X-explore

🚨 Solscan Address Resolution Misleading with SetAuthority Some malicious users have successfully interfered with Solscan's address resolution through the SetAuthority command, causing it to misinterpret the destination of transfers. Let's look at one example. solscan.io/tx/5ae4jX1aYNF… Notice that this transaction on Solscan is recorded as a transfer from "AEFfJ...." to "7Npep....". However, the real transaction is from "AEFfJ..." to "GYkjh...". The major problem is that such misleading data will result in wrong fund flow analysis. This risk could potentially cause difficulties in tracking illegal funds or pose a fake deposit risk to exchanges.

@hoanghalc_sol Thanks for the quick response. Glad to know it can be fixed soon~👍

@x_explore_eth Thanks for the report, this issue comes from the way we index transfer activity here, the account is correct but the owner need to be updated after set authority event. We will try to fix that asap

🚨 Solscan Address Resolution Misleading with SetAuthority Some malicious users have successfully interfered with Solscan's address resolution through the SetAuthority command, causing it to misinterpret the destination of transfers. Let's look at one example. solscan.io/tx/5ae4jX1aYNF… Notice that this transaction on Solscan is recorded as a transfer from "AEFfJ...." to "7Npep....". However, the real transaction is from "AEFfJ..." to "GYkjh...". The major problem is that such misleading data will result in wrong fund flow analysis. This risk could potentially cause difficulties in tracking illegal funds or pose a fake deposit risk to exchanges.

7/7 📚 Attack in Action (3/3) After staking, the attacker calls function burn in the attacker's contract. 🔥Within the function burn, it performs withdrawal of stake token 10,000 BSC-USD in INcufi. Then the attacker's contract asks contract B and contract C to call function swapComision to convert AKITADEF to BSC-USD.🔄 As a result, the attacker makes a profit of 1,500 BSC-USD. The attacker has done this process continuously and drained the funds in INcufi. 🏦

6/7 📚 Attack in Action (2/3) After the setup, now the attacker abuses the vulnerability in STAKE (uint amout ,uint day,uint countryid).💥 The attacker's contract performs buyNFT which basically performs STAKE with day =0 and amount with 10,000 BSC-USD. As the attacker's contract stakes the money, Contract B (0x1521d34ae3d85e2219bff49dd8fe2809e1ad07dd) earns 1,000 AKITADEF and Contract C (0x6976d28d21cba294377257eae04761fa5ce14eaf) earns 500 AKITADEF as shown below. Contract (Oxaa47b......6d5de) is an address from INcufi that costs the fees for using this protocol.📈

3/7 🔍 What was the loophole(1/2)? The loopholes lie in two functions of the smart contract 'INcufi': register(address referrer) and STAKE (uint amout ,uint day,uint countryid). First, the major vulnerability is in STAKE(uint amount, uint day, uint countryid). 🔓 The user can set how many days they want to stake in the contract. However, the problem is that there is no strict checking on the minimum days of staking, meaning the user can set the day to 0, allowing them to stake and withdraw rapidly. ⏱️ Note that when the user stakes, referrers earn a commission which can be converted to BSC-USD later on. 💸 As users can stake and withdraw without any restriction, commissions to referrers will be sent out every time users stake! 🔄

2/7 🔍What does the INcufi contract do? To understand where the loophole is, we need to understand what the INcufi contract is for. 🔍 The INcufi contract allows users to stake BSC-USD tokens and earn APY for staking the token to the contract. 📈 Once the user sets the day for staking, the amount will be locked by the contract until the set day passes and returned to the user with a certain interest rate. 📅 Moreover, to join as a participant, the user must be registered with the appointment of a referrer. 👥 To facilitate the staking environment, INcufi rewards a certain percentage of a token as a commission to referrers when the referred user stakes their money into the contract. 💸 Given how the INcufi contract works, let's look at the loophole in the system. 🔓

1/7 🚨 Referral Loophole in INcufi Yesterday, @Phalcon_xyz reported that an unknown contract (0x80df) on BSC drained ~$60K through interaction with a contract called 'INcufi' (0x80df77b2Ae5828FF499A735ee823D6CD7Cf95f5a). ⚠️ These transactions occurred from 2024-06-18 20:48 to 2024-06-18 21:07 UTC. 🕒 Our team conducted a quick research and discovered that the attacker gained profit by exploiting a loophole in the INcufi contract. 🔍 Our team believes that INcufi is related to this project holdonfordearlife.io

3/3 📚 Importance of Market Surveillance 🔍 According to our research, the price drop was likely due to higher timeframe arbitraging between the two exchanges. Currently, after the 66% drop in HIGH token value, Binance covers around 86% of the HIGH token market. 📊 Considering the market proportion of HIGH tokens was 74% on Binance (according to Crypto Quant), such a significant increase in market distribution raises questions about the market surveillance of transactions on Binance's side. 🛡️ Effective market surveillance is crucial to ensure fair trading practices and to detect any potential manipulative activities early on. The team is looking forward to the official announcement from @highstreetworld and will remain vigilant!

