Weekly Blockchain Security Watch (November 28 to Dec 4)

All security incidents recorded from November 28 to December 4, 2022 were security hacks.

SECURITY HACKS:

1. Hacker Attacks Prometheus

On Nov 28, Prometheus, a dApp deployed on the BNB chain, was attacked.

In this incident, the hacker withdrew 467,398 PHI from the project’s OTC contract and exchanged them for 124.73 BNB.

The Prometheus team recovered 112.08 BNB and kept them in a multi-sig (0x69A03128a7cb580553acf1cf287d4A5Ce0A01c1F).

The hacker made off with 12.65 BNB (worth around US $3,654.5) in this incident.

At the time of writing, the project’s gPHI and dPHI supply had not been exploited, and all the contracts had been paused, except the dividends pool.

Additional Details:

- Attacker’s Address: 0xc7233627c65f0dd1465938212a3adaa5dea50bf6 (BNB chain)

- Hash Value of Attack Transaction: 0x15472327df1fdace59c14eba5f4069ffb65c71c5f38f00355da990b68121d160

2. Hacker Attacks Shamanzs Discord Server

On Nov 28, a hacker attacked Shamanzs’ Discord server. Shamanzs is an NFT project deployed on Ethereum.

3. Hacker Leverages Flash-loan to Attack Seaman

On Nov 29, a hacker attacked Seaman, a dApp deployed on the BNB chain.

The root cause was that its tokenomics design made price manipulation possible.

The attacker flash-loaned 500,000 BUSD and exchanged them for GVC. The hacker then called Seaman’s transfer function to transfer a small amount of SEAMAN tokens, which triggered an exchange of SEAMAN tokens for GVC. This process called the _splitlpToken() function, which distributed the GVC to lpUser and reduced the amount of GVC held in the BUSD-GVC trading pair, thereby increasing the GVC price.

The hacker repeated the process and eventually made off with 7,781 BUSD (worth US $7,781) in this incident.

Additional Details:

- Attacker’s Address: 0x49fac69c51a303b4597d09c18bc5e7bf38ecf89c (BNB chain)

- Attacked Contract: 0xDB95FBc5532eEb43DeEd56c8dc050c930e31017e (GVC Token on BNB chain)
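The Seaman incident hinges on tokens leaving the BUSD-GVC pair without anything flowing in, which is something a constant-product pool never does on its own. The monitor below is an added example, not code from Seaman, GVC or Fairyproof: it models the pair with constructed reserves, replays an ordinary swap followed by a _splitlpToken()-style distribution out of the pair, and flags the step where the x*y=k invariant shrinks, which is the moment the GVC price is inflated. Reserve sizes, the fee and all function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Snapshot:
    block: int
    busd: float   # BUSD reserve held by the BUSD-GVC pair (constructed value)
    gvc: float    # GVC reserve held by the BUSD-GVC pair (constructed value)

    @property
    def k(self) -> float:
        return self.busd * self.gvc

    @property
    def price(self) -> float:
        """BUSD per GVC implied by the reserves (the pool's spot price)."""
        return self.busd / self.gvc


def swap_busd_for_gvc(s: Snapshot, busd_in: float, fee: float = 0.0025) -> Snapshot:
    """Ordinary constant-product swap: k never decreases (the fee makes it grow)."""
    gvc_after = s.k / (s.busd + busd_in * (1 - fee))
    return Snapshot(s.block + 1, s.busd + busd_in, gvc_after)


def remove_gvc_from_pair(s: Snapshot, gvc_out: float) -> Snapshot:
    """GVC leaves the pair with nothing coming in, as the distribution
    described above does: k drops and the GVC price jumps."""
    return Snapshot(s.block + 1, s.busd, s.gvc - gvc_out)


def invariant_alerts(history: List[Snapshot], max_drop: float = 0.01) -> list:
    """Flag every step where k fell by more than max_drop (1% by default).
    Swaps keep k, so only reserves leaving without a counter-flow trip this."""
    alerts = []
    for prev, cur in zip(history, history[1:]):
        drop = 1 - cur.k / prev.k
        if drop > max_drop:
            alerts.append({"block": cur.block, "k_drop": round(drop, 4),
                           "price_before": round(prev.price, 4),
                           "price_after": round(cur.price, 4)})
    return alerts


def demo() -> list:
    # Constructed pool: 1,000,000 BUSD and 1,000,000 GVC, so 1 GVC = 1 BUSD.
    s0 = Snapshot(block=100, busd=1_000_000.0, gvc=1_000_000.0)
    s1 = swap_busd_for_gvc(s0, 500_000.0)         # big buy moves price, keeps k
    s2 = remove_gvc_from_pair(s1, s1.gvc * 0.20)  # 20% of the GVC leaves the pair
    return invariant_alerts([s0, s1, s2])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the distribution step is reported; the large swap in between moves the price too, but leaves k intact and stays silent.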

4. Hacker Attacks SmallBros Discord Server

On Dec 1, a hacker attacked SmallBros’ Discord server. SmallBros is an NFT project deployed on Ethereum.

5. Hacker Attacks Brainless Spikes Discord Server

On Dec 1, a hacker attacked Brainless Spikes’ Discord server. Brainless Spikes is an NFT project deployed on Ethereum.

6. Hacker Attacks Ankr

On Dec 2, a hacker attacked Ankr, a dApp deployed on the BNB chain.

The root cause was very likely that the Ankr Deployer’s private key was compromised.

The attacker made off with crypto assets worth around US $5 million in this incident.

For more details about this incident, refer to:

https://twitter.com/FairyproofT/status/1598535802463875072?s=20&t=G7OlCC57pHNU-Bsgdjcb7w

Additional Details:

- Attacker’s Address: 0xf3a465C9fA6663fF50794C698F600Faa4b05c777 (BNB chain)

- Malicious aBNBc Contract: 0xd99955B615EF66F9Ee1430B02538a2eA52b14Ce4 (BNB chain)

- Ankr Deployer: 0x2Ffc59d32A524611Bb891cab759112A51f9e33C0 (BNB chain)

- Attacked Contract: 0xE85aFCcDaFBE7F2B096f268e31ccE3da8dA2990A (aBNBc on BNB chain)

- Initiator of Attack Transaction: 0x71699d5BD28F5C834eEe8E365848df056915Baa6 (BNB chain)

- Hash Value of Attack Transaction: 0xd07b210b872bc952b9f2250d8272a789f89a2f7a3621112fdd73addd7bdb080b (BNB chain)

CONCLUSION:

Six notable security incidents occurred in the past week. Four of them were attacks on smart contracts and two were attacks on social media accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to understand and practice an adequate level of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at
