In brief⚡
Harvest Keeper lost ~$933K due to a malicious transfer of user funds.
Indexed Finance lost ~$9,925 due to a flash loan attack.
Malware caused General Bytes a loss of ~$1.8 million.
Investors lost ~$1.3 million to the iEarn Bot scam.
Hacks and Scams⚠️
Harvest Keeper
Amount of Loss: ~$933K
Analysis
The Harvest Keeper project fraudulently transferred user funds totalling approximately 933,000 US dollars.
The attacker used the owner's authority to transfer out the USDT that users had pledged in the HarvestKeeper contract by calling the getAmount function. Then, according to on-chain data, the attacker used the token approvals users had granted to an EOA account to transfer users' funds through that EOA multiple times.
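The pattern an auditor looks for in an incident like this is a privileged function that spends a third party's token allowance. The following is an added illustration written for this newsletter, not Harvest Keeper's code: the contract and function names are assumptions. It sets a contract with that flaw beside one where an allowance is only ever spent by the approver, in the approver's own call, and funds can only move back to the depositor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed illustration: NOT the HarvestKeeper contract. Names are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// RISKY: an owner-only function that calls transferFrom with a `from` that is
// not msg.sender. A user's approval was meant to cover their own deposits, but
// the owner can spend it on demand (centralised privilege + open allowance).
contract RiskyStaking {
    IERC20 public immutable token;
    address public owner;

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Audit finding: any depositor who approved this contract can be drained by the owner.
    function ownerPull(address depositor, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(token.transferFrom(depositor, owner, amount), "transferFrom failed");
    }
}

// HARDENED: allowances are spent only by the approver, balances are tracked per
// depositor, and no function moves a depositor's tokens anywhere but back to them.
contract SaferStaking {
    IERC20 public immutable token;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        // msg.sender spends only its own allowance, and only into this contract.
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balanceOf[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        uint256 bal = balanceOf[msg.sender];
        require(bal >= amount, "insufficient balance");
        balanceOf[msg.sender] = bal - amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Two checks follow from this. For reviewers: flag every call to transferFrom whose `from` argument is not msg.sender, and ask who can reach it. For users: approve only the amount being deposited rather than an unlimited allowance, and revoke approvals to contracts and EOAs you no longer use, since an outstanding approval is spendable for as long as it exists.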
Indexed Finance
Amount of Loss: ~$9,925
Analysis
Indexed Finance's ORCL5 fell for a flash loan attack.
The preliminary root cause analysis shows that calcSingleOutGivenPoolIn() calculates an incorrect value of tokenAmountOut.
General Bytes
Amount of Loss: ~$1.8 Million
Analysis
On March 17 and 18, the cryptocurrency ATM service General Bytes was attacked.
The attacker used the system's upload interface to upload and run a malicious Java programme, after which the attacker obtained database permissions on the server and the hot wallet withdrawal API key.
As a result, the attacker was able to:
Read and decrypt the API keys used to access funds in hot wallets and exchanges.
Send funds from hot wallets.
Download usernames and password hashes, and disable 2FA.
Access terminal event logs and search for instances where customers scanned their private key at an ATM. This data was logged in earlier versions of the ATM software.
iEarn Bot
Amount of Loss: ~$1.3M
Analysis
Thousands of people in several countries have fallen victim to the iEarn Bot scam.
Victims were persuaded to sign up for iEarn Bot, an "AI intelligent quantitative trading robot" that appeared to trade cryptocurrencies on their behalf successfully.
However, the victims soon realised they could not withdraw their due earnings or invested funds.
Even though its website is riddled with errors, iEarn Bot claims to be an American company.
The man identified as the company's founder told the BBC he had nothing to do with the scheme, and companies and institutions listed as "strategic partners" denied involvement.
The BBC discovered a cryptocurrency wallet that received nearly $1.3 million in payments from approximately 13,000 other people.
Explore the Depths of Knowledge: Research Papers & Blogs🔖
Web3 is a new internet era— decentralised, open, and powered by blockchain technology. This new paradigm provides enormous opportunities for businesses to streamline operations, reduce costs, and generate new revenue streams. However, with the benefits come new security challenges that must be addressed to ensure this technology is used safely and securely.
Part 1: Bridging the Blockchain: A Deep Dive into Cross-Chain Hacks and Failures
Cross-chain bridges are self-explanatory. They've been around for a while and are an excellent way to transfer funds from one chain to another. Bridges improve our Web3 experience, while QuillAudits improves protocol security. Because bridges handle large sums of money, it is only reasonable to ensure their safety, and safety is frequently the top priority in such protocols. Nonetheless, 2022 was rife with cross-chain hacks.
Tune in to Engaging Twitter Spaces & Webinars! 🎙️
Smart Contract Security ft. QuillAudits
Web3 Community Spotlight🔦
This repository contains minimal Solidity implementations of ERC20 tokens with potentially surprising or unexpected behaviour. All of the tokens in this repository are based on real tokens, many of which have previously been used to exploit smart contract systems. These example implementations are intended to help developers and auditors.