In brief—
Events Under the Spotlight 🔎
MEV bot earns $1M but loses all to a hack
MEV bots are smart contracts that observe pending blockchain transactions and aim to make a profit from the results.
For example, when a user swaps tokens via a decentralized exchange’s liquidity pools, the price of the tokens on the exchange is affected, potentially creating an arbitrage opportunity that may be spotted by a bot.
This is precisely what happened in the hours leading up to the theft, when an unlucky user attempted to swap $1.85 million worth of cUSDC to USDC through an illiquid pool, receiving just $500 in return.
0xbadc0de then exploited the imbalance, netting 800 ETH (~$1 million) via a complex automated arbitrage trade involving multiple DeFi platforms.
Despite OFAC Sanctions, Suspicious Fund Transfers on Tornado Cash Are Still Active
Tornado Cash was the subject of a suspicious $2.4 million fund transfer.
The transfer is probably connected to the BXH Exchange hack, which occurred in late October and saw over 4,000 ETH worth $139 million stolen.
0x158F5, an externally owned address (EOA), ran the privileged function InCaseTokensGetStuck() to withdraw money from an Avalanche and Binance Smart Chain staking contract.
The address then bridged the tokens to Ethereum.
The address then swapped ETH for bridging ERC-20 tokens. As a result, 1,865 ETH worth a cumulative $2.4 million has been put into Tornado Cash.
Jason Falovitch's NFTs worth $150K are stolen by Hackers
Former sports manager turned cryptocurrency entrepreneur Jason Falovitch acknowledged the breach into his wallet on September 25 in a blog post, saying hackers made off with at least $150,000 worth of NFTs.
Hackers allegedly took six ETH ($7,770) and four NFTs, including two Doodles, a Mutant Ape Yacht Club (MAYC) NFT valued at about $20,000, a Bored Ape Yacht Club NFT valued at more than $107,000, and six ETH ($20,000) from Falovitch's OpenSea cryptocurrency wallet.
Using the current Doodles NFT floor prices, the infamous hackers made more than $150,000 before they vanished.
According to the price of ETH at the time of purchase, Falovitch spent more than $377,000 on the four NFTs; therefore, the most recent breach was a major setback for him.
BXH suffered another flash loan attack
On September 28, 2022, the TokenStakingPoolDelegate contract, which BXH had updated after the last attack, suffered another flash loan attack.
The contract lost 40,085 USDT, and the attacker made a profit of 31,794 USDT after paying off the flash loan fee.
Analysis shows that the attack was caused by the use of getReserves() in the contract's getITokenBonusAmount function to obtain an instantaneous quotation, which lets an attacker profit by manipulating that quotation.
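The weakness of an instantaneous getReserves() quotation, compared with a time-weighted average price, can be seen in a small simulation. This is an added example, not BXH's contract code; the Pool class, quote_spot, quote_twap and all reserve figures are hypothetical and constructed for illustration.

```python
# Constructed model of a constant-product pool (x * y = k, 0.3% fee).
# Class, function names and all numbers are hypothetical, not BXH's code.
class Pool:
    def __init__(self, token, usdt):
        self.token, self.usdt = token, usdt
        self.cum_price = 0.0  # running sum of price * seconds
        self.last_ts = 0

    def get_reserves(self):
        return self.token, self.usdt

    def accumulate(self, now):
        # Record the price that held since the last update, weighted by time.
        self.cum_price += (self.usdt / self.token) * (now - self.last_ts)
        self.last_ts = now

    def swap_usdt_for_token(self, usdt_in, now):
        self.accumulate(now)  # the pre-trade price is what gets recorded
        out = (usdt_in * 997 * self.token) / (self.usdt * 1000 + usdt_in * 997)
        self.token -= out
        self.usdt += usdt_in
        return out


def quote_spot(pool, token_amount):
    # Weak pattern: value tokens at whatever the reserves are right now.
    token, usdt = pool.get_reserves()
    return token_amount * usdt / token


def quote_twap(pool, cum_start, ts_start, now, token_amount):
    # Hardened pattern: value tokens at the time-weighted average price.
    pool.accumulate(now)
    return token_amount * (pool.cum_price - cum_start) / (now - ts_start)


def demo():
    pool = Pool(token=1_000_000.0, usdt=100_000.0)  # price 0.10 USDT
    cum0, t0 = pool.cum_price, pool.last_ts          # oracle snapshot at t=0
    pool.accumulate(1800)                            # 30 quiet minutes
    before = quote_spot(pool, 1000)
    pool.swap_usdt_for_token(900_000.0, now=1800)    # one large same-block trade
    spot_after = quote_spot(pool, 1000)
    twap_after = quote_twap(pool, cum0, t0, 1800, 1000)
    return before, spot_after, twap_after


if __name__ == "__main__":
    print(demo())
```

The spot quotation for the same 1,000 tokens jumps by roughly two orders of magnitude inside a single block, while the time-weighted quotation is unchanged because the manipulated price has accrued no time weight.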