List of Largest Crypto Hacks in 2024 — ImmuneBytes

ImmuneBytes
27 min readMar 6, 2024

👿On Mar 6, 2024, a user on the Ethereum chain lost ~1.1 million $PAAL, worth ~$700K, when it signed a Uniswap Permit2 malicious signature.

Victim:
0x77d4a46b39f2e206411280a12c9344b769ff1066

Contract Address: 0x0528BEc5405178F112A0cdA7266c92c04Ad28260

Scammers:

  • 0xf3f436aa46406eb77ede9abeee410aadddfb68f4
  • 0x0000db5c8B030ae20308ac975898E09741e70000 (#Fake_Phishing187019)

Phishing Txn: https://etherscan.io/tx/0x3e47db5a54e132886f648f5c5f17f3ce6ef750455aa911bec5508b7a5b2df33d

Do you know what Permit2 signatures are and what risks are associated with them? Learn about it here: PERMIT2 ERC-20 Token Approvals and Associated Risks

👿On Mar 6, 2024, the TGBS token was exploited for ~$151k by using a flash loan attack.

What Is A Flash Loan Attack, And How To Prevent It?

The hacker’s modus operandi was to repeatedly transfer a small amount of TGBS to themself, which triggered the burning of tokens on the LP.

As a result, the token price fluctuated, which the exploiter manipulated to rake in profits.

The attacker was initially funded by Tornado Cash
.

Attacker:
0xff1db040e4f2a44305e28f8de728dabff58f01e1

Due to the exploit, the TGBS token prices took a steep fall and have yet to regain their lost levels.

Hack Txn: https://bscscan.com/tx/0xa0408770d158af99a10c60474d6433f4c20f3052e54423f4e590321341d4f2a4

Malicious Contract:
0x1a8eb8eca01819b695637c55c1707f9497b51cd9

Victim contract:
0xedecfa18cae067b2489a2287784a543069f950f4 (TGBS)

😈On March 5, 2024, Wootrade’s @_WOOFi WooPPV2 contract was targeted by malicious actors and got away with $8.5M worth of crypto assets on the Arbitrum chain.

The cause of the exploit is a price manipulation attack.
The price calculation in the WooPPV2 contract was flawed. The hacker exploited this flaw by flash-loaning $USDC.e and $Woo to manipulate the price.

This was followed by successive token swaps, which allowed the hacker to rake in profits due to price differences.

The attacker was initially funded by @TornadoCash on $ETH. Post exploit, the attacker has started obfuscating the stolen funds by transferring it to different EOAs and bridging them to other chains.

Exploited Contract: https://arbiscan.io/address/0xeFF23B4bE1091b53205E35f3AfCD9C7182bf3062

Exploiter Address: https://etherscan.io/address/0x9961190B258897BCa7a12B8f37F415E689D281C4

At the time of writing this, the exploiter is still holding ~$730K at this address.

Other Address Receiving Stolen Funds: https://arbiscan.io/address/0xb59d04d9957c9e266dff5c4173d4d2324eb029ad (~$7.4M)

Hack Txn: https://arbiscan.io/tx/0x57e555328b7def90e1fc2a0f7aa6df8d601a8f15803800a5aaf0a20382f21fbd

Hack Response:

On realizing the exploit, @_WOOFi immediately paused the affected contract and asked all its users to revoke approvals to the said contract.

The contract was paused within 13 minutes of the exploit, as per the officially released statement. This prevented the losses from escalating.

The vulnerabilities in the exploited contract are being rectified. WOOFi Swap is expected to be fully functional again within the next two weeks, as per the team @_WOOFi.

The team also confirmed that the current user assets in Earn vaults were not impacted in the exploit.
Oracle price manipulation attacks using flash loans are not new. There have been several crypto exploits in the past which have caused huge losses to the defi projects.

Know about Oracle Price Manipulation attacks and how they are executed in detail here:
What are Oracle Manipulation Attacks in Blockchain?

A detailed insight into flash loan attacks can be found here:
What Is A Flash Loan Attack, And How To Prevent It?

Top 10 Flash Loan Attacks

😈On Feb 29, 2024, Shido blockchain’s Ethereum staking contract has been exploited for ~$35m worth 4,353,473,223.864904 $SHIDO.

This number of SHIDO tokens drained out by the exploiter happens to be around half of the current circulating token supply of the token, which is 9 billion.

Due to the exploit, the SHIDO token prices quickly plummeted by 94% within the first 30 minutes.

How the Hack Was Executed?

The ownership of the contract was changed to a new address (0x1982), which immediately after acquiring the ownership, upgraded the StakingV4Proxy contract using a hidden withdrawToken() function, which was ultimately called to drain out ~4.3B SHIDO tokens.

Exploiter Address: https://etherscan.io/address/0x1982358c84da9d0b4b96fc9e8564d132f7d0041f

Exploited Contract:
https://etherscan.io/address/0xcda954a0c574d8c408f0b8c89a2b367d6a2d3354

Ownership transfer Txn: https://etherscan.io/tx/0xaa76ea503fadddf775b1ef7f195676440fdc3ac46ab642798ab6fa7ae3aafcbe

StakingV4Proxy upgrade by New Owner Txn: https://etherscan.io/tx/0x5d4056cdf40d09a6715fd0f26895d0c60038899b45620f0a6a402c4cd425b672

Draining Funds Txn:
https://etherscan.io/tx/0xed3000ddd8b4feb0902107f97a91815ecee8d7ccb57de9a9dbc50a4c07593cb3

How exactly the hacker was able to change ownership of the contract, raises suspicion about this exploit actually being a rug pull.

The exploiter was funded with 0.78075984 ETH via @AcrossProtocol by address
https://etherscan.io/address/0x147b12c06d9e8e3837280f783fd8070848d4412e which was funded via Layerswap and another address.

AcrossProtocol Funding Txn: https://etherscan.io/tx/0x5b6ee537d4ac6f184758f1f8d1caa0cc2af9268bb71ee9ce82f6b706fbe2883d

Response to the Hack

Shido has officially acknowledged the hack and has informed the community that it has asked the exploiter to accept a bounty and return the stolen funds.

The team Shido also stated that the measures to prevent such exploits have been put in place and assured that all those who have staked SHIDO, will have their tokens returned.

