\u00f0\u0178\u02dc\u02c6On Jan 1, 2022, DeFi Tinyman on Alogrand chain lost $3M worth of assets from its contract pools due to a smart contract vulnerability.<\/p>\n\n\n\n
The Smart Contract Vulnerability<\/strong><\/p>\n\n\n\n The protocol\u00e2\u20ac\u2122s burn function was designed to allocate two different tokens (GOBTC and ALGO tokens) to the user on being called.<\/p>\n\n\n\n The ratio in which these two were given out was based on the amounts of each token stored within the protocol.<\/p>\n\n\n\n Using the flaw in the Tinyman pools\u00e2\u20ac\u2122 contract code, the attacker was able to receive the GOBTC tokens alone instead of a mix of GOBTC and ALGO, as intended.<\/p>\n\n\n\n So, in other words, the exploiter received a GOBTC token every time they were supposed to receive an ALGO token.<\/p>\n\n\n\n Between GOBTC and ALGO, GOBTC was pricier and hence the attacker made a significant profit amounting to approximately $3M, over multiple transactions.<\/p>\n\n\n\n The stolen GOBTC tokens were later swapped for stablecoins and transferred to other exchanges and wallets.<\/p>\n\n\n\n The said vulnerability in the pool contract could have been discovered if the smart contracts were audited by an experienced and credible smart contract auditing<\/a>. <\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6In another major crypto exploit, on Jan 2, 2024, Radiant Capital @RDNTCapital on the Arbitrum chain was exploited for ~$4.5M (~1.9K ETH).<\/p>\n\n\n\n The root cause of the hack is the price manipulation, which was carried out by exploiting a rounding issue in the The Exploitation<\/strong><\/p>\n\n\n\n First, the index parameter (used as a denominator in the calculations) was inflated due to manipulation. The corresponding precision error also skyrocketed due to this inflation.<\/p>\n\n\n\n The attacker reaped profits through repeated deposit() and withdraw() operations.<\/p>\n\n\n\n The attack happened within the time frame of 6 seconds immediately after a new USDC market was deployed.<\/p>\n\n\n\n The rounding issue is a known issue in the current Compound\/Aave codebase, which is forked by lending markets for activating new marketing.<\/p>\n\n\n\n To mitigate this, Aave has a mandatory policy to deposit alongside any new listing. While forking, it seems this practice was not taken into consideration.<\/p>\n\n\n\n Attacker’s address:<\/strong> https:\/\/arbiscan.io\/address\/0x826d5f4d8084980366f975e10db6c4cf1f9dde6d<\/p>\n\n\n\n Malicious contract:<\/strong> The Aftermath<\/strong><\/p>\n\n\n\n The team @RDNTCapital is trying to initiate contact with the attacker by leaving an on-chain message for the attacker, but they are still waiting to receive a response.<\/p>\n\n\n\n Ref: https:\/\/arbiscan.io\/tx\/0xcd1865e3bf185fc5fe0b5fb055f6d74cfa68ee50335ff92ad721063538922664<\/p>\n\n\n\n While the hack is being investigated, the Radiant DAO Council has paused lending\/borrowing markets on Arbitrum temporarily.<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 4, 2024, the Defi Protocol Gamma Strategies was exploited for ~1535 $ETH (~$3.43M) in what seems to be the attack on Camelot pools, utilizing Gamma CLMM.<\/p>\n\n\n\n Hack Txn: <\/strong>https:\/\/arbiscan.io\/tx\/0x025cf2858723369d606ee3abbc4ec01eab064a97cc9ec578bf91c6908679be75<\/p>\n\n\n\n Other than @GammaStrategies, decentralized exchanges (DEX), such as @Quickswap, @SushiSwap, and Gamma has strongly advised all its users to revoke all approvals to avoid a possible fund loss due to the exploit.<\/p>\n\n\n\n @CryptoAlgebra, which was earlier speculated to be exploited, has confirmed that the exploit is not connected with Algebra’s code, and it is safe to use services from its partners.<\/p>\n\n\n\n Beware of the phishing websites claiming to check for exposure and revoke access from @CryptoAlgebra<\/p>\n\n\n\n In an official statement, Gamma confirmed that the hacks were carried out using flash loan attacks.