TronWeekly

Crypto World News

You are here: Home / Archives for Hacks

Hacks

Metamask Says, No Wallet Exploit Found In $10 Million Hack

by

The popular Ethereum wallet, MetaMask, has issued a statement stating that no wallet exploit was used in the recent $10 million hack. On April 15th, a hack was carried out that compromised the NFT marketplace, Nifty Gateway, a major NFT marketplace.

According to MetaMask, the investigation indicated that the breach was the result of a phishing effort that targeted a Nifty Gateway employee, granting the hacker access to the company’s infrastructure. No vulnerability or attack was discovered in the Meta wallet.

Metamask Clears Wallet Exploitation Of Loss Of Funds

On April 18, Meta Mask tweeted in response to Taylor Monahan, the founder of Ethereum wallet manager MyCrypto, who stated on April 17 that an unnamed wallet-draining vulnerability has stolen over $10.5 million in crypto and nonfungible tokens (NFTs) since December 2022

“Recent reporting on [Monahan’s] thread has incorrectly claimed that a massive wallet-draining operation is a result of a MetaMask exploit,”

MetaMask stated that the 5,000 ETH was drained from several addresses across 11 blockchains, implying that the claim about the assets being accessed due to a meta wallet vulnerability is false.

The security team at MetaMask revealed that they had been working nonstop to find the attack’s origin. Additionally, they are working with other teams in the Web3 wallet industry to unravel the mystery of the significant attack.

Monahan said that “no one knows how” this huge attempt was carried out in her post on the issue, but that her “best guess” was that a sizable amount of old data was retrieved and used to take the funds.

She initially claimed that the attacker was utilizing Meta Mask to eliminate expert users and staff members.

Later, Monahan claimed that the issue is not limited to Meta and that “users of all wallets, even those created on a hardware wallet,” have been affected.

A member of the cryptocurrency community named Jacky Goh stated that users switched to hardware wallets as a result of the breach. Goh pointed out that the anonymous breach serves as a reminder for consumers to store their cryptocurrency assets in a more secure manner. 

Ohm Shah, a co-founder of Wallet Guard, stated in a speech that although the MetaMask team has been conducting ongoing research, the specifics of the hack are still unknown. Shah mentioned that the inquiry into the enigmatic large-scale getting involves a number of more independent security researchers.

Shah continued by saying that although there isn’t any verified information on the disappearance of digital assets, speculation is beginning. They thought there might be some seed phrase or private key leakage. 

Source: Tradingview.com

Related Reading: | MetaMask Brings NFTs To Browser Extension In Latest Update|

DeFi: Yearn Finance Lost $11M After Attackers Exploited An Outdated Contract

by

DeFi protocols Yearn Finance and Aave suffered exploitation to the tune of over $11 million owing to a misconfigured yUSDT, blockchain security expert Peckshield revealed.

Initially, the attack was thought to be limited to Aave V1, but later on-chain sleuths found that the protocol was instead exploited to mint huge yUSDT from a small $10K USDT.

The massive amount of yUSDT was then converted to other stablecoins and cashed out. So far, the flash loan exploiter stole millions worth of USDT, TUSD, BUSD, USDC, and DAI.

Shortly after that, Yearn Finance’s team issued a public statement as it continues its investigation.

We’re looking into an issue with iEarn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iEarn and does not impact current Yearn contracts or protocols. iEarn is an immutable contract predating YFI, it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There’s no indication it’s affected. The current version, Yearn v2 Vaults [written in Vyper], remains unaffected as well.

As further information came to light, different security analysts pointed out that the issue is still specific to the liquidity pool and the 2020-launched iEarn legacy protocol. Vaults for Yearn v2 don’t appear to be affected.

Voicing a similar opinion, White-hat hacker samczsun said, “It seems like the iEarn USDT token [yUSDT] has been broken since deployment, which was *checks notes* over 1000 days ago. It was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.”

