In brief⚡
Hackers profited ~$700K by exploiting a contract vulnerability in FilDA.
Double-spend vulnerability discovered in UniSat Marketplace
Kucoin lost ~$22.68K due to a Twitter hack
The rug pull cost Ordinals Finance ~$1 Million
~$1.82M lost as hackers swept away liquidity from Merlin.
Hacks and Scams⚠️
FilDA
Amount of Loss: ~ $700K
Analysis
FilDA, a multi-chain lending protocol, lost about 700K USD when its deployments on the Elastos Smart Chain (ESC) and REI Network were exploited.
Other FilDA deployments were not impacted. The attack vector has been isolated and the vulnerability identified.
Attack Process (Attack Transactions)
The attacker used deposit and borrow operations on abandoned asset pools with a zero balance, then completed the attack after liquidation:
https://esc.elastos.io/tx/0x2ef210f2a37d04eed44cd8368e77090a79e4005d880dbe3754b522a57c0b635d/token-transfers
UniSat Marketplace
Analysis
The recently launched UniSat Marketplace has suffered multiple double-spend attacks caused by a vulnerability in the UniSat code base.
UniSat had tested various double-spend attack techniques last week and made code improvements in response.
Unfortunately, some problems still surfaced in the initial public release.
UniSat's preliminary findings identify 70 of the 383 total transactions as affected.
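A double spend in a marketplace of this kind means two transactions that claim the same Bitcoin outpoint (txid:vout); at most one of them can ever confirm, so a marketplace that treats both as valid can be cheated. The following is an added illustration, not UniSat's code, of the conflict tracking a defender would want: pending transactions are checked against outpoints already claimed by other pending transactions or already spent on-chain, and a confirmed spend (including one the marketplace never saw) evicts every pending transaction that depended on the same outpoint. Transaction ids and outpoints are constructed placeholders.

```python
"""Conflict (double-spend) detection over a queue of pending Bitcoin-style
transactions. Constructed example; the marketplace model and all txids are
hypothetical and not taken from UniSat."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outpoint:
    """A reference to a specific output: the funding txid and its index."""
    txid: str
    vout: int


@dataclass(frozen=True)
class PendingTx:
    txid: str
    inputs: Tuple[Outpoint, ...]


class SpendTracker:
    def __init__(self) -> None:
        self.pending: Dict[str, PendingTx] = {}
        self.claimed: Dict[Outpoint, str] = {}  # outpoint -> txid of the first pending claimant
        self.spent: Dict[Outpoint, str] = {}    # outpoint -> txid that confirmed the spend

    def submit(self, tx: PendingTx) -> List[Tuple[Outpoint, str]]:
        """Register tx. Returns a list of (outpoint, conflicting txid); the tx is
        only accepted into the pending set when that list is empty."""
        if tx.txid in self.pending:
            return []  # idempotent resubmission of an already accepted tx
        conflicts: List[Tuple[Outpoint, str]] = []
        seen = set()
        for op in tx.inputs:
            if op in seen:
                conflicts.append((op, tx.txid))  # same input listed twice in one tx
            elif op in self.spent:
                conflicts.append((op, self.spent[op]))  # already spent on-chain
            elif op in self.claimed:
                conflicts.append((op, self.claimed[op]))  # claimed by another pending tx
            seen.add(op)
        if conflicts:
            return conflicts
        self.pending[tx.txid] = tx
        for op in tx.inputs:
            self.claimed[op] = tx.txid
        return []

    def confirm(self, tx: PendingTx) -> List[str]:
        """Record tx as mined, whether or not it was ever submitted to the
        marketplace, and evict pending txs that share any of its inputs.
        Returns the evicted txids."""
        evicted: List[str] = []
        for op in tx.inputs:
            self.spent[op] = tx.txid
            claimant = self.claimed.pop(op, None)
            if claimant is not None and claimant != tx.txid \
                    and claimant in self.pending and claimant not in evicted:
                evicted.append(claimant)
        for txid in evicted:
            # Release the other outpoints the evicted tx was holding.
            for op in self.pending[txid].inputs:
                if self.claimed.get(op) == txid:
                    del self.claimed[op]
            del self.pending[txid]
        self.pending.pop(tx.txid, None)
        return evicted


def demo():
    """Constructed scenario: two buyers target the same inscription UTXO, then the
    seller spends it elsewhere before either purchase confirms."""
    tracker = SpendTracker()
    inscription = Outpoint("a" * 64, 0)          # constructed inscription UTXO
    buy1 = PendingTx("buy1", (inscription, Outpoint("b" * 64, 1)))
    buy2 = PendingTx("buy2", (inscription, Outpoint("c" * 64, 0)))
    first = tracker.submit(buy1)                  # accepted: []
    second = tracker.submit(buy2)                 # rejected: conflicts with buy1
    # An out-of-band spend of the inscription confirms on-chain.
    evicted = tracker.confirm(PendingTx("sweep", (inscription,)))
    return first, second, evicted, sorted(tracker.pending)


if __name__ == "__main__":
    print(demo())
```

The design point is that a listing is only valid while the outpoint it spends is unspent; the marketplace must re-check that on every state change it observes from the chain, not just at submission time.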
Kucoin
Amount of Loss: ~ $22.68K
Analysis
The cryptocurrency exchange Kucoin reported that its official Twitter account was taken over for about 45 minutes, starting at 0:00 on April 24 (UTC+2).
The attacker posted fictitious activities from the account, which led to asset losses for numerous users. As of 2:00 (UTC+2) on April 24, twenty-two transactions totalling 22,628 USDT had been identified.
These transactions include ETH/BTC transactions linked to the fraudulent activity.
Kucoin has stated that all verified asset losses caused by the fake posts and the social media account compromise will be fully compensated.
Ordinals Finance
Amount of Loss: ~ $1 Million
Analysis
Ordinals Finance has been determined to be an exit scam, with losses of about $1 million.
The deployer withdrew OFI tokens from the OEBStaking contract, converted them to ETH, and sent the ETH to the EOA address (0x34e...25cCF).
From there, 550 ETH (about $1 million) was sent to Tornado Cash in this transaction.
The project's websites and social media pages have all been deleted.
Learn How to Protect Yourself from Rug Pull: https://blog.quillaudits.com/2021/10/13/can-smart-contract-audits-help-preempt-rug-pulls-in-the-defi-space/
Merlin
Amount of Loss: ~ $1.82 Million
Analysis
Merlin, a DEX in the zkSync ecosystem, was drained of its liquidity.
Hackers stole $1.82 million in funds and bridged them to Ethereum.
The stolen funds ($1,823,477) are held at 0x0b8a3ef6307049aa0ff215720ab1fc885007393d and 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7.
Explore the Depths of Knowledge: Research Papers & Blogs🔖
Emerging L1 Protocol Security Threats
Layer 1 protocols are the fundamental building blocks that make the Web3 ecosystem what it is today by enabling a secure, transparent and decentralised web. But Web3 is not completely safe: it carries risks too, and one way to mitigate them is an audit, in which security experts conduct deep assessments of the protocol's codebase, smart contracts, consensus mechanisms and algorithms.
Decoding BeatGenAI (BGN) Flash Loan Exploit
On 14 April, BeatGen AI on BNB Chain was attacked through a smart contract vulnerability, and around $14K was stolen in the exploit. BeatGen offers a music library, a creation tool, a community forum, and a marketplace for buying and selling music products. In addition, users can earn tokens by staking their NFTs, which opens up new possibilities for monetization and rewards.
Tune in to Engaging Twitter Spaces & Webinars! 🎙️
Demystify the Ethereum Shanghai Upgrade!
Web3 Community Spotlight🔦
New QuillCTF Voting Machine is live!