May 5
Table of Contents
😈On May 5, 2024, the decentralized computing platform @GnusAi was hacked for ~$1.27m when an attacker minted a fake GNUS token on the Fantom chain and sold it on the #ethereum chain.
The reason for the hack is not clear, but it is speculated that the hacker obtained illegal access, using which they copied the token manager’s salt deployed on the Ethereum and redeployed it on Fantom.
Subsequently, the attacker minted around 500k GNUS tokens, which were later bridged (using Axelar Bridge
@axelarnetwork
) to the Ethereum and Polygon chains and sold for 407 ETH ($1.27M).
The Hack Aftermath
Team @GnusAi acknowledged the hack through their X handle and stated that they would take a snapshot of the block before the exploit took place and issue a new token shortly.
It also strongly advised its users not to purchase $GNUS tokens, as these could be counterfeit tokens created by hackers.
Attacker address: https://ftmscan.com/address/0x548c63a6a7299ab54762e1bfa6b56c1b94c2a820
Mint fake $GUNS Txn:
https://ftmscan.com/tx/0xd7dbbf47e4454a94f30f0ff034e3fb0040895347a41d974d524f7af066b4677d
Bridging Minted Tokens to #Ethereum Txn:
https://ftmscan.com/tx/0x9fe599bfb8bd381b1f2d07b685e00e501828f68a9f9596050aa8f63a25c12ec6
Bridge Txn: https://etherscan.io/tx/0x28ae708cb7d05392fb260f465fd7170fe79a657328b775cca5c4ad76246d8672
May 8
😈On May 8, 2024, the $GPU token on the #BNB chain was exploited for ~$32K when the attacker exploited a smart contract vulnerability. Reacting to the news of the exploit, the price of $GPU crashed by 100%.
The vulnerability is rooted in the _balance update function, a crucial component of the smart contract, which allowed the attacker to manipulate the token transfer process. This was possible because the _balances for the recipient could overwrite _balances for the sender, a flaw that was exploited.
This means when transferring money to yourself, the balance will increase by the amount of the transfer.
Exploit Txn: https://bscscan.com/tx/0x2c0ada695a507d7a03f4f308f545c7db4847b2b2c82de79e702d655d8c95dadb
Exploiter:
https://bscscan.com/address/0xcc78063840428c5ae53f3dc6d80759984788cbc0
Malicious contract:
https://bscscan.com/address/0x5234001627a376f5e0accb082548a283b1fa1586
Exploited contract:
https://bscscan.com/address/0xf51cbf9f8e089ca48e454eb79731037a405972ce
May 10
😈On May 10, 2024, @GalaxyFoxToken on Ethereum mainnet was exploited for ~$330K.
It appears the exploiter was able to rake in profits by falsely claiming 1.33 GFOX tokens, worth 108 WETH, by exploiting a smart contract vulnerability. This led to a massive 77% drop in the token prices.
The attack included 2 transactions with the same target contract: 0x11a4a5733237082a6c08772927ce0a2b5f8a86b6
Attacker 1:
0xfce19f8f823759b5867ef9a5055a376f20c5e454
Attack contract 1:
0x86c68d9e13d8d6a70b6423ceb2aedb19b59f2aa5
Attack transaction 1, loss of 100 ETH (~$300K):
0x12fe79f1de8aed0ba947cec4dce5d33368d649903cb45a5d3e915cc459e751fc
Attacker 2:
0x14b362d2e38250604f21a334d71c13e2ed478467
Attack contract 2:
0x347ed8eae1fb74767d894dca327c92c2ec4b7287
Attack transaction 2, loss of ~27M $GFOX, swapped to 2.32ETH (~$7K):
0x6a3d91fbd0a865a56c4efa7c540f28adcf7b569df44c9d50e1f86ab51b177405
May 14
😈The Bitcoin Defi @ALEXLabBTC lost ~$4.3m worth of assets in an exploit on May 14, 2024.
The cause of the exploit is speculated to be a private key compromise, as initial analysis shows that the deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b carried out four malicious upgrades to the proxy contract associated with @ALEXLabBTC
The upgrades caused the address of the bridge endpoint contract to change to an unverified bytecode.
Attacker address:
https://bscscan.com/address/0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E
The attacker involved in this exploit was also involved in the attack on another defi
@Mars_DeFi412
Within an hour after the upgrade, the following withdrawals were made under these attack transactions.
- https://bscscan.com/tx/0x94746d33792aeb27d2066b6d8f3c8a8c7410fe15c9500059f35e0b21c9bfb416
- https://bscscan.com/tx/0x47e123af93add709bc2516f6a5db057dfbb1d66a75b693cd7980cd3eb28c7357
A total of $4.3 million worth of digital assets were transferred to:
- https://bscscan.com/address/0xa747af2a527e72ce303353b458a1c51ebcd53188
- https://bscscan.com/address/0x27055ae433e9dcb30f6ebcc1a374cf5cc03c484e
It is worth noting that these two addresses received their funding from Tornado Cash.
The Hack Aftermath
@ALEXLabBTC confirmed the hack through a post on their official X handle and communicated that a significant portion of stolen funds had been frozen with the close collaboration of crypto exchanges, partners, and contributors.
Team ALEX has also announced a 10% white hat bug bounty for the exploiter in return for the stolen funds by 18 May at 0800 UTC.
If the funds are not returned by the stated deadline, Team ALEX will go ahead with all possible legal remedies to find and punish the culprit responsible for the hack.
😈On May 14, 2024, the decentralized exchange @predyfinance on the ARB chain was attacked, resulting in the loss of $464K worth of crypto assets from its lending pool.
The attacker was funded by @FixedFloat 45 days ago.
Ref. https://arbiscan.io/address/0xe1783b01639818ec1069890eff251f26ea936653
The Hack Aftermath
Predy Finance acknowledged the hack through an official post on its X handle.
It stated that the hack is currently being investigated and advised its users (who have accessed the lending pool previously) to revoke access to the exploited contract to avoid loss of funds.
Predy Finance uses permit2 access without the need to approve Predy’s contract directly.
The contracts for which approval should be revoked are:
- 0x02C9Ad1Aa219BCF221C3f915c45595f1d24928a1
- 0x92027Eb7caa12EC06f9Ba149c9521A1A48921514
Users can revoke approvals by visiting the following link: https://arbiscan.io/tokenapprovalchecker?search
Predy Finance has left an on-chain message for the exploiter to urge them to return the stolen funds by May 17th at 0800 UTC for a 10% white hat bug bounty, failing in which strictest legal action will be initiated against the exploiter.
Ref: https://arbiscan.io/tx/0x3126bdf7adbd12a694f008001a0d7c9080cc7ab7ef12d436cf9104c9d595bc85
Movement of Stolen Funds
Post hack, around ~ 100 $ETH worth $293K was bridged to #ETH and is currently parked at https://etherscan.io/address/0xeDe4E01347C012BD57302ea606095FB1eC5c848E
The remaining funds of $217K $WETH is held at attacker’s address on #ARB https://arbiscan.io/address/0x76b02ab483482740248e2ab38b5a879a31c6d008
Technical Details
Attack transaction:
https://arbiscan.io/tx/0xbe163f651d23f0c9e4d4a443c0cc163134a31a1c2761b60188adcfd33178f50f
Attacker:
https://arbiscan.io/address/0x76b02ab483482740248e2ab38b5a879a31c6d008
Attack contract:
https://arbiscan.io/address/0x8affdd350eb754b4652d9ea5070579394280cad9
Targeted contract:
https://arbiscan.io/address/0x9215748657319B17fecb2b5D086A3147BFBC8613
😈Defi protocol @SonneFinance on the #Optimism chain came under a flash loan attack on May 14, 2024, and lost ~$20m worth of assets before being contained.
To contain the attack, it paused all of its markets on the Optimism chain. Team
@SonneFinance has also stated that its markets on the base chain are unaffected by this attack.
The soVELO, USDC, and WETH contracts were targeted in this attack.
Official Reason for the Exploit
Sonne Finance has released a post-mortem report for the hack, in which they have stated that the attack method was the donation attack to Compound v2 forks.
It was also made known that the exploiter could have stolen an additional ~$6.5M worth of assets if timely preventive measures had not been taken.
Team Sonne Finance is willing to negotiate a white hat bug bounty with the attacker in return for the stolen funds.
What Happened to the Stolen Funds?
