Overview
According to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), in November 2023, there were 47 security incidents with a total loss of approximately US$349 million.
Main Events
Onyx Protocol
On November 1, 2023, the DeFi lending protocol Onyx Protocol was attacked, losing 1,164.53 ETH, about $2.1 million. According to the SlowMist security team, the attacker used the same method as in the attack on Hundred Finance: in both cases, interest rates were manipulated so that more funds could be borrowed than expected. According to MistTrack analysis, the stolen funds have been transferred to Tornado Cash.
TrustPad
On November 6, 2023, a staking contract of the cross-chain financing platform TrustPad was attacked, resulting in a loss of approximately $155,000. On November 9, TrustPad released a post-mortem of the attack, stating that it was caused by the receiveUpPool function not verifying msg.sender, which allowed the attacker to manipulate newlockstartTime. The attacker repeatedly called receiveUpPool() and withdraw() to collect rewards, then called stakePendingRewards to convert the rewards into staked balance, and finally withdrew them through withdraw().
TheStandard.io
On November 7, 2023, the decentralized overcollateralized stablecoin protocol TheStandard.io was attacked, resulting in a loss of approximately $290,000. The key to the vulnerability was the low liquidity of the PAXG pool, which the attacker exploited to manipulate the market. On November 9, the attacker returned 243,000 EUROs to the protocol.
MEV Bot
On November 7, 2023, the MEV bot at 0x05f016765c6c601fd05a10dba1abe21a04f924a5 was attacked and lost about one thousand ETH. The SlowMist security team's analysis found that the core cause was the lack of caller authentication on the 0xf6ebebbb function used to trigger arbitrage in the bot's contract. The attacker called this function to swap the tokens held in the contract into a Curve pool, then used flash-loaned funds to swap in the reverse direction and took the profit.
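The TrustPad and MEV bot incidents above share one defect class: a state-changing entry point that never checks who is calling it. The following is an added illustrative example, not the TrustPad or MEV bot code; the contract names (UnprotectedPool, GuardedPool), the function names receiveUpPool and triggerArbitrage, and the operator and router roles are assumptions made for the example. It places the unchecked form next to the same entry points guarded by explicit caller checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example; not the TrustPad or MEV bot code. The contract and
// function names (UnprotectedPool, GuardedPool, receiveUpPool, triggerArbitrage,
// operator, router) are assumptions made for this example.

// The defect class: a state-changing entry point that never checks msg.sender.
contract UnprotectedPool {
    uint256 public lockStartTime;

    // BUG: any address can move lockStartTime, and every reward computation
    // that depends on it can then be re-run from a point of the caller's choosing.
    function receiveUpPool(uint256 newLockStartTime) external {
        lockStartTime = newLockStartTime;
    }
}

// The same entry points with explicit caller checks.
contract GuardedPool {
    address public immutable owner;
    address public operator;   // trusted upstream pool / keeper address
    address public router;     // DEX router used by the arbitrage path
    uint256 public lockStartTime;

    event LockStartUpdated(uint256 newLockStartTime);
    event OperatorChanged(address indexed operator);

    error NotOwner();
    error NotOperator();
    error InvalidLockStart();
    error RouterCallFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier onlyOperator() {
        if (msg.sender != operator) revert NotOperator();
        _;
    }

    constructor(address _operator, address _router) {
        owner = msg.sender;
        operator = _operator;
        router = _router;
    }

    function setOperator(address _operator) external onlyOwner {
        operator = _operator;
        emit OperatorChanged(_operator);
    }

    // Only the trusted caller may push a new lock start, and the value is
    // sanity-checked so it cannot be set in the future.
    function receiveUpPool(uint256 newLockStartTime) external onlyOperator {
        if (newLockStartTime > block.timestamp) revert InvalidLockStart();
        lockStartTime = newLockStartTime;
        emit LockStartUpdated(newLockStartTime);
    }

    // The MEV bot case: a function that swaps the contract's own balance through
    // a router with caller-supplied parameters. Left callable by anyone, it lets
    // an arbitrary caller route the contract's tokens through a pool of their
    // choosing; restricting it to the operator closes that hole.
    function triggerArbitrage(bytes calldata routerCalldata) external onlyOperator {
        (bool ok, ) = router.call(routerCalldata);
        if (!ok) revert RouterCallFailed();
    }
}
```

The review question for any function that moves funds or rewrites parameters that rewards depend on is simply "who is allowed to call this, and where is that enforced?"; a missing modifier on a single external function was enough in both incidents.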
CoinSpot
On November 8, 2023, the Australian cryptocurrency exchange CoinSpot was attacked in what is suspected to have been a private key leak; its hot wallet was drained, resulting in a loss of more than 1,283 ETH, or approximately US$2.472 million.
Raft Protocol
On November 11, 2023, the Raft Protocol, a stablecoin protocol on Ethereum, was attacked using a flash loan, resulting in the minting of 6.7 million R stablecoins and the loss of approximately $3.3 million in ETH. The root cause was a precision calculation problem when minting share tokens, which the attacker used to obtain additional share tokens. In the end, the attacker stole 1,577 ETH but then burned 1,570 ETH of it. The attacker had withdrawn approximately 18 ETH from Tornado Cash before the attack and had 14 ETH left afterwards, meaning the attacker lost 4 ETH over the entire process.
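The Raft root cause, a precision problem when minting share tokens, comes down to which way integer division rounds. The following is an added illustrative example and not Raft's code; the SharesVault contract and its function names are assumptions made here. It shows a mint formula that rounds in the depositor's favour next to the conventional form that rounds against the depositor and rejects zero-share mints.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example of rounding direction when minting share tokens.
// Not Raft's code; SharesVault and its function names are assumptions made here.
// Shares represent a pro-rata claim on the totalAssets held by the vault.
contract SharesVault {
    uint256 public totalAssets;
    uint256 public totalShares;
    mapping(address => uint256) public shareOf;

    error ZeroShares();
    error InsufficientShares();

    // WRONG direction: rounds the minted share count up, in the depositor's favour.
    // With totalAssets = 1_000_000 and totalShares = 1, a 1 wei deposit mints a whole
    // share, i.e. a claim on half the vault; repeating the dust deposit drains it.
    function sharesForDepositRoundUp(uint256 assets) public view returns (uint256) {
        if (totalShares == 0) return assets;
        return (assets * totalShares + totalAssets - 1) / totalAssets;
    }

    // RIGHT direction: floor when minting, so the depositor never receives more
    // than the assets are worth. (Use a mulDiv helper in production so that
    // assets * totalShares cannot overflow.)
    function sharesForDeposit(uint256 assets) public view returns (uint256) {
        if (totalShares == 0) return assets;
        return (assets * totalShares) / totalAssets;
    }

    // Redeeming: floor the assets paid out, again against the caller.
    function assetsForRedeem(uint256 shares_) public view returns (uint256) {
        if (totalShares == 0) return 0;
        return (shares_ * totalAssets) / totalShares;
    }

    function deposit(uint256 assets) external returns (uint256 minted) {
        minted = sharesForDeposit(assets);
        if (minted == 0) revert ZeroShares(); // dust that would mint nothing
        totalAssets += assets;
        totalShares += minted;
        shareOf[msg.sender] += minted;
        // token transfer from msg.sender omitted; accounting is the point here
    }

    function redeem(uint256 shares_) external returns (uint256 paid) {
        if (shareOf[msg.sender] < shares_) revert InsufficientShares();
        paid = assetsForRedeem(shares_);
        shareOf[msg.sender] -= shares_;
        totalShares -= shares_;
        totalAssets -= paid;
        // token transfer to msg.sender omitted; accounting is the point here
    }
}
```

The rule of thumb is that every conversion between assets and shares rounds against the party receiving value from the vault: floor on mint and on redeem payouts, ceiling on the shares burned for a requested asset amount. A rounding step that favours the caller, combined with the ability to move the assets-to-shares ratio (for example with a flash loan), is exactly the shape of error that lets a small deposit mint a disproportionate number of shares.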
Exzo Network
On November 14, 2023, Exzo Network tweeted that a security breach against Exzo (XZO) had recently occurred due to a hacked owner/admin account. The attacker used the hacked admin wallet to transfer the "ownership" role of Exzo (XZO) to their wallet, enabling them to mint a large amount of XZO and drain 169 ETH from the XZO/ETH liquidity pool on Uniswap. The attacker also transferred a total of 69 ETH and the remaining XZO from the admin wallet to their own wallet.
dYdX
On November 18, 2023, the dYdX v3 insurance fund lost approximately $9 million as a result of YFI liquidations, and the CEO stated that dYdX had been deliberately targeted.
Kronos Research
On November 19, 2023, the crypto quantitative trading firm Kronos Research tweeted that some of its API keys had been accessed without authorization. The attack resulted in a loss of 13,007 ETH, or approximately $26 million.
Poloniex, HTX, Heco Bridge
On November 10, 2023, the exchange Poloniex was attacked. According to the analysis and statistics of the SlowMist security team, the Poloniex hacker attack caused a loss of approximately US$130 million.
On November 22, 2023, according to monitoring by the SlowMist security team, HTX (formerly Huobi)'s hot wallet and Heco cross-chain bridge were attacked, with losses reaching US$113.3 million.
Kyber Network
On November 23, 2023, Kyber Network tweeted that KyberSwap Elastic had been attacked and lost about $54.7 million. According to the SlowMist security team's analysis, the root cause is as follows. When the protocol computes the swap from the current price to the tick boundary price, the amount of tokens required includes the fees compounded into liquidity by KyberSwap Elastic's reinvestment curve, so the computed amount is larger than expected and appears sufficient to cover the user's swap. In reality the price has already crossed the tick boundary, but the protocol believes the liquidity within the current tick range has satisfied the swap and therefore performs no liquidity update. When the reverse swap then crosses the same boundary, the liquidity is added a second time, allowing the attacker to obtain more tokens than expected. For details, see the analysis "The Double Liquidity Tragedy: KyberSwap Huge Hack Analysis".
Rug Pull
According to incomplete statistics, there were 24 Rug Pull events this month. The largest share of these exit scams occurred in the BSC ecosystem, followed by the ETH ecosystem, as shown in the figure below (figure not reproduced here).
Summary
This month, Poloniex, HTX, and Heco Bridge lost a total of $243 million, accounting for about 69% of the total losses from security incidents this month.

There were 24 Rug Pull incidents, accounting for 51% of the number of security incidents this month. Users should fully understand a project's background and team before participating, and choose investment projects carefully.

2 liquidity-exploitation incidents caused project teams to suffer losses of approximately $54.99 million. Project teams should strengthen monitoring of their liquidity pools so that potential security threats can be detected and responded to in time.

3 security incidents were caused by vulnerabilities in services provided by third parties. Before introducing a third-party service, project teams should assess its security, review and verify it in detail, and may also engage a security audit firm to audit the service.

Finally, the events included in this article are the main security events of the month. More blockchain security events can be viewed in the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io/).