Is this the first Shido Exploit?

On June 23, 2023, Shido was exploited on the BNB chain due to a configuration error, which resulted in a loss of 976 BNB, worth approximately $238,500.

What is Shido?

Shido is a Layer 1 POS blockchain, which has launched its testnet and is planning to launch its mainnet in the coming week, as per the update released on its X handle.

The native SHIDO token is an Ethereum-based ERC-20 token, which users have staked on the project’s DEX, which is offering an annual yield of 8% as per the info available on its website.

😈On Feb 28, 2024, the defi protocol @SenecaUSD was exploited for ~1,900 $ETH worth ~$6.5M. The Attacker was funded by @FixedFloat

Exploited Address: https://etherscan.io/address/0x94641c01a4937f2c8ef930580cf396142a2942dc

Hack Txns:

How the Hack Happened?

The hack happened due to a vulnerability in the smart contract.

Using a lack of input validation, the exploiter called performOperations function externally using a constructed call data. This enabled them to call any contract with arbitrary data.

Using this privilege, the exploiter transferred assets from addresses that had granted approvals to the vulnerable contracts directly to themself by calling the ‘transferfrom’ function.

The Hack Aftermath

Team Seneca has confirmed the hack and has asked its users to revoke the following approvals:

On Ethereum

  • PT-ezETH 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1
  • apxETH 0xD837321Fc7fabA9af2f37EFFA08d4973A9BaCe34
  • PT-weETH 0xBC83F2711D0749D7454e4A9D53d8594DF0377c05
  • PT-rsETH 0x65c210c59B43EB68112b7a4f75C8393C36491F06

On Arbitrum

Team Seneca has offered a 20% bounty to the exploiter in return for stolen funds.

The address provided for returning funds: https://etherscan.io/address/0xb7aF0Aa318706D94469d8d851015F9Aa12D9c53a

Team Seneca threatened to pursue legal action against the exploiter in case he failed to return funds.

Return of Funds by the Hacker

As per the latest update (Feb-29–2024 05:11:59 AM +UTC), the hacker has returned $5.3M (1537 ETH) at https://etherscan.io/address/0xb7aF0Aa318706D94469d8d851015F9Aa12D9c53a, which was specified by
@SenecaUSD for receiving stolen funds.

The remaining stolen funds 300 ETH (worth $1.04M) were split equally at the following addresses by the hacker.

😈Decentralized betting platform @RiskOnBlast on @Blast_L2 ecosystem executed an exit scam on Feb 25, 2024, when it duped its investors of $1.3M.

The scam was cleverly executed after raising funds on the pretext of an IDO, which was capped at 420 ETH.

The social media handles have been deleted, and the website http://Riskonblast.xyz is not accessible anymore.

The IDO was being promoted for over a week, and users were continuously lured by posting info about partnerships with different crypto exchanges and using scarcity marketing tactics.

The accumulated funds were stolen from over 750 wallets and were bridged to exchanges ChangeNow ($500,000), MEXC ($360,000), and Bybit ($187,000).

RiskOnBlast has recently raised over $1M in a seed funding round around a week ago. It was one of the 47 projects shortlisted (out of 3000 applications) to receive additional funding in Blast’s Big Bang competition.

What is @Blast_L2?

Blast is an Ethereum layer-2 project that has garnered over $1 billion in capital in the last few months, after going live.

This was the first rug pull of the Blast ecosystem. Blast is now being criticized for not taking enough due diligence checks before promoting the RiskOnBlast project through its official X handle, terming its potential as “undeniable.”

😈Defi protocol Blueberry Protocol Foundation @blueberryFDN came under attack on Feb 23, 2024, when multiple lending markets were collectively exploited for ~💰457.68 ETH ($1.34M) (TX Profit) 1 bWETH (Leftover value).

The total gas fee used was 0.093022519261676367 ETH.

Hack Txn:
https://etherscan.io/tx/0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4

Fortunately, all of the drained funds were front-run by a validator MEV bot @coffeebabe_eth
, and the stolen funds of ~366.65 ETH (excluding the validator fee of ~91.04 ETH) have been returned to a multisig address.

https://etherscan.io/tx/0xc4d45a5143d04d98f11c56f0944ad60426bfbe70b25b5b43a95f0e61a9386a52

The markets affected by the exploit are BTC, OHM, and USDC.

While the hack is being investigated, the protocol has been paused to avoid any further fund loss. The front end was already down as a result of the exploit.

The users were asked to withdraw their funds if they could establish an indirect connection with the exploited contract.

Team @blueberryFDN is also trying to get in touch with the white-hat managing MEV bot @coffeebabe_eth
to return ~91.04 ETH of the validator fee.

What is Coffeebabe.eth?

It is a white-hat hacker known by the pseudonym ‘coffeebabe.eth’, who has thwarted exploits by the crypto hackers on at least one more occasion.

In July 2023, the same white-hat hacker saved Curve protocol @CurveFinance from a ~$5.5M exploit (2800 ETH) by front-running the exploit transaction.

What is front-running in crypto?

Find all the information in an in-depth article here:
Front-Running Attacks in Blockchain: The Complete Guide

Is the front-running attack the same as the sandwich attack?

Find all your answers here: What are Sandwich Attacks in Blockchain?

😈On Feb 22, 2024, two wallets on Ronin Network belonging to Jeff Zirlin @Jihoz_Axie, co-founder of @Ronin_Network, were compromised in what appears to be a private key compromise.

The total loss in the theft was 3088693.24 RON tokens worth around 💰$10 million at the time of the hack.

Jeff clarified through a post from his official X (formerly Twitter) handle that the hack was limited to his personal wallets, and it had no impact on the Ronin bridge or Sky Mavis, which is a blockchain-based video game development studio, also co-founded by Jeff.

  • Compromised Wallet 1: 0x121ad060686848b196df8ca5c5e24722efe57115
  • Compromised Wallet 2: 0xa09a9b6f90ab23fcdcd6c3d087c1dfb65dddfb05

Hack Txns:

Total Loss: ~3088693.24 RONS

The stolen funds were first moved to the hacker’s address: 😈0x39f817976c51a91b60145febad81067e69713105 on the Ronin chain and were later bridged to Ethereum and finally to the Tornado Cash.

https://etherscan.io/address/0x64192819ac13ef72bf6b5ae239ac672b43a9af08#tokentxns

Private keys should be kept protected all the time as hackers are always looking to steal them from you through malicious apps, social engineering, phishing, and scamming.

Learn how you can protect your keys from falling into the hands of hackers by reading
Crypto Security Essentials: Secure Encryption Key Management

To get into more technicalities about private and public crypto keys, read
Public and Private Keys: A Must Know In Cryptography!

😈In another crypto security incident, the password manager @LastPass users suffered a breach in which 22 users lost $6.2 million worth of crypto assets. The breach is known to have happened between Feb 19 and 20, 2024.

The stolen funds on EVM have already been swapped and bridged to Bitcoin via THORChain.

The list of affected users and domains can be found at
https://chainabuse.com/report/ff7c260c-88e2-4d1b-a386-efe448b737e2

Is this the first breach at LastPass?

This is the fourth time that LastPass’ security was breached by malicious actors.

In the last breach, which happened in Oct 2023, the losses were to the tune of $4.4 million, and it involved 80 crypto wallets belonging to 25 victims.

Before that, in Dec 2021, @LastPass users faced security incidents related to credential stuffing.

Also, in June 2015, LastPass acknowledged a breach in which email addresses, password reminders, server-per-user salts, and authentication hashes were compromised.

How did the Hack Happen?

In Dec 2022, @LastPass informed its users about unauthorized access to its third-party cloud-based storage service, which was being used by LastPass to store archived backups of production data.

This exploiter had stolen some source code and technical information from LassPass’s development environment in an earlier breach in Aug 2022.

This stolen information was used to target other LastPass employees, and the attacker ended up getting credentials and private keys, which were used in the exploit of Dec 2022.

LassPass, in a post-mortem report for the exploit, had assured its users that the attacker could only get his hands on basic customer account information and a backup of customer vault data from the encrypted storage container, where sensitive information like usernames and passwords, secure notes, and form-filled data was fully encrypted and secured.

Team LastPass was pretty sure that it was nearly impossible for the hacker to crack the master password required for decrypting the encrypted data through a brute force attack or any other password-cracking tool or algorithm.

But, clearly, they were proved wrong by the exploiter on Oct 25, 2023, when they stole away $4.4m of assets.

Why do the LastPass users continue to bear the brunt?

Users, who had ever used @LassPass to save their seed phrases or keys, were strongly urged by security researchers and experts to migrate their crypto assets.

They were also asked to strictly avoid reusing their master passwords on other websites as it might land them in a situation where a threat actor could use dumps of compromised credentials available on the Internet to attempt a breach of their crypto wallets.

It seems some of the LastPass users did not heed this advice, and hence, the breach continues unabated.

What steps should LastPass users take to avoid/mitigate the fund losses?

If you are a @LastPass user, consider taking the following steps urgently:

  • Rotate your keys by regenerating the seed phrase using a set of new seed keywords.
  • Move your crypto assets to a new address secured with this new seed phrase.
  • Do not use your LastPass password/seed phrase ever on any website
  • File a report on IC3.gov at https://ic3.gov/Home/ComplaintChoice

😈Cryptocurrency exchange @FixedFloat was exploited for ~$4.85m on #Ethereum and ~$21.1m on BTC on Feb 16 and 17, 2024, respectively.

The stolen assets include 409 BTC and ~1,728 $ETH

For Ethereum Chain

  • Victim Address: 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F
  • Attacker Address: 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085

For BTC

  • Victim Address: bc1qns9f7yfx3ry9lj6yz7c9er0vwa0ye2eklpzqfw
  • Attacker Address: bc1q2skp47p9f5mr4n4m27k66v0l68gh3xdd7ad4e5

What is FixedFloat?

FixedFloat is an automated crypto exchange that uses the Lightning Network for Bitcoin transactions.

The exchange does not require users’ registration or Know Your Customer (KYC) verifications.

Useful Read: What Happened to Stolen Funds? Bitcoin’s Lightning Network: An Inkling Shot at Mass Adoption

The drainer already transferred most of the stolen $ETH to #eXch on #Ethereum. The stolen BTCs have been moved by the hacker to 3 different addresses.

The Hack

  • Bc1qmrqgrusknj7zzhh5r975a7d6espsukgts805ns (~200 BTC)
  • Bc1q04yvaefxyan4fuygsv4nr08pxet8ae426dxxf3 (~170.85 BTC)
  • Bc1qp6gjx8par8e83lfqnem5q049x2qfpydfg27tjf (~38.45 BTC)

The exact reason for the exploit is being investigated. There has yet to be an official acknowledgment from FixedFloat at the time of writing this.

Initially, Team FixedFloat had ruled out the possibility of the attack when a massive outflow of funds was reported.

They attributed outflow to “minor technical problems” and switched its services to maintenance mode.

At the time of writing this, the official website https://fixedfloat.com still shows an under-maintenance message.

👿On Feb 15, 2024, in two separate incidents, @particle_trade-a permissionless leverage trading protocol on BSC and defi protocol @dualpools , were exploited for ~$139k and ~$41k, respectively.

Initial reports are emerging that the @particle_trade exploit happened because of unchecked user input.

In an officially released statement, @particle_trade confirmed the exploit and stated that the exploit happened to Particle’s previously deprecated NFT contract and that Particle’s current protocol was not impacted in this security incident.

On the other hand, @dualpools has yet to acknowledge the hack officially.

Breakup of Stolen Funds for @dualpools Exploit

@dualpools Hack Txn: https://bscscan.com/tx/0x90f374ca33fbd5aaa0d01f5fcf5dee4c7af49a98dc56b47459d8b7ad52ef1e93

@dualpools Attacker address: https://bscscan.com/address/0x4645863205b47a0a3344684489e8c446a437d66c

Malicious contract Used for @dualpools Exploit
Exploit: https://bscscan.com/address/0x38721b0d67dfdba1411bb277d95af3d53fa7200e

👿Miner (@minerercx), a token based on an experimental token standard ERC-X, was exploited for ~168.8 ETH (~$463.4k) on Feb 14, 2024.

The attacker stole funds in multiple transactions by exploiting a vulnerability in the #smartcontract.

The Vulnerability

The ERC-X token prices took a nosedive of -87% as a result of the exploit.

