Weekly Report | Web3 Security Incidents Result in Estimated Losses of $30.6 Million
Overview
According to statistics from the SlowMist Blockchain Hack Archive (https://hacked.slowmist.io), between July 17 and 23, 2023, there were seven security incidents, including breaches affecting BNO, GMETA, Shell Protocol, PleasrDAO and the Twitter account of Uniswap founder Hayden Adams, two attacks on Conic Finance, and the theft from Alphapo's hot wallet. The total loss is estimated at $30.6 million. The causes ranged from contract vulnerabilities and Twitter account takeovers to rug pulls (exit scams). Our team also assisted in two crypto theft cases brought to us via Twitter, and one of them reached a relatively successful resolution.
Specific Incidents
BNO Flashloan Attack
On July 18, 2023, BNO on BNBChain suffered a flashloan attack caused by a business logic flaw, with an estimated loss of $500,000. The root cause lay in the reward calculation of a pool that tracks both NFT and ERC20 staking rights. The pool exposes an "emergencyWithdraw" function that lets users immediately withdraw their ERC20 stake. Critically, this function neither handled nor accounted for the user's NFT rights records. The attacker deposited both NFTs and ERC20 tokens into the pool, then called "emergencyWithdraw" for the ERC20 tokens only. Because the function cleared the user's "reward debt" while the NFT rights remained recorded in the pool, the reward calculation check was bypassed and the attacker could repeatedly harvest rewards they had not earned, at the expense of the pool and its other stakers. The stolen funds currently remain at the attacker's address and have not been moved.
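To make the accounting flaw concrete, here is an added Python model of a MasterChef-style reward pool in which deposited NFTs contribute extra staking weight. This is illustrative code written for this report, not BNO's contract; the pool, user names, weights and reward amounts are constructed assumptions. Only the shape of the bug follows the description above: `emergency_withdraw` returns the ERC20 stake and zeroes `reward_debt`, but leaves the NFT weight in place, so the next harvest pays out rewards on that weight as if it had been staked since the pool's inception, and the cycle can be repeated.

```python
from dataclasses import dataclass
from typing import Dict

PRECISION = 10**12  # fixed-point scale for acc_reward_per_share, as in MasterChef


@dataclass
class UserInfo:
    amount: int = 0       # staked ERC20 units (returned by emergency_withdraw)
    nft_weight: int = 0   # extra staking weight granted by deposited NFTs
    reward_debt: int = 0  # weight * acc_reward_per_share at the last settlement


class Pool:
    """Toy reward pool; fixed=False reproduces the flaw described above (assumed model)."""

    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.acc_reward_per_share = 0
        self.total_weight = 0
        self.users: Dict[str, UserInfo] = {}

    def _user(self, who: str) -> UserInfo:
        return self.users.setdefault(who, UserInfo())

    @staticmethod
    def _weight(u: UserInfo) -> int:
        return u.amount + u.nft_weight

    def _debt(self, u: UserInfo) -> int:
        return self._weight(u) * self.acc_reward_per_share // PRECISION

    def distribute(self, reward: int) -> None:
        """Credit a block reward to all stakers in proportion to their weight."""
        if self.total_weight:
            self.acc_reward_per_share += reward * PRECISION // self.total_weight

    def _settle(self, who: str) -> int:
        """Rewards owed since the last settlement: current debt minus recorded debt."""
        u = self._user(who)
        return self._debt(u) - u.reward_debt

    def deposit(self, who: str, amount: int = 0, nft_weight: int = 0) -> None:
        u = self._user(who)
        self._settle(who)
        u.amount += amount
        u.nft_weight += nft_weight
        self.total_weight += amount + nft_weight
        u.reward_debt = self._debt(u)

    def harvest(self, who: str) -> int:
        u = self._user(who)
        pending = self._settle(who)
        u.reward_debt = self._debt(u)
        return pending

    def emergency_withdraw(self, who: str) -> int:
        """Return the ERC20 stake immediately, forfeiting any pending rewards."""
        u = self._user(who)
        returned = u.amount
        self.total_weight -= returned
        u.amount = 0
        if self.fixed:
            # NFT weight stays staked, so the debt must be re-based on what remains
            u.reward_debt = self._debt(u)
        else:
            # Flaw: debt wiped while the NFT weight keeps counting from "inception"
            u.reward_debt = 0
        return returned


def run_attack(fixed: bool, cycles: int = 2) -> int:
    """Total reward units the attacker extracts; honest staker alice is the victim."""
    pool = Pool(fixed)
    pool.deposit("alice", amount=100)
    pool.distribute(1000)                      # alice alone: acc = 10 per weight unit
    pool.deposit("mallory", amount=100, nft_weight=100)
    pool.distribute(3000)                      # acc = 20; mallory fairly earned 2000
    taken = 0
    for _ in range(cycles):
        pool.emergency_withdraw("mallory")     # should forfeit everything pending
        taken += pool.harvest("mallory")       # flawed pool pays nft_weight * acc
        pool.deposit("mallory", amount=100)    # re-stake and repeat
    return taken


if __name__ == "__main__":
    print("flawed pool, 2 cycles:", run_attack(fixed=False))
    print("fixed pool, 2 cycles:", run_attack(fixed=True))
```

With the flaw in place, every deposit/emergency_withdraw/harvest cycle pays `nft_weight * acc_reward_per_share` regardless of what was already harvested, so the 4000 units extracted over two cycles exceed the 2000 the attacker could ever have earned and come out of the rewards owed to other stakers. The fix is to recompute `reward_debt` for whatever weight remains staked rather than zeroing it, or to withdraw the NFT rights in the same call.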
GMETA Rugpull
On July 18, 2023, GMETA on the BSC executed a rug pull, taking approximately $3.6 million. The contract creator 0x9f0…ed1 transferred 1 million GMETA to address 0x427…8e5, which then exchanged 120,000 GMETA for 23.6 million USDT, causing a price drop of about 96%. The creator had minted the token on February 4, 2023, but did not sell until July 18.
A rug pull is one of the most common scams: the development team suddenly abandons a project and sells or withdraws all of its liquidity. Typically, a new project seeds a pool on a DEX with its own token as liquidity. Once the token has attracted enough public attention and enough users have bought in, the people behind the project dump their holdings, swapping them for other cryptocurrencies on the same platform. A massive sale in a short period drives the token price to near zero, completing the rug pull.
Shell Twitter Hack
On July 19, 2023, the official Twitter account of Shell Protocol, a DeFi platform on Arbitrum, was reportedly compromised. False posts about a SHELL token claim were published and the comments section was closed. Do not interact with it. According to reports, the attack resulted from a SIM swap against the founder, which gave the attacker control of both the founder's personal Twitter account and the Shell Protocol account. The attacker is the PinkDrainer phishing group.
A SIM swap is an identity theft attack: the attacker takes over the victim's phone number and uses it to pass phone-based verification for bank accounts, credit cards, or crypto accounts. On July 5, the CEO of LayerZero also fell victim to a SIM swap attack, with his Twitter account likewise taken over by hackers. Recently, the SlowMist CISO stated in an interview with Cointelegraph: "As Web3 becomes more popular and attracts more people into the industry, the likelihood of SIM swap attacks also increases due to their relatively low technical requirements. Such SIM swap attacks are also common in the Web2 world, so it's not surprising to see it happen in the Web3 environment."
Given the low technical skill required for SIM swap attacks, users must pay attention to their identity security to prevent them. We recommend using multi-factor authentication, enhanced account verification (such as additional passwords), and a secure PIN or password on the SIM card or mobile carrier account. Because a SIM swap gives the attacker your SMS messages, prefer an authenticator app or hardware security key over SMS codes wherever the service allows it.
PleasrDAO Twitter Hack
On July 19, 2023, the Twitter account of PleasrDAO, a decentralized autonomous organization made up of DeFi leaders, early NFT collectors, and digital artists, was compromised. The official account posted false tweets about a PLEASR token claim.
Hayden Adams Twitter Hack
On July 21, 2023, the Twitter account of Hayden Adams, founder of Uniswap, was compromised by hackers. The infiltrated account posted several tweets containing links to scam websites. The Uniswap Foundation issued a statement via Twitter: “Hayden’s account has been compromised by hackers. Do not click on this link or any similar links that might appear in tweets.”
Upon reviewing the phishing site, we found that it enticed users to invoke a function labelled 'Claim Reward' by promising non-existent rewards. The misleading function name led users to believe they would receive ETH, when in reality the fraudsters were trying to take it: the call the wallet actually signed was most likely a 'transfer' or an 'approve'.
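The practical check against this kind of lure is to look at what the transaction does rather than at the button label. The following added Python example, written for this report and not taken from the phishing site or any wallet, decodes raw calldata and compares it with the label the dApp shows. The four function selectors in the table are the standard ERC-20/ERC-721 ones; the attacker address, the 'Claim Reward' label and the sample calldata are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# First 4 bytes of keccak256(signature) for the standard token functions
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1


@dataclass
class CallReview:
    function: Optional[str]              # decoded signature, or None if unknown
    args: List[int]                      # raw 32-byte ABI words as integers
    warnings: List[str] = field(default_factory=list)


def _words(data: bytes) -> List[int]:
    if len(data) % 32:
        raise ValueError("ABI argument area is not 32-byte aligned")
    return [int.from_bytes(data[i:i + 32], "big") for i in range(0, len(data), 32)]


def review_call(ui_label: str, calldata_hex: str, value_wei: int = 0) -> CallReview:
    """Compare what a dApp button claims with what the signed transaction does."""
    hexstr = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hexstr)
    review = CallReview(KNOWN_SELECTORS.get(data[:4]), _words(data[4:]) if len(data) > 4 else [])
    claims_reward = any(word in ui_label.lower() for word in ("claim", "reward", "airdrop"))

    if review.function == "approve(address,uint256)" and len(review.args) >= 2:
        spender, amount = review.args
        size = "UNLIMITED" if amount == MAX_UINT256 else str(amount)
        review.warnings.append(f"token approval of {size} to 0x{spender:040x}")
    elif review.function == "setApprovalForAll(address,bool)" and len(review.args) >= 2 and review.args[1]:
        review.warnings.append(f"approval for ALL NFTs in the collection to 0x{review.args[0]:040x}")
    elif review.function in ("transfer(address,uint256)", "transferFrom(address,address,uint256)"):
        review.warnings.append(f"outgoing token transfer via {review.function}")

    if value_wei > 0:
        review.warnings.append(f"sends {value_wei} wei of native ETH out of your wallet")
    if claims_reward and review.warnings:
        review.warnings.append(f"'{ui_label}' promises a payout but the transaction moves or approves your assets")
    return review


def encode_call(selector_hex: str, *args: int) -> str:
    """Build calldata as selector + 32-byte big-endian words (helper for the samples)."""
    return "0x" + selector_hex + "".join(a.to_bytes(32, "big").hex() for a in args)


# Constructed samples, not the real phishing site's transactions
ATTACKER = 0x1111111111111111111111111111111111111111
SAMPLE_APPROVE = encode_call("095ea7b3", ATTACKER, MAX_UINT256)   # "Claim Reward" = unlimited approve
SAMPLE_FAKE_CLAIM = "0xdeadbeef"                                  # unknown selector, ETH attached


if __name__ == "__main__":
    for label, data, value in (("Claim Reward", SAMPLE_APPROVE, 0),
                               ("Claim Reward", SAMPLE_FAKE_CLAIM, 10**17)):
        r = review_call(label, data, value)
        print(label, "->", r.function, r.warnings)
```

A wallet prompt that shows `approve` with an unlimited amount, or any `claim` that requires attaching ETH, is the signature of this scam: a genuine claim never needs an approval of your tokens or a payment from you. Unknown selectors are not proof of safety either, since a phishing contract can name its function anything; the warnings here key on what the call does and on the attached value, not on the name.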
Conic Finance Attack
On July 21, 2023, Conic Finance’s ETH Omnipool fell victim to a series of small-scale hacker attacks, resulting in an approximate loss of $3.2 million. Conic Finance issued an update on the attack stating, “The core cause of the attack was due to incorrect assumptions about the address returned by the Curve registry for ETH in the Curve V2 pool, which enabled a reentrancy attack. Fixes for the affected contracts are being deployed.”
On July 22, 2023, Conic Finance suffered a second attack, unrelated to the reentrancy vulnerability of the ETH Omnipool. The attackers profited around $300,000 by exploiting the crvUSD Omnipool. Currently, all deposit services for Omnipools have been suspended, but users can still make withdrawals. Conic Finance is assessing the situation and will provide updates as they become available.
Alphapo Wallet Hack
On July 23, 2023, the hot wallet of cryptocurrency payment service provider Alphapo was drained across the TRON, ETH, and BTC chains, with losses exceeding $23 million. It remains unclear how many bitcoins were stolen. Alphapo's client HypeDrop has already disabled withdrawals. According to MistTrack analysis, on the TRON chain 11,673,373 USDT of proceeds was swapped for TRX, and 118,351,300 TRX was finally transferred to another address, where it has not yet moved. On Ethereum, the proceeds in USDC, USDT, and DAI were swapped for 3,252.35 ETH, and a total of 5,716.77 ETH was then transferred to another address. That address distributed 5,742 ETH to 67 different addresses, which moved the ETH to 67 Avalanche addresses through the Avalanche Bridge. On Avalanche, these 67 addresses converted the ETH to BTC.b and then transferred it to 67 BTC addresses. Monitoring and follow-up are ongoing.
Other Findings
On July 17, 2023, a Twitter user's private key was exposed while recording a demo video, resulting in the theft of 9.2 ETH and 1,700 USDT, worth about $20,000. At the victim's request for assistance, we found the following:
1) 10.08 ETH was bridged via TransitSwap to OKXChain and swapped for 1,244.44 OKT, and 0.013 ETH was bridged via TransitSwap to TRON and swapped for 310.81 TRX.
2) The 1,244.44 OKT was then bridged via TransitSwap to TRON and swapped for 18,149.08 USDT.
On July 19, under pressure and following a promise made by the victim, the attacker returned half of the stolen funds.
Additionally, on July 20, 2023, numerous users reported that the address 0x5608808d4e5af536abb578898b4b025b61a65f8a had been draining tokens from users' wallets across multiple chains. Using the anti-money-laundering tracing platform MistTrack, we examined several chains and found the following:
1) On Ethereum, the hacker converted USDC and DAI into ETH. Of this, 0.1 ETH was sent to FixedFloat, and 12.05 ETH was withdrawn from FixedFloat; there were also traces of cross-chain transactions via Stargate and Across Protocol.
2) On BNBChain, 74.3 BNB was sent to FixedFloat, and 0.78 BNB was withdrawn from FixedFloat to address 0xe4a…67a, which has strong ties to the hacker's address.
3) On Polygon, 4,497 MATIC was sent to FixedFloat, and 53.15 MATIC was withdrawn from FixedFloat to the same address, 0xe4a…67a.
4) On Avalanche, 47.9 AVAX was sent to FixedFloat.
Our investigation also surfaced the following IP addresses used by the hacker: 146.*.*.215, 146.*.*.166, 146.*.*.213, 146.*.*.197, 146.*.*.222, 146.*.*.254, 146.*.*.174. A VPN appears to have been used, and both Russian- and English-language patterns are suspected. We have not yet been able to determine the exact cause of these wallet thefts, and the investigation is ongoing.
Summary
This week saw a surge in phishing attacks on social media platforms such as Discord and Twitter. Hackers typically gain administrative or account privileges and post phishing links while impersonating the official account. Creating a phishing site is cheap and executing the scam is straightforward, which makes it hard for people to become suspicious, especially when hackers redirect users to fake customer support pages. Users must raise their security awareness, since hackers can capture account credentials without the victim noticing.
We strongly advise projects to enable two-factor authentication, set strong passwords, and adopt other measures to protect their accounts. Staff must also stay vigilant against traditional network attacks and social engineering, and avoid downloading malicious software or visiting phishing websites. As users, keep in mind that 'official' does not mean 'absolutely safe'. Exercise caution wherever an authorization or confirmation is requested, cross-verify information through multiple channels where possible, and consider installing an anti-phishing browser extension, which can help identify some phishing websites.