List of Crypto Hacks in the Month of May — ImmuneBytes

ImmuneBytes, May 15, 2024

😈On May 5, 2024, the decentralized computing platform @GnusAi was hacked for ~$1.27M when an attacker minted counterfeit GNUS tokens on the Fantom chain and sold them on the #ethereum chain.

The root cause has not been confirmed. The working theory is that the attacker reused the CREATE2 salt of the token manager deployed on Ethereum and redeployed it on Fantom; because a CREATE2 address depends only on the deployer, the salt and the init code (not on the chain), this lands the counterfeit contract at the same address that the bridge trusts on Ethereum.

Subsequently, the attacker minted around 500k GNUS tokens, bridged them to the Ethereum and Polygon chains via the Axelar bridge (@axelarnetwork), and sold them for 407 ETH (~$1.27M).

The Hack Aftermath

Team @GnusAi acknowledged the hack on its X handle and stated that it would take a snapshot of the block before the exploit and issue a new token shortly.

It also strongly advised users not to purchase $GNUS tokens, since tokens on the market could be counterfeits created by the hacker.

Attacker address: https://ftmscan.com/address/0x548c63a6a7299ab54762e1bfa6b56c1b94c2a820

Mint fake $GNUS Txn:
https://ftmscan.com/tx/0xd7dbbf47e4454a94f30f0ff034e3fb0040895347a41d974d524f7af066b4677d

Bridging Minted Tokens to #Ethereum Txn:
https://ftmscan.com/tx/0x9fe599bfb8bd381b1f2d07b685e00e501828f68a9f9596050aa8f63a25c12ec6

Bridge Txn: https://etherscan.io/tx/0x28ae708cb7d05392fb260f465fd7170fe79a657328b775cca5c4ad76246d8672

😈On May 8, 2024, the $GPU token on the #BNB chain was exploited for ~$32K through a smart contract vulnerability. On news of the exploit, the price of $GPU crashed by 100%.

The vulnerability lies in the internal _balances update of the token's transfer function. The contract reads the sender's and the recipient's balances into local variables first, then writes the sender's reduced balance and, after that, the recipient's increased balance. When sender and recipient are the same address, the second write overwrites the first with the stale cached balance plus the amount.

In other words, transferring tokens to yourself increases your balance by the transferred amount instead of leaving it unchanged, and repeating the self-transfer mints tokens out of thin air.

Exploit Txn: https://bscscan.com/tx/0x2c0ada695a507d7a03f4f308f545c7db4847b2b2c82de79e702d655d8c95dadb

Exploiter:
https://bscscan.com/address/0xcc78063840428c5ae53f3dc6d80759984788cbc0

Malicious contract:
https://bscscan.com/address/0x5234001627a376f5e0accb082548a283b1fa1586

Exploited contract:
https://bscscan.com/address/0xf51cbf9f8e089ca48e454eb79731037a405972ce

😈On May 10, 2024, @GalaxyFoxToken on Ethereum mainnet was exploited for ~$330K.

The exploiter appears to have profited by falsely claiming 1.33 GFOX tokens, worth 108 WETH, through a smart contract vulnerability. The exploit led to a 77% drop in the token's price.

The attack included 2 transactions with the same target contract: 0x11a4a5733237082a6c08772927ce0a2b5f8a86b6

Attacker 1:
0xfce19f8f823759b5867ef9a5055a376f20c5e454

Attack contract 1:
0x86c68d9e13d8d6a70b6423ceb2aedb19b59f2aa5

Attack transaction 1, loss of 100 ETH (~$300K):
0x12fe79f1de8aed0ba947cec4dce5d33368d649903cb45a5d3e915cc459e751fc

Attacker 2:
0x14b362d2e38250604f21a334d71c13e2ed478467

Attack contract 2:
0x347ed8eae1fb74767d894dca327c92c2ec4b7287

Attack transaction 2, loss of ~27M $GFOX, swapped to 2.32ETH (~$7K):
0x6a3d91fbd0a865a56c4efa7c540f28adcf7b569df44c9d50e1f86ab51b177405

😈The Bitcoin DeFi protocol @ALEXLabBTC lost ~$4.3M worth of assets in an exploit on May 14, 2024.

The cause is believed to be a private key compromise: initial analysis shows that the deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b carried out four malicious upgrades to the proxy contract associated with @ALEXLabBTC.

The upgrades pointed the bridge endpoint proxy at a new implementation whose bytecode is unverified, after which the attacker controlled what the endpoint executed.
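Upgrades like these are visible on-chain before any funds move, because an EIP-1967 proxy keeps its implementation and admin addresses in two fixed storage slots. Below is an added example written for this editing pass (not ALEX Lab's or ImmuneBytes' code) of a minimal monitor over periodic readings of those slots. The slot constants are the standard EIP-1967 values; the readings, addresses and allowlist are constructed placeholders that mirror the pattern of four consecutive upgrades, and the function names are this example's own.

```python
# Added example: detect implementation upgrades and admin changes of an EIP-1967 proxy from
# periodic storage reads (what eth_getStorageAt returns for the two well-known slots).

# keccak256("eip1967.proxy.implementation") - 1 and keccak256("eip1967.proxy.admin") - 1
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103


def word_to_address(word_hex: str) -> str:
    """Decode a 32-byte storage word into a 20-byte address.
    Non-zero bytes in the upper 12 positions mean the slot does not hold a plain address."""
    raw = bytes.fromhex(word_hex[2:].rjust(64, "0"))
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError(f"slot word is not a clean address: {word_hex}")
    return "0x" + raw[12:].hex()


def audit_proxy(readings, verified_implementations, expected_admin):
    """readings: list of {"block": int, "impl": word, "admin": word}, oldest first.
    Returns one alert per change; upgrades to code without verified source and any
    admin change away from the expected admin are marked critical."""
    alerts = []
    prev_impl = prev_admin = None
    for r in readings:
        impl = word_to_address(r["impl"])
        admin = word_to_address(r["admin"])
        if prev_impl is not None and impl != prev_impl:
            alerts.append({
                "block": r["block"], "kind": "upgrade", "from": prev_impl, "to": impl,
                "severity": "info" if impl in verified_implementations else "critical",
            })
        if prev_admin is not None and admin != prev_admin:
            alerts.append({
                "block": r["block"], "kind": "admin-change", "from": prev_admin, "to": admin,
                "severity": "info" if admin == expected_admin else "critical",
            })
        prev_impl, prev_admin = impl, admin
    return alerts


def _word(address: str) -> str:
    """Encode an address the way a storage read returns it: left-padded to 32 bytes."""
    return "0x" + address[2:].lower().rjust(64, "0")


# Constructed sample data (placeholders, not real contracts): one legitimate upgrade
# (v1 -> v2), then an admin change followed by four upgrades to unverified code.
EXPECTED_ADMIN = "0x" + "ad" * 20
VERIFIED_IMPLEMENTATIONS = {"0x" + "11" * 20, "0x" + "22" * 20}
SAMPLE_READINGS = [
    {"block": 1000, "impl": _word("0x" + "11" * 20), "admin": _word(EXPECTED_ADMIN)},
    {"block": 2000, "impl": _word("0x" + "22" * 20), "admin": _word(EXPECTED_ADMIN)},
    {"block": 3000, "impl": _word("0x" + "a1" * 20), "admin": _word("0x" + "ba" * 20)},
    {"block": 3010, "impl": _word("0x" + "a2" * 20), "admin": _word("0x" + "ba" * 20)},
    {"block": 3020, "impl": _word("0x" + "a3" * 20), "admin": _word("0x" + "ba" * 20)},
    {"block": 3030, "impl": _word("0x" + "a4" * 20), "admin": _word("0x" + "ba" * 20)},
]


def sample_alerts():
    return audit_proxy(SAMPLE_READINGS, VERIFIED_IMPLEMENTATIONS, EXPECTED_ADMIN)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["block"], a["severity"].upper(), a["kind"], a["from"], "->", a["to"])
```

In production the readings come from eth_getStorageAt on every new block (or from the proxy's Upgraded(address) event stream), and a "critical" alert should be wired to a pause or to an on-call page: an upgrade to bytecode with no verified source deserves attention regardless of which key signed it, since a compromised deployer key signs exactly like the legitimate one.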

Attacker address:
https://bscscan.com/address/0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E

The attacker behind this exploit was also involved in the attack on another DeFi protocol, @Mars_DeFi412.

Within an hour of the upgrades, the attacker drained funds in a series of withdrawal transactions, moving a total of ~$4.3 million worth of digital assets to two addresses, both of which had been funded from Tornado Cash.

The Hack Aftermath

@ALEXLabBTC confirmed the hack through a post on their official X handle and communicated that a significant portion of stolen funds had been frozen with the close collaboration of crypto exchanges, partners, and contributors.

Team ALEX has also offered the exploiter a 10% white hat bug bounty in return for the stolen funds, with a deadline of 18 May at 08:00 UTC.

If the funds are not returned by that deadline, Team ALEX will pursue all available legal remedies to identify and prosecute whoever is responsible for the hack.

😈On May 14, 2024, the decentralized exchange @predyfinance on Arbitrum (#ARB) was attacked, losing $464K worth of crypto assets from its lending pool.

The attacker's address had been funded through @FixedFloat 45 days before the attack.
Ref. https://arbiscan.io/address/0xe1783b01639818ec1069890eff251f26ea936653

The Hack Aftermath

Predy Finance acknowledged the hack through an official post on its X handle.

It stated that the hack is being investigated and advised users who had previously interacted with the lending pool to revoke approvals for the exploited contracts to avoid further loss of funds.

Predy Finance uses Permit2 for token access, so users never approved Predy's contracts directly; what must be revoked is the Permit2 allowance granted to the contracts below.

The contracts for which approval should be revoked are:

  • 0x02C9Ad1Aa219BCF221C3f915c45595f1d24928a1
  • 0x92027Eb7caa12EC06f9Ba149c9521A1A48921514

Users can revoke approvals via the Arbiscan token approval checker: https://arbiscan.io/tokenapprovalchecker?search

Predy Finance has left an on-chain message urging the exploiter to return the stolen funds by May 17th at 08:00 UTC in exchange for a 10% white hat bug bounty, failing which the strictest legal action will be taken against the exploiter.

Ref: https://arbiscan.io/tx/0x3126bdf7adbd12a694f008001a0d7c9080cc7ab7ef12d436cf9104c9d595bc85

Movement of Stolen Funds

After the hack, around 100 ETH (~$293K) was bridged to Ethereum mainnet and is currently parked at https://etherscan.io/address/0xeDe4E01347C012BD57302ea606095FB1eC5c848E

The remaining ~$217K in WETH is held at the attacker's address on Arbitrum: https://arbiscan.io/address/0x76b02ab483482740248e2ab38b5a879a31c6d008

Technical Details

Attack transaction:
https://arbiscan.io/tx/0xbe163f651d23f0c9e4d4a443c0cc163134a31a1c2761b60188adcfd33178f50f

Attacker:
https://arbiscan.io/address/0x76b02ab483482740248e2ab38b5a879a31c6d008

Attack contract:
https://arbiscan.io/address/0x8affdd350eb754b4652d9ea5070579394280cad9

Targeted contract:
https://arbiscan.io/address/0x9215748657319B17fecb2b5D086A3147BFBC8613

😈DeFi lending protocol @SonneFinance on the #Optimism chain came under a flash loan attack on May 14, 2024, and lost ~$20M worth of assets before the attack was contained.

To contain the attack, the team paused all of its markets on Optimism. Team @SonneFinance has also stated that its markets on the Base chain are unaffected.

The soVELO, USDC, and WETH market contracts were targeted in this attack.

Official Reason for the Exploit

Sonne Finance has released a post-mortem report stating that the attack used the known "donation" (exchange-rate manipulation) technique against Compound v2 forks: underlying tokens are transferred directly into a near-empty market to inflate its exchange rate, so that a tiny cToken position suddenly counts as large collateral.

It was also disclosed that the exploiter could have stolen an additional ~$6.5M worth of assets had preventive measures not been taken in time.

Team Sonne Finance is willing to negotiate a white hat bug bounty with the attacker in return for the stolen funds.
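For readers unfamiliar with the class of attack the post-mortem names, here is an added example (written for this editing pass, not Sonne's post-mortem code and not a reconstruction of the Sonne transaction) that models the general Compound v2 exchange-rate inflation attack in integer arithmetic. In a Compound v2 market the exchange rate is (cash + borrows - reserves) / totalSupply. If totalSupply is a few wei, a direct transfer of underlying into the cToken contract inflates the rate, those few cTokens become large collateral, and because redeemUnderlying rounds the number of cTokens to burn down while the liquidity check is priced at the pre-redeem rate, the attacker can then withdraw nearly all of the donated cash after borrowing against it. The 1:1 initial rate, the 0.9 collateral factor, the 1:1 price of the borrowed asset and all amounts are assumptions of this model; the seeded-market variant at the end shows the standard mitigation of permanently minting an unredeemable initial supply.

```python
# Added example: integer model of the "donation" (exchange-rate inflation) attack on a
# near-empty Compound v2-style market, beside the seeded-market mitigation.
# All values are assumptions for the model, not figures from the Sonne incident.

EXP = 10**18
COLLATERAL_FACTOR = 9 * 10**17      # 0.9 scaled by 1e18 (assumed)


class CToken:
    """Minimal cToken: exchange rate = cash / totalSupply; every division rounds down."""

    def __init__(self):
        self.cash = 0               # underlying actually held by the market
        self.total_supply = 0       # cTokens in circulation
        self.balances = {}

    def exchange_rate(self):
        if self.total_supply == 0:
            return EXP              # assumed initial rate: 1 underlying = 1 cToken
        return self.cash * EXP // self.total_supply

    def mint(self, user, amount):
        tokens = amount * EXP // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[user] = self.balances.get(user, 0) + tokens
        return tokens

    def donate(self, amount):
        # A plain ERC20 transfer into the market: cash rises, nothing is minted,
        # so the exchange rate jumps for whoever already holds cTokens.
        self.cash += amount

    def collateral_value(self, tokens):
        return tokens * self.exchange_rate() // EXP

    def borrow_allowed(self, user, debt, amount):
        capacity = self.collateral_value(self.balances.get(user, 0)) * COLLATERAL_FACTOR // EXP
        return capacity >= debt + amount

    def redeem_underlying(self, user, amount, debt):
        rate = self.exchange_rate()
        tokens = amount * EXP // rate   # rounds DOWN: burns fewer cTokens than `amount` is worth
        remaining = self.balances.get(user, 0) - tokens
        if remaining < 0 or amount > self.cash:
            raise ValueError("insufficient cTokens or market cash")
        # Comptroller-style hypothetical liquidity check, priced at the PRE-redeem rate.
        if self.collateral_value(remaining) * COLLATERAL_FACTOR // EXP < debt:
            raise ValueError("redeem would leave the account undercollateralized")
        self.balances[user] = remaining
        self.total_supply -= tokens
        self.cash -= amount
        return tokens


def run_attack(seed_tokens=0, donation=10_000 * EXP):
    """Play the attack against an empty market (seed_tokens=0) or a seeded one.
    Returns the attacker's net gain with the borrowed asset priced 1:1, and whether
    the protocol is left with debt its remaining collateral cannot cover."""
    market = CToken()
    if seed_tokens:
        market.mint("0xdead", seed_tokens)  # mitigation: permanently unredeemable supply
    me = "attacker"
    market.mint(me, 2)                      # 2-wei position: total supply stays tiny
    market.donate(donation)                 # inflate the exchange rate

    # Borrow (from another market) against all but ONE of our cTokens ...
    borrow = market.collateral_value(market.balances[me] - 1) * COLLATERAL_FACTOR // EXP
    if not market.borrow_allowed(me, 0, borrow):
        raise RuntimeError("model inconsistency: borrow should be allowed")
    debt = borrow
    # ... then redeem one wei less than the whole position is worth: the rounded-down
    # cToken count is 1, the liquidity check still passes, and nearly all cash leaves.
    amount = market.collateral_value(market.balances[me]) - 1
    market.redeem_underlying(me, amount, debt)

    leftover = market.collateral_value(market.balances[me])
    return {
        "profit": borrow + amount - (2 + donation),
        "market_cash": market.cash,
        "bad_debt": debt > leftover * COLLATERAL_FACTOR // EXP,
    }


if __name__ == "__main__":
    print("empty market :", run_attack())
    print("seeded market:", run_attack(seed_tokens=10**18))
```

Against the empty market the attacker ends up with essentially the whole borrow as profit and the market with 1 wei of cash backing an uncovered debt; against a market seeded with 1e18 unredeemable cTokens the same donation barely moves the exchange rate, the rounding gain is a few wei, and the attack loses money. That is why Compound v2 forks should never list a market with an empty or drainable supply, and why Compound v3 and newer forks round against the redeemer rather than in their favour.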

What Happened to the Stolen Funds?

At the time of writing this, the stolen funds have been parked at the following addresses:

  • 0x02FA2625825917E9b1F8346a465dE1bBC150C5B9
  • 0x5D0D99e9886581ff8fCB01F35804317f5eD80BBb
  • 0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43
  • 0x6277ca71ffca08e691a6dd3ab05b98c0a8994c07

Other Addresses Involved

  • 0x4ab93fc50b82d4dc457db85888dfdae28d29b98d
  • 0xbd18100a168321701955e348f03d0df4f517c13b
  • 0x7e97b74252b6df53caf386fb4c54d4fb59cb6928
  • 0x9f09ec563222fe52712dc413d0b7b66cb5c7c795
  • 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb
  • 0x6277ab36a67cfb5535b02ee95c835a5eec554c07

Technical Details:

Hack Txn: https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0

Attacker:
https://optimistic.etherscan.io/address/0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43

Attack contract:
https://optimistic.etherscan.io/address/0x02fa2625825917e9b1f8346a465de1bbc150c5b9

Targeted contracts:

😈On May 14, 2021, the SX vault contract (http://vaults.sx) on the EOS mainnet was exploited through a re-entrancy attack, losing ~$13.5M in the incident.

Background on re-entrancy attacks: https://immunebytes.com/blog/reentrancy-attack/

In the heist, a total of 1,180,142.5653 EOS (~$13M) and 461,796.8968 USDT were stolen. At the time, it was the biggest hack on the EOS mainnet.

Exploited Contract
https://bloks.io/account/vaults.sx

The exploiter abused a vulnerability in the smart contract that a detailed and careful audit could have identified before the contract was deployed to mainnet.

😈On May 17, 2024, the token launch platform @pumpdotfun was exploited for ~$1.9M when a former employee abused retained privileged access (effectively a private key compromise) and drained ~12.3K SOL.

The Hack Flow

The rogue employee borrowed SOL through flash loans on a Solana lending protocol and used it to buy into various coins, pushing their bonding curves to 100%.

Once a curve reached 100%, the exploiter used the privileged access to withdraw the bonding curve liquidity and repaid the flash loans from the proceeds.

The Attacker

An account on X with the handle @STACCoverflow claimed responsibility for the attack immediately after the exploit.

He posted that he intended to redistribute the "remaining balances of bonding curves" to certain token holders rather than keep the stolen funds.

The account allegedly belongs to a doxxed developer previously employed at Pump.Fun.

The attacker has already carried out random airdrops of SOL, and multiple addresses have received the windfall.

The Hack Aftermath

To contain the hack and prevent further loss, trading on http://pump.fun was halted at 17:00 UTC, and @pumpdotfun upgraded its contracts so that the attacker could not continue the exploit.

Post-hack analysis revealed that ~$45M of liquidity in the bonding curve contracts had been at risk, but the exploiter managed to take only ~$1.9M.

The Pump.Fun team has now successfully redeployed the contracts, and trading has also been unpaused.

The Mitigation

To counter the FUD surrounding the platform, Pump.Fun decided to offer 0% trading fees for the next 7 days.

Coins that reached 100% on their bonding curves between 15:21 and 17:00 UTC (the window of the exploit) are untradable until LPs are deployed for them on Raydium.

The Pump.Fun team stated that within 24 hours the LPs for all affected coins would be seeded with an equal or greater amount of SOL liquidity than each coin had at 15:21 UTC.

Team Pump.Fun is committed to avoiding a repeat of such security incidents, and therefore, it is collaborating with blockchain security firms to put a security mechanism in place that would minimize the risks of similar exploits in the future.

😈In yet another setback for the Web3 space, on May 20, 2024, Gala Games @GoGalaGames was exploited for a staggering ~$212M.

The hack resulted from the compromise of a private key with administrator privileges.

Using this unauthorized access, the attacker minted ~5B $GALA tokens, worth ~$212M at the time of the hack.


According to the latest update, the attacker has already swapped 599 million $GALA for ~5.9K ETH (~$21.8M) via the decentralized exchange Uniswap.

A total of ~12B $GALA tokens were exposed to the exploit, but because the unauthorized access was blocked quickly, the hacker managed to mint only ~5B tokens.

The price of $GALA took a hit of 20% before making a marginal recovery.

The Official Version

In a post two hours after the hack, Gala Games CEO @Benefactor0101 acknowledged the incident and confirmed that it was contained within 45 minutes of its discovery.

He also stated that it was an isolated security incident and that the unauthorized access used to execute the hack has been removed. He added that Gala Games' ETH smart contract is unaffected and is being secured using a multisig wallet.

Team Gala Games is in touch with law enforcement agencies (FBI, DOJ) to identify the culprit and recover the stolen funds.

It is Not the First Time for GALA Games

In November 2021, Gala Games lost around $130 million (~8.65 billion GALA tokens) in a security incident. That theft was also deemed an inside job, involving Wright Thurston, one of the company's founders.

In 2023, the SEC charged him in a case involving the alleged sale of $18 million worth of unregistered securities in the form of a cryptocurrency called GREEN, tied to a proposed global decentralized power grid.

In November 2023, Gala Games experienced another ~$1B exploit, but it turned out to be a white-hat hack and did not result in any loss of funds.

Technical Details

Attacker:
https://etherscan.io/address/0xe2ca471124b124831e231fb835778840ad100f97

Targeted contract:
https://etherscan.io/address/0xd1d2eb1b1e90b638588728b4130137d262c87cae

Hack Txn: https://etherscan.io/tx/0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe

😈$YON on BNB Chain was exploited on May 22, 2024, losing 190 $BNB (~$118K). The root cause was an access control vulnerability.

The Vulnerability

The transferFrom function of the target contract (YON) lacks the access control that should restrict who may move a holder's tokens, namely the spender allowance check. The attacking contract could therefore transfer $YON belonging to other holders directly into the LP contract and cash them out.
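The $GPU entry (May 8) and this $YON entry are two different bugs in the same ten lines of an ERC20 implementation, so one added example covers both. The block below is written for this editing pass and is not the real code of either token: it models a token ledger in Python with a `vulnerable` switch that reproduces (a) the cached-balance self-transfer overwrite and (b) a transferFrom that never checks the allowance, and shows the corrected ordering and check beside each. Account names and amounts are constructed.

```python
# Added example: two ERC20 transfer bugs modelled in Python, each beside its fix.
#   (a) $GPU-style self-transfer: balances are cached, then written back in two steps, so a
#       transfer to yourself overwrites the debit with the stale balance plus the amount.
#   (b) $YON-style transferFrom with no allowance check: any caller can move any holder's tokens.
# Names and amounts are constructed; this is not either token's real contract code.


class Token:
    def __init__(self, holders: dict, vulnerable: bool):
        self.balances = dict(holders)
        self.allowances = {}            # (owner, spender) -> remaining allowance
        self.vulnerable = vulnerable

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _transfer(self, sender, recipient, amount):
        sender_balance = self.balance_of(sender)
        if amount > sender_balance:
            raise ValueError("transfer amount exceeds balance")
        if self.vulnerable:
            # BUG (a): both balances are read up front. When sender == recipient, the
            # second write replaces the debited balance with recipient_balance + amount.
            recipient_balance = self.balance_of(recipient)
            self.balances[sender] = sender_balance - amount
            self.balances[recipient] = recipient_balance + amount
        else:
            # FIX: debit first, then credit from a fresh read of the recipient balance,
            # so a self-transfer nets to zero.
            self.balances[sender] = sender_balance - amount
            self.balances[recipient] = self.balance_of(recipient) + amount

    def transfer(self, caller, recipient, amount):
        self._transfer(caller, recipient, amount)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, recipient, amount):
        if not self.vulnerable:
            # FIX for (b): the caller must hold an allowance from `owner`, and it is spent.
            allowed = self.allowances.get((owner, caller), 0)
            if amount > allowed:
                raise PermissionError("insufficient allowance")
            self.allowances[(owner, caller)] = allowed - amount
        # BUG (b): the vulnerable variant skips straight to moving owner's tokens.
        self._transfer(owner, recipient, amount)


def self_transfer_demo(vulnerable: bool) -> int:
    """Attacker holds 100 units and transfers 100 to itself; returns the resulting balance."""
    token = Token({"attacker": 100}, vulnerable)
    token.transfer("attacker", "attacker", 100)
    return token.balance_of("attacker")


def unchecked_transfer_from_demo(vulnerable: bool):
    """Attacker moves a victim's 1_000 units into the LP pair without any approval.
    Returns (victim_balance, pair_balance), or None if the token correctly rejects it."""
    token = Token({"victim": 1_000, "lp_pair": 50_000}, vulnerable)
    try:
        token.transfer_from("attacker", "victim", "lp_pair", 1_000)
    except PermissionError:
        return None
    return token.balance_of("victim"), token.balance_of("lp_pair")


if __name__ == "__main__":
    print("self-transfer, vulnerable:", self_transfer_demo(True), " fixed:", self_transfer_demo(False))
    print("transferFrom,  vulnerable:", unchecked_transfer_from_demo(True),
          " fixed:", unchecked_transfer_from_demo(False))
```

In Solidity the same two rules read: debit `_balances[from]` before crediting `_balances[to]` (never cache both reads and write both back), and have `transferFrom` spend the caller's allowance before moving anything. Both checks are cheap enough that skipping them is never a gas optimization, and an audit should flag any token whose `transferFrom` does not touch `allowance` at all.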


😈On May 24, 2021, Autoshark Finance was exploited in a flash loan attack, losing ~$745K.

The Hack Flow & Vulnerability

The attack on Autoshark was not an isolated incident: it followed a similar hack of PancakeBunny on May 19, 2021 (22:34:28 UTC) that used the same modus operandi.

The primary cause was a flaw in the incentive reward mechanism of the SharkMinter contract.

The exploiter made a small deposit into the SHARK-BNB vault and took a 100K BNB flash loan from PancakeSwap.

Of the 100K BNB, the attacker swapped 50K BNB for SHARK tokens.

The remaining 50K BNB and the swapped SHARK were then sent directly to the SharkMinter contract.

The minter interpreted this large inflow of tokens as profit it had generated, and so it proceeded to mint rewards according to its reward logic.

By calling getReward, the hacker had the contract mint 100M SHARK as a reward, plus 15M for the dev and 20M for the referrer.

The hacker sold the 135M newly minted SHARK tokens for 102K WBNB and, after repaying the flash loan, walked away with a profit of ~2.2K WBNB.

Exploit Txn:
https://bscscan.com/tx/0xfbe65ad3eed6b28d59bf6043debf1166d3420d214020ef54f12d2e0583a66f13

Originally published at https://www.immunebytes.com on May 15, 2024.
