SlowMist Weekly Security Report September 4rd to 10th

SlowMist
9 min readSep 12, 2023

--

Weekly Update | Approximately $42.554 Million in Losses from Web3 Security Incidents

Overview

According to statistics from SlowMist Blockchain’s Hacked Archive (https://hacked.slowmist.io), from September 4 to September 10, 2023, there were a total of 10 security incidents, resulting in an estimated loss of approximately $42.554 million.

Specific Incidents

Stake.com

On September 4, 2023, the cryptocurrency betting platform Stake.com suffered an attack, incurring losses of at least $41 million. On September 5, Edward Craven, the co-founder of Stake, confirmed the hacking incident but stated that the platform’s private keys were not compromised. Craven described the attack as a “sophisticated vulnerability” targeting the services used by the company to authorize on-chain transactions for Ethereum, Polygon, and BNB Chain. According to MistTrack analysis, the Stake attacker (0x22b…63f) used SquidRouter to convert MATIC into other currencies like AVAX and USDC, then moved these across chains to Avalanche. Subsequently, multiple currencies were converted into BTC via ParaSwap and transferred to the Bitcoin blockchain.

On September 6, the U.S. Federal Bureau of Investigation (FBI) stated that the North Korean hacking group Lazarus Group was responsible for the attack on Stake.com. According to the FBI’s statement, the organization has so far stolen over $200 million this year. This includes $60 million in virtual currency stolen from Alphapo and CoinsPaid in July, as well as approximately $100 million in virtual currency stolen from Atomic Wallet in June.

Saber DAO

On September 4, 2023, Saber DAO, an automated market maker for stablecoins on Solana, announced via Twitter that its Discord had been attacked but that the attacker had been successfully blocked.

Connext

On September 5, 2023, multiple users reported issues with the airdrop claim process for the Layer2 interoperability protocol Connext. Some accounts’ NEXT tokens were claimed to unexpected addresses. On-chain data shows that an address starting with 0x44Af claimed a large number of Connext NEXT tokens from 230 accounts in the past hour and subsequently sold them for ETH, USDT, and USDC, netting nearly $39,000.

The SlowMist Security team analyzed this incident and here’s what we found: Users can claim NEXT tokens through the `claimBySignature` function of the NEXT Distributor contract. This involves roles for both the ‘recipient’ and ‘beneficiary’. The ‘recipient’ role is used to receive the claimed NEXT tokens, and the ‘beneficiary’ role is an address that is eligible to claim NEXT tokens, which is determined when the Connext protocol announces eligibility for the airdrop. When a user claims NEXT tokens, the contract performs two checks: the first check verifies the signature of the ‘beneficiary’ role, and the second checks whether the ‘beneficiary’ is eligible for the airdrop. During the first check, it verifies that the ‘recipient’ submitted by the user is signed by the ‘beneficiary’, making it impossible to randomly input a ‘recipient’ address without a signature from the ‘beneficiary’. Even if someone crafts a signature for a designated ‘beneficiary’ address, it would fail the second check for airdrop eligibility. This eligibility check is performed through a Merkle proof, which should be generated by the official Connext protocol. Therefore, users who are not eligible to claim the airdrop cannot bypass this check to claim someone else’s airdrop.

On September 7, Connext released a post-incident analysis stating that the attacker performed a DOS attack on Tokensoft’s API, causing the claim database and UI to go down. During this process, 274,956 NEXT tokens from 253 unrelated wallets were claimed (accounting for 0.26% of the total airdrop amount) and sold at a price of approximately 40,000 USDT before ordinary users could claim them. However, Connext was not damaged in any way. After the DOS attack ended, the airdrop claim process resumed normally.

Cyberport Hong Kong

On September 5, 2023, Cyberport Hong Kong was hacked, with the attacker gaining access to various types of information, including start-up company data, corporate files, and identity verification documents. In total, about 436 GB of company data was compromised. According to a post on a cybersecurity-focused account, the stolen data is being offered for sale on the hacker’s website for approximately $300,000 (about 2.35 million Hong Kong dollars).

GMBL COMPUTER

On September 5, 2023, GMBL COMPUTER, a decentralized exchange in the Arbitrum ecosystem, fell victim to an attack. The attacker withdrew approximately $815,000 worth of GMBL tokens from the contract. GMBL stated, “We believe the vulnerability was due to a flaw in the platform’s referral system, which allowed people to place bets without depositing any funds and use them to generate referral bonuses. We have identified the exploiter and are working diligently to recover all funds lost due to this exploit.”

The GMBL team offered a “Bug Bounty” to the attacker, promising not to take legal action in exchange for the return of 90% of the stolen funds. On September 6, the attacker returned 235 ETH (approximately $382,000), which amounts to 50% of the stolen funds.

Base

On September 6, 2023, Base experienced a block production halt. The Base team immediately began an investigation and subsequently deployed a fix, allowing block production to resume. The team has confirmed that network operations and RPC API have returned to normal and will continue to be monitored. Base later tweeted that the issue has been resolved and no funds are at risk.

Ordinals Wallet

On September 7, 2023, Ordinals Wallet fell victim to a SIM Swap attack. Its Twitter account was compromised and a phishing link “ordinalswallet[.]to” was posted. The attacker is identified as being part of the phishing gang PinkDrainer.

PEPE

On September 9, 2023, PEPE announced on Twitter that their old Telegram account had been hacked and was no longer under official control. The Twitter account “lordkeklol” was also compromised and used for scamming activities; this account has no affiliation with PEPE or its team members. PEPE stated that all official announcements will be made through their Twitter account in the coming weeks.

Vitalik Buterin Twitter Hack

On September 10, 2023, Ethereum co-founder Vitalik Buterin’s Twitter account was hacked. Any tweets containing phishing links have since been removed. According to data from Zachxbt, the value of the stolen assets exceeded $650,000 within just a few hours after the theft occurred.

LDO

On September 10, 2023, according to on-chain intelligence from the SlowMist Security Team, the token contract for LDO behaves unusually during transfer operations. Specifically, if the amount being transferred exceeds the user’s actual holdings, the operation does not trigger a rollback of the transaction. Instead, it simply returns a “false” as the processing result. Due to this characteristic, there is a potential risk for “fake deposit” schemes. Malicious attackers could potentially exploit this feature to commit fraud on centralized platforms.

Token contract behavior can vary from project to project. To ensure the security of funds and the accuracy of transactions, We strongly recommends conducting a thorough understanding of contract logic and comprehensive testing before integrating any new tokens.

On September 11, Lido responded to the “fake deposit” risk, stating that this behavior is expected and in line with ERC20 token standards. Both LDO and stETH remain secure. The Lido Token Integration Guide will be updated with detailed information on LDO to more clearly highlight this point.

Other Developments

On September 5, 2023, according to a Cointelegraph report, crypto scams targeting MetaMask users are employing URLs owned by various governments to deceive victims and gain access to their crypto wallets. Once a user clicks on any malicious link within a government website URL, they are redirected to a fake URL. It is reported that the official government websites of India, Nigeria, Egypt, Colombia, Brazil, Vietnam, and other jurisdictions have been found to redirect to fraudulent MetaMask sites.

According to Scam Sniffer’s monitoring, a whale address starting with 0x13e suffered a loss due to a phishing attack, losing 4,850 rETH and 9,579 sETH, valued at approximately $24.23 million. The victim granted token approval to the scammer through a signed “increaseAllowance” transaction. Analysis by MistTrack shows that some of the funds have been moved to FixedFloat, with a total of 2,402 ETH being transferred to Tornado Cash.

The phisher’s address, starting with 0x4c1…ab1, is linked to multiple fake websites imitating popular crypto projects to trick users into authorizing transactions. Always be cautious and double-check URLs and addresses.

Summary and Recommendations

This week has seen a surge in phishing incidents, including multiple Twitter accounts being hacked. Typically, hackers impersonate administrators after gaining access to accounts and post phishing links. These phishing sites are cheap to produce and easy to deploy, making them difficult to detect. Sometimes, users are redirected to fake customer support pages for phishing. It’s crucial for users to heighten their cybersecurity awareness as hackers can capture account details and passwords without the user being aware.

For Project Teams:

- Implement two-factor authentication and strong passwords to protect accounts.

- Always be vigilant against traditional cyber attacks and social engineering tactics, avoiding the download of malicious software and visiting phishing websites.

For Users:

- Always exercise caution, even with “official” platforms. Be particularly careful when authorizing or confirming action

Lastly, it’s strongly recommended to read the “Blockchain Dark Forest Self-Guard Handbook” by SlowMist: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.