In brief⚡
😱 Pawnfi's Treasure Trove Vanished, ~$630K Stolen in Daring Hack Heist!
😵 Midas Capital Turns to Stone, ~$600K Lost in Contract Vulnerability Catastrophe!
🙈 VPANDA DAO's Bearish Bite, ~$265K Swiped in Epic Rug Pull Scandal!
⚠️ ARA's Flash Loan Nightmare! ~$124K Vanished in Lightning-Fast Attack!
💣 ASTARIA's Astronomical Anomaly, Beacons Manipulated, Malicious Mayhem Ensues!
🎢 Hackers' IPO Joyride, ~$102K Swindled in Daring Rug Pull Scam.
Hacks and Scams⚠️
Pawnfi
Amount of Loss: ~ $630K
Analysis
A notorious hack involving $APE (ApeCoin) and APE Staking has sent shockwaves through the community. The attacker walked away with roughly $630K, at the expense of the protocol's unsuspecting users.
The protocol's fatal flaw: when a user borrowed against an NFT as collateral, the contract never verified that the NFT had actually been transferred in.
Here's how the attacker seized the opportunity. They borrowed APE tokens against an NFT already sitting in the APE Staking Pool; the borrowed tokens were transferred to, and held within, the project contract.
The attacker then called depositAndBorrowApeAndStake() a second time. That made the contract stake the APE tokens it was already holding into the APE Staking Pool, and the contract credited that newly staked balance to the attacker, even though the attacker had brought nothing new in. With the stage set, the attacker called withdrawApeCoin() and walked off with the APE tokens as profit.
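The accounting mistake described above, as an added Python model written for this digest (it is not Pawnfi's code; the vault, token and function names are assumptions, and the NFT side of the loan is left out so the model looks only at the APE accounting the write-up describes): a staking vault that credits whatever balance it holds at the moment of a deposit call to the caller, beside a version that credits only the balance delta the caller's own transfer produced.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Toy ERC-20 with the two calls the vault needs (constructed for this example)."""
    balances: dict = field(default_factory=dict)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount


@dataclass
class StakingVault:
    """Pools users' tokens into one staking position and tracks each user's share.

    credit_by_balance=True reproduces the flawed accounting: whatever the vault
    holds when deposit_and_stake() runs is attributed to the caller. False
    credits only the balance delta produced by the caller's own transfer.
    (Hypothetical design, not Pawnfi's contract.)
    """
    token: Token
    credit_by_balance: bool
    name: str = "vault"
    staked: dict = field(default_factory=dict)   # user -> tokens staked for that user
    escrow: dict = field(default_factory=dict)   # user -> borrowed tokens parked in the vault

    def borrow(self, user: str, amount: int, lender: str) -> None:
        """Lender's tokens move into the vault and are earmarked for user's loan."""
        self.token.transfer(lender, self.name, amount)
        self.escrow[user] = self.escrow.get(user, 0) + amount

    def deposit_and_stake(self, user: str, amount: int) -> int:
        before = self.token.balance_of(self.name)
        self.token.transfer(user, self.name, amount)
        after = self.token.balance_of(self.name)
        # vulnerable: stake and credit the whole balance, escrowed loan proceeds included
        # hardened:   credit only what this call actually brought in
        credited = after if self.credit_by_balance else after - before
        self.staked[user] = self.staked.get(user, 0) + credited
        return credited

    def withdraw(self, user: str) -> int:
        amount = self.staked.pop(user, 0)
        self.token.transfer(self.name, user, amount)
        return amount


def run_scenario(credit_by_balance: bool) -> dict:
    """Constructed replay: 1,000 tokens lent into the vault, then a zero-value deposit call."""
    tok = Token({"pool": 1_000, "attacker": 0})
    vault = StakingVault(tok, credit_by_balance)
    vault.borrow("attacker", 1_000, lender="pool")      # loan proceeds now held by the vault
    credited = vault.deposit_and_stake("attacker", 0)  # attacker transfers nothing in
    withdrawn = vault.withdraw("attacker")
    return {"credited": credited, "withdrawn": withdrawn,
            "vault_balance": tok.balance_of(vault.name)}
```

With the flawed accounting the zero-value call is credited with the 1,000 escrowed tokens and the withdrawal empties the vault; with delta-based accounting the same call is credited with 0. The general rule: never attribute a contract's pooled balance to msg.sender; measure what each call actually transferred in.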
Midas Capital
Amount of Loss: ~ $600K
Analysis
Midas Capital, a cross-chain lending protocol, has fallen victim to a hacking incident that drained roughly $600,000.
The root cause is a rounding issue in Midas Capital's lending contract.
The contract is a fork of the Compound Finance v2 codebase, and the flaw is the same one exploited in the infamous Hundred Finance attack.
Once the exploit landed, the Midas Capital exploiter moved 510 $BNB to Tornado Cash, which complicates recovery and tracing, though the on-chain trail of the attack itself remains.
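The rounding issue is the one documented for the Hundred Finance attack: in a Compound v2 fork, an empty market lets an attacker mint a dust-sized cToken supply, donate underlying straight to the market contract to inflate the exchange rate, borrow against the now-valuable cTokens, and then call redeemUnderlying for an amount just under the value of two cTokens. The truncating division burns only one cToken, while the comptroller's liquidity check prices the account by cTokens remaining, so the withdrawal passes and the market is drained. The following is an added Python model written for this section, not Midas Capital's or Compound's code; the market parameters, the 1:1 pricing of the borrowed asset, and the omission of reserves and market-level borrows are assumptions.

```python
from dataclasses import dataclass, field

MANTISSA = 10**18                 # Compound v2 fixed-point scale
ETHER = 10**18                    # underlying has 18 decimals in this model
COLLATERAL_FACTOR = 75 * 10**16   # 0.75, an assumed comptroller setting


def div_down(a: int, b: int) -> int:
    return a // b                 # Solidity-style truncating division


def div_up(a: int, b: int) -> int:
    return -(-a // b)             # ceiling division


@dataclass
class Market:
    """Compound-v2 style cToken market in Solidity-like integer math.

    Assumptions: market borrows and reserves are omitted, so exchangeRate =
    cash * 1e18 / totalSupply; the attacker's borrow of some other asset is a
    per-user debt counter priced 1:1 with this market's underlying.
    """
    cash: int = 0
    total_supply: int = 0
    balances: dict = field(default_factory=dict)
    debt: dict = field(default_factory=dict)
    round_redeem_up: bool = False  # False reproduces the vulnerable truncation

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return 2 * 10**16     # initialExchangeRateMantissa of 0.02 (assumed)
        return self.cash * MANTISSA // self.total_supply

    def mint(self, user: str, amount: int) -> int:
        tokens = div_down(amount * MANTISSA, self.exchange_rate())
        self.cash += amount
        self.total_supply += tokens
        self.balances[user] = self.balances.get(user, 0) + tokens
        return tokens

    def donate(self, amount: int) -> None:
        """Plain ERC-20 transfer into the market: raises cash without minting cTokens."""
        self.cash += amount

    def _liquid_after(self, user: str, tokens_burned: int) -> bool:
        """Comptroller check: values the account by cTokens remaining * exchange rate."""
        remaining = self.balances.get(user, 0) - tokens_burned
        collateral = div_down(remaining * self.exchange_rate(), MANTISSA)
        return div_down(collateral * COLLATERAL_FACTOR, MANTISSA) >= self.debt.get(user, 0)

    def borrow(self, user: str, amount: int) -> None:
        self.debt[user] = self.debt.get(user, 0) + amount
        if not self._liquid_after(user, 0):
            self.debt[user] -= amount
            raise ValueError("insufficient liquidity")

    def _burn(self, user: str, tokens: int, amount: int) -> None:
        if tokens > self.balances.get(user, 0) or amount > self.cash:
            raise ValueError("insufficient cTokens or cash")
        if not self._liquid_after(user, tokens):
            raise ValueError("redeem would leave the account undercollateralised")
        self.balances[user] -= tokens
        self.total_supply -= tokens
        self.cash -= amount

    def redeem_tokens(self, user: str, tokens: int) -> int:
        """redeem(redeemTokens): underlying out = tokens * rate, truncated."""
        amount = div_down(tokens * self.exchange_rate(), MANTISSA)
        self._burn(user, tokens, amount)
        return amount

    def redeem_underlying(self, user: str, amount: int) -> int:
        """redeemUnderlying(redeemAmount): cTokens burned = amount / rate."""
        rate = self.exchange_rate()
        tokens = div_up(amount * MANTISSA, rate) if self.round_redeem_up else div_down(amount * MANTISSA, rate)
        self._burn(user, tokens, amount)
        return tokens


def run_attack(round_up: bool) -> dict:
    """Empty-market inflation followed by a truncating redeemUnderlying (constructed numbers)."""
    m, atk = Market(round_redeem_up=round_up), "attacker"
    loan = 501 * ETHER                              # flash-loaned underlying
    tokens = m.mint(atk, ETHER)                     # 5e19 cTokens at the initial rate
    back = m.redeem_tokens(atk, tokens - 2)         # leave a 2-wei cToken supply
    m.donate(500 * ETHER)                           # rate jumps to ~250 ETH per cToken wei
    m.borrow(atk, 187 * ETHER)                      # fits under 1 token * 250 ETH * 0.75
    try:
        burned = m.redeem_underlying(atk, 500 * ETHER)  # worth ~2 tokens; truncation burns 1
        redeemed = 500 * ETHER
    except ValueError:
        burned, redeemed = 0, 0                     # hardened path: ceil burns 2, check fails
    profit = back + redeemed + 187 * ETHER - ETHER - 500 * ETHER   # wallet minus the loan
    return {
        "tokens_burned": burned,
        "attacker_profit_wei": profit,
        "market_cash_wei": m.cash,
        "collateral_left_wei": div_down(m.balances[atk] * m.exchange_rate(), MANTISSA),
        "debt_wei": m.debt[atk],
    }
```

With truncation the attacker nets 187 ETH minus one wei, leaves 1 wei of cash in the market and a 187 ETH debt backed by 1 wei of collateral. Rounding redeemUnderlying up against the redeemer is one standard mitigation; the other is seeding every new market with non-withdrawable liquidity so totalSupply can never be dust, because the donation step only works when a handful of cToken wei represent the whole market.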
VPANDA DAO
Amount of Loss: ~ $265K
Analysis
VPANDA DAO, a project on the BNB Chain, has fallen victim to a Rug Pull that cost holders approximately $265K.
Let's dive deeper into the story: the creator of the $VPC contract kicked the project off 416 days earlier by minting 21,000,000 tokens to an address beginning 0xa9f2c4.
On June 19, 2023, that 0xa9f2c4 address sold all 21,000,000 tokens for roughly $265K.
Ara
Amount of Loss: ~ $124K
Analysis
The Ara project has fallen victim to a flash loan attack that netted the attackers approximately $124,000 in BUSD, another blow to confidence in the ecosystem's security.
Let's delve into the details: the attackers, suspected to be operating from the address 0xF84efA8a9F7E68855CF17EAaC9c2f97A9d131366, exploited a bug in the contract's handling of permissions, which opened the way to the profit below.
The exploit unfolded as follows:
1️⃣ Flashloan Madness: The attackers took a flash loan of 1,202,701 USDT.
2️⃣ Crafty Swaps: They called the swap contract, swapping 163,497 ARA tokens for 123,246 USDT.
3️⃣ Price Pumping: With the flash-loaned 1,202,701 USDT, they bought 504,469 ARA tokens, driving up the price of $ARA.
4️⃣ Takeover Maneuver: With $ARA inflated, they called the swap contract again, swapping 132,123 USDT for 12,179 ARA, which let an approved address take over $ARA at the inflated price.
5️⃣ Final Swipe: They closed the loop by swapping the 504,469 ARA tokens back into 1,327,617 USDT, locking in the gain before repaying the flash loan.
Astaria
Analysis
Astaria, the NFT lending platform, recently hit a grave security concern that put the organization on high alert. At approximately 12:42 BST on June 20, a flaw was detected in the execution of BeaconProxy.sol that allowed an attacker to manipulate the beacon's behaviour.
That manipulation opened a malicious execution path through which the attacker could invoke self-destruct.
Astaria swiftly acted to safeguard all funds and NFTs held within the platform.
To preserve the platform's integrity, Astaria entered a suspended state, temporarily halting new loan initiations. This precautionary measure aims to shield all assets within the protocol.
Astaria then executed a comprehensive white-hat recovery script, a strong showing under pressure.
The script rescued all ERC20 and ERC721 assets belonging to liquidity providers (LPs) and borrowers.
The recovery involved extracting the funds and NFTs and transferring them to Astaria's multi-signature addresses, using updated contract implementations and purpose-built recovery code.
IPO
Amount of Loss: ~ $102K
Analysis
IPO, a highly anticipated project (Twitter handle IPO_web3), is embroiled in a suspected Rug Pull, with losses estimated at approximately $102K.
The project's native token has plummeted by 32%, leaving investors grappling with sharply eroded holdings.
Attention is now focused on the stolen funds, which have been traced to addresses beginning with 0x35fe; those addresses hold the proceeds.
Explore the Depths of Knowledge: Research Papers & Blogs🔖
The Anatomy of a DeFi Rug Pull: How to Protect Yourself as an Investor
According to a report, 1,548 scam tokens were deployed between September and December 2020, 83,368 were deployed across the web3 community in 2021, and 117,629 were deployed in 2022. As Web3 development progresses, scams and hacks grow with it. A Rug Pull is a decentralised finance (DeFi) scam in which the developers or project team of a DeFi protocol intentionally abandon the project after raising funds and walk away with the investments, leaving investors with significant losses.