At the time of writing this, the stolen funds have been parked at the following addresses:
- 0x02FA2625825917E9b1F8346a465dE1bBC150C5B9
- 0x5D0D99e9886581ff8fCB01F35804317f5eD80BBb
- 0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43
- 0x6277ca71ffca08e691a6dd3ab05b98c0a8994c07
Other Addresses Involved
- 0x4ab93fc50b82d4dc457db85888dfdae28d29b98d
- 0xbd18100a168321701955e348f03d0df4f517c13b
- 0x7e97b74252b6df53caf386fb4c54d4fb59cb6928
- 0x9f09ec563222fe52712dc413d0b7b66cb5c7c795
- 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb
- 0x6277ab36a67cfb5535b02ee95c835a5eec554c07
Technical Details:
Hack Txn: https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0
Attacker:
https://optimistic.etherscan.io/address/0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43
Attack contract:
https://optimistic.etherscan.io/address/0x02fa2625825917e9b1f8346a465de1bbc150c5b9
Targeted contracts:
- soVELO: https://optimistic.etherscan.io/address/0xe3b81318b1b6776f0877c3770afddff97b9f5fe5
- SoUSDC: https://optimistic.etherscan.io/address/0xec8fea79026ffed168ccf5c627c7f486d77b765f
- soWETH: https://optimistic.etherscan.io/address/0xf7b5965f5c117eb1b5450187c9dcfccc3c317e8e
😈On May 14, 2021, SX vault (http://vaults.sx) contract on the EOS mainnet was exploited through a re-entrancy attack and lost ~$13.5M in this security incident.
What is a re-entrancy attack in crypto here: https://immunebytes.com/blog/reentrancy-attack/
In the heist, a total of 1,180,142.5653 EOS (~13M USD) and 461,796.8968 USDT were stolen. This was the biggest hack on the EOS mainnet at that time.
Exploited Contract
https://bloks.io/account/vaults.sx
The exploiter carried out the attack by exploiting a vulnerability in the smart contract, which could have been identified by a detailed and careful analysis of the smart contract before its deployment on the mainnet.
May 17
😈On May 17, 2024, the crypto coin launching platform @pumpdotfun was exploited for ~$1.9M when a former employee misused their security privileges (private key compromise) and stole away ~12.3K SOL.
The Hack Flow
To misappropriate funds, the rogue employee used flash loans on a Solana lending protocol to borrow SOL, then bought various coins to inflate their bonding curves to 100%.
After reaching the 100% mark, the exploiter took access to the bonding curve liquidity and repaid flash loans taken earlier.
The Attacker
An account on X, with the handle @STACCoverflow, claimed responsibility for the attack immediately after the exploit.
He posted that he had intended to redistribute the “remaining balances of bonding curves” to certain token users rather than keeping the stolen funds.
The account allegedly belongs to a doxxed developer previously employed at Pump.Fun.
The attacker has already conducted random airdrops of $SOL, and multiple addresses have received the windfall of $SOL.
The Hack Aftermath
To contain the hack and prevent further fund loss, trading was halted on http://pump.fun at 17:00 UTC, and
@pumpdotfun upgraded the contracts so that the attacker could not continue with the exploit.
Post-hack analysis revealed that a total of $45m of liquidity in the bonding curve contracts was at risk, but the exploiter could get hold of only ~$1.9m.
The Pump.Fun team has now successfully redeployed the contracts, and trading has also been unpaused.
The Mitigation
To tackle the FUD surrounding the platform Pump.Fun has decided to offer 0% trading fees for the next 7 days.
The exploited coins (and reached the 100% mark on bonding curves) between 15:21 and 17:00 UTC (the duration of the exploit) are currently untradable until LPs are deployed for them on Raydium.
The Pump.Fun team stated that the LPs all such affected coins would be seeded with an equal or greater amount of SOL liquidity that the coin had at 15:21 UTC within the next 24 hours.
Team Pump.Fun is committed to avoiding a repeat of such security incidents, and therefore, it is collaborating with blockchain security firms to put a security mechanism in place that would minimize the risks of similar exploits in the future.
May 20
😈In yet another setback for Web3 space, on May 20, 2024, Gala Games @GoGalaGames was exploited for a staggering ~$212M.
The hack resulted from a private key (with administrator privileges) compromise.
Using this unauthorized access, the attacker minted ~5B $GALA tokens worth ~$212M at the time of the hacks.
💡How to Tackle Threats of Compromised Private Keys?
According to the latest update, the attacker has already swapped 599 million $GALA for ~5.9K $ETH (worth ~$21.8m) via the decentralized exchange Uniswap.
