Last week, hackers drained hundreds of millions of dollars' worth of funds from the Solana ecosystem, while others exploited vulnerabilities in exchanges. At the same time, several Web3 projects suffered private key leaks and flash loan attacks.
Beosin EagleEye Web3 Security Monitor showed that, as of press time, a total of eight Web3 security incidents occurred last week, with a cumulative impact of about 120 million US dollars.
October 9
1. Xave Finance was hacked, resulting in a 1,000-fold increase in RNBW issuance.
On October 9, the hacker deployed a malicious contract that called the executeProposalWithIndex() function of the DaoModule contract 0x8f90 to execute a proposal. The proposal called the mint() function, creating 100,000,000,000,000 RNBW and transferring ownership rights to the attacker. Finally, the hacker exchanged the RNBW for xRNBW.
2. Jumpn Finance rug pulled, withdrawing about 1.15 million US dollars to the attacker’s address.
The attacker (or the team) called the 0x6b1d9018() function of the 0xe156 contract to extract all user assets from the contract into the attacker's address. At present, 2,100 BNB ($581,700) of the stolen funds has been transferred to Tornado Cash, and the remaining 2,058 BNB ($571,128) is still held at the attacker's address.
October 11
1. The QANplatform cross-chain bridge was exploited through a leaked private key and about 1.89 million US dollars was drained from it.
First, the hacker initiated a transfer on BSC from the address (0x68e..), then called the bridgeWithdraw function of the cross-chain bridge contract BridgeQANX to transfer 1,444,169,100 QANX tokens to the wallet address (0xF163...). A second attack withdrew a further 1,431,880,339 QANX tokens. The caller address of both attacks is the same as the creator of the cross-chain bridge contract (0x68e...), so the attack is most likely due to a leaked private key.
2. Rabby Wallet's swap contract was attacked: its token exchange function could be called externally through the OpenZeppelin Address library. The hackers made over $190,000.
This unrestricted external call in the swap function of RabbyRouter lets anyone transfer the funds simply by calling the function. At present, attackers have launched attacks on the various chains that Rabby operates on, including Ethereum, BSC, Polygon, Avalanche, Fantom, Optimism, and Arbitrum.
3. TempleDAO was hit by a 2.36 million US dollar exploit, about 4% of its total value locked (TVL).
The migrateStake function in TempleDAO's StaxLPStaking contract lacks permission verification, so anyone can withdraw the StaxLP held in the contract by calling it. After the exploit, the hacker exchanged all the StaxLP tokens obtained for ETH.
October 12
1. The Journey of Awakening (ATK) project suffered a flash loan attack.
The strategy contract of the ATK project was targeted with a flash loan, and a large amount of ATK tokens was taken from the contract. The attacker then exchanged all the ATK tokens obtained for BSC-USD, converted them to BNB, and sent the proceeds to Tornado Cash, totaling about US$120,000.
2. Mango Markets, a Solana DeFi trading platform, was hacked through price manipulation of its native MNGO token, losing 116 million US dollars to the hackers.
The hacker used two accounts with a total of 10 million USDT in initial funds.
In the first step, the attacker deposited 5 million USDC into Mango Markets.
In the second step, the attacker opened a 483 million MNGO position in the MNGO-PERP market via PlacePerpOrder2.
In the third step, the price of MNGO was manipulated from $0.0382 to $0.91 by counter-trading against that position from a separate account (account 2).
Account 2 now had 483 million * ($0.91 - $0.03298) = $423 million, which allowed the attacker to borrow $116 million out.
October 13
1. FTX lost over 100 million XEN and 81 ETH in a gas theft exploit.
The hackers used gas fees paid by FTX to mint a large amount of XEN tokens.
The hacker first used the FTX hot wallet address to transfer a small amount of funds to the malicious contract address (0xCba9...7FD3), then used this contract to create sub-contracts in batches.
Many contracts were created over the course of the attack, and each sub-contract self-destructs after it executes, so the figure below shows a single one as an example.
In the third step, the sub-contract's fallback() function initiated a mint request to the $XEN contract. The claimRank() function (image below) takes a term (>= 1 day) for minting and requires only the gas for the call, with no other cost.
The claimMintRewardAndShare() function claims the reward: it only checks whether the term has elapsed (here set to 1 day by the hacker) and then pays out unconditionally to any address. Because the transaction initiator throughout this call chain is the FTX hot wallet address, the gas for the whole process is paid by the FTX hot wallet, while the $XEN mint address is the attacker's.
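As an added example (not Beosin's or FTX's code), here is a heuristic detector an exchange could run over its hot wallet's outgoing transactions to catch the pattern above: a tiny-value withdrawal to a contract that burns far more gas than a plain transfer, spawns many sub-contracts that self-destruct, and calls the mint contract internally. The hot wallet and $XEN addresses are placeholders and the transaction traces are constructed sample data.

```python
# Added example, not Beosin's or FTX's code: heuristic detection of the XEN-style
# gas-theft withdrawal pattern. Addresses and traces below are constructed.
from collections import Counter
from dataclasses import dataclass, field

HOT_WALLETS = {"0xhotwallet"}                  # placeholder for the exchange hot wallet
WATCHED_MINT_CONTRACTS = {"0xxenplaceholder"}  # placeholder for the $XEN contract
SIMPLE_SEND_GAS = 21_000                       # gas for a plain ETH transfer
MIN_CREATES = 3                                # sub-contract fan-out never seen in a normal withdrawal

@dataclass
class Tx:
    tx_hash: str
    sender: str          # tx.origin: the account that pays the gas
    to: str
    value_wei: int
    gas_used: int
    to_is_contract: bool
    trace: list = field(default_factory=list)  # internal ops: "CREATE", "CALL:0x..", "SELFDESTRUCT"

def gas_theft_reasons(tx: Tx) -> list:
    """Return why this hot-wallet withdrawal looks like gas theft ([] if clean)."""
    if tx.sender not in HOT_WALLETS or not tx.to_is_contract:
        return []
    ops = Counter(op.split(":")[0] for op in tx.trace)
    callees = {op.split(":", 1)[1] for op in tx.trace if op.startswith("CALL:")}
    reasons = []
    # Heavy computation paid by the hot wallet while moving almost no value.
    if tx.gas_used > 20 * SIMPLE_SEND_GAS and tx.value_wei < 10**16:
        reasons.append(f"gas {tx.gas_used} spent to move {tx.value_wei} wei")
    if ops["CREATE"] >= MIN_CREATES:
        reasons.append(f"{ops['CREATE']} sub-contracts created")
    if 0 < ops["CREATE"] <= ops["SELFDESTRUCT"]:
        reasons.append("every sub-contract self-destructs after running")
    if callees & WATCHED_MINT_CONTRACTS:
        reasons.append("internal call to a watched mint contract")
    return reasons

def scan(txs: list) -> dict:
    """Map tx hash -> reasons for every withdrawal that trips the heuristics."""
    return {t.tx_hash: r for t in txs if (r := gas_theft_reasons(t))}

# Constructed sample: a normal user withdrawal and one mimicking the attack.
SAMPLE_TXS = [
    Tx("0xaaa", "0xhotwallet", "0xuser", 5 * 10**18, 21_000, False),
    Tx("0xbbb", "0xhotwallet", "0xmalicious", 10**15, 2_900_000, True,
       ["CREATE", "CALL:0xxenplaceholder", "SELFDESTRUCT"] * 40),
]
```

In production the trace field would be filled from a node's call tracer for each outgoing hot-wallet transaction, and any non-empty result should hold the withdrawal queue for review.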
The above data comes from Beosin EagleEye Web3 Security Monitor