Feb 1
Table of Contents
😈On Feb 1, 2024, an address on Ethereum fell victim to a phishing attack and lost ~47.23 $stETH worth ~$109K.
Victim: 0x09e5249ca0fd21874ae47c092a069a8d8539caa4
Attacker1: https://etherscan.io/address/0x950f2086bc05012c4eed3bd25e97f628de334d33
Attacker2: https://etherscan.io/address/0x9fa7bb759641fcd37fe4ae41f725e0f653f2c726
Hack Txn 1: https://etherscan.io/tx/0xe7c9ab4859162e4ce949d0bb00b0691803ed088c3da09a49dc171e4c00153e32
Hack Txn 2: https://etherscan.io/tx/0x16716219fd536b70ffa51f60122b739832e4d8e06ff8400f157fe42d2238d2aa
To know phishing techniques adopted by crypto scammers and how to avoid falling for them, read these deep-insight articles on crypto phishing.
Zero-Value Token Transfer Phishing Attack
What is an Ice Phishing Blockchain Attack?
The Beginner’s Guide to Phishing Attacks
Feb 4
😈On Feb 4, 2024, due to an arbitrary DELEGATECALL.vulnerability in the proxy contract, a victim lost ~$11.4K worth of $USDC.
The victim was a @ibdotxyz user who was targeted with a malicious contract.
The Hope Money exploiter had manipulated Hope Money on the Ethereum Mainnet for 528 ETH, worth approximately $835,000, on October 18, 2023.
Victim: https://etherscan.io/address/0x62C76588859b8390660f4cB7d99E2e2fcc90c7E2
Attacker (Hope Money Exploiter): https://etherscan.io/address/0xa8bbb3742f299b183190a9b079f1c0db8924145b
Hack Txn: https://etherscan.io/tx/0x91fc38e1f8c65c0f934ac04a51c633cbb613a91774bfae179c7138b22bcddea0
Feb 5
👿On Feb 5, 2024, a victim lost $468,227 worth of Lido ETH and Coinbase ETH on Ethereum
Victim: 0xb2cbe33dc64380e7afda17f6bbcd594cfa540ff7
Scammer: 0xe72681aee64b958e1f9df7db9eea98d1296bc36c
Phishing Txns:
- https://etherscan.io/tx/0xc2e616d9464f0e7e9b2e7ce8cfb2145855e84b7db528b2ed5f076cd8270e4cf1
- https://etherscan.io/tx/0xcd11210366a7c8d56282fd9022344111b0fe9fda79592d0f9adc660650f0e3a6
Feb 7
👿On Feb 7, 2024, an address on Ethereum lost $236,850 worth of $pufETH to phishing scams.
Victim: 0x19cb508a49a474c33d5d7b9446ffcd19aab81eb2
Scammer:
- 0xf672775e124E66f8cC3FB584ed739120d32bBaad
- 0x7f3CDdc92519dE28C5Fcf1bC57C26F3Ee512Bb35
Phishing Txns:
- https://etherscan.io/tx/0x9e711299f5b1775b266bbad2dd378a06e2a88facc3f51a2b95c73560544efa81
- https://etherscan.io/tx/0x9e711299f5b1775b266bbad2dd378a06e2a88facc3f51a2b95c73560544efa81
Feb 8
👿On Feb 8, 2024, an address on Ethereum lost $236,276 worth of Aave WBTC and USDC.
Victim: 0x407a71481374e59d5a950ecba11e201c8df06b32
Scammer: 0xb3b52ff66b9ace60bf1fad2bfa7bdd20bac5252b
Phishing Txns:
- https://etherscan.io/tx/0x3124710dfda002262bef8bcc70c2d61f89ef05dbc73b797c9d303ade30c72690
- https://etherscan.io/tx/0x7965827cd2f2f7b4a0bc9ed8fba7a4943c7b87f679f74e814a4a339c41ec6150
- https://etherscan.io/tx/0xc29220c0ef107dd93d44c922c7a2b88513df3609f54e33436d1c9bce86eb59b1
👿On Feb 8, 2022, Superfluid, an Ethereum-based money streaming protocol, was exploited for $13M worth of crypto assets.
