Cointime

Cointime

Download App
iOS & Android

Weekly Blockchain Security Watch (November 28 to Dec 4)

Validated Project

From November 28 to December 4, 2022, all security incidents that have occurred are all Security Hacks.

SECURITY HACKS:

1. Hacker Attacks Prometheus

On Nov 28, Prometheus, a dApp deployed on the BNB chain was attacked.

In this incident, the hacker withdrew 467,398 PHI from the project’s OTC contract and exchanged them to 124,73 BNBs.

The Prometheus team got back 112.08 BNBs and kept them in a multi sig (0x69A03128a7cb580553acf1cf287d4A5Ce0A01c1F).

The hacker exploited 12.65 BNBs (worth around US $3,654.5) in this incident.

At the time of writing, the project’s gPHI and dPHI supply had not been exploited, and all the contracts had been paused, except the dividends pool.

Additional Details:

- Attacker’s Address: 0xc7233627c65f0dd1465938212a3adaa5dea50bf6 (BNB chain)

- Hash Value of Attack Transaction:

0x15472327df1fdace59c14eba5f4069ffb65c71c5f38f00355da990b68121d160

2. Hacker Attacks Shamanzs Discord Server

On Nov 28, a hacker had attacked Shamanzs’ discord server. Shamanzs is an NFT project deployed on Ethereum.

3. Hacker Leverages Flash-loan to Attack Seaman

On Nov 29, a hacker had attacked Seaman, a dApp deployed on the BNB chain.

The root cause was that its tokenomics design would result in price manipulation.

The attacker flash-loaned 500,000 BUSDs and exchanged them to GVCs. The hacker then called Seaman’s transfer function to transfer a small number of SEAMAN tokens and triggered the SEAMAN tokens to be exchanged to GVCs. This process would call the _splitlpToken() function to distribute the GVCs to lpUser and reduce the number of GVCs in the BUSD-GVC trading pair thus increasing the GVC’s price.

The hacker repeated the process and eventually exploited 7781 BUSDs worth US $7781 in this incident.

Additional Details:

- Attacker’s Address: 0x49fac69c51a303b4597d09c18bc5e7bf38ecf89c (BNB chain)

- Attacked Contract: 0xDB95FBc5532eEb43DeEd56c8dc050c930e31017e(GVC Token on BNB chain)

4. Hacker Attacks SmallBros Discord Server

On Dec 1, a hacker had attacked SmallBros’ discord server. SmallBros is an NFT project deployed on Ethereum.

5. Hacker Attacks Brainless Spikes Discord Server

On Dec 1, a hacker had attacked Brainless Spikes’ discord server. Brainless Spikes is an NFT project deployed on Ethereum.

6. Hacker Attacks Ankr

On Dec 2, a hacker attacked Ankr, a dApp deployed on the BNB chain.

The root cause was very likely that the Ankr Deployer’s private key was compromised.

The attacker exploited crypto assets worth around US $5 million in this incident.

For more details about this incident refer to:

https://twitter.com/FairyproofT/status/1598535802463875072?s=20&t=G7OlCC57pHNU-Bsgdjcb7w

Additional Details:

- Attacker’s Address: 0xf3a465C9fA6663fF50794C698F600Faa4b05c777 (BNB chain)

- Malicious aBNBc Contract: 0xd99955B615EF66F9Ee1430B02538a2eA52b14Ce4 (BNB chain)

- Ankr Deployer: 0x2Ffc59d32A524611Bb891cab759112A51f9e33C0 (BNB chain)

- Attacked Contract: 0xE85aFCcDaFBE7F2B096f268e31ccE3da8dA2990A (aBNBc on BNB chain)

- Initiator of Attack Transaction: 0x71699d5BD28F5C834eEe8E365848df056915Baa6 (BNB chain)

- Hash Value of Attack Transaction:

0xd07b210b872bc952b9f2250d8272a789f89a2f7a3621112fdd73addd7bdb080b (BNB chain)

CONCLUSION-

6 notable security incidents have occurred in the past week. Four out of them were attacks on smart contracts and two were attacks on social media accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

Web3
Comments

All Comments

Recommended for you

  • Cointime May 12 News Express

    1.The number of Bittensor subnets for the AI ​​project will increase to 64, and 1024 subnets will be achieved this year2.Trader predicts Bitcoin price will reach $350,0003.vladilena.eth redeemed 1930 weETH from Zircult, suspected of selling4.Solana’s on-chain DEX transaction volume yesterday exceeded the sum of five chains including Ethereum, BSC, and Arbitrum5.RSS3 VSL locked-in amount surged in the past two days and is close to 200 million US dollars 6.The transaction volume of Club Key on friend.tech platform exceeded 1 million7.Lido has paid out more than 516,000 ETH in staking rewards, equivalent to approximately $1.51 billion8.1,000 BTC transferred from TronDAO to an unknown new wallet9.Report: Justin Sun deposited 120,000 eETH into Swell L2, worth $376 million10.1707.36 BTC have flowed out of Binance in the past 7 days

  • cointelegraph ·

    OKX Ventures invests in Web3 ‘play ARPG to train AI’ game Blade of God X

    The game is currently available in early access on the Epic Games Store.

