The Ethereum DApp project Paid Network was attacked. Through a contract vulnerability the attacker minted nearly 160 million U.S. dollars' worth of PAID tokens and made a profit of 2,000 ETH (about 3 million U.S. dollars). The SlowMist Security Team followed up and analyzed the incident immediately; the details are presented below for your reference.

Attack details analysis


The well-known DeFi project Furucombo was hacked and lost more than 15 million U.S. dollars. The SlowMist security team immediately began analyzing the incident and shares the details of the attack with everyone below.

Attack details analysis

The contract in question this time is Furucombo's own proxy contract. The entire attack process is very simple. By setting the logic address of Furucombo's AaveV2 Proxy, the attacker caused all subsequent logic called through the Furucombo proxy contract to be forwarded to the attacker's own malicious contract, resulting in the theft of funds.


On February 5, 2021, according to SlowMist Zone intelligence, the DAI strategy pool of the well-known on-chain yield aggregator yearn finance was attacked. The SlowMist security team immediately followed up with an analysis. The following is SlowMist's brief analysis:

1. The attacker first borrowed a large amount of ETH from dYdX and AAVE using flash loans

2. The attacker used the ETH borrowed in step 1 to borrow DAI and USDC from Compound

3. The attacker deposited all of the USDC and most of the DAI from step 2 into the Curve DAI/USDC/USDT pool. At this time…


Background

At present, demand for using LP tokens as collateral for lending is increasing, but there is currently no comprehensive method on the market for securely obtaining the price of an LP token. While analyzing methods of obtaining LP token prices, the SlowMist security team took note of the Alpha Finance team's method of safely obtaining LP prices. After reading it carefully, I will share the relevant thoughts with everyone.

Analysis of LP Token price acquisition

At present, the common ways of obtaining LP token prices are as follows:


Background

On January 27, 2021, according to SlowMist Zone intelligence, SushiSwap was attacked again. The problem was that the transaction fees of the DIGG-WBTC trading pair were taken away by the attacker through special means. The SlowMist security team immediately began analyzing the related incidents after receiving the intelligence. The details of the attack are as follows.

What is SushiMaker

SushiMaker is an important component of the SushiSwap protocol. It is used to collect the transaction fees of each SushiSwap trading pair, and by setting the routing for each token, the fees of the different trading pairs are finally converted…


Since 2020, the DeFi market has grown explosively. DEXs led by Uniswap and SushiSwap have developed particularly rapidly, taking a large volume of transactions away from traditional exchanges. At the same time, congestion on the Ethereum network and excessive gas fees have greatly harmed the user experience. For the above reasons, Huobi and OKEx, as the world's leading exchanges, have laid out plans one after another, focusing on infrastructure construction and successively launching exchange public chains to find new possibilities through transformation and to increase the ecological value of the exchanges.

On December 21, 2020, the Huobi Eco-Chain Heco mainnet was…


According to statistics from the SlowMist Technology Blockchain Hacked Event Library (hacked.slowmist.io/en), 122 blockchain security incidents were disclosed in the blockchain ecosystem in 2020: 54 of them were smart contract and token security incidents, 29 were exchange security incidents, 12 were public chain attacks, 12 were wallet attacks, and 15 were other attacks.

Cumulative number of blockchain attacks

With the deployment of various applications, security incidents involving blockchain digital assets are generally on the rise. There are many types of digital currency crime. Theft, fraud, illegal fundraising, money laundering, illegal transactions on the dark web, crimes and other cases are frequent…


According to SlowMist Zone intelligence, on December 29, 2020, the price of the Cover protocol's token plummeted. The SlowMist security team followed up and analyzed the related incidents as soon as possible. The following is a brief analysis.

A brief analysis

1. In the Blacksmith contract of the Cover protocol, users can stake BPT tokens through the deposit function;

2. After the first deposit-withdraw, the attacker updates the pool through the updatePool function, and accRewardsPerToken is used to record the cumulative reward;

3. Later, the reward is distributed through the _claimCoverRewards function and recorded using the rewardWriteoff parameter;

4. After…


Background

On December 18, 2020, according to SlowMist Zone intelligence, the DeFi project Warp Finance suffered a flash loan attack. The following is the SlowMist security team's detailed analysis of the entire attack process.

Attack analysis

1. From the attack transaction it can be seen that the attacker borrowed about 2.9 million DAI and 345,000 WETH through Uniswap and dYdX flash loans:
   https://etherscan.io/tx/0x8bb8dc5c7c830bac85fa48acad2505e9300a91c3ff239c9517d0cae33b595090

On November 30, 2020, according to SlowMist Zone intelligence, the Ethereum AMM token exchange protocol SushiSwap was attacked, with a loss of about 15,000 US dollars. The SlowMist security team immediately began analyzing the incident and shares its findings in the form of a newsletter for your reference.

Background

The role of the SushiMaker contract in the SushiSwap project is to store the transaction fees of each SushiSwap trading pair. The fees are stored in the contract in the form of SLP (proof of liquidity). There is a convert function in the…

SlowMist

Focuses on blockchain ecosystem security; has served Huobi, OKEx, Binance and imToken, and nearly a thousand commercial customers in total.