<\/p>\n\n\n\n The total fund loss in the exploit is 1535 ETH, worth ~$3.43M, which the attacker: https:\/\/arbiscan.io\/address\/0x5351536145610aa448a8bf85ba97c71caf31909c Ref: <\/strong>https:\/\/etherscan.io\/address\/0x5351536145610aa448a8bf85ba97c71caf31909c<\/p>\n\n\n\n Gamma Exploiter Malicious Contract: <\/strong>https:\/\/arbiscan.io\/address\/0x4b57adc00ac38f74506d29fc4080e3dc65b78a69<\/p>\n\n\n\n Mitigation Steps<\/strong><\/p>\n\n\n\n As a precautionary measure, Gamma has shut off all deposits on public-facing vaults. At the time of writing, the rebalances and management of the positions are active and operational, as they are not affected by the exploit.<\/p>\n\n\n\n What Caused the Exploit?<\/strong><\/p>\n\n\n\n Although multiple measures were in place to prevent flash loan attacks but out of those measures, there was one that had a flaw.<\/p>\n\n\n\n The measure\u00e2\u20ac\u201dwhere Gamma had set a price change threshold to disallow deposits on price change exceeding a certain threshold\u00e2\u20ac\u201dwas manipulated by the exploiter.<\/p>\n\n\n\n The threshold limits were set too high, which allowed up to 50-200% price change on specific LST and stablecoin vaults.<\/p>\n\n\n\n The attacker manipulated the price up to this high threshold limit and then minted a large number of LP tokens.<\/p>\n\n\n\n Corrective Measures<\/strong><\/p>\n\n\n\n To set things right, Gamma has taken the following steps:<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6Narwhal project on #BSC suffered an exploit on Jan 5 and Jan 6, 2024, for a total of ~$1.5M worth of NRW tokens ($970k on Jan 6 and $500k on Jan 5).<\/p>\n\n\n\n On Jan 7, @Narwhal_fyi confirmed in an official tweet that it was exploited and is in the process of rebuilding the liquidity pool in the next 3 days.<\/p>\n\n\n\n It also stated that they are working on a new platform with enhanced security to avoid such exploits in the future.<\/p>\n\n\n\n The stolen NRW was later swapped for ETH and bridged to the Ethereum Network.<\/p>\n\n\n\n The address 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30 deposited 375 ETH into TornadoCash and also received ETH from 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568<\/p>\n\n\n\n At the time of reporting, ~$1M out of the stolen ~$1.5M has already been deposited into Tornado Cash The remaining Stolen funds are currently at:<\/p>\n\n\n\n On Jan 6, the attacker called the withdraw() function with the signer info. In the decompiled contract, it has been found that the signer’s address was actually set by the contract owner, and it is possible that the signer\u00e2\u20ac\u2122s private key was either compromised or the information was forged.<\/p>\n\n\n\n Exploited Contract: 0x8A2DF808CCb0DB866C5C152412D1718929143f53<\/p>\n\n\n\n The Alternate Theory<\/strong><\/p>\n\n\n\n There are speculations that what seems to be an exploit by a malicious hacker could possibly be a cleverly executed exit scam in the shroud of an exploit.<\/p>\n\n\n\n To support the theory, the on-chain analysts have presented the following:<\/p>\n\n\n\n The NRW token price shows two major drops\u00e2\u20ac\u201dJan 5 and Jan 7.<\/p>\n\n\n\n The drop on Jan 5 is likely caused by the large transfer of NRW tokens to an EOA 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568 from multiple wallets.<\/p>\n\n\n\n Suspiciously, all these wallets received funding from the same address: 0x28B38A8B0b5AbEcE315a5064495056ad158DDDfF<\/p>\n\n\n\n The 0x28B38 address itself was initially funded by 0xfc8Cd26F86E6169e95A0256004B5c8FD1a6EFdDF, which received funds via FixedFloat.<\/p>\n\n\n\n The same address also funded the NRW deployer.<\/p>\n\n\n\n The Jan 7 price drop was triggered by EOA 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30, which called This contract was created by 0x6eA, which was, in fact, funded by 0xfc8C, which had earlier funded the NRW deployer.<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6MangoFarmSOL, a farming protocol on Solana, which promised unprecedented yield in the $SOL space to its investors, stole away ~$2M of its investors\u00e2\u20ac\u2122 wealth on Jan 7, 2024, in a well-orchestrated exit scam.