TronWeekly


Hacks

Cross-Chain Bridge Nomad Loses $200M In One Of The Most “Chaotic” Hacks

August 2, 2022 by Lipika Deka

Nomad, a cross-chain token bridge, was exploited for nearly $200 million, draining most of its assets. Acknowledging the incident, the Nomad team released a statement that it is working to identify the accounts involved and to trace and recover the funds.

According to DefiLlama, over $190 million in crypto has been emptied from the protocol, leaving only $651.5 in the wallet.

Online sleuths pin the blame on the platform’s flawed smart contracts. One such expert, a researcher at crypto investment firm Paradigm, detailed how a recent update to one of Nomad’s smart contracts made it an easy target for exploiters to spoof transactions.

“Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all”, he said. Calling the attack one of the most chaotic in the history of web3, samczsun continued,

“You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”

Echoing similar views, one of Nomad’s newer clients, Evmos, posted,

“A vulnerability in the bridge contract allowed it to accept arbitrary root hashes, allowing several entities to withdraw large amounts of assets. Currently, Nomad is paused, so users cannot withdraw their ERC20 wrapped assets from Evmos back to Ethereum.”

The platform further tweeted that it would be “brainstorming community solutions” given that it “significantly impacts initial Evmos [total value locked].”

Unlike other bridge attacks, where a single culprit is responsible for the entire exploit, the Nomad attack was an open loot.

Crypto Sleuths Termed Nomad Attack As A “Decentralized Robbery”

In what’s being called a “decentralized robbery”, the vulnerability in Nomad’s code allowed many to steal money they didn’t own just by copying and pasting a script.

According to reports, some exploited the smart contract with public wallet addresses that are designed to be traceable. Many returned the funds. Others claimed to be acting in good faith and sent back the funds while pledging to protect the smart contract.

Nomad allows users to send and receive tokens between different blockchains. The latest incident has cast serious doubt on the security of cross-chain bridges.

Filed Under: News Tagged With: cross-chain, DeFi, Hacks, Nomad

Multiple DeFi platforms succumb to a $90M Exploit

May 1, 2022 by Lipika Deka

Not one or two but three DeFi platforms, Rari Capital, Fei Protocol, and Saddle Finance, came under a massive onslaught that drained roughly $90 million worth of crypto assets. Data provided by white hat hackers BlockSec showed that multiple pools related to these platforms were targeted.

Out of the three, Rari Capital and Fei Protocol suffered a combined loss of more than $80 million due to a typical reentrancy vulnerability, BlockSec shared via tweet.

According to experts, a reentrancy attack occurs when the execution of a smart contract function is interrupted partway through and the function is entered again from the start before the first call has finished, hence the term re-entered.

A good example of such an attack was the DAO hack in June 2016, where over $60 million in Ethereum was stolen.


That said, Fei Protocol also confirmed the attack by saying that they are aware of the exploit on multiple Rari Fuse pools. For the time being, they have suspended all borrowing operations to prevent further exploitation of funds.

The author of the tweet has offered to let the hacker keep $10 million from the stolen crypto as a bounty and return the rest of the funds, which belong to their users.

If that wasn’t enough, the crypto community was woken up by another DeFi attack.

DeFi trio hacks- the latest update

Blockchain security firm Peckshield reported that automated market maker Saddle Finance was exploited in a flash loan attack, resulting in a loss of about $10 million for the protocol.

The hack was made possible due to the wrong MetaSwapUtils lib which was used for calculating the swap, it tweeted.

It also highlighted that the stolen funds from the 2017 @ParityTech Wallet Multisig hack were on the move as well.

Saddle responded by stating that the team is investigating the exploit and is pausing pool metapools withdrawals before adding that $3.8 million has been recovered.

Single-asset withdrawals are currently restricted, but balanced pool withdrawals are always possible. White hat hackers BlockSec Team were able to secure $3.8m. The team is in contact with them to return the funds.

The $90 million exploits on the trio platforms come exactly one month after the record-breaking $615 million Axie Infinity Hack carried out by the North Korean state-sponsored Lazarus group.

Filed Under: DeFi, Cyber Security, News Tagged With: DeFi, Hacks, White hat hacker

Another crypto hack; Synapse Protocol exploited, $8 million funds at risk

November 8, 2021 by Parth Dubey

Synapse Protocol, known for its native token, the SYN token, is an automated market maker or simply AMM known for its trustless cross-chain bridge. Recently, according to the tweet by well-known Chinese crypto journalist Colin Wu, the “Synapse Protocol was exploited and lost approximately US$8 million.”

Synapse Protocol was exploited and lost approximately US$8 million. https://t.co/yEYOK7MQxL

— Wu Blockchain (@WuBlockchain) November 7, 2021

Synapse was introduced in the crypto space as the platform that would eradicate the need for a centralized exchange in the DeFi industry, allowing the users to become their own banks. However, it seems that the recent hack proves otherwise.

According to the Twitter account by the username “ricosoon”, the Chinese journalist made a mistake in reporting the exploit. It seems that the Synapse $8 million were not lost as the bridge is on hold. The bridges are the center of the Protocol and are responsible for the swapping of tokens.

More info: looks like attacker managed to manipulate price of nUSD and made around 8M USD profit from it.. although his funds are still stuck on bridge (as bridge is paused) but not sure if they can stop his withdraw once unpaused

— Mempooler (@ricosoon) November 7, 2021

Synapse bridges intact

According to “Ricosoon,” the problem wasn’t with the bridge or the bridge contracts but with the implementation of the AMM contracts “that a few different stableswaps used, forked from the Saddle.”

According to the statement by the developers on their Discord channel, the hacker tried to move the funds by converting them into USDC while the validators were not online. Upon this issue being noticed, the AMM contracts were all put to rest so that the vulnerability didn’t spread.

Furthermore, the Protocol notified Saddle, who also closed their bridges. As a result, “the validators, by consensus are now electing not to process this transaction as it was malicious against LPs and the network as a whole:~$8 million nUSD will therefore not be minted to the attackers’ address on the destination chain.”

It seems that the Synapse developers are now in control of the situation as they are working to re-deploy the pools ‘to an older, less-complex version’ of the bridge contracts, re-enabling liquidity, buying time to solve the issue, and restart the original bridges.

Such an increasing number of exploits in the blockchain industry is currently being reviewed by many protocols. The Polygon network was recently exploited by an arbitrary bot, turning 14 ETH into 218.5 ETH. Similar hacks also happened on the ThorChain network.

Filed Under: News, Crypto Scam, Cyber Security Tagged With: Crypto hacks, Hacks

Cream Finance succumbs to third hack with a loss of $130M

October 28, 2021 by Parth Dubey

The decentralized finance (DeFi) lending and borrowing protocol Cream Finance once again suffered a hack that led to a loss of $130 million. The DeFi protocol operates on the Ethereum network but has been facing a series of hacks and the latest one happened to be the third attack.

The blockchain security and data analytics company PeckShield Inc. identified the attack as a flash loan, resulting in the theft of mostly Cream tokens, CREAM.

Cream Finance witnessed two more attacks in the past. In February, a flash loan hack caused a loss of $37.5 million, which brought the price of CREAM down by 30% within an hour after the attack. The story continued to August when Cream Finance was exploited again, with hackers making over 418 million in Flexa Network’s native token AMP and around 1,300 Ethereum (ETH).

The latest hack caused the price of CREAM to crash by around 35% in less than two days. CREAM is currently trading at $102.10.


Cream Finance joins streak of DeFi attacks

Despite being hit several times by hackers, Cream Finance is not the biggest or only DeFi protocol facing a loss. 

As TronWeekly reported, Poly Network, the famous interoperability DeFi protocol, also suffered from a similar attack leading to a loss of over $600 million worth of funds in August. Unfortunately, this was deemed the biggest DeFi hack in the history of the crypto world.

These recurring hacks are prompting calls for closer attention to consumer protection in the DeFi industry. Gary Gensler, the chair of the U.S. Securities and Exchange Commission (SEC), while talking at the Yahoo Finance All Markets Summit, said that the DeFi space requires robust consumer protection strategies for healthy survival.

“There’s a lot of lending going on. There’s a lot of trading going on. And without protection, I fear that it’s going to end poorly.”

Gary Gensler, SEC chair

Gensler has always been very particular about user protection in the crypto world. He recently called out unregulated crypto markets and previously termed DeFi a “misnomer.”

Filed Under: News, DeFi Tagged With: DeFi news, Hacks

Cryptocurrency Exchange Bilaxy Suffers Fund Losses as Hackers Attack Hot Wallet

August 31, 2021 by Akash Anand

On Monday, the digital asset world woke up to the news of cryptocurrency exchange Bilaxy being hacked. Sources close to the exchange revealed that the hacker stole the funds by exploiting a bug in Bilaxy’s ERC-20 hot wallet. The exchange announced the details of the hack via a Telegram post early Monday morning.

During the hack, the perpetrator transferred 295 different ERC-20 tokens, with the most recent transaction involving 50 ETH tokens. The address to which the funds were sent held a total of 177.98 ETH, or approximately $570,000. According to Bilaxy’s releases, the exchange suspended all activities to ensure the protection of the remaining funds.

The exchange contacted the affected users to inform them about their stolen funds with steps to recover them in the future. Bilaxy further assured its members that the unaffected funds were all moved to the cold wallet for safekeeping. In their official post, Bilaxy said:

“Bilaxy suffered heavy losses in this hacking incident and the problem has not been determined now, which will take lots of work and time to resume Bilaxy services. It may at least take 2 weeks to investigate the hack thoroughly and rebuild system architecture to secure the system and assets. We hope that users will have the necessary psychological preparation for it.”

The attack on Bilaxy comes a few weeks after the $100 million sting on Liquid. Fortunately, the exchange was able to recover the funds and transfer them back to the legal holders. Crypto fans kept their fingers crossed, hoping that is the case with Bilaxy too. Bilaxy also contacted CoinMarketCap, CoinGecko, and Etherscan to put out notifications about the hack. As investigations into the funds progress, the company revealed that all the details have been divulged to the proper authorities.

Filed Under: News, Crypto Scam Tagged With: Bilaxy, Cryptocurrency Exchange, Hacks

$3.6B in Bitcoin disappears with South African crypto exchange owners after “hack”

June 25, 2021 by Chayanika Deka

Cryptocurrency investors of South African exchange AfriCrypt have reportedly lost $3.6 billion in Bitcoin after what was first reported to be a hack. However, along with the funds, the two founders of the crypto firm, who also happen to be brothers, have vanished and there is no trace of them yet.

This is another major incident after last year’s fall of another South African Bitcoin trader, called Mirror Trading International. The platform had suffered losses of 23,000 digital coins, that summed up to approximately a whopping $1.2 billion. Hence, it went on to become the largest hack of 2020. If the funds are not recovered, the Africrypt investors are at a risk of losing three times as much.

Biggest Bitcoin Hack?

It all started in April this year when Bitcoin was rallying to record-breaking numbers. Hence, the disappearance of nearly 69,000 Bitcoin could turn out to be the biggest-ever dollar loss in a cryptocurrency heist.

Africrypt Chief Operating Officer and the elder brother Ameer Cajee notified clients that the firm suffered a hack. However, he advised them to not report the incident to lawyers and authorities, as it could impede the recovery process of the missing funds. This message was sent on the 13th of April at a time when the crypto exchange raked in around $3.6 billion in Bitcoin.

However, not all of the investors complied with this request. Some of those involved with the exchange went on to engage a law firm, Hanekom Attorneys. Additionally, a few also initiated liquidation proceedings against Africrypt. After the Cape Town-based law firm failed to trace the two brothers, it alerted the South African police force, Hawks. Furthermore, it notified other cryptocurrency exchanges across the world in case the brothers attempted to convert the coins to fiat.

However, the investigations also revealed that Africrypt’s pooled funds were moved from its South African accounts and client wallets. To top that, the digital coins were put through tumblers and mixers to essentially make them untraceable. The law firm was quoted saying,

“Africrypt employees lost access to the back-end platforms seven days before the alleged hack”

Filed Under: Bitcoin News, News Tagged With: Bitcoin (BTC), Hacks, Scam, South Africa

Another Binance Smart Chain-based DeFi Platform Loses Millions In Exploit

May 31, 2021 by Chayanika Deka

There is no respite for decentralized finance-based platforms on top of Binance Smart Chain [BSC]. This time, it was the AMM protocol called Belt Finance that suffered a loss of millions after software exploitation.

According to Belt Finance, a flash loan attack was initiated on the Binance Smart Chain’s 4Belt [USDT/USDC/BUSD/DAI] pool. The hacker reportedly created a smart contract that used popular decentralized exchange PancakeSwap for the purpose of flash loans and exploited its beltBUSD pool. The malicious entity, however, did not stop there and proceeded to attack its underlying strategy protocols as well as executed the contract 8 times to rake in a total profit of 6,234,753 BUSD.

The Binance Smart Chain-based defi protocol also revealed that beltBUSD vault users endured a loss of 21.36% of funds, while 4Belt pool users sustained a loss of more than 6% of funds. Other pools/vaults were not affected. Soon after detecting the attack, the defi platform paused withdrawals and deposits in a bid to prevent more losses. It added,

“While we are aware that this may cause our users inconvenience, it was done to prevent the same exploit from attacking our other vaults/pools. All other pools/vaults and all funds remain unaffected and safe from this attack, and we have now patched the attack vector that allowed this exploit of 4Belt and beltBUSD.”

Belt Finance also revealed that the team was devising a compensation plan that will be released within the next 48 hours.

The Rekt Blog, which analyses DeFi exploits, explained that the $6.3 million was lost in a total of eight transactions.

Binance Smart Chain Weighs In

The bloodbath for the BSC does not seem to stop anytime soon. In just nine months, the network’s rise to prominence has attracted many platforms. However, several of these defi protocols operating on top of Binance Smart Chain’s decentralized finance ecosystem have suffered back-to-back hacks and exploits in a short period of time.

Binance Smart Chain had recently stated that the “well-organized hackers” behind the flash loan attacks and security breaches were targeting the platform specifically.

Filed Under: DeFi, News Tagged With: binance smart chain, BSC, DeFi, Hacks

DeFi Options Platform FinNexus Exploited; FNX Token Crashes By 90%

May 18, 2021 by Chayanika Deka

DeFi hacks and rug pulls have become common by the day.

FinNexus, a decentralised finance [DeFi] options platform, was the most recent victim of a malicious entity’s exploit. While FinNexus has yet to publish a post-mortem report, the firm has cautioned users to withdraw their funds from the pools. Its tweet regarding the same read,

“We regret to inform our traders and investors that the FinNexus erc20 contract appears to have been hacked. For safety reasons please withdraw your funds from the pools. The team is working on this issue and we will provide updates as they become available.”

The platform’s claim that the event was a smart contract hack was rebuffed by popular DeFi analyst and researcher Chris Blec, who speculated that this is either a case of a stolen admin key or of the key being used maliciously by a team member.

What exactly happened with the DeFi Platform?

After digging deeper, another DeFi research analyst Igor Igamberdiev observed that FinNexus [FNX] contract deployer changed the token owner to some address on both Ethereum [ETH] as well as Binance Smart Chain [BSC] network. This address reportedly minted 323 million FNX [which was worth around $6M] on Ethereum and 60 million FNX [approximately $1.6 million] on Binance Smart Chain.

Following the minting, the attacker started dumping coins. In total, the decentralized options platform incurred a loss of $7.6 million.


The community was left wondering whether this was a case of a rug pull or a stolen private key, and FinNexus is yet to provide a conclusive report on the same.

FNX Crashes


Following the exploit, the DeFi platform’s native token, FNX, crashed by more than 90% in the last 24 hours. Before the exploit, it was trading above $0.3; however, its price went on a downward spiral to a new low of $0.062 at press time. The crash could be attributed to the fact that a major portion of FinNexus’ token collateral was liquidated during the attack.

Filed Under: DeFi, News Tagged With: DeFi news, Hacks, rug pull, Smart Contracts

DeFi Protocol Rari Capital Loses ~$10M In High Profile Exploit

May 9, 2021 by Chayanika Deka

Decentralized finance [DeFi] protocol Rari Capital was exploited on Saturday after an attacker siphoned off nearly 2600 ETH, or approximately $10 million.

In a post-mortem report, the Co-Founder of Rari Capital, David Lucid revealed that the funds were extracted from the protocol’s Ethereum Pool before the malicious entity was stopped when the contracts were halted. The net loss equated to 60% of all users’ funds in the said Ethereum Pool.

Funds are SAFE on #AlphaHomora.

We are notified that @RariCapital has suffered from an exploit that was due to the incorrect assumption when using HomoraBank contract, as they were setting up an ibETH pool on their platform.#Alpha team is here to help.

— Alpha Venture DAO (Previously Alpha Finance Lab) (@AlphaVentureDAO) May 8, 2021

What exactly unfolded at Rari Capital’s ETH Pool?

The Rari Capital Ethereum Pool deposits ETH into Alpha Finance’s ibETH token as one of the DeFi platform’s yield-generating strategies. This strategy tracks the value of its ibETH as ibETH.totalETH() / ibETH.totalSupply(). The exploit was related to this ibETH vault, inside which the attacker reportedly executed a few steps repeatedly. The following steps were carried out in a loop:

  1. An Ether [ETH] flash loan was taken from the non-custodial decentralized exchange dYdX.
  2. Ether [ETH] was deposited into the Rari Capital Ethereum Pool.
  3. The value was manipulated by inflating it artificially high.
  4. More Ether [ETH] was withdrawn from the platform’s Ethereum Pool than the attacker deposited because its balances were artificially inflated.
  5. At the end of ibETH.work, the value of ibETH.totalETH() returned to its true value, which left the Rari Capital Ethereum Pool’s balances lower than they were prior to the exploit. The malicious entity ended up withdrawing a lot more than it deposited since the balance was artificially pumped.

The Rari Capital contributors were unable to understand that ibETH.totalETH() could be manipulated for the duration of these external calls from ibETH.work. Furthermore, the exploited code was reportedly audited by blockchain security platform, Quantstamp.
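The accounting failure described above can be reproduced in a few lines. The following is an added example, not code from Rari Capital, Alpha Finance or the original article: a simplified Python model of a pool that prices its tokens from ibETH.totalETH() / ibETH.totalSupply() while that value is transiently inflated, next to the same pool with a price-jump check. All class names, balances and the 1% tolerance are assumptions chosen for illustration.

```python
from fractions import Fraction


class PriceGuardError(Exception):
    """Raised when the vault price moved more than the pool tolerates."""


class IbEthVault:
    """Constructed stand-in for the external ibETH vault."""

    def __init__(self, total_eth, total_supply):
        self.total_eth = Fraction(total_eth)
        self.total_supply = Fraction(total_supply)

    def share_price(self):
        # Formula quoted in the article: totalETH() / totalSupply()
        return self.total_eth / self.total_supply

    def work(self, transient_eth, callback):
        # Models an operation that runs external code while total_eth is
        # temporarily off its true value, then restores it on exit.
        self.total_eth += transient_eth
        try:
            return callback()
        finally:
            self.total_eth -= transient_eth


class Pool:
    """Pool holding idle ETH plus ibETH; max_move=None is the unguarded form."""

    def __init__(self, vault, idle_eth, ib_shares, token_supply, max_move=None):
        self.vault = vault
        self.idle_eth = Fraction(idle_eth)
        self.ib_shares = Fraction(ib_shares)
        self.token_supply = Fraction(token_supply)
        self.max_move = max_move              # assumed tolerance, e.g. 1/100
        self.last_price = vault.share_price()

    def _checked_share_price(self):
        price = self.vault.share_price()
        if self.max_move is not None:
            # Hypothetical mitigation: refuse to value the pool on a price
            # that jumped beyond the tolerance since the last accepted read.
            if abs(price - self.last_price) > self.max_move * self.last_price:
                raise PriceGuardError(f"ibETH price {price}, last accepted {self.last_price}")
            self.last_price = price
        return price

    def token_price(self):
        value = self.idle_eth + self.ib_shares * self._checked_share_price()
        return value / self.token_supply

    def deposit(self, eth):
        minted = Fraction(eth) / self.token_price()
        self.idle_eth += eth
        self.token_supply += minted
        return minted

    def withdraw(self, tokens):
        payout = tokens * self.token_price()  # raises before any state change
        self.idle_eth -= payout
        self.token_supply -= tokens
        return payout


def run_scenario(max_move=None):
    """Deposit 100 ETH, then withdraw while the vault value is inflated."""
    vault = IbEthVault(total_eth=10_000, total_supply=10_000)
    pool = Pool(vault, idle_eth=400, ib_shares=600, token_supply=1000, max_move=max_move)
    tokens = pool.deposit(100)
    try:
        payout = vault.work(5_000, lambda: pool.withdraw(tokens))
    except PriceGuardError:
        payout = None                         # guarded pool rejected the withdrawal
    return payout, pool.token_price()         # price left for remaining holders


if __name__ == "__main__":
    print("unguarded:", run_scenario())
    print("guarded:  ", run_scenario(Fraction(1, 100)))
```

In the unguarded run the 100 ETH deposit is paid back as more than 127 ETH and the remaining holders' token price falls below 1. A fixed tolerance also blocks legitimate large price moves, so a deployment would need a recovery path for that case.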

While discussing a few steps to mitigate the risk of future attacks, Lucid stated,

“Of course, we hope to enlist more top auditing firms other than Quantstamp and Omniscia. We already have another audit planned with OpenZeppelin.”


The native token behind the DeFi protocol, the Rari Governance Token [RGT], crashed by more than 20% following the exploit. It was exchanging hands at $13.86 after the drop. It also negated its weekly gains by 5.96%.

Filed Under: DeFi, News Tagged With: DeFi, Hacks, Rari Capital

Cryptocurrency Criminals Still Attempting to Ditch ETH from 2019 Hack

May 15, 2020 by Arnold Kirimi

Back in November last year, South Korea-based digital currency exchange platform Upbit was attacked, resulting in the loss of 342,000 ETH coins, worth $50 million, from the platform’s hot wallet. Efforts have been made since then to reclaim the lost Ethereum; however, some still remains with the crypto hackers.

Back then, it was the biggest cryptocurrency hack in a while, making headlines on mainstream media outlets. According to reports from blockchain analysis firms, the crypto hackers are moving the stolen ETH between exchange platforms, in an attempt to get cash or any other digital currency.

Upbit crypto hackers attempting to cash in on stolen Ethereum

According to crypto transaction tracking firm Whale Alert, a substantial chunk of the Ethereum stolen from the Korean exchange has been deposited to a little-known exchange called BYEX. The specific amount of ETH deposited on the exchange was not disclosed; however, the involved account has recorded a string of $25,000 transactions over the last few weeks.

Hackers transferring cryptocurrencies to exchange platforms means only one thing: they are trying to cash out their stolen crypto, or convert it into other assets to cover their trail. In either case, it means that ETH will see some selling pressure soon due to the sale of the stolen ETH. This can be prevented if the owners of the Upbit ETH intervene.

CZ vows to freeze any stolen crypto on Binance exchange

For example, Binance CEO Changpeng “CZ” Zhao vowed to work closely with Upbit and other players in the industry to ensure stolen crypto that finds its way to the Binance exchange platform is frozen instantly. If exchanges freeze the accounts of the crypto hackers, it prevents the stolen ETH from being sold, relieving some of the immediate selling pressure from the seller.

Currently, there seems to be sufficient demand for crypto, in the market; with the risk of stolen ETH finding its way to the market. In fact, Grayscale Investments has bought almost 756,540 ETH coins this year, which represents about 40 percent of all crypto mined in 2020 so far. On the other hand, long-term Ethereum positions have reached an all-time high, showing the optimism of investors in the altcoin.

Filed Under: Crypto Scam Tagged With: Binance CEO, Crypto, Ethereum (ETH), Hackers, Hacks, upbit


Copyright © 2023 · Tron Weekly. All Rights Reserved. NOTE: Tron Weekly is an independent crypto news site that adheres to the strict journalism policy anchored on transparency, trust, and objectivity, we have no affiliation with the TRON Foundation, its founder Justin Sun or any other cryptocurrency firm.