March 5
Table of Contents
😈On March 5, 2024, Wootrade’s @_WOOFi WooPPV2 contract was targeted by malicious actors and got away with $8.5M worth of crypto assets on the Arbitrum chain.
The cause of the exploit is a price manipulation attack.
The price calculation in the WooPPV2 contract was flawed. The hacker exploited this flaw by flash-loaning $USDC.e and $Woo to manipulate the price.
This was followed by successive token swaps, which allowed the hacker to rake in profits due to price differences.
The attacker was initially funded by @TornadoCash on $ETH. Post exploit, the attacker has started obfuscating the stolen funds by transferring it to different EOAs and bridging them to other chains.
Exploited Contract: https://arbiscan.io/address/0xeFF23B4bE1091b53205E35f3AfCD9C7182bf3062
Exploiter Address: https://etherscan.io/address/0x9961190B258897BCa7a12B8f37F415E689D281C4
At the time of writing this, the exploiter is still holding ~$730K at this address.
Other Address Receiving Stolen Funds: https://arbiscan.io/address/0xb59d04d9957c9e266dff5c4173d4d2324eb029ad (~$7.4M)
Hack Txn: https://arbiscan.io/tx/0x57e555328b7def90e1fc2a0f7aa6df8d601a8f15803800a5aaf0a20382f21fbd
Hack Response:
On realizing the exploit, @_WOOFi immediately paused the affected contract and asked all its users to revoke approvals to the said contract.
The contract was paused within 13 minutes of the exploit, as per the officially released statement. This prevented the losses from escalating.
The vulnerabilities in the exploited contract are being rectified. WOOFi Swap is expected to be fully functional again within the next two weeks, as per the team @_WOOFi.
The team also confirmed that the current user assets in Earn vaults were not impacted in the exploit.
Oracle price manipulation attacks using flash loans are not new. There have been several crypto exploits in the past which have caused huge losses to the defi projects.
Know about Oracle Price Manipulation attacks and how they are executed in detail here:
What are Oracle Manipulation Attacks in Blockchain?
A detailed insight into flash loan attacks can be found here:
What Is A Flash Loan Attack, And How To Prevent It?
March 6
👿On Mar 6, 2024, a user on the Ethereum chain lost ~1.1 million $PAAL, worth ~$700K, when it signed a Uniswap Permit2 malicious signature.
Victim:
0x77d4a46b39f2e206411280a12c9344b769ff1066
Contract Address: 0x0528BEc5405178F112A0cdA7266c92c04Ad28260
Scammers:
- 0xf3f436aa46406eb77ede9abeee410aadddfb68f4
- 0x0000db5c8B030ae20308ac975898E09741e70000 (#Fake_Phishing187019)
Phishing Txn: https://etherscan.io/tx/0x3e47db5a54e132886f648f5c5f17f3ce6ef750455aa911bec5508b7a5b2df33d
Do you know what Permit2 signatures are and what risks are associated with them? Learn about it here: PERMIT2 ERC-20 Token Approvals and Associated Risks
👿On Mar 6, 2024, the TGBS token was exploited for ~$151k by using a flash loan attack.
What Is A Flash Loan Attack, And How To Prevent It?
The hacker’s modus operandi was to repeatedly transfer a small amount of TGBS to themself, which triggered the burning of tokens on the LP.
As a result, the token price fluctuated, which the exploiter manipulated to rake in profits.
The attacker was initially funded by Tornado Cash
.
Attacker:
0xff1db040e4f2a44305e28f8de728dabff58f01e1
Due to the exploit, the TGBS token prices took a steep fall and have yet to regain their lost levels.
Hack Txn: https://bscscan.com/tx/0xa0408770d158af99a10c60474d6433f4c20f3052e54423f4e590321341d4f2a4
Malicious Contract:
0x1a8eb8eca01819b695637c55c1707f9497b51cd9
Victim contract:
0xedecfa18cae067b2489a2287784a543069f950f4 (TGBS)
March 7
👿On March 7, 2023, defi lender Tender Finance (Now Glend @GemachLend ) was exploited for ~$1.59 million through flash loan attacks.