An exploiter manipulated a smart contract vulnerability in the Superfluid’s host contract by creating distribution indexes to spoof several accounts holding Super-tokens.
This was made possible by passing in faulty calldata.
Later, the attacker moved funds from Superfluid user wallets to exchanges on Polygon and swapped them for ETH.
Although the exploited #smartcontract was pre-audited by a prominent smart contract auditing firm but, this incident proved that it was not enough to avoid this exploit.
Hack Txn:
- https://polygonscan.com/tx/0xdee86cae2e1bab16496a49b2ec61aae0472a7ccf06f79744d42473e96edd6af6
- https://polygonscan.com/tx/0x396b6ee91216cf6e7c89f0c6044dfc97e84647f5007a658ca899040471ab4d67
Attacker’s address: https://polygonscan.com/address/0x1574f7f4c9d3aca2ebce918e5d19d18ae853c090
Feb 9
👿Crypto gaming and NFT platform PlayDapp, which collectively lost ~$290M worth of PLA tokens in two separate attacks—on Feb 9 and Feb 12, 2024—has informed the community that it has paused its PLA smart contract to conduct a migration based on the snapshot.
Address: https://etherscan.io/address/0xD151050d43c28690766f50Ce9ea8686c5D243a40
What has Transpired So Far?
In two separate exploits on Feb 9 and again on Feb 12, the exploiter managed to mint 200 million PLA tokens (worth ~$36.5 million) and 1.79 billion PLA tokens (worth $253.9 million), respectively.
As per the initial analysis, an unauthorized wallet possibly used a private key compromise to mint ~1.83 Billion PLA tokens in the two attacks.
However, PlayDapp tried contacting the exploiter through an on-chain transaction, offering a $1 million bounty in return for stolen funds.
Instead of responding to the offer, the hacker decided to mint 1.59 billion more PLA tokens valued at $253.9 million on Feb. 12 and simultaneously started laundering the funds through crypto exchanges.
Since the total circulating supply of PLA tokens was a mere 577 million before the breach, the exploiter struggled to sell the 1.8 billion newly minted tokens at anything close to their market value before the hacks.
The Hack Aftermath
The prices of the PLA token took a steep fall in response to the exploit.
In an effort to contain the exploit and stop the hacker from laundering the stolen funds, PlayDapp contacted numerous central exchanges and asked them to suspend deposits and withdrawals of PLA tokens.
It is also chalking out a strategy with blockchain forensic firms and law enforcement agencies to track the stolen funds. It is also holding discussions with the exchanges to launch airdrops for the migration of stolen funds.
The actual reason behind the intrusion is being investigated and will be known after the completion of the investigation.
Feb 13
😈In an exploit on Feb 13, 2024, the crypto casino platform @Duelbits suffered a massive exploit in which it lost ~$4.6m worth of crypto assets.
The hack has happened in @Duelbits wallets on $ETH and $BNB chains.
There has been no official statement from Duelbits on the hack so far, but the most likely reason behind the exploit is speculated to be a private key compromise or the loss of wallet access control.
The stolen funds comprise, but not limited to, $USDT, $APE, and $SHIB tokens.
The exploiter has managed to bridge stolen assets from BNB chain to Ethereum after swapping $USDT, $APE, and $SHIB to $ETH.
This was obviously an attempt to obfuscate the stolen funds trail. While swapping BNB for BSC-USD the exploiter came across a situation where the bridging to the Ethereum chain could not happen due to the lack of gas fees.
To overcome this, the hacker used the FixedFloat service, which allows quick cryptocurrency exchanges.
Attacker Address: https://etherscan.io/address/0x3933924faf011ae8d24e44bee450b3d78e46a666
Exploit Txn:
https://etherscan.io/tx/0x3bf414c5a62704cc917242336394eeeed15a7e1a50e857c15e611dab92999aa4
Learn how to keep your private keys safe here: Compromised Private Keys: Threats and Remedies
Feb 14
👿Miner (@minerercx), a token based on an experimental token standard ERC-X, was exploited for ~168.8 ETH (~$463.4k) on Feb 14, 2024.
The attacker stole funds in multiple transactions by exploiting a vulnerability in the #smartcontract.
The ERC-X token prices took a nosedive of -87% as a result of the exploit.
The Vulnerability
The root cause lies with the _update function, which was awarding free tokens every time someone transferred tokens to themselves.
Being aware of this vulnerability, the attacker decided to manipulate this flaw and started sending tokens to himself in multiple transactions.
As soon as the tokens were sent, the _balances[from] function came into play and accurately calculated the attacker’s balance after subtracting the tokens the attacker sent but, due to the flaw, it was immediately overwritten by _balances[to], which erroneously added the sent value to the attacker’s balance, resulting in doubling of tokens in the account.
Attacker Address: 0xbff51c9c3d50d6168dfef72133f5dbda453ebf29
What Miner is Doing About the Exploit?
In an officially released statement, The Miner Team stated that they are re-auditing the vulnerable contract, and after its completion, the contract would be redeployed.
It also informed the community that the remaining liquidity of ~130 ETH will be used as LP for redeployment and that they are planning to take a pre-exploit snapshot of the current holders.
The Miner team has also left an on-chain message for the hacker to negotiate a deal for returning the funds in exchange for 30% (~$120k) of the stolen funds but, the attacker is yet to respond to this message.
On Chain Message: https://etherscan.io/tx/0x27a01149b321eaab0b16d488aefaffa04517a5cf73397b1bbcb8192a4db692ae
Feb 15
👿On Feb 15, 2024, in two separate incidents, @particle_trade—a permissionless leverage trading protocol on BSC and defi protocol @dualpools , were exploited for ~$139k and ~$41k, respectively.
Initial reports are emerging that the @particle_trade exploit happened because of unchecked user input.
In an officially released statement, @particle_trade confirmed the exploit and stated that the exploit happened to Particle’s previously deprecated NFT contract and that Particle’s current protocol was not impacted in this security incident.
On the other hand, @dualpools has yet to acknowledge the hack officially.
Breakup of Stolen Funds for @dualpools Exploit
- 50074554968631063877 BNB
- 0.171600491149762551 ВТСВ
- 3.992080348227829799 ETH
- 6,378.808120780430189153 ADA
- 911.577466008813446041 BSC-USD
@dualpools Hack Txn: https://bscscan.com/tx/0x90f374ca33fbd5aaa0d01f5fcf5dee4c7af49a98dc56b47459d8b7ad52ef1e93
@dualpools Attacker address: https://bscscan.com/address/0x4645863205b47a0a3344684489e8c446a437d66c
Malicious contract Used for @dualpools Exploit
Exploit: https://bscscan.com/address/0x38721b0d67dfdba1411bb277d95af3d53fa7200e
Feb 16
😈Cryptocurrency exchange @FixedFloat was exploited for ~$4.85m on #Ethereum and ~$21.1m on BTC on Feb 16 and 17, 2024, respectively.
The stolen assets include 409 BTC and ~1,728 $ETH
For Ethereum Chain
- Victim Address: 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F
- Attacker Address: 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085
For BTC
- Victim Address: bc1qns9f7yfx3ry9lj6yz7c9er0vwa0ye2eklpzqfw
- Attacker Address: bc1q2skp47p9f5mr4n4m27k66v0l68gh3xdd7ad4e5
What is FixedFloat?
FixedFloat is an automated crypto exchange that uses the Lightning Network for Bitcoin transactions.
The exchange does not require users’ registration or Know Your Customer (KYC) verifications.
Useful Read: Bitcoin’s Lightning Network: An Inkling Shot at Mass Adoption
What Happened to Stolen Funds?
The drainer already transferred most of the stolen $ETH to #eXch on #Ethereum. The stolen BTCs have been moved by the hacker to 3 different addresses.
- Bc1qmrqgrusknj7zzhh5r975a7d6espsukgts805ns (~200 BTC)
- Bc1q04yvaefxyan4fuygsv4nr08pxet8ae426dxxf3 (~170.85 BTC)
- Bc1qp6gjx8par8e83lfqnem5q049x2qfpydfg27tjf (~38.45 BTC)
The Hack
The exact reason for the exploit is being investigated. There has yet to be an official acknowledgment from FixedFloat at the time of writing this.
Initially, Team FixedFloat had ruled out the possibility of the attack when a massive outflow of funds was reported.
They attributed outflow to “minor technical problems” and switched its services to maintenance mode.
At the time of writing this, the official website https://fixedfloat.com still shows an under-maintenance message.
Feb 19
😈In another crypto security incident, the password manager @LastPass users suffered a breach in which 22 users lost $6.2 million worth of crypto assets. The breach is known to have happened between Feb 19 and 20, 2024.
The stolen funds on EVM have already been swapped and bridged to Bitcoin via THORChain.
The list of affected users and domains can be found at
https://chainabuse.com/report/ff7c260c-88e2-4d1b-a386-efe448b737e2
Is this the first breach at LastPass?
This is the fourth time that LastPass’ security was breached by malicious actors.
In the last breach, which happened in Oct 2023, the losses were to the tune of $4.4 million, and it involved 80 crypto wallets belonging to 25 victims.
Before that, in Dec 2021, @LastPass users faced security incidents related to credential stuffing.
Also, in June 2015, LastPass acknowledged a breach in which email addresses, password reminders, server-per-user salts, and authentication hashes were compromised.
How did the Hack Happen?
In Dec 2022, @LastPass informed its users about unauthorized access to its third-party cloud-based storage service, which was being used by LastPass to store archived backups of production data.
This exploiter had stolen some source code and technical information from LassPass’s development environment in an earlier breach in Aug 2022.
This stolen information was used to target other LastPass employees, and the attacker ended up getting credentials and private keys, which were used in the exploit of Dec 2022.
LassPass, in a post-mortem report for the exploit, had assured its users that the attacker could only get his hands on basic customer account information and a backup of customer vault data from the encrypted storage container, where sensitive information like usernames and passwords, secure notes, and form-filled data was fully encrypted and secured.
Team LastPass was pretty sure that it was nearly impossible for the hacker to crack the master password required for decrypting the encrypted data through a brute force attack or any other password-cracking tool or algorithm.
But, clearly, they were proved wrong by the exploiter on Oct 25, 2023, when they stole away $4.4m of assets.
Why do the LastPass users continue to bear the brunt?
Users, who had ever used @LassPass to save their seed phrases or keys, were strongly urged by security researchers and experts to migrate their crypto assets.
They were also asked to strictly avoid reusing their master passwords on other websites as it might land them in a situation where a threat actor could use dumps of compromised credentials available on the Internet to attempt a breach of their crypto wallets.
It seems some of the LastPass users did not heed this advice, and hence, the breach continues unabated.
What steps should LastPass users take to avoid/mitigate the fund losses?
If you are a @LastPass user, consider taking the following steps urgently:
- Rotate your keys by regenerating the seed phrase using a set of new seed keywords.
- Move your crypto assets to a new address secured with this new seed phrase.
- Do not use your LastPass password/seed phrase ever on any website
- File a report on IC3.gov at https://ic3.gov/Home/ComplaintChoice
Feb 22
😈On Feb 22, 2024, two wallets on Ronin Network belonging to Jeff Zirlin @Jihoz_Axie, co-founder of @Ronin_Network, were compromised in what appears to be a private key compromise.
The total loss in the theft was 3088693.24 RON tokens worth around 💰$10 million at the time of the hack.
Jeff clarified through a post from his official X (formerly Twitter) handle that the hack was limited to his personal wallets, and it had no impact on the Ronin bridge or Sky Mavis, which is a blockchain-based video game development studio, also co-founded by Jeff.
- Compromised Wallet 1: 0x121ad060686848b196df8ca5c5e24722efe57115
- Compromised Wallet 2: 0xa09a9b6f90ab23fcdcd6c3d087c1dfb65dddfb05
Hack Txns:
- https://app.roninchain.com/tx/0x6a89b582d37920e7c5ffde327417c2fd06f39c4c4a9aeef6e8bb3a45096f0585 (~11,130 RON)
- https://app.roninchain.com/tx/0xe5fcb3ea3993811a23eb919a2c78806a9af7ea907f0c5abf4d85394aba937003 (~298,000 RON)
- https://app.roninchain.com/tx/0x87841c81acde4828c10e7ce51f033c1bca613a0eaee2000a1ee6df3c3827830e (~830,000 RON)
- https://app.roninchain.com/tx/0x002e0c2213ea72c5ea749f6fa00f74c7bfab792189255fe9046c3aa865a68d1f (~1,949,561 RON)
Total Loss: ~3088693.24 RONS
The stolen funds were first moved to the hacker’s address: 😈0x39f817976c51a91b60145febad81067e69713105 on the Ronin chain and were later bridged to Ethereum and finally to the Tornado Cash.
https://etherscan.io/address/0x64192819ac13ef72bf6b5ae239ac672b43a9af08#tokentxns
Private keys should be kept protected all the time as hackers are always looking to steal them from you through malicious apps, social engineering, phishing, and scamming.
Learn how you can protect your keys from falling into the hands of hackers by reading
Crypto Security Essentials: Secure Encryption Key Management
To get into more technicalities about private and public crypto keys, read
Public and Private Keys: A Must Know In Cryptography!
Feb 23
😈Defi protocol Blueberry Protocol Foundation @blueberryFDN came under attack on Feb 23, 2024, when multiple lending markets were collectively exploited for ~💰457.68 ETH ($1.34M) (TX Profit) 1 bWETH (Leftover value).
The total gas fee used was 0.093022519261676367 ETH.
Hack Txn:
https://etherscan.io/tx/0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4
Fortunately, all of the drained funds were front-run by a validator MEV bot @coffeebabe_eth
, and the stolen funds of ~366.65 ETH (excluding the validator fee of ~91.04 ETH) have been returned to a multisig address.
https://etherscan.io/tx/0xc4d45a5143d04d98f11c56f0944ad60426bfbe70b25b5b43a95f0e61a9386a52
The markets affected by the exploit are BTC, OHM, and USDC.
While the hack is being investigated, the protocol has been paused to avoid any further fund loss. The front end was already down as a result of the exploit.
The users were asked to withdraw their funds if they could establish an indirect connection with the exploited contract.
Team @blueberryFDN is also trying to get in touch with the white-hat managing MEV bot @coffeebabe_eth
to return ~91.04 ETH of the validator fee.
What is Coffeebabe.eth?
It is a white-hat hacker known by the pseudonym ‘coffeebabe.eth’, who has thwarted exploits by the crypto hackers on at least one more occasion.
In July 2023, the same white-hat hacker saved Curve protocol @CurveFinance from a ~$5.5M exploit (2800 ETH) by front-running the exploit transaction.
What is front-running in crypto?
Find all the information in an in-depth article here:
Front-Running Attacks in Blockchain: The Complete Guide
Is the front-running attack the same as the sandwich attack?
Find all your answers here: What are Sandwich Attacks in Blockchain?
Feb 25
😈Decentralized betting platform @RiskOnBlast on @Blast_L2 ecosystem executed an exit scam on Feb 25, 2024, when it duped its investors of $1.3M.
The scam was cleverly executed after raising funds on the pretext of an IDO, which was capped at 420 ETH.
The social media handles have been deleted, and the website http://Riskonblast.xyz is not accessible anymore.
The IDO was being promoted for over a week, and users were continuously lured by posting info about partnerships with different crypto exchanges and using scarcity marketing tactics.
The accumulated funds were stolen from over 750 wallets and were bridged to exchanges ChangeNow ($500,000), MEXC ($360,000), and Bybit ($187,000).
RiskOnBlast has recently raised over $1M in a seed funding round around a week ago. It was one of the 47 projects shortlisted (out of 3000 applications) to receive additional funding in Blast’s Big Bang competition.
What is @Blast_L2?
Blast is an Ethereum layer-2 project that has garnered over $1 billion in capital in the last few months, after going live.
This was the first rug pull of the Blast ecosystem. Blast is now being criticized for not taking enough due diligence checks before promoting the RiskOnBlast project through its official X handle, terming its potential as “undeniable.”
Feb 27
😈On Feb 27, 2023, MyAlgo, a wallet on the Algorand chain, acknowledged that it was exploited for a massive ~$9.6M worth of crypto assets.
The exploits were carried out between Feb 19 and 21, and while acknowledging the hack, MyAlgo advised its users to withdraw funds as a precautionary measure.
In the exploit, 19.5 million ALGO and 3.5 million USDC were stolen from 25 different wallets.