It was found that a total of ~12B $GALA tokens were exposed to the exploit, but due to swift containment of the hack by blocking malicious unauthorized access, the hacker managed to mint $5B tokens only.
The price of $GALA took a hit of 20% before making a marginal recovery.
The Official Version
In a tweet two hours after the hack, the CEO of Gala Games (@Benefactor0101) acknowledged the hack and confirmed that it was contained within 45 minutes of its discovery.
He also stated that it was an isolated security incident, and the unauthorized access that was used to execute the hack has been removed. He also stated that Gala Games’ ETH smart contract is unaffected by the hack and is being secured using a multi-sig wallet.
Team Gala Games is in touch with law enforcement agencies (FBI, DOJ) to identify the culprit and recover the stolen funds.
It is Not the First Time for GALA Games
In November 2021, GALA Games lost around $130 million (~8.65 billion GALA tokens) in a security incident. This theft was also deemed an inside job involving Wright Thurston, one of the company’s foundered as an inside job as well, that involved Wright Thurston, one of the founders of GALA Games.
In 2023, the SEC charged him in a case involving the alleged selling of $18 million worth of unregistered securities in the form of a cryptocurrency (called GREEN) related to a public global decentralized power grid.
In another exploit in November 2023, GALA Games experienced a $1B exploit, but fortunately, it was a white-hat hack and didn’t eventually result in the loss of funds.
Technical Details
Attacker:
https://etherscan.io/address/0xe2ca471124b124831e231fb835778840ad100f97
Targeted contract:
https://etherscan.io/address/0xd1d2eb1b1e90b638588728b4130137d262c87cae
Hack Txn: https://etherscan.io/tx/0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe
May 22
😈$YON on BNB Chain was exploited on May 22, 2024, and lost 190 $BNB worth ~$118K as a result. The reason for the exploit was found to be the access control vulnerability.
The Vulnerability
The vulnerability in the transferFrom function of the target contract (YON) allowed the attacking contract to directly transfer $YON to the LP contract.
👀Must Read
👉What are Access Control Vulnerabilities in Smart Contracts?
👉List of Access Control Vulnerability Hacks
May 24
😈On May 24, 2021, Autoshark Finance was exploited in a flash loan attack to steal a massive $745k.
The attack on Autoshark was not an isolated incident. It was preceded by a similar hack on PancakeBunny, executed on May 19, 2021, 10:34:28 PM +UTC, using the same modus operandi.
The Hack Flow & Vulnerability
The primary reason for the exploit was a flaw in the incentive reward mechanism set in the SharkMinter contract.
The exploiter made a small deposit to the SHARK-BNB Vault, and borrowed 100K BNB of flash loan from PancakeSwap.
Out of 100K BNB, the attacker used 50K BNB to swap them for the SHARK token.
The remaining 50K BNB and swapped SHARK tokens were later sent to the SharkMinter contract by the hacker.
This huge amount of tokens sent to the contract confused the system and made it believe that it made the profits and became all set to generate rewards as per the defined business logic.
By calling the getReward function, the hacker manipulated the system to mint 100M SHARK as a reward, in addition to 15M for the dev and 20M for the referrer.
The hacker sold these collectively minted 135K SHARK tokens for 102K WBNB, thus making a profit of 2.2K WBNB.
Exploit Txn:
https://bscscan.com/tx/0xfbe65ad3eed6b28d59bf6043debf1166d3420d214020ef54f12d2e0583a66f13
May 26
😈On May 26, 2024, the memecoin Normie was exploited in a flash loan exploit aided by a smart contract vulnerability. The attacker apparently made a profit of 224 WETH (~$881,686).
The exploit had a huge impact on Normie’s market capitalization, which was reduced to a mere ~$35k from a peak of ~$41M. The token price also took a massive 96% nosedive. At the time of writing this, the market cap stands at ~$332.
A memecoin trader, who had invested a substantial $1.16 million to acquire 11.23 million Normie (NORMIE) meme coins, saw his investment shrink by a devastating 99% as token prices plummeted.
According to a report, the total number of impacted users/investors who suffered this exploit could be around 72,000.
