TronWeekly

Crypto World News

You are here: Home / Archives for Hack

Hack

Solana Hot Wallets Under Siege From An Ongoing Massive Exploit

by

Solana-based wallets have come under a widespread exploit after several users complained that their funds were being drained without their consent. While the exact number of affected wallets is unknown at the time of this post, independent investigators put the amount to be over 7000.

As per reports, the attack mainly targeted internet-connected “hot” wallets including Phantom, Slope, and Trust Wallet. Initial sources put the stolen funds to at least $5 million worth of SOL and other tokens.

According to crypto analyst and author @0xfoobar, the attacker is stealing both native tokens [SOL] and SPL tokens [USDC] and those particular wallets that have been inactive for more than 6 months.

Computer scientist and CEO of Ava Labs Emin Gün Sirer tweeted that the hacker has likely gained illegal access to private keys as the transactions were signed properly.

One expert flagged the attack as a possible nonce reuse bug in some signature library Solana projects. ” …this would allow any attacker looking at Solana to derive the private key regardless of where it was generated”, he added.

Nonce which stands for “number used once” implies that one is not supposed to reuse this number for different messages. Since the nonce used is always the same, a malicious actor can impersonate a trusted party by intercepting and recovering the authentication key.

Solana Price Drop By 10% In Response To The Attack

“We are evaluating the incident impacting Solana wallets and are working closely with other teams in the ecosystem to get to the bottom of this. We will issue an update once we gather more information,” a representative of Phantom said. “The team doesn’t believe this is a Phantom-specific issue at this time.”

The incident has caused SOL’s price to fall back by 10% within a few hours of the reports according to CoinMarketCap.

That said, DeFi protocol code auditor Foobar advised that the solution is to transfer assets into a hardware wallet that has never exposed a private key to potentially vulnerable browser extensions.

“Several have pointed out that transferring assets to a reliable CEX is another holdover strategy if you don’t have a hardware wallet. This is most approachable for less experienced users.”

BAYC Instagram Comes To A Halt After A $1M Exploit: More Details

by

Bored Ape Yacht Club or BAYC came under attack by a malicious actor who stole NFTs worth millions of dollars after compromising the official Instagram account of the acclaimed NFT collection. Sources revealed that hacker/s employed a phishing link that transferred tokens out of users’ crypto wallets.

Disclosing via Twitter in the early hours of 25th April, the platform announced by saying, “The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safe transfer from’ transaction. This transferred their assets to the scammer’s wallet.”

screenshot shared by one Twitter user depicted an OpenSea page of the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all likely stolen from users who connected their wallets after clicking on the phishing link.

Image

As of now, the profile page tied to the hacker’s wallet address was no longer visible on OpenSea. Head of communications at OpenSea Allie Mack confirmed that the hacker’s account had been blacklisted from the platform.

BAYC Hack is more complicated than it seems

Due to the decentralized nature of NFT, the contents of the hacker’s wallet can still be viewed on other platforms like in Rarible, the wallet had 134 NFTs, among them four Bored Apes made by Yuga Labs, the creators of BAYC such as Mutant Apes and Bored Ape Kennel Club.

Still, it remains a mystery how the hacker was able to hijack the project’s Instagram account. As per a statement posted on Twitter, Yuga Labs said that two-factor authentication was active at the time of the attack and that the security of the Instagram account followed best practices.

Yuga Labs also said that the team was actively working to establish contact with affected users.

That said, it is generally advised that holders of NFT should never connect their wallets to an unknown or untrusted third party.

Seeing that the phishing link was sent via the official BAYC social media account, made the victims believe that it was legitimate and thus were tricked into clicking the fraudulent link,

Beanstalk’s $182M Hack Exposes The Risk of Malicious Governance Proposal

by

Beanstalk Farms, an Ethereum-based DeFi protocol suffered major exploitation to the tune of $182 million on 17th April. Blockchain security firm PeckShield was the first to identify the heist and reported that the attacker stole away at least $80 million in crypto, although the losses suffered by the protocol were much larger.

