In brief ⚡
Unibot and Maestrobots Exploits Lead to Combined $640,000 Crypto Loss, as Unibot Commits to Compensation.
Onyx Protocol's $2.1 Million Loss Reveals DeFi Vulnerabilities in Low-Liquidity Markets.
Fantom Foundation Hacked for $550,000 in Cryptocurrency, Investigating Security Breach.
Astrid Finance Recovers 80% of Stolen Crypto Following Exploit, Shifts Focus to Smart Contract Development.
Hackers Pilfer $4.4 Million in Cryptocurrency from LastPass Users in Recent Breach.
Hacks and Scams⚠️
Unibot
Amount of Loss: ~ $640k
Analysis
A Telegram chatbot called Unibot was exploited, resulting in the theft of approximately $640,000 worth of memecoins from users.
The attacker moved the stolen tokens through Uniswap, swapping them for ether, and then sent the proceeds through Tornado Cash.
Unibot acknowledged being a victim of a token approval exploit during a transition to a new router and pledged to reimburse any stolen funds.
Scopescan, a blockchain analytics firm, alerted Unibot users about the ongoing hack, which had initially gone undetected.
Unibot committed to compensating users who lost funds due to the contract exploit, with memecoins like Joe (JOE), UNIBOT, and BeerusCat (BCAT) being a significant part of the stolen assets.
A similar contract exploit affected Maestrobots, another group of cryptocurrency bots on Telegram, resulting in the loss of 280 ETH from users. Maestrobots later used its revenue to cover the user losses, citing a lack of liquidity to repurchase the lost tokens.
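The Unibot and Maestro incidents both come down to ERC-20 approvals: once a user has approved a router contract as a spender, anyone who controls that router can call `transferFrom` on the user's tokens without ever touching the user's key, and an approval granted to an old router survives a migration to a new one. The following added example (not Unibot's, Maestro's or any project's code; token names, balances and router addresses are constructed) models the allowance ledger, computes the exposure each approval creates, and shows the revocation step, `approve(spender, 0)`, that removes it:

```python
"""Model of ERC-20 allowances and the exposure a lingering router approval creates.

Added example, not Unibot's or Maestro's code. Token names, balances and the
router addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1  # the "unlimited" approval many dApps request


@dataclass
class ERC20:
    """Minimal ERC-20 ledger: balances plus owner -> spender -> allowance."""
    name: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner, spender, amount):
        # approve() overwrites; approving 0 is the standard way to revoke.
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner, spender):
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer_from(self, spender, owner, to, amount):
        """The call a router (or whoever controls it) makes to move a user's tokens.
        No signature from `owner` is needed: the earlier approve() is the authorisation."""
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # unlimited approvals are never decremented
            self.allowances.setdefault(owner, {})[spender] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens a spender could pull right now: capped by both allowance and balance."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def audit_allowances(tokens, owner, trusted_spenders=()):
    """Report every (token, spender) pair with non-zero exposure.
    Spenders outside `trusted_spenders` (e.g. a retired router) are marked for revocation."""
    report = []
    for token in tokens:
        for spender in token.allowances.get(owner, {}):
            at_risk = exposure(token, owner, spender)
            if at_risk:
                report.append({
                    "token": token.name,
                    "spender": spender,
                    "at_risk": at_risk,
                    "unlimited": token.allowance(owner, spender) == UINT256_MAX,
                    "revoke": spender not in trusted_spenders,
                })
    return report


def revoke_flagged(tokens, owner, report):
    """Apply the audit: approve(spender, 0) for every flagged pair."""
    by_name = {t.name: t for t in tokens}
    for entry in report:
        if entry["revoke"]:
            by_name[entry["token"]].approve(owner, entry["spender"], 0)


def demo():
    # Constructed scenario: a user gave an old router unlimited approval for JOE
    # and BCAT, then the project migrated to a new router. The old approval stands.
    user, old_router, new_router, sink = "0xUSER", "0xOLD_ROUTER", "0xNEW_ROUTER", "0xSINK"
    joe = ERC20("JOE", {user: 1_000 * 10**18})
    bcat = ERC20("BCAT", {user: 5_000 * 10**18})
    for t in (joe, bcat):
        t.approve(user, old_router, UINT256_MAX)
        t.approve(user, new_router, 100 * 10**18)

    before = audit_allowances((joe, bcat), user, trusted_spenders={new_router})
    # A compromised old router can move the entire exposed JOE balance in one call.
    joe.transfer_from(old_router, user, sink, exposure(joe, user, old_router))
    # Defender response: audit again and revoke every approval to untrusted spenders.
    revoke_flagged((joe, bcat), user, audit_allowances((joe, bcat), user, {new_router}))
    after = audit_allowances((joe, bcat), user, trusted_spenders={new_router})
    return before, after, joe.balances[user], bcat.balances[user]


if __name__ == "__main__":
    before, after, _, _ = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The audit reports exposure as `min(allowance, balance)`: an unlimited approval to a router that no longer needs it is a standing liability equal to the user's whole balance of that token, and the only thing that closes it is an explicit zero approval.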
Onyx Protocol
Amount of Loss: ~ $2.1M
Analysis
On October 27, Onyx Protocol, a decentralized P2P lending platform, suffered a security breach, resulting in a loss of around $2.1 million due to an exploit in a low-liquidity market.
The incident underscores concerns about vulnerabilities in decentralized finance (DeFi) platforms, especially in markets with low liquidity.
The attacker targeted a known bug related to a rounding issue in the CompoundV2 fork, a widely used framework in the DeFi sector. This bug went unnoticed by Onyx Protocol until it was identified by blockchain investigator PeckShield.
The attacker exploited the oPEPE market, which lacked liquidity: by making donations to manipulate that market, the attacker borrowed funds from more liquid markets and redeemed them through the rounding issue.
A similar attack occurred on April 16 against the multichain lending protocol Hundred Finance, resulting in a $7 million loss. In this case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS to withdraw more tokens than initially deposited.
These incidents highlight the need for stronger proficiency in tracking cryptocurrency flows (transaction tracing, address clustering, behavioral analysis and pattern recognition), together with regulatory vigilance and cross-platform collaboration, to mitigate risks to the security and integrity of DeFi platforms.
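The Onyx and Hundred Finance cases both rest on the same piece of CompoundV2 arithmetic: the cToken exchange rate is `(cash + borrows - reserves) * 1e18 / totalSupply`, and both `mint` and `redeemUnderlying` divide by it with integer truncation. In a market whose supply has been reduced to a few wei, donated cash inflates that rate so far that a large withdrawal rounds down to zero cTokens burned. The added example below (not Onyx's or Compound's code; the market figures and the 100x alert threshold are constructed assumptions) models that integer math, shows the rounding loss a hollowed-out market permits, and includes two mitigations a fork can apply: a guard that refuses a redemption burning zero shares, and seeding each market with locked "dead shares" in the style of Uniswap V2's MINIMUM_LIQUIDITY so that totalSupply can never be shrunk to a few wei.

```python
"""Integer-math model of the CompoundV2 cToken exchange rate and the rounding
loss an almost-empty market allows.

Added example for the Onyx / Hundred Finance discussion; it is not Onyx's or
Compound's code. Formulas follow CompoundV2's CToken (exchangeRateStored,
mint, redeemUnderlying); market figures and the alert threshold are constructed.
"""
MANTISSA = 10**18
# CompoundV2 default for an 18-decimal underlying and an 8-decimal cToken:
# 1 underlying mints 50 cTokens while totalSupply == 0.
INITIAL_RATE = 2 * 10**26


def exchange_rate(cash, borrows, reserves, total_supply):
    """exchangeRateStored: (cash + borrows - reserves) * 1e18 / totalSupply."""
    if total_supply == 0:
        return INITIAL_RATE
    return (cash + borrows - reserves) * MANTISSA // total_supply


def mint_tokens(underlying_in, rate):
    """cTokens minted for a deposit: underlying * 1e18 / rate, truncated."""
    return underlying_in * MANTISSA // rate


def redeem_tokens_for(underlying_out, rate):
    """cTokens burned by redeemUnderlying(underlying_out), also truncated.
    When the rate is huge, a large withdrawal can cost 0 cTokens."""
    return underlying_out * MANTISSA // rate


def max_free_redeem(rate):
    """Largest underlying amount whose redemption rounds to 0 cTokens burned."""
    return (rate - 1) // MANTISSA


def is_market_inflated(rate, threshold=100):
    """Monitoring check: flag a market whose rate is far above the initial rate.
    Interest moves the rate slowly; a 100x jump (constructed threshold) means the
    supply has been shrunk to a few wei and cash has been donated in."""
    return rate >= threshold * INITIAL_RATE


def safe_redeem_tokens_for(underlying_out, rate):
    """Guarded variant: refuse a withdrawal that would burn zero shares."""
    tokens = redeem_tokens_for(underlying_out, rate)
    if underlying_out > 0 and tokens == 0:
        raise ValueError("redeem would burn 0 cTokens: rounding loss")
    return tokens


def seed_market(seed_underlying):
    """Mitigation: seed the market with locked dead shares (Uniswap V2's
    MINIMUM_LIQUIDITY idea). Returns the cTokens that stay locked forever, so
    totalSupply can no longer be reduced to a few wei by redeeming."""
    return mint_tokens(seed_underlying, INITIAL_RATE)


def compare_markets(cash=1_000 * 10**18):
    """Same cash (constructed: 1,000 tokens) in a properly supplied market versus
    one whose supply was drained to 2 wei cTokens before the cash was donated."""
    healthy = exchange_rate(cash, 0, 0, mint_tokens(cash, INITIAL_RATE))
    hollowed = exchange_rate(cash, 0, 0, 2)
    return {
        "healthy_rate": healthy,
        "healthy_max_free_wei": max_free_redeem(healthy),
        "hollowed_rate": hollowed,
        "hollowed_max_free_wei": max_free_redeem(hollowed),
        "hollowed_flagged": is_market_inflated(hollowed),
    }


if __name__ == "__main__":
    for k, v in compare_markets().items():
        print(f"{k:>22}: {v}")
```

With 1,000 tokens of cash, the properly supplied market lets at most 0.0000000002 tokens slip through rounding, while the market drained to 2 wei of supply lets almost 500 tokens be withdrawn without burning a single cToken; the same rate check that separates the two is what an off-chain monitor can watch for.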
Fantom Foundation
Amount of Loss: ~ $7M
Analysis
The Fantom Foundation, developer of the Fantom network, was hacked for over $550,000 in cryptocurrency, initially reported as $7 million by blockchain security researchers.
The foundation clarified that most of the stolen funds belonged to other users, and 99% of their own funds were secure. Some wallets mislabeled by block explorers were initially thought to belong to the foundation but were later reassigned to an employee and no longer held company funds.
The attack is under investigation to determine how the wallets were compromised.
The Fantom network, an Ethereum Virtual Machine-compatible smart contract platform, has over $45 million in assets locked within its contracts.
The attack targeted the foundation and other Fantom wallet users, rather than the Fantom network itself.
Astrid Finance
Amount of Loss: ~ $228k
Analysis
Astrid Finance, an Ethereum-based liquid staking protocol, was exploited on October 28, resulting in the theft of $227,000 in cryptocurrency.
The Astrid team managed to convince the hacker to return 80% of the stolen funds by sending an on-chain message on October 29. The hacker agreed to keep 20% as a bounty and returned the rest.
Initially, the Astrid team threatened legal action if the funds weren't returned by October 31 at 8:00 am UTC, but the hacker complied ahead of the deadline.
Astrid has processed all refunds and plans to transfer the remaining funds to a multisignature wallet for future use in auditing and developing their smart contracts.
The company will focus on redeveloping its smart contracts and getting them audited by multiple top audit firms before any future Mainnet launch, while the current contract remains paused.
LastPass
Amount of Loss: ~ $4.4M
Analysis
Hackers stole approximately $4.4 million in cryptocurrency from at least 25 LastPass users on October 25, as reported by blockchain analyst ZachXBT.
LastPass is a platform that stores and encrypts user password information, and its cloud-based storage service was previously breached in a cyberattack targeting an employee's credentials.
ZachXBT and MetaMask developer Taylor Monahan identified around 80 compromised crypto wallets linked to the hack.
The stolen funds encompass various cryptocurrencies, including Bitcoin, Ethereum, BNB, Arbitrum, Solana, and Polygon, based on a list published by Monahan.
Users were advised to immediately migrate their crypto assets if they had ever stored their seed phrase or keys in LastPass, as cryptocurrency wallets are frequently targeted by hackers due to the potential access to private keys, enabling full control over funds.
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Tweets
GitHub Repos
Articles
A deep dive into the main components of ERC-4337: Account Abstraction Using Alt Mempool — Part 2
Per Aspera ad Astra: How to become a smart contract auditor & bugbounty-hunter
Web3 Community Spotlight🔦
Note - all the respective links have been embedded in the image
This time we analyzed how reentrancy works with a high severity finding
According to Binance research, as of August 2023, Telegram trading bots have been orchestrating transactions worth a staggering $283M. It’s
As the Asian web3 market garners attention, piercing through the blockchain industry’s elite 1% might seem formidable, particularly amidst the
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.