2/3 🔍 Who is this mysterious attacker? 🕵️♂️ Upon our investigation of two addresses, we have identified various intermediary wallets linked with these addresses. Initially, our team pinpointed these intermediary wallets as potential wallets utilized for price manipulation. 🔍 However, upon further research, our team has concluded that these addresses belong to normal users who have been engaging in arbitrage on the Binance exchange and Bithumb (specifically, selling on Bithumb and buying on Binance). Arbitrage is the act of buying tokens in one market and selling them in another at a higher price to make a profit. 📊 Our team concluded that the related intermediary wallets are normal users mainly due to two key factors: 📈 Transactions of various tokens 📆 Conducting transactions for over 6 months or more For further details check our attachment.

1/3 🚨 Potential Price Manipulation on HIGH Token? 📅 On June 12th, @highstreetworld shared an announcement on Telegram regarding a total of 66% drop in token value. According to the team's investigation, this movement was the result of a malicious attack on their community. 🕵️♂️ They stated that "an entity has withdrawn 20 million tokens, with 9 million originating directly from a Korean exchange (Bithumb)." Additionally, the team mentioned they have no intention of harming their own project to assure investors of the token's safety. 🔍 Without giving further detail, the team shared two wallet addresses and advised investors to "remain vigilant" upon further notice. 📈 Upon our investigation, our team confirmed multiple inflow transactions to Bithumb deposits from 3:10 pm (GMT +8) on June 8th until 2:28 pm (GMT +8) on June 12th. A total of over $20 million was sent to Bithumb's deposit wallet.

3/3 📚 Lesson of the Day When downloading extension files, remember that extensions have the ability to run executable files. To keep your environment safe, the team would like to provide 3 recommendations: 🖥️ Utilize a safe browsing environment - Isolate your trading environment to prevent unknown extensions from collecting your data. 🔒 Log out once used - Always remember to log out after you finish using your environment. This practice significantly decreases security risks. 🔗 Download files from trustworthy links - Always make sure you download extensions from trustworthy links and official websites.

2/3 🔍 How Cross Trading Happened The attack was executed by grabbing cookie data across all tabs to obtain the victim's login credentials. Upon deeper analysis by @Tree_of_Alpha, it was discovered that the extension contained malicious lines of code that sent all the cookie data to an external server. 🍪 Since cookies contain private information, including login credentials, the attacker was able to perform cross trading. 📉 For detail analysis check this article: chaincatcher.com/article/2127363

1/3 🚨 Danger of Chrome Extension 2 days ago, @CryptoNakamao shared a post about his tragic loss of $1 million. Due to a malicious Chrome extension such as Aggr, which he downloaded after seeing a recommendation in TG channels, he has become a victim of cross trading. 💸 However, upon our research, it seems such malicious attacks are not the first of their kind. We found that a fake Aggr extension was launched in 2020 and eneded it's service back in 2021. 🔍 Stay vigilant and always verify the extensions you install!

@llamaonthebrink Yeah, the X platform thought we were impersonating other accounts.

@x_explore_eth What happened to your account ser, it was suspended for awhile?

1/7 🕵️According to Scamsniffer's analysis, the first quarter of 2024 has seen a total of $173M lost to phishing scams. We found that scammers are using increasingly sophisticated methods to bypass security alerts and allure users. Check our comprehensive analysis of phishing attacks on blockchain for more details: mirror.xyz/x-explore.eth/…

7/7 🛡️ How to Protect Your Assets from Scammers: With two golden rules, you can secure your crypto assets: 🔐 Protect your seed phrase 📝 Understand what you sign on-chain Check our comprehensive analysis of phishing attacks on blockchain for more details: mirror.xyz/x-explore.eth/…

6/7 🌾 Restake Farming Attack ft. Angel Drainer : Our investigation into restake farming attacks on EigenLayer Protocol highlights how Angel Drainer exploits staking mechanisms to drain funds from users. Understanding these tactics is crucial for secure DeFi participation. 🌾💸

5/7 🚨 Bypassing Security Alerts ft. Angel Drainer: Discover how scammers use nested smart contracts to bypass security alerts from wallet providers. This advanced technique can catch users off guard. Stay one step ahead. 🔍🔔

4/7 🔍 Traditional Attack Methods: Our article examines classic phishing strategies like approve & transferFrom, permit, and private key extraction. These methods remain prevalent and pose significant risks. 🛡️🔑

3/7 🛡️ ERC-4337 Vulnerabilities?: We explore how attackers exploit new features in ERC-4337, leading to potential security breaches. Understanding these vulnerabilities is essential for safer blockchain interactions. 🔐🚨