Cointime

Download App
iOS & Android

Weekly Blockchain Security Watch Jan 2 to Jan 8

Validated Project

From 2 January 2023 to 8 January 2023, all security incidents that have occurred were Security Hacks.

SECURITY HACKS:

1. RTFKT’s COO Nikhil Gopalani Announces He Had Suffered Phishing Attack

On 3 Jan, RTFKT’s COO Nikhil Gopalani (@Nikgopalani) announced on Twitter that he had suffered a phishing attack and that the hacker had sold all his CloneX NFTs along with others.

He lost around US$300, 000 worth of crypto assets during this incident.

2. Worlds Beyond Announces Discord Hacked

On 3 Jan, NFT project on Ethereum Worlds Beyond (@WorldsBeyondNFT) announced on Twitter that their Discord account had been hacked and their server was temporarily compromised. The account also reported that all staff hand been banned from the server.

The account later reminded users that they will “never stealth mint” and urged users to only use their official links to avoid potential scams or hacks.

As of the time of writing, investigations are still ongoing, and the project has opened channels in Discord to aid affected users.

3. Hacker Exploits Vulnerability on Function Lacking Validation for Settings in Attack Against GDS

On 3 Jan, GDS Chain’s application deployed on the BNB chain was attacked.

The root cause of this incident was its “_lpRewardAmount” function had lacked validation for its settings. The hacker leveraged a flash-loan and exploited this vulnerability to launch the attack.

After the hack, the GDS’ price crashed by 84% and crypto assets worth around US $187,000 were exploited.

Additional Details:

– Attacker’s Address: 0xcF2362B46669E04B16D0780cf9B6e61c82De36a7

– Hash Value of Attack Transaction:

 0x2bb704e0d158594f7373ec6e53dc9da6c6639f269207da8dab883fc3b5bf6694

4. Cirrus Announce Holders of CryptoPunks, BAYCs, Meebits Suffer Phishing Scams

On 4 Jan, NFT community member Cirrus (@CirrusNFT) announced on Twitter that holders of CryptoPunks, BAYCs, and Meebits suffered phishing scams. CryptoPunks 4607, 965, and BAYC 1723 were exploited.

Later, Twitter user @CryptoNovo311 claimed that 4 CryptoPunks in his possession were stolen.

CryptoPunks and BAYCs worth above 600 ETHs (US$748, 800) were exploited in these attacks.

It was also suspected that the hacker had also exploited 111 KUMALEON NFTs and used FixedFloat to cash out.

Additional Details:

– Attacker’s Address: 0x8E25Ab3382ad5bde35A09E72d3b9a851A7cC8d00

– Attacked Address: 0x52aD8f3C506aA25b954276c5456060DAd6f3Fd7b

5. Hacker Exploits Whale Holder of GMX Through Phishing Attack

On 4 Jan, a whale holder of GMX suffered from a phishing attack on the BNB chain.

The attacker exploited 82519 GMXs worth around US $3.4 million on the BNB chain, exchanged them to 2627 ETHs and cross-chain transferred them from the BNB chain to Ethereum.

6. Hacker Attacks Deviants’ Discord Server

On 4 Jan, a hacker attacked Deviants’ discord server. Deviants is an NFT project on Ethereum.

7. Inkwork Labs Announce Discord Server Compromised

On 5 Jan, NFT project on Solana Inkwork Labs (@InkworkLabs) announced on Twitter that their Discord server had been compromised. The account later posted a follow-up thread revealing that one of their “now older mods, Krypto King#0036” had clicked on a malicious link that caused a Dyno bypass. Dyno is a Discord bot used for various purposes like moderation and user verification.

The account also reported that although the attackers had gained access to the server earlier, the attack was not conducted until everyone was away.

Inkwork Labs also reported that the accounts associated with the exploited were identified and banned. They also urged users not to click on any links unless a drops is scheduled. Moreover, they advised users to “always double check the user who’s posting the announcement. ALWAYS.”.

Relevant channels for affected users have been opened for further assistance.

8. Hacker Attacks Twitter User @TheViralFever

On 6 Jan, a hacker launched a phishing attack against Twitter user @TheViralFever by sending the users a fake link to ENS airdrop.

9. Hacker Attacks PanksNotDed’s Discord Server

On 7 Jan, a hacker attacked PanksNotDed’s discord server. PanksNotDed is an NFT project on Ethereum.

10. Hacker Attacks Cyber Kongz’s Discord Server

On 7 Jan, a hacker attacked Cyber Kongz’s discord server. Cyber Kongz is an NFT project on Ethereum.

11. Mycelium Announces Attack Due to Issue with Price Feed for ETH-USD

On 7 Jan, the team behind a DeFi perpetual application deployed on Arbitrum Mycelium (@mycelium_xyz) announced on its Twitter a that it was attacked.

The team also announced that the attack came due to an issue with its price feed for ETH-USD. Its MLP was exploited by 4% ~ 6% of the total assets, totaling around US$300, 000.

At the time of writing, the issue had been fixed and the application was back to work.

12. Hacker Attacks Yaypegs’s Discord Server

On 8 Jan, a hacker attacked Yaypegs’s discord server. Yaypegs is an NFT project on Ethereum.

13. Hacker Attacks Mech’s Discord Server

On 8 Jan, a hacker attacked Mech’s discord server. Mech is an NFT project on Polygon.

