In brief ⚡
DeFi platform Platypus suffered three flash loan attacks in 2023, losing a total of $2.23 million in assets. A previous attack in February depegged the Platypus USD stablecoin.
Stars Arena, a Web3 social media app, has secured funding to recover from a $3 million exploit on October 6. The platform aims to improve security before re-opening the smart contract after suffering a second hack in a week.
A notable exit scam involving the $LSC token on Binance Smart Chain has led to a 97% drop in its value, with the Exiter profiting around $1.11 million in BUSD and transferring the funds to a separate wallet.
BH Token suffered a $1.27 million loss due to a price manipulation attack on PancakeSwap that exploited a vulnerable smart contract. The attacker used a flash loan to create slippage in the BH/USDT trading pair and absconded with the funds.
Hacks and Scams⚠️
Platypus Defi
Amount of Loss: ~ $2M
Analysis
Platypus, a decentralized finance (DeFi) protocol, suffered three flash loan attacks, resulting in a total loss of $2.23 million in assets.
The first attack occurred on October 12, with $1.2 million in assets stolen. Shortly after, a second attack took place, resulting in the theft of $575,000 worth of assets. Within a minute, a third attack occurred, causing a loss of $450,000.
Platypus operates as an automated market maker (AMM) protocol, facilitating automated trading of digital assets through liquidity pools.
Flash loans enable traders to borrow cryptocurrency instantly without providing collateral; in a flash loan attack, that borrowed capital is used to exploit a vulnerability in a protocol.
These recent attacks mark the third wave of security breaches on Platypus in 2023, with a prior attack in February resulting in an $8.5 million loss and de-pegging of the Platypus USD (USP) stablecoin.
In response to the February attack, Platypus established a compensation portal for victims to determine their eligible compensation and voice concerns before funds distribution.
The protocol raised $3.3 million in a 2021 funding round led by Three Arrows Capital, which has since declared bankruptcy.
Stars Arena
Amount of Loss: ~ $2.9 M
Analysis
Stars Arena, a Web3 social media app, has successfully secured funding to cover a $3 million hole resulting from an exploit on October 6.
The team confirmed the hack and urged users not to deposit funds while investigating the security breach.
Blockchain security firms like SlowMist tracked the hacker's actions, revealing that they drained nearly $3 million worth of AVAX tokens from Stars Arena.
The hacker eventually transferred the stolen funds to the Fixed Float crypto exchange.
The Stars Arena team apologized for the exploit and reported a distributed denial of service (DDoS) attack on their website.
The team is focused on recovering users' funds and improving platform security before relaunching the smart contract, emphasizing the need for a watertight security system.
This marks the second exploit on Stars Arena within a week, and the project's re-opening date remains uncertain, although the team aims to do so "very soon."
Lucky Star
Amount of Loss: ~ $1.1 M
Analysis
An exit scam has been detected on the Binance Smart Chain involving the token $LSC.
The token $LSC has experienced a significant 97% drop in its value.
A user, identified as the "Exiter," sold tokens for a profit of approximately $1.11 million in BUSD.
The Exiter then transferred the funds to another wallet address, 0x23f8c8...acfFd896.
The Exiter received a total of 3 million $LSC from two contract addresses.
One of these contract addresses, 0xae3dA6...7dCf3f8D, is associated with the node fee for $LSC.
The other contract address, 0x409F8C...07D04123, is linked to the Deployer, and its token is also involved in the exit scam.
BH Token
Amount of Loss: ~ $1.2 M
Analysis
In October 2023, BH Token fell victim to a price manipulation exploit, resulting in an estimated loss of $1.27 million.
The attacker employed a classic price manipulation attack, utilizing a vulnerable smart contract that calculated token values on-chain.
The attack began with a flash loan, allowing the attacker to manipulate the perceived value of BH Token by unbalancing a trading pair on PancakeSwap.
The attacker initiated a swap of USDT for BH at a low price, creating slippage and extracting liquidity at a much higher price.
The attacker incurred approximately $4.16 in fees for their attack but successfully drained $1.27 million in USDT by exploiting the created slippage.
To avoid detection, the attacker transferred their profits to Tornado Cash, a privacy-focused platform.
To prevent price manipulation attacks, implementing off-chain price oracles like Chainlink or slippage protection mechanisms in smart contracts can be effective measures.
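The two mitigations named above, shown on a simplified constant-product pool. This is an added example, not BH Token's or PancakeSwap's code; the reserves, fee, tolerance and all function names are constructed, and the reference price stands in for an oracle reading.

```python
# Added illustration: constant-product (x*y=k) pool with integer math.
# Reserves, the 0.25% fee and the 2% tolerance are constructed values.
FEE_BPS = 25
MAX_DEVIATION_BPS = 200

class Pool:
    def __init__(self, usdt, token):
        self.usdt, self.token = usdt, token

    def spot_price(self):
        """USDT per token, scaled by 1e6, read straight from the reserves."""
        return self.usdt * 10**6 // self.token

    def quote(self, usdt_in):
        """Tokens received for usdt_in, fee taken on the input side."""
        net = usdt_in * (10_000 - FEE_BPS)
        return net * self.token // (self.usdt * 10_000 + net)

    def swap(self, usdt_in, min_out=0):
        """Execute the swap; min_out is the caller's slippage protection."""
        out = self.quote(usdt_in)
        if out < min_out:
            raise ValueError("slippage: output below min_out")
        self.usdt += usdt_in
        self.token -= out
        return out

def naive_value(pool, amount):
    """Weak pattern: values tokens at whatever the pool says right now."""
    return amount * pool.spot_price() // 10**6

def guarded_value(pool, amount, reference_price):
    """Hardened: refuse to price when spot strays from a reference feed."""
    gap_bps = abs(pool.spot_price() - reference_price) * 10_000 // reference_price
    if gap_bps > MAX_DEVIATION_BPS:
        raise ValueError(f"spot is {gap_bps} bps away from reference")
    return amount * reference_price // 10**6

def demo():
    pool = Pool(usdt=1_000_000, token=1_000_000)  # spot price 1.0
    reference = pool.spot_price()                 # stand-in for an oracle value
    before = naive_value(pool, 1_000)
    pool.swap(1_000_000)                          # one large swap skews reserves
    after = naive_value(pool, 1_000)
    try:
        guarded_value(pool, 1_000, reference)
        return before, after, False
    except ValueError:
        return before, after, True
```

`demo()` returns the naive valuation before and after the skewing swap and whether the guarded valuation refused to price; `swap(..., min_out=...)` shows the slippage check on the trade itself.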
Beluga Protocol
Amount of Loss: ~ $175k
Analysis
The Beluga protocol on the Arbitrum network was targeted in a recent attack.
Security firm PeckShield reported the incident, indicating multiple exploits.
Initial theft amounted to approximately 59 ETH.
The attacker deposited 0.1 ETH from the OKX exchange, raising concerns about fraudulent identity.
Total stolen funds increased to 113.3 ETH (about $175K) through ongoing exploitation.
The attacker transferred funds to the MEXC crypto exchange.
The attack caused a brief 0.75% price decline in the associated token, dropping from $0.002797 to $0.002776.
Wise Lending
Amount of Loss: ~ $260k
Analysis
Wise_Lending was attacked by an unknown attacker.
A white-hat hacker with the handle 'c0ffeebabe.eth' successfully front-ran the attack.
The attacker exploited two main issues to drain the Pool:
Manipulating the value of each share through the 'Donate' function.
Utilizing precision loss to reduce the 'withdrawShares' value to 0 and withdraw the donated WBTC.
These vulnerabilities allowed the attacker to siphon funds from the Wise_Lending Pool.
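The rounding problem described above, on a simplified share-accounting model. This is an added example, not Wise Lending's contract code; the class, its methods and the amounts are hypothetical. It compares rounding the burned shares down with a hardened path that rounds up and rejects zero-share withdrawals.

```python
# Added illustration: simplified pool share accounting with integer math.
# Names and amounts are constructed; this is not the protocol's own code.
class SharePool:
    def __init__(self, hardened):
        self.assets = 0       # underlying units held by the pool
        self.shares = 0       # total shares outstanding
        self.balance = {}     # shares per account
        self.hardened = hardened

    def deposit(self, who, amount):
        minted = amount if self.shares == 0 else amount * self.shares // self.assets
        if minted == 0:
            raise ValueError("deposit would mint zero shares")
        self.assets += amount
        self.shares += minted
        self.balance[who] = self.balance.get(who, 0) + minted
        return minted

    def donate(self, amount):
        self.assets += amount  # raises assets per share, mints nothing

    def withdraw(self, who, amount):
        num = amount * self.shares
        if self.hardened:
            burned = -(-num // self.assets)   # round up, in the pool's favour
            if burned == 0:
                raise ValueError("withdrawal would burn zero shares")
        else:
            burned = num // self.assets       # rounds down, can reach 0
        if burned > self.balance.get(who, 0):
            raise ValueError("insufficient shares")
        self.assets -= amount
        self.shares -= burned
        self.balance[who] -= burned
        return burned

def run(hardened):
    """Return (units withdrawn, shares still held) after five attempts."""
    pool = SharePool(hardened)
    pool.deposit("a", 1)      # one share outstanding
    pool.donate(10_000)       # that share now backs 10_001 units
    taken = 0
    try:
        for _ in range(5):
            pool.withdraw("a", 1_000)
            taken += 1_000
    except ValueError:
        pass
    return taken, pool.balance["a"]
```

With rounding down, assets leave the pool while the share balance never changes; with the hardened path the first withdrawal consumes the share and every later one is rejected.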
Web3 Community Spotlight🔦
Announcing Quill CTF Dubai
https://www.quillaudits.com/academy/ctf/dubai-blockchain-month
Register with your team with the link given below ⬇️
https://quillaudits.typeform.com/CTFRegister?typeform-source=t.co
Check out our new smart contract repository EVM Mastery Below
We had an AMA with the CEO of Pentestify, Lucas Martin Calderon