By manipulating the misconfigured price oracle, the hacker borrowed $1.59 million worth of assets from the protocol by depositing 1 GMX token, which was valued at $71
The exploiter (who later turned out to be a white hat / ethical hacker) sent an on-chain message to Tender.fi mentioning that Tender Finance’s Oracle was misconfigured and asking them to get in touch with him to fix this misconfiguration.
Ref. https://arbiscan.io/tx/0x38ae60739af0726831957546d9d16c92ed75164a1581d4e4e6f270917913ab9c
Tender Finance later confirmed that the white hat hacker returned the funds for a bounty reward of $97,000 (62.15 ETH).
Oracle price manipulations have the potential to wreck any defi project.
Oracles act as a bridge between blockchains and the outside world by supplying them with real-world data, most commonly price feeds. Any error in the feed can be manipulated by malicious actors, resulting in big losses.
Good Read: What are TWAP Oracles, and How are they different from Uniswap?
March 11
👿On March 11, 2024, the DeFi protocol BlastOff (@blastozone) on the@Blast_L2chain was exploited for ~150 ETH.
In the breach, malicious actors entered the future yield minter vault and stole ~$606K worth of crypto assets.
According to the official statement, the affected users in the breach have been duly compensated, and the hacker has been offered a 20% bounty for returning the stolen assets.
The exact cause of the breach is currently being investigated and the protocol is also being reaudited for any vulnerabilities, left undiscovered due to the oversight of earlier blockchain auditors.
What is the Blast?
Blast is an Ethereum layer-2 project that has garnered over $1 billion in capital in the last few months.
@Blast_L2 chain just went live on the mainnet on March 1, 2024. On February 25, a Decentralized betting platform @RiskOnBlast project on the @Blast_L2 ecosystem executed an exit scam and duped its investors out of $1.3M.
March 13
👿On March 13, 2023, the defi @eulerfinance (Euler Labs) was exploited for $197 million in a flash loan exploit, aided by the vulnerability in the protocol logic.
The attack was carried out in multiple transactions and involved two malicious addresses. The hacker was able to rake in profits of 8.7 million DAI and 8099 ETH.
The Flawed Logic
The flawed logic involved donation and liquidation. The donateToReserves function failed to check for liquidity to ensure that the donator was still over-collateralized.
Moreover, the liquidation could not fetch the correct conversion rate from ‘borrow’ to ‘collateral’ asset.
Moreover, the hacker could bypass the health scores protection feature for borrowing accounts, as the flaw in the protection mechanism allowed insolvent accounts to obtain collateral without repaying the outstanding debt. The above stated flaw was found to be in computeLiqOpp function.
Euler Finance Hack – Detailed Analysis Report
👿On March 13, 2022, defi project Paraluni on the BSC chain fell victim to an exploit, which cost it $1.7 million.
The reason behind the attack was also a vulnerability in the MasterChef contract in which the the depositByAddLiquidity function was not programmed to check if the LP token created by the incoming token array ‘parameter_tokens’ was compliant with the specified _pid parameter or was consistent with the LP token (USDT-BUSD LP) in the pool.
On top of that, the re-entrancy protection was missing during the addition of the liquidity calculations.
This led to the exploit where the hacker used malicious contracts to carry out re-entrancy attacks in tandem with flash loans.
Paraluni Exploit – Detailed Hack Analysis
March 14
👿On March 14, 2024, a victim on the #ethereum chain fell to a phishing attack when it lost 501 http://ether.fi ETH(~$2 million)
Victim Address: 0x39b28b4ef189ea7ecc961b08f4d3f89f39ad1ccf
Phishing Addresses:
- 0x1AF48964975CCF8fb66140873B3D16237587CBe7 (Fake_Phishing187019)
- 0x0000db5c8B030ae20308ac975898E09741e70000
- 0xf672775e124E66f8cC3FB584ed739120d32bBaad (Fake_Phishing322740)
Phishing Txn: https://etherscan.io/tx/0x16d1e75227e8317999fdbe9cf00817c31fe52898f44c57b8dabac72b674be6e4
March 17
👿On March 17, 2024, Krishna Okhandiar, the founder of Remilia and Milady, who also goes by the name of Charlotte Fang, was reportedly hacked for millions of dollars worth of crypto assets, including ether and NFTs, which were transferred to a new wallet address.
