Categories
Crypto Exchange DeFi Hackers

Stablecoin DEX ‘Saddle Finance’ Exploited for $10 Million

Decentralised exchange Saddle Finance was hacked over the weekend, resulting in the loss of over US$10 million in funds. The DEX is working with blockchain security organisation BlockSec to return some of the lost funds and at the time of writing the identity of the hacker remained unknown.

Saddle Finance is an automated market maker that specialises in the trading of stablecoins and other pegged assets such as wrapped BTC.

Timeline of the Hack

According to on-chain data, the hack occurred at 7:40am UTC on April 30, with the hacker initially stealing approximately US$14.8 million in assets. 

Twitter user @web3isgreat, who catalogues blockchain hacks, claims it was a flash loan attack and that, once stolen, the assets were funnelled through Tornado Cash, a mixer that severs the on-chain link between the deposited funds and the addresses that later withdraw them, making the hacker far harder to track.

Based on Twitter interactions, it appears BlockSec’s monitoring and attack blocking systems detected the exploit shortly after it began. Once aware of the attack, BlockSec tweeted an alert to Saddle Finance.

Around 20 minutes later, Saddle Finance tweeted that it was investigating a “possible exploit” and had paused pool withdrawals, later clarifying that only metapool withdrawals had been suspended.

Around two hours after it was first notified about the hack, Saddle tweeted that BlockSec had been able to secure approximately US$3.8 million of the lost funds.

In all, over US$10 million in assets remain missing with little chance of recovery.

In a worrying trend, DeFi hacks are becoming an increasingly common occurrence. In February, Meter.io was hacked for US$4.4 million and in March the Ronin Network bridge used by Axie Infinity lost US$625 million in what has since been assessed as the largest DeFi exploit on record.

Categories
Crypto News DeFi Hackers

Hacker Steals $80 Million From DeFi Lender ‘Rari Capital’ via Fei Protocol Exploit

DeFi platform Rari Capital has been hacked for more than US$80 million in assets held within its Fuse lending pools.

Rari Capital’s Fuse platform enables DeFi developers to create their own lending markets. Security firm BlockSec identified the cause as a reentrancy vulnerability in the protocol’s smart contracts. A reentrancy bug arises when a contract hands control to an external caller before it has updated its own state, so the caller’s contract can call back in and act on balances that have not yet been reduced.
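How a bug of that class plays out, as an added off-chain simulation: this is not Rari’s, Fuse’s or BlockSec’s code and it does not claim to reproduce the exact Fuse code path. The toy vault, the attacker contract and the balances are constructed for the example; with `guarded=False` the vault pays out before it updates the depositor’s credit, with `guarded=True` it applies checks-effects-interactions plus a reentrancy lock.

```python
"""Reentrancy simulated off-chain: a vault that makes an external call before
updating its own books, beside one that follows checks-effects-interactions."""


class Vault:
    """Toy ETH vault. guarded=True applies checks-effects-interactions and a
    reentrancy lock; guarded=False reproduces the classic bug."""

    def __init__(self, guarded: bool):
        self.guarded = guarded
        self.balances = {}      # depositor -> credited amount
        self.total = 0          # ETH actually held by the vault
        self._locked = False

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who) -> None:
        if self.guarded and self._locked:
            raise RuntimeError("reentrant call")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.total:
                raise RuntimeError("insufficient funds")
            if self.guarded:
                # Effects first: the credit is zeroed BEFORE the external call.
                self.balances[who] = 0
                self.total -= amount
                who.receive(self, amount)
            else:
                # Interaction first: the external call runs while the caller's
                # credit is still intact, so the callee can re-enter withdraw()
                # and be paid again against the same credit.
                self.total -= amount
                who.receive(self, amount)
                self.balances[who] = 0
        finally:
            self._locked = False


class Attacker:
    """Contract whose payment hook calls straight back into the vault."""

    def __init__(self):
        self.stolen = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.stolen += amount
        if vault.total >= amount:        # re-enter while there is ETH left
            try:
                vault.withdraw(self)
            except RuntimeError:
                pass                     # guarded vault rejects the nested call


def run_attack(guarded: bool) -> tuple:
    """Returns (attacker_take, vault_remaining) after a single withdraw() call.
    Constructed balances: an honest depositor with 90, the attacker with 10."""
    vault = Vault(guarded)
    vault.deposit("honest_lp", 90)
    attacker = Attacker()
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return attacker.stolen, vault.total
```

In the unguarded run the attacker’s 10-unit deposit is paid out ten times over and the honest depositor’s 90 units are gone; in the guarded run the nested call is rejected and the attacker gets exactly its own deposit back.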

Development team Fei Protocol, which runs a decentralised US dollar-pegged stablecoin called Fei USD, was the biggest loser in the hack. The team manages lending markets on Fuse, where users can deposit funds for an annual yield and also take out loans in FEI stablecoin.

$10 Million Bounty Offered, ‘No Questions Asked’

Fei Protocol has acknowledged the massive exploit and asked the hacker(s) to return the funds in exchange for a US$10 million bounty.

The Rari Capital exploit is the latest in a string of significant reentrancy hacks over the past six months. In December, the unfortunately named Grim Finance, a compounding yield optimiser on the Fantom blockchain, was drained of an estimated US$30 million in Fantom (FTM) tokens.

And early last month, DeFi protocol Ola Finance suffered a US$3.6 million hack, also blamed on a reentrancy bug. A fortnight earlier, DeFi lending protocols Agave and Hundred Finance were exploited for approximately US$11 million. DeFi continues to provide far too much fertile ground for hackers.

Categories
Bored Ape Yacht Club Hackers Illegal NFTs Scams

Bored Ape Yacht Club’s Instagram Compromised in $2.8 Million NFT Phishing Scam

Bored Ape Yacht Club’s (BAYC) Instagram account has been hijacked and used for a phishing scam, resulting in the theft of NFTs worth around US$2.8 million.

Yuga Labs, the creator of BAYC, is investigating the attack and has tweeted a warning to followers not to click on links or mint new tokens. The attacker stole 133 NFTs after using BAYC’s Instagram account to promote a fake “airdrop”. The scam promised people free tokens if they connected their MetaMask wallets to the site linked from the post.

No Compensation As Yet

It is not yet known how the hacker accessed the Instagram account, and Yuga Labs has yet to announce whether it will compensate those affected by the scam.

According to Yuga Labs, “At the time of the hack, two-factor authentication was enabled and security surrounding the Instagram (IG) account followed best practices.” It added: “We’ve regained control of the account, and are investigating how the hacker gained access with IG’s team.”

According to blockchain data, the hacker’s wallet, which has been identified in connection with the attack, holds 91 NFTs and is said to be worth US$2.8 million based on the floor prices of the respective collections. The attack has seen 24 Bored Apes and 30 Mutant Apes stolen.

Yet Another Attack on BAYC

The news of this latest attack comes only weeks after the BAYC Discord servers suffered a phishing scam which led its governance token to plunge by 20 percent. Another possible hack was witnessed a couple of weeks ago when a BAYC NFT worth US$350,000 was sold for just US$115. Many question whether it was an exploit or just a massive error.

Categories
Crypto News Hackers Illegal Scams

Hacker Exploits DeFi Protocol ‘Zeed’ for $1 Million But Fails to Take the Funds

After the decentralised finance (DeFi) protocol ‘Zeed’ was exploited for US$1 million this week, the attacker self-destructed the contract used in the attack without first moving the tokens out of it, leaving them stuck at an address that no longer has any code with which to transfer them.

Zeed is a lesser-known DeFi protocol, an “autonomous decentralised integrated ecosystem” that runs on BNB Chain. The attacker minted extra reward tokens and sold them on the market, crashing the token’s price to zero.

After the attack, the hacker destroyed the contract used in the exploit, meaning that any tokens held by the contract could no longer be moved, according to PeckShield, who put it in a nutshell: “The hacker kills the contract, but forgets to transfer the profit.”

Another blockchain security firm, BlockSec, added: “Interestingly, the attacker does not transfer the obtained tokens out before self-destructing the attack contract. Probably, he/she was too excited.”

Yet Another DeFi Hack

Hacks are becoming an increasingly common occurrence in the DeFi space. Last year, DeFi project Cream Finance lost US$19 million in a flash loan attack – its second breach in six months. Earlier this week, Crypto News Australia reported that the Beanstalk stablecoin lost about US$182 million in yet another flash loan exploit.

Categories
Hackers Illegal NFTs Rarible Scams

2 Million Users’ NFTs at Risk After Security Firm Identifies Flaw in Rarible

Cyber security software firm Check Point Research (CPR) has identified a vulnerability in NFT marketplace Rarible that could have seen any of its 2 million monthly users lose their NFTs in a single transaction.

Attackers Could Have Gained Full Access

CPR has previously identified flaws in NFT marketplaces, among them the security issues it disclosed in OpenSea in October 2021. According to CPR:

CPR identified a security flaw in Rarible, the NFT marketplace with over two million active users. If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and crypto tokens in a single transaction. CPR immediately disclosed findings to Rarible, who acknowledged the security flaw. CPR’s revelations mark the second time that their researchers discovered security flaws in an NFT marketplace. In October 2021, CPR found security issues in OpenSea, the world’s largest NFT marketplace.

Check Point Research

According to CPR, the attack would have been delivered through a malicious NFT hosted on Rarible’s own marketplace, where users are less suspicious and are used to submitting transactions. It would have begun with the victim receiving a link to the malicious NFT and clicking on it.

Attack Methodology

CPR has provided outlines of the attack methodology:

  • Victims receive a link to the malicious NFT or browse the marketplace and click on it.
  • The malicious NFT executes JavaScript code that prompts the victim’s wallet to sign a setApprovalForAll transaction naming the attacker as operator.
  • If the victim submits that transaction, the attacker becomes an approved operator with full transfer rights over the victim’s NFTs/crypto tokens, with no further confirmation needed.
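What the wallet is actually being asked to sign in the second step, and the check a wallet or browser extension can run before prompting the user, as an added example: this is not CPR’s proof of concept and not Rarible’s code, and it shows the defender’s side rather than the browser-side JavaScript the attack uses. The function selectors are the standard ERC-721/ERC-1155 ones (first four bytes of keccak256 of the signature); the operator addresses and the trusted-operator allowlist are placeholders constructed for the example.

```python
"""Wallet-side check for the setApprovalForAll phishing pattern above.
Decodes the calldata a dApp asks the user to sign and flags an approval that
hands every token in a collection to an operator the user does not know."""

SET_APPROVAL_FOR_ALL = "a22cb465"   # setApprovalForAll(address,bool), ERC-721/1155
APPROVE = "095ea7b3"                # approve(address,uint256), single-token approval

# Placeholder allowlist of operators the user has deliberately trusted
# (e.g. a marketplace's own transfer contract). Constructed for the example.
TRUSTED_OPERATORS = {"0x1111111111111111111111111111111111111111"}


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved) as hex calldata."""
    op = operator.lower().removeprefix("0x").rjust(64, "0")   # address in a 32-byte word
    flag = ("1" if approved else "0").rjust(64, "0")         # bool in a 32-byte word
    return "0x" + SET_APPROVAL_FOR_ALL + op + flag


def decode_set_approval_for_all(calldata: str):
    """Return (operator, approved) if calldata is a setApprovalForAll call, else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator_word, approved_word = data[8:72], data[72:136]
    # ABI left-pads an address with 12 zero bytes; anything else is malformed.
    if operator_word[:24] != "0" * 24:
        return None
    return "0x" + operator_word[24:], int(approved_word, 16) != 0


def assess_signing_request(calldata: str) -> str:
    """Classify a signing request as 'safe', 'review' or 'danger'."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is None:
        return "review"      # some other call: show the normal confirmation
    operator, approved = decoded
    if not approved:
        return "safe"        # revoking an operator cannot move assets
    if operator in TRUSTED_OPERATORS:
        return "review"      # legitimate listing flow, but still a blanket approval
    return "danger"          # blanket transfer rights to an unknown address


# Constructed sample: the kind of request the malicious NFT would trigger.
ATTACKER_OPERATOR = "0x" + "ab" * 20
SAMPLE_PHISHING_CALLDATA = encode_set_approval_for_all(ATTACKER_OPERATOR, True)
```

The point of the decode step is that a blanket operator approval looks, in the wallet prompt, like any other contract interaction; only by reading the selector and the operator word can the wallet tell the user that a single signature hands over every token in the collection.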

CPR immediately disclosed the findings to Rarible, which has since acknowledged the security flaw and taken steps to address it.

NFT Thefts Rampant

Earlier this year, Crypto News Australia reported a flaw affecting multibillion-dollar GameFi company Illuvium that led the project to drain its own liquidity pools as a precaution. Had it not done so, the flaw could have cost billions of dollars.

Categories
DeFi Hackers Illegal Scams Stablecoins

Beanstalk Stablecoin Loses $182 Million in Flash Loan Exploit

An attacker has drained US$182 million from the Beanstalk stablecoin protocol in a flash loan attack, the second nine-figure DeFi exploit in just a month. Beanstalk joins a growing list of Ethereum DeFi protocols to suffer multimillion-dollar breaches.

The attack on Beanstalk, a credit-based stablecoin built on Ethereum, mirrors last year’s incident in which PancakeBunny’s DeFi protocol lost US$45 million. In the Beanstalk case, Etherscan data shows the attacker drew on Aave’s flash loan feature to withdraw liquidity from the protocol, then used Uniswap to swap the DAI, USDC and USDT for ETH.

The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack and the token was down 86 percent at the time of writing.

Native Tokens Used to Drain Funds

Beanstalk has since reported that the flash loan on Aave enabled the attacker to amass a large amount of Beanstalk’s native governance token, Stalk. With the voting power those tokens carried, the attacker was able to pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet. Because a flash loan is borrowed and repaid within a single transaction, any governance scheme that counts live token balances at the moment a vote is tallied can be captured this way.
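The governance failure mode described above, as an added off-chain simulation that is not Beanstalk’s code and makes no claim about Beanstalk’s actual proposal or voting parameters: a toy DAO whose proposals pass on a two-thirds supermajority of token supply, run once with voting power read from live balances and once with power snapshotted when the proposal is created. The token balances, treasury size and the “lending_pool” the attacker flash-borrows from are constructed for the example.

```python
"""Flash-loan governance takeover simulated off-chain. Voting power read from
live balances lets borrowed tokens vote; a snapshot taken when the proposal is
created does not. A proposal delay on its own is shown to be no defence."""

from dataclasses import dataclass, field


@dataclass
class Proposal:
    proposer: str
    created_at: int                                # block number
    votes_for: int = 0
    snapshot: dict = field(default_factory=dict)   # balances when created


class Governance:
    """Toy DAO: a proposal passes with more than 2/3 of total supply voting for it."""

    def __init__(self, balances: dict, treasury: int,
                 snapshot_votes: bool, delay_blocks: int):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.treasury = treasury
        self.snapshot_votes = snapshot_votes   # hardened if True
        self.delay_blocks = delay_blocks       # min blocks between create and execute
        self.block = 0
        self.proposals = []

    def propose(self, who: str) -> int:
        self.proposals.append(Proposal(who, self.block, snapshot=dict(self.balances)))
        return len(self.proposals) - 1

    def vote(self, pid: int, who: str) -> None:
        p = self.proposals[pid]
        source = p.snapshot if self.snapshot_votes else self.balances
        p.votes_for += source.get(who, 0)

    def execute(self, pid: int) -> int:
        """Pay the whole treasury out to the proposer; returns the amount moved."""
        p = self.proposals[pid]
        if self.block - p.created_at < self.delay_blocks:
            raise RuntimeError("proposal delay not elapsed")
        if 3 * p.votes_for <= 2 * self.total_supply:
            raise RuntimeError("supermajority not reached")
        drained, self.treasury = self.treasury, 0
        return drained


def flash_loan_attack(gov: Governance, attacker="attacker", lender="lending_pool") -> int:
    """Returns how much the attacker extracts; 0 if the attack is rejected."""
    pid = gov.propose(attacker)          # attacker holds no tokens at this point
    gov.block += gov.delay_blocks        # wait out any delay before striking
    # From here on everything happens inside one atomic transaction.
    loan = gov.balances[lender]
    gov.balances[lender] -= loan
    gov.balances[attacker] = gov.balances.get(attacker, 0) + loan
    try:
        gov.vote(pid, attacker)
        return gov.execute(pid)
    except RuntimeError:
        return 0
    finally:                             # repay before the transaction ends
        gov.balances[attacker] -= loan
        gov.balances[lender] += loan


def scenario(snapshot_votes: bool, delay_blocks: int) -> int:
    """Constructed numbers: 1000 tokens in circulation, 700 of them sitting in a
    lending pool the attacker can flash-borrow, 182 units in the treasury."""
    gov = Governance({"lending_pool": 700, "honest_holders": 300}, 182,
                     snapshot_votes, delay_blocks)
    return flash_loan_attack(gov)
```

Note that the delay between proposal and execution does not help on its own: the attacker simply proposes early, waits, and then borrows, votes and executes in one transaction. Only measuring voting power at a point the attacker cannot retroactively influence (the proposal snapshot here) removes the borrowed tokens from the count.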

Some Stolen Funds Diverted to a Ukrainian Relief Wallet

Beanstalk’s smart contracts were audited, but the audit was completed before the introduction of the flash loan vulnerability. No information has yet been forthcoming on whether funds would be reimbursed to users. According to PeckShield, the attacker appears to have donated US$250,000 of the stolen funds to a Ukrainian relief wallet.

Categories
Crypto News Crypto Wallets Ethereum Hackers

US Claims North Korean Hackers Behind $625 Million Ronin Breach

North Korean hacking group Lazarus has been blamed for last month’s US$625 million exploit of Ronin Network, an Ethereum sidechain used by play-to-earn crypto game Axie Infinity.

The link was made public on April 15 when US Treasury announced it had added a new Ethereum wallet to its list of sanctions for the Lazarus Group. It’s the same wallet address that Axie Infinity creator Sky Mavis named as the Ronin attacker in late March, as confirmed by Etherscan.

18% of Stolen Funds Already Laundered

Blockchain analytics firms Chainalysis and Elliptic have corroborated that the wallet address is the same used in the Ronin exploit. Elliptic also confirmed that 18 percent of the stolen funds had already been laundered before the Easter weekend. The wallet still holds 147,753 ETH, worth about US$430 million at the time of writing.

“Identification of the wallet will make clear to other VC actors that by transacting with it, they risk exposure to US sanctions,” said a Treasury spokesperson, who added:

There may be mandatory secondary sanctions on persons who knowingly, directly or indirectly, engage in money laundering, the counterfeiting of goods or currency, bulk cash smuggling, or narcotics trafficking that supports the Government of North Korea or any senior official or person acting for or on behalf of that government.

US Treasury spokesperson

‘Critical Chokepoints’ in the War on Hackers

The spokesperson said that anti-money laundering and countering the financing of terrorists were “critical chokepoints” in the war on hackers, and called on the crypto industry to implement these types of safeguards.

According to a Ronin blog post, “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk.” Redeployment was expected before the end of this month and a full post-mortem would follow at a later date.

Since the attack, Sky Mavis announced a US$150 million funding round led by Binance to help reimburse affected users. Sky Mavis ultimately hopes to recover the stolen funds over the next two years.

Categories
Bored Ape Yacht Club Hackers Illegal NFTs Scams Tokens

$APE Drops 20% Following Bored Ape Yacht Club Discord Hack

ApeCoin has dropped 8 percent after the Bored Ape Yacht Club (BAYC) Discord servers suffered a phishing scam. The governance token behind the world’s largest NFT collection has plunged after news of the phishing attack was confirmed.

APE Witnesses Massive Fluctuations

APE fell from roughly US$14 on March 31 and at some point reached US$12.8, according to CoinMarketCap. The tokens were airdropped to Bored Ape and Mutant Ape NFT holders on March 16 and will serve as the governance token for the project’s newly launched decentralised autonomous organisation (DAO). APE will allow its holders to vote on the project’s roadmap and upcoming proposals.

Since the token launched, the price action has been rather volatile with APE going as high as US$39.4, before settling at a range between US$14 and $16.  

An unknown hacker gained access to the official Discord hosting members of BAYC, Mutant Ape Yacht Club and Mutant Ape Kennel Club, three NFT collections from Yuga Labs. The attacker posted a phishing link in the Mutant Ape Kennel channel disguised as a “stealth NFT mint”, which was used to steal Mutant Ape Yacht Club #8662 from one user.

No ‘April Fools Stealth Mints’

The team at BAYC indicated in a tweet that it had “caught” the issue immediately but cautioned users not to mint any NFT using a link posted on its Discord, and stated that it had no April Fools stealth mints. According to several reports, clicking on the link would result in the loss of the holder’s NFTs. It has been reported that the hacker may have carried out the attack via Ticket Tool, a popular Discord bot that automatically generates support tickets.

Twitter users have also warned of a similar exploit on the Discord server of Doodles, another NFT collection, but at the time of writing this had not yet been confirmed.

Categories
Crypto News DeFi Hackers Scams

DeFi Lender ‘Inverse Finance’ Exploited for $15.6 Million

Inverse Finance, a decentralised lending protocol built on Ethereum, has lost over US$15 million in the latest multimillion-dollar DeFi hack of the year. The attacker manipulated the protocol’s price oracle, borrowed far more than the posted collateral was really worth and withdrew the proceeds through Tornado Cash.

As spotted by blockchain analytics firm PeckShield, the lending protocol had 4300 ETH stolen.

The attacker targeted Inverse’s Anchor (ANC) money market, artificially inflating the price of the collateral token so that large loans could be taken out against collateral that was in reality worth very little.

The hackers were funded with 901 ETH (US$3 million) from Tornado Cash in order to pull off the exploit. By tricking the price oracle into thinking the native INV token was at a much higher price, massive loans were then taken out on Anchor using INV as collateral.

List of stolen crypto. Source: EtherScan

This was done by swapping the ETH into INV across several SushiSwap trading pairs, pushing up the pool price the oracle used to value INV. A representative from PeckShield told CoinDesk that “the attack was high-risk, since the $3 million worth of crypto used to trick the price oracle would have been completely lost if the price of INV [had fallen] back to normal levels before the attacker took out the loans”.
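The arithmetic behind that manipulation, as an added off-chain simulation that is not Inverse’s, SushiSwap’s or PeckShield’s code: a constant-product pool whose reserve ratio a naive oracle reads as the price, a large ETH-for-token swap that moves that ratio, the loan a lending market would then extend against the bought tokens, and the same swap seen through a time-weighted average over several blocks. Pool reserves, the 50 percent collateral factor and the window length are constructed for the example; swap fees are ignored.

```python
"""AMM spot price used as a lending oracle, simulated off-chain. Shows how one
large swap moves the reserve ratio a naive oracle reads, how much can then be
borrowed against the inflated collateral, and how a TWAP blunts the same swap."""


class ConstantProductPool:
    """x * y = k pool; price of TOKEN quoted in ETH. Fee ignored (assumption)."""

    def __init__(self, token_reserve: float, eth_reserve: float):
        self.token = token_reserve
        self.eth = eth_reserve

    def spot_price(self) -> float:
        return self.eth / self.token           # ETH per TOKEN

    def buy_token_with_eth(self, eth_in: float) -> float:
        """Swap ETH -> TOKEN; returns TOKEN received. Raises the spot price."""
        k = self.token * self.eth
        self.eth += eth_in
        token_out = self.token - k / self.eth
        self.token -= token_out
        return token_out


class TwapOracle:
    """Time-weighted average of one observation per block over `window` blocks."""

    def __init__(self, window: int):
        self.window = window
        self.history = []

    def observe(self, price: float) -> None:
        self.history.append(price)
        self.history = self.history[-self.window:]

    def price(self) -> float:
        return sum(self.history) / len(self.history)


def max_borrow_eth(collateral_tokens: float, oracle_price: float,
                   collateral_factor: float = 0.5) -> float:
    """Lending market rule: borrowable ETH = collateral value * factor."""
    return collateral_tokens * oracle_price * collateral_factor


def simulate(attack_eth: float, twap_window: int) -> dict:
    """Constructed pool: 100,000 TOKEN against 100 ETH (0.001 ETH/TOKEN)."""
    pool = ConstantProductPool(token_reserve=100_000, eth_reserve=100)
    twap = TwapOracle(twap_window)
    for _ in range(twap_window):            # calm price history before the attack
        twap.observe(pool.spot_price())
    before = pool.spot_price()
    tokens = pool.buy_token_with_eth(attack_eth)
    twap.observe(pool.spot_price())         # the single manipulated observation
    spot = pool.spot_price()
    return {
        "spot_before": before,
        "spot_after": spot,
        "twap_after": twap.price(),
        "tokens_bought": tokens,
        "borrow_vs_spot": max_borrow_eth(tokens, spot),
        "borrow_vs_twap": max_borrow_eth(tokens, twap.price()),
        "attack_cost_eth": attack_eth,
    }


if __name__ == "__main__":
    for key, value in simulate(attack_eth=901, twap_window=10).items():
        print(f"{key:>16}: {value:,.4f}")
```

With a 901 ETH buy into this pool the spot price rises by a factor of (1001/100)^2, about 100x, and a market that trusts the spot price lends out several times the attacker’s outlay; the same observation averaged over ten blocks lends out less than the attack cost. A TWAP only raises the price of manipulation (the attacker must hold the pool at the inflated level for most of the window), which is why the page’s note that Inverse is moving to a Chainlink feed is the more robust fix.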

Inverse’s Plan of Action

Inverse has since paused all borrowing and stated in a thread that a plan would be sent to governance to “ensure all wallets impacted by the price manipulation are repaid 100 percent”, adding that it would not mint new INV to repay affected users, which might affect its already falling price.

A bounty has been made available to the hacker but no further updates have been issued. To minimise the risk of future problems like this one, a representative for the protocol added that it is working with Chainlink to build a new INV oracle.

This event only adds to the list of DeFi hacks to have occurred this year. In March, Deus Finance was exploited for US$3 million in a flash loan attack, while in February QiDao also suffered a multimillion-dollar exploit.

Categories
Crypto News Crypto Wallets Hackers Trezor

Trezor Suffers Newsletter Phishing Attack via MailChimp Exploit

Crypto hardware wallet company Trezor has confirmed that some of its users were the target of a phishing attack over the weekend. Trezor tweeted that it was investigating “a potential data breach of an opt-in newsletter hosted on MailChimp” and warned users to avoid opening emails from “[email protected]”.

“We will not be communicating by newsletter until the situation is resolved,” Trezor advised in a later post. “Do not open any emails appearing to come from Trezor until further notice. Please ensure you are using anonymous email addresses for bitcoin-related activity.”

Fake Security Breach Used as Bait

Trezor users shared warnings and screenshots of the phishing attempt from April 2, some noting it was a bare-faced ruse to get users to download malicious code disguised as Trezor’s Suite desktop app, on the pretext of a fake security breach at the company.

A Trezor Good News Story

In a rare good news story associated with a similar incident in January, a hacker using the handle ‘Kingpin’ was able to bail out a user who’d forgotten the PIN to his Trezor One hardware wallet.

Kingpin later posted a video demonstrating how he managed to retrieve the user’s PIN.