The Attack
- Step 1: The attacker swapped 171,955 NORMIE tokens for 2 WETH. https://basescan.org/tx/0xa618933a0e0ffd0b9f4f0835cc94e523d0941032821692c01aa96cd6f80fc3fd
- Step 2: The exploiter swapped 5 million NORMIE (similar to the deployer account’s balance). This was done to add the attack contract address to the _premarket_user list.
- Step 3: The attacker then flash-loaned 11,333,141 NORMIE tokens and swapped 9,066,513 NORMIE for 65.97 WETH.
They repeatedly transferred 2,266,628 NORMIE to the pair and subsequently called the skim() function to withdraw them.
The Outcome: Due to the addition of the attack contract address as a premarket_user in ⚡Step 1, the token contract was forced to mint NORMIE tokens to its own address.
Once the balance exceeded a certain threshold, the swapAndLiquify mechanism came into play and sold 4.65 million newly minted NORMIE for each transfer to the pair by the attacker.
In the end, the Normie contract address got over 650 billion NORMIE tokens although the total supply was only 1 billion.
The Good News
The attacker has offered to return 90% of the stolen assets while keeping the remaining funds as a bug bounty. The hacker communicated this through an onchain message to a Normie developer.
This return of funds is subject to a condition: Normie must spend the 600 $ETH in the developer’s wallet fairly to launch a new token and reimburse $NORMIE holders. In addition to that, there shouldn’t be any legal action towards the attacker.
Hacker Message Ref Txn: https://basescan.org/tx/0x587f14b7ffb30b5013ab0db02e9bc94183817ef34c24a9595f33277e752f81eb
The stolen funds are currently parked at https://basescan.org/address/0xbDfCaA1c260D35a57aE8C333AFff4D8dC6D90899 on the Base chain.
May 27
😈On May 27, 2021, the defi protocol @WildCredit on the #ethereum chain was exploited for ~$650k when the hacker exploited a smart contract vulnerability and stole 25k BNT tokens.
The specific vulnerability in the LP contract was an access control issue. This flaw allowed anyone to call the initialize function and gain ownership of the LP token contract.
Access Control Vulnerabilities in Solidity Smart Contracts
The hacker manipulated the said vulnerability and took ownership of the contract to mint tokens and withdraw funds.
Fortunately, the hack was a white hat operation and the stolen funds were later returned to the devs.
Hack Txn: https://etherscan.io/tx/0xdbef3b393a64608756c284568217355f694a0e5c8edf80eac75ec087d642ce07
Exploited Contract:
https://etherscan.io/address/0x7b3b69eab43c1aa677df04b4b65f0d169fcdc6ca
😈On May 27, 2021, BurgerSwap, a DEX on the #BNBChain, also suffered a flash loan attack, which cost it 💰$7.2M of user funds.
The flash loan was a result of the manipulation of a vulnerability in the BurgerSwap contract
Using this vulnerability, the attacker could do re-entrancy and transfer any amounts from the pool before the reserves were updated.
Reentrancy Attack: The Ultimate Guide
It took 14 such transactions for the attacker to siphon off a total of $7.2M worth of assets, including multiple cryptocurrencies.
Attacker’s Contract: https://bscscan.com/address/0xae0f538409063e66ff0e382113cb1a051fc069cd
Attack Txns:
https://bscscan.com/txs?a=0xae0f538409063e66ff0e382113cb1a051fc069cd
May 29
😈On May 29, 2021, defi Belt Finance @BELT_Finance on Binance Smart Chain (BSC) came under a flash loan attack and lost ~$6.2M worth of cryptocurrencies.
The exploiter deployed a smart contract leveraging PancakeSwap for flash loans and exploited the beltBUSD pool along with its underlying strategy protocols.
Subsequently, they executed the contract eight times, yielding a total profit of 6,234,753 BUSD.
😈On May 29, 2023, dex @EDE_Finance on the #Arbitrum chain fell victim to a white hat exploit, which was conducted using flash loans and Oracle price manipulation.
The white hat hacker who profited 597,694 USDC and 86,222 USDT (worth ~$520K at the time of the hack), offered to return 90% of the stolen funds in exchange for a 10% bug bounty.
Exploited contract: https://arbiscan.io/address/0x171c01883460b83144c2098101cd57273b72a054
Attacker Address: https://arbiscan.io/address/0x80826E9801420E19a948b8Ef477Fd20f754932DC
Attacker’s contract: https://arbiscan.io/address/0x6dd3d2fb02b0d7da5dd30146305a14190e6fb892