List of Crypto Hacks in the Month of January — ImmuneBytes

ImmuneBytes
13 min read · Jan 2, 2024

😈On Jan 1, 2022, the DeFi protocol Tinyman on the Algorand chain lost $3M worth of assets from its contract pools due to a smart contract vulnerability.

The Smart Contract Vulnerability

The protocol’s burn function was designed to allocate two different tokens (GOBTC and ALGO tokens) to the user on being called.

The ratio in which these two were given out was based on the amounts of each token stored within the protocol.

Using the flaw in the Tinyman pools’ contract code, the attacker was able to receive the GOBTC tokens alone instead of a mix of GOBTC and ALGO, as intended.

So, in other words, the exploiter received a GOBTC token every time they were supposed to receive an ALGO token.

Between GOBTC and ALGO, GOBTC was pricier and hence the attacker made a significant profit amounting to approximately $3M, over multiple transactions.

The stolen GOBTC tokens were later swapped for stablecoins and transferred to other exchanges and wallets.

The vulnerability in the pool contract could have been discovered had the smart contracts been audited by an experienced and credible smart contract auditing firm.
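As an added illustration, not Tinyman's actual contract code, the toy pool below models the flaw described above: the burn (LP redemption) pays out two asset shares, but the caller names the payout assets and nothing checks that they are the pool's two distinct assets. The hardened version adds that check. Reserves, LP supply and asset names are constructed.

```python
# Added example (not Tinyman's code): a simplified two-asset pool burn.
# The modelled flaw, taken from the description above, is that the caller may
# name the payout assets and the contract never verifies that they are the
# pool's two distinct assets.

def burn_vulnerable(pool, lp_amount, payout_assets):
    """Redeem lp_amount LP tokens. payout_assets is caller-supplied (the flaw)."""
    if lp_amount <= 0 or lp_amount > pool["lp"]:
        raise ValueError("invalid LP amount")
    # Both shares are computed from the reserves before anything leaves the pool,
    # so naming the same asset twice pays that asset's share twice.
    shares = [pool[a] * lp_amount // pool["lp"] for a in payout_assets]
    paid = {a: 0 for a in pool if a != "lp"}
    for asset, amount in zip(payout_assets, shares):
        pool[asset] -= amount          # no check that the two assets differ
        paid[asset] += amount
    pool["lp"] -= lp_amount
    return paid

def burn_hardened(pool, lp_amount, payout_assets):
    """Same redemption, but the payout assets must be exactly the pool's pair."""
    expected = sorted(a for a in pool if a != "lp")
    if sorted(payout_assets) != expected:
        raise ValueError("payout assets must be the pool's two distinct assets")
    return burn_vulnerable(pool, lp_amount, payout_assets)

def new_pool():
    # Constructed reserves: 10,000 GOBTC, 1,000,000 ALGO, 100,000 LP outstanding.
    return {"GOBTC": 10_000, "ALGO": 1_000_000, "lp": 100_000}

def rejects_duplicate_assets():
    """True if the hardened burn refuses a request naming GOBTC for both payouts."""
    try:
        burn_hardened(new_pool(), 10_000, ["GOBTC", "GOBTC"])
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("fair   :", burn_hardened(new_pool(), 10_000, ["GOBTC", "ALGO"]))
    print("skewed :", burn_vulnerable(new_pool(), 10_000, ["GOBTC", "GOBTC"]))
    print("blocked:", rejects_duplicate_assets())
```

Redeeming 10% of the LP supply should pay 1,000 GOBTC plus 100,000 ALGO; the vulnerable burn pays 2,000 GOBTC and no ALGO, which is the "GOBTC instead of ALGO" outcome the write-up describes, and the whole profit comes from GOBTC being the pricier asset.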

😈In another major crypto exploit, on Jan 2, 2024, Radiant Capital @RDNTCapital on the Arbitrum chain was exploited for ~$4.5M (~1.9K ETH).

The root cause of the hack was price manipulation, carried out by exploiting a rounding issue in the rayDiv() function.

The Exploitation

First, the index parameter (used as a denominator in the calculations) was inflated through manipulation, and the corresponding precision error grew with it.

The attacker reaped profits through repeated deposit() and withdraw() operations.

The attack took place within a window of 6 seconds immediately after a new USDC market was deployed.

The rounding issue is a known issue in the current Compound/Aave codebase, which lending markets fork when activating new markets.

To mitigate this, Aave has a mandatory policy of depositing alongside any new listing. This practice appears not to have been carried over when the code was forked.
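The following is an added example, not Radiant's or Aave's code. It reproduces the half-up integer rounding of Aave-style rayDiv/rayMul (27-decimal "ray" fixed point, as in Aave's WadRayMath) to show why an inflated liquidity index matters: the worst-case over-credit per deposit or withdrawal is half of one scaled unit, and one scaled unit is worth `index` tokens, so the gain grows linearly with the index. The index values are constructed.

```python
# Added example (not Radiant's or Aave's code): how rayDiv/rayMul rounding
# interacts with the liquidity index.

RAY = 10**27

def ray_div(a, b):
    """a / b in ray precision, rounded half-up (Aave WadRayMath semantics)."""
    return (a * RAY + b // 2) // b

def ray_mul(a, b):
    """a * b in ray precision, rounded half-up."""
    return (a * b + RAY // 2) // RAY

def round_trip_error(amount, index):
    """Deposit `amount`, store the scaled balance, convert back; return credit - amount.

    scaled = amount / index is what an interest-bearing token records; the
    user's visible balance is scaled * index. A positive result means the user
    is credited more than they put in."""
    scaled = ray_div(amount, index)
    return ray_mul(scaled, index) - amount

def max_rounding_gain(index):
    """Worst-case over-credit for one operation: half of one scaled unit, in tokens."""
    return index // (2 * RAY)

def demo():
    healthy = 10**27        # index 1.0: a fresh, properly seeded market
    inflated = 10**30       # index 1000.0: constructed, after manipulation
    return {
        "healthy_1000": round_trip_error(1_000, healthy),
        "inflated_1500": round_trip_error(1_500, inflated),
        "inflated_1499": round_trip_error(1_499, inflated),
        "max_gain_inflated": max_rounding_gain(inflated),
    }

if __name__ == "__main__":
    print(demo())
```

With the index at 1.0 a 1,000-token round trip is exact. With the index pushed to 1,000.0, one scaled unit is worth 1,000 tokens: depositing 1,500 rounds up to 2 scaled units (credited as 2,000) while depositing 1,499 rounds down to 1 (credited as 1,000). Repeating deposit() and withdraw() at amounts just above the half-unit boundary harvests that 500-token error each time, which is the mechanism the write-up describes; keeping the index from being inflated cheaply, for example by the seed deposit Aave mandates at listing, is what limits it.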

Attacker’s address: https://arbiscan.io/address/0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

Malicious contract: https://arbiscan.io/address/0x39519c027b503f40867548fb0c890b11728faa8f

The Aftermath

The @RDNTCapital team is trying to initiate contact with the attacker by leaving an on-chain message, but is still waiting for a response.

Ref: https://arbiscan.io/tx/0xcd1865e3bf185fc5fe0b5fb055f6d74cfa68ee50335ff92ad721063538922664

While the hack is being investigated, the Radiant DAO Council has paused lending/borrowing markets on Arbitrum temporarily.

😈On Jan 4, 2024, the DeFi protocol Gamma Strategies was exploited for ~1535 $ETH (~$3.43M) in what appears to be an attack on Camelot pools that use Gamma's CLMM vaults.

Hack Txn: https://arbiscan.io/tx/0x025cf2858723369d606ee3abbc4ec01eab064a97cc9ec578bf91c6908679be75

Other than @GammaStrategies, decentralized exchanges (DEX) such as @Quickswap, @SushiSwap, and @CamelotDEX could be affected by this exploit.

Gamma has strongly advised all its users to revoke all approvals to avoid a possible fund loss due to the exploit.

@CryptoAlgebra, which was earlier speculated to be exploited, has confirmed that the exploit is not connected with Algebra’s code, and it is safe to use services from its partners.

Beware of phishing websites claiming to check for exposure and revoke access on behalf of @CryptoAlgebra.

In an official statement, Gamma confirmed that the exploit was carried out using flash loans.

The total fund loss in the exploit is 1535 ETH, worth ~$3.43M, which the attacker (https://arbiscan.io/address/0x5351536145610aa448a8bf85ba97c71caf31909c) has now bridged to #Ethereum in multiple transactions.

Ref: https://etherscan.io/address/0x5351536145610aa448a8bf85ba97c71caf31909c

Gamma Exploiter Malicious Contract: https://arbiscan.io/address/0x4b57adc00ac38f74506d29fc4080e3dc65b78a69

Mitigation Steps

As a precautionary measure, Gamma has shut off all deposits on public-facing vaults. At the time of writing, the rebalances and management of the positions are active and operational, as they are not affected by the exploit.

What Caused the Exploit?

Multiple measures were in place to prevent flash loan attacks, but one of them had a flaw.

That measure, a price-change threshold beyond which Gamma disallowed deposits, was what the exploiter manipulated.

The threshold limits were set too high, allowing price changes of up to 50–200% on specific LST and stablecoin vaults.

The attacker manipulated the price up to this high threshold limit and then minted a large number of LP tokens.
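As an added example (not Gamma's code), the guard below compares the pool's spot price with a reference price and rejects a deposit when the change exceeds a threshold, placed next to the share-minting math the guard protects. It shows why a 200% threshold is not a guard at all: a 150% manipulated price passes it and the deposit is valued, and shares minted, at the inflated price. The 1% tightened threshold, the vault's size and all prices are constructed assumptions, not Gamma's actual settings.

```python
# Added example (not Gamma's code): a price-change deposit guard with a weak
# threshold beside a tight one, and the over-minting it is meant to prevent.

WAD = 10**18        # 18-decimal fixed point for prices and token amounts
BPS = 10_000        # basis points

def price_change_bps(reference, spot):
    """Absolute price move in basis points relative to the reference price."""
    return abs(spot - reference) * BPS // reference

def shares_for_deposit(amount0, amount1, price1_in_0, vault_value0, total_shares):
    """Shares minted for a deposit, valued in token0 at the price the vault trusts."""
    deposit_value0 = amount0 + amount1 * price1_in_0 // WAD
    return deposit_value0 * total_shares // vault_value0

def try_deposit(amount0, amount1, reference_price, spot_price, max_change_bps,
                vault_value0=1_000_000 * WAD, total_shares=1_000_000 * WAD):
    """Return shares minted, or None if the price-change guard rejects the deposit."""
    if price_change_bps(reference_price, spot_price) > max_change_bps:
        return None
    # Past the guard, the vault values the deposit at the (possibly manipulated) spot price.
    return shares_for_deposit(amount0, amount1, spot_price, vault_value0, total_shares)

WEAK_THRESHOLD_BPS = 20_000    # 200%, the upper end of the range reported above
TIGHT_THRESHOLD_BPS = 100      # 1%, an illustrative safe value (assumption)

def demo():
    reference = WAD                 # 1 token1 = 1 token0 under normal conditions
    manipulated = 25 * WAD // 10    # spot pushed to 2.5 token0 per token1 (+150%)
    deposit1 = 100_000 * WAD        # depositor brings only token1
    return {
        "fair_shares": try_deposit(0, deposit1, reference, reference, WEAK_THRESHOLD_BPS),
        "weak_guard_shares": try_deposit(0, deposit1, reference, manipulated, WEAK_THRESHOLD_BPS),
        "tight_guard_shares": try_deposit(0, deposit1, reference, manipulated, TIGHT_THRESHOLD_BPS),
    }

if __name__ == "__main__":
    print(demo())
```

At the fair price the 100,000-token deposit mints 100,000 shares; under the weak threshold the same deposit at the manipulated price mints 250,000 shares, 2.5x its real value, which is the "minted a large number of LP tokens" step above; the tight threshold rejects it.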

Corrective Measures

To set things right, Gamma has taken the following steps:

  • Setting price change thresholds to a safe level
  • Getting a 3rd party code review before re-enabling deposits
  • Maximizing recovery for all affected users
  • Conduct a detailed post-mortem analysis and propose a remediation plan

😈Narwhal project on #BSC suffered an exploit on Jan 5 and Jan 6, 2024, for a total of ~$1.5M worth of NRW tokens ($970k on Jan 6 and $500k on Jan 5).

On Jan 7, @Narwhal_fyi confirmed in an official tweet that it had been exploited and was in the process of rebuilding the liquidity pool over the next 3 days.

It also stated that they are working on a new platform with enhanced security to avoid such exploits in the future.

The stolen NRW was later swapped for ETH and bridged to the Ethereum Network.

The address 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30 deposited 375 ETH into Tornado Cash and also received ETH from 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568.

At the time of reporting, ~$1M of the stolen ~$1.5M had already been deposited into Tornado Cash by the attacker.

The remaining stolen funds are currently at:

  • ETH: 0xe07bCffac8cEC86886B49b509A4924182D2596d3 (~80 ETH)
  • ETH: 0x51eF9B64e5Bc4A23C522ECE8769De87b022d3c41 (~100.3 ETH)

On Jan 6, the attacker called the withdraw() function with signer info. The decompiled contract shows that the signer's address was set by the contract owner, so it is possible that the signer's private key was compromised or that the signer information was forged.

Exploited Contract: 0x8A2DF808CCb0DB866C5C152412D1718929143f53

The Alternate Theory

There is speculation that what appears to be an exploit by a malicious hacker could be a cleverly executed exit scam disguised as one.

To support the theory, the on-chain analysts have presented the following:

The NRW token price shows two major drops: on Jan 5 and on Jan 7.

The drop on Jan 5 is likely caused by the large transfer of NRW tokens to an EOA 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568 from multiple wallets.

Suspiciously, all these wallets received funding from the same address: 0x28B38A8B0b5AbEcE315a5064495056ad158DDDfF.

The 0x28B38 address itself was initially funded by 0xfc8Cd26F86E6169e95A0256004B5c8FD1a6EFdDF, which received funds via FixedFloat.

The same address also funded the NRW deployer.

The Jan 7 price drop was triggered by EOA 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30, which called withdraw on the unverified malicious contract 0x814304B1e200b4D36B26f53358BbBA6D6136B2F5.

This contract was created by 0x6eA, which was, in fact, funded by 0xfc8C, which had earlier funded the NRW deployer.

😈MangoFarmSOL, a farming protocol on Solana that promised its investors unprecedented yield in the $SOL space, made off with ~$2M of investors' funds on Jan 7, 2024, in a well-orchestrated exit scam.

It had announced a MANGO token airdrop for Jan 10, and to participate in the airdrop, users had to deposit their SOL tokens in the protocol.

The Telltale Signs of the Scam

“Foobar,” a pseudonymous developer recently appointed as MangoFarmSOL’s security auditor, had warned users about MangoFarmSOL’s compromised front end on Jan 6 through a post on X (formerly Twitter).

He also predicted that the protocol could be a potential rug pull.

The Disappearing Act

The official website of MangoFarmSOL is now being flagged as a deceptive website. Their profile on X no longer exists, and the Telegram channel (with 1000 existing members) is not accepting new members anymore.

Is there Another Scam in Waiting?

There have been reports of screenshots circulating on social media in which the developer of the now-exposed scam project @MangoFarmSOL is shown claiming that he was forced to create Ponzi schemes and that he is involved with another project, BananaMiner.

Representatives from BananaMiner have refuted all such allegations and have categorically denied any connection to MangoFarmSOL, except that they were approached for collaboration by them.

MangoFarmSOL must not be confused with another Solana-based project, Mango Markets, which was exploited in October 2022 for over $100 million.

The Conclusion

The Solana ecosystem has been increasingly targeted by scammers using wallet drainers.

The seriousness of the security threat for Solana-based projects can be gauged by the fact that the cybercriminals have been selling Solana drainer kits since December, and one of the large communities for SOL’s wallet drainer kit maintained by these cybercriminals has over 6k members.

Beware of scammers who lure novice #cryptoinvestors into fake projects and tokens. Equip yourself with the knowledge to detect such scams and avoid falling for them.

You can get a great deal of knowledge about identifying such scams here:

  • Crypto & Defi Rug Pull: How to Spot?
  • World of Rising DeFi Scams: 5 Types of Scams that are Deceiving Investors
  • Honeypot Scams in Crypto

😈An address on #Ethereum fell victim to a zero-transfer scam on Jan 10, 2024, when it accidentally sent 960,000 USDT to the scammer's lookalike address instead of the address it meant to pay.

Zero-transfer scams have become quite common in the crypto world. They are increasingly popular with scammers because they require minimal effort to steal money from novice #cryptoinvestors.

Victim: 0x3dFf6f65Fd3354D2f98e065B814456Dc54435F0a

Intended Address: 0x9462B598aa7e45e6C2df22c35337Be248Df98CD6

Phishing Address: 0x946c8e51d95a1f1643c3617363aee83439f98cd6
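The intended and phishing addresses above share their first three and last six hex characters, which is exactly what a poisoned transfer history relies on: people compare only the ends of an address. As an added example (not part of the original post), the check below measures that resemblance and flags a recipient that mimics a saved address; the address book is constructed from the two addresses listed above.

```python
# Added example, not from the original post: lookalike detection for a
# recipient address against a saved address book, using the addresses above.

INTENDED = "0x9462B598aa7e45e6C2df22c35337Be248Df98CD6"   # from the post
PHISHING = "0x946c8e51d95a1f1643c3617363aee83439f98cd6"   # from the post

def normalize(addr):
    """Lower-case 40-hex-char body of a 20-byte address; rejects anything else."""
    addr = addr.lower()
    if not (addr.startswith("0x") and len(addr) == 42
            and all(c in "0123456789abcdef" for c in addr[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return addr[2:]

def shared_prefix_suffix(a, b):
    """(leading, trailing) hex characters that two addresses have in common."""
    a, b = normalize(a), normalize(b)
    prefix = 0
    while prefix < 40 and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < 40 - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def check_recipient(candidate, address_book, min_prefix=3, min_suffix=4):
    """Classify a recipient before sending.

    Returns (status, label): 'exact' if the candidate is a saved address,
    'lookalike' if it differs from a saved address but mimics its ends,
    'unknown' if it resembles nothing saved. Thresholds are constructed."""
    cand = normalize(candidate)
    for label, saved in address_book.items():
        if normalize(saved) == cand:
            return "exact", label
    for label, saved in address_book.items():
        prefix, suffix = shared_prefix_suffix(candidate, saved)
        if prefix >= min_prefix and suffix >= min_suffix:
            return "lookalike", label
    return "unknown", None

ADDRESS_BOOK = {"exchange deposit": INTENDED}    # constructed address book

if __name__ == "__main__":
    print(shared_prefix_suffix(INTENDED, PHISHING))
    print(check_recipient(PHISHING, ADDRESS_BOOK))
    print(check_recipient(INTENDED, ADDRESS_BOOK))
```

A wallet or payment script that refuses to proceed on "lookalike" without the full address being confirmed character by character, or that only ever sends to entries picked from the saved address book rather than copied from transaction history, closes this scam entirely.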

What is a Zero Transfer Scam, and how do you avoid it?

😈On Jan 10, 2023, the BRA token on #BSC was exploited for $225,000 when it lost 819 WBNB due to a smart contract vulnerability.

The Vulnerability

Due to a logic vulnerability in the smart contract, every time the transfer function was invoked, the sender and recipient received twice the rewards if they were the liquidity pair.

The Attack Flow

>> Step 1

The attacker took a flash loan of 1,400 WBNB and exchanged 1,000 WBNB for 10.5K BRA tokens, which they later transferred to the Pancakeswap pair.

>> Step 2

Using the skim() function, the attacker invoked the BRA contract’s transfer function to receive rewards.

>> Step 3

The skim() function is meant to work as a recovery mechanism whenever the number of tokens supplied to a pair exceeds what the two uint112 reserve slots can hold.

The attacker abused this and provided the pair itself as the recipient address for the BRA tokens.

Due to the vulnerability in the smart contract, the number of BRA tokens credited after every single skim was twice the intended amount.

The hacker repeatedly called skim() around 100 times to significantly increase the contract pair’s BRA balance.

>> Step 4

The attacker then returned 1.675K WBNB tokens and repaid the 1.4K WBNB token flash loan.

A profit of 675 WBNB was generated in this process, which the hacker sent to their address.

The whole attack sequence was repeated once more, and this time the attacker's profit was 144 WBNB.
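The following is an added example, not the BRA token's contract, that models the logic flaw behind the vulnerability and the attack flow above with a toy reward-on-transfer token and a minimal pair with skim(). The reward hook has one branch for "sender is the pair" and another for "recipient is the pair"; a skim that names the pair as recipient is a pair-to-pair transfer, so both branches fire and the pair is credited twice. The fixed version pays one reward per transfer. Balances, the reserve and the reward rate are constructed.

```python
# Added example (not the BRA contract): double reward on a pair -> pair transfer.

REWARD_BPS = 100   # reward of 1% of the transferred amount, constructed

class RewardToken:
    """Toy token that pays a reward to the pair whenever the pair is involved in a transfer."""
    def __init__(self, pair, balances, double_reward_bug):
        self.pair = pair
        self.balances = dict(balances)
        self.bug = double_reward_bug

    def _reward_pair(self, amount):
        # Rewards are minted, so every extra reward inflates the pair's balance for free.
        self.balances[self.pair] += amount * REWARD_BPS // 10_000

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        if self.bug:
            # Two independent branches: a pair -> pair transfer triggers both.
            if sender == self.pair:
                self._reward_pair(amount)
            if recipient == self.pair:
                self._reward_pair(amount)
        elif self.pair in (sender, recipient):
            # Fixed: exactly one reward per transfer, however the pair is involved.
            self._reward_pair(amount)

class Pair:
    """Minimal AMM pair: a recorded reserve plus skim(), which sends any surplus to `to`."""
    def __init__(self, address, token, reserve):
        self.address, self.token, self.reserve = address, token, reserve

    def skim(self, to):
        surplus = self.token.balances[self.address] - self.reserve
        self.token.transfer(self.address, to, surplus)

def pair_balance_after_skims(double_reward_bug, n):
    """Pair's token balance after n skim() calls that name the pair itself as recipient."""
    token = RewardToken("pair", {"pair": 11_000}, double_reward_bug)
    pair = Pair("pair", token, reserve=10_000)    # 1,000 tokens of surplus to skim
    for _ in range(n):
        pair.skim(to="pair")
    return token.balances["pair"]

if __name__ == "__main__":
    for n in (1, 5):
        print(n, "skims:", pair_balance_after_skims(True, n), "(buggy) vs",
              pair_balance_after_skims(False, n), "(fixed)")
```

Every skim grows the pair's balance by twice the intended reward in the buggy version, and because the surplus is never consumed (it goes back to the pair), the call can be repeated indefinitely, which is why ~100 repetitions were enough to move the pool price. A review that asks "what happens when sender == recipient, and when either is a privileged address?" for every transfer hook is the kind of logical check the write-up says was missing.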

Technical Info:

Attack Transaction: https://bscscan.com/tx/0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047

Attacker’s Address:

BRA Token Code: https://bscscan.com/token/0x449fea37d339a11efe1b181e5d5462464bba3752#code

Pancake Swap Contract:
https://bscscan.com/address/0x8f4ba1832611f0c364de7114bbff92ba676adf0e

How to Avoid Such Attacks?

This attack would not have happened if the smart contract auditors had examined the contract for logical issues. By conducting thorough testing and reviews of the smart contract code, the auditors can discover and fix potential vulnerabilities before deployment.

BRA Token Detailed Hack Analysis

👿On Jan 11, 2024, a victim on the Ethereum chain was scammed out of ~$772K worth of stETH after signing a malicious ERC20 Permit signature.

An ERC20 token approval granted on a scam website can be used by the hacker to carry out illegitimate transfers from an address without the owner's knowledge.

Victim: 0x551b30bc933e26e098bd2e68d436c24ed39b7312

Scammer: 0x1A42605D92C210E4bE47A6363046c591659ab444 (Fake_Phishing269883)

Hack Txn: https://etherscan.io/tx/0xa653ede5787d5ee4b869d01643c3178b38d470445cd2078c23a5f2cfed4ff37b

To stay protected from ERC20 token approval phishing scams, always:

  • Set token approval limits to the minimum amount needed.
  • Ensure that the website requesting token approvals is genuine and trustworthy.
  • Bookmark the URL of the website or access it from the official channels.
  • Look for approvals that are no longer in use and revoke them ASAP.
  • Stay updated with the news of exploits in the crypto world.

Revoke approvals without delay to protect your funds from being drained through a dApp you approved earlier.

ERC20 Permit2 approval and the associated risks

😈DeFi protocol WiseLending (@Wise_Lending) on Ethereum came under a price manipulation attack on Jan 12, 2024, when the exploiter abused a rounding error and caused losses of ~$460K (~178 ETH).

The hacker knew that WiseLending rounds up when calculating shares for withdrawals.

The attacker repeatedly called the withdraw function with a one-unit amount to create a mismatch between the protocol's token balance and its share accounting, which led to the price manipulation.

The stolen funds are currently held at 0x592856d68B3FEE1D2dAa34CdC9851f3477C52530.

Manipulated Contract: https://etherscan.io/address/0xb90cf1d740b206b6d80854bc525e609dc42b45dc

Hack Txn: https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31

Rounding errors in smart contracts can lead to severe security vulnerabilities. To know how these can be mitigated, read:

  • How to Bypass the Integer Division Error in Smart Contracts?
  • Precision Loss Vulnerability in Solidity: A Deep Technical Dive

😈An address on the #Avalanche chain lost 9.41 $BTC (~$433K) in a phishing attack on Jan 12, 2024. The victim sent the stolen amount in two transfers within a single transaction.

Read: The Beginner’s Guide to Phishing Attacks

Hack Txn: https://subnets.avax.network/c-chain/tx/0xe00e4c8c11cff74c6a2296ef4e20cd0bc9811365022460f7207197923c4f51ed

Victim: 0xda60167db93bfd982204a55afb7321a76afc419b

Contract Add: 0xf455878e14d435e23dd8a2000c8fac3fca2f33d5

Scammer Add 1: 0xa3aa460C12713A000a33893b024D95db80945a2F (1.41147824 aAvaBTC.b)

Scammer Add 2: 0x7666a59f3A38934cb1262d22Fac52A67fda4B123 (7.99837663 aAvaBTC.b)

😈On Jan 15, 2023, Midas Capital was exploited using read-only reentrancy, with losses calculated at ~$660K.

In the attack, the Polygon liquidity pool of the stablecoin protocol Jarvis was targeted.

Midas Capital had listed the WMATIC-stMATIC Curve LP token on their platform with supply caps of about 250,000.

The hacker was aware of this and, as the first step of the attack, used Balancer V2, AAVE V3, and AAVE V2 to obtain WMATIC flash loans in order to inflate the LP token price and borrow against it.

In the next step, they entered the Midas markets and added some liquidity to Curve (0 stMatic, 270000 of WMatic).

The hacker then deposited Curve LP as collateral (270K WMATIC) to Midas and added a large amount of liquidity (0 stMatic and 71M WMatic), which resulted in an imbalanced market state.

In the final step, the attacker removed liquidity from Curve to trigger a callback, during which they borrowed jCHF, jEUR, jGBP, and agEUR against an incorrect Curve LP price in Midas.

This led to the loss of 663,101 MATIC tokens, valued at over ~$660,000 at that time.
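As an added example (not Midas's or Curve's code), the toy pool below shows what "read-only reentrancy" means in the attack above: remove_liquidity pays the caller through an external call before the LP supply is burned, so a price view read inside that callback sees partially updated state, even though the pool's reentrancy lock blocks any state-changing re-entry. The guarded lender refuses to price LP tokens while the pool is mid-operation. The model exposes the lock as a flag; on-chain a lender cannot read Curve's lock directly and instead makes a harmless state-changing call that reverts while the lock is held, which is the same check. Pool math is a plain sum rather than Curve's invariant, so the direction and size of the skew are illustrative only; balances and supply are constructed.

```python
# Added example (not Midas's or Curve's code): a view read during a payout
# callback sees inconsistent state; the guarded lender refuses that read.

WAD = 10**18

class ToyPool:
    def __init__(self, bal0, bal1, supply):
        self.bal = [bal0, bal1]
        self.supply = supply
        self.locked = False            # guards state-changing calls, not views

    def virtual_price(self):
        """View: pool value per LP share (scaled by WAD). Not protected by the lock."""
        return (self.bal[0] + self.bal[1]) * WAD // self.supply

    def remove_liquidity(self, shares, receiver):
        self.locked = True
        for i in range(2):
            amount = self.bal[i] * shares // self.supply
            self.bal[i] -= amount
            receiver.on_receive(i, amount)   # external call before the burn below
        self.supply -= shares                # supply only updated after all payouts
        self.locked = False

class Lender:
    """Lending market that prices LP collateral from the pool's view function."""
    def __init__(self, pool, check_lock):
        self.pool, self.check_lock = pool, check_lock

    def lp_price(self):
        if self.check_lock and self.pool.locked:
            return None                      # refuse: the pool is mid-operation
        return self.pool.virtual_price()

class PriceProbe:
    """Any contract receiving the payout; here it just records what the lender would price."""
    def __init__(self, lender):
        self.lender, self.seen = lender, []

    def on_receive(self, coin, amount):
        self.seen.append(self.lender.lp_price())

def run(check_lock):
    """Return (price before, prices read during the callbacks, price after)."""
    pool = ToyPool(1_000, 1_000, 2_000)      # constructed: 2,000 LP for 2,000 units
    lender = Lender(pool, check_lock)
    probe = PriceProbe(lender)
    before = lender.lp_price()
    pool.remove_liquidity(1_000, probe)      # withdraw half of the pool
    after = lender.lp_price()
    return before, probe.seen, after

if __name__ == "__main__":
    print("unguarded:", run(False))
    print("guarded  :", run(True))
```

Before and after the withdrawal the LP price is 1.0, but the unguarded lender sees 0.75 and then 0.5 during the two callbacks; in a real pool the attacker chooses the composition and the size of the withdrawal to push the read in whichever direction benefits the borrow, and the lesson is the same: an oracle read must be rejected, or taken from a source that cannot be mid-update, whenever the pool's lock is held.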

Hacker Address: 0x1863b74778cf5e1c9c482a1cdc2351362bd08611

Attack Txn: https://polygonscan.com/tx/0x0053490215baf541362fc78be0de98e3147f40223238d5b12512b3e26c0a2c2f

Exploited Contract: https://polygonscan.com/address/0x5bca7ddf1bcccb2ee8e46c56bfc9d3cdc77262bc#code

Reentrancy Attack: The Ultimate Guide

😈On Jan 16, 2024, an address lost $229,553 worth of WBTC and ETH after signing malicious phishing signatures on a phishing website.

Hack Txn: https://etherscan.io/tx/0x6d34b0f63da4f7402c467a657eb4c12894d1dfaa3b0095992d19eb64de2282fc

Victim: 0x23f8c7db7a1b656652e9726ab264c5b181418b9f

Scammer: 0x145f2b66b7bf5ad64b4ae21d1c77a20c61bf45a9

The victim signed three ERC20 Permit signatures, and the token spenders in them were temporary addresses pre-computed with CREATE2.

CREATE2, although an improvement over the earlier CREATE, is now increasingly used by scammers to carry out phishing attacks.
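The next block is an added example, not from the post, that turns the Permit checklist from the Jan 11 incident above and the CREATE2 point from this one into a wallet-side review of an EIP-2612 Permit request before it is signed. It flags an unlimited allowance, an unknown spender, a far-off deadline, and a spender address with no deployed code, which is what a CREATE2-precomputed drainer address looks like at signing time. The addresses, the code-size table, the trusted-spender list and the timestamps are constructed stand-ins.

```python
# Added example, not from the original post: review an EIP-2612 Permit request
# before signing. A real wallet would fetch code size via eth_getCode; here it
# is a constructed lookup table.

from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1

@dataclass(frozen=True)
class PermitRequest:          # fields of the EIP-2612 Permit typed-data struct
    token: str
    owner: str
    spender: str
    value: int
    nonce: int
    deadline: int

def review_permit(req, *, now, trusted_spenders, code_size, max_validity=3600):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    spender = req.spender.lower()
    if req.value == MAX_UINT256:
        findings.append("unlimited allowance requested; prefer the exact amount needed")
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append("spender is not a known contract for this dApp")
    if code_size.get(spender, 0) == 0:
        findings.append("spender has no code yet (EOA or not-yet-deployed CREATE2 address)")
    if req.deadline > now + max_validity:
        findings.append("deadline far in the future; a short-lived permit limits exposure")
    return findings

# Constructed placeholders, not real contracts or accounts.
TOKEN          = "0x" + "aa" * 20
OWNER          = "0x" + "bb" * 20
TRUSTED_ROUTER = "0x" + "11" * 20
PRECOMPUTED    = "0x" + "22" * 20          # CREATE2 address with nothing deployed yet
CODE_SIZE = {TRUSTED_ROUTER: 12_345, PRECOMPUTED: 0}
NOW = 1_705_000_000                        # constructed Unix time, mid-January 2024

def benign_request():
    return PermitRequest(token=TOKEN, owner=OWNER, spender=TRUSTED_ROUTER,
                         value=1_000 * 10**18, nonce=7, deadline=NOW + 600)

def phishing_like_request():
    return PermitRequest(token=TOKEN, owner=OWNER, spender=PRECOMPUTED,
                         value=MAX_UINT256, nonce=7, deadline=NOW + 365 * 86_400)

def review(req):
    return review_permit(req, now=NOW, trusted_spenders=[TRUSTED_ROUTER], code_size=CODE_SIZE)

if __name__ == "__main__":
    print("benign  :", review(benign_request()))
    print("suspect :", review(phishing_like_request()))
```

The benign request (known spender with code, bounded amount, ten-minute deadline) produces no findings; the suspect one trips all four checks. The "no code" finding alone is a strong signal: a legitimate dApp asks you to approve a contract that already exists.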

Explained: Create2 Opcode in Solidity

😈DeFi protocol Socket (@SocketDotTech) on Ethereum was exploited for ~$3.3M on Jan 16 due to a bad route added 3 days earlier.

Added Route tx: https://etherscan.io/tx/0x1df44e224c7a715da25fa33dcad2ca3a930d1a4dafd263e61c07b52673d505f4

This affected users who had given infinite approval to the SocketGateway contract: https://etherscan.io/address/0x3a23f943181408eac424116af7b7790c94cb97a5

The attacker took advantage of the incomplete user input validation to steal funds from the users who had approved the contract.

The Input Validation Vulnerability

The attack was carried out through an unsafe call in the performAction function.

Because of the incomplete input validation, when transferring 0 WETH the caller could specify any function in the call and still pass the balance check.

Exploiting this flaw, the attacker constructed calldata that called transferFrom() on arbitrary tokens and moved tokens that other users had approved to the contract.
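As an added example (not Socket's code), the toy gateway below holds user approvals and forwards a caller-supplied call, reproducing the validation gap just described: the only check is a balance delta, it is skipped when the amount is zero, and the function called is whatever the caller names. The hardened version never forwards a caller-chosen call, pulls only the caller's own funds, and rejects zero amounts. Token balances, allowances and account names are constructed.

```python
# Added example (not Socket's code): an arbitrary-call route step with a
# zero-amount bypass, beside a fixed-call version.

class Token:
    """Toy ERC20 with balances and (owner, spender) allowances; all values constructed."""
    def __init__(self, balances, allowances):
        self.balances = dict(balances)
        self.allowances = dict(allowances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, caller, owner, to, amount):
        """Move `amount` from `owner` to `to`, spending `caller`'s allowance."""
        key = (owner, caller)
        if self.allowances.get(key, 0) < amount or self.balance_of(owner) < amount:
            raise ValueError("allowance or balance too low")
        self.allowances[key] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount

GATEWAY = "gateway"   # the contract users have approved

def perform_action_vulnerable(token, amount, fn_name, args):
    """Route step that forwards a caller-chosen call on the token.

    The only safety check is a balance delta, and it is skipped when amount == 0,
    so a zero-amount request lets any call through unvalidated."""
    before = token.balance_of(GATEWAY)
    getattr(token, fn_name)(GATEWAY, *args)       # the gateway is msg.sender here
    if amount > 0 and token.balance_of(GATEWAY) < before + amount:
        raise ValueError("balance check failed")

def perform_action_hardened(token, caller, amount):
    """Same step with a fixed call: pull exactly `amount` of the caller's own funds."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    before = token.balance_of(GATEWAY)
    token.transfer_from(GATEWAY, caller, GATEWAY, amount)   # owner is always the caller
    if token.balance_of(GATEWAY) != before + amount:
        raise ValueError("unexpected balance change")

def fresh_token():
    # "other_user" approved the gateway earlier (an infinite-style approval) and
    # still holds 1,000 tokens; "caller" holds 500 and approved 500.
    return Token({"other_user": 1_000, "caller": 500},
                 {("other_user", GATEWAY): 1_000, ("caller", GATEWAY): 500})

def other_user_balance_after_zero_amount_request(hardened):
    """Balance of the uninvolved user after a zero-amount request goes through the route."""
    token = fresh_token()
    if hardened:
        try:
            perform_action_hardened(token, "caller", 0)    # rejected outright
        except ValueError:
            pass
        return token.balance_of("other_user")
    # Vulnerable: amount 0 skips the check and the forwarded call names another owner.
    perform_action_vulnerable(token, 0, "transfer_from", ("other_user", "caller", 1_000))
    return token.balance_of("other_user")

def gateway_balance_after_legit_deposit():
    token = fresh_token()
    perform_action_hardened(token, "caller", 500)
    return token.balance_of(GATEWAY)

if __name__ == "__main__":
    print("vulnerable, other user left with:", other_user_balance_after_zero_amount_request(False))
    print("hardened,   other user left with:", other_user_balance_after_zero_amount_request(True))
    print("hardened legit deposit, gateway holds:", gateway_balance_after_legit_deposit())
```

A contract that holds standing approvals from many users must never forward caller-controlled call targets or calldata; the hardened step has no parameter through which a different owner can be named, so the balance check is a consistency assertion rather than the only line of defence. The user-side mitigation Socket asked for, revoking approvals to the gateway, is what removes the exposure when such a route slips through.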

Attacker Add: https://etherscan.io/address/0x50df5a2217588772471b84adbbe4194a2ed39066

Hack Txn: https://etherscan.io/tx/0x591d054a9db63f0976e533f447df482bed5f24d7429646570b2108a67e24ce54

To contain the hack, the exploited contract was paused, and Socket asked its users to revoke all approvals to avoid loss of funds.

The bad route was also removed by Socket.

Disable route tx: https://etherscan.io/tx/0xac75adcc1cb3fef158c4f200c48fcbcbb9b6ce3250bdf3751d6231d41a9e604b

The Hack Aftermath

As of writing this, @SocketDotTech has informed the community that bridging has resumed on @BungeeExchange and on most of their partner frontends.

They also stated that they are conducting a detailed analysis of the exploit, the report of which would be shared later with the community.

😈DeFi protocol @BasketDAOOrg was hacked on Jan 17, 2024, for over $107K due to a vulnerability in its smart contract.

The attack was an arbitrary low-level call exploit that happened due to a bug in the contract’s approval process.

In March 2022, the same contract, along with another contract (0x01A903c12A2Dd87A5410173A29543504DF8bD14B), was found to have similar vulnerabilities, which had caused fund loss.

Hack Txn: https://etherscan.io/tx/0x97201900198d0054a2f7a914f5625591feb6a18e7fc6bb4f0c964b967a6c15f6

Hacked Contract: https://etherscan.io/address/0x4622aff8e521a444c9301da0efd05f6b482221b8

Attacker Add: https://etherscan.io/address/0x63136677355840F26c0695dD6DE5C9E4f514f8e8

😈On Jan 17, 2024, a victim on the Ethereum chain lost $149,435 worth of tokens due to signing malicious phishing signatures on a phishing site.

Hack Txn (Jan-17-2024 09:42:35 PM +UTC): https://etherscan.io/tx/0x98480bb8e5c212b4f408a3f74fbb94dc60529a97d14fe2356372b170ab320773

Victim Add: 0x373adc79ff63d5076d0685ca35031339d4e0da82

Scammer Add 1: 0x4f4314e1e81650497d46e5b2179f5f3430902011

Scammer Add 2: 0x9fA7bB759641FCd37fe4aE41f725e0f653f2C726 (PinkDrainer: Wallet 2)

😈In another phishing incident on Jan 17, 2024, a victim on the Ethereum chain lost $178,030 worth of Auction tokens (~6667 tokens) to the scammer's phishing maneuvers.

Hack Txn (Jan-17-2024 01:37:59 PM +UTC): https://etherscan.io/tx/0x8f6cb49baa8886d1d1fef5146afbccdb6075b3f0cc0fd3a9cf604fb9b9f0b94f

Victim Add: 0xefbf320e8bc2e0a051db24f73b6f5756deeddcda

Scammer Add 1: 0xa2f10ccba0f5950eea846be601d7e0a627144b4e

Scammer Add 2: 0xa3aa460c12713a000a33893b024d95db80945a2f (Fake_Phishing270927)

😈On Jan 18, 2022, Crosswise Finance (@crosswisefi), a cross-chain decentralized exchange (DEX), suffered an exploit that cost it funds worth in excess of $879k.

Hack Txn: https://bscscan.com/tx/0xd02e444d0ef7ff063e3c2cecceba67eae832acf3f9cf817733af9139145f479b

Exploiter Add: 0x748346113B6d61870Aa0961C6D3FB38742fc5089

The Hack Methodology

  1. The hack investigation showed that the hacker had used privileged functions to exploit the code. The privileged function (knowingly or unknowingly) had been exposed to the public.
  2. The hacker used this exposed privileged function to add a trusted forwarder and hijacked the owner privilege of the Crosswise Finance MasterChef contract.
  3. Once the attacker succeeded, he changed TrustedForwarder ownership by calling the setTrustedForwarder() function.
  4. The hacker then swapped 0.01 WBNB to 3.71 CRSS through a Crosswise router to withdraw funds from the protocol.
  5. In the next step, the hacker deposited 1 CROSS to the Crosswisefi Masterchef contract and created a new strategy in this controlled network to withdraw 692K CRSS.
  6. In the final step, the attacker swapped the 692K CRSS for 547 WBNB, which were transferred using TornadoCash, which was also used for the initial funding to carry out the exploit.

The Aftermath

  • @crosswisefi acknowledged the exploit and expelled 4 of its project developers over the lapse and a suspected insider role, and sought legal consultation on appropriate action.
  • To salvage the project and restore the confidence of its users, the team Crosswise decided to prepare a snapshot of the users’ holdings prior to the exploit and continue with the practice of taking snapshots after the project’s intended redeployment.
  • The entire code was put under the scrutiny of smart contract auditors to ensure the redeployment was free from any existing or new vulnerabilities.
  • A compensation plan was also discussed for the affected users post-relaunch of the project.
  • The users were urged not to buy or sell CRSS tokens or convert pre-sale tokens before redeployment. These existing tokens were planned to be replaced with new tokens post-relaunch.

Originally published at https://www.immunebytes.com on January 2, 2024.
