In brief⚡
Aave V2 on Polygon faced a compatibility issue.
CoinDeal lost ~$45M to a scam.
Swap-LP lost ~$1M due to a contract vulnerability.
Hackers made a profit of ~$2.17M from Tornado Cash in a governance attack.
A reward calculation flaw cost LunaFi ~$35K.
Fintoch investors lost ~$31.6M in a scam.
RDP downgrade exploit discovered in Trezor.
Hacks and Scams⚠️
Aave
Analysis
Approximately 110 million USD in WETH, USDT, WBTC, and WMATIC in Aave V2 on Polygon cannot be withdrawn, borrowed, or repaid.
The interest rate strategy contract is only compatible with Ethereum and not Polygon.
Aave has submitted a patch to address this issue, which will be implemented once the governance vote passes. Funds are not at risk, but unfreezing will take at least a week.
CoinDeal
Amount of Loss: ~ $45M
Analysis
According to the US Department of Justice, a Nevada man has been charged with his alleged involvement in CoinDeal.
This investment fraud scheme defrauded over 10,000 victims of over $45 million. According to court documents, Lee allegedly conspired with Neil Chandran and others to defraud investors in companies controlled by Chandran.
These companies, known as "ViRSE," include Free Vi Lab, Studio Vi Inc., ViDelivery Inc., ViMarket Inc., and Skalex USA Inc.
These companies work on virtual world technology, including their cryptocurrency, for use in virtual worlds.
Chandran is accused of deceiving investors by falsely promising extremely high returns under the guise that his company was about to be acquired by a syndicate of wealthy buyers.
According to the allegations, Lee was the nominal owner and director of ViMarket and was directed by Chandran to deposit investor funds into ViMarket's bank accounts.
Swap-LP
Amount of Loss: ~ $1M
Analysis
The Swap-LP project on BSC was attacked.
The attacker’s address is 0xdEAd40082286F7e57a56D6e5EFE242b9AC83B137, and the cumulative profit was 609 ETH, about 1 million US dollars.
Tornado Cash
Amount of Loss: ~ $2.17M
Analysis
Tornado Cash was hit by a governance attack at 15:25 on May 20. Through a malicious proposal, the attacker obtained 1.2 million votes, exceeding the number of legitimate votes (approximately 700,000) and gaining full governance control.
An attacker could withdraw all locked votes and drain all tokens in the governance contract, effectively disabling routers. However, they would still be unable to drain individual pools.
Tornado Cash governance attackers obtained 483,000 TORN in total from governance vaults.
On 2023-05-13 at 7:22 (UTC), the exploiters launched proposal #20, describing it as a supplement to proposal #16 that uses the same execution logic.
However, the proposal contract contains additional self-destruct logic. Its creator contract, 0x7dC86183274b28E9f1a100a0152DAc975361353d, was itself deployed with CREATE2 and has a self-destruct function, so after it self-destructed together with the proposal contract, the exploiters could deploy different bytecode to the same address as before.
LunaFi
Amount of Loss: ~ $35K
Analysis
LunaFi, a project in the Polygon ecosystem, was attacked.
The attacker obtained initial funds from TornadoCash on BSC.
The root cause was a reward calculation flaw and many other contract issues.
Fintoch
Amount of Loss: ~ $31.6M
Analysis
Fintoch, a blockchain financial platform, is suspected of running a Ponzi scheme.
It defrauded BNB Chain users of 31.6 million USDT, and the funds were transferred to multiple addresses on Tron and Ethereum. Users reported being unable to withdraw funds.
Fintoch advertises itself as a Morgan Stanley-built blockchain financial platform where users can earn a daily 1% return on investment.
The Fintoch website's team page names "Bobby Lambert" as its CEO, but no such person exists; the man shown is a paid actor.
The Singapore government and Morgan Stanley had previously warned about the investment plan.
Trezor
Analysis
According to The Block, cybersecurity firm Unciphered claims it was able to breach hardware-encrypted Trezor T wallets.
Unciphered demonstrated exploiting the wallet vulnerability to extract the private mnemonic key from the wallet in a YouTube demo, claiming that the attack is only possible if the attacker has physical access to the hardware wallet.
"This appears to be a vulnerability called an RDP downgrade attack, which requires extremely sophisticated technical knowledge and advanced equipment," Trezor CTO Tomáš Sušánka responded. "Even under these conditions, Trezor can pass a powerful pass, rendering RDP downgrade attacks ineffective."
Trezor also stated that they had collaborated with their sister company Tropic Square to create a new secure element for hardware wallets to address future issues.
Explore the Depths of Knowledge: Research Papers & Blogs🔖
The Ultimate Guide to Smart Contract Audit Pricing
Smart Contracts are today's Web3 ecosystem enablers. When it comes to implementing complex functionalities over a blockchain, they are unrivalled. They are the ones around whom the entire decentralised world revolves. They are wonderful, without a doubt, but are they secure?
Decoding Swaprum Finance $3 Million Rug Pull
On May 18, 2023, the deployer of Swaprum Finance, a decentralised finance platform built on the Arbitrum blockchain, carried out an exit scam (Rug Pull) and stole approximately $3 million in user funds. Following the fraud, they immediately deleted both their website and all of their social media profiles.
Web3 Community Spotlight🔦
The owner has given you one LP. You collect commission from your LP at the end of the test. However, it is too small for you. Increase the amount of commission you can earn.