Beanstalk on its Discord server gave a brief outline of the attack that occurred. As per Beanstalk’s analysis, the attacker employed a flash loan on the lending platform Aave to manipulate the smart contract and amass a large amount of Beanstalk’s native governance token, Stalk.

With the voting power granted by these Stalk tokens, the attacker was able to quickly pass a sinister governance proposal siphoning all protocol funds into a private Ethereum wallet.

The attack caused the market for Beanstalk’s BEAN stablecoin to near annihilation. At the time of writing, the token was down by 77% from its $1 peg according to CoinGecko.

Image

In a post-mortem report, Beanstalk’s smart contracts auditor Omnicia said that the protocol experienced a flash-loan attack due to a flaw in its newly introduced Curve LP Silos that compromised the protocol’s governance mechanism.

But stated that the code exploited in the attack “has not been audited” by Omniscia “as it was introduced beyond our initial audits of the system”. Without mentioning whether funds would be reimbursed to users, the platform assured users that more news will be coming in an event scheduled for Sunday.

In a bizarre twist, Peckshield noted that the hacker appeared to donate $250,000 of the stolen funds to a Ukrainian relief wallet.

Beanstalk’s attack is the second nine-figure DeFi exploit in a month

The incident is the latest in a string of major decentralized finance [DeFi] exploits to occur in the past few weeks. Last month, Axie Infinity’s Ronin Blockchain was exploited for $625 million in an attack that U.S. officials found to have North Korea links.

In a previous coverage by TronWeekly, DeFi derivatives platform Deus Finance suffered an attack leading to the loss of over $3 million.  Attackers employed flash loans to artificially modify the prices on Deus’ offerings.

Inverse Finance Loses Over $15M In Oracle Manipulation

by

Ethereum based DeFi protocol Inverse Finance [INV] revealed that an anonymous attacker has stolen $15.6 million worth of cryptocurrency. Detailing the incident, Blockchain security firm PeckShield, noted that the attacker exploited a vulnerability in a Keep3r price oracle which Inverse uses to track token prices.

Through a series of tweets, Peckshield experts summarised that the attacker manipulated the oracle into believing that the price of Inverse Finance’s INV token was unusually high, and then extracted multi-million-dollar loans on Anchor using the inflated INV token as collateral.

Drilling deeper, researchers at Peckshield observed that the attacker first withdrew 901 ETH [about $3 million] from Tornado Cash, cleverly removing any trail of its activity. The hacker then used DEXs such as SushiSwap to transfer the stolen assets which resulted in a sharp increase in the price of INV, thus tricking the Keep3r price oracle.

Inverse Finance’s “High Risk” Attack

Using the manipulated price of INV, the malicious actor then took out INV-backed loans on money market Anchor before arbitrageurs brought the price of INV back to normal levels. A representative from PeckShield called the attack a high risk due to the usage of $3 million worth of crypto to deceive the price oracle.

The attacker managed to remove 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA. Although its difficult to track where the funds will end up, Peckshield noted that 73.5 ETH [about $250,000) still remains in the attacker’s original Ethereum wallet.

Image

Conceived in 2020, Inverse Finance is a suite of permissionless decentralized Finance [DeFi] tools that are said to be governed by Inverse DAO which is a decentralized autonomous organization running on the popular Ethereum blockchain.

Some of its major products include Anchor and DOLA. Anchor is nothing but a synthetic asset and a money market protocol that helps in facilitating capital-efficient lending and borrowing.

Inverse released a statement saying that it has temporarily halted all borrowing activities on Anchor, and is working with Chainlink to build a new INV oracle. The DeFi lender also announced that it plans to make a proposal to its decentralized autonomous organization [DAO] to “ensure all wallets impacted by the price manipulation are repaid 100%,” without providing any further details.