The said malicious wallet immediately started selling the NFTs and swapping tokens after receiving the stolen NFTs and ether.
The wallet appears to be selling the NFTs (so far, 5 Miladys and 40 Remilios) and swapping tokens to accumulate ETH.
The blockchain data shows that the exploiter sent $1 million in ether to a secondary address, and it still holds nearly $1 million in ether and several other tokens (143 NFTx-staked Miladys and 104 NFTx-staked Remilios) as of writing this.
As per the last update received, all the stolen NFTs have been sold to accumulate 850 ETH ($3 million).
The exact reason for the hack is not known yet, but there is an ownership transfer of Remilia’s treasury to the drainer, which happened before the hack, which raises doubts about this being either a rug pull or an insider’s job.
Tx of Ownership Transfer: https://etherscan.io/tx/0x1178ae5d067eb5e950e5d98fc060081992d7d50366974421212be33951eef186
Stolen assets were moved to the following address:
0x778Be423ef77A20A4493f846BdbcDDfc30252cE9
What is Milady?
Milady, a collection of 10,000 anime profile picture NFTs designed by Charlotte Fang, was launched in the year 2021. In May 2023, Elon Musk (Tesla CEO) publicly endorsed Milady NFTs, which shot up its floor price from 3.8 ETH to 7.8 ETH.
Remilia and Milady Controversy
Since 2022, Okhandiar and the Milady community have been embroiled in legal disputes involving the ownership of project assets, which has negatively impacted Milady’s market value.
In September 2023, Charlotte Fang informed the community through a post on X (formerly Twitter) that a developer in the Milady ecosystem stole around $1 million in generated fees from Remilia Corporation along with the ownership of its three official X accounts—Miladymaker, Remilionaire, and Remiliacorp.
March 20
👿On March 20, 2024, ParaSwap, a middleware for traders and decentralized applications, discovered a critical vulnerability in its Augustus V6 contract.
By the time the vulnerability was discovered and @paraswap paused the V6 API, four of the users (who had approved the vulnerable contract) had already lost ~$ 24k worth of assets.
@paraswap has officially confirmed that the stolen amount has been recovered, and for refunds, impacted users can contact their support team.
Remain user funds have now been moved to a new address, and users have been advised to revoke approvals for the vulnerable contract at address 0x00000000FdAC7708D0D360BDDc1bc7d097F47439
👿On March 20, 2024, Defi Protocol Dolomite @Dolomite_io on the Arbitrum chain has been exploited for ~$1.8m in USDC. The exploit happened to an old Dolomite contract from 2019 on #ethereum.
In an official tweet, Dolomite confirmed that the hack did not impact their current product on Arbitrum.
The exploiter’s wallet was funded by the reltor.eth (tornado cash relayer) from Tornado Cash twelve days ago.
Realtor.eth address: 0x4750BCfcC340AA4B31be7e71fa072716d28c29C5
Immediately after getting funded on March 8, the hacker tried to steal funds from the
@Dolomite_io exchanged its old contract, but the attack could not go through.
Hack Attempt Txn on March 12: https://etherscan.io/tx/0x105e05c8eb7d0f9d8e57e9bce21ba55a22908acb0e7ac84d07b6bb483deb4cd5
However, on March 20, the exploiter managed to steal 541 ETH and 94k DAI from the contract using the ‘submit rings’ method.
Exploit tx:
https://etherscan.io/tx/0x8756db0d30f8c5ba0eee75c4d4337ee03df2b240d5989dee353a937327e642bd
Exploiter address:
https://etherscan.io/address/0x52522d35725836d48e12e64731fa170bcd9423bf
The Hack Aftermath
As per the latest update by @Dolomite_io , they have submitted a transaction that disables the exploited contract from being called.
https://etherscan.io/tx/0x0b4dd1fa64d94322bfec73e59996792f1094e7fe3bdb7981829888bacbfc30ba
As a result, the users who still have not revoked approval to the exploited contract will be safe from further exploits, but they have been urged to revoke approval to the following old contracts.