The root cause lies with the _update function, which was awarding free tokens every time someone transferred tokens to themselves.

Being aware of this vulnerability, the attacker decided to manipulate this flaw and started sending tokens to himself in multiple transactions.

As soon as the tokens were sent, the _balances[from] function came into play and accurately calculated the attacker’s balance after subtracting the tokens the attacker sent but, due to the flaw, it was immediately overwritten by _balances[to], which erroneously added the sent value to the attacker’s balance, resulting in doubling of tokens in the account.

What Miner is Doing About the Exploit?

Attacker Address: 0xbff51c9c3d50d6168dfef72133f5dbda453ebf29

In an officially released statement, The Miner Team stated that they are re-auditing the vulnerable contract, and after its completion, the contract would be redeployed.

It also informed the community that the remaining liquidity of ~130 ETH will be used as LP for redeployment and that they are planning to take a pre-exploit snapshot of the current holders.

The Miner team has also left an on-chain message for the hacker to negotiate a deal for returning the funds in exchange for 30% (~$120k) of the stolen funds but, the attacker is yet to respond to this message.

On Chain Message: https://etherscan.io/tx/0x27a01149b321eaab0b16d488aefaffa04517a5cf73397b1bbcb8192a4db692ae

😈In an exploit on Feb 13, 2024, the crypto casino platform @Duelbits suffered a massive exploit in which it lost ~$4.6m worth of crypto assets.

The hack has happened in @Duelbits wallets on $ETH and $BNB chains.

There has been no official statement from Duelbits on the hack so far, but the most likely reason behind the exploit is speculated to be a private key compromise or the loss of wallet access control.

The stolen funds comprise, but not limited to, $USDT, $APE, and $SHIB tokens.

The exploiter has managed to bridge stolen assets from BNB chain to Ethereum after swapping $USDT, $APE, and $SHIB to $ETH.

This was obviously an attempt to obfuscate the stolen funds trail. While swapping BNB for BSC-USD the exploiter came across a situation where the bridging to the Ethereum chain could not happen due to the lack of gas fees.

To overcome this, the hacker used the FixedFloat service, which allows quick cryptocurrency exchanges.

Attacker Address: https://etherscan.io/address/0x3933924faf011ae8d24e44bee450b3d78e46a666

Exploit Txn:
https://etherscan.io/tx/0x3bf414c5a62704cc917242336394eeeed15a7e1a50e857c15e611dab92999aa4

Learn how to keep your private keys safe here: Compromised Private Keys: Threats and Remedies

👿Crypto gaming and NFT platform PlayDapp, which collectively lost ~$290M worth of PLA tokens in two separate attacks-on Feb 9 and Feb 12, 2024-has informed the community that it has paused its PLA smart contract to conduct a migration based on the snapshot.

What has Transpired So Far?

Address: https://etherscan.io/address/0xD151050d43c28690766f50Ce9ea8686c5D243a40

In two separate exploits on Feb 9 and again on Feb 12, the exploiter managed to mint 200 million PLA tokens (worth ~$36.5 million) and 1.79 billion PLA tokens (worth $253.9 million), respectively.

As per the initial analysis, an unauthorized wallet possibly used a private key compromise to mint ~1.83 Billion PLA tokens in the two attacks.

However, PlayDapp tried contacting the exploiter through an on-chain transaction, offering a $1 million bounty in return for stolen funds.

Instead of responding to the offer, the hacker decided to mint 1.59 billion more PLA tokens valued at $253.9 million on Feb. 12 and simultaneously started laundering the funds through crypto exchanges.

The Hack Aftermath

Since the total circulating supply of PLA tokens was a mere 577 million before the breach, the exploiter struggled to sell the 1.8 billion newly minted tokens at anything close to their market value before the hacks.

The prices of the PLA token took a steep fall in response to the exploit.

In an effort to contain the exploit and stop the hacker from laundering the stolen funds, PlayDapp contacted numerous central exchanges and asked them to suspend deposits and withdrawals of PLA tokens.

It is also chalking out a strategy with blockchain forensic firms and law enforcement agencies to track the stolen funds. It is also holding discussions with the exchanges to launch airdrops for the migration of stolen funds.

The actual reason behind the intrusion is being investigated and will be known after the completion of the investigation.

😈Defi protocol @MIM_Spell was exploited on Jan 30, 2024, for over $6.5m, in what appears to be a result of an exploitation of a rounding error.

In total, @MIM_Spell lost 2.74K $ETH in the attack which was initially funded with 1 $ETH from #TornadoCash.

Hack Txn: https://etherscan.io/tx/0x26a83db7e28838dd9fee6fb7314ae58dcc6aee9a20bf224c386ff5e80f7e4cf2

Attacker: https://etherscan.io/address/0x87f585809ce79ae39a5fa0c7c96d0d159eb678c9

As per the preliminary findings, the attacker attacked specific Cauldrons V3 & V4, which resulted in unauthorized MIM borrowing.

To minimize any further losses, @MIM_Spell set borrowing limits to zero for the attacked V3 and V4 cauldrons.

Team @MIM_Spell acknowledged the hack and confirmed that the issue has now been fully contained.

@MIM_Spell also confirmed that no user collateral is at risk. The hack is currently being investigated thoroughly, and the report will be published soon.

Team @MIM_Spell has also left an on-chain message to the attacker in an attempt to persuade him to return funds and accept some part of the stolen funds as a bug bounty.

On-Chain Message Txn: https://etherscan.io/tx/0xa1f8e3c30917f33956ef0a96417987a07a70509a2e48b6426b65906462faad6b

As of writing this, the hacker has yet to respond to this offer.

Immediately after the hack, the MIM initially fell to $0.77, only to later recover and reach $0.98.

The recovery could be attributed to @MIM_Spell DAO treasury’s buying back of MIM from the market to burn them.

Precision Loss Vulnerability in Solidity: A Deep Technical Dive

Rounding error or precision loss vulnerability can cause grave losses in well-orchestrated attacks by the crypto exploiters. Learn how you can fix these vulnerabilities in your project here:

😈In a massive phishing attack, a victim on #ethereum lost $1.1M worth of $LINK on Jan 25, 2024.

After the victim signed a malicious swap transaction, the victim suffered a sandwich attack during the swap (without slippage protection) of 58.2K $LINK (worth ~$813K) for 222.4 $ETH (worth ~$494K). This led to a loss of $300K.