Deus Finance loses over $3M worth of cryptos in flash loan hack

by

DeFi derivatives platform Deus Finance suffered an attack leading to the loss of over $3 million worth of cryptocurrencies including 200,000 DAI and 1101.8 ETH tokens. This was revealed by security firm PeckShield while adding that the total losses could be much higher.

Researchers at PeckShield released a series of tweets sharing the details of the exploit. In it, the firm said the attack on Deus Finance occurred on its Fantom network iteration. Attackers employed flash loans to artificially modify the prices on Deus’ offerings.

“Hackers used flash loans to manipulate the contract that determined the price of DEI – one of the two tokens issued by Deus Finance – to falsely show that DEI had collapsed. This led to a loss of all funds of the users supplying liquidity to the DEI/USDC pool,” the firm tweeted.

Further, PeckShield cited Blockchain data showing more than 3 million USDC tokens were stolen from Deus Finance which was exchanged for 200k DAI and 1,101.8 ether [ETH] through decentralized exchange Multichain. The exploited funds were then washed using the crypto mixing tool Tornado, which hides the addresses of the hacker and makes it difficult to trace stolen assets back to their perpetrator.

Deus finance token DEUS plunged by 40%

The hack send prices of Deus’ native DEUS token on a downward spiral, plummeting nearly 40% after reports of the event began to circulate but seemed to recover at the time of writing.

Following the incident, Deus finance confirmed the attack via Twitter announcing that it has shut down affected smart contracts and assured the community that its developers were working on publishing a summary report. Adding that all information will be communicated once the full situation is thoroughly analyzed.

Flash loan attacks are a common threat and enable hackers to steal massive amounts of cryptocurrency with a low risk of exposure. Some of the largest and most expensive flash loan attacks to date include PancakeBunny. In May 2021, a bug in the price calculations for the BUNNY token was hacked allowing the attacker to steal $45 million from the protocol.

A few months prior, the Alpha Finance project was exploited for about $37.5 million in tokens using a malicious contract that the Alpha Homora code was tricked into believing was an internal contract.

Multichain reimburse $2.6M of the stolen assets; proposes a Security Fund

by

Web3 cross-chain router Multichain formerly Anyswap announced that it has recovered roughly $2.6 million which is 50% of the lost funds from the recent liquidity pool and router contract exploits first identified on Jan 10, 2022. Following the attack, Multichain ask users to withdraw approvals for the vulnerable smart contracts.

Unfortunately, the warning led to more attacks, with estimated losses above $3 million. Multichain was able to fix the vulnerability of the liquidity pool by upgrading the tokens’ liquidity to new contracts, stating,

“However, the risk remains for the users who have yet to revoke approvals for the affected router contracts. Notably, users themselves have to be the ones to revoke the approvals.”

As per the blog post, out of a total of 7,962 user addresses, 4861 addresses have revoked their approvals, while 3101 have not. The team initiated a compensation plan to restore user funds which expired on Feb. 18, 2022.

The blog went on to add that to qualify for a reimbursement, users had to revoke their approvals and submit a support ticket. Multichain said they would continue trying to recover the lost funds and reimburse users after Feb. 18, 2022, minus the miner fee.

Blockchain security firm Dedaub alerted Multichain about two soft spots in its liquidity pool and router contracts, which affected Wrapped ETH [WETH], Wrapped BNB [WBNB], Polygon [MATIC], and Avalanche [AVAX]. Almost 913 WETH and 125 AVAX were recovered. Over 976.8628 WETH is still unaccounted for.

Stablecoin issuer Tether too stepped in by freezing an Ethereum address holding over $715,000 worth of USDT, according to data from block explorer site Etherscan. Earlier in Feb. 2022, a DeFi infrastructure provider Meter had suffered a bridge vulnerability that saw large amounts of BNB and WETH minted, depleting bridge reserves.

Multichain future action

The team through the post assured that relevant measures have been put in place to avoid such future vulnerabilities. There would be increased rounds of security audits on contracts and cross-chain bridges to be conducted.

