SlowMist November Security Update: Approximate Loss of $349 Million

SlowMist
7 min readDec 1, 2023

--

Overview

Based on the insights from the SlowMist Blockchain Hacked Archive, the month of November 2023 was marked by a significant number of security breaches within the blockchain sector. In total, 47 distinct incidents were recorded, cumulatively leading to a substantial loss estimated at around $349 million. This figure not only sheds light on the ongoing challenges faced in safeguarding digital assets but also the critical need for continuous advancements and stronger security measures in the rapidly evolving space of blockchain.

Notable Incidents

Onyx Protocol

On November 1, 2023, the DeFi lending protocol Onyx Protocol was attacked, resulting in a loss of 1,164.53 ETH, approximately $2.1 million. The SlowMist security team analyzed that the attacker’s methods were similar to those used in the attack on Hundred Finance. They manipulated interest rates to borrow more funds than expected to carry out the attack. According to MistTrack analysis, the stolen funds have been transferred to Tornado Cash.

TrustPad

On November 6, 2023, a staking contract on the cross-chain financing platform TrustPad was attacked, resulting in a loss of about $155,000. On November 9, TrustPad published a post-attack analysis, explaining that the attack occurred because the `receiveUpPool` function did not validate `msg.sender`, allowing the attacker to manipulate `newlockstartTime`. The attacker repeatedly called `receiveUpPool()` and `withdraw()` to collect rewards, and then used `stakePendingRewards` to convert these rewards into staked amounts. Finally, the attacker withdrew the rewards using `withdraw()`.

TheStandard.io

On November 7, 2023, TheStandard.io, a decentralized over-collateralized stablecoin protocol, was attacked, resulting in a loss of approximately $290,000. The key to this vulnerability was the low liquidity in the PAXG pool, which the attacker exploited to manipulate the market. On November 9, the attacker returned 243,000 EUROs to the protocol.

MEV Bot

On November 7, 2023, an MEV bot (0x05f016765c6c601fd05a10dba1abe21a04f924a5) was attacked, resulting in a loss of about one thousand ETH. The SlowMist security team analyzed that the core reason for the attack was the lack of authentication in the contract’s 0xf6ebebbb function, which was used to trigger arbitrage. The attacker called this function, exchanged tokens in the contract into a Curve pool, then used funds from a flash loan to perform a reverse exchange, ultimately profiting from this maneuver.

CoinSpot

On November 8, 2023, the Australian cryptocurrency exchange CoinSpot was suspected to have been attacked due to a private key leak. The theft from its hot wallet resulted in a loss of over 1,283 ETH, approximately $2.472 million.

Raft Protocol

On November 11, 2023, the Raft Protocol, a stablecoin protocol on Ethereum, was attacked using a flash loan, resulting in the minting of 6.7 million R stablecoins and a loss of about $3.3 million in ETH. The fundamental cause of the attack was a precision calculation issue that occurred during the minting of share tokens, which the attacker exploited to obtain extra share tokens. However, the attacker stole 1,577 ETH and then burned 1,570 ETH. The attacker had withdrawn approximately 18 ETH from Tornado Cash before the attack and was left with 14 ETH afterward, meaning they lost 4 ETH in the process.

Exzo Network

On November 14, 2023, Exzo Network announced in a tweet that a security vulnerability had recently been exploited against Exzo (XZO), due to the owner/administrator account being compromised. The attacker used the compromised admin wallet to transfer the “ownership” role of Exzo (XZO) to their wallet, enabling them to mint a large amount of XZO and withdraw 169 ETH from the XZO/ETH liquidity pool on Uniswap. The attacker also transferred a total of 69 ETH and the remaining XZO from the admin wallet to their own.

dYdX

On November 18, 2023, the dYdX v3 insurance fund suffered a loss of about $9 million due to YFI liquidations, with the CEO claiming it was a targeted attack.

Kronos Research

On November 19, 2023, the cryptocurrency quantitative trading firm Kronos Research reported via Twitter that some of its API keys had been accessed without authorization. This attack resulted in a loss of 13,007 ETH, approximately worth $26 million.

Poloniex, HTX, Heco Bridge

On November 10, 2023, the exchange Poloniex was attacked. According to analysis and statistics from the SlowMist security team, the hack on Poloniex caused an estimated loss of about $130 million.

On November 22, 2023, the SlowMist security team reported that the HTX (formerly Huobi) hot wallet and the Heco cross-chain bridge were attacked, resulting in a loss of $113.3 million.

Kyber Network

On November 23, 2023, Kyber Network announced in a tweet that KyberSwap Elastic was attacked, resulting in a loss of about $54.7 million. The SlowMist security team analyzed that the fundamental cause of this attack was in the calculation of the amount of tokens needed to exchange at the boundary scale price. Due to KyberSwap Elastic’s reinvestment curve, the liquidity added not only includes the principal amount but also the compounded transaction fees, leading to a higher calculation result than expected. This allowed the protocol to believe that the liquidity within the current scale was sufficient for the exchange, so no liquidity update was performed. When the reverse exchange crossed the boundary scale, the liquidity was increased twice, allowing the attacker to obtain more tokens than expected. More details can be found in the analysis of the massive hack on KyberSwap, titled “The Agony of Double Liquidity.”

Rug Pulls

According to incomplete statistics, there were 24 rug pull incidents this month. The highest proportion of these occurred in the BSC (Binance Smart Chain) ecosystem, followed by the ETH (Ethereum) ecosystem. The specifics are illustrated in the following image:

Summary

In November, the combined losses from the Poloniex, HTX, and Heco Bridge incidents reached $243 million, accounting for approximately 69% of the total losses from security events this month. There were 24 rug pull incidents, making up 51% of the total number of security events. Users should thoroughly understand the background and team of projects before participating, and be cautious in their investment choices. Two incidents involving liquidity exploitation caused approximately $54.99 million in losses to project operators.

As we conclude our analysis of November 2023’s blockchain security landscape, it’s clear that vigilance and proactive measures are key. Projects are urged to intensify their oversight of liquidity pools, a crucial step in both the prevention and swift response to emerging security threats. Notably, three major incidents this month were linked to vulnerabilities in third-party services, underscoring the necessity for thorough security assessments prior to their integration. To enhance this process, projects may benefit from partnering with specialized security firms for comprehensive audits of these external services. Remember, the incidents we’ve discussed are just a snapshot of a broader pattern observed in November 2023. For a more extensive overview of blockchain security events and to stay informed about ongoing risks and protective strategies, we encourage visiting the SlowMist Blockchain Hacked Archive. Staying informed is the first step towards ensuring a more secure and resilient blockchain ecosystem.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet