In brief⚡
Events Under the Spotlight💥
Ankr DeFi project exploited for approximately $7 million
The Ankr Protocol has become the latest victim of a DeFi exploit. The hacker has reportedly minted 10 trillion Ankr Reward Bearing Staked BNB (aBNBc).
The exploiter targeted the Ankr protocol's aBNBc smart contracts, draining the entire liquidity and moving funds to Tornado Cash. The root cause was an infinite minting bug.
Before the attack, the deployer changed the implementation contract to the vulnerable contract address (possibly due to a private key compromise).
After that, the attacker called the mintApprovedTo function. Decompiling the contract reveals no permission checks in mintApprovedTo, so anyone could mint tokens.
The Ankr exploiter transferred 900 BNB, worth approximately $253,000, into Tornado Cash. It also converted USDC and ETH to Ethereum, and the exploiter now possesses 5,500 (roughly $7 million) and 500,000 USDC.
The hacker now owns 20 trillion aBNBc, ranking him 13th among token holders. aBNBc is a staking reward token known as Ankr Reward Bearing Staked BNB.
SEAMAN exploited for ~$7.78K
The $SEAMAN and $GVC tokens are traded in separate trading pairs, which allows an attacker to use the transfer function to influence the price of one of the tokens.
On every call to its transfer function, the SEAMAN contract exchanges $SEAMAN for the LP token $GVC.
The hacker calls the transfer function with a minimum unit of $SEAMAN, causing the contract to swap $SEAMAN for $BUSD in the BUSD-SEAMAN pair.
The contract then swaps that $BUSD for $GVC in the BUSD-GVC pair, which reduces the amount of $GVC in the BUSD-GVC pair and raises the $GVC price.
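Added example (not part of the original brief and not either project's code): a constant-product (x * y = k) model of the SEAMAN transfer hook described above, showing how repeated minimum-unit transfers move both prices. The pool reserves, the contract's balance, the amount swapped per transfer and the 0.25% fee are constructed assumptions, as are the names Pair, transfer_hook and simulate.

```python
FEE = 0.0025  # assumed swap fee (0.25%); the page does not state one


class Pair:
    """Constant-product pool (x * y = k) holding BUSD and one token."""

    def __init__(self, busd, token):
        self.busd, self.token = busd, token

    def price(self):
        return self.busd / self.token  # spot price of the token in BUSD

    def sell_token(self, amount):
        """Swap `amount` of the token in; return the BUSD paid out."""
        effective = amount * (1 - FEE)
        out = self.busd * effective / (self.token + effective)
        self.token += amount
        self.busd -= out
        return out

    def buy_token(self, busd_in):
        """Swap BUSD in; return the amount of token paid out."""
        effective = busd_in * (1 - FEE)
        out = self.token * effective / (self.busd + effective)
        self.busd += busd_in
        self.token -= out
        return out


def transfer_hook(seaman_pair, gvc_pair, contract_seaman, swap_amount):
    """Swap run inside every transfer: contract-held SEAMAN -> BUSD -> GVC.
    Returns the SEAMAN left in the contract (hypothetical model)."""
    amount = min(swap_amount, contract_seaman)
    if amount > 0:
        gvc_pair.buy_token(seaman_pair.sell_token(amount))
    return contract_seaman - amount


def simulate(n_transfers, swap_amount=1_000.0):
    """Return (GVC price before, GVC price after, SEAMAN price after)."""
    seaman_pair = Pair(busd=50_000.0, token=5_000_000.0)  # constructed reserves
    gvc_pair = Pair(busd=20_000.0, token=200_000.0)       # constructed reserves
    contract_seaman = 500_000.0                           # constructed balance
    before = gvc_pair.price()
    for _ in range(n_transfers):  # each transfer moves only a minimum unit
        contract_seaman = transfer_hook(
            seaman_pair, gvc_pair, contract_seaman, swap_amount)
    return before, gvc_pair.price(), seaman_pair.price()
```

The price movement is paid for by the contract's own SEAMAN balance, not by the caller, which is why a hook that any transfer can trigger is the thing to look for when reviewing tokens of this design.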