The cross-chain platform is also proposing a Security Fund subject to vote via governance tokens. The fund would be utilized to implement rescue schemes for digital assets lost caused by Multichain’s own infrastructure. Multichain decided to award Dedaub with $1M for each vulnerability identified and disclosed as part of their maximum bug bounty payment. 

Bitmart hacked; Estimated loss of $200M

by

Crypto exchange firm Bitmart suffered a large-scale hack incurring a total loss of approximately $200 million. The news was first brought to the attention by security analytics entity Pecksheild Inc who raised an alarm of the reported breach on Saturday night. Pechsheild sent out the tweet detailing the suspicious amount of outflows of a range of tokens that are valued at tens of millions of dollars, to an address called ‘Bitmart Hacker’.

Further, Peckshield researchers estimated the losses to be around $100 million in various cryptocurrencies on the Ethereum Blockchain, and $96 million on the Binance Smart Chain. The stolen funds have been siphoned off from a hot wallet using decentralized exchange aggregator 1inch to swap the assets and deposit into harder-to-trace privacy solution Tornado Cash. Initially Bitmart representatives refuted the news, terming the reports as ‘fake’ and claimed that the outflows were just routine withdrawals.

However, later founder and CEO Sheldon Xia admitted the incident to be a ‘large-scale security breach‘ in his official Twitter handle and stated,

We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets. At this moment we are still concluding the possible methods used. The hackers were able to withdraw assets of the value of approximately USD 150 million.

In a series of tweets, the Exec assured that the trading platform would be conducting a thorough security check and that all withdrawals would be temporarily paused until “further notice.” 

Recent Hack in Badger DAO

The crypto ecosytem has been a target of a never ending onslaught of malicious attackers and rug pulls. On December 2, 2021 the latest to come under attack was decentralized finance [DeFi] protocol, Badger DAO. The platform was under a cyber attack that led to a loss of around $120 million. Confirming the exploit, the Badger DAO team later acknowledged that all smart contracts on its platform have been suspended in an effort to stop any further potential malicious withdrawals.

Last November, liquidity platform MonoX finance too was reportedly drained $31 million worth of asset. Despite receiving two separate audits, the vulnerabilities in MonoX’s smart contracts were not identified.

Binance Smart Chain believes hackers are specifically targeting it following back-to-back DeFi exploits.

by

Binance Smart Chain believes hackers are specifically targeting it following back-to-back DeFi exploits.

Several defi protocols built on top of Binance Smart Chain [BSC] decentralized finance ecosystem have suffered one after another hacks and exploits in a short period of time that has stemmed especially this past month. The platform believes that the recent flash loan hacks were orchestrated against BSC specifically.

The platform said on the 30th of May,

“There are >8 flashloan hacks recently, we believe, an well organized hackers are targeting Binance Smart Chain now. It is very challenging time for the BSC community.”

In a series of tweets, Binance Smart Chain also went on to urge the team behind the decentralized applications [DApps] to work with their audit companies to do another health check.

It also asked the cloned and forked defi projects, to “double and triple check” the changes from the original version and employ necessary risk control measures to actively identify any peculiar activities in a real-time manner and halt the protocol if any such strange activity indeed occurs.

Binance Smart Chain’s Rise to Fame

Since its inception last September, BSC saw tremendous success. The activity on Binance Chain’s parallel blockchain has dramatically soared as it continued to make headlines as one of the more viable rivals to the Ethereum network which was riddled with scalability issues.

However, as BSC rose to popularity, so are the bad actors that have breached various protocols and managed to siphon off with billions in crypto.

Binance had recently stated that it was not responsible for exploits on BSC protocols. Samy Karim, who happens to be the coordinator of business and ecosystem development at the cryptocurrency exchange, had earlier stated that Binance Smart Chain is a public permissionless infrastructure that enables anyone to deploy. He went on to add,

“You have malicious actors there and hacks, and exploits in defi are not new and definitely not unique to BSC.”