CONCLUSION-

13 notable security incidents have occurred in the past week. Most of them were phishing attacks against Discord or Twitter accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/

Comments

All Comments

Recommended for you

  • Publisher-Exchanges: Consumer Applications and the Attention Theory of Value

    “The price is the news” is an often used adage in crypto circles any time there is heightened engagement and awareness around a network following fast price action. It has become clear to me that the inverse of this statement is perhaps more profoundly true: “The news is the price.”

  • The Token Is The Product

    There’s an old saying in venture that says “first time founders focus on product, and second time founders focus on distribution”. This describes how product builders often expect that they can achieve growth purely thanks to the quality of their product, rather than by investing energy into creating repeatable patterns that will help them consistently attract attention and users to their product.

  • Ethereum has blobs. Where do we go from here?

    On March 13, the Dencun hard fork activated, enabling one of the long-awaited features of Ethereum: proto-danksharding (aka EIP-4844, aka blobs). Initially, the fork reduced the transaction fees of rollups by a factor of over 100, as blobs were nearly free. In the last day, we finally saw blobs spike up in volume and the fee market activate as the blobscriptions protocol started to use them. Blobs are not free, but they remain much cheaper than calldata.

  • Web3 AI training company FLock raises $6 million in seed funding

    Web3 artificial intelligence training company FLock has raised $6 million in seed funding led by Lightspeed Faction and Tagus Capital. FLock will use these funds to develop its team and build a federated learning-driven artificial intelligence training platform.

  • Prisma: Vault owners need to prohibit delegation of contracts related to LST and LRT

    The LSD stablecoin protocol Prisma Finance stated in a post that for vault owners, please prohibit delegating authorization of the LST contract starting with 0xcC72 and the LRT contract starting with 0xC3eA.

  • MAS: Singapore is working on global first-tier fund tokenization regulation

    Chia Der Jiun, Managing Director of the Monetary Authority of Singapore, introduced some fund tokenization pilots at an event for asset managers. These pilots are part of the Project Guardian and MAS Global Layer 1 (GL1) tokenization plans. Chia Der Jiun emphasized the advantages of tokenization in real-time settlement and process automation, which can improve efficiency and achieve greater customization of funds. UK asset management company Schroders and fund distribution platform Calastone are exploring this as part of the Project Guardian public blockchain trial in Singapore. A recent survey by Calastone showed that 96% of asset management companies in the Asia-Pacific region plan to launch tokenized products within three years. Chia stated that as these Project Guardian pilot projects approach commercialization, MAS is working with the pilot project managers to study the legal and regulatory treatment and impact of tokenized investment funds."

  • Indonesia's Financial Services Authority to Regulate Crypto Industry in 2025 with Evaluation in Regulatory Sandbox

    Indonesia's Financial Services Authority (OJK) will take over regulation of the crypto industry from the commodities agency Bappebti. Crypto firms must undergo evaluation in a regulatory sandbox before being licensed to operate in the country. The OJK aims to prioritize consumer protection and education, and firms operating without evaluation in the sandbox will be considered illegal. The sandbox provides a safe and isolated environment for testing and innovation development, helping to enhance security and responsible management in the financial sector. Once under OJK's oversight, crypto assets will likely be reclassified as financial instruments.

  • The Shenzhen Illegal Fund Raising Prevention Office issued a risk warning on the "DDO digital options" business

    The Shenzhen Office for Preventing and Dealing with Illegal Fundraising issued a risk warning regarding the "DDO digital option" business. The activities related to the DDO digital option business conducted in the name of Dingyifeng International are essentially the issuance and trading of virtual currencies. According to the "Notice on Further Preventing and Dealing with Risks of Speculation in Virtual Currency Trading" jointly issued by ten departments including the People's Bank of China in September 2021, it is clear that virtual currency-related business activities are illegal financial activities, and overseas virtual currency exchanges providing services to residents within China are also illegal financial activities. The activities conducted by Dingyifeng International in the name of serving residents within China are suspected of illegal fundraising and other illegal financial activities. Our office has organized relevant departments to carry out work, resolutely deal with illegal fundraising and criminal activities, and seriously investigate the legal responsibilities of relevant personnel. (Shenzhen Local Financial Supervision and Administration Bureau)

  • The Hong Kong Legislative Council plans to review the relevant stable currency consultation and sandbox legislation at the end of this year or next year

    Hong Kong legislator Wu Jiezhuang revealed that Hong Kong will release stablecoin consultation and sandbox (computer security mechanism), which will allow the industry to innovate digital asset projects in the sandbox environment. Relevant legislation will be reviewed in the Legislative Council at the end of this year or next year, which will help the entire digital asset industry ecosystem. Hong Kong has been improving the digital asset (virtual asset) market on different legal levels. Last year, there were regulations on virtual currency trading platforms and issuance systems.

  • Vitalik: Humanity needs to create a world where blockchain and artificial intelligence work together

    Vitalik Buterin, the founder of Ethereum, stated at BiddleAsia 2024 held at Signiel Seoul in the Songpa district on March 28 that artificial intelligence is a huge market and its importance is increasing day by day. We need to create a world where blockchain and artificial intelligence work together. Artificial intelligence can now create applications with 100 to 500 lines of code. Vitalik also stated that the ability to write 10,000 lines of code can eliminate most of the bugs in the Ethereum virtual machine.