    OKX Ventures invests in Web3 ‘play ARPG to train AI’ game Blade of God X

  • Xinjiang launches special campaign to combat illegal fundraising, with key areas including virtual currency, blockchain, etc.

    According to Chang'an Xinjiang Public Account, Xinjiang Autonomous Region and Corps have launched a joint special action to crack down on illegal fund-raising, with key areas including third-party wealth management, fake private equity, fake gold exchange and other traditional fields, as well as emerging fields such as virtual currency, blockchain, cultural tourism, film and television investment, and debt resolution services. It is reported that key cases include cases involving more than 100 million yuan and cases that have been criminally filed for more than five years.

  • A British court has postponed the final sentencing of Wen Jian, a British-Chinese national involved in the country's largest Bitcoin money laundering case, until May 24.

    On May 11th, it was reported that Jian Wen, a 42-year-old British Chinese citizen, was found guilty of "participating in arranging money laundering" in the UK's largest Bitcoin money laundering case. He could be sentenced to up to 14 years in prison. Jian Wen's defense lawyer, Mark Harries, stated that due to the judge's busy schedule, the UK court has postponed Jian Wen's final sentencing, which was originally scheduled for May 10th, to May 24th.

  • Web3 startup Star Nest completes $6 million in Pre-A round of financing

    Hong Kong Web3 music startup Star Nest announced that it has completed a $6 million Pre-A round of financing, led by Chuangqi International Limited, a wholly-owned subsidiary of Hong Kong Stock Exchange-listed company Guofu Innovation. Star Nest will collaborate with Armonia Meta Chain to develop the Star Nest SpaceStar metaverse game, which includes music, role-playing, and social features.In addition, Star Nest plans to launch its NEST project in the third quarter of 2024. Nest will receive 2.1 billion NEST tokens tailored for the project, and Star Nest will use the NEST token to build a more complete music industry token economic system. The NEST token will be widely used for purchasing performance tickets, chain game cooperation, metaverse consumption, governance voting, and other activities.

  • Over $594 million worth of PYTH is staked

    According to Dune data,  there are currently 1,201,167,362 PYTH tokens in the staked state, with a total staked value exceeding $594 million. The number of PYTH stakers has reached 151,211.

  • US Department of Justice: Tornado Cash indictment has nothing to do with "free speech"

    On May 11th, the US Department of Justice explained why the motion to dismiss the criminal case against Tornado Cash founder Roman Storm was invalid. The Department of Justice reiterated that their indictment was not related to whether the Tornado Cash computer code had freedom of speech or was protected by the First Amendment of the Constitution. The defendant was not charged for publishing computer code, but for using it to facilitate profitable illegal activities.

  • USDC circulation decreased by $100 million in the past week, with a total circulation of $33 billion

    According to official data,as of May 9th, Circle has issued approximately $2 billion USDC and redeemed approximately $2 billion USDC in the past 7 days, with a decrease in circulation of approximately $100 million. The total circulation of USDC is $33 billion, with a reserve of $33.1 billion, including approximately $3.3 billion in cash and Circle Reserve Fund holding approximately $29.8 billion.

  • SEC rejects Coinbase's request for appeals court ruling on cryptocurrency rules

    The US SEC has rejected Coinbase's request to appeal to the court to review whether traditional securities rules are applicable to cryptocurrencies. In its application, Coinbase stated that it hoped the appeals court would consider whether the Howey test, which has long been used for securities evaluation, should be applied to digital assets. However, the SEC pointed out that Coinbase has not successfully demonstrated the need for such an evaluation. The SEC stated that Coinbase is attempting to create a "new legal test," but this attempt was rejected by the court. The court found that Coinbase's arguments lacked consistency and did not successfully demonstrate the existence of decisive issues. Currently, the judge responsible for hearing the SEC's case against Coinbase will make a ruling on Coinbase's intermediate appeal motion.

  • Barcelona-based Web3 Video Games Startup GFAL Raises $3.2M in Seed Funding to Expand Team and Accelerate Production Plans

    Barcelona-based startup GFAL has secured $3.2 million in seed funding from investors including Supercell Ltd and Mitch Lasky. The company plans to use the funds to expand its team and accelerate its game production plans, which leverage AI and Web3 technology for immersive gameplay. GFAL's Elemental Raiders mobile game soft-launched in March 2023, with plans to build on this for a 2024 launch. CEO Manel Sort expressed gratitude for the investment and excitement to work with former colleagues from Digital Chocolate.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company