Contract 1 for Revoking Approval: https://etherscan.io/address/0xE2466deB9536A69BF8131Ecd0c267EE41dd1cdA0
Contract 2 for Revoking Approval: https://etherscan.io/address/0x7f49ac8fdb38d24b686130e22579c7efe69b19c0
The unattended Permit2 ERC20 token approvals can put your crypto assets at grave risk. Read this to know how you can avoid such fund loss:
PERMIT2 ERC-20 Token Approvals and Associated Risks
👿On March 20, 2024, the community-governed L1 blockchain @airdao_io suffered an exploit of ~$880K in which it lost 35.2m AMB tokens and 125.51 ETH from the AMB/ETH Uniswap pool.
Hacker’s Address Which Received Stolen Funds
https://etherscan.io/address/0xFD1754f6Cb9DA53c6F26E3E2eE3DE875CC11C7AA
Exploited Address:
https://etherscan.io/address/0x35e5fd25370b6445a5501956870c93b7ad5ae50e
Hack Txns: https://etherscan.io/tx/0x2e0087b709f158c4272a02bf0038b2770a94d8146b2633d7d1bbb2c452ec91b4
https://etherscan.io/tx/0x12019c14cd4da75f7af310fc1a6ef843ce394c7a414b3c231632d7bde6c124b0
The official reason for the exploit has been stated as the exploiter’s unauthorized access to the LP using social engineering methods and malicious email attachments sent to one of @airdao_io ‘s partners.
The stolen funds are on the move post hack. The attacker has used multiple exchanges including #Binance, #MEXC, #ChangeNOW, #KuCoin, and #BitMart to swap stolen funds to $ETH, which were then deposited to
@MEXC_Official , by routing it through different addresses.
In response to the hack the AirDAO team has initiated contact with various crypto exchanges to track and freeze the stolen funds.
Along with that, the team has also announced a white-hat bounty of 10% for the hacker if he agrees to return the stolen funds. If the hacker fails to comply with the condition of returning funds for a bounty, the case will be reported to the law enforcement authorities for further action.
As per the official statement, in this exploit, the users’ funds on the AirDAO blockchain or exchanges, as well as the AirDAO multisig, remained unaffected.
The detailed hack analysis is currently underway, and its findings will be shared with the community as soon as it is completed.
March 23
👿On March 23, 2023, the Curio defi project @curio_invest suffered an attack, resulting in the loss of $16 million worth of assets.
The primary reason for the exploit is a permission access logic vulnerability in the smart contract based on
@MakerDAO, which the attacker exploited to mint an additional 1B $CGT.
Exploiter Address: https://etherscan.io/address/0xdaAa6294C47b5743BDafe0613d1926eE27ae8cf5
Hack Txn: https://etherscan.io/tx/0x4ff4028b03c3df468197358b99f5160e5709e7fce3884cc8ce818856d058e106
Attack contract:
https://etherscan.io/address/0x1e791527aea32cddbd7ceb7f04612db536816545
Target contract:
https://etherscan.io/address/0x579a3244f38112b8aabefce0227555c9b6e7aaf0
Post hack, the exploiter has conducted multiple swaps and transfers to make stolen funds tracing obscure.
The Hack Flow
In the exploit, the attacker used the “cook function” of the attack contract to manipulate the ”IDSChief” and ”IDSPause” contracts to carry out a governance manipulation and mass token minting scheme.
The attacker initially minted 2e18 CGT tokens, which they subsequently locked and used for voting. This allowed the attacker to alter the governance system in their favor.
Once the control was gained, the attacker executed a delegate call to the attack contract Spell using the IDSPause contract.
March 25
👿The burnable meme rune coin Zongzi @ZongZiFa_ was exploited for ~$232k (391.33 WBNB) on March 25, 2024, when the attacker inflated the price of ZongZi to make profits from the invitation rewards.
Exploiter Address: https://bscscan.com/address/0x2c42824ef89d6efa7847d3997266b62599560a26
Hack Txn: https://bscscan.com/tx/0x247f4b3dbde9d8ab95c9766588d80f8dae835129225775ebd05a6dd2c69cd79f
Exploiter Contract: https://bscscan.com/address/0x0bd0d9ba4f52db225b265c3cffa7bc4a418d22a9
Stolen Funds are currently Stored at EOA: 0x20f62b7dd38fbb5c85a6ffe2733f2f12bdb900c9
There has been no official acknowledgment of the exploit from @ZongZiFa_so far.
March 26
👿On March 26, 2024, Munchables @_munchables_ , a nonfungible token (NFT) game on the @Blast_L2 blockchain suffered an exploit and lost ~$63 million worth of ether (ETH).
A total of 17,413.96 ETH was stolen and transferred to an EOA by a developer who had admin-level access to the @_munchables_ lock contract. Using this privilege, they upgraded the Lock contract, which is deployed to lock tokens for a specified period of time.
Hack Txn: https://blastscan.io/tx/0x9a7e4d16ed15b0367b8ad677eaf1db6a2a54663610696d69e1b4aa1a08f55c95
Hacker’s Address:
https://blastscan.io/address/0x6e8836f050a315611208a5cd7e228701563d09c5
Although @_munchables_ had put appropriate checks in place to ensure that no one could withdraw more than they deposited, but right before upgrading, the attacker assigned himself a deposited balance of 1,000,000 Ether.
Contract Implementation Address for Exploit:
https://blastscan.io/address/0x910fFc04A3006007A453E5dD325BABe1e1fc4511
This huge deposit was made possible by the hacker, who manipulated storage slots manually five days ago on March 21, 2024, and subsequently assigned himself the enormous Ether balance before changing the contract implementation to make it look legit.
Ref Txn: https://blastscan.io/tx/0x3d08f2fcfe51cf5758f4e9ba057c51543b0ff386ba53e0b4f267850871b88170
Once the TVL became sufficiently high, the exploiter withdrew that balance to complete the exploit.
Post-hack, the exploiter’s wallet address transferred $10,700 worth of ETH through the Orbiter Bridge and the Blast ETH back into native ETH.
Later, the exploiter’s wallet sent an additional 1 ETH to a new wallet address.
The Hacker’s North Korean Connection
Crypto sleuth @ZachXBT claimed that the exploit was carried out by a North Korean developer known by the alias “Werewolves0943, hired by the Munchables team. This was found after @ZachXBT
tracked their activity based on their GitHub commit, where they are listed as “Werewolves0493”.
Other suspicious Github Usernames are NelsonMurua913, BrightDragon0719, and Super1114, which recommended each other for the jobs, transferred payments to the two same exchange deposit addresses regularly and funded each other’s wallets several times.
Is it Possible to Undo the Theft?
Although using centralized intervention to undo the effects of the theft is considered against the ethos of decentralized networks, several crypto developers and traders are advocating for a chain rollback to help recover the funds.
For the unversed, a chain rollback in blockchain refers to the reversal of transactional history within a blockchain network. It’s a retroactive alteration of the ledger, where transactions that were previously confirmed and recorded in blocks are invalidated and removed.
Doing a chain rollback can undo the effects of a hack or other malicious activity that resulted in the theft of funds or other assets.
Recovery of Stolen Funds
As per the latest update, @Blast_L2 core contributors intervened in the exploit and have secured $97m in a multisig to avert this colossal theft.
Multisig Address: 0x4D2F75F1cF76C8689b4FDdCF4744A22943c6048C
The funds are being returned without any ransom or bounty, which has come as a sigh of relief for the investors.
@_munchables_ will distribute these funds to the affected users, and details will be made available later.
Team Munchables has also confirmed that the Munchables developer has shared all private keys involved to assist in recovering the user funds, including the key that currently holds $62,535,441.24 USD and the key that holds 73 WETH, along with the owner key, which contains the rest of the funds.
The fund is currently in a multisig wallet 0x4D2F75F1cF76C8689b4FDdCF4744A22943c6048C
Multisig Wallet Owners:
0xFfE8d74881C29A9942C9D7f7F55aa0d8049C304A0xe0C5B8341A0453177F5b0Ec2fcEDc57f6E2112Bc
0x94103f5554D15F95d9c3A8Fa05A9c79c62eDBD6f