SlowMist Weekly Security Update July 24 to 30

SlowMist
6 min readJul 31, 2023

--

Weekly Update | Approximately $59.63 Million Lost to Web3 Security Incidents

Overview

According to statistics from the Slowmist Blockchain Black Archives (https://hacked.slowmist.io), from July 24 to 30, 2023, there were seven security incidents involving Palmswap, MetaLabz, Eralend, Carson, DefiLabs, Kannagi Finance, and Curve Finance. The total estimated loss stands at approximately $59.63 million, attributed to tactics such as Rug Pull, flash loan attacks, and re-entry lock failure.

Specific Incidents

Palmswap

On July 25, 2023, the Palmswap project on the BSC chain was attacked, with the assailant profiting over $900,000. The attack resulted from the core function’s permission control feature being inactive, and the liquidity token’s price calculation model being overly simplistic. On July 28, Palmswap tweeted that 80% of the stolen funds had been returned, with the remaining 20% being regarded as the hacker’s bug bounty.

MetaLabz

On July 25, 2023, MetaLabz tweeted, “To secure our supply, we deployed an unaudited contract that was exploited. The situation was exacerbated by subsequent liquidity attacks, resulting in losses slightly above 400 BNB.”

Eralend

On July 25, 2023, multiple users reported that the Zksync-based lending protocol Eralend suffered a flash loan attack. The attackers manipulated the oracle prices, exploiting approximately $2.76 million from the USDC pool. All other pools remained unaffected.

Carson

On July 27, 2023, Carson of the BSC ecosystem was attacked, resulting in a loss of approximately $145,000. The Carson token price has plunged by 96%, with the attacker having converted the stolen assets into 600 BNB and transferred to Tornado Cash.

DefiLabs

On July 28, 2023, DefiLabs on the BNB chain has absconded, taking away approximately $1.6 million. DeFiLabs claimed on Twitter that the platform encountered “unexpected issues” during “maintenance and updates”.

Kannagi Finance

On July 29, 2023, the zkSync Era yield aggregator protocol Kannagi Finance executed a Rug Pull, rendering its official Twitter and official frontend ineffective. DeFiLlama data shows that Kannagi Finance’s TVL was $2.13 million yesterday, and it’s nearly zero now, predicting a user loss of $2.13 million.

Curve Finance/Alchemix/JPEG’d etc.

On July 30, 2023, Curve Finance tweeted that many stablecoin pools using Vyper 0.2.15 were attacked due to re-entry lock failure, causing a cumulative loss of approximately $52 million. As of now, the Curve Finance TVL has fallen to $1.869 billion, a decrease of 42.5% in the past 24 hours.

Alchemix recently announced that Curve Finance alerted them about a potential vulnerability in their alETH/ETH pool due to an issue with Vyper. Alchemix swiftly removed the liquidity controlled by AMO contracts from the Curve pool. The vulnerability was executed on the Curve pool contract, but Alchemix’s smart contracts were not attacked, ensuring the safety of the funds. Alchemix needs to perform three transactions: withdrawing LP tokens from Convex, extracting alETH from the Curve pool, and extracting ETH from the Curve pool. The first transaction, which involves withdrawing LP tokens from Convex, has been completed. Following the second transaction, 8,000 ETH was removed from the Curve pool. There remains approximately 5,000 ETH liquidity in the Curve pool that is controlled by the AMO. During the process of removing the remaining liquidity, the alETH/ETH Curve pool was attacked. At present, the alETH reserve has suffered a loss of approximately 5,000 ETH.

According to an analysis by MistTrack, the initial funds for the Curve CRV/ETH exploiter (0xb75…324) came from Binance.

Moreover, the Curvefi: Deployer (0xbab…f67) once sent an on-chain message to the CRV/ETH exploiter (0xb75…324).

As of now, the CRV/ETH exploiter (0xb75…324) has transferred all the profit, consisting of 35.26 ETH, 7,193,401.77 CRV, and 7,680.49 WETH, to a new address (0xB1C…148).

In another update from July 22, the Estonian crypto payment service provider CoinsPaid announced that it had suffered a cyber attack, resulting in the theft of cryptocurrencies worth $37.3 million. On July 26, the SlowMist team tweeted that the attackers behind CoinsPaid, Atomic, and Alphapo may all belong to the North Korean hacker group Lazarus Group.

Further analysis revealed:

1) The address TGG…1Ag received a large transfer of 118,351,300 TRX from the address TJF…3ym, which is related to the Alphapo incident.

2) TGG…1Ag received funds from the Coinspaid hot wallet on July 22, which flowed out through the addresses TNM…Jem and TJ6…xuf.

3) The address TNM…Jem received funds from the address TJX…JQx used by the Atomic Wallet exploiter, which could be related to Lazarus/DPRK.

Summary

The major cause of security incidents this week has been flash loan attacks. Flash loans are innovative products in decentralized finance, allowing users to borrow and repay in the same transaction (block) without any collateral. A single on-chain transaction can contain multiple operations, allowing developers to incorporate other on-chain operations between borrowing and repaying. This has led to the rise of flash loan attacks. Although flash loans themselves do not contain vulnerabilities, they can be exploited to manipulate prices or arbitrage across multiple protocols at a very low cost, posing a risk. The SlowMist security team advises DeFi project teams to always remain vigilant, conduct regular security audits, track and resolve new security threats and vulnerabilities, and protect projects and assets to the greatest extent possible.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet