100x Return- "Georgian Coinbase account is identical to Aladdin's magic lamp"🧞
HashingBits | Week- 35
In brief—
Events Under the Spotlight 🔎
Hackers attacked Mysten Labs’ Discord server last Saturday
The Discord server of Sui blockchain creators Mysten Labs was compromised.
Hackers may have uploaded a link to a purported airdrop on the server’s announcement channel, according to an unsubstantiated screenshot that was circulated on Twitter.
DDC exploited for $104,600
The attacker used the
handleDeductFee
function of the DDC contract after usingbalanceOf
to obtain all of the $DDC in the pool.Due to the fact that
handleDeductFee
does not validate thefeeAmount
and incoming address, this function has adjustable parameters.Nearly all of the DDC tokens in the victim pool were transferred by the attacker into the
handleDeductFee
function before sync was used to update the k-value.After the k-value was revised, the balance of DDC in the pool was reduced to 0.0003 DDCs.
As a result, the price of $USD that corresponds to $DDC has dramatically increased, and a substantial number of USD can be exchanged via a relatively small amount of $DDC. To exchange for 104,600 USD, the hacker utilised 23 $DDC.
By mistake activating the kill switch on the mainnet, DEX locks 660,000 USDC within
OptiFi informed users that its platform had come to an unceremonious end after its development team tried to update its code on Monday.
According to the post-mortem, the culprit was the command line “
solana program close
,” which the developers executed as part of their attempt to retrieve the tokens.However, and apparently unbeknownst to the OptiFi team, “solana program close” has the effect of closing the program permanently and irretrievably.
The developers appealed to Solana developers to make changes to Solana documentation in order to warn developers of the irrevocable nature of the program close function.
CUPID token fell for a Flash Loan attack
Through a flash loan on BNB Chain, the attacker achieved a profit of $78,622, which led to a 90% decline in the value of the token CUPID and a 300% increase before a decrease in the value of the token VENUS.
Cupid contract
0x40c994299fb4449ddf471d0634738ea79c734919
has a reward logic vulnerability. Get $CUPID tokens with LP tokens and USDT/VENUS.
The attacker used a flashloan to obtain $VENUS, staked them to obtain LP tokens, transmitted LP to numerous addresses, and then used the victim contract's
0xe98bfe1e()
function to obtain $Cupid tokens, which were later sold for a profit of 78,623 USDT.
Privacy project ShadowFi suffered a hack
ShadowFi recently tweeted that-
“We have experienced an exploit in our LP contract that has left it at $0. The ShadowFi team is hard at work looking for a solution that works in everyone's best interest. Please have patience while we push through this.
All presale proceeds are secured and safe.”
The attacker made a profit of about 1078 BNB (about $300,000) by taking advantage of SDF's flaw to enable anyone to burn the Token, and the stolen money was transferred to TornadoCash.
Kyber Network suffers frontend hack, loses $265K
According to Kyber Network, its team “identified a malicious code in our Google Tag Manager (GTM) which inserted a false approval, allowing a hacker to transfer users’ funds to his address.”
Kyber continued that the threat was “neutralized” within two hours, assuring its users that it is now “safe to use all KyberSwap functions.”
Hacker drained Bill Murray’s Crypto After $185K NFT Charity Auction
Hours after the closing of Bill Murray’s NFT auction that raised 119.2 ETH (around $185,000) for charity Thursday, a hacker stole the funds.
The hacker also tried to steal 800 NFTs from the Bill Murray collection that were sitting in the wallet, though Project Venkman said it foiled that attempt by moving those NFTs to a safehouse, too.
They said they ran a script to automatically move the NFTs to safety.
Georgian users are able to cash out for 100 times the rate thanks to Coinbase's mispricing
Coinbase (COIN) users in the Eastern European country of Georgia were able to exploit a price bug that allowed them to cash out their holdings for 100 times the exchange rate, pocketing thousands of dollars in profit.
Georgia's national currency, the lari (GEL), was priced at $290 rather than $2.90 on Wednesday. In an email to CoinDesk, Coinbase attributed the missed decimal point to "a third-party technical issue."
The error allowed users holding $100 worth of lari on Coinbase to withdraw it to their bank account for $10,000.
Coinbase said the issue was exploited by 0.001% of its total users, or about 1,000 customers.
Image shows trader sold five lots of 0.01 ETH ($15.25) for 4,272 GEL ($1,525) each on August 30 (Source: Blockworks)
Rug Pull Finder's NFT contract was abused to mint 400 NFTs instead of 1 per wallet
Rug Pull Finder’s "Bad Guys" contract doesn't have a max amount per transaction, allowing anyone on the access list to mint as many tokens as he'd like to.
Test Yourself for Web3❓
This week was full of hacks and exploits!
Tell us how you could have prevented ONE of the above attacks?
We’ll present your analysis before QuillAudits vast community!
Take your identity out of this mailbox to infront of thousands of avid Web3 folks!🚀
Trending Blog of the Week📈
One of the biggest challenges with the creation of NFTs is that blocks have only limited storage, and so images cannot be stored in the blockchain directly.
For this purpose, an identifier(such as web address or hash) for the image is used.
Check out following article on NFT security;
TLDR: NFT Security Audits, Risks, and Safety Measures👇