Again on Mar 5, 2023, due to a compromised company wallet that was linked to @AlgodexOfficial’s liquidity rewards program and was used for providing extra liquidity to the ALGX token, the hacker stole away ~$55k worth of ALGX tokens from the liquidity reward pool.
The user assets and ALGX liquidity were not impacted by the exploit.
The exact reasons behind the compromise for the Feb 27 exploit were never officially revealed, but it is assumed to be along the lines of the Mar 5 exploit.
😈On Feb 27, 2023, BNB-based protocol @launchzoneann lost ~$700k worth of crypto assets. It was found that the LaunchZone deployer had made an approval to an unverified contract 473 days before the hack.
The attacker (probably aware of this approval) called a function on the unverified contract, which lacked access control.
This allowed the exploiter to transfer 9,886,961 LZ of LaunchZone’s funds to the Biswap LZ-BUSD pool.
The attacker then swapped 50 BUSD in the same pool to extract 9,886,999.87 LZ.
Later the exploiter manipulated LaunchZone’s contract to perform a bad swap and drained the pool. Finally, the stolen LZ tokens were swapped for for 87,911.041 BUSD.
The approval given by the LaunchZone deployer raises suspicion about this exploit actually being a rug pull.
😈On Feb 27, 2023, the SwapX project on the BNB chain lost around $1M due to a lack of effective access control on the approval function, which allowed hackers to approve their malicious contract and force conduct transactions on the victim’s behalf.
The hack was never officially confirmed by the SwapX team.
Access Control Vulnerabilities in Solidity Smart Contracts
😈On Feb 27, 2021, @furucombo, a transaction batching protocol used in defi, was exploited for ~$14M by using a malicious contract.
Furucombo users would often use the Aave defi protocol for carrying out their transactions. The malicious contract first tricked Furucombo into believing that it was the new version of Aave (Aave v2) and then took advantage of poorly configured permissions in Furucombo user accounts.
The victims had given ERC20 token permission to the Furucombo protocol, which allowed it to perform transactions without needing any additional approvals from the users.
When users interacted with the malicious contract (pretending to be Aave v2), the malicious contract drained out tokens for which users had already given approval to Furucombo.
This hack would not have happened if:
- Furucombo had a mechanism of whitelisting critical smart contracts it would interact with or have relied upon to carry out any transaction.
- If users had not given unbridled permission to Furucombo to carry out transactions without needing approvals.
Permit2 ERC20 token approvals and their pitfalls.
Feb 28
😈On Feb 28, 2024, the defi protocol @SenecaUSD was exploited for ~1,900 $ETH worth ~$6.5M. The Attacker was funded by @FixedFloat
Exploited Address: https://etherscan.io/address/0x94641c01a4937f2c8ef930580cf396142a2942dc
Hack Txns:
- https://etherscan.io/tx/0x775cc19c5c29deda98220cf3d244cb2f3f0e63e1c842060abeb26f84df2fb76d
- https://etherscan.io/tx/0x288d02902224e50719b49b2683b9f25e19abc197f4c3e0b3babbf75966130c83
- https://etherscan.io/tx/0xab7f14e2b75e70c8b136c8facb7a94d1947b812749660d0cb961e1a0db7c2f64
- https://etherscan.io/tx/0xa97ee9580ca7845c4e830eb6e00a0ba1a85b71a5ead2fbfafab20327817900cb
- https://etherscan.io/tx/0xb9f650e1dcd9c92983a2ef1a9973628ed9a89060765f2e208527d71ca9e9adad
How the Hack Happened?
The hack happened due to a vulnerability in the smart contract.
Using a lack of input validation, the exploiter called performOperations function externally using a constructed call data. This enabled them to call any contract with arbitrary data.
Using this privilege, the exploiter transferred assets from addresses that had granted approvals to the vulnerable contracts directly to themself by calling the ‘transferfrom’ function.
The Hack Aftermath
Team Seneca has confirmed the hack and has asked its users to revoke the following approvals:
On Ethereum
- PT-ezETH 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1
- apxETH 0xD837321Fc7fabA9af2f37EFFA08d4973A9BaCe34
- PT-weETH 0xBC83F2711D0749D7454e4A9D53d8594DF0377c05
- PT-rsETH 0x65c210c59B43EB68112b7a4f75C8393C36491F06
On Arbitrum
- PT-weETH 0x11446bbb511e4ea8B0622CB7d1437C23C2f3489b
- stEUR 0x7C160FfE3741a28e754E018DCcBD25dB04B313AC
- PT-aUSDC 0x4D7b1A1900b74ea4b843a5747740F483152cbA5C
- wstETH 0x2d99E1116E73110B88C468189aa6AF8Bb4675ec9
- PT-rsETH 0x2216E32006BB80d20f7906b88876964F9AF68aFb
Team Seneca has offered a 20% bounty to the exploiter in return for stolen funds.
The address provided for returning funds: https://etherscan.io/address/0xb7aF0Aa318706D94469d8d851015F9Aa12D9c53a
Team Seneca threatened to pursue legal action against the exploiter in case he failed to return funds.
Return of Funds by the Hacker
As per the latest update (Feb-29-2024 05:11:59 AM +UTC), the hacker has returned $5.3M (1537 ETH) at https://etherscan.io/address/0xb7aF0Aa318706D94469d8d851015F9Aa12D9c53a, which was specified by
@SenecaUSD for receiving stolen funds.
The remaining stolen funds 300 ETH (worth $1.04M) were split equally at the following addresses by the hacker.
- https://etherscan.io/address/0x0c77350c4bde539ffcee261a149dbc6e6afda517
- https://etherscan.io/address/0xa07c64e55f52aaf5c361321cf01b316ecbddb5a9
Feb 29
😈On Feb 29, 2024, Shido blockchain’s Ethereum staking contract has been exploited for ~$35m worth 4,353,473,223.864904 $SHIDO.
This number of SHIDO tokens drained out by the exploiter happens to be around half of the current circulating token supply of the token, which is 9 billion.
Due to the exploit, the SHIDO token prices quickly plummeted by 94% within the first 30 minutes.
How the Hack Was Executed?
The ownership of the contract was changed to a new address (0x1982), which immediately after acquiring the ownership, upgraded the StakingV4Proxy contract using a hidden withdrawToken() function, which was ultimately called to drain out ~4.3B SHIDO tokens.
Exploiter Address: https://etherscan.io/address/0x1982358c84da9d0b4b96fc9e8564d132f7d0041f
Exploited Contract:
https://etherscan.io/address/0xcda954a0c574d8c408f0b8c89a2b367d6a2d3354
Ownership transfer Txn: https://etherscan.io/tx/0xaa76ea503fadddf775b1ef7f195676440fdc3ac46ab642798ab6fa7ae3aafcbe
StakingV4Proxy upgrade by New Owner Txn: https://etherscan.io/tx/0x5d4056cdf40d09a6715fd0f26895d0c60038899b45620f0a6a402c4cd425b672
Draining Funds Txn:
https://etherscan.io/tx/0xed3000ddd8b4feb0902107f97a91815ecee8d7ccb57de9a9dbc50a4c07593cb3
How exactly the hacker was able to change ownership of the contract, raises suspicion about this exploit actually being a rug pull.
The exploiter was funded with 0.78075984 ETH via @AcrossProtocol by address
https://etherscan.io/address/0x147b12c06d9e8e3837280f783fd8070848d4412e which was funded via Layerswap and another address.
AcrossProtocol Funding Txn: https://etherscan.io/tx/0x5b6ee537d4ac6f184758f1f8d1caa0cc2af9268bb71ee9ce82f6b706fbe2883d
Response to the Hack
Shido has officially acknowledged the hack and has informed the community that it has asked the exploiter to accept a bounty and return the stolen funds.
The team Shido also stated that the measures to prevent such exploits have been put in place and assured that all those who have staked SHIDO, will have their tokens returned.
Is this the first Shido Exploit?
On June 23, 2023, Shido was exploited on the BNB chain due to a configuration error, which resulted in a loss of 976 BNB, worth approximately $238,500.
What is Shido?
Shido is a Layer 1 POS blockchain, which has launched its testnet and is planning to launch its mainnet in the coming week, as per the update released on its X handle.
The native SHIDO token is an Ethereum-based ERC-20 token, which users have staked on the project’s DEX, which is offering an annual yield of 8% as per the info available on its website.