From October 24 to October 30, 2022, all security incidents that have occurred can be categorized into Security Hacks and Rug-pulls.
1. A Fake ZKSYNC Twitter Account Posts Fake Message
On Oct 24, a Twitter account @zksync_io paraded as zkSync’s official account to send fake airdrop links.
2. Hacker Exploits QuickSwap by Leveraging Flashloans
On Oct 24, QuickSwap, a DeFi application deployed on Polygon was attacked.
Basically, the hacker leveraged a flashloan and exploited a vulnerability in Curve’s oracle which was used by QuickSwap to launch this attack.
Crypto assets worth around $220,000 were exploited in this incident.
At the time of writing, only Market XYZ was affected and QuickSwap’s contracts were safe. Since the assets that were used to back Market XYZ were provided by QiDAO, no retail users were affected.
- Attacker’s Address: 0x4206d62305d2815494dcdb759c4E32FCA1D181a0 (Polygon)
- Attack Contract: 0xEb4c67E5BE040068FA477a539341d6aeF081E4Eb (Polygon)
- Hash Value of Attack Transaction:
3. Hacker Exploits ULME
On Oct 25, ULME, an application deployed on the BNB chain was attacked.
The root cause was one of its functions lacked validation for a parameter.
The attacker flashloaned a certain quantity of BUSDs, iterated all the addresses that had been authorized to spend their BUSDs, transferred all these addresses’ BUSDs and pumped the ULME’s price, sold the ULMEs, and returned the flashloan.
The hacker eventually exploited around 50646 BUSDs.
- Attacker’s Address: 0x056c20Ab7E25e4dd7E49568f964d98E415da63D3 (BNB chain)
- Attack Contract: 0x8523C7661850D0Da4D86587ce9674DA23369fF26 (BNB chain)
- Attacked Contract: 0xAE975a25646E6eB859615d0A147B909c13D31FEd (UniverseGoldMountain on BNB chain)
- Hash Value of Attack Transaction:
0xdb9a13bc970b97824e082782e838bdff0b76b30d268f1d66aac507f1d43ff4ed (BNB chain)
4. Hacker Attacks Melody
On Oct 25, a hacker attacked Melody, an application deployed on the BNB chain.
The root cause was its off-chain signature module had a vulnerability. The hacker exploited this vulnerability, bypassed its access control, and generated signatures to steal the SGS and SNS tokens.
Around 2225BNBs were exploited in this incident.
5. Hacker Attacks Bittrex
On Oct 25, a hacker attacked Bittrex, a famous centralized exchange.
Basically, Bittrex’s API was compromised and the hacker used the API to exploit 301 ETHs from the exchange.
6. Hacker Attacks Binance US
On Oct 25, a hacker attacked Binance US, a famous centralized exchange.
Basically, the CEX’s API was compromised and the hacker used the API to exploit 1053 ETHs from the exchange.
The hacker also exploited Bittrex.
7. Hacker Attacks Spookie Finance
On Oct 26, a hacker attacked Spookie Finance, an application deployed on Avalanche.
A Twitter account Mario Paladin claimed that Spookie Finance’s front-end was suspected to be attacked. Users would be tricked to authorize an address beginning with “0xe316Ba” to spend their tokens and all exploited tokens were transferred to “0x5451A25AFf1c14DDEF74D2AF703aaCc5d483782c”. At the time of writing Twitter account, @SpookieFinance had disappeared and the price of GHOST at WAVAX dropped to nearly 0.
8. Hacker Attacks Primordials’ Discord
On Oct 26, Primordials’ Discord server was attacked. Primordials is an NFT project.
9. Hacker Attacks UvToken
On 27 Oct, a hacker attacked UvToken, a wallet application that supports multiple blockchains.
The root cause was it have a vulnerability in its validation module. The hacker exploited 5011 BNBs ($1.5 million) and cashed them out via Tornado Cash on the BNB chain. At the time of writing, UVT’s price dropped by 99%.
- Attacker’s Address: 0xf3e3ae9a40ac4ae7b17b3465f15ecf228ef4f760 (on BNB chain)
- Attacking Contract: 0x99d4311f0d613c4d0cD0011709Fbd7eC1BF87Be9 (on BNB chain)
- Hash Value of Attack Transaction:
0x54121ed538f27ffee2dbb232f9d9be33e39fdaf34adf993e5e019c00f6afd499 (on BNB chain)
10. Hacker Attacks Team Finance
On 27 Oct, a hacker attacked Team Finance, a DeFi application deployed on Ethereum.
The root cause was its migrate function didn’t validate the “_id” and “params” parameters.
The hacker exploited this vulnerability to migrate the tokens of WTH, CAW, USDC, TSUKA from its V2 pool to its V3 pool illegitimately, manipulated V3 pool’s initialized prices through sqrtPriceX96 and eventually stole crypto assets worth around $14.5 million.
- Attacker’s Address: 0x161cebB807Ac181d5303A4cCec2FC580CC5899Fd (Ethereum)
- Attacking Contract: 0xCFF07C4e6aa9E2fEc04DAaF5f41d1b10f3adAdF4 (Ethereum)
- Attacked Proxy Contract: 0xE2fE530C047f2d85298b07D9333C05737f1435fB (LockToken on Ethereum)
- Attacked Implementation Contract: 0x48D118C9185e4dBAFE7f3813F8F29EC8a6248359 (on Ethereum)
- Hash Value of Attach Transaction:
11. Hacker Attacks VIctor the Fortune
On 27 Oct, a hacker from 0x57c112cf4f1E4e381158735B12aaf8384B60E1cE on the BNB chain had attacked Victor the Fortune, an application deployed on the BNB chain.
The root cause was that its function lacked validation for parameters. The hacker leveraged a flashloan and exploited this vulnerability to attack this project.
Crypto assets worth around $58,000 were exploited in this attack.
12. Hacker Attacks Oxya’s Discord
On Oct 28, Oxya’s Discord server was attacked. Oxya is an NFT project.
13. Hacker Attacks Eden Network
On Oct 29, a hacker from 0x5C95123b1c8d9D8639197C81a829793B469A9f32 on Ethereum had attacked Eden Network, an application deployed on Ethereum.
The root cause was the private key of the project’s deployer was compromised and the hacker hijacked the access control. The hacker deployed a new token named NEDEN and claimed that the Eden Network team should burn 300 million NEDEN to take back the access control.
On Oct 14, a Twitter user Supremacy claimed that Eden Network’s private key was compromised due to a vulnerability in Profanity. However since the access control to the EDEN token had been transferred, this compromise didn’t cause a loss.
14. Hacker Attacks Chimpsons’ Discord
On Oct 30, Chimpsons’ Discord server was attacked. Chimpsons is an NFT project.
1. A6 Rug-pulls
On Oct 24, A6, a token project deployed on the BNB chain was confirmed to be a rug-pull. The team exploited crypto assets worth around $56000 and the token’s price dropped by 91.38%.
The token contract’s address is 0xE77D77309027c71F006DfF5d2F1b76060F4F5F13
2. Mango Inu Rug-pull
On Oct 24, Avraham Eisenberg who exploited Mango Markets claimed on his Twitter account that he exploited $100,000 by rug-pulling Mango Inu and he didn’t do anything wrong.
According to his words, after he deployed a Mango Inu token, around $250,000 was attracted to buy it. However due to some operational issues he only got $100,000 within half an hour.
16 notable security incidents related to security hacks have occurred in the past week. 14 were attacks and 2 were rug-pulls.
10 of 14 attacks were attacks on smart contracts or centralized exchanges and 4 on social media.
It is worth noting that 3 attacks were caused by missing validation for parameters.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.