List of Crypto Hacks in the Month of March — ImmuneBytes

ImmuneBytes
3 min readMar 6, 2024

--

😈On March 5, 2024, Wootrade’s @_WOOFi WooPPV2 contract was targeted by malicious actors and got away with $8.5M worth of crypto assets on the Arbitrum chain.

The cause of the exploit is a price manipulation attack.
The price calculation in the WooPPV2 contract was flawed. The hacker exploited this flaw by flash-loaning $USDC.e and $Woo to manipulate the price.

This was followed by successive token swaps, which allowed the hacker to rake in profits due to price differences.

The attacker was initially funded by @TornadoCash on $ETH. Post exploit, the attacker has started obfuscating the stolen funds by transferring it to different EOAs and bridging them to other chains.

Exploited Contract: https://arbiscan.io/address/0xeFF23B4bE1091b53205E35f3AfCD9C7182bf3062

Exploiter Address: https://etherscan.io/address/0x9961190B258897BCa7a12B8f37F415E689D281C4

At the time of writing this, the exploiter is still holding ~$730K at this address.

Other Address Receiving Stolen Funds: https://arbiscan.io/address/0xb59d04d9957c9e266dff5c4173d4d2324eb029ad (~$7.4M)

Hack Txn: https://arbiscan.io/tx/0x57e555328b7def90e1fc2a0f7aa6df8d601a8f15803800a5aaf0a20382f21fbd

Hack Response:

On realizing the exploit, @_WOOFi immediately paused the affected contract and asked all its users to revoke approvals to the said contract.

The contract was paused within 13 minutes of the exploit, as per the officially released statement. This prevented the losses from escalating.

The vulnerabilities in the exploited contract are being rectified. WOOFi Swap is expected to be fully functional again within the next two weeks, as per the team @_WOOFi.

The team also confirmed that the current user assets in Earn vaults were not impacted in the exploit.
Oracle price manipulation attacks using flash loans are not new. There have been several crypto exploits in the past which have caused huge losses to the defi projects.

Know about Oracle Price Manipulation attacks and how they are executed in detail here:
What are Oracle Manipulation Attacks in Blockchain?

A detailed insight into flash loan attacks can be found here:
What Is A Flash Loan Attack, And How To Prevent It?

Top 10 Flash Loan Attacks

👿On Mar 6, 2024, a user on the Ethereum chain lost ~1.1 million $PAAL, worth ~$700K, when it signed a Uniswap Permit2 malicious signature.

Victim:
0x77d4a46b39f2e206411280a12c9344b769ff1066

Contract Address: 0x0528BEc5405178F112A0cdA7266c92c04Ad28260

Scammers:

  • 0xf3f436aa46406eb77ede9abeee410aadddfb68f4
  • 0x0000db5c8B030ae20308ac975898E09741e70000 (#Fake_Phishing187019)

Phishing Txn: https://etherscan.io/tx/0x3e47db5a54e132886f648f5c5f17f3ce6ef750455aa911bec5508b7a5b2df33d

Do you know what Permit2 signatures are and what risks are associated with them? Learn about it here: PERMIT2 ERC-20 Token Approvals and Associated Risks

👿On Mar 6, 2024, the TGBS token was exploited for ~$151k by using a flash loan attack.

What Is A Flash Loan Attack, And How To Prevent It?

The hacker’s modus operandi was to repeatedly transfer a small amount of TGBS to themself, which triggered the burning of tokens on the LP.

As a result, the token price fluctuated, which the exploiter manipulated to rake in profits.

The attacker was initially funded by Tornado Cash
.

Attacker:
0xff1db040e4f2a44305e28f8de728dabff58f01e1

Due to the exploit, the TGBS token prices took a steep fall and have yet to regain their lost levels.

Hack Txn: https://bscscan.com/tx/0xa0408770d158af99a10c60474d6433f4c20f3052e54423f4e590321341d4f2a4

Malicious Contract:
0x1a8eb8eca01819b695637c55c1707f9497b51cd9

Victim contract:
0xedecfa18cae067b2489a2287784a543069f950f4 (TGBS)

👿On March 7, 2023, defi lender Tender Finance (Now Glend @GemachLend ) was exploited for ~$1.59 million through flash loan attacks.

By manipulating the misconfigured price oracle, the hacker borrowed $1.59 million worth of assets from the protocol by depositing 1 GMX token, which was valued at $71

The exploiter (who later turned out to be a white hat / ethical hacker) sent an on-chain message to Tender.fi mentioning that Tender Finance’s Oracle was misconfigured and asking them to get in touch with him to fix this misconfiguration.

Ref. https://arbiscan.io/tx/0x38ae60739af0726831957546d9d16c92ed75164a1581d4e4e6f270917913ab9c

Tender Finance later confirmed that the white hat hacker returned the funds for a bounty reward of $97,000 (62.15 ETH).

Oracle price manipulations have the potential to wreck any defi project.

Oracles act as a bridge between blockchains and the outside world by supplying them with real-world data, most commonly price feeds. Any error in the feed can be manipulated by malicious actors, resulting in big losses.

Good Read: What are TWAP Oracles, and How are they different from Uniswap?

Originally published at https://www.immunebytes.com on March 6, 2024.

--

--

ImmuneBytes
ImmuneBytes

Written by ImmuneBytes

Build a hack-proof solution with the industry’s leading blockchain security company.