In another related news, BSC had added the blockchain analytics and cryptocurrency intelligence company, CipherTrace for the purpose of tracking illicit transactions.

DeFi Platform Pickle Finance Suffers Massive Hack; $20 Million Removed From Contract

by

The rising popularity of Decentralized Finance [DeFi] is not only attracting investors but is also attracting a lot of attention from hackers and online thieves. In the most recent case, Pickle Finance’s DeFi protocol has been the latest victim of what appears to be an exploit of an astounding $20 million.

As revealed by the user under the pseudonym “statelayer.eth.”, Pickle Finance deployed a new strategy in a bid to maximize returns from the stablecoin DAI. This was claimed to have been posted by a team member for Pickle on a Discord chat. It is important to note that the DeFi platform essentially moves investors’ money around different protocols to maximize returns.

However, many users noticed that Pickle Finance’s yield-bearing vault which it calls cDAI jar had been emptied as someone allegedly drained $19.7 million in the stablecoin from that wallet. The attackers in question reportedly swapped the funds between his “evil jar” and the real cDAI jar, making off with the stolen funds in deposits.

Pickle Finance’s breach is the 13th largest hacking attack on decentralized finance platforms revealed so far in 2020. Several DeFi protocols have been the victims of flash loan-based oracle attacks, while the most attacked platform was bZx Protocol, the project with the biggest loss was Harvest. Additionally, Maker also lost funds worth $ 8.3 million for the attack in March this year.

This month itself, three cases of flash loan attacks were observed. Acropolis lost $2 million, which it has not yet recovered. Just two days later, Value protocol was drained off a $ 7.4 million in an attack. This was followed by Origin Protocol’s yield-generating stablecoin protocol attacked and drained by nearly $7 million.

But unlike the prior flash loan attacks that have plagued the DeFi realm over the past couple of months, Pickle Finance’s hackers basically leveraged a bug related to Pickle’s Swap Jar functionality, which allowed yield farming strategies to be swapped. According to experts, there was no check to determine that the Jar the funds were being swapped into was not malicious.

DeFi Protocol Harvest Finance Takes Full Responsibility of Economic Attack

by

Decentralized finance [DeFi] Harvest Finance suffered a $24 million economic attack on October 26. A day later, the platform published its post-mortem report, in which it took full responsibility for the engineering error and ensured that such incidents would be mitigated in the future.

Following the breach, Harvest Finance reportedly withdrew all the funds from the shared pools which included DAI, USDC, USDT, TUSD as well as WBTC and renBTC.  The report further claimed that the funds were currently present in the vaults and cannot suffer from further market manipulation while notifying that the attack did not involve DAI, TUSD, WBTC, and renBTC, and the depositors in these vaults were not affected.

According to Harvest Finance, the share price of the USDC and USDT vault decreased from 0.980007 to 0.834953, and 0.978874 to 0.844812, respectively. Nearly $33.8 million value was lost during the entire episode which corresponded to roughly 3.2% of the total value locked in the protocol at the time before the attack.

As possible remediation techniques, Harvest Finance is planning to implement a commit-and-reveal mechanism for deposits which would remove the ability to perform deposits and withdrawals within a single transaction. This, in turn, would make flash-loan-based attacks infeasible.

The company was also planning to deploy a stricter configuration of the existing deposit arb check in the strategies. Since the current threshold, which was set to 3%, was not sufficient to protect the vault against tye economic attack, Harvest Finance opined that a stricter threshold could make such an attack “economically infeasible”.

Some of the other steps include withdrawals in an underlying asset to prevent the attacking entity from generating a profit and using oracles for determining asset price. Besides, it asserted that additional remediation methods will be analyzed and voted on in governance in the coming days.

The DeFi platform had previously stated that there was a “significant amount of personally identifiable information on the attacker”, and that the attacker was “well-known” in the crypto community. Harvest Finance concluded,

“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety.”