Overview
According to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), from August 14 to August 20, 2023, there were 10 security incidents with a total loss of approximately US$19.963 million.
Specific incidents
MEV Bot
On August 14, 2023, Hexagate tweeted that a single MEV bot had been exploited for approximately $200,000 over the preceding few days, across BNB Chain, Ethereum, Polygon, and Arbitrum.

Zunami Protocol
On August 14, 2023, the Zunami Protocol on Ethereum suffered a price manipulation attack, losing 1,179 ETH (about $2.2 million). The root cause was that the LP price calculation in the vulnerable contract relied on the contract's own CRV balance and on the CRV exchange ratio in the wETH/CRV pool. The attacker manipulated the LP price by transferring CRV into the contract and skewing the wETH/CRV pool exchange ratio. According to MistTrack analysis, all of the ETH has since been transferred to Tornado Cash.
It is worth mentioning that our system had previously detected the vulnerability and we reminded the project of it, but the project party did not take it seriously, and by the time the incident occurred it was too late.
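The Zunami root cause described above, as an added illustration (constructed numbers, not Zunami's contract code): a strategy contract prices its LP shares from `balanceOf(this)` for CRV and the pool's spot ratio, both of which a caller can move within one transaction. The hardened variant uses internal accounting for the CRV position, prices it with a TWAP built from earlier blocks, and refuses to act when the spot price deviates from that TWAP. The pool, strategy and all amounts are assumptions made for the simulation.

```python
from fractions import Fraction as F

# Simplified model of a balance-based LP price oracle (constructed numbers;
# not Zunami's contract code). Shows why reading balanceOf(this) and the
# pool's spot ratio in the same transaction is manipulable, and how internal
# accounting plus a TWAP with a deviation guard removes both levers.


class ConstantProductPool:
    """Toy wETH/CRV AMM with x * y = k swaps (assumed for the demo)."""

    def __init__(self, weth, crv):
        self.weth, self.crv = F(weth), F(crv)

    def spot_crv_price(self):
        """wETH per CRV as seen in the current block."""
        return self.weth / self.crv

    def swap_weth_for_crv(self, weth_in):
        k = self.weth * self.crv
        self.weth += F(weth_in)
        crv_out = self.crv - k / self.weth
        self.crv -= crv_out
        return crv_out


class Strategy:
    """Holds wETH plus harvested CRV and issues LP shares against them."""

    def __init__(self, weth, crv, lp_supply):
        self.weth = F(weth)
        self.crv_balance = F(crv)   # what balanceOf(this) would report
        self.crv_tracked = F(crv)   # internal accounting: only deposits/harvests change it
        self.lp_supply = F(lp_supply)
        self.price_history = []     # CRV prices observed in earlier blocks

    def receive_crv_transfer(self, amount):
        """Anyone can push tokens into a contract; only the raw balance moves."""
        self.crv_balance += F(amount)

    def record_price(self, pool):
        self.price_history.append(pool.spot_crv_price())

    def twap(self):
        return sum(self.price_history) / len(self.price_history)

    def lp_price_vulnerable(self, pool):
        # Both inputs can be changed by the caller within one transaction.
        return (self.weth + self.crv_balance * pool.spot_crv_price()) / self.lp_supply

    def spot_within_tolerance(self, pool, max_deviation=F(1, 10)):
        """Deviation guard: spot must be within 10% of the TWAP."""
        twap = self.twap()
        return abs(pool.spot_crv_price() - twap) <= max_deviation * twap

    def lp_price_hardened(self, pool, enforce_guard=True):
        if enforce_guard and not self.spot_within_tolerance(pool):
            raise ValueError("spot price deviates from TWAP; refusing to price LP")
        # Tracked balance ignores donations; TWAP ignores same-block skew.
        return (self.weth + self.crv_tracked * self.twap()) / self.lp_supply


def simulate():
    """Compare both oracles before and after a single-transaction manipulation."""
    pool = ConstantProductPool(weth=1_000, crv=1_000_000)   # 0.001 wETH per CRV
    strat = Strategy(weth=100, crv=10_000, lp_supply=1_000)
    for _ in range(3):                 # observations from previous blocks
        strat.record_price(pool)
    before = strat.lp_price_vulnerable(pool)

    # Manipulation in one transaction: donate CRV to the strategy, then skew the pool.
    strat.receive_crv_transfer(90_000)
    pool.swap_weth_for_crv(1_000)

    after_vulnerable = strat.lp_price_vulnerable(pool)
    guard_tripped = not strat.spot_within_tolerance(pool)
    after_hardened = strat.lp_price_hardened(pool, enforce_guard=False)
    return {
        "before": float(before),                      # 0.11
        "after_vulnerable": float(after_vulnerable),  # 0.5
        "after_hardened": float(after_hardened),      # 0.11 (unchanged)
        "guard_tripped": guard_tripped,               # True
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable price moves from 0.11 to 0.5 wETH per share because both the donated CRV and the skewed pool ratio feed straight into the formula; the hardened price stays at 0.11 and the deviation guard would have rejected the transaction outright.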

Metis
On August 15, 2023, the official Twitter account of the Ethereum scaling solution Metis was hacked. According to the team, team members fell victim to a SIM swap attack, which enabled the malicious actors to take over the account for about 30 hours.
The purpose of a SIM swap attack is identity theft: the attacker takes over the victim's phone number, which can give them access to bank accounts, credit cards, or crypto accounts. "As Web3 becomes more popular and attracts more people to the industry, the likelihood of SIM swap attacks increases due to its relatively low technical requirements," SlowMist's CISO told Cointelegraph. "This type of SIM swap attack is also common in the Web2 world, so it's not surprising to see it appear in the Web3 environment."
(https://cointelegraph.com/news/crypto-sim-swap-how-easy-is-sim-swap-crypto-hack)
Since SIM swap attacks do not require a high level of technical skill from the attacker, users must pay attention to their own identity security to prevent them. To protect against SIM swap attacks, we recommend using multi-factor authentication, enhanced account verification (such as an additional password), or setting a secure PIN or password on the SIM card or mobile phone account.
Sei Network
On August 15, 2023, the Sei Network official Discord server was hacked.
RocketSwap
On August 15, 2023, the Base ecosystem project RocketSwap was attacked. The attacker stole RCKT tokens, converted them into ETH worth approximately US$868,000, and bridged the funds to Ethereum. The hacker then created a memecoin called LoveRCKT, possibly intending to use the stolen assets to manipulate market sentiment for personal gain.
The incident also raised questions about RocketSwap, especially its deployment process and private key storage. However, the team denied internal involvement and attributed the incident to third-party hackers. RocketSwap stated: "The team needs to use offline signatures and place private keys on the server when deploying Launchpad. It has been detected that the server has been brute-forced, and because the farm contract uses a proxy contract, there are multiple high-risk permissions that lead to the transfer of farm assets."

SwirlLend
On August 16, 2023, the team behind the lending protocol SwirlLend stole about $2.9 million in cryptocurrency from Base and $1.7 million from Linea. All of the stolen funds were bridged to Ethereum. So far, the deployer has transferred 254.2 ETH to Tornado Cash. SwirlLend's official Twitter and Telegram accounts have been deleted, and its official website is also inaccessible. According to MistTrack analysis, the deployer used SwftSwap, XY Finance, Orbiter Finance, and other services, and the following IPs were identified: 50.*.*.106, 50.*.*.58, 50.*.*.42.

Made by Apes
On August 16, 2023, on-chain analyst ZachXBT tweeted that the SaaSy Labs API used by Made by Apes (MBA), the on-chain licensing application platform launched by BAYC, had a flaw that allowed access to the personal details of MBA applicants. The issue was reported to Yuga Labs before disclosure and has since been fixed. Yuga Labs responded that it is currently unable to determine whether any data was abused, is contacting anyone whose information may have been exposed, and will provide fraud and identity protection to any user who may need it.
(https://twitter.com/zachxbt/status/1691514780119343104)
Exactly Protocol
On August 18, 2023, the DeFi lending protocol Exactly Protocol was attacked, losing more than 7,160 ETH (about US$12.04 million). Two attacker contracts launched the attack by calling the kick() function multiple times, used the developer contract on Ethereum to move deposits to Optimism, and finally transferred the stolen funds back to Ethereum. The root cause was an insufficient permission check: the attacker bypassed the check in the leverage function of the DebtManager contract by directly passing an unverified fake market address and changing _msgSender to the victim's address, and then, during an untrusted external call, re-entered the crossDeleverage function of the DebtManager contract and stole the collateral belonging to _msgSender. Exactly Protocol tweeted that the protocol has been unpaused and users can perform all operations without any liquidation. The attack only affected users of the peripheral contract (DebtManager), and the protocol is still operating normally.
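The two defects named above (a caller-supplied market address that is never checked against the protocol's registry, and an external call made while the acting account is held in storage, allowing re-entry) as an added, deliberately simplified model. This is not Exactly's code: the `Auditor`, `Market`, `DebtManager` and `FakeMarket` classes, the permission rule "a caller may act for another account only if it is the market itself", and all balances are assumptions chosen to show what a registry check and a reentrancy lock prevent.

```python
# Simplified model of a periphery contract that (a) trusts a caller-supplied
# market for its permission check, (b) keeps the acting account in a storage
# variable, and (c) calls out to that market while the variable is set.
# Constructed names and numbers; not Exactly Protocol's contract code.


class Auditor:
    """Registry of legitimate markets (modelled as a set of objects)."""

    def __init__(self):
        self.markets = set()

    def enlist(self, market):
        self.markets.add(market)


class Market:
    """A real lending market holding collateral per account."""

    def __init__(self, name):
        self.name = name
        self.collateral = {}

    def deposit(self, account, amount):
        self.collateral[account] = self.collateral.get(account, 0) + amount

    def withdraw_all(self, account):
        return self.collateral.pop(account, 0)

    def flash_loan_callback(self, manager):
        pass  # a real market would lend and call back here; omitted in the model


class DebtManager:
    def __init__(self, auditor, hardened):
        self.auditor = auditor
        self.hardened = hardened      # False: the flawed version; True: with checks
        self._msg_sender = None       # acting account, kept in storage (the flaw)
        self._locked = False          # reentrancy lock (hardened only)
        self.received = {}            # recipient -> collateral paid out

    def _nonreentrant_enter(self):
        if self._locked:
            raise PermissionError("reentrant call")
        self._locked = True

    def leverage(self, caller, market, account):
        """Act for `account`; allowed if caller is the account or the market itself."""
        if self.hardened:
            if market not in self.auditor.markets:   # registry check
                raise PermissionError("unknown market")
            self._nonreentrant_enter()
        if caller != account and caller is not market:
            raise PermissionError("caller may not act for account")
        self._msg_sender = account
        try:
            market.flash_loan_callback(self)  # external call into possibly untrusted code
        finally:
            self._msg_sender = None
            self._locked = False

    def cross_deleverage(self, caller, market):
        """Unwind _msg_sender's position in `market`, paying the remainder to caller."""
        if self.hardened:
            if market not in self.auditor.markets:
                raise PermissionError("unknown market")
            self._nonreentrant_enter()
        who = self._msg_sender if self._msg_sender is not None else caller
        amount = market.withdraw_all(who)
        self.received[caller] = self.received.get(caller, 0) + amount
        if self.hardened:
            self._locked = False


class FakeMarket:
    """Caller-controlled object passed where a market is expected (constructed)."""

    def __init__(self, owner, real_market):
        self.owner = owner
        self.real_market = real_market

    def flash_loan_callback(self, manager):
        # Re-enters while manager._msg_sender still names another account.
        manager.cross_deleverage(self.owner, self.real_market)


def run(hardened):
    """Exercise the flawed and the hardened manager with the same inputs."""
    auditor = Auditor()
    market = Market("ETH-market")
    auditor.enlist(market)
    market.deposit("victim", 100)
    dm = DebtManager(auditor, hardened)
    fake = FakeMarket("attacker", market)
    try:
        dm.leverage(caller=fake, market=fake, account="victim")
        outcome = "completed"
    except PermissionError as e:
        outcome = str(e)
    return {
        "outcome": outcome,
        "victim_collateral": market.collateral.get("victim", 0),
        "attacker_received": dm.received.get("attacker", 0),
    }


if __name__ == "__main__":
    print(run(hardened=False), run(hardened=True))
```

In the flawed version the unchecked market passes the "caller is the market" rule, the callback re-enters `cross_deleverage` while `_msg_sender` still names the victim, and the victim's 100 units are paid out. In the hardened version the registry check rejects the call before any state is touched; had it somehow got further, the reentrancy lock would have stopped the nested call.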

Harbor Protocol
On August 19, 2023, the Cosmos ecosystem cross-chain stablecoin protocol Harbor Protocol tweeted that it had been exploited, with some funds in the stable-mint, stOSMO, LUNA, and WMATIC vaults drained. From the information collected so far, the attacker used the following address to perform all operations: comdex1sma0ntw7fq3fpux8suxkm9h8y642fuqt0ujwt5. Harbor Protocol is reported to have lost 42,261 LUNA, 1,533 CMDX, 1,571 stOSMO, and 18,600 trillion WMATIC in the attack.

Thales
On August 20, 2023, the derivatives market Thales announced that a core contributor's PC/MetaMask had been compromised, and that some hot wallets used as temporary deployers ($25,000) or admin bots ($10,000) were breached. Thales asked users not to interact with any Thalesmarket contracts on BNB Chain and to revoke any pending contract approvals. All funds on Optimism, Arbitrum, Polygon, and Base are safe. Thales said it will officially drop support for BSC as a result of the attack.
Summary
This week there were two incidents in which losses were caused by private key leaks. Losses due to poor private key management by project teams have been common in the past, for example the Ronin Network incident (more than $610 million lost), the Harmony incident (more than $100 million), and the Wintermute incident (more than $160 million). Private keys are stolen for many reasons; for project teams, private key security has three main aspects: key cracking, social engineering attacks, and ecosystem security. Given the importance of private keys, raising the level of secure storage (for example, protection by a hardware encryption chip) and removing single points of failure are important means of preventing attacks. When backing up private keys or mnemonics, you should also consider reducing single-point risk by using secure backup methods, media, or processes. For details, please refer to the crypto asset security solution produced by SlowMist: https://github.com/slowmist/cryptocurrency-security.
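One concrete way to remove the single point of failure in a key backup, added here as an illustration and not taken from the SlowMist document linked above: split the key into n shares with Shamir secret sharing so that any k of them reconstruct it and fewer than k reveal nothing, then store the shares on separate media or with separate custodians. The field prime (the secp256k1 base-field prime) and the placeholder key are assumptions made for the example.

```python
import secrets

# Threshold backup of a private key with Shamir secret sharing over a prime
# field. One option for reducing single-point risk in key backups; added
# illustration, not the scheme prescribed by SlowMist's security solution.
# Field prime: the secp256k1 base-field prime, so any 256-bit key below it fits.
P = 2**256 - 2**32 - 977


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a non-negative integer below P")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def poly(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, poly(x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the field."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo(threshold=3, shares=5):
    """3-of-5 split of a placeholder key; checks which subsets recover it."""
    key = int("1f" * 32, 16)          # constructed placeholder, not a real key
    pieces = split_secret(key, threshold, shares)
    return {
        "exact_from_first_k": recover_secret(pieces[:threshold]) == key,
        "exact_from_last_k": recover_secret(pieces[-threshold:]) == key,
        # With only k-1 shares the interpolated constant term is a random field
        # element; matching the key has probability about 1/P.
        "too_few_recovers": recover_secret(pieces[:threshold - 1]) == key,
    }


if __name__ == "__main__":
    print(demo())
```

Each share should be stored on a different medium or with a different custodian; losing or leaking any single share then neither destroys nor exposes the key, which is the single-point risk the summary above is describing.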