In brief ⚡
Events Under the Spotlight💥
🤯Hackers exploited $BRA on BSC for ~820 $WBNB ($225K)
The attack exploited a logic flaw in the BRA token contract: its transfer logic routes a reward (the tax fee) to the PancakeSwap pair whenever the sender or the receiver is the pair.
The root cause is that this fee is credited to the pair twice, and the contract never calls the pair's sync() afterwards, so the pair's real BRA balance drifts above its recorded reserves.
The attacker repeatedly called the pair's skim() function, which pays out the difference between balance and reserves to the caller; each skim transfer from the pair triggers the doubled fee credit again, leaving fresh excess in the pair to skim. Finally, the attacker swapped the proceeds to WBNB.
Initial funding came from @FixedFloat. The profit was eventually transferred to 0xe2ba15be8c6fb0d7c1f7bea9106eb8232248fb8b.
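The accounting error behind the BRA drain, as an added toy replay (this is neither the BRA contract nor PancakeSwap's pair code). It keeps only the two Uniswap-V2 pair functions that matter, sync() and skim(), and a fee-on-transfer token with a switch for the flaw (fee credited to the pair twice) and a switch for the fix (pair.sync() after the fee is paid). The 10% fee rate, the starting balances and the 100,000-token deposit are assumed for illustration.

```python
"""Toy replay of the BRA-style accounting flaw.  Added example with assumed
numbers; it is neither the BRA contract nor PancakeSwap's pair code."""
from dataclasses import dataclass, field
from typing import Optional

FEE_BPS = 1_000   # assumed 10 % tax on transfers touching the pair (not BRA's real rate)
PAIR = "pair"     # stands in for the PancakeSwap pair address


@dataclass
class Pair:
    """The two Uniswap-V2-style pair functions that matter here."""
    token: "TaxedToken"
    reserve: int = 0

    def sync(self) -> None:
        self.reserve = self.token.balances[PAIR]            # reserve := real balance

    def skim(self, to: str) -> int:
        excess = self.token.balances[PAIR] - self.reserve   # whatever is not in reserves
        if excess > 0:
            self.token.transfer(PAIR, to, excess)           # paid to the caller, reserve untouched
        return excess


@dataclass
class TaxedToken:
    double_credit: bool     # True models the flaw: the fee is credited to the pair twice
    sync_after_fee: bool    # True models the fix: pair.sync() right after the fee is paid
    balances: dict = field(default_factory=dict)
    pair: Optional[Pair] = None

    def transfer(self, sender: str, to: str, amount: int) -> None:
        assert self.balances.get(sender, 0) >= amount, "insufficient balance"
        fee = amount * FEE_BPS // 10_000 if PAIR in (sender, to) else 0
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount - fee
        if fee:
            self.balances[PAIR] += fee          # the tax goes to the pair ...
            if self.double_credit:
                self.balances[PAIR] += fee      # ... flaw: and a second time, from nowhere
            if self.sync_after_fee:
                self.pair.sync()                # fix: reserves track the real balance

    def total_supply(self) -> int:
        return sum(self.balances.values())


def replay(double_credit: bool, sync_after_fee: bool,
           deposit: int = 100_000, max_skims: int = 50) -> dict:
    """Attacker sends `deposit` tokens straight to the pair, then calls skim()
    until nothing is left to skim.  Starting balances are assumed."""
    token = TaxedToken(double_credit, sync_after_fee,
                       {PAIR: 1_000_000, "attacker": deposit})
    pair = Pair(token)
    token.pair = pair
    pair.sync()
    supply0 = token.total_supply()
    token.transfer("attacker", PAIR, deposit)
    skims = 0
    while skims < max_skims and pair.skim("attacker") > 0:
        skims += 1
    return {"skims": skims,
            "attacker_net": token.balances["attacker"] - deposit,
            "minted": token.total_supply() - supply0}


if __name__ == "__main__":
    print("flawed token  :", replay(double_credit=True, sync_after_fee=False))
    print("single credit :", replay(double_credit=False, sync_after_fee=False))
    print("credit + sync :", replay(double_credit=False, sync_after_fee=True))
```

The three runs isolate the root cause: with the doubled credit the attacker ends up holding more tokens than were deposited, and the gain equals exactly the amount the token minted from nothing; with a single credit the repeated skims are break-even, because the fee merely circulates between pair and caller; with the fee credited once and sync() called, tokens sent directly to the pair are absorbed into reserves and skim() has nothing to pay out. In a live pair the attacker would then swap the extracted tokens for WBNB, which is the step the summary ends with.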
RoeFinance lost ~80K USD to a price manipulation attack
The root cause is the pool's thin liquidity, which made its price oracle cheap to manipulate.
The attacker used two addresses (0x67a9 and 0x3afb). The attack took ten steps and netted roughly $80,000 (2.29 WBTC and 39,982 USDC).
The initial attack tx is https://etherscan.io/address/0x15d87dc2eb27fda26451f8fb04c576639104344d, which was front-run by a new bot.
Mycelium ETH/USDT pool suffered a loss of ~300K due to an arbitrage bot attack
Arbitrage bots hit the ETH/USDT pool on the Mycelium platform: a bot spotted an abnormally wide spread in the platform's ETH price and began draining liquidity in volume.
The price discrepancy is attributed to the Bitfinex API, which broadcast a highly volatile ETH/USDT price at around 02:45 AM AEST.
At the same time, Binance had blocked the US-associated IP address used by Mycelium's asset-management tool, so the system could not rebalance the price through its own independent feed.
UF DAO lost ~90K due to a contract vulnerability
UF DAO, a DAO on xdaoapp, was hacked; the exploiter took $90,000 in USDC.
The root cause was a contract vulnerability arising from incorrectly set parameters.
The attacker bought into UF DAO's public offer with USDC at a fixed 1:1 price and then redeemed almost all of the DAO's holdings. The attack took four steps.
Step 1. Swap 0.4 $BNB for 111.62 $USDC.
Step 2. Buy into the public offer with all 111.62 $USDC, receiving 111.62 $UFT (the UF DAO LP token), i.e. 94.25% of total shares.
Step 3. Burn those $UFT tokens to redeem $USDC from UF DAO pro rata to the 94.5% share.
Step 4. Repeat steps 2 and 3 twice more to drain the remaining USDC from UF DAO.
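Steps 2 to 4 above as an added toy model of the mispriced share offer (this is not xdaoapp's or UF DAO's code). The flaw it reproduces is the one the steps imply: the public offer mints shares at a fixed 1 share per USDC while redemption pays out pro rata from the pool's actual USDC, so a buyer of 94% of the shares redeems 94% of the pool. The pool's starting balance of 90,000 USDC and its 6.81 pre-existing shares are assumed, chosen so that a 111.62 USDC purchase is about 94.25% of the shares as the write-up states; the hardened variant prices the offer at net asset value per share instead.

```python
"""Toy model of the UF DAO drain: shares sold at a fixed 1:1 price, redeemed
at pro-rata value.  Added example; not xdaoapp or UF DAO code.  The pool's
starting USDC balance and share count are assumed."""
from fractions import Fraction


class SharePool:
    def __init__(self, usdc: Fraction, shares: Fraction, price_at_nav: bool):
        self.usdc = usdc                    # USDC actually held by the DAO
        self.total_shares = shares          # UFT-style share tokens outstanding
        self.price_at_nav = price_at_nav    # False reproduces the mis-set 1:1 offer
        self.holdings = {}

    def nav_per_share(self) -> Fraction:
        return self.usdc / self.total_shares

    def buy_offer(self, who: str, usdc_in: Fraction) -> Fraction:
        # Flaw: the public offer mints 1 share per USDC no matter what a share is worth.
        minted = usdc_in / self.nav_per_share() if self.price_at_nav else usdc_in
        self.usdc += usdc_in
        self.total_shares += minted
        self.holdings[who] = self.holdings.get(who, Fraction(0)) + minted
        return minted

    def redeem(self, who: str, shares: Fraction) -> Fraction:
        # Redemption is correct on its own: burn shares, take the matching slice of the pool.
        assert self.holdings.get(who, 0) >= shares, "not enough shares"
        payout = self.usdc * shares / self.total_shares
        self.usdc -= payout
        self.total_shares -= shares
        self.holdings[who] -= shares
        return payout


def run_attack(price_at_nav: bool, pool_usdc: str = "90000", pre_shares: str = "6.81",
               deposit: str = "111.62", rounds: int = 3) -> dict:
    """Steps 2-4 of the write-up: buy the offer, redeem everything, repeat."""
    pool = SharePool(Fraction(pool_usdc), Fraction(pre_shares), price_at_nav)
    amount = Fraction(deposit)
    paid = received = Fraction(0)
    first_round_share = None
    for _ in range(rounds):
        minted = pool.buy_offer("attacker", amount)
        if first_round_share is None:
            first_round_share = minted / pool.total_shares   # ~94.25 % in the flawed pool
        paid += amount
        received += pool.redeem("attacker", minted)
    return {"profit": received - paid,
            "first_round_share": first_round_share,
            "left_in_pool": pool.usdc}


if __name__ == "__main__":
    for flag in (False, True):
        result = run_attack(price_at_nav=flag)
        print("offer priced at NAV:" if flag else "offer priced 1:1:   ",
              {k: float(v) for k, v in result.items()})
```

With the 1:1 offer, three buy-and-redeem rounds of 111.62 USDC each turn roughly 335 USDC into about 90,000 USDC and leave the pool with a few dozen USDC; with the offer priced at NAV per share every round returns exactly what was paid in, so the same sequence is harmless. The parameter to check in a share-issuing contract is therefore the offer price relative to the pool's current assets per share, not the redemption logic.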