Hack Txns:

In this attack, the MEV bot received a bribe of 135.56 ETH (equivalent to $301K).

Do you know what are Sandwich Attacks in Blockchain?
Find all your answers here: What are Sandwich Attacks in Blockchain?

😈On Jan 25, 2024, a victim on Ethereum lost ~$164k worth of PudgyPenguins NFTs to a phishing attack.

The hack’s cause was the victim’s signing of a malicious Blur Bulk signature.

What is Blur Bulk Listing Message Phishing

This phishing exploit method is not new and is based on a malicious Blur bulk listing signature used by scammers to steal NFTs with just one message signature.

Usually, NFT owners are tricked by a malicious website to sign a listing for selling their NFTs for 0 ETH.

Due to Blur’s unreadable bulk listing messages, it gets difficult for NFT owners to identify a malicious request from the marketplace, and they end up losing their NFTs to hackers.

To avoid falling for such traps, always check the source of the signature request before signing any approval for NFT transfers.

If the source doesn’t show http://blur.io, do not proceed with the signing request. Never sign any Blur bulk listing signature that is not from the official website i.e., http://blur.io

Hack Txn: https://etherscan.io/tx/0x2c837d3abc13ab662c84d518b129d045417d2e55af54748d932d7607f5cec10a

Victim:
https://etherscan.io/address/0x57179b08bd29b441da18ba84c526c3f0be23dacc

Scammer:
https://etherscan.io/address/0x9e09dc51ad3b33464093f5505b81bc96e2eccde0

😈The phishing scams continue to bleed the crypto investors. On Jan 23, 2024, the address 0xf8ebfa lost ~$1.3m worth of stablecoins on multiple chains.

  • 154.16K $USDC on #Ethereum
  • 300.34K $USDT on #Arbitrum
  • 834.24K $USDT on #BNBChain

Hack Txn: https://bscscan.com/tx/0x400b7583b892024db19940e2e74a26b22b188196e3c6cbff4e6663295a50daed

Victim: 0xf8ebfacb4768b4152dd38416c1ea5fd143f5f807

Scammer: 0xabd75cd4117fa7bfaa096f581abcec69b8d68f50

The phishing happened when the victim signed increaseAllowance transaction and multiple ERC20 Permit signatures/

The addresses used for receiving stolen tokens are the temporary addresses pre-computed by CREATE2.

😈DeFi @ConcentricFi or Arbitrum chain suffered an exploit on Jan 22, 2024, and has reportedly lost ~$1.72M worth of crypto assets (715 $ETH).

The exploiters got unauthorized access to the protocol through a targeted social engineering attack on one of the team members holding the deployer wallet.

The Attack Methodology

Although the smart contracts of the vault were duly audited before deployment but these contracts were upgradable, and the attackers manipulated this vulnerability to upgrade the vaults and minted LP tokens to drain the vault.

The attacker got hold of the private key through social engineering attacks on one of the team members with access to the deployer wallet.

As the vaults were upgradable, the attacker updated the implementation contract of the CONE-1 proxy contract from the original ConeCamelotVault contract to the attacker-controlled contract.

To mint LP tokens, the attacker added admin to the adminMint() function and subsequently drained the vaults.

Attacker Address 1: 0x105f52fcC329cEF4CBe25BC946f8a3738414E4A1.

Attacker Address 2: 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b

Addresses Holding Stolen Funds:

The address which created 3 upgraded ConeCamelotVault contracts is
0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F.

  • 0x17865c33e40814d691663bc292b2f77000f94c34 — (115.749555148545411 ETH)
  • 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d — (300 ETH)
  • 0xFD681A9aA555391Ef772C53144db8404AEC76030 — (300 ETH)

Address 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d, holding stolen funds, is labeled as OKX Exploiter 2 on #Etherscan

Precautionary Measures

Other addresses holding funds: 0xFD681A9aA555391Ef772C53144db8404AEC76030 and 0x17865c33e40814d691663bc292b2f77000f94c34 both have previously received funds from OKX Exploiter 2 on Dec 13, 2023, as checked on #Etherscan.

Actions Taken:

To keep user funds safe, users are advised to revoke all approvals for the following addresses on $ARB:

Post exploit Team @ConcentricFi:

  • Initiated a detailed investigation to identify the culprits behind the attack and promised to release an in-depth post-mortem report on the completion of the investigation.
  • Started working towards implementing security measures to prevent future breaches.
  • Finding all possible options to mitigate the losses and safeguard the community’s interests.

😈On Jan 22, 2024, the @GAMEEToken on Polygon was exploited for $7M (600M $GMEE tokens).

The primary reason for the hack was a lack of access control, which led to the compromise of the $GMEE deployer address.

In the attack, the attacker withdrew a significant amount $GMEE from Animoca.

The stolen funds were later swapped to $MATIC. The attacker later bridged some of the funds to $ETH chain.

Due to the exchange of stolen funds by the exploiter at various DEX, the $GMEE token price across various exchanges has taken a hit.

In an official communication, the team @GAMEEToken confirmed that the exploit has only affected proprietary team token reserves, and no community-owned assets have been impacted in the attack.

Their initial investigation revealed that the compromise of the Polygon $GMEE deployer address might have happened via unauthorized GitLab access.

Attacker Address: https://polygonscan.com/address/0x16afa519642c932b073cd21d82162bdc7a471b86

The Hack Aftermath

GAMEE Token Contract Address: https://polygonscan.com/address/0xcf32822ff397ef82425153a9dcb726e5ff61dca7

Following are the actions taken by the team @GAMEEToken

Access control vulnerabilities can seriously impact a project’s stability, security, and integrity. Learn how such vulnerabilities can be mitigated at:
Access Control Vulnerabilities in Solidity Smart Contracts

😈On Jan 21, 2024, a phishing attack on #ethereum cost a victim ~$4.2M worth of aEthWETH and aEthUNI.

The loss happened due to the victim’s signing of multiple ERC20 Permit signatures.