<\/p>\n\n\n\n It had announced its MANGO token airdrop on Jan. 10, and to participate in the airdrop, users had to deposit their Solana SOL tokens in the protocol.<\/p>\n\n\n\n The TellTale Signs of the Scam<\/strong><\/p>\n\n\n\n \u00e2\u20ac\u0153Foobar,\u00e2\u20ac\u009d a pseudonymous developer recently appointed as MangoFarmSOL\u00e2\u20ac\u2122s security auditor, had warned users about MangoFarmSOL\u00e2\u20ac\u2122s compromised front end on Jan 6 through a post on X (formerly Twitter).<\/p>\n\n\n\n He also predicted that the protocol could be a potential rug pull.<\/p>\n\n\n\n The Disappearing Act<\/strong><\/p>\n\n\n\n The official website of MangoFarmSOL is now being flagged as a deceptive website. Their profile on X no longer exists, and the Telegram channel (with 1000 existing members) is not accepting new members anymore.<\/p>\n\n\n\n Is there Another Scam in Waiting?<\/strong><\/p>\n\n\n\n There have been reports about screenshots being circulated on social media in which the developer of the now-scam project @MangoFarmSOL is shown claiming that he was forced to create Ponzi schemes and that he is involved with another project, BananaMiner.<\/p>\n\n\n\n Representatives from BananaMiner have refuted all such allegations and have categorically denied any connection to MangoFarmSOL, except that they were approached for collaboration by them.<\/p>\n\n\n\n MangoFarmSOL must not be confused with another Solana-based project, Mango Markets, which was exploited in October 2022 for over $100 million.<\/p>\n\n\n\n The Conclusion<\/strong><\/p>\n\n\n\n The Solana ecosystem has been increasingly targeted by scammers using wallet drainers.<\/p>\n\n\n\n The seriousness of the security threat for Solana-based projects can be gauged by the fact that the cybercriminals have been selling Solana drainer kits since December, and one of the large communities for SOL’s wallet drainer kit maintained by these cybercriminals has over 6k members.<\/p>\n\n\n\n Beware of the scammers who lure novice #cryptoinvestors to invest in fake projects and tokens. You can get a great deal of knowledge about identifying such scams here:<\/p>\n\n\n\n Crypto & Defi Rug Pull: How to Spot?<\/a><\/p>\n\n\n\n World of Rising DeFi Scams: 5 Types of Scams that are Deceiving Investors<\/a><\/p>\n\n\n\n Honeypot Scams in Crypto<\/a><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6A victim on #Ethereum fell victim to a zero-address transfer scam on Jan 10, 2024, when it accidentally sent 960,000 USDT to the scam address instead of the address it meant to transfer.<\/p>\n\n\n\n Zero transfer scams have become quite common in the crypto world. They are increasingly getting popular with scammers as it requires minimal effort on the scammer\u00e2\u20ac\u2122s part to steal money from novice #cryptoinvestors.<\/p>\n\n\n\n Victim: <\/strong>0x3dFf6f65Fd3354D2f98e065B814456Dc54435F0a<\/p>\n\n\n\n Intended Address:<\/strong> 0x9462B598aa7e45e6C2df22c35337Be248Df98CD6<\/p>\n\n\n\n Phishing Address:<\/strong> 0x946c8e51d95a1f1643c3617363aee83439f98cd6<\/p>\n\n\n\n What is a Zero Transfer Scam, and how do you avoid it?<\/a><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 10, 2023, the BRA token on #BSC was exploited for $225,000 when it lost 819 WBNB due to a smart contract vulnerability.<\/p>\n\n\n\n The Vulnerability<\/strong><\/p>\n\n\n\n Due to a logic vulnerability in the smart contract, every time the transfer function was invoked, the sender and recipient got twice the rewards if they were a pair.<\/p>\n\n\n\n The Attack Flow<\/strong><\/p>\n\n\n\n >>Step 1<\/strong><\/p>\n\n\n\n The attacker took a flash loan of 1,400 WBNB and exchanged 1,000 WBNB for 10.5K BRA tokens, which they later transferred to the Pancakeswap pair.<\/p>\n\n\n\n >>Step 2<\/strong><\/p>\n\n\n\n Using the skim() function, the attacker invoked the BRA contract\u00e2\u20ac\u2122s transfer function to receive rewards.<\/p>\n\n\n\n >>Step 3<\/strong><\/p>\n\n\n\n The \u00e2\u20ac\u02dcskim()\u00e2\u20ac\u2122 was set to work as a recovery mechanism whenever the number of tokens supplied to a pair exceeded the two uint112 storage spaces for reserves.<\/p>\n\n\n\n The attacker manipulated this and provided pair as the recipient address for receiving the BRA tokens.<\/p>\n\n\n\n Due to the vulnerability in the smart contract, the number of BRA tokens after every single skim became twice the intended amount.<\/p>\n\n\n\n The hacker repeatedly called skim() around 100 times to significantly increase the contract pair\u00e2\u20ac\u2122s BRA balance.<\/p>\n\n\n\n >>Step 4<\/strong><\/p>\n\n\n\n The attacker then returned 1.675K WBNB tokens and repaid the 1.4K WBNB token flash loan.<\/p>\n\n\n\n A profit of 675 WBNB was generated in this process, which the hacker sent to their address.<\/p>\n\n\n\n The whole sequence of attack was repeated one more time, and this time, the profit gained by the attacker was 144 WBNB.<\/p>\n\n\n\n Technical Info:<\/strong><\/p>\n\n\n\n Attack Transaction: <\/strong>https:\/\/bscscan.com\/tx\/0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047<\/p>\n\n\n\n Attacker\u00e2\u20ac\u2122s Address<\/strong>:<\/p>\n\n\n\n BRA Token Code: https:\/\/bscscan.com\/token\/0x449fea37d339a11efe1b181e5d5462464bba3752#code<\/p>\n\n\n\n Pancake Swap Contract:<\/strong> How to Avoid Such Attacks?<\/strong><\/p>\n\n\n\n This attack would not have happened if the smart contract auditors had examined the contract for logical issues. By conducting thorough testing and reviews of the smart contract code, the auditors can discover and fix potential vulnerabilities before deployment.<\/p>\n\n\n\n BRA Token Detailed Hack Analysis<\/a><\/p>\n\n\n\n \u00f0\u0178\u2018\u00bfOn Jan 11, 2024, a victim on the Ethereum chain was scammed for over ~$772K worth of stETH when it signed a malicious ERC20 Permit signature.<\/p>\n\n\n\n An ERC20 token approval given on a scam website can be activated by the hacker to carry out illegitimate transfers from an address without the knowledge of the owner.<\/p>\n\n\n\n Victim:<\/strong> 0x551b30bc933e26e098bd2e68d436c24ed39b7312<\/p>\n\n\n\n Scammer:<\/strong> 0x1A42605D92C210E4bE47A6363046c591659ab444 (Fake_Phishing269883)<\/p>\n\n\n\n Hack Txn:<\/strong> https:\/\/etherscan.io\/tx\/0xa653ede5787d5ee4b869d01643c3178b38d470445cd2078c23a5f2cfed4ff37b<\/p>\n\n\n\n To stay protected from ERC20 token approval phishing scams, always:<\/p>\n\n\n\n Revoke the approval without losing time to protect your funds from being drained by an exploiter of the dApp approved previously.<\/p>\n\n\n\n ERC20 Permit2 approval and the associated risks<\/a><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6Defi WiseLending protocol @Wise_Lending on Rthereum came under a price manipulation attack on Jan 12, 2024, when the exploiter manipulated a rounding error and caused losses of ~$460K (~178ETH)<\/p>\n\n\n\n The hacker knew that WiseLending uses rounding up when calculating shares withdrawals.<\/p>\n\n\n\n The attacker repeatedly called the withdraw function with a unit amount to cause a mismatch between the protocol token balance and shares. This led to the price manipulation.<\/p>\n\n\n\n The stolen funds are currently held at 0x592856d68B3FEE1D2dAa34CdC9851f3477C52530<\/p>\n\n\n\n Manipulated Contract:<\/strong> https:\/\/etherscan.io\/address\/0xb90cf1d740b206b6d80854bc525e609dc42b45dc<\/p>\n\n\n\n Hack Txn: <\/strong>https:\/\/etherscan.io\/tx\/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31<\/p>\n\n\n\n Rounding errors in smart contracts can lead to severe security vulnerabilities. To know how these can be mitigated, read:<\/p>\n\n\n\n How to Bypass the Integer Division Error in Smart Contracts?<\/a><\/p>\n\n\n\n Precision Loss Vulnerability in Solidity: A Deep Technical Dive<\/a><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6An address on the #Avalache chain lost 9.41 $BTC (~$433K) in a phishing attack on Jan 12, 2024. The victim transferred the stolen amount in two transfers in a single transaction.<\/p>\n\n\n\n Read: The Beginner\u00e2\u20ac\u2122s Guide to Phishing Attacks<\/a><\/p>\n\n\n\n Hack Txn:<\/strong> https:\/\/subnets.avax.network\/c-chain\/tx\/0xe00e4c8c11cff74c6a2296ef4e20cd0bc9811365022460f7207197923c4f51ed<\/p>\n\n\n\n Victim: <\/strong>0xda60167db93bfd982204a55afb7321a76afc419b<\/p>\n\n\n\n Contract Add:<\/strong> 0xf455878e14d435e23dd8a2000c8fac3fca2f33d5<\/p>\n\n\n\n Scammer Add 1: <\/strong>0xa3aa460C12713A000a33893b024D95db80945a2F (1.41147824 aAvaBTC.b)<\/p>\n\n\n\n Scammer Add 2: <\/strong>0x7666a59f3A38934cb1262d22Fac52A67fda4B123 (7.99837663 aAvaBTC.b)<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 15, 2023, Midas Capital was exploited using read-only Reentrancy. The losses in the attack were calculated to be ~$660K.<\/p>\n\n\n\n In the attack, the Polygon liquidity pool of the stablecoin protocol Jarvis was targeted.<\/p>\n\n\n\n Midas Capital had listed the WMATIC-stMATIC Curve LP token on their platform with supply caps of about 250,000.<\/p>\n\n\n\n The hacker was aware of it, and as the first step of the attack, they used Balancer V2, AAVE V3, and AAVE V2 to obtain WMatic flash loans in order to inflate the LP token price and borrow against it.<\/p>\n\n\n\n In the next step, they entered the Midas markets and added some liquidity to Curve (0 stMatic, 270000 of WMatic).<\/p>\n\n\n\n The hacker then deposited Curve LP as collateral (270K WMATIC) to Midas and added a large amount of liquidity (0 stMatic and 71M WMatic), which resulted in an imbalanced market state.<\/p>\n\n\n\n In the final step, the attack removed liquidity from Curve to trigger a callback using which they borrowed jCHF, jEUR, jGBP, and agEUR at an incorrect Curve LP price in Midas.<\/p>\n\n\n\n This led to the loss of 663,101 MATIC tokens, valued at over ~$660,000 at that time.<\/p>\n\n\n\n Hacker Address:<\/strong> 0x1863b74778cf5e1c9c482a1cdc2351362bd08611<\/p>\n\n\n\n Attack Txn: <\/strong>https:\/\/polygonscan.com\/tx\/0x0053490215baf541362fc78be0de98e3147f40223238d5b12512b3e26c0a2c2f<\/p>\n\n\n\n Exploited Contract: <\/strong>https:\/\/polygonscan.com\/address\/0x5bca7ddf1bcccb2ee8e46c56bfc9d3cdc77262bc#code<\/p>\n\n\n\n Reentrancy Attack: The Ultimate Guide<\/a><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 16, 2024, an address lost $229,553 worth of WBTC and ETH after signing malicious phishing signatures on a phishing website.<\/p>\n\n\n\n Hack Txn:<\/strong> Victim:<\/strong> 0x23f8c7db7a1b656652e9726ab264c5b181418b9f<\/p>\n\n\n\n Scammer:<\/strong> 0x145f2b66b7bf5ad64b4ae21d1c77a20c61bf45a9<\/p>\n\n\n\n The victim signed three ERC20 Permit signatures, and these token spenders are the temp address pre-computed by CREATE2.<\/p>\n\n\n\n CREATE2, although better than the previous CREATE, is now increasingly being used by scammers to carry out phishing attacks.<\/p>\n\n\n\n Explained: Create2 Opcode in Solidity<\/a><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6DeFi protocol Socket @SocketDotTech on Ethereum has been exploited for ~$3.3M on Jan 16 due to a bad route added 3 days ago.<\/p>\n\n\n\n Added Route tx: <\/strong>https:\/\/etherscan.io\/tx\/0x1df44e224c7a715da25fa33dcad2ca3a930d1a4dafd263e61c07b52673d505f4<\/p>\n\n\n\n This has affected users who had given infinite approval to the SocketGateway contract https:\/\/etherscan.io\/address\/0x3a23f943181408eac424116af7b7790c94cb97a5<\/p>\n\n\n\n The attacker took advantage of the incomplete user input validation to steal funds from the users who had approved the contract.<\/p>\n\n\n\n The Input Validation Vulnerability<\/strong><\/p>\n\n\n\n The attack was carried out by making an unsafe call in the performAction function.<\/p>\n\n\n\n Due to an input validation vulnerability in the contract, when transferring 0 WETH, the caller can specify other functions in the call and still pass the balance check validation.