
List of Crypto Hacks in the Month of October

by ImmuneBytes

Oct 6

😈On Oct 6, 2022, the $RES Token on the Binance Smart Chain suffered a flash loan attack, leading to a theft of roughly $290,000.

The attacker exploited a vulnerability in the token’s #smartcontract, manipulated the pool price, and profited by swapping #tokens.

Detailed Hack Analysis Report


Oct 11

😈On Oct 11, 2023, a major exploit hit the $BH token on the #BSC chain: due to suspected price manipulation, it lost 💰~$1.27 million.

  • Attacker Address: 0xFDbfcEEa1de360364084a6F37C9cdb7AaeA63464
  • Contract Address: 0xCC61CC9F2632314c9d452acA79104DDf680952b5

The Exploit

The attacker executed a complex series of transactions to carry out this exploit. It all started with a flash loan involving a significant amount of $USDT.

From there, the attacker made use of smart contracts and specific functions to manipulate the price of $BH and extract profits.

Hack Flow

  • Flash Loan: The attacker initiated a flash loan to obtain a substantial amount of $USDT.
  • Liquidity Addition: Next, the attacker called the 0x33688938() function to add $USDT to the contract.
    This action added liquidity to the trading pair, with the standard liquidity ratios being approximately 1 USDT: 100 BH.
  • Token Swap: Subsequently, the attacker swapped $USDT for $BH through the trading pair.
  • Liquidity Removal: To maximize their gains, the attacker invoked the 0x4e290832 function to remove liquidity from the pair.

The Manipulation

Due to the attacker’s well-timed swap, the liquidity removal ratio was significantly altered, resulting in approximately 1 USDT: 2 BH.

This discrepancy allowed the attacker to withdraw more $USDT than they initially provided, thereby profiting from the price manipulation.

The stolen funds have been sent to Tornado Cash.

😈On Oct 11, 2022, the crypto ecosystem witnessed one of its darkest days, when a series of hacks and exploits saw projects bleed more than $115 million. Here’s a detailed breakdown:

Mango Markets: Largest Theft of the Day – $115M

  • Platform: Solana-based DeFi project for borrowing, lending, and leverage trading.
  • Hack Details: The attacker manipulated the platform’s collateral value perception, borrowing $116 million and plunging Mango’s treasury to a -$116.7 million balance.
  • Affected Assets: USDC, MSOL, SOL, BTC, USDT, SRM, MNGO — nearly wiping out Mango’s liquidity.

DeBank’s Rabby Wallet: Smart Contract Exploit – $0.19M

  • Platform: Open-source browser plugin for funds transfer across chains.
  • Hack Details: An exploit in its smart contract allowed hackers to move user funds. Post-exploit, the hacker funneled 114 ETH and 179 BNB via Tornado Cash.
  • Immediate Action: Rabby Swap urged users to revoke their approvals on all chains and warned against fake assistance accounts.

TempleDAO’s STAX Finance: Smart Contract Vulnerability – $2.3M

  • Platform: Based on the TempleDAO DeFi protocol.
  • Hack Details: A loophole in the smart contract function migrateStake led to the breach. Hackers created a deceptive contract mimicking the old one but didn’t transfer funds to the new one, withdrawing 321,155 xLP tokens.
  • Impact: This hack slashed about 4% of TempleDAO’s total assets, which stand at $56.93 million.

QAN Platform: Bridge Hack – ~$1.2M

  • Platform: Ethereum bridge smart contract.
  • Hack Details: Exploiters nabbed 1.4 billion QANX tokens and exchanged them for 3,090 BNB and 256 ETH.
  • Total Loss: Approximately $1.2 million.

Oct 12

😈On Oct 12, 2023, @Platypusdefi on AVAX was exploited for ~$1M in a possible flash loan exploit.

The attacker created a contract to interact with the project’s contracts and gained 7,935.91 WAVAX and 49,648.81 sAVAX.

The stolen funds remain in the malicious contract created by the attacker.

Malicious contract: 0xF2c444572A402ec83B7Cb64E4A9Fc2188F0628F2
Attacker: 0x464073F659591507d9255B833D163ef1Af5ccc2C

Hack Txn:
0x6a09d38505beeb29ed4dbb30de2803f30f3c62e2464c6a20ec17026c372c763e

Update:

Platypus DeFi recovered around $1.98m of the ~$2.2m stolen in a breach on Oct 12, 2023.

The recovery includes 40,963 sAVAX (~$422K) and 104,713 WAVAX (~$977k) from the Exploiter EOA 0x0cD4 to Platypus DeFi multisig 0x068e.

This is in addition to ~$575k recovered from a second exploiter.

Multisig Address for Receiving Funds: https://subnets.avax.network/c-chain/address/0x068e297e8FF74115C9E1C4b5B83B700FdA5aFdEB

Recovery Txns: https://subnets.avax.network/c-chain/tx/0x5e1e9c57876f08e0d0be29cdd463e5cda54c1ee3c7d79efb5795a79b5ff1c135

😈On Oct 12, 2023, a fake BIGTIME token on the BSC chain was rugged for $162.8K when 0x60d6 swapped 1,000,000,000,000,000 BIGTIME tokens for 789.19055111 BNB.

Exploiter: 0x60d6ec1903a77aFA57607548036257D0989b4527

Hack Txn: https://bscscan.com/tx/0x2b70a73bc655335646ec3a30ee3b399dbf5334deb05ba442b489468f77312dbd

Token Contract: https://bscscan.com/token/0x62fdf8567e67ebe4066435d570256eae0bfa5170

😈On Oct 12, 2023, ETH address 0x40F5f17c08547E4eD65d6610D8dAf5E2f049f6D1 lost ~85.3 $stETH to PinkDrainer in 3 different txns.

The PinkDrainer Wallet 1 (0x63605E53D422C4F1ac0e01390AC59aAf84C44A51) initiated these txns, and the transferFrom() function was called. This looks like a contract approval phishing attack.

The address (0x059f30bc3Ce1f7e8B68257DD11Ad0E6c35D299d4) to which the majority, ~67.4 $stETH, was transferred had interacted with PinkDrainer contract 1 (0x00000f312c54d0dd25888ee9CDC3DEE988700000), which was funded by PinkDrainer Wallet 1.

😈On Oct 12, 2022, the Awakening project ($ATK) fell victim to a flash loan attack, resulting in a ~$120K loss.

Key Details:

  1. Targeted Strategy Contract: The attacker targeted the strategy contract of the $ATK project at address 0x96bF2E6CC029363B57Ffa5984b943f825D333614.
  2. Flash Loan Exploitation: Using a flash loan, the attacker siphoned off a significant volume of $ATK tokens from the contract in a single coordinated move.
  3. Token Conversion: The attacker converted the $ATK tokens into $BSC-USD.
  4. Conversion into $BNB: As a further laundering step, the attacker converted the $BSC-USD into $BNB.
  5. Obscured Path: The attacker deposited the funds into Tornado.cash.

Oct 13

😈On Oct 13, 2023, Beluga Protocol @Belugadex, the multichain stable swap AMM on the #Arbitrum chain, was exploited for ~113 $ETH (~$175K) in a flash loan attack.

The attack, which was initially funded by 0.1 $ETH from #OKX exchange, happened in 21 transactions during which USDT-USDC.e balance was manipulated to make a profit.

The attacker has moved the stolen 113 $ETH worth ~$175K to #MEXC crypto exchange.

Contract Address: 0x9e8675365366559053f964be5838d5fca008722c

Hack Txn: https://arbiscan.io/tx/0x57c96e320a3b885fabd95dd476d43c0d0fb10500d940d9594d4a458471a87abe

Exploiter Address: 0x4843e00ef4c9f9f6e6ae8d7b0a787f1c60050b01

Attack Contract: 0x9e8675365366559053f964be5838d5fca008722c

Additional Read: What is an Oracle Price Manipulation Attack?

😈On Oct 13, 2023, the @Wise_Lending protocol on ETH was attacked, but the malicious transaction was front-run by the well-known white-hat MEV bot c0ffeebabe.eth.

This is the same white hat MEV bot that returned 2,879 ETH (~ $5.4 million) to Curve Finance during its exploit in July 2023.

It front-ran the txn by paying ~93.4 ETH ($146.9k) as a bribe.

The bot itself netted 75.79 ETH ($118K) from the maneuver.

It returned the 169.19 ETH to @Wise_Token. In response, @Wise_Token rewarded the bot with 1 ETH. The attacker, in this case, leveraged two critical vulnerabilities to execute the attack:

  • Manipulating Share Values through ‘Donate’: The first exploit involved manipulating the value of each share within the lending pool by using the ‘Donate’ function. This manipulation likely created a skewed perception of the pool’s health and assets.
  • Precision Loss in ‘withdrawShares’: The second exploit took advantage of precision loss, causing the ‘withdrawShares’ function to return a value of 0. This clever manipulation allowed the attacker to withdraw the donated WBTC, effectively emptying the pool.

Successful Frontrun Transaction: https://etherscan.io/tx/0x7ac4a98599596adbf12fffa2bd23e2a2d2ac7e8989b6ea043fcc412a29126555

Failed WiseLending-Exploiting Transaction: https://etherscan.io/tx/0x10620efb40ec9c495fafe79c56891906debd62fa4d7a5baacdefe351c663a2f2

😈On Oct 13, 2023, a zero-transfer scammer grabbed over ~$40K in BSC-USD from address 0xa8498C4C9eCcB46838cAA6df390E4940722a7613.

Hack Txn:
https://bscscan.com/tx/0x230ef03a64905d8e0c9a074fde33c0fb993ad536b3852129c36efe485409ad69

Phishing address: 0x458728b505243a4FC6C138586d7E8feB44dF9961

The scammer polluted the victim’s txn history with fake Binance-Peg Tether USD (USDT) tokens and then grabbed funds from the victim.

Fake Token Contract: 0xEcbbdcfdc692c5259BF2F3E334DaBA44142a0542

Additional Read: What is a Zero-Transfer Phishing Attack?


Oct 17

😈On Oct 17, 2023, Fantom Foundation (@FantomFDN) suffered a breach of a few Fantom wallets.

The estimated losses from the Fantom Foundation funds are around 💰~$550K, and overall losses across multiple wallets are speculated to be around 💰~$7.1M (~4,501 ETH).

In an official statement, @FantomFDN acknowledged the breach and informed the community that although a few of the compromised wallets are labeled as “Foundation Wallets,” they were not being used officially by Fantom.

They had been reassigned to a Fantom employee, who was using them as personal wallets.

While the hack investigation is still underway, the cause of the hack could be 🔑private key theft🔓, executed with the help of phishing attacks and social engineering.

More information will be available after the completion of the hack analysis by @FantomFDN.

Stolen funds from the @FantomFDN wallet theft are currently sitting in EOA
https://etherscan.io/address/0x0b1F29DF74A19C44745862ab018D925501FE9596.


Oct 18

😈On Oct 18, 2023, the project The Honest Venture on #BSC was rugged for ~$58k.

As is typical of a rug pull, the project (@honestventures) has also deleted its social media accounts across platforms.

Token Contract Address: https://bscscan.com/address/0x693dBad5af3AFf43A1fa8d8154fAa527e1765DA4

😈On Oct 18, 2023, the @Hope_money_ DeFi protocol on Ethereum was exploited for 528 ETH in what appears to be a precision-loss bug in its smart contract.

Attack tx: https://explorer.phalcon.xyz/tx/eth/0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392

The Hack Flow:

  • The attacker opens a position in HopeLend and borrows 2,000 WBTC via a flash loan.
  • The flash loan function in the Pool contract adds flash loan fees into the reserve’s liquidityIndex.
  • The attacker manipulates the liquidityIndex of the hEthWBTC contract (from 1e27 to 7,560,000,001e27), which results in the precision loss.
  • Using this precision loss, the attacker borrowed many assets and redeemed all WBTC collateral to make profits.

As per the official statement from @Hope_money_, of the ~528 ETH lost, 263.91 ETH was used by the exploit’s front-runner to bribe the validator (operated by Lido).

The remaining 264.08 ETH is the profit earned by the exploiter. @Hope_money_ is reaching out to the parties involved in an attempt to recover the lost assets.

To mitigate precision losses:

  • Always use the SafeMath library to perform arithmetic operations. SafeMath protects against overflows, underflows, and division by zero.
  • Consider using fixed-point arithmetic libraries. Fixed-point arithmetic can be helpful for dealing with decimals without the risk of precision loss.
  • When dealing with precision, it is often better to work with integers. For example, if you’re dealing with a token with 18 decimal places, represent all values as integers by multiplying them by 10^18.

Learn more mitigation strategies at:
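As an added example, not code from the post, Wise Lending or HopeLend, the Python model below reproduces the rounding flaw common to the Wise Lending ‘Donate’/‘withdrawShares’ incident (Oct 13) and the HopeLend liquidityIndex exploit above, together with the fix the mitigation list points at: keep everything in scaled integers and round against the caller so a withdrawal can never cost 0 shares. The vault, the names Alice and Mallory, and all amounts are constructed.

```python
# Constructed model of share accounting; not any protocol's real code.
# Note: overflow checks (SafeMath, Solidity >= 0.8) do not catch this class
# of bug: every division here is in range, it simply rounds the wrong way.

RAY = 10**27  # Aave-style fixed-point scale; a liquidityIndex starts at 1 RAY


def scaled_balance(amount: int, liquidity_index: int) -> int:
    """Aave-style scaling: stored balance = amount / index, rounded down.
    Once an index is pumped from 1e27 to 7,560,000,001e27 (the HopeLend
    numbers), any deposit below 7,560,000,001 base units scales to 0."""
    return amount * RAY // liquidity_index


def div_up(a: int, b: int) -> int:
    """Integer division rounding towards +infinity (b > 0)."""
    return -(-a // b)


class Vault:
    """Pooled vault: users hold shares; total_assets / total_shares is the price."""

    def __init__(self):
        self.total_assets = 0
        self.total_shares = 0
        self.shares = {}

    def deposit(self, user: str, amount: int) -> int:
        # Minting rounds DOWN so a depositor never receives more than paid for.
        minted = amount if self.total_shares == 0 else amount * self.total_shares // self.total_assets
        self.total_assets += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def donate(self, amount: int) -> None:
        # Assets rise with no new shares: every existing share is now worth more.
        self.total_assets += amount

    def withdraw_naive(self, user: str, amount: int) -> int:
        # BUG: rounding DOWN lets a withdrawal burn 0 shares once the share
        # price is high enough, so it can be repeated at no cost.
        burn = amount * self.total_shares // self.total_assets
        return self._settle(user, amount, burn)

    def withdraw_safe(self, user: str, amount: int) -> int:
        # FIX: round UP against the withdrawer and refuse zero-share burns.
        burn = div_up(amount * self.total_shares, self.total_assets)
        if burn == 0:
            raise ValueError("amount too small: would burn 0 shares")
        return self._settle(user, amount, burn)

    def _settle(self, user: str, amount: int, burn: int) -> int:
        if self.shares.get(user, 0) < burn or amount > self.total_assets:
            raise ValueError("insufficient shares or assets")
        self.shares[user] -= burn
        self.total_shares -= burn
        self.total_assets -= amount
        return burn


def drain_attempt(safe: bool, rounds: int = 1000) -> tuple:
    """Alice deposits 1,000; Mallory deposits 1, donates 10**12 to pump the
    share price, then repeatedly withdraws the largest amount whose share cost
    rounds down to zero. Returns (successful withdrawals, Mallory's shares,
    assets left in the vault)."""
    v = Vault()
    v.deposit("alice", 1_000)
    v.deposit("mallory", 1)
    v.donate(10**12)
    done = 0
    for _ in range(rounds):
        amount = v.total_assets // v.total_shares - 1
        try:
            (v.withdraw_safe if safe else v.withdraw_naive)("mallory", amount)
            done += 1
        except ValueError:
            break
    return done, v.shares["mallory"], v.total_assets
```

With the naive rounding Mallory keeps her single share through every withdrawal and drains well over half the pool; with round-up she pays her one share on the first withdrawal and the second is rejected.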

Oct 20

😈On Oct 20, 2022, the DD token on the #BNB Chain and the Mango INU (MNGO) token on the Ethereum chain were rugged for $109K and $48.5K, respectively.

😈 On Oct 20, 2022, the IDEAL token on the #ethereum chain was rug-pulled for $21K.

😈 Health Token on the #BNB chain also suffered a price manipulation #attack on Oct 20, 2022, and lost ~17 BNB.

😈On Oct 20, 2022, $BGEO token’s smart contract on the BNB Chain was also exploited for 12 BNB due to a #smartcontract vulnerability.


Oct 23

😈On Oct 23, 2022, an attacker stole 49,950,000 L2DAO tokens from @TheLayer2DAO on the Optimism chain.

The hacker exploited a vulnerability arising from an inefficient deployment of the #smartcontract.

Layer2DAO struck a deal with the hacker and repurchased 31,239,677 tokens at $0.001.

By that time, the attacker had already exchanged 16.7 million tokens.

The hasty deal was struck to halt the free fall of the L2DAO token price, which had plummeted by 90% after news of the exploit broke.

Hacker’s Wallet for Storing Stolen Funds: https://optimistic.etherscan.io/address/0x0621160a25a17b7735ce7641fce5d24798c0a039

😈On Oct 23, 2022, the BTDOG (BTDOG) token on the #BSC chain suffered an exit scam and caused losses to the tune of ~$165K.

Hacker Address: https://bscscan.com/address/0x3e7960A0Cd30Dfde3C57E071936b98c7E98c8303

😈On Oct 23, 2022, the A6 (A6) token on BSC was rugged for $56K.

Hacker Address: https://bscscan.com/address/0xE77D77309027c71F006DfF5d2F1b76060F4F5F13


Oct 24

😈On Oct 24, 2023, @MaestroBots (Maestro Router contract) on Ethereum was exploited, resulting in a loss of approximately 280 Ether due to a vulnerability in their smart contract.

Nature of the Vulnerability

The vulnerability was centered around the 0x9239127f function in the Maestro Router 2 #smartcontract, which had an external call vulnerability.

With this flaw, an attacker could pass in a token address and specify transferFrom as the function to call, with the victim’s address and their own address as parameters.

This allowed them to transfer tokens from the victim’s account to their own.

  • Vulnerable Contract: 0x80a64c6D7f12C47B7c66c5B4E20E72bc1FCd5d9e
  • Attack Transaction Details: One of the attack transactions: 0xc087fbd68b9349b71838982e789e204454bfd00eebf9c8e101574376eb990d92
  • Additional Loss: Apart from the Ether, the exploit also facilitated the theft of approximately 37M $JOE tokens.

However, 26M $JOE remains in the pool, leading to a price impact of -30%.

Official Statement & Actions Taken

Maestro confirmed that the router exploit had been identified and addressed.

They updated their router to a safer, exploit-free version, and trading has resumed.

However, they noted that tokens with pools on platforms like SushiSwap, ShibaSwap, and ETH PancakeSwap will remain temporarily unavailable.

Furthermore, Maestro has pledged to ensure that all affected parties will be compensated.

They are currently devising the most efficient and fair method to process refunds, aiming to begin this process within a day.


Oct 25

😈On Oct 25, 2023, a fake Mina Protocol token ($MINA) on BSC executed a rug pull.

The token experienced a sharp price drop of 100% when an address 0x0920baB9c331974E71FA2b066a92cB26dA2da44A swapped 1,000,000,000,000,000 $MINA for ~474.26 $BNB (worth ~$107.5K).

Token Contract Address: 0xDC2cE29256a7F44C3A291f8C08D575593455bc39

Hack Txn: 0xb799b3db005bcdc2e8544f9e8f8c9aca2392d0a865d6ad1f0477615ad9061abd

This honeypot token had been created a few hours earlier by address 0x1EC5a461281d52a937678871A20830Ec8376f7F6 at txn 0xd5d5370df3cb233a7998f38395b73666e6746f4fad85bce610f6f9b09ef00256.

The token contract can mint more tokens.

0x0920…a44A interacted with address 0x1EC multiple times by calling the function ‘0xcc501133’.

Both 0x0920 and 0x1EC initially received funds from a Binance hot wallet.

To learn how to recognize fake tokens and projects, see: World of Rising DeFi Scams: 5 Types of Scams that are Deceiving Investors

😈On Oct 25, 2023, a fake #linea token on Ethereum was rugged for ~$729K.

The deployer named Fake_Phishing188235 removed ~403 #ETH and some fake Linea tokens from the liquidity pool.

The stolen funds have been moved to #tornadocash, and the deployer also received initial funds from Tornado Cash.

Contract Address: 0x00000000fEB6A772307C6aA88AB9D57b209aCb18
Deployer Address: 0x5Ac6737bD66d870cf52e51d95976E59C9b6DAC99

Hack Txn: 0x4ab6ec871ee08d408f1e5af97450af37b052e8df633074f1687d78c9eb6e4ced

😈On Oct 25, 2022, the AssetsDepositUpgrade contract for @Melody_SGS on BNB Chain was hacked, causing a total loss of 2,225 BNB.

This was not due to a contract-level vulnerability but to an off-chain module vulnerability.

An issue in the off-chain signature generation allowed the hacker to generate legitimate signatures, leading to the theft of SGS and SNS tokens, which were sold for a profit of 2,225 BNB.

😈On Oct 25, 2022, Project Santa Coin (SANTA) on BNB Chain suffered an #exitscam, experiencing a #slippage of 68.18%. An estimated $209K was taken by the exploiter.

Contract Address: 0x4F1A6FC6A7B65Dc7ebC4EB692Dc3641bE997c2F2
Hacker Address: 0x1A97098B09b8be6b457fab6f14F9CBE42c19a2f5

😈On Oct 25, 2022, the $ULME token on BNB Chain was subjected to a flash loan attack, leading to a loss of 💰50,646 $BUSD.

The attack started with a 1,000,000 BUSD borrowed via flash loan, which was swapped for $ULME tokens.

Through vulnerabilities in the buyMiner function, the attacker manipulated approved $BUSD and indirectly increased the $ULME price.

After the price hike, $ULME was swapped back to $BUSD, repaying the flash loan and netting a profit of 💰50,646 $BUSD.

Hack Txn: 0xdb9a13bc970b97824e082782e838bdff0b76b30d268f1d66aac507f1d43ff4ed

😈On October 25, 2022, NoodleSwap on the BNB chain was exploited due to a reentrancy vulnerability, costing a total of $29K.

Hack Txn: 0x8037b3dc0bf9d5d396c10506824096afb8125ea96ada011d35faa89fa3893aea
Exploiter Address: 0x8Ca72F46056D85DB271Dd305F6944f32A9870FF0


Oct 26

😈 On Oct 26, 2023, a fake iShares Bitcoin token ($IBTC) on #BSC executed a rug pull.

The token experienced a sharp price drop of 100% when an address 0xf4956850dd33Ae01018Cc0075E60dC21499c5B37 swapped 1,000,000,000,000,000 $IBTC for ~394.7 $WBNB (worth ~$88K).

Token Contract Address: 0xDc68EED00bce879fb920076Eaf227a99d7927929
Hack Txn: 0x8a92789d6702ca158c2187281f57dfe9a97dd2bb476aad542c7753b224da0341

This honeypot token had been created a few hours earlier by address 0xc329504902ad087445822fBa1ae1Ac19d7918Ed9 at txn 0xce6ad2f34723cc21e7b2e6c371548ac69e4d7a02449dea9e5172a7d4729ff539.

The token contract can mint more tokens.

0xf49568 used a newly created contract 0x8BDB39A01d02d86dC2F3eaB13aDb343683127278 multiple times by calling the function ‘0x25e34f51’.

Both 0xf49568 and 0xc32950 initially received funds from a #Binance hot #cryptowallet.

Notably, the transaction pattern, as well as the way the deployer and the dumping address were funded, closely resembles the fake Mina Protocol ($MINA) rug pull on #BSC on October 25.

$MINA Token Contract Address: 0xDC2cE29256a7F44C3A291f8C08D575593455bc39

😈 On Oct 26, 2020, Harvest Finance (@harvest_finance) was exploited in a 😈flash loan attack for ~$24 million from its USDC and USDT vaults.

The attacker manipulated asset values within the Curve.fi Y pool, causing a 13.8% drop in the USDC vault’s share price and a 13.7% decrease in the USDT vault’s share price.

The incident also triggered a sharp 65% decline in the value of Harvest Finance’s native token, FARM, in just one hour.

Harvest Finance Detailed Hack Analysis


Oct 27

😈 On Oct 27, 2023, the $STIMMY token on ETH was rugged for ~$78.2K when the contract deployer removed ~43.8 $ETH and 1,112,705,482.7 $STIMMY tokens from the liquidity pool.

@stimmyerc has already deleted all its social profiles, and the deployer has moved the stolen funds to different addresses.

Token Contract: 0x5bC749A299c5DE62325e1a676D53527149F7aa30
Deployer Address: 0xfc74e21e30fc7424ab689e127619362497810832

Txn: 0x660e39afb9e419bccf12941d0ce53d0253122df4950c24bbc898c5f94c6a5960

The deployer had received funds from address 0x17321448295e56fac0d00c4464ee3938f715818d, which has many interactions with honeypot/fake tokens.

😈 On Oct 27, 2022, Team Finance on the Ethereum platform was exploited for over $14.5 million.

An attacker capitalized on a vulnerability in the LockToken contract’s ‘migrate’ function, which permitted the unauthorized migration of tokens from the V2 liquidity pool to the V3 liquidity pool.

Team Finance Exploit – Oct 27, 2022 – Detailed Analysis

😈On October 27, 2021, Cream Finance was exploited for $136 million.

An attacker leveraged a vulnerability in the platform’s lending system, initiating the exploit by borrowing $500 million DAI from MakerDAO.

Cream Finance Exploit – Oct 27, 2021 – Detailed Analysis


Oct 28

😈 On 28 Oct 2023, @AstridFinance, an Ethereum liquidity re-staking pool, experienced a security breach due to a smart contract vulnerability in its withdrawal function.

This resulted in a loss of approximately $228k. The vulnerability allowed the attacker to manipulate the parameters of the withdraw() function, specifically the token address and token amount.

Hack Txn: 0x8af9b5fb3e2e3df8659ffb2e0f0c1f4c90d5a80f4f6fccef143b823ce673fb60
Hacker Address: 0x792eC27874E1F614e757A1ae49d00ef5B2C73959

To explain the exploit in simpler terms, the attackers followed these steps:

  1. They created three counterfeit tokens: A, B, and C.
  2. They used one of these fake tokens to withdraw and claim stETH.
  3. Another fake token was used to withdraw and claim rETH.
  4. The third fake token was employed to withdraw and claim cbETH.
  5. Finally, they converted stETH, rETH, and cbETH into ETH.

@AstridFinance acknowledged the attack and paused the smart contract.

After a successful negotiation, the hacker returned 80% of the stolen funds, amounting to 102 ETH, in the txn: 0x27cbd5f2f12067bcc9be3bafa9140b849ee1ee68ae5329c2a4ba789685111ad7


Oct 29

😈 On Oct 29, 2023, a #BSC address was scammed for ~$16K by a zero-transfer scammer.

The scammer made various fake BUSD transfers involving the victim’s address, as well as many zero-value BUSD transactions, polluting the victim’s transaction history.

The fake BUSD token used was created by Fake_Phishing2303.

Scammer Address: 0x9F01D1946f2f463432D1dd16D50A0E59b5da48E3
Victim Address: 0xf7aDeE1045Cd495e7658EdF25b0BD10eaB5Efd3e

Hack Txn: 0x3ca49dc971dd062b7d7a272e6f0030a2776542587e8b29e600d7559cd610c354

Fake BUSD Token contract: 0x130adF5fC687c97b82B28b532F0d8Cf500E5072C
Token creator: 0xDC043FB8479B768cB6b0a32A634A40E02e31D60F
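As an added example (not from the post), the Python heuristic below is a defender-side scan of an address’s ERC-20 Transfer history for the zero-transfer phishing pattern described in the Oct 13 and Oct 29 entries: zero-value transfers the victim never signed, transfers from token contracts that are not on an allow-list, and pairs of counterparties whose displayed prefix and suffix match. The event list, tx hashes, the bot address and the “genuine” counterparty are constructed; the victim, phishing and fake-token addresses are those quoted in the Oct 13 entry, and KNOWN_TOKENS is an assumed allow-list.

```python
from dataclasses import dataclass

KNOWN_TOKENS = {  # assumed allow-list: contract -> label (BSC Binance-Peg USDT)
    "0x55d398326f99059ff775485246999027b3197955": "Binance-Peg USDT",
}


@dataclass
class Transfer:
    token: str      # emitting contract
    tx_sender: str  # EOA that signed the transaction
    src: str        # Transfer.from
    dst: str        # Transfer.to
    value: int
    tx: str


def is_lookalike(a: str, b: str, n: int = 4) -> bool:
    """Same first/last n hex chars (what wallets and explorers show), different middle."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]


def flag_zero_transfer_phishing(events: list, victim: str) -> list:
    """Return (kind, tx, detail) findings for one victim address."""
    victim = victim.lower()
    findings = []
    for e in events:
        if e.token.lower() not in KNOWN_TOKENS:
            findings.append(("unknown-token", e.tx, e.token))
        # transferFrom(victim, x, 0) passes the allowance check on many tokens,
        # so a third party can plant an outgoing 0-value transfer in the history.
        if e.value == 0 and e.src.lower() == victim and e.tx_sender.lower() != victim:
            findings.append(("zero-value-not-signed-by-victim", e.tx, e.dst))
    # Counterparties the victim appears to have paid; any look-alike pair is suspect.
    outgoing = {}
    for e in events:
        if e.src.lower() == victim and e.value > 0:
            outgoing.setdefault(e.dst.lower(), e.tx)
    addrs = sorted(outgoing)
    for i, a in enumerate(addrs):
        for b in addrs[i + 1:]:
            if is_lookalike(a, b):
                detail = f"{a} ({outgoing[a]}) ~ {b} ({outgoing[b]})"
                findings.append(("look-alike-counterparties", outgoing[b], detail))
    return findings


VICTIM = "0xa8498C4C9eCcB46838cAA6df390E4940722a7613"
GENUINE = "0x4587a1b2c3d4e5f60718293a4b5c6d7e8f909961"  # constructed legit payee
PHISH = "0x458728b505243a4FC6C138586d7E8feB44dF9961"    # shares 4587…9961 with GENUINE
FAKE_USDT = "0xEcbbdcfdc692c5259BF2F3E334DaBA44142a0542"
REAL_USDT = "0x55d398326f99059fF775485246999027B3197955"
BOT = "0x1111111111111111111111111111111111111111"      # constructed scammer EOA

SAMPLE_EVENTS = [  # constructed history, oldest first
    Transfer(REAL_USDT, VICTIM, VICTIM, GENUINE, 5_000 * 10**18, "0xtx1"),  # real payment
    Transfer(REAL_USDT, BOT, VICTIM, PHISH, 0, "0xtx2"),                    # planted 0-value
    Transfer(FAKE_USDT, BOT, VICTIM, PHISH, 40_000 * 10**18, "0xtx3"),     # fake-token noise
    Transfer(REAL_USDT, VICTIM, VICTIM, PHISH, 40_000 * 10**18, "0xtx4"),  # victim copies PHISH
]
```

On the sample history the scan reports the planted zero-value transfer, the unknown token contract and the GENUINE/PHISH look-alike pair; a history holding only the real payment yields nothing.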


Oct 31

😈 On Oct 31, 2023, @TeamUnibot was exploited for 💰~$640K due to a smart contract vulnerability.

Contract Address: 0x126c9FbaB3A2FCA24eDfd17322E71a5e36E91865
Txn: 0xcbe521aea28911fe9983030748028e12541e347b8b6b974d026fa5065c22f0cf

Hacker Address: 0x413e4Fb75c300B92fEc12D7c44e4c0b4FAAB4d04

Technical Details:

  • The root cause of the breach is a “call injection”: the ‘varg0’ and ‘varg4’ parameters of the 0xb2bd16ab() function in the 0x126c contract are not validated, so malicious calldata can be passed and any external contract can be called arbitrarily.
  • This allows an attacker to invoke the ‘transferFrom’ function through the contract and thereby transfer out tokens that users had approved to it.
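As an added example (not Maestro’s, Unibot’s or the post’s code), this Python model shows the mechanism shared by the Maestro Router (Oct 24) and Unibot (Oct 31) call-injection exploits, beside the two checks that close it: an allow-list for the external target and a rule that the router may only pull tokens from the caller itself. The Token, the routers and the account names are constructed.

```python
# Constructed model: users approve a router to spend tokens for swaps; a router
# that forwards a caller-chosen target and function with itself as msg.sender
# lets anyone spend every allowance ever granted to the router.


class Token:
    """Minimal ERC-20-style ledger with allowances (constructed)."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, msg_sender: str, src: str, dst: str, amount: int) -> None:
        # The allowance is checked against the CALLER, i.e. the router, not the user.
        allowed = self.allowance.get((src, msg_sender), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(src, msg_sender)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class VulnerableRouter:
    """Forwards whatever (target, function, args) the caller supplies."""

    name = "router"

    def execute(self, caller: str, target, fn: str, args: list) -> None:
        # BUG: target and fn come straight from calldata and are never validated.
        getattr(target, fn)(self.name, *args)


class HardenedRouter(VulnerableRouter):
    """Allow-lists targets and pins transfer_from's `src` to the actual caller."""

    def __init__(self, allowed_targets):
        self.allowed = {id(t) for t in allowed_targets}

    def execute(self, caller: str, target, fn: str, args: list) -> None:
        if id(target) not in self.allowed:
            raise PermissionError("target not allow-listed")
        if fn == "transfer_from" and args[0] != caller:
            raise PermissionError("router may only move the caller's own tokens")
        super().execute(caller, target, fn, args)


def scenario(router_cls, caller: str, src: str, dst: str, amount: int) -> tuple:
    """Victim approved the router for 1,000 JOE; `caller` asks the router to move
    `amount` from `src` to `dst`. Returns (victim balance, dst balance, error)."""
    joe = Token({"victim": 1000})
    joe.approve("victim", VulnerableRouter.name, 1000)
    router = router_cls([joe]) if router_cls is HardenedRouter else router_cls()
    error = None
    try:
        router.execute(caller, joe, "transfer_from", [src, dst, amount])
    except PermissionError as e:
        error = str(e)
    return joe.balances["victim"], joe.balances.get(dst, 0), error
```

The hardened router still serves the legitimate case (a user moving their own approved tokens) while rejecting a third party's attempt to spend the victim's allowance.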
