTC [rBTC].

Confirming the news of the hack, Harvest Finance revealed “working actively” on the issue of mitigating the economic attack on the stablecoin and BTC pools. The hacker reportedly used Tornado Cash, which happens to be a privacy tool for obfuscating the history of Ether.

Following which the hacker[s] reportedly sent back nearly $2.5 million to the deployer in the form of Tether [USDT] and USD Coin [USDC]. These, according to Harvest Finance will be distributed to the affected depositors pro-rata using a snapshot. Besides, the attack was made possible by manipulating stablecoin prices on another DeFi platform, Curve Finance.

The Harvest Finance team joined forces with Ren Protocol to locate Bitcoin addresses where the funds were transferred. Harvest Finance’s representatives had also asked major exchanges to freeze the allegedly stolen funds and block the addresses.

Bounty Hunt

Harvest Protocol further tweeted,

“We will release a post mortem report within the next 16 hours, and work on future risk-mitigation strategies against flashloan economic attacks, including evaluating insurance options, as well as reparation strategies. For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar”

Furthermore, Harvest Finance stated that there was a “significant amount of personally identifiable information on the attacker”, who is “well-known” in the crypto community. Additionally, the platform went on to say that it was putting out a 100k bounty for the first person or team to reach out to the attacker. It further tweeted,

“We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users”

Harvest Finance is yet another DeFi protocol that seeks the highest-earning pools to farm, a concept very similar to Yearn Finance. The latest news comes just a day after popular DeFi analyst Chris Blec claimed that the platform held just one “admin key” that can potentially drain funds locked in the protocol’s contracts.

DeFi Hackers Drains $15 million From Unaudited Project Related to Yearn.Finance

by

The DeFi community woke up to the news of a hacker draining $15 million from untested and unaudited codes of Andre Cronje’s latest project. Cronje, who happens to be the Founder of Yearn.Finance, was working on a new economy for a gaming multiverse, called Eminence, and wasn’t planning on releasing the project for at least another three weeks.

Following which he revealed deploying staging contracts on ETH to continue developing on it. The unaudited version was launched on the decentralized platform, Uniswap. Cronje tweeted the project’s logo last night.

However, he woke up in the middle of the night to find that almost $15 million was deposited into the contracts as speculators driven by FOMO rushed in to purchase the platform’s native EMN tokens.

A hacker discovered a rogue function that allowing the minting of unlimited EMN tokens, burn an equal amount of EMN tokens against another crypto-asset, and sell that to those rushing in to buy the token. The hacker went ahead and exploited the flaw in the contracts leading to a loss of $15 million. In a rather bizarre event, Cronje revealed that the hacker returned over $8 million of the stolen funds to his own deployer contracts.

The returned funds will be directed to all those who rushed into buying the EMN token. Despite this, he continued to receive threats. Revealing the same, Cronje tweeted,

“As I am receiving a fair amount of threats, I have asked yearn treasury to assist with refunding the 8m the hacker sent. The multisig is safer and as such I feel more comfortable with them having the funds. Funds will be returned to holders pre-hack snapshot.”

Following this episode, the developer urged the community to wait for official announcements and further added,

“Given some of the responses, let me be clear, do not use random contracts I deploy unless I reference it in a medium article. The contracts I deployed yesterday were purely for myself to engage with, both GIL and EMN are staging and will not be used.”

Kucoin’s Hack Reignites Centralized-Decentralized Debates

by

Bitcoin was the world’s first-ever decentralized digital currency without a central authority or an overlord. “Truly Decentralized.” But since then, the industry grew and now we have a whole set of “decentralized” finance in response to the rise of centralized financial systems.

The endless centralization and decentralization tussle have once again gained prominence. This time, it was the popular AMM platform Ocean Protocol which got dragged into the mud in the recent Kucoin Hack. But It wasn’t until two days later that Ocean Protocol Foundation realized that out of the total $150 million stolen funds, over $8.6 million accounted for OCEAN tokens.

Abandoning decentralized principles to save a decentralized system

The foundation then revealed halting the OCEAN contract. It was this step than garnered significant criticism from the community. Many popular analysts questioned as to how decentralized are these DeFi projects.

TokenSoft’s Mason Borda took to Twitter to express his views regarding the whole episode and tweeted,

“If you can pause your token contract, it is a security. if you can pause your token contract, it is not decentralized. If an exchange with your projects’ tokens gets hacked, and there is nothing you can do to help token holders. It is decentralized.”

List goes on..

It’s not just Ocean Protocol that has come under the scanner. To minimize the risk and loss in this incident, the team behind several DeFi platforms made serious changes in response to the security breach on the centralized exchange. DeFi platform Orion Protocol, for instance, revealed taking an “executive decision to reissue all ORN tokens 1:1 via a token swap”.

Another decentralized notary service provider, SilentNotary decided to re-issue its SNTR tokens.

