In brief ⚡
😱 A zero-day compiler bug in older versions of Vyper caused heavy losses in Curve Finance and related contracts, including JPEG’D, Alchemix and Metronome DAO.
The value of the BALD Meme Coin on Coinbase Layer-2 plummeted to zero after the developer withdrew liquidity from the project.
LeetSwap experienced an exploit wherein an attacker discovered a function that enabled them to manipulate token prices within the project, resulting in a profit of approximately 342 ETH.
Uwerx, a budding blockchain-based freelancer marketplace, fell victim to a flash loan exploit post token presale, losing 176 ETH (~$324,000), and now seeks the exploiter's cooperation to return 80% of the funds, offering 20% as a "bug bounty" upon relaunch.
Apache NFT SalesRoom (ASN) on BNB Chain was rug-pulled for approximately $680k.
Hacks and Scams⚠️
Curve Finance and Contracts
Amount of Loss: ~ $60 Million
Analysis
Multiple protocols, including JPEG'D, Alchemix, Metronome, and Curve Finance, were affected by a bug in certain older versions of Vyper, the language used in Curve's contracts.
The bug allowed attackers to exploit a misalignment of storage slots between two functions, enabling them to manipulate LP token prices and drain affected pools.
A total of $69M was drained from the affected pools, with some funds being returned by white hat hackers, but the losses had a significant impact on associated tokens' prices.
The vulnerability was not related to the read-only reentrancy bug but was a compiler-level bug that had been exploitable since 2021 and was patched in version 0.3.1 of Vyper.
The incident raised concerns about the need for more attention and investment in the underlying infrastructure and security of DeFi protocols.
BALD
Amount of Loss: ~ $9.2 Million
Analysis
A well-funded deployer, suspected to be Armstrong or associated with FTX/Alameda, added $12M of liquidity to the BALD token, causing a rapid increase in price.
After the initial surge, the price stagnated, and the deployer started buying BASE tokens, resulting in a pump of almost 100% to ~$0.10.
However, on Monday, the deployer pulled ~$23M of liquidity (rug pull), making a profit of 3,163 ETH ($5.9M).
The deployer initially denied selling any tokens but later seemed uninterested in maintaining their innocence when called out.
The deployer's address had connections with Alameda, early Sushi, and dYdX governance, and evidence pointed towards a possible association with FTX/Alameda, possibly even SBF.
Leetswap
Amount of Loss: ~ $620k
Analysis
LeetSwap, a DEX ecosystem on Base blockchain, was recently exploited, resulting in a profit of approximately 342 ETH (~$624,000) for the attacker.
The exploit was due to a function that allowed the hacker to manipulate token prices on the platform.
LeetSwap reached out to the attacker on social media, requesting the return of most of the stolen funds, leaving 50 ETH (~$92,000) as a gesture.
Uwerx
Amount of Loss: ~ $3.7 Million
Analysis
Uwerx, a blockchain-based freelancer marketplace project, suffered a flash loan exploit after its token presale, resulting in a loss of 176 ETH (~$324,000).
The project was audited.
In response to the exploit, Uwerx announced plans to relaunch the token and asked the attacker to consider returning 80% of the funds, offering 20% as a "bug bounty."
Apache NFT Salesroom
Amount of Loss: ~ $43.8 Million
Analysis
The Apache NFT SalesRoom (ASN) on the Binance Smart Chain (BSC) experienced a "rug pull" resulting in losses of approximately $680k.
The deployer of the contract transferred a substantial number of tokens to a specific address.
Subsequently, that address dumped 1 million ASN tokens for approximately $680k worth of BSC-USD.
The incident highlights the risks and vulnerabilities associated with investing in decentralized projects and the importance of conducting thorough due diligence before participating in such ventures.
Research Papers & Blogs🔖
All You Need to Know About ECDSA
The article discusses the Elliptic Curve Digital Signature Algorithm (ECDSA), the cryptographic technique used to sign transactions on Ethereum and similar blockchains.
Governance Attacks and You: The Responsible Citizen’s Guide
The article explains everything about Governance and how you, as a user, can spot that
Web3 Community Spotlight🔦
This was a dark month for the World of Web3.
We lost more than $300 million in 25 cunning hacks in the month of July.
Check out our monthly hack post.
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.