
List of Crypto Hacks in the Month of January

by ImmuneBytes

Jan 1

😈On Jan 1, 2022, the DeFi protocol Tinyman on the Algorand chain lost $3M worth of assets from its contract pools due to a smart contract vulnerability.

The Smart Contract Vulnerability

The protocol’s burn function was designed to allocate two different tokens (GOBTC and ALGO tokens) to the user on being called.

The ratio in which these two were given out was based on the amounts of each token stored within the protocol.

Using the flaw in the Tinyman pools’ contract code, the attacker was able to receive GOBTC alone instead of the intended mix of GOBTC and ALGO.

In other words, every time the exploiter should have received ALGO, they received GOBTC instead.

Since GOBTC was worth far more than ALGO, the attacker made a profit of approximately $3M over multiple transactions.

The stolen GOBTC tokens were later swapped for stablecoins and transferred to other exchanges and wallets.

The vulnerability in the pool contract could have been caught had the smart contracts been audited by an experienced and credible smart contract auditing firm.
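To make the flaw concrete, here is an added example that is not Tinyman’s contract code (which is Algorand TEAL) and not from the original post. It models a two-asset pool whose burn pays out a pro-rata share of both reserves; the vulnerable burn computes the two payout amounts correctly but pays each in whatever asset the caller names, so naming the pricier asset twice collects both. The asset names, reserves and prices are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Two-asset pool whose LP tokens can be burned for a share of both reserves."""
    asset1: str
    asset2: str
    reserves: dict = field(default_factory=dict)
    lp_supply: int = 0

    def share(self, lp_amount: int, asset: str) -> int:
        """Pro-rata amount of `asset` backing `lp_amount` LP tokens."""
        return self.reserves[asset] * lp_amount // self.lp_supply

    def burn_vulnerable(self, lp_amount: int, out1: str, out2: str) -> dict:
        """Flawed burn: the two payout amounts are computed from the right
        reserves, but each is paid in whatever asset the caller names, and
        nothing checks that (out1, out2) is the pool's own pair. Naming the
        pricier asset twice collects both payouts in it."""
        pay1 = self.share(lp_amount, self.asset1)
        pay2 = self.share(lp_amount, self.asset2)
        self.lp_supply -= lp_amount
        paid: dict = {}
        for asset, amount in ((out1, pay1), (out2, pay2)):
            self.reserves[asset] -= amount
            paid[asset] = paid.get(asset, 0) + amount
        return paid

    def burn_fixed(self, lp_amount: int, out1: str, out2: str) -> dict:
        """Hardened burn: the caller must name each pool asset exactly once."""
        if {out1, out2} != {self.asset1, self.asset2} or out1 == out2:
            raise ValueError("burn must pay out both pool assets exactly once")
        return self.burn_vulnerable(lp_amount, out1, out2)


def make_pool() -> Pool:
    # Constructed reserves: 1,000 goBTC and 2,000 ALGO backing 1,000 LP tokens.
    return Pool("goBTC", "ALGO", {"goBTC": 1_000, "ALGO": 2_000}, 1_000)


# Constructed prices, chosen so both reserves are worth the same in total:
# each goBTC unit is worth two ALGO units.
PRICES = {"goBTC": 2, "ALGO": 1}


def value(payout: dict) -> int:
    """Value of a payout in ALGO units at the constructed prices."""
    return sum(PRICES[asset] * amount for asset, amount in payout.items())


def honest_burn() -> dict:
    # Burning 100 LP (10 % of supply) returns 10 % of each reserve.
    return make_pool().burn_fixed(100, "goBTC", "ALGO")


def exploit_burn() -> dict:
    # Same 100 LP, but both payouts are taken in goBTC: 100 + 200 = 300 goBTC.
    return make_pool().burn_vulnerable(100, "goBTC", "goBTC")
```

The honest burn is worth 400 ALGO-units while the exploit burn is worth 600 for the same LP tokens; repeating it drains the pricier reserve, which is why the real losses accumulated over multiple transactions. The fix is the one-line pair check in `burn_fixed`.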


Jan 2

😈In another major crypto exploit, on Jan 2, 2024, Radiant Capital @RDNTCapital on the Arbitrum chain was exploited for ~$4.5M (~1.9K ETH).

The root cause of the hack was price manipulation, carried out by exploiting a rounding issue in the rayDiv() function.

The Exploitation

First, the liquidity index (the denominator in the share calculation) was inflated through manipulation. Because rayDiv() rounds to the nearest unit, the absolute size of the rounding error grew with the index.

The attacker reaped profits through repeated deposit() and withdraw() operations.

The attack happened within the time frame of 6 seconds immediately after a new USDC market was deployed.

The rounding issue is a known issue in the Compound/Aave codebase, which lending markets fork when launching new markets.

To mitigate it, Aave has a mandatory policy of seeding a deposit alongside any new listing. This practice appears not to have been carried over in the fork.

Attacker’s address: https://arbiscan.io/address/0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Malicious contract:
https://arbiscan.io/address/0x39519c027b503f40867548fb0c890b11728faa8f

The Aftermath

The team @RDNTCapital has tried to initiate contact with the attacker by leaving an on-chain message, but has not yet received a response.

Ref: https://arbiscan.io/tx/0xcd1865e3bf185fc5fe0b5fb055f6d74cfa68ee50335ff92ad721063538922664

While the hack is being investigated, the Radiant DAO Council has paused lending/borrowing markets on Arbitrum temporarily.


Jan 4

😈On Jan 4, 2024, the DeFi protocol Gamma Strategies was exploited for ~1535 $ETH (~$3.43M) in what appears to be an attack on Camelot pools that use Gamma’s CLMM vaults.

Hack Txn: https://arbiscan.io/tx/0x025cf2858723369d606ee3abbc4ec01eab064a97cc9ec578bf91c6908679be75

Other than @GammaStrategies, decentralized exchanges (DEXs) such as @Quickswap, @SushiSwap, and @CamelotDEX could be affected by this exploit.

Gamma has strongly advised all its users to revoke all approvals to avoid a possible fund loss due to the exploit.

@CryptoAlgebra, which was earlier speculated to be exploited, has confirmed that the exploit is not connected with Algebra’s code, and it is safe to use services from its partners.

Beware of phishing websites claiming to check for exposure and revoke access from @CryptoAlgebra.

In an official statement, Gamma confirmed that the hacks were carried out using flash loan attacks.

The total loss in the exploit is 1535 ETH, worth ~$3.43M, which the attacker (https://arbiscan.io/address/0x5351536145610aa448a8bf85ba97c71caf31909c) has since bridged to #Ethereum in multiple transactions.

Ref: https://etherscan.io/address/0x5351536145610aa448a8bf85ba97c71caf31909c

Gamma Exploiter Malicious Contract: https://arbiscan.io/address/0x4b57adc00ac38f74506d29fc4080e3dc65b78a69

Mitigation Steps

As a precautionary measure, Gamma has shut off all deposits on public-facing vaults. At the time of writing, the rebalances and management of the positions are active and operational, as they are not affected by the exploit.

What Caused the Exploit?

Multiple measures were in place to prevent flash loan attacks, but one of them had a flaw.

That measure was a price-change threshold: deposits were supposed to be rejected when the pool price had moved more than a set amount. The exploiter worked within that limit.

The thresholds were set far too high, allowing price changes of up to 50-200% on specific LST and stablecoin vaults.

The attacker pushed the price up to that limit and then minted a large number of LP tokens against the manipulated price.
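The following added example (not Gamma’s code) shows why the size of the threshold is the whole defence. A vault values a deposit at the current pool price and mints shares accordingly; a guard rejects the deposit if the price has moved more than `max_change_bps` from a reference. With a 200% limit a price pushed to 2.9x still passes, and the attacker’s shares are worth more once the price reverts; with a 1% limit the same deposit is refused. The vault balances, the 2.9x move and the thresholds are constructed.

```python
from fractions import Fraction


class DepositGuard:
    """Rejects deposits when the pool price has moved more than `max_change_bps`
    from the reference price. 10_000 bps == 100 %."""

    def __init__(self, max_change_bps: int):
        self.max_change_bps = max_change_bps

    @staticmethod
    def change_bps(reference: Fraction, current: Fraction) -> int:
        return int(abs(current - reference) * 10_000 / reference)

    def check(self, reference: Fraction, current: Fraction) -> int:
        change = self.change_bps(reference, current)
        if change > self.max_change_bps:
            raise ValueError(f"price moved {change} bps, limit is {self.max_change_bps}")
        return change


class Vault:
    """Two-token vault that mints LP shares against the value of a deposit,
    valued at the *current* pool price (the manipulable input)."""

    def __init__(self, token0: int, token1: int, shares: int, guard: DepositGuard):
        self.token0, self.token1, self.shares, self.guard = token0, token1, shares, guard

    def total_value(self, price: Fraction) -> Fraction:
        """Vault value in token0 units at `price` token0 per token1."""
        return self.token0 + self.token1 * price

    def deposit_token1(self, amount: int, reference: Fraction, current: Fraction) -> Fraction:
        self.guard.check(reference, current)
        minted = amount * current * self.shares / self.total_value(current)
        self.token1 += amount
        self.shares += minted
        return minted

    def withdraw(self, shares: Fraction) -> tuple:
        frac = shares / self.shares
        out0, out1 = self.token0 * frac, self.token1 * frac
        self.token0 -= out0
        self.token1 -= out1
        self.shares -= shares
        return out0, out1


FAIR = Fraction(1)          # constructed: 1 token1 == 1 token0 before the attack


def attack_profit(manipulated: Fraction, guard: DepositGuard) -> Fraction:
    """Flash-loan style sequence: push the pool price to `manipulated`, deposit
    1,000 token1 at that price, let the price revert, withdraw pro rata.
    Returns the attacker's gain measured at the fair price (raises if the
    guard trips)."""
    vault = Vault(1_000, 1_000, 2_000, guard)
    minted = vault.deposit_token1(1_000, FAIR, manipulated)
    out0, out1 = vault.withdraw(minted)       # price is back at FAIR by now
    return out0 + out1 * FAIR - 1_000


WEAK_GUARD = DepositGuard(20_000)   # the 200 % limit described above
TIGHT_GUARD = DepositGuard(100)     # 1 %, constructed "safe" level
```

A 2.9x move is 19,000 bps, inside the weak limit: the attacker deposits 1,000 token1 and walks away with assets worth about 1,279, a gain of 4750/17 at the fair price. The same deposit under the tight guard raises before any shares are minted. A deposit at the fair price nets exactly zero under either guard, which is the property the check is meant to preserve.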

Corrective Measures

To set things right, Gamma has taken the following steps:

  • Setting price change thresholds to a safe level
  • Getting a 3rd party code review before re-enabling deposits
  • Maximizing recovery for all affected users
  • Conducting a detailed post-mortem analysis and proposing a remediation plan

Jan 5

😈The Narwhal project on #BSC was exploited on Jan 5 and Jan 6, 2024, for a total of ~$1.5M worth of NRW tokens ($500K on Jan 5 and $970K on Jan 6).

On Jan 7, @Narwhal_fyi confirmed in an official tweet that it had been exploited and that it would rebuild the liquidity pool within the next 3 days.

It also stated that they are working on a new platform with enhanced security to avoid such exploits in the future.

The stolen NRW was later swapped for ETH and bridged to the Ethereum Network.

The address 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30 deposited 375 ETH into TornadoCash and also received ETH from 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568

At the time of reporting, ~$1M of the stolen ~$1.5M had already been deposited into Tornado Cash by the attacker.

The remaining Stolen funds are currently at:

  • ETH: 0xe07bCffac8cEC86886B49b509A4924182D2596d3 (~80 ETH)
  • ETH: 0x51eF9B64e5Bc4A23C522ECE8769De87b022d3c41 (~100.3 ETH)

On Jan 6, the attacker called the withdraw() function with valid signer data. The decompiled contract shows that the signer’s address is set by the contract owner, so either the signer’s private key was compromised or the signature data was forged.

Exploited Contract: 0x8A2DF808CCb0DB866C5C152412D1718929143f53

The Alternate Theory

There is speculation that what looks like an exploit by an outside attacker could be a carefully executed exit scam disguised as one.

In support of this theory, on-chain analysts have presented the following:

The NRW token price shows two major drops—Jan 5 and Jan 7.

The drop on Jan 5 is likely caused by the large transfer of NRW tokens to an EOA 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568 from multiple wallets.

Suspiciously, all these wallets received funding from the same address: 0x28B38A8B0b5AbEcE315a5064495056ad158DDDfF

The 0x28B38 address itself was initially funded by 0xfc8Cd26F86E6169e95A0256004B5c8FD1a6EFdDF, which received funds via FixedFloat.

The same address also funded the NRW deployer.

The Jan 7 price drop was triggered by EOA 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30, which called withdraw on unverified malicious contract 0x814304B1e200b4D36B26f53358BbBA6D6136B2F5.

This contract was created by 0x6eA, which was, in fact, funded by 0xfc8C, which had earlier funded the NRW deployer.


Jan 7

😈MangoFarmSOL, a farming protocol on Solana, which promised unprecedented yield in the $SOL space to its investors, stole away ~$2M of its investors’ wealth on Jan 7, 2024, in a well-orchestrated exit scam.

It had announced a MANGO token airdrop for Jan 10, and to participate in the airdrop, users had to deposit SOL tokens in the protocol.

The TellTale Signs of the Scam

“Foobar,” a pseudonymous developer recently appointed as MangoFarmSOL’s security auditor, had warned users about MangoFarmSOL’s compromised front end on Jan 6 through a post on X (formerly Twitter).

He also predicted that the protocol could be a potential rug pull.

The Disappearing Act

The official website of MangoFarmSOL is now being flagged as a deceptive website. Their profile on X no longer exists, and the Telegram channel (with 1000 existing members) is not accepting new members anymore.

Is there Another Scam in Waiting?

There have been reports about screenshots being circulated on social media in which the developer of the now-scam project @MangoFarmSOL is shown claiming that he was forced to create Ponzi schemes and that he is involved with another project, BananaMiner.

Representatives from BananaMiner have refuted all such allegations and have categorically denied any connection to MangoFarmSOL, except that they were approached for collaboration by them.

MangoFarmSOL must not be confused with another Solana-based project, Mango Markets, which was exploited in October 2022 for over $100 million.

The Conclusion

The Solana ecosystem has been increasingly targeted by scammers using wallet drainers.

The seriousness of the security threat for Solana-based projects can be gauged by the fact that the cybercriminals have been selling Solana drainer kits since December, and one of the large communities for SOL’s wallet drainer kit maintained by these cybercriminals has over 6k members.

Beware of the scammers who lure novice #cryptoinvestors to invest in fake projects and tokens.
Equip yourself with knowledge on detecting such scams and avoid falling for them.

You can get a great deal of knowledge about identifying such scams here:

Crypto & Defi Rug Pull: How to Spot?

World of Rising DeFi Scams: 5 Types of Scams that are Deceiving Investors

Honeypot Scams in Crypto


Jan 10

😈An address on #Ethereum fell victim to a zero-value transfer (address poisoning) scam on Jan 10, 2024, accidentally sending 960,000 USDT to the scammer’s lookalike address instead of the address it meant to pay. Note below that the phishing address shares its first and last characters with the intended one.

Zero-value transfer scams have become common in the crypto world. They are increasingly popular with scammers because they require minimal effort to steal money from novice #cryptoinvestors.

Victim: 0x3dFf6f65Fd3354D2f98e065B814456Dc54435F0a

Intended Address: 0x9462B598aa7e45e6C2df22c35337Be248Df98CD6

Phishing Address: 0x946c8e51d95a1f1643c3617363aee83439f98cd6

What is a Zero Transfer Scam, and how do you avoid it?
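As an added example (not from the original post), here is the check a wallet or a payment script can run against this pattern. It uses the two addresses from this entry; the transfer history is constructed to show the scammer’s zero-value transferFrom (which needs no allowance because the amount is 0) landing in the victim’s history, and a payee check that refuses an address that merely resembles a trusted one.

```python
INTENDED = "0x9462B598aa7e45e6C2df22c35337Be248Df98CD6"   # the address the victim meant to pay
POISON = "0x946c8e51d95a1f1643c3617363aee83439f98cd6"     # the scammer's lookalike
VICTIM = "0x3dFf6f65Fd3354D2f98e065B814456Dc54435F0a"


def normalize(addr: str) -> str:
    addr = addr.strip().lower()
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return addr


def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when `candidate` agrees with `trusted` on the first `prefix` and
    last `suffix` hex digits (the part most wallet UIs display) but is a
    different address."""
    c, t = normalize(candidate)[2:], normalize(trusted)[2:]
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]


def flag_poisoning(transfers: list, owner: str, trusted: set) -> list:
    """Scan a transfer history for the poisoning pattern: a ZERO-value
    transfer whose counterparty resembles one of the owner's trusted addresses."""
    owner = normalize(owner)
    suspicious = []
    for tx in transfers:
        if tx["value"] != 0:
            continue
        counterparty = normalize(tx["to"] if normalize(tx["from"]) == owner else tx["from"])
        if any(is_lookalike(counterparty, t, 3, 4) for t in trusted) and counterparty not in suspicious:
            suspicious.append(counterparty)
    return suspicious


def resolve_payee(entered: str, trusted: set) -> str:
    """Address-book check before sending: accept only an exact match and
    reject anything that merely resembles a trusted address."""
    entered_n = normalize(entered)
    trusted_n = {normalize(t) for t in trusted}
    if entered_n in trusted_n:
        return entered_n
    for t in trusted_n:
        if is_lookalike(entered_n, t, 3, 4):
            raise ValueError(f"{entered} resembles trusted address {t} but is not it")
    raise ValueError(f"{entered} is not in the address book")


# Constructed history for the victim's wallet: a real payment to INTENDED, then
# the scammer's transferFrom(victim -> POISON, 0) and a 0-value transfer back,
# both of which show up in the victim's transaction list next to the real one.
HISTORY = [
    {"from": VICTIM, "to": INTENDED, "value": 250_000},
    {"from": VICTIM, "to": POISON, "value": 0},
    {"from": POISON, "to": VICTIM, "value": 0},
]
```

The two addresses on this page match on the first three and last four hex digits, which is exactly what a UI that abbreviates to `0x946…8cd6` would show; comparing four leading digits already tells them apart, and comparing the whole string is the only safe option. Copying the destination from a previous transaction in the history is what the scam relies on, so the address book lookup should be the source of truth.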

😈On Jan 10, 2023, the BRA token on #BSC was exploited for $225,000 when it lost 819 WBNB due to a smart contract vulnerability.

The Vulnerability

Due to a logic vulnerability in the smart contract, whenever the transfer function was invoked with the liquidity pair as both sender and recipient, the pair was credited with the reward twice.

The Attack Flow

>>Step 1

The attacker took a flash loan of 1,400 WBNB and exchanged 1,000 WBNB for 10.5K BRA tokens, which they later transferred to the Pancakeswap pair.

>>Step 2

By calling the pair’s skim() function, the attacker triggered the BRA contract’s transfer function from the pair and collected the rewards.

>>Step 3

In the Uniswap V2 design, skim() is a recovery mechanism: it transfers any token balance the pair holds above its recorded reserves (stored as two uint112 values) to the address provided.

The attacker abused this by passing the pair itself as the recipient, so the excess BRA was transferred from the pair back to the pair.

Because of the vulnerability, each such skim() left the pair with twice the intended BRA reward.

The hacker repeatedly called skim() around 100 times to significantly increase the contract pair’s BRA balance.

>>Step 4

The attacker then swapped the inflated BRA balance back for 1,675 WBNB and repaid the 1,400 WBNB flash loan.

A profit of 675 WBNB was generated in this process, which the hacker sent to their address.

The whole sequence of attack was repeated one more time, and this time, the profit gained by the attacker was 144 WBNB.
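The following added example is a toy reconstruction of the bug class described in the attack flow, not the BRA contract. A reflection-style token pays a reward to the pair on transfers that touch it; the vulnerable branch credits that reward once for `sender == pair` and once more for `recipient == pair`, so a pair-to-pair transfer (which is what `skim(pair)` produces) is credited twice and the pair’s balance grows beyond what was moved. The reward rate, balances and number of rounds are constructed.

```python
REWARD_BPS = 500     # constructed: 5 % of each transfer is credited to the pair


class BraToken:
    """Toy reflection-style token. `fixed=False` reproduces the double credit."""

    def __init__(self, pair: str, fixed: bool):
        self.balances: dict = {}
        self.pair = pair
        self.fixed = fixed

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def credit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        reward = amount * REWARD_BPS // 10_000
        self.balances[sender] -= amount
        self.credit(recipient, amount - reward)
        if self.fixed:
            if self.pair in (sender, recipient):      # credit the pair at most once
                self.credit(self.pair, reward)
        else:
            if sender == self.pair:                  # bug: both branches fire on pair -> pair
                self.credit(self.pair, reward)
            if recipient == self.pair:
                self.credit(self.pair, reward)


class Pair:
    """Minimal Uniswap-V2-style pair for the BRA side: `reserve` is the last
    synced balance, and skim(to) transfers anything above it to `to`."""

    def __init__(self, token: BraToken, address: str):
        self.token, self.address, self.reserve = token, address, 0

    def sync(self) -> None:
        self.reserve = self.token.balance_of(self.address)

    def skim(self, to: str) -> int:
        excess = self.token.balance_of(self.address) - self.reserve
        self.token.transfer(self.address, to, excess)
        return excess


def run_attack(fixed: bool, rounds: int = 100) -> int:
    """Seed the pair with extra BRA, call skim(pair) `rounds` times, then
    skim to the attacker. Returns the attacker's final BRA balance."""
    token = BraToken(pair="pair", fixed=fixed)
    token.credit("pair", 100_000)                 # constructed pool balance
    pair = Pair(token, "pair")
    pair.sync()                                   # reserve == 100,000
    token.credit("attacker", 10_500)              # stands in for the WBNB -> BRA swap
    token.transfer("attacker", "pair", 10_500)    # BRA sent to the pair, above reserves
    for _ in range(rounds):
        pair.skim("pair")                         # pair -> pair transfer each round
    pair.skim("attacker")                         # collect the inflated excess
    return token.balance_of("attacker")
```

With the fix, a hundred pair-to-pair skims change nothing and the attacker only gets their own 10,500 BRA back minus the transfer reward (9,975). With the bug, the excess above reserves compounds by the reward rate on every skim, so after one round the attacker already collects 10,474 and after a hundred rounds well over a million BRA, which is what the swap back to WBNB in Step 4 monetises.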

Technical Info:

Attack Transaction: https://bscscan.com/tx/0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047

Attacker’s Address:

  • https://bscscan.com/address/0x67a909f2953fb1138bea4b60894b51291d2d0795
  • https://bscscan.com/address/0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B

BRA Token Code: https://bscscan.com/token/0x449fea37d339a11efe1b181e5d5462464bba3752#code

Pancake Swap Contract:
https://bscscan.com/address/0x8f4ba1832611f0c364de7114bbff92ba676adf0e

How to Avoid Such Attacks?

This attack would not have happened if the smart contract auditors had examined the contract for logical issues. By conducting thorough testing and reviews of the smart contract code, the auditors can discover and fix potential vulnerabilities before deployment.

BRA Token Detailed Hack Analysis


Jan 11

👿On Jan 11, 2024, a victim on the Ethereum chain was scammed out of ~$772K worth of stETH after signing a malicious ERC20 Permit signature.

An ERC20 token approval granted on a scam website can later be used by the attacker to move tokens out of the victim’s address without the owner’s knowledge.

Victim: 0x551b30bc933e26e098bd2e68d436c24ed39b7312

Scammer: 0x1A42605D92C210E4bE47A6363046c591659ab444 (Fake_Phishing269883)

Hack Txn: https://etherscan.io/tx/0xa653ede5787d5ee4b869d01643c3178b38d470445cd2078c23a5f2cfed4ff37b

To stay protected from ERC20 token approval phishing scams, always:

  • Set approval amounts to the minimum the transaction needs rather than unlimited.
  • Ensure that the website authorized for token approvals is genuine and trustworthy.
  • Bookmark the URL of the website or access it from the official channels.
  • Look for the approvals which are no longer in use and revoke them ASAP.
  • Stay updated with the news of exploits in the crypto world.

If a dApp you previously approved is exploited, revoke that approval immediately so the exploiter cannot drain your funds.

ERC20 Permit2 approval and the associated risks

Jan 12

😈The DeFi protocol WiseLending @Wise_Lending on Ethereum came under a price manipulation attack on Jan 12, 2024, when the exploiter abused a rounding error and caused losses of ~$460K (~178 ETH).

The attacker knew that WiseLending rounds up when calculating the shares for withdrawals.

The attacker repeatedly called the withdraw function with a minimal amount, causing a mismatch between the protocol’s token balance and its share accounting. This mismatch is what enabled the price manipulation.

The stolen funds are currently held at 0x592856d68B3FEE1D2dAa34CdC9851f3477C52530

Manipulated Contract: https://etherscan.io/address/0xb90cf1d740b206b6d80854bc525e609dc42b45dc

Hack Txn: https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31

Rounding errors in smart contracts can lead to severe security vulnerabilities. To know how these can be mitigated, read:

How to Bypass the Integer Division Error in Smart Contracts?

Precision Loss Vulnerability in Solidity: A Deep Technical Dive

😈An address on the #Avalanche chain lost 9.41 $BTC (~$433K) in a phishing attack on Jan 12, 2024. The stolen amount left the victim in two transfers within a single transaction.

Read: The Beginner’s Guide to Phishing Attacks

Hack Txn: https://subnets.avax.network/c-chain/tx/0xe00e4c8c11cff74c6a2296ef4e20cd0bc9811365022460f7207197923c4f51ed

Victim: 0xda60167db93bfd982204a55afb7321a76afc419b

Contract Address: 0xf455878e14d435e23dd8a2000c8fac3fca2f33d5

Scammer Add 1: 0xa3aa460C12713A000a33893b024D95db80945a2F (1.41147824 aAvaBTC.b)

Scammer Add 2: 0x7666a59f3A38934cb1262d22Fac52A67fda4B123 (7.99837663 aAvaBTC.b)


Jan 15

😈On Jan 15, 2023, Midas Capital was exploited using read-only Reentrancy. The losses in the attack were calculated to be ~$660K.

In the attack, the Polygon liquidity pool of the stablecoin protocol Jarvis was targeted.

Midas Capital had listed the WMATIC-stMATIC Curve LP token on their platform with supply caps of about 250,000.

Aware of this, the attacker first took WMATIC flash loans from Balancer V2, AAVE V3, and AAVE V2 in order to inflate the LP token price and borrow against it.

Next, they entered the Midas markets and added liquidity to Curve (0 stMATIC, 270,000 WMATIC).

The attacker then deposited the Curve LP (backed by the 270K WMATIC) as collateral in Midas and added a much larger amount of liquidity (0 stMATIC and 71M WMATIC), which left the pool heavily imbalanced.

Finally, the attacker removed liquidity from Curve. The removal hands control back to the caller while the pool’s state is only partly updated, and inside that callback they borrowed jCHF, jEUR, jGBP, and agEUR from Midas against the incorrect Curve LP price.

This led to the loss of 663,101 MATIC tokens, valued at over ~$660,000 at that time.
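The following added example (not Curve’s or Midas Capital’s code) reproduces the read-only reentrancy pattern in a toy pool and lending market. The pool burns LP supply first, then settles each coin in turn; paying coin 0 hands control to the receiver, so during that callback the supply and coin-0 balance are already reduced while coin-1 is not, and the `virtual_price()` view is inflated. The lending side either reads that price blindly or, when `guarded`, refuses to price LP while the pool’s lock is held (with a real Curve pool a consumer does this by calling a `@nonreentrant` function and treating a revert as "locked"). Balances, supply and the 80% LTV are constructed.

```python
WAD = 10**18
LTV_BPS = 8_000      # constructed 80 % loan-to-value


class StablePool:
    """Toy two-coin pool with the burn-then-settle ordering described above."""

    def __init__(self, bal0: int, bal1: int, lp_supply: int):
        self.balances = [bal0, bal1]
        self.lp_supply = lp_supply
        self.locked = False

    def virtual_price(self) -> int:
        # Read-only view: D / supply, with D approximated as the coin sum.
        return (self.balances[0] + self.balances[1]) * WAD // self.lp_supply

    def remove_liquidity(self, lp_amount: int, receiver) -> None:
        self.locked = True                         # the pool's own reentrancy lock
        try:
            supply = self.lp_supply
            self.lp_supply -= lp_amount            # burn first ...
            for i in range(2):
                out = self.balances[i] * lp_amount // supply
                self.balances[i] -= out            # ... then settle coins one by one
                receiver.on_receive(i, out, self)  # coin 0: external call, state half-updated
        finally:
            self.locked = False


class Lending:
    """Lending market that prices LP collateral with pool.virtual_price()."""

    def __init__(self, pool: StablePool, guarded: bool):
        self.pool, self.guarded = pool, guarded
        self.collateral: dict = {}
        self.debt: dict = {}

    def lp_price(self) -> int:
        if self.guarded and self.pool.locked:
            raise RuntimeError("pool is mid-call; LP price unreliable")
        return self.pool.virtual_price()

    def borrow_limit(self, who: str) -> int:
        return self.collateral.get(who, 0) * self.lp_price() // WAD * LTV_BPS // 10_000

    def borrow(self, who: str, amount: int) -> None:
        if amount > self.borrow_limit(who):
            raise ValueError("exceeds borrow limit")
        self.debt[who] = self.debt.get(who, 0) + amount


class Attacker:
    """Receives coin 0 mid-removal and borrows against the stale price."""

    def __init__(self, lending: Lending):
        self.lending, self.borrowed = lending, 0

    def on_receive(self, coin: int, amount: int, pool: StablePool) -> None:
        if coin == 0:
            try:
                limit = self.lending.borrow_limit("attacker")
                self.lending.borrow("attacker", limit)
                self.borrowed = limit
            except RuntimeError:
                self.borrowed = 0


def honest_limit() -> int:
    """Borrow limit for 500 LP read outside any callback."""
    pool = StablePool(2_000, 2_000, 4_000)
    lending = Lending(pool, guarded=True)
    lending.collateral["attacker"] = 500
    return lending.borrow_limit("attacker")


def run_attack(guarded: bool) -> int:
    """Attacker holds 2,000 of 4,000 LP: posts 500 as collateral, removes the
    other 1,500 and borrows from inside the coin-0 callback. Returns the amount
    borrowed (0 if the guarded market refused to price the LP)."""
    pool = StablePool(2_000, 2_000, 4_000)
    lending = Lending(pool, guarded)
    lending.collateral["attacker"] = 500
    attacker = Attacker(lending)
    pool.remove_liquidity(1_500, attacker)
    return attacker.borrowed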

Hacker Address: 0x1863b74778cf5e1c9c482a1cdc2351362bd08611

Attack Txn: https://polygonscan.com/tx/0x0053490215baf541362fc78be0de98e3147f40223238d5b12512b3e26c0a2c2f

Exploited Contract: https://polygonscan.com/address/0x5bca7ddf1bcccb2ee8e46c56bfc9d3cdc77262bc#code

Reentrancy Attack: The Ultimate Guide


Jan 16

😈On Jan 16, 2024, an address lost $229,553 worth of WBTC and ETH after signing malicious phishing signatures on a phishing website.

Hack Txn:
https://etherscan.io/tx/0x6d34b0f63da4f7402c467a657eb4c12894d1dfaa3b0095992d19eb64de2282fc

Victim: 0x23f8c7db7a1b656652e9726ab264c5b181418b9f

Scammer: 0x145f2b66b7bf5ad64b4ae21d1c77a20c61bf45a9

The victim signed three ERC20 Permit signatures, and the token spenders were temporary addresses pre-computed with CREATE2: the draining contract is deployed to the pre-computed address only after the signature has been collected, so the spender had no code at signing time.

CREATE2, although a useful improvement over CREATE, is increasingly being used by scammers to carry out phishing attacks.

Explained: Create2 Opcode in Solidity
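The following added example (not from the original post or from any wallet vendor) is the check a wallet could run on an EIP-2612 Permit message before asking the user to sign it. It applies to both the Jan 11 stETH entry and this one: it flags an unknown spender, an unlimited value, a far-off deadline, and a spender with no code, which is what a CREATE2 pre-computed address looks like before the drainer contract is deployed. The phishing spender and victim addresses are the ones from the Jan 11 entry; the "router" address, the timestamp and the code-size lookup are constructed stand-ins for an `eth_getCode` query.

```python
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
DAY = 86_400
VICTIM = "0x551b30bc933e26e098bd2e68d436c24ed39b7312"            # Jan 11 entry
PHISHING_SPENDER = "0x1A42605D92C210E4bE47A6363046c591659ab444"  # Jan 11 entry
ROUTER = "0x1111111111111111111111111111111111111111"            # constructed legitimate dApp
NOW = 1_705_000_000                                                # constructed timestamp, Jan 2024

# Constructed stand-in for eth_getCode lengths; a real checker queries a node.
CODE_SIZE = {ROUTER: 8_192}


def code_size_at(addr: str) -> int:
    return CODE_SIZE.get(addr.lower(), 0)


@dataclass(frozen=True)
class Permit:
    """The EIP-2612 Permit message (EIP-712 typed data) a wallet asks the user to sign."""
    owner: str
    spender: str
    value: int
    nonce: int
    deadline: int


def assess_permit(p: Permit, needed: int, known_spenders: set, now: int = NOW) -> list:
    """Return the reasons a wallet should warn before signing `p`. `needed` is
    the amount the dApp actually has to move for the action the user intends."""
    findings = []
    known = {k.lower() for k in known_spenders}
    spender = p.spender.lower()
    if spender not in known:
        findings.append("spender is not a contract you chose to interact with")
    if code_size_at(spender) == 0:
        findings.append("spender has no code: an EOA, or a CREATE2 pre-computed address "
                        "whose contract will be deployed only after you sign")
    if p.value == UINT256_MAX:
        findings.append("unlimited allowance")
    elif p.value > needed:
        findings.append(f"allowance {p.value} exceeds the {needed} needed")
    if p.deadline > now + 30 * DAY:
        findings.append("deadline far in the future: the signature stays usable for a long time")
    return findings


# A drainer-style permit: unknown, code-less spender, unlimited value, no expiry.
MALICIOUS = Permit(owner=VICTIM, spender=PHISHING_SPENDER, value=UINT256_MAX,
                   nonce=0, deadline=UINT256_MAX)
# What a well-behaved dApp asks for: the exact amount, to its own contract, valid 30 minutes.
LEGIT = Permit(owner=VICTIM, spender=ROUTER, value=10**18, nonce=0, deadline=NOW + 30 * 60)
```

A wallet that renders only "Sign message" gives the user none of these four signals; the checklist in the Jan 11 entry (minimal amounts, known site, revoke stale approvals) is the manual version of the same checks.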

😈The DeFi protocol Socket @SocketDotTech on Ethereum was exploited for ~$3.3M on Jan 16 through a bad route that had been added three days earlier.

Added Route tx: https://etherscan.io/tx/0x1df44e224c7a715da25fa33dcad2ca3a930d1a4dafd263e61c07b52673d505f4

This has affected users who had given infinite approval to the SocketGateway contract https://etherscan.io/address/0x3a23f943181408eac424116af7b7790c94cb97a5

The attacker took advantage of the incomplete user input validation to steal funds from the users who had approved the contract.

The Input Validation Vulnerability

The attack went through an unsafe external call in the performAction function.

Because of an input validation gap in the contract, a caller transferring 0 WETH could supply arbitrary call data for that external call and still pass the balance-check validation, since a zero amount makes the check trivially true.

Using this flaw, the attacker crafted calldata that invoked transferFrom() on arbitrary tokens, moving tokens that other users had approved to the contract.

Attacker Add: https://etherscan.io/address/0x50df5a2217588772471b84adbbe4194a2ed39066

Hack Txn: https://etherscan.io/tx/0x591d054a9db63f0976e533f447df482bed5f24d7429646570b2108a67e24ce54

To contain the hack, the exploited contract was paused, and Socket asked its users to revoke all approvals to avoid loss of funds.

The bad route was also removed by Socket.

Disable route tx:
https://etherscan.io/tx/0xac75adcc1cb3fef158c4f200c48fcbcbb9b6ce3250bdf3751d6231d41a9e604b

The Hack Aftermath

As of writing this, @SocketDotTech has informed the community that bridging on @BungeeExchange has resumed and that most of their partner frontends are back up.

They also stated that they are conducting a detailed analysis of the exploit, the report of which would be shared later with the community.


Jan 17

😈DeFi protocol @BasketDAOOrg was hacked on Jan 17, 2024, for over $107K due to a vulnerability in its smart contract.

The attack was an arbitrary low-level call exploit, made possible by a bug in the contract’s approval handling.

In March 2022, the same contract, along with another contract (0x01A903c12A2Dd87A5410173A29543504DF8bD14B), was found to have similar vulnerabilities, which had caused fund loss at the time.

Hack Txn: https://etherscan.io/tx/0x97201900198d0054a2f7a914f5625591feb6a18e7fc6bb4f0c964b967a6c15f6

Hacked Contract: https://etherscan.io/address/0x4622aff8e521a444c9301da0efd05f6b482221b8

Attacker Add: https://etherscan.io/address/0x63136677355840F26c0695dD6DE5C9E4f514f8e8

😈On Jan 17, 2024, a victim on the Ethereum chain lost $149,435 worth of tokens due to signing malicious phishing signatures on a phishing site.

Hack Txn (Jan-17-2024 09:42:35 PM +UTC): https://etherscan.io/tx/0x98480bb8e5c212b4f408a3f74fbb94dc60529a97d14fe2356372b170ab320773

Victim Add:
0x373adc79ff63d5076d0685ca35031339d4e0da82

Scammer Add 1:
0x4f4314e1e81650497d46e5b2179f5f3430902011

Scammer Add 2: 0x9fA7bB759641FCd37fe4aE41f725e0f653f2C726 (PinkDrainer: Wallet 2)

😈In another phishing incident on Jan 17, 2024, a victim on the Ethereum chain lost $178,030 worth ~6667 Auction tokens to the phishing maneuvers of the scammer.

Hack Txn (Jan-17-2024 01:37:59 PM +UTC): https://etherscan.io/tx/0x8f6cb49baa8886d1d1fef5146afbccdb6075b3f0cc0fd3a9cf604fb9b9f0b94f

Victim Add: 0xefbf320e8bc2e0a051db24f73b6f5756deeddcda

Scammer Add 1: 0xa2f10ccba0f5950eea846be601d7e0a627144b4e

Scammer Add 2: 0xa3aa460c12713a000a33893b024d95db80945a2f (Fake_Phishing270927)


Jan 18

😈On Jan 18, 2022, Crosswise Finance (@crosswisefi), a cross-chain decentralized exchange (DEX), suffered an exploit that cost it over $879K.

Hack Txn: https://bscscan.com/tx/0xd02e444d0ef7ff063e3c2cecceba67eae832acf3f9cf817733af9139145f479b

Exploiter Add: 0x748346113B6d61870Aa0961C6D3FB38742fc5089

The Hack Methodology

  1. The investigation showed that the attacker exploited a privileged function which (knowingly or unknowingly) had been left exposed to the public.
  2. Using this exposed function, the attacker registered their own trusted forwarder, which allowed them to hijack the owner privileges of the Crosswise Finance MasterChef contract.
  3. The exposed function was setTrustedForwarder(); once the attacker’s address was the trusted forwarder, calls relayed through it were treated as coming from whatever sender the attacker specified, including the owner.
  4. The attacker then swapped 0.01 WBNB for 3.71 CRSS through a Crosswise router in order to withdraw funds from the protocol.
  5. Next, the attacker deposited 1 CRSS into the Crosswise MasterChef contract and created a new strategy under their control to withdraw 692K CRSS.
  6. Finally, the attacker swapped the 692K CRSS for 547 WBNB, which were moved through Tornado Cash, which had also been used to fund the exploit initially.
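The following added example (not Crosswise’s code) shows why an unprotected setTrustedForwarder() is equivalent to giving away ownership. In the ERC-2771 meta-transaction pattern, when a call arrives from the trusted forwarder the contract reads the real sender from the end of the call data and uses that for access control; anyone who can point the forwarder at themselves can therefore append the owner’s address and pass `onlyOwner`. The contract, addresses and strategy names are constructed.

```python
from typing import Optional

OWNER = "owner"
ATTACKER = "attacker"     # stand-in addresses


class MasterChef:
    """Toy ERC-2771-style contract with an owner-only strategy registry."""

    def __init__(self, owner: str, hardened: bool):
        self.owner = owner
        self.hardened = hardened
        self.trusted_forwarder: Optional[str] = None
        self.strategies: dict = {}

    def _msg_sender(self, msg_sender: str, forwarded_sender: Optional[str]) -> str:
        # ERC-2771: a call from the trusted forwarder carries the real sender in
        # the last 20 bytes of calldata, and that value is trusted blindly.
        if msg_sender == self.trusted_forwarder and forwarded_sender is not None:
            return forwarded_sender
        return msg_sender

    def set_trusted_forwarder(self, msg_sender: str, forwarder: str) -> None:
        # Vulnerable: no access control. Hardened: owner only (immutable is better still).
        if self.hardened and msg_sender != self.owner:
            raise PermissionError("onlyOwner")
        self.trusted_forwarder = forwarder

    def add_strategy(self, msg_sender: str, name: str, target: str,
                     forwarded_sender: Optional[str] = None) -> None:
        if self._msg_sender(msg_sender, forwarded_sender) != self.owner:
            raise PermissionError("onlyOwner")
        self.strategies[name] = target


def run_attack(hardened: bool) -> bool:
    """Attacker makes themselves the trusted forwarder, then calls an
    owner-only function with the owner's address appended as the forwarded
    sender. Returns True if the attacker-controlled strategy was installed."""
    chef = MasterChef(OWNER, hardened)
    try:
        chef.set_trusted_forwarder(ATTACKER, ATTACKER)
        chef.add_strategy(ATTACKER, "drain", "attacker_contract", forwarded_sender=OWNER)
    except PermissionError:
        return False
    return chef.strategies.get("drain") == "attacker_contract"


def honest_owner_call() -> bool:
    """The real owner can still manage strategies on the hardened contract."""
    chef = MasterChef(OWNER, hardened=True)
    chef.add_strategy(OWNER, "farm", "real_strategy")
    return chef.strategies["farm"] == "real_strategy"


def spoof_without_forwarder() -> bool:
    """Appending the owner's address does nothing unless the caller IS the forwarder."""
    chef = MasterChef(OWNER, hardened=True)
    try:
        chef.add_strategy(ATTACKER, "drain", "attacker_contract", forwarded_sender=OWNER)
    except PermissionError:
        return False
    return True
```

The strategy registered in step 5 of the attack flow is the `"drain"` entry here: once it is installed, the contract willingly hands its deposits to attacker-controlled code, and no further privilege is needed.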

The Aftermath

  • @crosswisefi acknowledged the exploit, expelled 4 of its project developers over the lapse and a suspected insider role, and sought legal advice on appropriate action.
  • To salvage the project and restore the confidence of its users, the team Crosswise decided to prepare a snapshot of the users’ holdings prior to the exploit and continue with the practice of taking snapshots after the project’s intended redeployment.
  • The entire code was put under the scrutiny of smart contract auditors to ensure the redeployment was free from any existing or new vulnerabilities.
  • A compensation plan was also discussed for the affected users post-relaunch of the project.
  • The users were urged not to buy or sell CRSS tokens or convert pre-sale tokens before redeployment. These existing tokens were planned to be replaced with new tokens post-relaunch.

Jan 21

😈On Jan 21, 2024, a phishing attack on #ethereum cost a victim ~$4.2M worth of aEthWETH and aEthUNI.

The loss happened due to the victim’s signing of multiple ERC20 Permit signatures.

Attack Txn: https://etherscan.io/tx/0x93a0ce0711edaf7664c26b3654095f1052010bb7da62c135b6ef0c425c0c2f09

Victim:
0x1749ad951fb612b42dc105944da86c362a783487

Attackers:
0x0000372B2BC916D6c904495e53533Ae90740F688
0xf672775e124E66f8cC3FB584ed739120d32bBaad

The addresses used to receive these tokens are temporary addresses pre-computed with CREATE2.

CREATE2 is increasingly being used by scammers to carry out phishing attacks.

To learn what CREATE2 is and how scammers use it for phishing, read:
Explained: Create2 Opcode in Solidity


Jan 22

😈The DeFi protocol @ConcentricFi on the Arbitrum chain suffered an exploit on Jan 22 and reportedly lost ~$1.72M worth of crypto assets (715 $ETH).

The exploiters got unauthorized access to the protocol through a targeted social engineering attack on one of the team members holding the deployer wallet.

Although the vault’s smart contracts had been audited before deployment, the contracts were upgradable, and the attackers used the compromised deployer key to upgrade the vaults, mint LP tokens, and drain them.

The Attack Methodology

The attacker got hold of the private key through social engineering attacks on one of the team members with access to the deployer wallet.

As the vaults were upgradable, the attacker updated the implementation contract of the CONE-1 proxy contract from the original ConeCamelotVault contract to the attacker-controlled contract.

The attacker then granted themselves admin rights on the new implementation’s adminMint() function and used it to mint LP tokens and drain the vaults.
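The following added example (not Concentric’s contracts) shows the two halves of this incident: an upgradeable proxy, where the implementation can be swapped by whoever holds the upgrade authority, and the difference between that authority being a single deployer key and being a threshold of signers behind a timelock. The vault logic, the malicious implementation’s `admin_mint`, and the 2-of-3 / 48-hour parameters are constructed.

```python
from typing import Optional


class Proxy:
    """Toy upgradeable proxy: every call runs the current implementation
    against the proxy's own storage, so whoever can swap `implementation`
    controls every vault balance."""

    def __init__(self, implementation):
        self.implementation = implementation
        self.storage = {"lp": {}, "total_lp": 0}

    def call(self, fn: str, caller: str, *args):
        return getattr(self.implementation, fn)(self.storage, caller, *args)


class ConeVaultV1:
    """Stand-in for the audited vault logic: LP only against real deposits."""

    @staticmethod
    def deposit(storage, caller, amount):
        storage["lp"][caller] = storage["lp"].get(caller, 0) + amount
        storage["total_lp"] += amount


class MaliciousVault:
    """Attacker's replacement implementation: the adminMint() of the entry above."""

    @staticmethod
    def admin_mint(storage, caller, amount):
        storage["lp"][caller] = storage["lp"].get(caller, 0) + amount
        storage["total_lp"] += amount


class SingleKeyAdmin:
    """Upgrade authority == one deployer key. Steal the key, own the vault."""

    def __init__(self, proxy: Proxy, deployer: str):
        self.proxy, self.deployer = proxy, deployer

    def upgrade(self, caller: str, impl) -> None:
        if caller != self.deployer:
            raise PermissionError("not deployer")
        self.proxy.implementation = impl


class TimelockedMultisigAdmin:
    """Upgrade needs `threshold` distinct signers and a delay before execution:
    one compromised key cannot swap the implementation, and the pending
    upgrade is visible on-chain for `delay` seconds before it can take effect."""

    def __init__(self, proxy: Proxy, signers: set, threshold: int, delay: int):
        self.proxy, self.signers, self.threshold, self.delay = proxy, set(signers), threshold, delay
        self.pending: Optional[dict] = None

    def propose(self, caller: str, impl, now: int) -> None:
        if caller not in self.signers:
            raise PermissionError("not a signer")
        self.pending = {"impl": impl, "eta": now + self.delay, "approvals": {caller}}

    def approve(self, caller: str) -> None:
        if caller not in self.signers or self.pending is None:
            raise PermissionError("not a signer, or nothing pending")
        self.pending["approvals"].add(caller)

    def execute(self, now: int) -> None:
        if self.pending is None or len(self.pending["approvals"]) < self.threshold:
            raise PermissionError("threshold not met")
        if now < self.pending["eta"]:
            raise PermissionError("timelock not expired")
        self.proxy.implementation = self.pending["impl"]
        self.pending = None


def stolen_single_key() -> int:
    """Deployer key phished: attacker upgrades and mints LP out of thin air."""
    proxy = Proxy(ConeVaultV1())
    admin = SingleKeyAdmin(proxy, deployer="deployer")
    admin.upgrade("deployer", MaliciousVault())           # signed with the stolen key
    proxy.call("admin_mint", "attacker", 1_000_000)
    return proxy.storage["lp"]["attacker"]


def stolen_one_of_three_keys() -> int:
    """Same phish against a 2-of-3 multisig behind a 48-hour timelock."""
    proxy = Proxy(ConeVaultV1())
    admin = TimelockedMultisigAdmin(proxy, {"deployer", "signer2", "signer3"},
                                    threshold=2, delay=48 * 3600)
    admin.propose("deployer", MaliciousVault(), now=0)
    admin.approve("deployer")                              # the same key again adds nothing
    try:
        admin.execute(now=48 * 3600)
    except PermissionError:
        pass
    try:
        proxy.call("admin_mint", "attacker", 1_000_000)    # V1 has no admin_mint
    except AttributeError:
        pass
    return proxy.storage["lp"].get("attacker", 0)
```

An audit of the implementation says nothing about who can replace it; the upgrade path is part of the attack surface and deserves the same review, which is the point the entry makes about audited but upgradable vaults.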

Attacker Address 1: 0x105f52fcC329cEF4CBe25BC946f8a3738414E4A1.

Attacker Address 2: 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b

The address that created the 3 upgraded ConeCamelotVault contracts is 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F.

Addresses Holding Stolen Funds:

  • 0x17865c33e40814d691663bc292b2f77000f94c34 — (115.749555148545411 ETH)
  • 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d — (300 ETH)
  • 0xFD681A9aA555391Ef772C53144db8404AEC76030 — (300 ETH)

Address 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d, holding stolen funds, is labeled as OKX Exploiter 2 on #Etherscan

Other addresses holding funds: 0xFD681A9aA555391Ef772C53144db8404AEC76030 and 0x17865c33e40814d691663bc292b2f77000f94c34 both have previously received funds from OKX Exploiter 2 on Dec 13, 2023, as checked on #Etherscan.

Precautionary Measures

To keep user funds safe, users are advised to revoke all approvals for the following addresses on Arbitrum:

  • 0x39c1bc90ba23d4d95eafa9335ceb83e0826e7ea7
  • 0x0f9da8eaf006079d772955644bac36f17934b36e
  • 0x319e70fc896a138619617b7d06f0dfcd2e554808
  • 0x6277f4f9f55bfc331bcbe8db2f221ae186489915
  • 0x7f8863c2086fde3d199f5dd27d555574d1bb7228

Actions Taken:

Following the exploit, the @ConcentricFi team:

  • Initiated a detailed investigation to identify the culprits behind the attack and promised to release an in-depth post-mortem report on completion of the investigation.
  • Started working towards implementing security measures to prevent future breaches.
  • Is exploring all possible options to mitigate the losses and safeguard the community’s interests.

😈On Jan 22, 2024, the @GAMEEToken on Polygon was exploited for $7M (600M $GMEE tokens).

The primary reason for the hack was a lack of access control, which led to the compromise of the $GMEE deployer address.

In the attack, the attacker withdrew a significant amount of $GMEE from Animoca.

The stolen funds were later swapped to $MATIC, and part of them were subsequently bridged to Ethereum.

Due to the exchange of stolen funds by the exploiter at various DEX, the $GMEE token price across various exchanges has taken a hit.

In an official communication, the team @GAMEEToken confirmed that the exploit has only affected proprietary team token reserves, and no community-owned assets have been impacted in the attack.

Their initial investigation revealed that the compromise of the Polygon $GMEE deployer address might have happened via unauthorized GitLab access.

Attacker Address: https://polygonscan.com/address/0x16afa519642c932b073cd21d82162bdc7a471b86

GAMEE Token Contract Address: https://polygonscan.com/address/0xcf32822ff397ef82425153a9dcb726e5ff61dca7

The Hack Aftermath

Following are the actions taken by the team @GAMEEToken

  • The compromised deployer address was replaced with a new secure address
  • Liquidity provisioning was temporarily closed on all DEXs
  • All centralized exchanges with $GMEE markets were contacted to disable deposits temporarily and freeze tokens linked to the hack
  • A detailed audit of all existing procedures and contracts has been initiated.
  • Help from law enforcement agencies is being pursued to take legal action against the culprits and recover stolen funds.

Access control vulnerabilities can seriously impact a project’s stability, security, and integrity. Learn how such vulnerabilities can be mitigated at:
Access Control Vulnerabilities in Solidity Smart Contracts


Jan 23

😈Phishing scams continue to bleed crypto investors. On Jan 23, 2024, the address 0xf8ebfa lost ~$1.3M worth of stablecoins on multiple chains:

  • 154.16K $USDC on #Ethereum
  • 300.34K $USDT on #Arbitrum
  • 834.24K $USDT on #BNBChain

Hack Txn: https://bscscan.com/tx/0x400b7583b892024db19940e2e74a26b22b188196e3c6cbff4e6663295a50daed

Victim: 0xf8ebfacb4768b4152dd38416c1ea5fd143f5f807

Scammer: 0xabd75cd4117fa7bfaa096f581abcec69b8d68f50

The phishing happened when the victim signed an increaseAllowance transaction and multiple ERC20 Permit signatures.

The addresses used for receiving stolen tokens are the temporary addresses pre-computed by CREATE2.


Jan 25

😈On Jan 25, 2024, a victim on Ethereum lost ~$164k worth of PudgyPenguins NFTs to a phishing attack.

The hack’s cause was the victim’s signing of a malicious Blur Bulk signature.

This phishing exploit method is not new and is based on a malicious Blur bulk listing signature used by scammers to steal NFTs with just one message signature.

What is Blur Bulk Listing Message Phishing

Usually, NFT owners are tricked by a malicious website into signing a listing that sells their NFTs for 0 ETH.

Due to Blur’s unreadable bulk listing messages, it gets difficult for NFT owners to identify a malicious request from the marketplace, and they end up losing their NFTs to hackers.

To avoid falling for such traps, always check the source of the signature request before signing any approval for NFT transfers.

If the source doesn’t show http://blur.io, do not proceed with the signing request. Never sign any Blur bulk listing signature that is not from the official website i.e., http://blur.io

Hack Txn: https://etherscan.io/tx/0x2c837d3abc13ab662c84d518b129d045417d2e55af54748d932d7607f5cec10a

Victim:
https://etherscan.io/address/0x57179b08bd29b441da18ba84c526c3f0be23dacc

Scammer:
https://etherscan.io/address/0x9e09dc51ad3b33464093f5505b81bc96e2eccde0

😈In a massive phishing attack, a victim on #ethereum lost $1.1M worth of $LINK on Jan 25, 2024.

After the victim signed a malicious swap transaction, the swap of 58.2K $LINK (worth ~$813K) for 222.4 $ETH (worth ~$494K) went through without slippage protection and was sandwiched, costing the victim about $300K.

In this attack, the MEV bot received a bribe of 135.56 ETH (~$301K).
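The following added example (not from the original post) replays a sandwich on a constant-product pool to show what "without slippage protection" costs and what a minimum-output check does. The victim’s 58.2K LINK comes from the entry; the pool reserves, the 0.3% fee and the attacker’s front-run size are constructed. The MEV bot’s bribe to the block builder is not modelled.

```python
FEE_BPS = 30     # 0.3 % swap fee, Uniswap-v2 style


class ConstantProductPool:
    """x*y=k pool holding LINK (x) and ETH (y)."""

    def __init__(self, link: int, eth: int):
        self.link, self.eth = link, eth

    @staticmethod
    def amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        fee_adjusted = amount_in * (10_000 - FEE_BPS)
        return fee_adjusted * reserve_out // (reserve_in * 10_000 + fee_adjusted)

    def quote_link_to_eth(self, link_in: int) -> int:
        return self.amount_out(link_in, self.link, self.eth)

    def sell_link(self, link_in: int, min_eth_out: int = 0) -> int:
        """The victim's swap; `min_eth_out` is the slippage protection."""
        eth_out = self.quote_link_to_eth(link_in)
        if eth_out < min_eth_out:
            raise ValueError("slippage: INSUFFICIENT_OUTPUT_AMOUNT")
        self.link += link_in
        self.eth -= eth_out
        return eth_out

    def sell_eth(self, eth_in: int) -> int:
        link_out = self.amount_out(eth_in, self.eth, self.link)
        self.eth += eth_in
        self.link -= link_out
        return link_out


VICTIM_LINK = 58_200          # the victim's swap size from the entry above
FRONTRUN_LINK = 200_000       # constructed attacker size


def fresh_pool() -> ConstantProductPool:
    # Constructed reserves: 500,000 LINK against 7,000 ETH.
    return ConstantProductPool(link=500_000, eth=7_000)


def alone_quote() -> int:
    """What the victim receives with no one else in the block."""
    return fresh_pool().quote_link_to_eth(VICTIM_LINK)


def sandwich(victim_min_eth_out: int) -> dict:
    """Attacker sells LINK ahead of the victim, the victim sells, the attacker
    buys the LINK back. Returns the victim's ETH out (0 if their swap reverted)
    and the attacker's LINK profit, which goes negative when the victim's swap
    reverts and the attacker is left paying two swap fees for nothing."""
    pool = fresh_pool()
    eth_from_frontrun = pool.sell_link(FRONTRUN_LINK)
    try:
        victim_out = pool.sell_link(VICTIM_LINK, victim_min_eth_out)
        reverted = False
    except ValueError:
        victim_out, reverted = 0, True
    link_back = pool.sell_eth(eth_from_frontrun)
    return {"victim_eth_out": victim_out, "victim_reverted": reverted,
            "attacker_link_profit": link_back - FRONTRUN_LINK}
```

With `min_eth_out = 0` the victim takes whatever price the attacker leaves behind and the attacker closes the sandwich at a profit; with a minimum of 99% of the undisturbed quote the victim’s swap reverts, the attacker has already bought into the pool and ends the block with fewer LINK than they started with. A router call with `amountOutMin = 0` is the on-chain signature of the "malicious swap transaction" in this entry.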

Hack Txns:

  • https://etherscan.io/tx/0x16ac84571af9a83017ca53cae15ccd090434013c7d14bae3c7d04b17484627e6
  • https://etherscan.io/tx/0x827cb7d0b74b8c8d0d84b14a5d2b7b58c95a606e7b9037a4ca6f0c0286c79d64

Do you know what are Sandwich Attacks in Blockchain?
Find all your answers here: What are Sandwich Attacks in Blockchain?


Jan 30

😈The DeFi protocol @MIM_Spell was exploited on Jan 30, 2024, for over $6.5M, in what appears to be the exploitation of a rounding error.

In total, @MIM_Spell lost 2.74K $ETH in the attack which was initially funded with 1 $ETH from #TornadoCash.

Hack Txn: https://etherscan.io/tx/0x26a83db7e28838dd9fee6fb7314ae58dcc6aee9a20bf224c386ff5e80f7e4cf2

Attacker: https://etherscan.io/address/0x87f585809ce79ae39a5fa0c7c96d0d159eb678c9

As per the preliminary findings, the attacker attacked specific Cauldrons V3 & V4, which resulted in unauthorized MIM borrowing.

To minimize any further losses, @MIM_Spell set borrowing limits to zero for the attacked V3 and V4 cauldrons.

Team @MIM_Spell acknowledged the hack and confirmed that the issue has now been fully contained.

@MIM_Spell also confirmed that no user collateral is at risk. The hack is currently being investigated thoroughly, and the report will be published soon.

Team @MIM_Spell has also left an on-chain message for the attacker in an attempt to persuade them to return the funds and keep part of the stolen amount as a bug bounty.

On-Chain Message Txn: https://etherscan.io/tx/0xa1f8e3c30917f33956ef0a96417987a07a70509a2e48b6426b65906462faad6b

As of writing this, the hacker has yet to respond to this offer.

Immediately after the hack, MIM briefly fell to $0.77 before recovering to $0.98.

The recovery could be attributed to @MIM_Spell DAO treasury’s buying back of MIM from the market to burn them.

Rounding errors and precision loss vulnerabilities can cause grave losses in well-orchestrated attacks by crypto exploiters. Learn how you can fix these vulnerabilities in your project here:

Precision Loss Vulnerability in Solidity: A Deep Technical Dive