<\/p>\n\n\n\n Manipulating this flaw, the attacker constructed calldata to call transferfrom() of arbitrary tokens and transferred tokens approved to the contract by other users.<\/p>\n\n\n\n Attacker Add: <\/strong>https:\/\/etherscan.io\/address\/0x50df5a2217588772471b84adbbe4194a2ed39066<\/p>\n\n\n\n Hack Txn: <\/strong>https:\/\/etherscan.io\/tx\/0x591d054a9db63f0976e533f447df482bed5f24d7429646570b2108a67e24ce54<\/p>\n\n\n\n To contain the hack, the exploited contract was paused, and Socket asked its users to revoke all approvals to avoid loss of funds.<\/p>\n\n\n\n The bad route was also removed by Socket.<\/p>\n\n\n\n Disable route tx:<\/strong> The Hack Aftermath<\/strong><\/p>\n\n\n\n As of writing this, @SocketDotTech has informed the community that they have bridged on @BungeeExchange , and most of their partner frontends have been resumed.<\/p>\n\n\n\n They also stated that they are conducting a detailed analysis of the exploit, the report of which would be shared later with the community.<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6DeFi protocol @BasketDAOOrg was hacked on Jan 17, 2024, for over $107K due to a vulnerability in its smart contract.<\/p>\n\n\n\n The attack was an arbitrary low-level call exploit that happened due to a bug in the contract’s approval process.<\/p>\n\n\n\n In March 2022, the same contract, along with another contract (0x01A903c12A2Dd87A5410173A29543504DF8bD14B), were found to have similar vulnerabilities, which had caused fund loss.<\/p>\n\n\n\n Hack Txn: <\/strong>https:\/\/etherscan.io\/tx\/0x97201900198d0054a2f7a914f5625591feb6a18e7fc6bb4f0c964b967a6c15f6<\/p>\n\n\n\n Hacked Contract:<\/strong> https:\/\/etherscan.io\/address\/0x4622aff8e521a444c9301da0efd05f6b482221b8<\/p>\n\n\n\n Attacker Add:<\/strong> https:\/\/etherscan.io\/address\/0x63136677355840F26c0695dD6DE5C9E4f514f8e8<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 17, 2024, a victim on the Ethereum chain lost $149,435 worth of tokens due to signing malicious phishing signatures on a phishing site.<\/p>\n\n\n\n Hack Txn:<\/strong> Victim Add:<\/strong> Scammer Add 1:<\/strong> Scammer Add 2:<\/strong> 0x9fA7bB759641FCd37fe4aE41f725e0f653f2C726 (PinkDrainer: Wallet 2)<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6In another phishing incident on Jan 17, 2024, a victim on the Ethereum chain lost $178,030 worth ~6667 Auction tokens to the phishing maneuvers of the scammer.<\/p>\n\n\n\n Hack Txn:<\/strong> Jan-17-2024 01:37:59 PM +UTC Victim Add:<\/strong> 0xefbf320e8bc2e0a051db24f73b6f5756deeddcda<\/p>\n\n\n\n Scammer Add 1:<\/strong> 0xa2f10ccba0f5950eea846be601d7e0a627144b4e<\/p>\n\n\n\n Scammer Add 2:<\/strong> 0xa3aa460c12713a000a33893b024d95db80945a2f (Fake_Phishing270927)<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 18, 2022, Crosswise Finance (@crosswisefi)\u00e2\u20ac\u201dthe cross-chain decentralized exchange (DEX), suffered an exploit that saw it losing funds worth in excess of $879k.<\/p>\n\n\n\n Hack Txn:<\/strong> https:\/\/bscscan.com\/tx\/0xd02e444d0ef7ff063e3c2cecceba67eae832acf3f9cf817733af9139145f479b<\/p>\n\n\n\n Exploiter Add:<\/strong> 0x748346113B6d61870Aa0961C6D3FB38742fc5089<\/p>\n\n\n\n The Hack Methodology<\/strong><\/p>\n\n\n\n The Aftermath<\/strong><\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 21, 2024, a phishing attack on #ethereum cost a victim ~$4.2M worth of aEthWETH and aEthUNI.<\/p>\n\n\n\n The loss happened due to the victim’s signing of multiple ERC20 Permit signatures.<\/p>\n\n\n\n Attack Txn:<\/strong> https:\/\/etherscan.io\/tx\/0x93a0ce0711edaf7664c26b3654095f1052010bb7da62c135b6ef0c425c0c2f09<\/p>\n\n\n\n Victim:<\/strong> Attackers:<\/strong> The addresses created to transfer these tokens are the temp addresses pre-computed by CREATE2.<\/p>\n\n\n\n CREATE2 is now increasingly being used by scammers to carry out phishing attacks.<\/p>\n\n\n\n To Know What is CREATE2 and How it is Used by Scammers for Phishing Read \u00f0\u0178\u02dc\u02c6DeFi @ConcentricFi or Arbitrum chain suffered an exploit on Jan 22 and has reportedly lost ~$1.72M worth of crypto assets (715 $ETH).<\/p>\n\n\n\n The exploiters got unauthorized access to the protocol through a targeted social engineering attack on one of the team members holding the deployer wallet.<\/p>\n\n\n\n Although the smart contracts of the vault were duly audited before deployment but these contracts were upgradable, and the attackers manipulated this vulnerability to upgrade the vaults and minted LP tokens to drain the vault.<\/p>\n\n\n\n The Attack Methodology<\/strong><\/p>\n\n\n\n The attacker got hold of the private key through social engineering attacks on one of the team members with access to the deployer wallet.<\/p>\n\n\n\n As the vaults were upgradable, the attacker updated the implementation contract of the CONE-1 proxy contract from the original ConeCamelotVault contract to the attacker-controlled contract.<\/p>\n\n\n\n To mint LP tokens, the attacker added admin to the adminMint() function and subsequently drained the vaults.<\/p>\n\n\n\n Attacker Address 1<\/strong>: 0x105f52fcC329cEF4CBe25BC946f8a3738414E4A1.<\/p>\n\n\n\n Attacker Address 2<\/strong>: 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b<\/p>\n\n\n\n The address which created 3 upgraded ConeCamelotVault contracts is Addresses Holding Stolen Funds:<\/strong><\/p>\n\n\n\n Address 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d, holding stolen funds, is labeled as OKX Exploiter 2 on #Etherscan<\/p>\n\n\n\n Other addresses holding funds: 0xFD681A9aA555391Ef772C53144db8404AEC76030 and 0x17865c33e40814d691663bc292b2f77000f94c34 both have previously received funds from OKX Exploiter 2 on Dec 13, 2023, as checked on #Etherscan.<\/p>\n\n\n\n Precautionary Measures<\/strong><\/p>\n\n\n\n To keep user funds safe, users are advised to revoke all approvals for the following addresses on $ARB:<\/p>\n\n\n\n Actions Taken:<\/strong><\/p>\n\n\n\n Post exploit Team @ConcentricFi:<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 22, 2024, the @GAMEEToken on Polygon was exploited for $7M (600M $GMEE tokens).<\/p>\n\n\n\n The primary reason for the hack was a lack of access control, which led to the compromise of the $GMEE deployer address.<\/p>\n\n\n\n In the attack, the attacker withdrew a significant amount $GMEE from Animoca.<\/p>\n\n\n\n The stolen funds were later swapped to $MATIC. The attacker later bridged some of the funds to $ETH chain.<\/p>\n\n\n\n Due to the exchange of stolen funds by the exploiter at various DEX, the $GMEE token price across various exchanges has taken a hit.<\/p>\n\n\n\n In an official communication, the team @GAMEEToken confirmed that the exploit has only affected proprietary team token reserves, and no community-owned assets have been impacted in the attack.<\/p>\n\n\n\n Their initial investigation revealed that the compromise of the Polygon $GMEE deployer address might have happened via unauthorized GitLab access.<\/p>\n\n\n\n Attacker Address:<\/strong> https:\/\/polygonscan.com\/address\/0x16afa519642c932b073cd21d82162bdc7a471b86<\/p>\n\n\n\n GAMEE Token Contract Address: <\/strong> https:\/\/polygonscan.com\/address\/0xcf32822ff397ef82425153a9dcb726e5ff61dca7<\/p>\n\n\n\n The Hack Aftermath<\/strong><\/p>\n\n\n\n Following are the actions taken by the team @GAMEEToken<\/p>\n\n\n\n Access control vulnerabilities can seriously impact a project’s stability, security, and integrity. Learn how such vulnerabilities can be mitigated at: \u00f0\u0178\u02dc\u02c6The phishing scams continue to bleed the crypto investors. On Jan 23, 2024, the address 0xf8ebfa lost ~$1.3m worth of stablecoins on multiple chains.<\/p>\n\n\n\n Hack Txn: <\/strong>https:\/\/bscscan.com\/tx\/0x400b7583b892024db19940e2e74a26b22b188196e3c6cbff4e6663295a50daed<\/p>\n\n\n\n Victim:<\/strong> 0xf8ebfacb4768b4152dd38416c1ea5fd143f5f807<\/p>\n\n\n\n Scammer:<\/strong> 0xabd75cd4117fa7bfaa096f581abcec69b8d68f50<\/p>\n\n\n\n The phishing happened when the victim signed The addresses used for receiving stolen tokens are the temporary addresses pre-computed by CREATE2.