For those new, prominent Web3 developer Andre Cronje pioneered two DeFi projects — yEarn Finance and iEarn. Cronje renamed iEarn to Yearn Finance [YFI] in July 2020 after it showed success in yield aggregation.

Cyber experts have so far highlighted the vulnerability in Yearn’s predecessor’s contracts. Meanwhile, a similar incident of smart contract exploitation took place a few days back.

DeFi Protocol Sushi DEX Hack

Popular decentralized protocol Sushi DEX reported a loss of over $3 million due to a bug on the “RouterProcessor2” contract that is used to route trades on the SushiSwap exchange.

The issue seems to only impact customers who approved SushiSwap contracts in the previous four days, according to @0xngmi, a pseudonymous DefiLlama developer.

After the incident, SushiSwap chief developer Jared Grey requested users to remove access to any contracts on the platform as a security precaution.

Grey also assured that the team was “working with security teams to mitigate the issue.”

Cross-Chain Bridge Nomad Loses $200M In One Of The Most “Chaotic” Hack

by

Nomad, a cross-chain token bridge was exploited for nearly $200 million, draining most of the assets. Acknowledging the same, the Nomad team released a statement that it is working to identify the accounts involved and to trace and recover the funds.

According to DefiLlama, over $190 million in crypto has been emptied from the protocol, remaining only $651.5 in the wallet.

Online sleuths pin the blame on the platform’s flawed smart contracts. One such expert who works as a researcher in crypto investment firm Paradigm detailed how a recent update on one of Nomad’s smart contracts made it an easy target for exploiters to spoof transactions.

“Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all”, he said. Calling the attack one of the most chaotic in the history of web3, samczsun continued,

“You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”

Echoing similar views, one of the newer clients of Nomad- Evmos, posted,

“A vulnerability in the bridge contract allowed it to accept arbitrary root hashes, allowing several entities to withdraw large amounts of assets. Currently, Nomad is paused, so users cannot withdraw their ERC20 wrapped assets from Evmos back to Ethereum.”

The platform further tweeted that it would be “brainstorming community solutions” given that it “significantly impacts initial Evmos [total value locked].”

Unlike other bridge attacks, where a single culprit is responsible for the entire exploit, the Nomad attack was an open loot.

Crypto Sleuths Termed Nomad Attack As A “Decentralized Robbery”

In what’s being called a “decentralized robbery” the vulnerability in Nomad’s coding allowed many to steal the money they didn’t own just by copying and pasting a script.

According to reports, some exploited their smart contract with public wallet addresses that are designed to be traceable. Many returned the funds back. Others claimed to be acting in good faith and sent back the funds while pledging to protect the smart contract.

Nomad allows users to send and receive tokens between different blockchains. The latest incident has cast serious doubt on the security of cross-chain bridges.

Multiple DeFi platforms succumb to a $90M Exploit

by

Not one or two but three DeFi platforms- Rari Capital, Fei Protocol, and Saddle Finance, came under a massive onslaught that resulted in draining roughly $90 million worth of crypto assets. Data provided by Whitehat hackers BlockSec. showed that multiple pools related to these platforms have been targeted.

Out of the three, Rari Capital, Fei Protocol suffered a combined loss of more than $80 million due to a typical reentrancy vulnerability, BlockSec shared via tweet.

According to experts, a re-entrance attack occurs when an execution of a smart contract gets interrupted in the middle and then initiated from the start once again, hence the term re-entered.

A good example of such attack was the DAO hack in June 2016, where over $60 million in Ethereum was stolen.

Cyber Security, Internet, Hacking

That said, Fei Protocol also confirmed the attack by saying that they are aware of the exploit on multiple Rari Fuse pools. For the time being, they have suspended all borrowing operations to prevent further exploitation of funds.

The author of the tweet has offered the hacker to keep $10 million from the stolen crypto as a bounty and return the rest of the funds that belong to their users.

If that wasn’t enough, the crypto community was woken up by another DeFi attack.