Interestingly, a popular decentralized exchange, Uniswap was reportedly leveraged to swap from altcoins to Ethereum. However, as yet there has been no notification from their end. The problem that could arise out of this is if the swapping continues, is that it could set off an alarm for the regulators.

Since the community remained entangled in the continuum of centralization and decentralization, it is important to note that 100% decentralization is probably not viable in the real world. Both factors can play a very important role in decision-making. While decentralization needs a powerful champion at the center to be successful, the world has yet to see such a system in place.

 

bZx Sustains iToken Duplication; Protocol Compromised for Third Time in a Year

by

On the one hand, DeFi shows no signs of stopping, on the other hand, some popular projects are being hacked due to a number of internal vulnerabilities. One such protocol is the bZx, which had a very difficult year.

In a yet another fresh trouble, the popular DeFi lending protocol encountered bug exploitation. bZx’s official blog post claimed that the platform sustained a duplication incident with several of the iTokens. The incident caused the protocol insurance fund to transiently accrue a debt. Calling the incident “surmountable”, bZx revealed that the insurance fund was backstopped by both the token treasury in addition to protocol cash flows.

It was the steep drop in bZx’s TVL that caught the attention of the platform’s developers which was then followed by a tweet stating that it was “investigating” the reason behind it.

Marc Thalen, Lead Engineer at Bitcoin.com found an exploit after noticing a user capable of duplicating iTokens who then contacted the team. But by the time the team’s founders got the word, the attacker had drained substantial amounts of Dai and USDC. Thalen further stated that the entire pool could have been drained “if the attacker had a bit more time”.

Funds are SAFU

However, the platform confirmed that no funds were at risk. Furthermore, the duplication bug in question was patched up after it was audited by two prominent security firms – Peckshield and Certik. bZx stated,

“The protocol was heavily audited by top security firms Peckshield and Certik. The Peckshield audit was 12 person weeks. This is the same amount of time that Peckshield audited the Multi-collateral DAI [MCD] contracts for MakerDAO. The Certik audit was 7 person weeks. Additionally, we performed extensive automated testing. Unfortunately, audits are not silver bullets.”

This is not an isolated case wherein an entity was able to compromise bZx. The protocol was compromised for the first time on the 14th of February when the team was at the ETH Denver industry event. The second attack followed a couple of days later. The two hacks saw the protocol lose more than $954K.

Slovakian Cryptocurrency Exchange Hacked; $5.4 Million Worth Assets Stolen

by

Hacks and security breaches happen on an almost daily basis. Cryptocurrency exchange hacks, in particular, are even more damaging since space is already seen with hostility across several jurisdictions despite its increasing popularity. While cryptocurrencies such as Bitcoin, Ethereum are themselves secure, it’s the exchanges that fall prey in the hands of malicious actors constantly hunting for vulnerabilities and loopholes.

In the latest development, hackers have managed to compromise a Slovakian cryptocurrency exchange, ‘Eterbase’, and siphoned off with assets worth nearly $5.4 million.

The platform’s official blog post regarding the compromise stated,

“Law enforcement authorities have been informed and we will assist as much as we can in the ongoing investigations. We want to inform our users that we have enough capital to meet all our obligations. At the same time, we want to reassure everyone that this event won’t stop our journey.

Hackers reportedly compromised hot wallets on Monday morning for Bitcoin, Ether, XRP, Tezos, Algorand, and TRON. They then transferred the stolen funds into public wallets of various exchanges that have since been emptied. However, no personal credentials have been stolen.

The exchange further revealed that it has reported the law enforcement for the investigation and assured its clients that necessary steps were being taken to ensure that the amount of their deposit does not suffer any damage as a result of the attack. On its official Telegram channel, Etherebase stated,

“Due to ongoing investigation more details can not be announced currently. Sorry for the inconvenience and please have some patience until we solve the issue.”

The Bratislava-based crypto exchange, which claims to be the first platform fully compliant with European regulations, said that it was under maintenance and after the security audit the operations will resume. It is unclear, at this point, if the exchange will manage to reclaim its user’s funds.

Twitter Hack That Saw Accounts of Gates, Musk, Obama Compromised Finally Has Few Suspects; Main Accused Pleads Not Guilty

by

The cryptocurrency market is no stranger to the controversies over a series of hacks and scams that have dominated the front pages for a long time. Some of the most recent attacks involving cryptocurrencies occurred a few weeks ago when major personalities’ Twitter accounts were hacked to scam people off their bitcoin holdings.

 The hacked Twitter accounts belonged to bigwigs like Barack Obama, Democratic Presidential nominee Joe Biden, Tesla CEO Elon Musk and Microsoft founder Bill Gates. After a massive investigation conducted by law enforcement agencies, a couple of suspects were rounded up in connection with the hack, all of whom have pleaded not guilty. 