<\/p>\n\n\n\n \u00f0\u0178\u02dc\u02c6On Jan 25, 2024, a victim on Ethereum lost ~$164k worth of PudgyPenguins NFTs to a phishing attack.<\/p>\n\n\n\n The hack’s cause was the victim’s signing of a malicious Blur Bulk signature.<\/p>\n\n\n\n This phishing exploit method is not new and is based on a malicious Blur bulk listing signature used by scammers to steal NFTs with just one message signature.<\/p>\n\n\n\n What is Blur Bulk Listing Message Phishing<\/strong><\/p>\n\n\n\n Usually, NFT owners are tricked by a malicious website to sign a listing for selling their NFTs for 0 ETH.<\/p>\n\n\n\n Due to Blur’s unreadable bulk listing messages, it gets difficult for NFT owners to identify a malicious request from the marketplace, and they end up losing their NFTs to hackers.<\/p>\n\n\n\n To avoid falling for such traps, always check the source of the signature request before signing any approval for NFT transfers.<\/p>\n\n\n\n If the source doesn\u00e2\u20ac\u2122t show http:\/\/blur.io, do not proceed with the signing request. Never sign any Blur bulk listing signature that is not from the official website i.e., http:\/\/blur.io<\/p>\n\n\n\n Hack Txn: <\/strong>https:\/\/etherscan.io\/tx\/0x2c837d3abc13ab662c84d518b129d045417d2e55af54748d932d7607f5cec10a<\/p>\n\n\n\n Victim:<\/strong> Scammer:<\/strong> \u00f0\u0178\u02dc\u02c6In a massive phishing attack, a victim on #ethereum lost $1.1M worth of $LINK on Jan 25, 2024.<\/p>\n\n\n\n After the victim signed a malicious swap transaction, the victim suffered a sandwich attack during the swap (without slippage protection) of 58.2K $LINK (worth ~$813K) for 222.4 $ETH (worth ~$494K). This led to a loss of $300K.<\/p>\n\n\n\n In this attack, the MEV bot received a bribe of 135.56 ETH (equivalent to $301K).<\/p>\n\n\n\n Hack Txns:<\/strong><\/p>\n\n\n\n
\n\n\n\nJan 2<\/h2>\n\n\n\n
rayDiv()<\/code> function.<\/p>\n\n\n\n
https:\/\/arbiscan.io\/address\/0x39519c027b503f40867548fb0c890b11728faa8f<\/p>\n\n\n\n
\n\n\n\nJan 4<\/h2>\n\n\n\n
@CamelotDEX, could be affected due to this exploit.<\/p>\n\n\n\n
has now bridged to #Ethereum in the multiple transactions.<\/p>\n\n\n\n
\n\n\n\nJan 5<\/h2>\n\n\n\n
by the attacker.<\/p>\n\n\n\nwithdraw<\/code> on unverified malicious contract 0x814304B1e200b4D36B26f53358BbBA6D6136B2F5.<\/p>\n\n\n\n
\n\n\n\nJan 7<\/h2>\n\n\n\n
Equip yourself with knowledge on detecting such scams and avoid falling for them.<\/p>\n\n\n\n
\n\n\n\nJan 10<\/h2>\n\n\n\n
https:\/\/bscscan.com\/address\/0x8f4ba1832611f0c364de7114bbff92ba676adf0e<\/p>\n\n\n\n
\n\n\n\nJan 11<\/h2>\n\n\n\n
Jan 12<\/h2>\n\n\n\n
\n\n\n\nJan 15<\/h2>\n\n\n\n
\n\n\n\nJan 16<\/h2>\n\n\n\n
https:\/\/etherscan.io\/tx\/0x6d34b0f63da4f7402c467a657eb4c12894d1dfaa3b0095992d19eb64de2282fc<\/p>\n\n\n\n
https:\/\/etherscan.io\/tx\/0xac75adcc1cb3fef158c4f200c48fcbcbb9b6ce3250bdf3751d6231d41a9e604b<\/p>\n\n\n\n
\n\n\n\nJan 17<\/h2>\n\n\n\n
Jan-17-2024 09:42:35 PM +UTC
https:\/\/etherscan.io\/tx\/0x98480bb8e5c212b4f408a3f74fbb94dc60529a97d14fe2356372b170ab320773<\/p>\n\n\n\n
0x373adc79ff63d5076d0685ca35031339d4e0da82<\/p>\n\n\n\n
0x4f4314e1e81650497d46e5b2179f5f3430902011<\/p>\n\n\n\n
https:\/\/etherscan.io\/tx\/0x8f6cb49baa8886d1d1fef5146afbccdb6075b3f0cc0fd3a9cf604fb9b9f0b94f<\/p>\n\n\n\n
\n\n\n\nJan 18<\/h2>\n\n\n\n
\n\n\n\nJan 21<\/h2>\n\n\n\n
0x1749ad951fb612b42dc105944da86c362a783487<\/p>\n\n\n\n
0x0000372B2BC916D6c904495e53533Ae90740F688
0xf672775e124E66f8cC3FB584ed739120d32bBaad<\/p>\n\n\n\n
Explained: Create2 Opcode in Solidity<\/a><\/p>\n\n\n\n
\n\n\n\nJan 22<\/h2>\n\n\n\n
0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F.<\/p>\n\n\n\n
Access Control Vulnerabilities in Solidity Smart Contracts<\/a><\/p>\n\n\n\n
\n\n\n\nJan 23<\/h2>\n\n\n\n
increaseAllowance<\/code> transaction and multiple ERC20 Permit signatures\/<\/p>\n\n\n\n
\n\n\n\nJan 25<\/h2>\n\n\n\n
https:\/\/etherscan.io\/address\/0x57179b08bd29b441da18ba84c526c3f0be23dacc<\/p>\n\n\n\n
https:\/\/etherscan.io\/address\/0x9e09dc51ad3b33464093f5505b81bc96e2eccde0<\/p>\n\n\n\n