Categories
Crypto News DeFi Hackers

Another Day, Another DeFi Hack: Indexed Finance ‘Incident’ Costs Users $16 Million

The decentralised finance (DeFi) platform Indexed Finance has suffered its first hack, bleeding two of its pools of an estimated US$16 million.

The platform announced on October 15 that there was something going on affecting the DEFI5 and CC10 pools.

Rebalancing Mechanism Exploited

After further inspection, it was found that hackers had exploited a weakness in one of the mechanisms used to balance pool token weightings. The attack affected the way index pools are rebalanced; a more detailed description was supplied in a post-mortem.

Security firm PeckShield reported that the attacker had stolen 15 ETH, 226.9K UNI, 7.5K AAVE, 6.4K COMP, 845.8K CRV, 516 MKR, 45.4K SNX, 33.2K LINK, 5.2K YFI, 17.8K UMA and 131.6K BAT, totalling around US$16 million. At the moment the $16M is sitting in the attacker’s account (0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe) with security firms keeping an eye out for movement.

According to the bot on Discord, the two pools that are now inaccessible have been left with US$288,000 and US$2 million in TVL, respectively.

NDX Token Drops 28%

Unsurprisingly, the protocol’s native NDX token has dumped 28 percent from US$3.35 to US$2.34 where it currently trades according to CoinMarketCap. The coin was trading at an all-time high of US$27.71 in February and is down 90 percent since then.

Those who have lost everything live in hope that the situation might resolve the way August’s Poly Network hack played out, with the hacker returning the funds and highlighting a major vulnerability.

As for compensating people who lost funds, this is – so soon after the event – still up in the air […] The core team will be discussing with the community how best to handle this situation.

Indexed Finance statement

They’ll be talking to similarly affected protocols for insights into their own approaches. It is still unclear whether the incident is a tombstone for the DeFi project or whether there will be a way to recover the funds or compensate users and restart.

DeFi Deja Vu: $160 Million at Risk in Another Compound Finance Bug

Compound Labs has suffered a second major blow after another bug in the system was discovered. About US$162 million is up for grabs in what is being called the “biggest-ever fund loss in a smart contract incident”.

The Hits Just Keep Coming

The hits just keep coming for popular DeFi staking protocol Compound (COMP) after what was supposed to be a routine upgrade went horribly wrong.

This is the second in just a few days to rock the protocol after a bug in COMP’s new Proposal 062 led to an over-distribution of around US$80 million worth of COMP to some of its users. Compound founder Robert Leshner asked users to give the funds back and thanked those who did.

On October 3, somebody exploited a bug in Compound’s Comptroller contract, part of the protocol that distributes yield farming rewards to users. After calling Compound’s drip() function, the attacker had transferred 202,472 COMP, worth US$68 million, from Compound’s reservoir to its Comptroller.

Since a tweet about the bug by Banteg, a core developer at Yearn.Finance, the Comptroller pool has been drained of about 64,997 COMP (US$21.5 million).

Bug Takes Seven Days to Correct

On October 1, Leshner tweeted that the amount of COMP tokens that could be accidentally distributed would be limited to 280,000 COMP tokens, worth about US$92.6 million, but revealed on Sunday that more were at risk.

Leshner revealed that the Comptroller pool, already emptied once, had been replenished, thereby exposing a further 202,472.5 COMP tokens worth around US$66.9 million.

Total carnage has been avoided because the exposed pool holds only a limited number of tokens. The problem, however, is that the pool is replenished at a rate of 0.5 COMP every 15 seconds.

Leshner tweeted that when the drip() function was called on October 3, it sent a backlog of 202,472.5 COMP (about two months of COMP since the function was last called) into the protocol to distribute to users.

The community developers were hoping that Proposals 63 or 64 would go into effect before that happened, but because of the way Compound’s governance is structured, the bug would take seven days to correct.

Bugs, Bugs and More Bugs

For many crypto users, DeFi is becoming synonymous with bugs and hacks. Recently a bug was found on NFT marketplace OpenSea which destroyed 42 NFTs worth an estimated US$130,000. The bug was discovered when Nick Johnson, lead developer of Ethereum Name Service (ENS), tried to transfer an ENS name to one of his personal accounts, but it ended up in an unused burn address.

Earlier this month, the Avalanche blockchain also suffered its first hack. Zabu Finance, a DeFi project that runs on the chain, was exploited for US$3.3 million after a hacker identified a bug in the contract used by yield farms to distribute rewards. Zabu’s price quickly plummeted to zero.

Hackers Exploit Coinbase Vulnerability to Steal Crypto from 6,000 Users

US crypto exchange Coinbase recently disclosed that funds from at least 6,000 customers were removed from their accounts by hackers who took advantage of a bug in its SMS multi-factor authentication (MFA).

SMS MFA is a security feature that allows users to authenticate and log in to their accounts by entering a security token sent to them via SMS. This adds an extra layer of security to users and helps prevent unauthorised logins.

Coinbase Says Hacker Exploited a Bug in its MFA

A letter posted by Coinbase on the Attorney General of California’s website shows the incident took place between March and May this year.

For customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.

Coinbase letter to users

The success of the attack means the hackers already knew victims’ personal information such as their email, phone number and password. The exchange says it’s unclear how the attackers were able to gain access to the information. However, chances are the information was gleaned from social engineering tricks or phishing attacks, which are not unknown to Coinbase and the crypto market in general.

The total value of cryptocurrency lost in the SMS multi-factor authentication breach wasn’t disclosed, but the exchange said it had repaid the funds to affected users.

We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost.

Coinbase

Lax Security, Poor Customer Service

Inarguably the leading cryptocurrency exchange in the US, Coinbase has approximately 68 million users from more than 100 countries, yet the exchange is often criticised for its lax security and poor customer service. 

In August, the exchange erroneously sent a message to about 125,000 customers, informing them that their 2FA settings had been changed. It subsequently had to compensate affected users for the impact of the incident on their trust in Coinbase.

Bitcoin.org Hacked and Promotes ‘Double Your Bitcoin’ Scam

Educational content platform Bitcoin.org has suffered a security breach and ended up in the hands of unidentified attackers who started promoting a shady bitcoin scam on the homepage.

On September 23, several users reported that the Bitcoin.org homepage was displaying a pop-up window requesting users to send BTC to a specific address and receive twice the amount in return. This, of course, rang alarm bells in the crypto community and Bitcoin.org soon announced via Twitter that the site had been compromised.

Bitcoin.org subpages were limited as a result of the attack, which prevented users from scrolling through the page and precluded access to the PDF version of the Bitcoin whitepaper. While the site is now virtually up and running again, the URL to the whitepaper displays a “this site can’t be reached” message.

The address displayed on the site received 0.4 BTC (around US$17,000) in a few hours. It’s unknown if those funds belong to any victim who fell for the scam.

Not the First Bitcoin.org Attack

This is not the first time Bitcoin.org has been attacked. Earlier this year, Crypto News Australia reported that the site had been hit by a DDoS (distributed denial-of-service) attack. This happened shortly after Bitcoin.org lost a legal battle against self-proclaimed Bitcoin creator Craig Wright, who requested that a British court force the organisation to remove the BTC whitepaper for UK visitors.

Avalanche DeFi Project Vee Finance Loses Over $35 Million in Hack

A day after Vee Finance announced it had more than US$300 million total value locked on the protocol, it was hit by an attack draining an estimated US$35 million.

By September 21, a total of 8,804.7 ETH and 213.93 BTC had been stolen by attackers. Vee Finance is a lending and borrowing protocol built on the Avalanche blockchain that offers both flexible and fixed returns on crypto deposits.

Since its launch on September 14, the platform boasted that the total value of assets locked surpassed US$300 million, drawing the eyes of potential attackers.

The perpetrators found an exploit in the process of creating an order for leveraged trading, where the oracle used only the price of the Pangolin pool as its source of price feed.

When the price fluctuates by more than 3 percent, the oracle needs to be refreshed, which in this case opened a window for the attacker to manipulate the price reported by Vee Finance’s oracle.

The attacker manipulated the quantity of tokens in the Pangolin pool to make Vee Finance’s oracle refresh its price. This directly caused the contract to obtain the wrong price from the oracle during the slippage check, so the check was bypassed. A detailed attack analysis can be found on Vee’s official Medium blog.
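An added example, not Vee Finance’s code: a constant-product pool, the single-pool refresh policy described above, and an assumed hardening that cross-checks the pool price against independent reference feeds before adopting a refreshed price. Reserves, swap size and feed values are constructed.

```python
class ConstantProductPool:
    """x*y=k pool with no fee; spot price of A in B is reserve_b / reserve_a."""

    def __init__(self, reserve_a, reserve_b):
        self.a, self.b = reserve_a, reserve_b

    def spot_price(self):
        return self.b / self.a

    def swap_a_for_b(self, amount_a):
        out = self.b - (self.a * self.b) / (self.a + amount_a)
        self.a, self.b = self.a + amount_a, self.b - out
        return out


class SingleSourceOracle:
    """Refreshes from the one pool whenever its spot price has moved > 3%."""
    REFRESH_THRESHOLD = 0.03

    def __init__(self, pool):
        self.pool, self.price = pool, pool.spot_price()

    def needs_refresh(self):
        return abs(self.pool.spot_price() - self.price) / self.price > self.REFRESH_THRESHOLD

    def refresh(self):
        if self.needs_refresh():
            self.price = self.pool.spot_price()  # adopts whatever the pool says now
        return self.price


class CrossCheckedOracle(SingleSourceOracle):
    """Assumed hardening: adopt the pool price only if it lies within `tolerance`
    of the median of independent feeds; otherwise keep the last price and count
    the rejected refresh so operators can alert on it."""

    def __init__(self, pool, feeds, tolerance=0.02):
        super().__init__(pool)
        self.feeds, self.tolerance, self.rejected = feeds, tolerance, 0

    def refresh(self):
        if not self.needs_refresh():
            return self.price
        spot = self.pool.spot_price()
        median = sorted(f() for f in self.feeds)[len(self.feeds) // 2]
        if abs(spot - median) / median <= self.tolerance:
            self.price = spot
        else:
            self.rejected += 1  # pool disagrees with the market: do not refresh
        return self.price


def compare_oracles(swap_size=500.0):
    """Apply one large swap to two identical pools and return the price each
    oracle reports afterwards: (single-source, cross-checked)."""
    feeds = [lambda: 2.0, lambda: 2.01, lambda: 1.99]  # constructed reference feeds
    pool_single = ConstantProductPool(1_000.0, 2_000.0)  # 1 A = 2 B initially
    pool_checked = ConstantProductPool(1_000.0, 2_000.0)
    single = SingleSourceOracle(pool_single)
    checked = CrossCheckedOracle(pool_checked, feeds)
    pool_single.swap_a_for_b(swap_size)  # a single swap moves the spot price far from 2
    pool_checked.swap_a_for_b(swap_size)
    return single.refresh(), checked.refresh()
```

A slippage check that takes its reference price from the single-source oracle compares against the moved price, which is why it passes; the cross-checked oracle still reports 2.0 and counts one rejected refresh.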

Only ETH and BTC Stolen

As this incident occurred in the pending contract, the assets on the Stable Coin sector were not affected by the attack. So far, USDT.e, USDC.e and DAI.e assets in the Stable Coin sector have not been attacked. All pending orders were suspended, meaning that no new pending orders could be created, and existing pending orders could not be executed.

The company said it had located the address holding the US$35 million worth of crypto and suspended it.

According to address monitoring, the attacker has not yet transferred, or processed, the attacked assets any further. We are actively dealing with it and have proactively communicated [with] the attacker on the chain.

Vee Finance

According to Vee Finance, “The company, whose partners include the Avalanche blockchain and Chainlink, a platform that creates DeFi applications, said it had contacted the hacker and was trying to negotiate a solution.”

The problem has been fixed in the meantime and the Pangolin.Exchange has not been affected and is still safe to use, stated the report. Vee Finance posted it had made the white hat bounty available to the hacker if the funds were returned.

This is the second major hack on an Avalanche-based platform in a week. The first was on Zabu Finance, a DeFi protocol that supports peer-to-peer activity without a central player such as a bank or broker. Zabu revealed it had lost US$3.2 million to an attack on September 13, also resulting in a 99 percent price drop.

SushiSwap Hacked for $3M but Funds Returned Almost Immediately

A mystery rogue developer who allegedly drained 864.8 ETH (US$3 million) from a MISO auction has returned the funds to the original token contract.

SushiSwap’s token launch platform suffered a supply chain attack last week that targeted its ‘Jay Pegs Auto Mart’ auction contract.

The exploit was first identified on September 17 by Sushi’s CTO Joseph Delong, who tweeted a link to the transaction that drained the funds from the protocol.

According to Delong, an anonymous contractor injected malicious code into the MISO front end, replacing the original contract for the Jay Pegs Auto Mart token auction – a parody NFT project imitating the value of a 2007 Kia – with a personal Ethereum address. A total of 864.8 ETH was transferred to the address, but no other auctions were affected.

Threat of Legal Action Prompts Return of Funds

In a string of since-deleted tweets, Delong said that Sushi had “reason to believe” the attacker was eratos1122, a pseudonymous developer who worked with Sushi and other DeFi projects. Delong put up a trail of transactions linked to the hacker’s original address and an ultimatum was also posted threatening the hacker with legal action if the funds weren’t reinstated.

A couple of hours later, the hacker returned 865 ETH to the original MISO contract. Data from Etherscan showed that the hacker’s address was almost completely empty, with Delong himself confirming the news on Twitter.

Accused Developer Threatens Retaliation

It’s still not clear who the attacker was and Delong’s original tweets accusing the former MISO developer have been deleted. The accused person threatened to release some of the MISO code he was working on in the absence of an apology from Sushi and Delong.

While many saw this as a clear sign of the developer’s involvement in the incident, neither Sushi nor any of its founders have commented further on the issue.

Some among the crypto community have slated Sushi and Delong for their handling of the situation. With the protocol mostly built by anonymous developers, making accusations without a proper investigation has negatively affected Sushi’s reputation.

Just last month, a collective effort from the crypto community saved SushiSwap’s token fundraising platform from a potential US$350 million heist.

Almost simultaneously with the MISO exploit, SUSHI gained 23 percent in 24 hours following a growth spurt for decentralised exchange (DEX) tokens.

Apple Faces $5 Million Class Action Lawsuit Over Fake Wallet That Led to Crypto Theft

Apple is facing a US$5 million class-action lawsuit from crypto investors after one of its applications allegedly enabled hackers to steal their coins.

The suit levels accusations of negligence, fraud and several computer-specific privacy torts against Apple. It details how hackers planted a phishing application disguised as a crypto wallet called “Toast Plus” in the tech giant’s App Store and lured unwitting users into installing a criminal portal on their devices.

For all intents and purposes, the app resembled a version of popular crypto wallet Toast Wallet but had no connection to it other than sharing a similar name.

According to the suit – filed on behalf of first plaintiff Hadona Diep – Apple is liable for all victims’ losses due to its failure to vet the application before placing it on the App Store. The compensation sought is specified in the complaint as upwards of US$5 million.

Diep, a resident of Maryland who describes herself as a “full-time cyber-security IT professional”, entered her private XRP key, or seed phrase, into Toast Plus, only to later discover her crypto assets – a total of 474 Ripple (XRP) coins – had been drained.

Court documents show that as well as compensation, all class-action plaintiffs demand that Apple be prevented from allowing similar schemes to operate in its App Store in future.

Apple User Agreement Disclaimers Do Not Apply

Apple has yet to respond to the lawsuit or make any public comment on the matter, but it seems the disclaimers in its user agreement don’t apply in this case. The fact that Toast Plus was not an actual application, but instead a medium for the commission of fraud, makes any existing contract using it as subject matter void.

As the lawsuit points out:

While the App Store does have terms and conditions, including limitations on liability, those terms and conditions are the product of adhesion, in that consumers have no other practical ability to access applications for iPhones and iPads if they do not use the App Store; those terms and conditions are therefore not applicable to this case.

Class-action complaint, Diep v Apple Inc, Maryland District Court

Just last month, fake Ronin wallets were reported to be circulating on Google and Apple app stores. The bogus wallets were designed to trick users into giving up their account information, only to find their funds or collectibles removed soon thereafter.

Also last month, Apple announced the settlement of a separate class-action suit filed by US-based software developers, promising better terms for those who make the software that iPhone users run.

ZABU Token Tanks 99% After $3.2 Million DeFi Hack

Zabu Finance, a DeFi project running on the Avalanche blockchain, has been exploited for around US$3.2 million worth of its native token, Zabu – plunging its price within minutes to zero.

First DeFi Hack on the Avalanche Blockchain

In what was the first exploit on the Avalanche blockchain, the attacker drained the funds from the SPORE pool, exploiting the “Transfer Tax” mechanism to mint tokens and subsequently plunging its value to zero. The SPORE pool contained 402.9 Wrapped Ether (WETH), 23,157 Wrapped AVAX (WAVAX), 21,501 Pangolin (PNG), 106,848 Avaware (AVE), 361,267 Tether (USDT), and 23,958 JOE.

The attacker found a bug in the contract used by yield farms to distribute rewards. According to security firm PeckShield, the bug has “happened many times before”.
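The class of reward-distribution bug that PeckShield says has “happened many times before” is typically a fee-on-transfer accounting error; as an added example (not Zabu’s code, and the exact Zabu defect is assumed to be of this class), the Python model below shows a pool that credits the requested deposit rather than the amount it actually received, beside the hardened deposit that measures its own balance change. Tax rate and deposit sizes are constructed.

```python
class TaxedToken:
    """Token that burns a percentage of every transfer (a 'transfer tax')."""

    def __init__(self, tax_rate):
        self.tax_rate = tax_rate
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        # the receiver gets less than `amount`; the tax portion is burned
        self.balances[receiver] = self.balances.get(receiver, 0) + amount * (1 - self.tax_rate)


class RewardPool:
    """Staking pool whose reward share is proportional to credited stake."""

    def __init__(self, token, hardened):
        self.token, self.hardened = token, hardened
        self.stake = {}  # user -> credited stake
        self.total_stake = 0.0

    def held(self):
        return self.token.balances.get(self, 0)

    def deposit(self, user, amount):
        before = self.held()
        self.token.transfer(user, self, amount)
        if self.hardened:
            credited = self.held() - before  # credit only what actually arrived
        else:
            credited = amount  # vulnerable: trusts the requested amount
        self.stake[user] = self.stake.get(user, 0) + credited
        self.total_stake += credited
        return credited


def stake_shortfall(hardened, tax_rate=0.1, deposits=(100.0, 100.0)):
    """Return credited stake minus tokens actually held after the deposits.
    A positive value is stake (and hence reward entitlement) the pool cannot back."""
    token = TaxedToken(tax_rate)
    pool = RewardPool(token, hardened)
    for i, amount in enumerate(deposits):
        user = f"user{i}"
        token.mint(user, amount)  # constructed starting balances
        pool.deposit(user, amount)
    return pool.total_stake - pool.held()
```

With a 10 percent tax and two deposits of 100, the vulnerable pool records 200 of stake while holding 180, so rewards and withdrawals are computed against tokens it never received; the hardened pool records exactly 180.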

Yet the Zabu Finance team tried to calm its community, stating it was not behind the attack, and burned all team tokens. The protocol burned the remaining 93.21 million Zabu tokens – around US$360,000 worth.

Another Day, Another DeFi Hack

Zabu Finance is the latest protocol to be hacked, adding to a list of hacked projects this year. A similar case involving Popsicle Finance occurred on August 7 when an attacker managed to drain 85 percent of the deposit pools by taking advantage of a bug found in the smart contracts.

Just a few days later, an unknown attacker managed to drain US$600 million from cross-chain protocol Poly Network. While not a DeFi hack per se, as the attacker turned out to be a white hat hacker (an ethical hacker), it was by far the biggest amount stolen in DeFi history.

Cream Finance to Pay Back Users $19 Million via Protocol Fees Following DeFi Hack

Cream Finance (aka C.R.E.A.M.), a popular decentralised lending protocol, has allocated 20 percent of all the fees it charges to repay affected customers from a recent exploit in which it lost US$19 million.

Cream has announced repaying affected users after a flash loan hack at the end of last month. The team said it will post Cream collateral with Flexa, creator of AMP, to ensure the debt is entirely paid.

Additionally, the Cream team is offering a 10 percent bug bounty to the attacker and up to 50 percent for third parties who can assist the protocol to recover the funds.

We learned from this exploit and will use it as an opportunity to strengthen our protocol. Exploits are setbacks but this won’t stop us from fulfilling our mission to drive capital efficiency and meet the decentralised lending needs of individuals, institutions and protocols.

C.R.E.A.M. Communications announcement

At first, it was thought the hacker had stolen just over US$19 million, but after updating prices the total loss surpassed US$37.5 million.

Not the Best Year for Cream Finance

As Crypto News Australia reported this week, Cream Finance was exploited for the second time in six months. On August 31, an unknown attacker managed to drain 462 million AMP and 2,800 tokens – worth US$29 million – from its vault. According to blockchain security firm PeckShield, the attacker took advantage of an error in the integration process of AMP, forcing the protocol to halt supply and borrow on AMP to stop the exploit.

Five months ago, Cream and PancakeSwap suffered a DNS attack; several notices were shared on social media warning that users visiting the protocols’ websites were exposed.

It’s always advisable to DYOR (Do Your Own Research) before investing in a DeFi protocol, as hackers, scammers and other malicious actors are thriving in this ecosystem.

Cream Finance DeFi Loses $19 million in Flash Loan Hack, its Second Breach in 6 Months

Decentralised finance (DeFi) platform Cream Finance has fallen victim to an exploit, the second time the protocol has been targeted. This latest flash loan attack on August 30 stole an estimated US$19 million from the protocol.

While Cream Finance runs on Ethereum, Binance Smart Chain and Fantom, luckily the only affected market was the v1 market on the Ethereum blockchain.

How Did It Happen?

According to PeckShield, a blockchain security company, the hacker made “a flash loan of 500 ETH and deposited the funds as collateral. [Next] the hacker borrowed 19M $AMP and made use of the reentrancy bug to re-borrow 355 ETH inside the $AMP token transfer. Then the hacker self-liquidated the borrow.”

The flash loan attack process. Source: PeckShield

The process was repeated 17 times, allowing the hacker to get away with around US$18.8 million.
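As an added illustration of the reentrancy pattern PeckShield describes, and not Cream’s code, the Python model below re-enters a toy lending pool from a token transfer hook (the assumed mechanism behind “inside the $AMP token transfer”) and shows that recording the debt before the transfer, plus a reentrancy lock, stops the second borrow. Amounts, the AMP price and the collateral factor are constructed.

```python
class Reentrancy(Exception):
    """Raised when a locked function is entered a second time."""


class HookToken:
    """Token whose transfer calls a receiver hook before balances settle."""

    def __init__(self):
        self.hook = None  # callable(receiver, amount), registered by the receiver

    def transfer(self, receiver, amount):
        if self.hook is not None:
            self.hook(receiver, amount)  # control passes to the receiver mid-transfer


class LendingPool:
    COLLATERAL_FACTOR = 0.75  # constructed: 75% of collateral value is borrowable

    def __init__(self, token, hardened):
        self.token, self.hardened = token, hardened
        self.debt_eth, self.debt_amp = {}, {}  # user -> amount borrowed
        self.eth_paid_out = 0.0
        self.locked = False

    def capacity(self, user, collateral_eth, amp_price):
        owed = self.debt_eth.get(user, 0) + self.debt_amp.get(user, 0) * amp_price
        return collateral_eth * self.COLLATERAL_FACTOR - owed

    def _enter(self):
        if self.hardened and self.locked:  # reentrancy lock, hardened pool only
            raise Reentrancy("borrow called again during a token transfer")
        self.locked = True

    def borrow_eth(self, user, amount, collateral_eth, amp_price):
        self._enter()
        try:
            if amount > self.capacity(user, collateral_eth, amp_price):
                raise ValueError("insufficient collateral")
            self.debt_eth[user] = self.debt_eth.get(user, 0) + amount
            self.eth_paid_out += amount
        finally:
            self.locked = False

    def borrow_amp(self, user, amount, collateral_eth, amp_price):
        self._enter()
        try:
            if amount * amp_price > self.capacity(user, collateral_eth, amp_price):
                raise ValueError("insufficient collateral")
            if self.hardened:  # checks-effects-interactions: record debt, then transfer
                self.debt_amp[user] = self.debt_amp.get(user, 0) + amount
                self.token.transfer(user, amount)
            else:  # vulnerable order: the transfer (and its hook) runs before the debt
                self.token.transfer(user, amount)
                self.debt_amp[user] = self.debt_amp.get(user, 0) + amount
        finally:
            self.locked = False


def eth_over_lent(hardened, collateral_eth=500.0, amp_price=0.0002):
    """Borrow AMP, then re-borrow the full ETH capacity from inside the token hook;
    returns the ETH the pool paid out while the AMP debt was still unrecorded."""
    token, user = HookToken(), "borrower"
    pool = LendingPool(token, hardened)

    def hook(receiver, _amount):  # the receiver's own code, run mid-transfer
        pool.borrow_eth(receiver, collateral_eth * LendingPool.COLLATERAL_FACTOR,
                        collateral_eth, amp_price)
    token.hook = hook
    try:
        pool.borrow_amp(user, 1_000_000.0, collateral_eth, amp_price)  # worth 200 ETH
    except Reentrancy:
        return 0.0  # hardened pool reverts the whole borrow
    return pool.eth_paid_out
```

In the hardened pool either defence alone is enough: the lock raises first, and even without it the re-entered ETH borrow would fail its collateral check because the 200 ETH of AMP debt is already on the books.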

“The funds are still parked in 0xCE1F … 6EDE. We are actively monitoring this address for any movement,” PeckShield noted, providing the hacker’s address via Etherscan.

The price of AMP token plunged more than 14 percent in the first few hours following the exploit but has been recovering since. This is the second time in six months that Cream Finance has fallen victim to an exploit.

The Importance of Reviewing DeFi Contracts

Various security and crypto experts have identified some of the major concerns surrounding the emerging DeFi market. “DeFi can be hacked for two main reasons – vulnerability in the DeFi smart contract code, or hacking the private key of the smart contract owner who has permissions to control the protocol,” said Lior Lamesh, CEO of GK8.

Lamesh added that “in order to prevent such attacks, financial institutions looking to offer DeFi services need to do two main steps: First, review the DeFi smart contract code and validate that it has no vulnerabilities; second, protect the smart contract owner’s private key at the highest level of security.”

As more institutional investors flock to DeFi and the benefits brought by the technology, it’s becoming increasingly important to review code and to ensure contracts execute as intended.