In brief ⚡
Wise Lending Faces $440,000 Exploit in DeFi Hack, Adding to 2024's Growing Wave of Decentralized Finance Vulnerabilities
Narwhal Project on Binance Smart Chain Faces $1.5 Million Exploit: Security Breach Raises Concerns of Exit Scam
List Of RugPull tokens
XAI Token
ElonTroll Token
Mango Farm SOL
Hacks and Scams⚠️
Wise Lending
Amount of Loss: ~ $460k
Analysis
Wise Lending, a Web3 lending app and yield aggregator, suffered an exploit on January 12, resulting in the loss of 170 Ether (ETH) worth approximately $440,000 at current prices.
The attacker manipulated an oracle price through a flash loan, utilizing an unverified contract with an address ending in d82c to drain funds.
Various tokens, including $9,000 worth of USD Coin (USDC), $2,000 worth of Tether (USDT), $5,000 worth of Dai (DAI), 18.51 Wrapped Ether (WETH), and several Pendle Finance associated tokens, were transferred to the exploiter's contract.
The attacker borrowed 1,110 Lido Staked Ether (stETH) tokens, equivalent to $2.9 million, from the Aave lending protocol as part of the exploit.
Security researchers, such as Spreek and Officer’s Notes, raised concerns about potential vulnerabilities associated with a new Pendle Finance derivative token and a 7% swing in price between stETH and ETH due to an Aave v2 stETH flash loan.
This exploit adds to a series of DeFi protocol vulnerabilities in 2024, following similar incidents at the beginning of the year in which Radiant Capital lost over $4.5 million and Gamma Protocol lost over $400,000. In 2023, crypto hacks, scams, and exploits resulted in losses exceeding $1.8 billion, according to CertiK.
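To show why a price read from live pool reserves is unsafe as a lending oracle, and how a deviation check against a time-weighted average rejects a same-transaction swing, here is an added example (not code from Wise Lending, Aave or this newsletter). It assumes a simplified fee-free constant-product pool with constructed reserves and a hypothetical 2% deviation limit; only the 1,110 stETH figure comes from the report above.

```python
from dataclasses import dataclass

MAX_DEVIATION = 0.02  # hypothetical limit: reject spot prices >2% off the TWAP


class PriceDeviationError(Exception):
    """Raised when the spot price strays too far from the reference price."""


@dataclass
class Pool:
    """Simplified constant-product pool (x * y = k), no fees (assumption)."""
    steth: float
    eth: float

    def spot_price(self) -> float:
        """ETH per stETH, read directly from current reserves."""
        return self.eth / self.steth

    def sell_steth(self, amount: float) -> float:
        """Swap stETH into the pool and return the ETH paid out."""
        k = self.steth * self.eth
        eth_out = self.eth - k / (self.steth + amount)
        self.steth += amount
        self.eth -= eth_out
        return eth_out


def twap(observations):
    """Time-weighted average of (price, seconds_held) observations."""
    total = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) / total


def guarded_price(pool, reference, max_deviation=MAX_DEVIATION):
    """Return the spot price only if it stays close to the reference."""
    spot = pool.spot_price()
    if abs(spot - reference) / reference > max_deviation:
        raise PriceDeviationError(f"spot {spot:.4f} vs reference {reference:.4f}")
    return spot


def simulate():
    pool = Pool(steth=30_000.0, eth=30_000.0)      # constructed reserves
    history = [(pool.spot_price(), 600)]           # price held for 600 s
    pool.sell_steth(1_110.0)                       # flash-loaned stETH sold
    history.append((pool.spot_price(), 0))         # same transaction: 0 s elapsed
    reference = twap(history)                      # unaffected by the swap
    swing = 1 - pool.spot_price() / reference
    try:
        guarded_price(pool, reference)
        return swing, True
    except PriceDeviationError:
        return swing, False
```

With these constructed reserves the single swap moves the spot price by about 7%, while the time-weighted reference does not move because no time elapses inside one transaction.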
Narwhal Project
Amount of Loss: ~ $1.5M
Analysis
The Narwhal project on the Binance Smart Chain (BSC) experienced two exploits on Jan 5 and Jan 6, resulting in a total loss of approximately $1.5 million worth of NRW tokens ($970k on Jan 6 and $500k on Jan 5).
On Jan 7, Narwhal_fyi officially confirmed the exploitation through a tweet, revealing that the team is actively rebuilding the liquidity pool over the next three days. They also announced plans to enhance platform security to prevent future exploits.
Stolen NRW tokens, valued at around $1 million, were exchanged for Ethereum (ETH) and bridged to the Ethereum Network. The attacker deposited 375 ETH into Tornado Cash; approximately $1 million had already been deposited at the time of reporting.
The remaining stolen funds, amounting to around 80 ETH and 100.3 ETH, are held in two specific addresses on the Ethereum Network.
The hack occurred on Jan 6 when the attacker executed the withdraw() function with signer info. It was discovered that the signer's address was set by the contract owner, raising concerns about the compromise or forgery of the signer's private key.
There is speculation that the exploit might be an elaborate exit scam disguised as a hack. On-chain analysts pointed out unusual token price drops on Jan 5 and Jan 7 and linked wallets involved in the exploit to a common funding address, suggesting a potentially orchestrated exit scam.
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Articles
Exploring the Potential for Life in the Internet and Blockchain
Unfolding Ancient Wisdom: How Ancient Stories Teach Modern Humans about Security and OpSec
Web3 Community Spotlight🔦
Note - all the respective links have been embedded in the images
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.