One of the main suspects in the case was Graham Clark, a 17-year-old Florida resident who has vehemently plead not guilty in front of the city judge. Clark informed Circuit Court judge Christopher NMash that he was not guilty of the 30 felony charges leveled against him. Graham Clark is set to appear in court again today, where he will appeal to amend his $750,000 bail bond and release clauses. Clark’s lawyer, David Weisbrod is yet to divulge any information on how they will deal with the situation during the next hearing.

The hack took over multiple celebrity accounts and tweeted misinformation claiming that if their follower sent them Bitcoin, they would be doubled and sent back. By the time Twitter caught the rampant attack on the accounts, the hackers had already made off with more than $100,000. Clark was not the only person embroiled in the hack as he was also joined by two other individuals.

Mason Sheppard, a 19-year-old from Bognor Regis, Britain worked under the pseudonym Chaewom and has been charged with multiple counts of wire fraud and money laundering. It is not yet confirmed how Sheppard is related to Clark but investigations have revealed a money trail back to Sheppard. The third accused in the case was Orlando based Nima Fazeli. The 22-year-old goes by the nickname of Rolex and has been charged for being an accessory to the crimes.

Details of the final sentencing and fines will only be given out after the hearings on Wednesday and the coming days. Twitter claimed that the hackers used a method known as ‘social engineering’, which allowed them to access vulnerable information. Sources stated that Clark and his associates convinced Twitter support that they were IT officials who needed customer credentials to conduct routine checks.

Whale Alert Notices Millions Worth of Bitcoin Being Transferred to Unknown Wallets; Assets Linked to 2016 Bitfinex Hack

by

Hacks in the cryptocurrency industry have always taken centre stage, acting as a major hurdle for the field. Incessant scams have also been the reason for the exclusion of mainstream companies in the world of digital assets.

The 2016 Bitfinex hack was one of the most controversial hacks in the history of the industry, resulting in millions of dollars worth of crypto being stolen. After years of there being no trace of the stolen assets, Whale Alert recently detected movement of the massive amounts of Bitcoin in unknown factors. 

Four years back, hackers had made away with $72 million worth of Bitcoin with Bitfinex assuring users that they would be reimbursed. To aid in this process, Bitfinex had actually created a native token called BX, the last of which was bought back in April 2017. Genuine members of the community have been trying to track the stolen assets and finally succeeded this week. 

On June 27, holders on the blockchain noticed that large chunks of Bitcoin were being moved consistently. Whale Alert noticed a total of nine transfers on the Bitcoin blockchain, all of which were related to assets from the Bitfinex hack. The transfers occurred in batches of four transfers followed by another set of five transfers.

The first transfer involved 174.4 BTC worth $1.8 million being moved to an unknown wallet with an address of 3HC1QJpsNjRsqEiD5XWFUr5R4zrhmwZTUR. This was followed by transfers of 86.26 BTC, 183.5 BTC, 87.67 BTC, 473.32 BTC, 448.782 BTC, 476.32 BTC, 320.3 BTC and 299.99 BTC. 

All the aforementioned transactions came on the back of another set of transactions that occurred on June 10. Last month, the Bitcoin blockchain witnessed 20 transactions where the transfer amounts ranged from, $149,000 to $300,000. Authorities are still trying to track down the actual perpetrators of the hack after spotting the recent $27.8 million move. 

Authorities Out to Trace all Links Connected to Bitcoin Wallet Involved in Latest Twitter Hack

by

On Wednesday, Twitter users in the United States woke up to the shocking news that multiple bigwigs had their accounts hacked in one of the biggest social media security breaches in history. The Twitter accounts of personalities like Kanye West, Elon Musk and Bill Gates were hacked with the intention of scamming people of their holdings.

The hacked accounts asked users to deposit capital in Bitcoin to specific wallet addresses with the promise of doubling what they sent. By the time Twitter support realized what was happening, millions of dollars worth of transfers had occurred.

Two days after the attack, investigative authorities were trying to figure out who was behind the attacks and what it could mean for future security protocols. The attack was widespread, attacking not just pop celebrities but politicians such as Joe Biden and Benjamin Netanyahu as well. It can only be left to the imagination what would have happened if the hackers had done something more extreme.

To ensure that the hacker’s trail does not go cold, US blockchain forensics firm Chainalysis stated that a digital wallet used to consolidate the BTC had previous links to other merchant service providers. Maddie Kennedy, the spokesperson for Chainalysis had said:

“They have interacted with service providers that have know-your-customer processes, and law enforcement can work with those service providers to find out who can be behind those accounts.”

Twitter has been working with the Federal Bureau of Investigation [FBI] to uncover the trails of the heist. The main problem that law enforcement has faced is with regarding tracing the Bitcoin wallet. Since Bitcoin is completely decentralized it becomes difficult to track the exact location and owner of the Bitcoin wallet. The only information that is available right now is the Bitcoin wallet address to which some people transferred their capital to.

Tom Robinson, an official of blockchain analysis firm Elliptic admitted that the Bitcoin transfers left very few clues to trace it back to its source. One of the wallets involved even had some active transactions going back some time, making it a key lead.