In brief⚡
😮 FPG's ~$20M Mishap: Let's Shore Up Security Together!
🔒 TrustTheTrident lost ~$95K: Contracts Need Extra Security!
😱 Atlantis Loans Swamped by a ~$1M Wave
😲 Sturdy Finance's ~$770K Surprise: Unmasking Price Manipulation!
😮 Hackers Score ~$600K Jackpot from Hashflow
🤠 Move VM's Stack Overflow Struggle
Hacks and Scams⚠️
FPG
Amount of Loss: ~ $2M
Analysis
On June 11, Floating Point Group (FPG), a trading platform for crypto institutions, was targeted by a cyber attack, resulting in a loss of ~$2 million in cryptocurrency.
After hiring external auditors to conduct cybersecurity audits and penetration tests last December, FPG implemented security measures and successfully obtained SOC 2 certification.
After discovering the security breach, FPG froze all third-party accounts and implemented protective measures for all wallets.
The company's account isolation measures mitigated the attack's overall impact.
TrustTheTrident
Amount of Loss: ~ $95K
Analysis
TrustTheTrident ($SELLC) was attacked, resulting in a loss of approximately $95,000.
The vulnerable contract is 0x274b3e185c9c8f4ddef79cb9a8dc0d94f73a7675, and the hacker address is 0xc67af66b8a72d33dedd8179e1360631cf5169160.
The root cause is that the Claim() function in the StakingRewards contract did not properly validate its input parameters, allowing the attacker to pass a fake token and obtain more rewards than they were entitled to.
When claiming, the attacker supplied a bogus token that the StakingRewards contract treated as USDT. Because the attacker controlled both the fake token and its QiQi pairs, the contract over-rewarded them.
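The following is an added, illustrative reconstruction of the bug class described above; it is not the TrustTheTrident contract, and the contract names, the IPairOracle helper and the reward formula are assumptions. It places a claim function that trusts a caller-supplied token address next to a version that restricts claims to an explicit allowlist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction only: NOT the TrustTheTrident contract.
// Names, the IPairOracle helper and the reward formula are assumptions chosen
// to show the bug class: a claim() that trusts a caller-supplied token address.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IPairOracle {
    // Assumed helper: spot price of `token` in reward-token units (1e18 scale),
    // read from a DEX pair. Anyone can create a pair for any token they control.
    function spotPrice(address token) external view returns (uint256);
}

contract StakingRewardsVulnerable {
    IERC20 public immutable rewardToken;
    IPairOracle public immutable oracle;
    // user => token => amount staked (stake() omitted for brevity)
    mapping(address => mapping(address => uint256)) public staked;

    constructor(IERC20 _rewardToken, IPairOracle _oracle) {
        rewardToken = _rewardToken;
        oracle = _oracle;
    }

    // BUG: `token` is caller-controlled and never checked against the assets the
    // contract was configured to support. The reward is priced off `token`'s DEX
    // pair, so a worthless token with a caller-controlled pair is valued as if
    // it were USDT.
    function claim(address token) external {
        uint256 amount = staked[msg.sender][token];
        uint256 reward = amount * oracle.spotPrice(token) / 1e18;
        staked[msg.sender][token] = 0;
        require(rewardToken.transfer(msg.sender, reward), "transfer failed");
    }
}

contract StakingRewardsHardened {
    IERC20 public immutable rewardToken;
    IPairOracle public immutable oracle;
    address public immutable owner;
    mapping(address => bool) public supportedToken;                 // explicit allowlist
    mapping(address => mapping(address => uint256)) public staked;  // user => token => amount

    constructor(IERC20 _rewardToken, IPairOracle _oracle, address[] memory initialTokens) {
        rewardToken = _rewardToken;
        oracle = _oracle;
        owner = msg.sender;
        for (uint256 i = 0; i < initialTokens.length; i++) {
            supportedToken[initialTokens[i]] = true;
        }
    }

    function setSupportedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        supportedToken[token] = allowed;
    }

    function claim(address token) external {
        // Fix 1: reject any token the contract was not configured to price.
        require(supportedToken[token], "unsupported token");
        uint256 amount = staked[msg.sender][token];
        require(amount > 0, "nothing staked");
        // Fix 2 (checks-effects-interactions): zero the balance before the external call.
        staked[msg.sender][token] = 0;
        // Note: a single-pair spot price is itself manipulable; a TWAP or a
        // trusted oracle is the stronger choice for the price source.
        uint256 reward = amount * oracle.spotPrice(token) / 1e18;
        require(rewardToken.transfer(msg.sender, reward), "transfer failed");
    }
}
```

The allowlist is the check the page's root cause calls for: the contract decides which assets it prices, not the caller. The comment on the price source is a separate caveat, since even an allowlisted token is mispriced if its only price feed is a thin, manipulable pair.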
Atlantis Loans
Amount of Loss: ~ $1M
Analysis
Even though developers abandoned the Atlantis Loans DeFi lending project in early April due to "financial difficulties," it has continued to chug along like a zombie as a self-executing DeFi protocol.
Attackers carried out a governance attack on the BSC ecosystem protocol Atlantis Loans, taking control of the contract and replacing it with one containing backdoor functionality that transfers user assets; the loss is estimated at around $1 million.
On June 7, 2023, the attackers created a malicious governance proposal in the GovernorBravo contract.
They published and voted through a proposal that upgraded the smart contract so that users' existing token approvals could be used to transfer tokens to their wallet address. They eventually made off with assets worth approximately $1.1 million.
Sturdy Finance
Amount of Loss: ~ $770K
Analysis
The DeFi lending protocol Sturdy is suspected of being hacked, and evidence on the chain suggests that the attack was carried out via price manipulation.
The attackers moved 442.6 ETH to Tornado Cash.
By exploiting Balancer's read-only reentrancy vulnerability, an attacker can manipulate the price of cB-stETH-STABLE so that the 'validateSetUseReserveAsCollateral' check passes, allowing previously collateralized steCRV tokens to be removed from the collateral set.
As a result, the attacker only needs to repay the remaining collateral to withdraw the collateral through liquidation.
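As an added example (not Sturdy's or Balancer's code), here is a collateral price feed that reads a Balancer pool token's rate, first without and then with the guard Balancer recommends against read-only reentrancy. The guard makes a deliberately malformed static call to the Vault and inspects the revert reason: if the Vault is mid-operation, it reverts with its reentrancy error, and the oracle refuses to return a price. The error string "BAL#400" is assumed to be Balancer's REENTRANCY error code; the pool and contract names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not Sturdy's or Balancer's code. The error string
// "BAL#400" is assumed to be Balancer's REENTRANCY error; contract names and
// the collateralPrice() API are assumptions.

interface IBalancerPool {
    // Balancer pools expose getRate(). Reading it while the Vault is mid-operation
    // (for example from a callback during a pool exit) can return a transient,
    // manipulated value: the read-only reentrancy problem.
    function getRate() external view returns (uint256);
}

library VaultReentrancyCheck {
    // Selector of IVault.manageUserBalance(UserBalanceOp[]). The call below is
    // intentionally malformed so that it always reverts; only the revert reason
    // matters. A REENTRANCY reason means the Vault is currently executing.
    bytes4 private constant MANAGE_USER_BALANCE =
        bytes4(keccak256("manageUserBalance((uint8,address,uint256,address,address)[])"));

    function ensureNotInVaultContext(address vault) internal view {
        bytes32 reentrancyErrorHash =
            keccak256(abi.encodeWithSignature("Error(string)", "BAL#400")); // assumed code
        (, bytes memory revertData) =
            vault.staticcall{gas: 10_000}(abi.encodeWithSelector(MANAGE_USER_BALANCE, 0));
        require(keccak256(revertData) != reentrancyErrorHash, "vault reentrancy");
    }
}

contract CollateralOracleVulnerable {
    IBalancerPool public immutable pool;

    constructor(IBalancerPool _pool) {
        pool = _pool;
    }

    // BUG: trusts getRate() unconditionally. A caller that enters this function
    // from inside a Balancer operation sees a rate that does not reflect the
    // pool's settled state, and any collateral check built on it is bypassable.
    function collateralPrice() external view returns (uint256) {
        return pool.getRate();
    }
}

contract CollateralOracleHardened {
    using VaultReentrancyCheck for address;

    IBalancerPool public immutable pool;
    address public immutable vault;

    constructor(IBalancerPool _pool, address _vault) {
        pool = _pool;
        vault = _vault;
    }

    // Fix: refuse to price the collateral while the Vault is mid-operation, so
    // the rate read here always reflects a settled pool state.
    function collateralPrice() external view returns (uint256) {
        vault.ensureNotInVaultContext();
        return pool.getRate();
    }
}
```

Any lending-side check such as a collateral validation should call the hardened oracle, so that the price it compares against cannot be read during the window the page describes.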
Hashflow
Amount of Loss: ~ $600K
Analysis
Hashflow, a decentralized trading platform, is suspected of being the victim of an authorization-related attack.
However, this could be a white-hat hacking operation. The theft resulted in a ~$600,000 loss, and all affected users could recover their assets.
The majority of the funds were taken in two separate transactions five minutes apart: the first for 58K USD and the second for 150K USD.
There are two fund recovery options: the first returns the total funds, and the second donates 10% to the alleged white-hat hacker who exploited the vulnerability but prevented further losses.
Move VM
Analysis
A security firm recently discovered a stack overflow vulnerability in the Move VM that does not limit the depth of recursive calls, causing a total network shutdown, preventing new validator nodes from joining the network, and potentially causing a hard fork.
This vulnerability affects Sui mainnet_v1.2.1, Aptos mainnet_v1.4.3, and earlier versions. As of June 10, 2023, the Sui mainnet_v1.2.1, Aptos mainnet_v1.4.3, and Move-language releases fix this vulnerability.
Explore the Depths of Knowledge: Research Papers & Blogs🔖
Decoding USEA Token’s $1.1 Million Rug Pull
On June 6, 2023, the deployer of USEA token executed an exit scam (rug pull) and stole around $1.1 million in user funds. To do this, they minted a large number of tokens and removed all liquidity from the USEA token’s trading pair on PancakeSwap. This caused the price of the token to drop by almost 99%.
Emerging Trends in Smart Contract Security
The Web3 security industry is making huge strides to ensure the best possible security as we move forward. Much research has been conducted to confirm the effectiveness of various security mechanisms.
Web3 Community Spotlight🔦
Partnership With Airchains