DeFi trio hacks- the latest update

Blockchain security firm Peckshield brought to light saying that automated market maker Saddle Finance was exploited in a flash loan attack, resulting in the protocol loss of about $10 million.

The hack was made possible due to the wrong MetaSwapUtils lib which was used for calculating the swap, it tweeted.

It also highlighted that the stolen funds from the 2017 @ParityTech Wallet Multisig hack were on the move as well.

Saddle responded by stating that the team is investigating the exploit and is pausing pool metapools withdrawals before adding that $3.8 million has been recovered.

Single-asset withdrawals are currently restricted, but balanced pool withdrawals are always possible. White hat hackers BlockSec Team were able to secure $3.8m. The team is in contact with them to return the funds.

The $90 million exploits on the trio platforms come exactly one month after the record-breaking $615 million Axie Infinity Hack carried out by the North Korean state-sponsored Lazarus group.

Another crypto hack; Synapse Protocol exploited, $8 million funds at risk

by

Synapse Protocol, known for its native token, the SYN token, is an automated market maker or simply AMM known for its trustless cross-chain bridge. Recently, according to the tweet by well-known Chinese crypto journalist Colin Wu, the “Synapse Protocol was exploited and lost approximately US$8 million.”

Synapse was introduced in the crypto space as the platform that would eradicate the need for a centralized exchange in the DeFi industry, allowing the users to become their own banks. However, it seems that the recent hack proves otherwise.

According to the Twitter account by the username “ricosoon”, the Chinese journalist made a mistake in reporting the exploit. It seems that the Synapse $8 million were not lost as the bridge is on hold. The bridges are the center of the Protocol and are responsible for the swapping of tokens.

Synapse bridges intact

According to “Ricosoon,” the problem wasn’t with the bridge or the bridge contracts but with the implementation of the AMM contracts “that a few different stableswaps used, forked from the Saddle.”

According to the statement by the developers on their Discord channel, the hacker tried to move the funds by converting them into USDC while the validators were not online. Upon this issue being noticed, the AMM contracts were all put to rest so that the vulnerability didn’t spread.

Furthermore, the Protocol notified Saddle, who also closed their bridges. As a result, “the validators, by consensus are now electing not to process this transaction as it was malicious against LPs and the network as a whole:~$8 million nUSD will therefore not be minted to the attackers’ address on the destination chain.”

It seems that the Synapse developers are now in control of the situation as they are working to re-deploy the pools ‘to an older, less-complex version’ of the bridge contracts, re-enabling liquidity, buying time to solve the issue, and restart the original bridges.

Such an increasing number of exploits in the blockchain industry is currently being reviewed by many protocols. The Polygon network was recently exploited by an arbitrary bot, turning 14 ETH into 218.5 ETH. Similar hacks also happened on the ThorChain network.

Cream Finance succumbs to third hack with a loss of $130M

by

The decentralized finance (DeFi) lending and borrowing protocol Cream Finance once again suffered a hack that led to a loss of $130 million. The DeFi protocol operates on the Ethereum network but has been facing a series of hacks and the latest one happened to be the third attack.

The blockchain security and data analytics company PeckShield Inc. identified the attack as a flash loan, resulting in the theft of mostly Cream tokens, CREAM.

Cream Finance witnessed two more attacks in the past. In February, a flash loan hack caused a loss of $37.5 million, which brought the price of CREAM down by 30% within an hour after the attack. The story continued to August when Cream Finance was exploited again, with hackers making over 418 million in Flexa Network’s native token AMP and around 1,300 Ethereum (ETH).

The latest hack caused the price of CREAM to crash by around 35% in less than two days. CREAM is currently trading at $102.10.

Cream Finance joins streak of DeFi attacks

Despite being hit several times by hackers, Cream Finance is not the biggest or only DeFi protocol facing a loss. 

As TronWeekly reported, Poly Network, the famous interoperability DeFi protocol, also suffered from a similar attack leading to a loss of over $600 million worth of funds in August. Unfortunately, this was deemed the biggest DeFi hack in the history of the crypto world.

These recurring hacks are bringing voices calling intense attention to consumer protection in the DeFi industry. Gary Gensler, the chair of the U.S. Securities and Exchange Commission (SEC), while talking at the Yahoo Finance All Markets Summit, said that the DeFi space requires robust consumer protection strategies for healthy survival.

“There’s a lot of lending going on. There’s a lot of trading going on. And without protection, I fear that it’s going to end poorly.”

Gary Gensler, SEC chair

Gensler has always been very particular about user protection in the crypto world. He recently called out unregulated crypto markets and previously termed DeFi a “misnomer.”

Cryptocurrency Exchange Bilaxy Suffers Fund Losses as Hackers Attack Hot Wallet

by

On Monday, the digital asset world woke up to the news of cryptocurrency exchange Bilaxy being hacked. Sources close to the exchange revealed that the hacker stole the funds by exploiting a bug in Bilaxy’s ERC-20 hot wallet. The exchange announced the details of the hack via a Telegram post early Monday morning.

During the hack, the perpetrator transferred 295 different ERC-20 tokens with the most recent transaction involving 50 ETH tokens. The address to which the funds were sent had a total grasp of 177.98 ETH or approximately $570,000. According to Bilaxy’s releases, the exchange suspended all activities to ensure the protection of the remaining funds.

The exchange contacted the affected users to inform them about their stolen funds with steps to recover them in the future. Bilaxy further assured its members that the unaffected funds were all moved to the cold wallet for safekeeping. In their official post, Bilaxy said:

“Bilaxy suffered heavy losses in this hacking incident and the problem has not been determined now, which will take lots of work and time to resume Bilaxy services. It may at least take 2 weeks to investigate the hack thoroughly and rebuild system architecture to secure the system and assets. We hope that users will have the necessary psychological preparation for it.”

The attack on Bilaxy comes a few weeks after the $100 million stings on Liquid. Fortunately, the exchange was able to recover the funds and transfer them back to the legal holders. Crypto fans kept their fingers crossed hoping that that is the case with Bilaxy too. Bilaxy also contacted CoinmarketCap, Coingecko, and Etherescan to put out notifications about the hack. As investigations for the funds’ progress, the company revealed that all the details have been divulged to the proper authorities.

$3.6B in Bitcoin disappears with South African crypto exchange owners after “hack”

by

Cryptocurrency investors of South African exchange AfriCrypt have reportedly lost $3.6 billion in Bitcoin after what was first reported to be a hack. However, along with the funds, the two founders of the crypto firm, who also happens to brothers, have vanished and there is no trace of them yet.

This is another major incident after last year’s fall of another South African Bitcoin trader, called Mirror Trading International. The platform had suffered losses of 23,000 digital coins, that summed up to approximately a whopping $1.2 billion. Hence, it went on to become the largest hack of 2020. If the funds are not recovered, the Africrypt investors are at a risk of losing three times as much.

Biggest Bitcoin Hack?

It all started in April this year when Bitcoin was rallying to record-breaking numbers. Hence, the disappearance of nearly 69,000 Bitcoin could be essentially turn out to be the biggest-ever dollar loss in a cryptocurrency hiest.

Africrypt Chief Operating Officer and the elder brother Ameer Cajee notified clients that the firm suffered a hack. However, he advised them to not report the incident to lawyers and authorities, as it could impede the recovery process of the missing funds. This message was sent on the 13th of April at a time when the crypto exchange raked in around $3.6 billion in Bitcoin.

However, not all of the investors compiled with this request. Some of the ones involved with the exchange also went on to onboard a law firm, Hanekom Attorneys. Additionally, a few also initiated the liquidation proceedings against Africrypt. After the Cape Town-based law firm failed to trace the two brothers, they alerted the South African police force, Hawks. Furthermore, it notified other cryptocurrency exchanges across the world if the brothers attempted to convert the coins to fiat.

However, the investigations also revealed that Africrypt’s pooled funds were moved from its South African accounts and client wallets. To top that, the digital coins were put through tumblers and mixers to essentially make them untraceable. The law firm was quoted saying,

“Africrypt employees lost access to the back-end platforms seven days before the alleged hack”

Another Binance Smart Chain-based DeFi Platform Loses Millions In Exploit

by

There is no respite for decentralized finance-based platforms on top of Binance Smart Chain [BSC]. This time, it was the AMM protocol called Belt Finance that suffered a loss of millions after software exploitation.

According to Belt Finance, a flash loan attack was initiated on the Binance Smart Chain’s 4Belt [USDT/USDC/BUSD/DAI] pool. The hacker reportedly created a smart contract that used popular decentralized exchange PancakeSwap for the purpose of flash loans and exploited its beltBUSD pool. The malicious entity, however, did not stop there and proceeded to attack its underlying strategy protocols as well as executed the contract 8 times to rake in a total profit of 6,234,753 BUSD.

The Binance Smart Chain-based defi protocol also revealed that beltBUSD vault users endured a loss of 21.36% of funds, while 4Belt pool users sustained a loss of more than 6% of funds. Other pools/vaults were not affected. Soon after detecting the attack, the defi platform paused withdrawals and deposits in a bid to prevent more losses. It added,

“While we are aware that this may cause our users inconvenience, it was done to prevent the same exploit from attacking our other vaults/pools. All other pools/vaults and all funds remain unaffected and safe from this attack, and we have now patched the attack vector that allowed this exploit of 4Belt and beltBUSD.”

Belt Finance also revealed that the team was devising a compensation plan that will be released within the next 48 hours.

According to the Rekt Blog, which analyses defi exploits, explained that the lost $6.3 million in a total of eight transactions.

Binance Smart Chain Weighs In

The bloodbath for the BSC does not seem to stop anytime soon. In just nine months, the network’s rise to prominence has attracted many platforms. However, several of these defi protocols operating on top of Binance Smart Chain’s decentralized finance ecosystem have suffered back-to-back hacks and exploits in a short period of time.

Binance Smart Chain had recently stated that the “well-organized hackers” behind the flash loan attacks and security breaches were targeting the platform specifically.

DeFi Options Platform FinNexus Exploited; FNX Token Crashes By 90%

by

DeFi hacks and rug pulls have become common by the day.

FinNexus, a decentralised finance [DeFi] options platform, was the most recent victim of a malicious entity’s exploit. While FinNexus has yet to publish a post-mortem report, the firm has cautioned users to withdraw their funds from the pools.. Its tweet regarding the same read,

“We regret to inform our traders and investors that the FinNexus erc20 contract appears to have been hacked. For safety reasons please withdraw your funds from the pools. The team is working on this issue and we will provide updates as they become available.”

The platform’s claims of the event being a smart contract hack was rebuffed by popular DeFi analyst and researcher, Chris Blec who speculated that either this is a case of a stolen admin key or was used maliciously by a team member.

What exactly happened with the DeFi Platform?

After digging deeper, another DeFi research analyst Igor Igamberdiev observed that FinNexus [FNX] contract deployer changed the token owner to some address on both Ethereum [ETH] as well as Binance Smart Chain [BSC] network. This address reportedly minted 323 million FNX [which was worth around $6M] on Ethereum and 60 million FNX [approximately $1.6 million] on Binance Smart Chain.

Following the minting, the attacker started dumping coins. In total, the decentralized options platform incurred a loss of $7.6 million.

So now the community was left wondering if this was a case of rug pull or stolen private key and FinNexus is yet to provide a conclusive report on the same.

FNX Crashes

Following the development of the exploit, the DeFi platform’s native token, FNX, crashed by more than 90% in the last 24-hours. Before the exploit, it was trading above $0.3 however, its price went on a downward spiral to a new low of $0.062, at press time. The crash could be attributed to the fact that a major portion of FinNexus’ token collateral was liquidated during the attack.