Attack Txn: https://etherscan.io/tx/0x93a0ce0711edaf7664c26b3654095f1052010bb7da62c135b6ef0c425c0c2f09

Victim:
0x1749ad951fb612b42dc105944da86c362a783487

Attackers:
0x0000372B2BC916D6c904495e53533Ae90740F688
0xf672775e124E66f8cC3FB584ed739120d32bBaad

The addresses created to transfer these tokens are the temp addresses pre-computed by CREATE2.

CREATE2 is now increasingly being used by scammers to carry out phishing attacks.

To Know What is CREATE2 and How it is Used by Scammers for Phishing Read
Explained: Create2 Opcode in Solidity

😈DeFi protocol @BasketDAOOrg was hacked on Jan 17, 2024, for over $107K due to a vulnerability in its smart contract.

The attack was an arbitrary low-level call exploit that happened due to a bug in the contract’s approval process.

In March 2022, the same contract, along with another contract (0x01A903c12A2Dd87A5410173A29543504DF8bD14B), were found to have similar vulnerabilities, which had caused fund loss.

Hack Txn: https://etherscan.io/tx/0x97201900198d0054a2f7a914f5625591feb6a18e7fc6bb4f0c964b967a6c15f6

Hacked Contract: https://etherscan.io/address/0x4622aff8e521a444c9301da0efd05f6b482221b8

Attacker Add: https://etherscan.io/address/0x63136677355840F26c0695dD6DE5C9E4f514f8e8

😈On Jan 17, 2024, a victim on the Ethereum chain lost $149,435 worth of tokens due to signing malicious phishing signatures on a phishing site.

Hack Txn:
Jan-17–2024 09:42:35 PM +UTC
https://etherscan.io/tx/0x98480bb8e5c212b4f408a3f74fbb94dc60529a97d14fe2356372b170ab320773

Victim Add:
0x373adc79ff63d5076d0685ca35031339d4e0da82

Scammer Add 1:
0x4f4314e1e81650497d46e5b2179f5f3430902011

Scammer Add 2: 0x9fA7bB759641FCd37fe4aE41f725e0f653f2C726 (PinkDrainer: Wallet 2)

😈In another phishing incident on Jan 17, 2024, a victim on the Ethereum chain lost $178,030 worth ~6667 Auction tokens to the phishing maneuvers of the scammer.

Hack Txn: Jan-17–2024 01:37:59 PM +UTC
https://etherscan.io/tx/0x8f6cb49baa8886d1d1fef5146afbccdb6075b3f0cc0fd3a9cf604fb9b9f0b94f

Victim Add: 0xefbf320e8bc2e0a051db24f73b6f5756deeddcda

Scammer Add 1: 0xa2f10ccba0f5950eea846be601d7e0a627144b4e

Scammer Add 2: 0xa3aa460c12713a000a33893b024d95db80945a2f (Fake_Phishing270927)

😈On Jan 16, 2024, an address lost $229,553 worth of WBTC and ETH after signing malicious phishing signatures on a phishing website.

Hack Txn:
https://etherscan.io/tx/0x6d34b0f63da4f7402c467a657eb4c12894d1dfaa3b0095992d19eb64de2282fc

Victim: 0x23f8c7db7a1b656652e9726ab264c5b181418b9f

Scammer: 0x145f2b66b7bf5ad64b4ae21d1c77a20c61bf45a9

The victim signed three ERC20 Permit signatures, and these token spenders are the temp address pre-computed by CREATE2.

Explained: Create2 Opcode in Solidity

CREATE2, although better than the previous CREATE, is now increasingly being used by scammers to carry out phishing attacks.

😈DeFi protocol Socket @SocketDotTech on Ethereum has been exploited for ~$3.3M on Jan 16, 2024, due to a bad route added 3 days ago.

Added Route tx: https://etherscan.io/tx/0x1df44e224c7a715da25fa33dcad2ca3a930d1a4dafd263e61c07b52673d505f4

This has affected users who had given infinite approval to the SocketGateway contract https://etherscan.io/address/0x3a23f943181408eac424116af7b7790c94cb97a5

The Input Validation Vulnerability

The attacker took advantage of the incomplete user input validation to steal funds from the users who had approved the contract.

The attack was carried out by making an unsafe call in the performAction function.

Due to an input validation vulnerability in the contract, when transferring 0 WETH, the caller can specify other functions in the call and still pass the balance check validation.

Manipulating this flaw, the attacker constructed calldata to call transferfrom() of arbitrary tokens and transferred tokens approved to the contract by other users.

Attacker Add: https://etherscan.io/address/0x50df5a2217588772471b84adbbe4194a2ed39066

Hack Txn: https://etherscan.io/tx/0x591d054a9db63f0976e533f447df482bed5f24d7429646570b2108a67e24ce54

To contain the hack, the exploited contract was paused, and Socket asked its users to revoke all approvals to avoid loss of funds.

The bad route was also removed by Socket.

The Hack Aftermath

Disable route tx:
https://etherscan.io/tx/0xac75adcc1cb3fef158c4f200c48fcbcbb9b6ce3250bdf3751d6231d41a9e604b

As of writing this, @SocketDotTech has informed the community that they have bridged on @BungeeExchange , and most of their partner frontends have been resumed.

They also stated that they are conducting a detailed analysis of the exploit, the report of which would be shared later with the community.

😈Defi WiseLending protocol @Wise_Lending on Rthereum came under a price manipulation attack on Jan 12, 2024, when the exploiter manipulated a rounding error and caused losses of ~$460K (~178ETH)

The hacker knew that WiseLending uses rounding up when calculating shares withdrawals.

The attacker repeatedly called the withdraw function with a unit amount to cause a mismatch between the protocol token balance and shares. This led to the price manipulation.

The stolen funds are currently held at 0x592856d68B3FEE1D2dAa34CdC9851f3477C52530

Manipulated Contract: https://etherscan.io/address/0xb90cf1d740b206b6d80854bc525e609dc42b45dc

Hack Txn: https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31

How to Bypass the Integer Division Error in Smart Contracts? Precision Loss Vulnerability in Solidity: A Deep Technical Dive

Rounding errors in smart contracts can lead to severe security vulnerabilities. To know how these can be mitigated, read:

😈An address on the #Avalache chain lost 9.41 $BTC (~$433K) in a phishing attack on Jan 12, 2024. The victim transferred the stolen amount in two transfers in a single transaction.

Read: The Beginner’s Guide to Phishing Attacks

Hack Txn: https://subnets.avax.network/c-chain/tx/0xe00e4c8c11cff74c6a2296ef4e20cd0bc9811365022460f7207197923c4f51ed

Victim: 0xda60167db93bfd982204a55afb7321a76afc419b

Contract Add: 0xf455878e14d435e23dd8a2000c8fac3fca2f33d5

Scammer Add 1: 0xa3aa460C12713A000a33893b024D95db80945a2F (1.41147824 aAvaBTC.b)

Scammer Add 2: 0x7666a59f3A38934cb1262d22Fac52A67fda4B123 (7.99837663 aAvaBTC.b)

👿On Jan 11, 2024, a victim on the Ethereum chain was scammed for over ~$772K worth of stETH when it signed a malicious ERC20 Permit signature.

An ERC20 token approval given on a scam website can be activated by the hacker to carry out illegitimate transfers from an address without the knowledge of the owner.

Victim: 0x551b30bc933e26e098bd2e68d436c24ed39b7312

Scammer: 0x1A42605D92C210E4bE47A6363046c591659ab444 (Fake_Phishing269883)

Hack Txn: https://etherscan.io/tx/0xa653ede5787d5ee4b869d01643c3178b38d470445cd2078c23a5f2cfed4ff37b

To stay protected from ERC20 token approval phishing scams, always:

ERC20 Permit2 approval and the associated risks

Revoke the approval without losing time to protect your funds from being drained by an exploiter of the dApp approved previously.

😈A victim on #Ethereum fell victim to a zero-address transfer scam on Jan 10, 2024, when it accidentally sent 960,000 USDT to the scam address instead of the address it meant to transfer.

Zero transfer scams have become quite common in the crypto world. They are increasingly getting popular with scammers as it requires minimal effort on the scammer’s part to steal money from novice #cryptoinvestors.

Victim: 0x3dFf6f65Fd3354D2f98e065B814456Dc54435F0a

Intended Address: 0x9462B598aa7e45e6C2df22c35337Be248Df98CD6

What is a Zero Transfer Scam, and how do you avoid it?

Phishing Address: 0x946c8e51d95a1f1643c3617363aee83439f98cd6

The Vulnerability

😈On Jan 10, 2023, the BRA token on #BSC was exploited for $225,000 when it lost 819 WBNB due to a smart contract vulnerability.

The Attack Flow

Due to a logic vulnerability in the smart contract, every time the transfer function was invoked, the sender and recipient got twice the rewards if they were a pair.

>> Step 1

>>Step 2

The attacker took a flash loan of 1,400 WBNB and exchanged 1,000 WBNB for 10.5K BRA tokens, which they later transferred to the Pancakeswap pair.

>>Step 3

Using the skim() function, the attacker invoked the BRA contract’s transfer function to receive rewards.

The ‘skim()’ was set to work as a recovery mechanism whenever the number of tokens supplied to a pair exceeded the two uint112 storage spaces for reserves.

The attacker manipulated this and provided pair as the recipient address for receiving the BRA tokens.

Due to the vulnerability in the smart contract, the number of BRA tokens after every single skim became twice the intended amount.

>>Step 4

The hacker repeatedly called skim() around 100 times to significantly increase the contract pair’s BRA balance.

The attacker then returned 1.675K WBNB tokens and repaid the 1.4K WBNB token flash loan.

A profit of 675 WBNB was generated in this process, which the hacker sent to their address.

Technical Info:

The whole sequence of attack was repeated one more time, and this time, the profit gained by the attacker was 144 WBNB.

Attack Transaction: https://bscscan.com/tx/0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047

Attacker’s Address:

BRA Token Code: https://bscscan.com/token/0x449fea37d339a11efe1b181e5d5462464bba3752#code

How to Avoid Such Attacks?

Pancake Swap Contract:
https://bscscan.com/address/0x8f4ba1832611f0c364de7114bbff92ba676adf0e

BRA Token Detailed Hack Analysis

This attack would not have happened if the smart contract auditors had examined the contract for logical issues. By conducting thorough testing and reviews of the smart contract code, the auditors can discover and fix potential vulnerabilities before deployment.

😈MangoFarmSOL, a farming protocol on Solana, which promised unprecedented yield in the $SOL space to its investors, stole away ~$2M of its investors’ wealth on Jan 7, 2024, in a well-orchestrated exit scam.

The TellTale Signs of the Scam

It had announced its MANGO token airdrop on Jan. 10, and to participate in the airdrop, users had to deposit their Solana SOL tokens in the protocol.

“Foobar,” a pseudonymous developer recently appointed as MangoFarmSOL’s security auditor, had warned users about MangoFarmSOL’s compromised front end on Jan 6 through a post on X (formerly Twitter).

The Disappearing Act

He also predicted that the protocol could be a potential rug pull.

Is there Another Scam in Waiting?

The official website of MangoFarmSOL is now being flagged as a deceptive website. Their profile on X no longer exists, and the Telegram channel (with 1000 existing members) is not accepting new members anymore.

There have been reports about screenshots being circulated on social media in which the developer of the now-scam project @MangoFarmSOL is shown claiming that he was forced to create Ponzi schemes and that he is involved with another project, BananaMiner.

Representatives from BananaMiner have refuted all such allegations and have categorically denied any connection to MangoFarmSOL, except that they were approached for collaboration by them.

The Conclusion

MangoFarmSOL must not be confused with another Solana-based project, Mango Markets, which was exploited in October 2022 for over $100 million.

The Solana ecosystem has been increasingly targeted by scammers using wallet drainers.

The seriousness of the security threat for Solana-based projects can be gauged by the fact that the cybercriminals have been selling Solana drainer kits since December, and one of the large communities for SOL’s wallet drainer kit maintained by these cybercriminals has over 6k members.

Beware of the scammers who lure novice #cryptoinvestors to invest in fake projects and tokens.
Equip yourself with knowledge on detecting such scams and avoid falling for them.

Crypto & Defi Rug Pull: How to Spot? World of Rising DeFi Scams: 5 Types of Scams that are Deceiving Investors Honeypot Scams in Crypto

You can get a great deal of knowledge about identifying such scams here:

😈Narwhal project on #BSC suffered an exploit on Jan 5 and Jan 6, 2024, for a total of ~$1.5M worth of NRW tokens ($970k on Jan 6 and $500k on Jan 5).

On Jan 7, @Narwhal_fyi confirmed in an official tweet that it was exploited and is in the process of rebuilding the liquidity pool in the next 3 days.

It also stated that they are working on a new platform with enhanced security to avoid such exploits in the future.

The stolen NRW was later swapped for ETH and bridged to the Ethereum Network.

The address 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30 deposited 375 ETH into TornadoCash and also received ETH from 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568

At the time of reporting, ~$1M out of the stolen ~$1.5M has already been deposited into Tornado Cash
by the attacker.

The remaining Stolen funds are currently at:

  • ETH: 0xe07bCffac8cEC86886B49b509A4924182D2596d3 (~80 ETH)
  • ETH:: 0x51eF9B64e5Bc4A23C522ECE8769De87b022d3c41 (~100.3 ETH)

On Jan 6, the attacker called the withdraw() function with the signer info. In the decompiled contract, it has been found that the signer’s address was actually set by the contract owner, and it is possible that the signer’s private key was either compromised or the information was forged.

The Alternate Theory

Exploited Contract: 0x8A2DF808CCb0DB866C5C152412D1718929143f53

There are speculations that what seems to be an exploit by a malicious hacker could possibly be a cleverly executed exit scam in the shroud of an exploit.

To support the theory, the on-chain analysts have presented the following:

The NRW token price shows two major drops-Jan 5 and Jan 7.

The drop on Jan 5 is likely caused by the large transfer of NRW tokens to an EOA 0xEa55BAEF29dc70799fAec4E2896b4D16A750E568 from multiple wallets.

Suspiciously, all these wallets received funding from the same address: 0x28B38A8B0b5AbEcE315a5064495056ad158DDDfF

The 0x28B38 address itself was initially funded by 0xfc8Cd26F86E6169e95A0256004B5c8FD1a6EFdDF, which received funds via FixedFloat.

The same address also funded the NRW deployer.

The Jan 7 price drop was triggered by EOA 0x9481b7c8f83A7BB3E8e3648b453d6Eb59dFFcC30, which called withdraw on unverified malicious contract 0x814304B1e200b4D36B26f53358BbBA6D6136B2F5.

This contract was created by 0x6eA, which was, in fact, funded by 0xfc8C, which had earlier funded the NRW deployer.

😈On Jan 4, 2024, the Defi Protocol Gamma Strategies was exploited for ~1535 $ETH (~$3.43M) in what seems to be the attack on Camelot pools, utilizing Gamma CLMM.

Hack Txn: https://arbiscan.io/tx/0x025cf2858723369d606ee3abbc4ec01eab064a97cc9ec578bf91c6908679be75

Other than @GammaStrategies, decentralized exchanges (DEX), such as @Quickswap, @SushiSwap, and
@CamelotDEX, could be affected due to this exploit.

Gamma has strongly advised all its users to revoke all approvals to avoid a possible fund loss due to the exploit.

@CryptoAlgebra, which was earlier speculated to be exploited, has confirmed that the exploit is not connected with Algebra’s code, and it is safe to use services from its partners.

Beware of the phishing websites claiming to check for exposure and revoke access from @CryptoAlgebra

In an official statement, Gamma confirmed that the hacks were carried out using flash loan attacks.

The total fund loss in the exploit is 1535 ETH, worth ~$3.43M, which the attacker: https://arbiscan.io/address/0x5351536145610aa448a8bf85ba97c71caf31909c
has now bridged to #Ethereum in the multiple transactions.

Ref: https://etherscan.io/address/0x5351536145610aa448a8bf85ba97c71caf31909c

Mitigation Steps

Gamma Exploiter Malicious Contract: https://arbiscan.io/address/0x4b57adc00ac38f74506d29fc4080e3dc65b78a69

What Caused the Exploit?

As a precautionary measure, Gamma has shut off all deposits on public-facing vaults. At the time of writing, the rebalances and management of the positions are active and operational, as they are not affected by the exploit.

Although multiple measures were in place to prevent flash loan attacks but out of those measures, there was one that had a flaw.

The measure-where Gamma had set a price change threshold to disallow deposits on price change exceeding a certain threshold-was manipulated by the exploiter.

The threshold limits were set too high, which allowed up to 50–200% price change on specific LST and stablecoin vaults.

Corrective Measures

The attacker manipulated the price up to this high threshold limit and then minted a large number of LP tokens.

To set things right, Gamma has taken the following steps:

  • Setting of rice change thresholds to a safe threshold level
  • Getting a 3rd party code review before re-enabling deposits
  • Maximizing recovery for all affected users
  • Conduct a detailed post-mortem analysis and propose a remediation plan

😈In another major crypto exploit, on Jan 2, 2024, Radiant Capital @RDNTCapital on the Arbitrum chain was exploited for ~$4.5M (~1.9K ETH).

The Exploitation

The root cause of the hack is price manipulation, which was carried out by exploiting a rounding issue in the rayDiv() function.

First, the index parameter (used as a denominator in the calculations) was inflated due to manipulation. The corresponding precision error also skyrocketed due to this inflation.

The attacker reaped profits through repeated deposit() and withdraw() operations.

The attack happened within the time frame of 6 seconds immediately after a new USDC market was deployed.

The rounding issue is a known issue in the current Compound/Aave codebase, which is forked by lending markets for activating new marketing.

To mitigate this, Aave has a mandatory policy to deposit alongside any new listing. While forking, it seems this practice was not taken into consideration.

Attacker’s address: https://arbiscan.io/address/0x826d5f4d8084980366f975e10db6c4cf1f9dde6d

The Aftermath

Malicious contract:
https://arbiscan.io/address/0x39519c027b503f40867548fb0c890b11728faa8f

The team @RDNTCapital is trying to initiate contact with the attacker by leaving an on-chain message for the attacker, but they are still waiting to receive a response.

Ref: https://arbiscan.io/tx/0xcd1865e3bf185fc5fe0b5fb055f6d74cfa68ee50335ff92ad721063538922664

While the hack is being investigated, the Radiant DAO Council has paused lending/borrowing markets on Arbitrum temporarily.

Originally published at https://www.immunebytes.com on March 6, 2024.

--

--

ImmuneBytes

Build a hack-proof solution with the industry’s leading blockchain security company.