
List of Crypto Hacks in the Month of December

by ImmuneBytes

Dec 1

😈On December 1, 2023, the FCN-TRUST (FCN) token on BSC was exploited for over $504k in a flash loan attack in which the attacker exploited a vulnerability in a specific, unverified contract.

The attack caused the token price to crash by 99% within a few hours.

Unverified Contract and Loss: The incident involves an unverified contract (0x431abb) on the BSC network. The contract appears to have flaws, particularly in its reward calculation logic, which resulted in a loss exceeding $500,000.

Distribution of FCN Tokens: The contract in question is designed to distribute #FCN token rewards to users. These rewards are calculated from the reserve amount of the FCN-BSC-USD pair.

Attacker’s Methodology:

  • Initial Staking: The attacker started by staking some tokens in the contract.
  • Flash Loan and Reward Claim: They then took a flash loan of BSC-USD from the FCN-BSC-USD pair and claimed rewards inside the flash loan callback.
  • Exploitation of Calculation Logic: Because the flash loan temporarily reduced the BSC-USD in the pair, contract 0x431abb miscalculated the rewards, allocating an excessive amount of #FCN tokens to the attacker.

Token Staking Transaction: https://bscscan.com/tx/0xbeea4ff215b15870e22ed0e4d36ccd595974ffd55c3d75dad2230196cc379a52
Reward Claim Transaction: https://bscscan.com/tx/0xb650e9f4b9eb023ea65b55ca4d088323e3d5bda377880dedb149a7fd3fd5c15f

The stolen funds have been moved to Tornado Cash in multiple transactions.

Attacker address: https://bscscan.com/address/0xa9edec4496bd013dac805fb221edefc53cbfaf05
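A reduced model of the reward pattern described above, added here as an example (it is not code from the FCN contract, whose source is unverified): the vulnerable pool prices rewards off the pair's live balances, while the hardened variant prices off the pair's start-of-block record and refuses same-block claims. The pair, the 100 USD reward budget, the block bookkeeping and the class names are assumptions.

```python
"""Reward pricing off live pair balances, beside a hardened variant.
Added example modelling the pattern described above; it is not the FCN
contract (whose source is unverified). The pair, the 100 USD reward budget,
the block bookkeeping and the class names are assumptions for illustration."""

class Pair:
    """FCN / BSC-USD pair. Like a Uniswap V2-style pair it records its balances as
    they stood at the start of the current block before applying any change in
    that block, so the record never reflects an in-progress flash loan."""

    def __init__(self, fcn: float, usd: float):
        self.fcn, self.usd = fcn, usd
        self.obs_block, self.obs = 0, (fcn, usd)

    def record(self, block: int) -> None:
        if block > self.obs_block:
            self.obs_block, self.obs = block, (self.fcn, self.usd)

    def flash_loan_usd(self, amount: float, callback, block: int):
        self.record(block)       # balances before this change
        self.usd -= amount       # live balance drops for the duration of the callback
        try:
            return callback()
        finally:
            self.usd += amount   # repaid in the same transaction

class SpotRewardPool:
    """Vulnerable pattern: converts a fixed USD reward into FCN using the pair's
    live balances, which a flash loan shifts mid-transaction."""
    REWARD_USD = 100.0

    def __init__(self, pair: Pair):
        self.pair = pair
        self.staked = {}

    def stake(self, who: str, amount_fcn: float, block: int) -> None:
        self.staked[who] = self.staked.get(who, 0.0) + amount_fcn

    def reserves(self, block: int) -> tuple:
        return self.pair.fcn, self.pair.usd

    def claim(self, who: str, block: int) -> float:
        if self.staked.get(who, 0.0) <= 0:
            return 0.0
        fcn, usd = self.reserves(block)
        # FCN owed = USD budget / (USD per FCN) = USD budget * fcn_reserve / usd_reserve
        return self.REWARD_USD * fcn / usd

class BlockObservedRewardPool(SpotRewardPool):
    """Hardened: price from the pair's start-of-block record and refuse a claim in
    the block the stake was made. Single-transaction (flash loan) manipulation has
    no effect; moving the price across blocks costs real capital, and a longer
    time-weighted average (not modelled here) raises that cost further."""

    def __init__(self, pair: Pair):
        super().__init__(pair)
        self.stake_block = {}

    def stake(self, who: str, amount_fcn: float, block: int) -> None:
        super().stake(who, amount_fcn, block)
        self.stake_block[who] = block

    def reserves(self, block: int) -> tuple:
        self.pair.record(block)   # ensure the record is for this block
        return self.pair.obs

    def claim(self, who: str, block: int) -> float:
        if self.stake_block.get(who) == block:
            raise PermissionError("stake and claim in the same block")
        return super().claim(who, block)

def simulate(pool_cls) -> float:
    """Stake 1,000 FCN in block 1, then in block 2 claim inside a flash loan of 90%
    of the pair's BSC-USD. Honest payout: 100 USD / 0.10 USD per FCN = 1,000 FCN."""
    pair = Pair(fcn=1_000_000.0, usd=100_000.0)   # constructed: 0.10 USD per FCN
    pool = pool_cls(pair)
    pool.stake("attacker", 1_000.0, block=1)
    return pair.flash_loan_usd(90_000.0, lambda: pool.claim("attacker", block=2), block=2)

def same_block_claim_rejected() -> bool:
    pool = BlockObservedRewardPool(Pair(fcn=1_000_000.0, usd=100_000.0))
    pool.stake("attacker", 1_000.0, block=1)
    try:
        pool.claim("attacker", block=1)
        return False
    except PermissionError:
        return True
```

With the flash loan active, the spot-priced pool pays ten times the honest amount, while the block-observed pool pays the honest 1,000 FCN.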

😈On 1 Dec 2022, a smart contract (0x5a88114f02bffb04a9a13a776f592547b3080237) on BSC was apparently #exploited for ~$6k through price manipulation.

The contract’s source code was not verified, and the hacker was able to manipulate the price of ArenaPlay (APC) tokens because the swap price was tied to the reserve balances of the PancakeSwap pair.

Txn: https://bscscan.com/tx/0xf2d4559aeb945fb8e4304da5320ce6a2a96415aa70286715c9fcaf5dbd9d7ed2

😈On 1 December 2021, DeFi platform BadgerDAO experienced a significant hack, resulting in the theft of $130 million in funds.

This attack was attributed to a phishing incident involving the injection of a malicious snippet through Cloudflare, a platform operating within Badger’s cloud infrastructure.

The hacker exploited a compromised API key, which had been created without the knowledge or authorization of Badger engineers.

This key allowed the attacker to periodically inject malicious code affecting a portion of Badger’s user base.

Approximately $9 million of the stolen funds were recovered as they were transferred by the hacker but not withdrawn from Badger’s vaults.

😈On 1 December 2020, the Compounder.Finance DeFi project executed one of the biggest rug pulls.

The contract was launched on November 9th, and a mere 22 days later, on December 1st, the developer team executed a classic developer rug pull, taking over $10 million from users, including $5.066 million in DAI, $4.8 million in ETH (8,080 ETH), $745,000 in Wrapped BTC (39 WBTC), and negligible amounts of DeFi tokens like COMP, UNI-V2, and CP3R.

https://etherscan.io/token/0x7ef1081ecc8b5b5b130656a41d4ce4f89dbbcc8c#tokenAnalytics

Astonishingly, Compounder.Finance had previously undergone an audit by third-party smart contract auditors, with documented correspondences between the two parties.

Adding to the shock, the project’s website and Twitter account were swiftly deleted following the rug pull, leaving users with significant losses and no recourse.


Dec 2

😈On Dec 2, 2023, an inactive project, “Fulcrum” on ETH, was exploited for ~$223K (99 $ETH) in a possible flash loan attack.

The attacker also left an on-chain message in French:
“Chapardez le cadavre, négociez avec les fantômes”

English Translation: “Pilfer the corpse, negotiate with the ghosts.”

The attacker performed two attacks in a short interval, gaining 41.98518131 ETH and 57.76452411 ETH, respectively.

Hack Txns:

  • 0xb072f2e88058c147d8ff643694b43a42e36525b7173ce1daf76e6c06170b0e77
  • 0x0fc5c0d41e5506fdb9434fab4815a4ff671afc834e47a533b3bed7182ece73b0

On-Chain Message: 0x352f7a90b56a76c9b808965cb21bead9e2d0ac1b186df2bc8676ffb57ba2dfc3

Attacker Address: 0x5A7C7Eb8D13A53D42A15d2B1D1b694CcC5141Ea5


Dec 4

😈On Dec 4, 2023, another ETH address fell victim to a phishing attack, losing approximately 6.3K $BANANA (worth about $100.65K) to AngelDrainer.

This incident adds to the growing list of phishing attacks we have reported for the past month.

Victim (Hack Txn): https://etherscan.io/tx/0x6897cc443c2c509b62fac1855330530ec3c61fb4788067752e492c9d48a8dad7

Phishing Addresses involved:

  • 0x0000d38a234679F88dd6343d34E26DCB50C30000
  • 0x7FC43D7C6C9f9C85B3b68699df73B7c076d61146
  • 0x412f10AAd96fD78da6736387e2C84931Ac20313f

Dec 5

😈On 5 Dec, 2023, @BEARNDAO, a decentralized reserve currency protocol on BSC, was exploited for ~$769K.

The attacker exploited a bug in the function ConvertDustToEarned() in the BvaultsStrategy smart contract to launch a sandwich attack.


The attacker created an attack contract to execute this exploit.

BvaultsStrategy Contract: 0x21125d94Cfe886e7179c8D2fE8c1EA8D57C73E0e

  • Attacker Address: 0xCE27b195Fa6dE27081a86b98b64f77F5FB328dd5
  • Attack Contract: 0xe1997bC971D5986AA57Ee8ffB57eb1DeBa4fDAaa
  • Attack Txn: 0x51913be3f31d5ddbfc77da789e5f9653ed6b219a52772309802226445a1edd5f

The stolen funds have been transferred to the following addresses.

  • 0x42df55549558b6119fe9c628b856dec6b86ed4c5
  • 0x4d1f328e0dc4d3e8b7a81184cb89edc4cb7cd63a

😈On Dec 5, 2023, the CKD token on BSC was rugged for ~$539K when the deployer and another EOA removed the liquidity and dumped the tokens.


The deployer removed liquidity in over 3 txns:

Txns:

  • 0xa9b929f980b946a17c1b424a2fb13e761a675540b7470c451b803abcdc476462
  • 0x1f36b29931484d55b6b71a52d6bffd249b0b8fe66f765550a7bbdfb8c52a0b78
  • 0xe6fa778eceeb98dbd5d9c165cc90472b8518dae396baa84ded5a9199390354f6

Token contract:
0x583e9b5ebB7B67157f7817CE3d57A2604fc83881

Deployer Address: 0xd03E23Da7A53BE6c96d7fF6e17c0c5ceb49B0dC1

😈On Dec 5, 2022, Lymex Token ($LYM) suffered a rug pull and lost $300,000.

Amount Stolen: Approximately 46,633,195 $LYM, equivalent to about $300,000

Method: A whitelisted address, 0xbC8054Ab4Bb4E60a13eDE09854F7957FF16D9679, transferred a massive amount of $LYM tokens to 0x00e6392f9ae5d022e30ff406830bb9b3bed6993e.

This address had approved the maximum LYM transfer eight days earlier. The stolen $LYM tokens were then moved to a second contract, 0x2038b897, swapped for 302,661 $BUSD, and transferred to the deployer and another address, 0x92c2eA2F.

Hacker’s Wallet: https://bscscan.com/address/0x00e6392f9ae5d022e30ff406830bb9b3bed6993e

😈On Dec 5, 2022, @RoastFootball ($RFB) Token Lottery Was Exploited

Method: Exploiting a weak pseudorandom number generation in the lottery function. The hacker executed transactions only when winning the lottery, reverting otherwise. They won 2 of 50 times.

Details: The hacker was funded via @TornadoCash. The profits remain in the hacker’s address, 0x5f7db41e2196080f397cdcf8dd58e8adfdaf2ade.

Exploitation Transaction: https://bscscan.com/tx/0xcc8fdb3c6af8bb9dfd87e913b743a13bbf138a143c27e0f387037887d28e3c7a

Hacker’s Address: https://bscscan.com/address/0x5f7db41e2196080f397cdcf8dd58e8adfdaf2ade

These hacks underscore the ongoing security challenges in the crypto world, emphasizing the need for robust security protocols and continuous vigilance in the digital assets space.


Dec 6

😈On Dec 6, 2023, an exploit involving the TIME token on a decentralized exchange (DEX) resulted in a loss of approximately 94 ETH, worth around $200,000.

This incident was orchestrated through a vulnerability in the Forwarder #smartcontract, which is designed to execute transactions on behalf of arbitrary sender addresses.

Technical Breakdown of the Exploit:

The exploit was executed through a critical vulnerability that involved the inconsistency between two functions: Forwarder.execute() and TokenERC20.multicall().

The exploiter capitalized on this inconsistency in the following manner:

Manipulation of req.data

The Forwarder contract appends the ‘req.from’ address at the end of req.data. However, when the multicall() function is called, it decodes its parameters from the calldata and drops the trailing ‘req.from’ before executing the actual sub-call.

Misuse of the burn() Function

When the burn() function is invoked, it attempts to extract ‘req.from’ from the calldata, assuming it was appended by a TrustedForwarder.

Because multicall() dropped it, ‘req.from’ is missing, and the function instead reads the last 20 bytes of the sub-call’s data as the sender. That part of the data is controlled by the attacker.

Execution of Exploit

Using this flaw, the attacker drained funds from the DEX by burning most of the TIME tokens through the vulnerable Forwarder contract.

  • Transaction 1: 0xecdd111a60debfadc6533de30fb7f55dc5ceed01dfadd30e4a7ebdb416d2f6b6
  • Transaction 2: 0xc7df7e7bc537785b9068f4d6356caba3b16df1b6054927314724a9b2e49ab18b
  • Token Contract: 0x4b0E9a7dA8bAb813EfAE92A6651019B8bd6c0a29

Dec 7

😈On Dec 7, 2023, an ETH address was scammed for ~$83K by the infamous angel drainer.

Since last month, we have been reporting multiple such cases of scams and phishing attacks by #angeldrainer and fake phishing accounts.

Victim Address: 0x1f660f4C9e0c833520eEfE7e207249B3Fa7DB92F

Txn: 0x917bd53864c6b4fd097be5f21f0a313f0634d84a31fc54f5713509d149fe2e71

Phishing Addresses involved:

  • 0x0000d38a234679F88dd6343d34E26DCB50C30000
  • 0xc0051fd875301012b33a48dFcc053177A3e028d0
  • 0x412f10AAd96fD78da6736387e2C84931Ac20313f

😈On Dec 7, the @Web3camp_io project on BSC lost around $40k worth of 6,687,000,000,000 3P tokens in an arbitrary address spoofing attack.

The cause of the exploit is a vulnerability that was recently disclosed by @OpenZeppelin.

The exploited contract was on @thirdweb, a platform for building and deploying smart contracts.

The Vulnerability

Due to a bug, the combined use of @OpenZeppelin’s ERC2771Context and MulticallUpgradeable gives rise to an ABI decoding issue that bypasses the forwarder’s signature check and thus creates a privilege escalation issue.

As a result, the attackers can utilize this illegitimate access to carry out privileged actions such as mint and token transfers.

Read more about this Vulnerability here: https://t.co/FtT1TLPVG1

Remedial Action

@Web3camp_io has locked the token smart contract and disabled the transfer of $3P tokens on the chain.

The attackers stole 3P tokens worth ~$40k from the victims.

Attacker addresses:

  • 0x340509fee1005cce6ec075c53f7a7b2c7b769f9d
  • 0x0000000000000f25a072efa232d8efc0b5ce2436

Victim addresses:

  • 0xb4E8Cb86324a9640Af81b48F708f933cB7D12Ac3
  • Web3Camp deployer (trusted account)

Token Contract Address: https://bscscan.com/token/0xb806fa32ebdc04e5dbdd2ad83e75c8f7d8e8ef8b

Hack Tx: 0x2cd19f82d81ded614f69c48d2680e251eb1cc12756e2275a6a9b32d4ef0e0ae2
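This incident and the TIME token exploit of Dec 6 come from the same ERC2771Context/Multicall interaction. The following added example (not the TIME or 3P token code, nor thirdweb's or OpenZeppelin's library) models the calldata path in Python: the forwarder appends req.from, multicall drops it, and burn() then trusts the last 20 bytes of attacker-supplied sub-call data; the fixed multicall re-appends the sender recovered from the outer call. The calldata encoding, the signer allowlist standing in for a signature check, and all names are assumptions.

```python
"""Model of the ERC-2771 + Multicall sender-spoofing bug behind the TIME and 3P
incidents above. Added example, not the TIME token, thirdweb or OpenZeppelin
source: calldata is a simplified encoding (4-byte selector || payload), the
signature check is a signer allowlist, and the fix mirrors re-appending the
context sender to each sub-call. All names are assumptions for illustration."""
ADDR_LEN = 20
SEL_BURN = b"burn"   # stand-in for a 4-byte function selector
SEL_MULTI = b"mult"

def addr(label: str) -> bytes:
    """Deterministic 20-byte pseudo-address for a label (constructed sample)."""
    return label.encode().ljust(ADDR_LEN, b"\x00")[:ADDR_LEN]

def encode_multicall(sub_calls: list) -> bytes:
    body = b"".join(len(d).to_bytes(2, "big") + d for d in sub_calls)
    return SEL_MULTI + len(sub_calls).to_bytes(2, "big") + body

def decode_multicall(calldata: bytes) -> list:
    """Decode the declared sub-calls; bytes after them (e.g. req.from) are dropped,
    just as ABI decoding ignores trailing calldata."""
    n = int.from_bytes(calldata[4:6], "big")
    out, pos = [], 6
    for _ in range(n):
        ln = int.from_bytes(calldata[pos:pos + 2], "big")
        out.append(calldata[pos + 2:pos + 2 + ln])
        pos += 2 + ln
    return out

class Token:
    def __init__(self, forwarder: bytes, balances: dict, fixed: bool):
        self.forwarder, self.balances, self.fixed = forwarder, dict(balances), fixed

    def _msg_sender(self, msg_sender: bytes, calldata: bytes) -> bytes:
        # ERC2771Context: when the trusted forwarder calls, the real sender is the
        # last 20 bytes of calldata. The contract cannot tell who appended them.
        if msg_sender == self.forwarder and len(calldata) >= ADDR_LEN:
            return calldata[-ADDR_LEN:]
        return msg_sender

    def dispatch(self, msg_sender: bytes, calldata: bytes) -> None:
        sel = calldata[:4]
        if sel == SEL_BURN:
            self.burn(msg_sender, calldata)
        elif sel == SEL_MULTI:
            self.multicall(msg_sender, calldata)
        else:
            raise ValueError("unknown selector")

    def burn(self, msg_sender: bytes, calldata: bytes) -> None:
        amount = int.from_bytes(calldata[4:12], "big")   # trailing bytes are ignored
        owner = self._msg_sender(msg_sender, calldata)
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[owner] -= amount

    def multicall(self, msg_sender: bytes, calldata: bytes) -> None:
        context_sender = self._msg_sender(msg_sender, calldata)
        for data in decode_multicall(calldata):
            if self.fixed and context_sender != msg_sender:
                # Fix: re-append the sender recovered from the outer call, so the
                # sub-call's own trailing bytes can no longer pose as the sender.
                data = data + context_sender
            # delegatecall keeps msg.sender (the forwarder); calldata is now the sub-call
            self.dispatch(msg_sender, data)

class Forwarder:
    def __init__(self, address: bytes, signers: set):
        self.address, self.signers = address, signers

    def execute(self, token: Token, req_from: bytes, req_data: bytes) -> None:
        if req_from not in self.signers:
            raise PermissionError("bad signature")   # stands in for the ECDSA check
        token.dispatch(self.address, req_data + req_from)   # appends req.from

def run(fixed: bool) -> dict:
    """Attacker signs a multicall whose single sub-call, burn(600), ends with the
    victim's address. Returns the resulting balances."""
    fwd = Forwarder(addr("forwarder"), signers={addr("attacker")})
    token = Token(fwd.address, {addr("victim"): 1000, addr("attacker"): 0}, fixed)
    sub_call = SEL_BURN + (600).to_bytes(8, "big") + addr("victim")
    try:
        fwd.execute(token, addr("attacker"), encode_multicall([sub_call]))
    except ValueError:
        pass   # fixed variant: the burn is charged to the attacker, who holds 0
    return {"victim": token.balances[addr("victim")], "attacker": token.balances[addr("attacker")]}
```

In the vulnerable variant the victim's balance drops from 1000 to 400 without the victim ever signing anything; in the fixed variant the burn is attributed to the attacker and fails.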


Dec 10

😈On Dec 10, 2023, an EOA fell victim to a phishing scam and ended up losing $378K worth of crypto assets.

The address 0x2dce signed a phishing ERC20 Permit message, allowing the scammers to drain funds.

Hack Txn: https://etherscan.io/tx/0x7204f9c50c5ddd8734bba6279fb68333170b8e651ae4ffd7c4e8ed87cd142564

  • Victim: 0x2dcebf53ebd36e9b068989446ecca03231d7846a
  • Scammer 1: 0xab4db125e41bbe6175f1d516d922733263cbf2ec
  • Scammer 2: 0x8f953fe2e53228dc7a9e35541b5abc1d6844940b



Dec 12

😈On Dec 12, 2023, the OKX DEX on #Ethereum suffered a breach and lost ~$2.7M worth of crypto assets due to a private key leak.

The attack occurred immediately after the proxy admin owner upgraded the DEX proxy contract to a new implementation contract.

The exploit continued even after the proxy admin owner made another upgrade to the contract. The proxy admin owner could upgrade the DEX Proxy contract through the Proxy Admin.

After realizing the exploit, the DEX proxy was removed from the platform’s trusted list.

The OKX DEX, in an official statement, stated that the users would be duly compensated for the losses suffered in the exploit.

  • DEX contract: 0x70cbb871e8f30fc8ce23609e9e0ea87b6b222f58
  • OKX DEX TokenApprove contract: 0x40aa958dd87fc8305b97f2ba922cddca374bcd7f
  • DEX Proxy: 0x55b35bf627944396f9950dd6bddadb5218110c76
  • Proxy Admin: 0x3c18F8554362c3F07Dc5476C3bBeB9Fdd6F6a500
  • Proxy Admin Owner: 0xc82Ea2afE1Fd1D61C4A12f5CeB3D7000f564F5C6
  • Suspected Attacker: 0xFacf375Af906f55453537ca31fFA99053A010239
  • Profit Address: 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d

Contract Upgrade Transactions:

  • https://etherscan.io/tx/0xc6a5a7bc31bbc9a7530189e718f7ed96789fa65c56c3a4a08079a95074e280c8
  • https://etherscan.io/tx/0x22ebd267d7344780e6d63cf3a76bab57b8f8fa41cf58df1a2e1707d75d8bee89


😈On Dec 12, 2023, scammers stole around $218.8K worth of crypto assets from an unsuspecting victim.

It is believed to be a phishing attack where 2.4M $MUBI tokens were transferred to the attacker’s address.

On receiving these 2.4M $MUBI tokens, the scammers swapped them for ~90.5 $ETH.

Victim: 0xd43e03529c8d9cf150baeb6f782f1a4c38fda435

Hacker: 0x7833ab00bdefa29822427f2ab27b1e116ee338ca

Hack Txn: https://etherscan.io/tx/0x3bbc4ade312d3432fd2f137c0784bbff4e78aa8838853b17c10da9a7c60c42e7

Phishing attacks are constantly on the rise in the crypto world.


😈On Dec 12, 2023, a victim on the Ethereum chain lost 158.1 $PAXG (worth ~$309.5K) to notorious scammer AngelDrainer.

Victim Address: 0xb40c95578cbd205e8cb066bb5b52c04bbb1144aa

Hacker Address: 0x412f10aad96fd78da6736387e2c84931ac20313f

Hack Txn: https://etherscan.io/tx/0x4a2e3031f9f46022b276bb71ab0fb676a0d902defae70702dd44bdf3c36be863


Dec 13

😈On Dec 13, 2022, Elastic Swap, the Automated Market Maker (AMM) operating on the Avalanche chain, lost ~$854K worth of #crypto assets to a price manipulation attack.

The attacker could exploit the prices of various pools due to a flaw in the calculation logic in the #smartcontract.

Using this flaw, the exploiter manipulated:

  • TIC-USDC pool for 22,454 AVAX worth ~$290,328
  • AMPL-USDC pool of ElasticSwap on Ethereum for 445 ETH worth ~$564,000

Fortunately, the exploit on Ethereum was front-run by an MEV bot, which saved an additional 445 ETH from being stolen.

Without this front run, the hack loss would have easily gone past the $1M mark.

Attack Txn on Ethereum: https://etherscan.io/tx/0xc2d86035f20389088b4277de6f13ca3f8bb819381b95e58359a22d0ad6f5cbda

Attack Txn on Avalanche: https://snowtrace.io/tx/0x782b2410fcc9449ead554a81f78184b6f9cca89f07ea346bc50cf11887cd9b18

😈On Dec 13, 2021, Vulcan Forged, a blockchain game studio and NFT marketplace, was exploited for ~$140M.

The cause of the exploit was a private key leak, which compromised 96 addresses.

Most assets drained from the users’ wallets were in the platform’s native token, $PYR.

A total of over 4.5M PYR tokens were stolen in this exploit, and they were valued at ~$140M at the time of the attack.

Other than the native token, users also lost ETH and MATIC.

Hacker’s address on:

  • Ethereum: https://etherscan.io/address/0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
  • Polygon: https://polygonscan.com/address/0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1

Dec 19

😈In another crypto phishing scam, a victim lost $218K worth of ETH on Dec 19, 2023. The method of exploit was the usual one: the victim signed a malicious ERC20 Permit message.

Victim: 0x9f6bcc3d52624a2be52a6b5499b582b98f7e5a41

Scammer Address: 0xe265398bc6ea0a4ae1de43de6e0fad81c205013b

Hack Txn: https://etherscan.io/tx/0x3103a5b7cdc84bbb67faf04ff1e1b81f3e7fa3f80cbbcdcc4485a12ddc8b571b


😈A victim on Dec 19, 2023, lost approx. $333K worth of assets to multiple phishing addresses in a total of three transactions.

The victim had signed malicious ERC20 Permit messages which made the illegal token transfer possible.

Learn about PERMIT2 ERC-20 token approvals and associated risks here: https://bit.ly/3v3a1ou

Targeted Victim: https://etherscan.io/address/0x7453275ad8cacf3a44d19bd10e5b6a2832b05fc3 (austinl.eth)

Hack Txns:

  • https://etherscan.io/tx/0xa2962b64c6c74c61ac49cd081b9588da10f81c9aab9cd941f409a3dd07c3a2f9
  • https://etherscan.io/tx/0x3da13a136ca6e909660619092e7bd4e55c8d56b4068fb600e2bef9d60d9fef99
  • https://etherscan.io/tx/0x89c433a4cbd57e6b13b01a6ca72e5f9dda3dd7bfd5d93384bac73ede3aa5466f

Scammers’ Addresses Involved:

  • 0x76cf09ab182c6bd47b980f7d6dacbda1d6705f37
  • 0x1a42605d92c210e4be47a6363046c591659ab444
  • 0x000000093E55f433Fb57a32AA5d5Fe717B3f7AB1 (Fake_Phishing268901)
  • 0x50c47a3b581bf242e908335eec081f0fe6ceeaa9

Phishing attacks are here to stay in the crypto world. To avoid falling for such traps, equip yourself with knowledge of how they work.


Dec 20

😈On Dec 20, 2023, the multi-chain aggregator and cross-chain bridge @TransitFinance suffered an exploit. The breach caused losses of around $110k.

The cause of the exploit appears to be a lack of proper input validation for the pool.

The malicious hacker managed to pass a forged pool and WBNB/BUSD pool path and thus controlled the actualAmountIn in the first swap.

The SwapRouter failed to detect this and took the forged actualAmountIn as the initial value for the swap in the WBNB/BUSD pool.

Attacker address: 0xf7552ba0ee5bed0f306658f4a1201f421d703898

Earlier Exploits of Transit Finance

On Oct 1, 2022, Transit Finance was exploited for $28.9M worth of crypto assets from the wallets of users who had approved the Transit Swap contract.

Coincidentally, the reason for this exploit was also a lack of proper input validation during the token exchange, which allowed an arbitrary external call.

Due to a vulnerability in the transferFrom() function, which permitted anyone to transfer tokens approved by users for trading on Transit Swap to any address, the attacker made an arbitrary external call, enabling the unauthorized acquisition of tokens that users had approved.

Attacker’s Address for Oct 2022 Exploit: 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46

The Cure

To prevent vulnerabilities of this kind, developers should implement comprehensive input validation routines. This includes:

  • Validating data types
  • Checking for boundary conditions
  • Sanitizing user input to prevent unexpected conditions from occurring
  • Using fuzzing tools to check unexpected inputs
  • Creating a wide array of edge cases to ensure robust input validation
  • Rigorous smart contract auditing by a credible firm like ImmuneBytes

Dec 21

😈On December 21, 2021, DeFi Visor Finance’s (now @GammaStrategies) staking contract RewardsHypervisor on the #ethereum chain was exploited for 8,812,958 VISR tokens, which were worth $8.2m at that time.

The attacker implemented the IVisor delegateTransferERC20 interface and called the staking contract’s withdraw function to transfer tokens using a malicious contract.

Similarly, the secondary migration contract used for Visor’s ENS-ETH vault was also exploited using IVisor delegateTransferERC20.

The staking contract’s dependence on a user-provided contract to implement the required transfer function made this hack possible.

Hack Txn: https://etherscan.io/tx/0x69272d8c84d67d1da2f6425b339192fa472898dce936f24818fda415c1c1ff3f

Attacker’s Address: 0x8efab89b497b887cdaa2fb08ff71e4b3827774b2

Attack Contract: 0x10c509aa9ab291c76c45414e7cdbd375e1d5ace8

A diligent and comprehensive smart contract audit would have highlighted this vulnerability.


Dec 22

😈A zero-transfer scammer stole $710K from a victim on Dec 22, 2023.

The victim 0xf8cc…3d6a intended to transfer tokens to the address

0x949954b50B5780d3A1c54deB7Cbb0dbcc558861B

But ended up sending them to a similar-looking phishing address:

0x949D0DbE58c77EEF31eDAB5E476f41E4F5ef861B

Hack Txn: https://etherscan.io/tx/0x66096743f07f2f0d49818f5e4de28b98bbf3ac6bfcf665fa48225f97260be6b1

Victim: https://etherscan.io/address/0xf8cC32a062667cf43344Ca5c5F76c2a437b93D6a

This costly mistake could have been avoided if the victim had taken certain precautions while making this transaction.
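One such precaution, as an added example (not code from any wallet or product): compare a recipient against the addresses the wallet has actually moved value with, and flag a new one that shares the displayed prefix and suffix of a trusted address. The two addresses are those quoted above; the transfer history and the threshold are constructed assumptions.

```python
"""Look-alike recipient check for the address-poisoning pattern described above.
Added example, not code from the victim's wallet or any product. The two addresses
are the ones quoted in this entry; the transfer history around them is constructed
and the threshold is an assumption."""

INTENDED = "0x949954b50B5780d3A1c54deB7Cbb0dbcc558861B"
POISONED = "0x949D0DbE58c77EEF31eDAB5E476f41E4F5ef861B"
THRESHOLD = 6   # shared leading + trailing hex digits that count as a look-alike

HISTORY = [   # constructed: (counterparty, amount, direction)
    (INTENDED, 1_000.0, "out"),
    (POISONED, 0.0, "in"),   # zero-value transfer planted so it shows up in history
    ("0x1111111111111111111111111111111111111111", 50.0, "out"),
]


def hex_body(address: str) -> str:
    a = address.lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not a 20-byte hex address: {address}")
    return a[2:]


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_score(a: str, b: str) -> int:
    """Leading plus trailing hex digits two addresses share, i.e. the parts a wallet
    UI shows (0x9499…861B). Identical addresses score 0."""
    a, b = hex_body(a), hex_body(b)
    if a == b:
        return 0
    return common_prefix_len(a, b) + common_prefix_len(a[::-1], b[::-1])


def trusted_counterparties(history: list) -> set:
    """Addresses the wallet has moved real value with; zero-value rows never qualify."""
    trusted = set()
    for address, amount, _ in history:
        hex_body(address)   # validate every row
        if amount > 0:
            trusted.add(address.lower())
    return trusted


def poisoned_entries(history: list) -> list:
    """Zero-value rows whose counterparty imitates a trusted address."""
    trusted = trusted_counterparties(history)
    return [address for address, amount, _ in history if amount == 0
            and any(lookalike_score(address, t) >= THRESHOLD for t in trusted)]


def check_recipient(candidate: str, history: list) -> tuple:
    """('ok', None) for a known counterparty, ('lookalike', imitated_address) when
    the candidate resembles one, ('unknown', None) otherwise."""
    trusted = trusted_counterparties(history)
    cand = candidate.lower()
    hex_body(cand)
    if cand in trusted:
        return ("ok", None)
    best = max(trusted, key=lambda t: lookalike_score(cand, t), default=None)
    if best is not None and lookalike_score(cand, best) >= THRESHOLD:
        return ("lookalike", best)
    return ("unknown", None)
```

For the pair above the score is 7 (three shared leading digits, four shared trailing ones), so the poisoned address is flagged as imitating the intended one.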



Dec 25

😈Crypto AI trading bot @MegabotETH suffered an exit scam on Dec 25, 2023. The project has lost over $742k worth of assets, out of which ~$692k worth of assets were lost on the Solana chain alone.

The social media handles of the project have been deleted, and the website has gone offline.

On its X handle on Dec 23, @MegabotETH had announced a 24-hour Solana presale for Dec 25. The maximum allowed participation amount was set at 1000 SOL.

It appears that the scammers wanted to maximize their profits, as the plug was pulled on the day of presale.

Stolen funds are stored in the presale wallet (8GQyzGgWW3xPVvoDmTUzvv9U7LreyTzXDusQJGDNmEPC)

😈On Dec 25, the decentralized finance (DeFi) platform Telcoin App suffered a breach and lost over $1.3M worth of crypto assets on the Polygon chain.

Over 3 Billion Telcoin tokens were sent out on Polygon in a series of suspicious transactions.

Immediately after the exploit was discovered, the app was temporarily frozen, and investigations were started to find the incident’s root cause.

In an official update on their X handle, @telcoin confirmed the exploit and stated there was no vulnerability within the Telcoin Wallet code.

The issue was found in the proxy implementation of the wallet on Polygon and primarily impacted wallets that had never initiated a transaction since they were created.

The team @telcoin has also stated that they have deployed the fix to patch this issue.

What comes as a relief to the affected users is that the Telcoin team is planning to restore all affected wallets to their pre-exploit balances before the app is turned back on.

Also, the community has been informed that no keys, backend systems, or user data were breached during this exploit.


Dec 27

😈 On Dec 27, 2023, the multi-chain crypto trading platform @ThunderTerminal suffered an exploit resulting in a loss of ~$242K (86.5611512804 ETH + 439.12232317 SOL).

The exploit started on Dec 27 at 12:11:47 AM UTC and lasted till 12:20:35 AM UTC.

In an official statement, Team Thunder confirmed the hack and stated that less than 1% of wallets were affected in this attack and that no desktop wallets were impacted.

Cause of the Exploit

The cause of the exploit was a compromised third-party service (MongoDB Atlas) connection URL, which was used to pull session tokens and execute withdrawals on behalf of users.

Because the leaked session tokens were valid, the server did not flag these withdrawal requests and approved the authentication requests.

It is reported that the MongoDB company was exploited 8 days earlier, and its data and customer account details were leaked as a result.

Team @ThunderTerminal has reassured the community that the Thunder teammates’ accounts themselves were not compromised either externally or internally.

Also, since the trading platform does not store any private keys, the malicious attacker could not access any wallets.

Since then, the exploiter has transferred the stolen 86.3 $ETH to Railgun, the decentralized privacy protocol.

Immediate Measures Taken

Following the exploit, the Thunder team has:

  • Revoked all access to transaction signing
  • Revoked all pre-existing connection URLs
  • Revoked all pre-existing session tokens
  • Ensured all current and future connection URLs can only be accessed and used directly from Thunder servers

Steps for Fund Recovery & Enhanced Security

Thunder is taking the following steps to recover funds and avoid future exploits.

  • Pursue legal action against the culprits of the exploit with the help of the FBI
  • Conduct a detailed technical audit to pinpoint all attack surfaces.
  • Add 2FA authentication for withdrawals.
  • Bolster security for session issuing and authentication.
  • Initiate negotiation with the exploiter to regain lost funds.

Compensation for Affected Users

The team @ThunderTerminal has assured that all users affected by this exploit will be refunded for their losses. They will also receive 0% fees and $100k in credits each.


Dec 28

😈On Dec 28, 2020, the DeFi protocol @CoverProtocol was exploited for over $4M by abusing a vulnerability in the protocol’s liquidity mining/farming contract, Blacksmith.

The stolen funds included 1,400 ether, one million DAI, 3K LINK, and 90 WBTC.

The Cover DeFi protocol merged with Yearn.Finance (@yearnfi) in November 2020.

The Vulnerability

The contract, written in Solidity, had a bug in the way it used memory and storage.

The contract was caching the pool data in memory to save some gas. It would update the pool data in storage but not the cached data.

The outdated cached data was later used in calculations, and that made the hack possible.

This vulnerability allowed exploiters to mint the native COVER token infinitely. Using this infinite minting bug, the attacker minted 40 quintillion COVER tokens.

The Hack Flow

  • Deposit LP tokens to the Blacksmith contract
  • Withdraw almost all LP tokens to inflate ‘accRewardsPerToken’
  • Deposit LP tokens again
  • Claim COVER rewards and trick the contract into minting a quintillion $COVER tokens
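The four steps above, reproduced in an added Python model (not Cover Protocol's Solidity) of a MasterChef-style pool whose deposit and withdraw keep using a pre-update memory copy of the pool; the stale_cache flag switches between the bug and the fix. The 1 COVER per block emission, the attacker's amounts and the names are assumptions.

```python
"""Model of the stale memory cache behind the Blacksmith exploit described above.
Added example, not Cover Protocol's Solidity: a reduced model of a MasterChef-style
rewards pool. The names, the 1 COVER per block emission and the attacker's amounts
are assumptions; stale_cache=True mimics reading a `memory` copy of the pool after
the `storage` copy was updated."""
CAL = 10**12   # fixed-point multiplier for accRewardsPerToken


class Blacksmith:
    def __init__(self, reward_per_block: int, stale_cache: bool):
        self.pool = {"lp_total": 0, "acc": 0, "last_block": 0}   # storage
        self.miners = {}            # who -> {"amount", "writeoff"}
        self.reward_per_block = reward_per_block
        self.stale_cache = stale_cache
        self.minted = 0             # total COVER minted by the contract

    def _update_pool(self, block: int) -> None:
        """Accrue emission since the last update into accRewardsPerToken (storage)."""
        p = self.pool
        if block <= p["last_block"]:
            return
        if p["lp_total"] > 0:
            rewards = (block - p["last_block"]) * self.reward_per_block
            p["acc"] += rewards * CAL // p["lp_total"]
        p["last_block"] = block

    def _pool_view(self, block: int) -> dict:
        """Bug: copy the pool (`Pool memory pool = pools[lp]`), update storage, then
        keep using the copy. Fix: use the updated storage."""
        cached = dict(self.pool)
        self._update_pool(block)
        return cached if self.stale_cache else self.pool

    def _settle(self, who: str, acc: int, new_amount: int) -> int:
        """Mint pending rewards, set the new stake and recompute rewardWriteoff."""
        m = self.miners.setdefault(who, {"amount": 0, "writeoff": 0})
        owed = max(m["amount"] * acc // CAL - m["writeoff"], 0)
        self.minted += owed
        m["amount"], m["writeoff"] = new_amount, new_amount * acc // CAL
        return owed

    def deposit(self, who: str, amount: int, block: int) -> int:
        pool = self._pool_view(block)
        cur = self.miners.get(who, {"amount": 0})["amount"]
        self.pool["lp_total"] += amount
        return self._settle(who, pool["acc"], cur + amount)

    def withdraw(self, who: str, amount: int, block: int) -> int:
        pool = self._pool_view(block)
        cur = self.miners[who]["amount"]
        if amount > cur:
            raise ValueError("withdraw exceeds stake")
        self.pool["lp_total"] -= amount
        return self._settle(who, pool["acc"], cur - amount)

    def claim(self, who: str, block: int) -> int:
        self._update_pool(block)   # claim reads storage directly, no cached copy
        return self._settle(who, self.pool["acc"], self.miners[who]["amount"])


def run_attack(stale_cache: bool) -> dict:
    """The four-step flow from the text with 1 COVER (10**18 wei) emitted per block."""
    bs = Blacksmith(reward_per_block=10**18, stale_cache=stale_cache)
    lp = 10**18                                   # constructed: 1 LP token
    bs.deposit("attacker", lp, block=100)         # 1. deposit LP tokens
    bs.withdraw("attacker", lp - 1, block=101)    # 2. leave 1 wei: next update divides by 1
    bs.deposit("attacker", lp - 1, block=102)     # 3. re-deposit; writeoff uses the stale acc
    claimed = bs.claim("attacker", block=103)     # 4. claim COVER
    emitted = bs.reward_per_block * (103 - 100)   # what the pool actually earned
    return {"claimed": claimed, "minted": bs.minted, "emitted": emitted}
```

With the stale copy the final claim mints about 10**18 COVER against an emission of 3 COVER; with the fix the pool mints exactly what it emitted.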

The Stolen Funds

The attacker sold $5 million worth of COVER tokens but surprisingly returned more than $3 million worth of assets (4350 ETH).

The attacker later revealed himself through a message from his X (formerly Twitter) handle, Grap.Finance, informing the community that he had returned the stolen funds.

Funds Return Txn: https://etherscan.io/tx/0xc2fd5094c1e108f83222a86bd46b35fc0da35616385d681964b22003643f982e

Post Hack Measures

Cover Protocol later announced that it would launch a new token through a snapshot of tokens before the hack and urged users not to buy COVER tokens while the hack was being investigated.

The Risk Mitigation

This hack could have been avoided if the vulnerable #smartcontract had undergone stringent security auditing from an experienced blockchain and smart contract security audit firm.


Dec 31

😈The decentralized cross-chain protocol @Orbit_Chain suffered an exploit on December 31, 2023, a few hours before the new year’s dawn.

The exploit cost Orbit Chain a whopping ~$82M through the breach of its Ethereum L1 Vault, which lost various crypto assets, including DAI, USDC, USDT, ETH, and WBTC, in the unauthorized access.

Fund Loss Breakup

  • $30 million in USDT
  • $10 million in USDC
  • $10 million in DAI
  • 230.879 WBTC
  • 9,500 ETH

The Hack Aftermath

To contain the exploit’s impact and recover lost funds, the Orbit Chain team has requested major global cryptocurrency exchanges to freeze stolen assets.

It is also in touch with law enforcement agencies to track down the movement of stolen funds. The team is also trying to initiate contact with the hacker in a bid to recover the stolen funds.

So far, the hacker has been sent two messages on the bridge, but they have yet to respond to any of these.

The cause of the attack is currently being investigated.

Meanwhile, the team @Orbit_Chain has warned its users to avoid fake reimbursement claim websites and strongly advised them to look for the updates only on Orbit Chain’s official social media handles.

Hack Txns:

  • https://etherscan.io/tx/0xe0bada18fdc56dec125c31b1636490f85ba66016318060a066ed7050ff7271f9
  • https://etherscan.io/tx/0x639d27e564214411ad8eb06cf00d85cd90f83503a53ab5bf35dd5c6e1148ae0a
  • https://etherscan.io/tx/0x64a6f486c20671e1389b3c7948d46733325c407245a86bf510cb69ef401a3f0e
  • https://etherscan.io/tx/0x958aeec58ea2f0f9700adda24e43fb76f9e052e4c20773f180c49d7529d95f16

The exploiter was initially funded with 10 $ETH from #TornadoCash and routed the funds through the intermediary address 0x70462bfb204bf3ccb0560f259072f8e3a85b3512.

Attacker: 0x9263e7873613ddc598a701709875634819176aff

Stolen Fund Receivers

  • 0x009b60aab8e64c8f5fe449bd96fa78b1a7fffcc5
  • 0x3a886a63c768665a9830886e608d6f9dc6b4f730
  • 0xa70f8917a957757f5505a5535df1591c54f65b9d
  • 0x9ca536d01b9e78dd30de9d7457867f8898634049
  • 0xdadfa3ccd40fc3d5a0164c6f9444f60163ccbf3b

Stolen Funds Holders as of Jan 02, 2024, 06:00 UTC

  • 0x817bb1761b715a08a9142f99fa7d0ccf73f4c0ef: 4,999,236 DAI
  • 0x157a409c2bfff38209a32e55d3eac1bfc93dd664: 4,999,121 DAI
  • 0x3a886a63c768665a9830886e608d6f9dc6b4f730: 10,000,001.3227759 DAI
  • 0x009b60aab8e64c8f5fe449bd96fa78b1a7fffcc5: 9,500 ETH
  • 0xf49de491e1c0d84a0e0bd2d57a841825fcf179fd: 4,679 ETH
  • 0x589257e07e11e761f31956d54b2323f63ee36b7d: 4,320 ETH
  • 0xd283fa3bd85887725c8982f539cc404a450f7fd9: 4,000 ETH
  • 0x5e22cb028865d6a93080d7ab42d2fe9a0e8dc085: 4,242.6 ETH

Other Addresses Involved

  • 0x0c43edeb2ee69c27d689e912ab5b8e8eef128d4c
  • 0x42839f4423985b5ef989498b0605b1dcca8f0df1
  • 0xe03d37392255fd1dae5476b04388315cc70b78c2

Instaswapper deposit from the attacker: 0xbad82ca05bd3d40b783d39e52abc1446f33aae12

Instaswapper Receiver on XRP: rN7EFW25YcGG6nzRY4W7TbX5tRyngW1Dj1
