Ola Finance Suffers $3.6 Million ‘Re-Entrancy’ Attack

DeFi protocol Ola Finance has called on users to resist pointing fingers of blame and asked the community instead to focus on the growth of the project, as it addressed a US$3.6 million hack via Twitter on April 1.

The attack took place on Fuse Lending, Ola’s implementation on the Fuse blockchain.

Re-Entrancy Bug Responsible for Theft

The incident involved a “re-entrancy bug”, a well-known culprit at the heart of many DeFi attacks. The smart contract vulnerability lets an attacker call back into a protocol repeatedly in order to extract assets without having to pay back the borrowed funds.

The attack began by mixing funds through Tornado Cash, making the crypto hard to trace. The funds were then withdrawn over the Fuse Bridge and transferred to the Fuse network (Ola’s decentralised lending platform). The hacker used the assets as collateral to take out loans, and by exploiting the re-entrancy bug was able to then remove the starting funds without having to repay the loans.

This process was repeated several times across different Ola pools. The hacker then transferred the drained assets to wallets on Ethereum and BNB Chain. In total, the hacker holds US$3 million on Ethereum and another US$637,000 on BNB Chain.

Official Report Forthcoming

Ola tweeted that it would soon publish an “official report detailing the exploit”. For now it has responsibly paused the use of the Fuse network lending protocol while looking into rectifying the bad code.

This is not the first, nor will it be the last, re-entrancy attack in DeFi. Only two weeks ago, Agave and Hundred Finance, two lending DeFi protocols, were exploited for approximately US$11 million. Three months ago, Grim Finance DeFi protocol was hacked for US$30 million in Fantom tokens as attackers exploited a flaw in the vault contract.

Cybersecurity Uncovers 13 Malicious Wallets that Could Steal Your Crypto

A criminal plot to steal users’ digital assets via apps impersonating popular cryptocurrency wallets has been uncovered in new research by global cybersecurity firm ESET.

ESET believes it’s likely that a single criminal group is behind the coordinated scheme to steal users’ crypto funds – via more than 40 copycat websites of popular crypto wallets used to promote downloads of malicious apps.

While the malicious apps were not available on Apple’s App Store (instead requiring download and installation using a configuration profile), 13 apps impersonating the Jaxx Liberty wallet were found on the Google Play store and have subsequently been removed by Google.

Counterfeit Wallets Target Chinese Users

Primarily targeting Chinese users, across both Android and iOS devices, the malicious apps closely mimicked the appearance and functionality of legitimate wallets including MetaMask, Coinbase and Trust Wallet.

ESET researcher Lukáš Štefanko said the malicious code used in the Trojan wallets enables users’ funds to be stolen and exposes users to other risks:

These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network.

Lukáš Štefanko, ESET researcher

Beware Before You Download

ESET found the Trojan apps and fake websites were sophisticated, and were also promoted using ads on legitimate sites and via groups on Telegram and Facebook.

The firm said the source code of the threat it uncovered has now been leaked online, which could encourage and enable other criminals to spread the threat even further.

In light of the findings, Keystone Wallet tweeted a warning to its users to be wary of what they download.

Fake wallet scams are a key risk for crypto investors. Last year it was revealed that over US$500,000 had been lost due to Google Ads directing users to fake wallets, while Apple was served a US$5 million lawsuit over a phishing app disguised as a wallet that was available in the tech giant’s App Store.

Axie Infinity Loses $625 Million in Biggest DeFi Hack on Record

Ronin, the Ethereum sidechain specifically designed for popular NFT game Axie Infinity, has been the victim of a major hack, draining approximately US$625 million worth of WETH and USDC from its bridge.

Attack Started One Week Ago

Sky Mavis – the studio behind Axie Infinity – said the attack started on March 23, almost a week before being noticed yesterday, when a user was unable to withdraw 5k ETH from the bridge. The company is now reportedly in talks with several government agencies to identify the exploiter.

The attack occurred after four Ronin validators and one Axie DAO third-party validator were compromised:

Sky Mavis’s Ronin chain currently consists of nine validator nodes. In order to recognise a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO. 

Ronin Network statement

The attacker drained US$25 million in USDC and 173,600 ETH (nearly US$600 million) from the bridge that connects Ronin with the Ethereum mainnet, using “hacked private keys” to execute the exploit. In doing so, they were able to forge two fake withdrawals (transactions 1 and 2) and steal the funds.

Now the Biggest Hack in Crypto History

This is now the largest hack in crypto history, narrowly exceeding last year’s US$600 million Poly Network hack and significantly larger than the US$326 million Solana Wormhole hack earlier this year.

Sky Mavis is said to be working with Chainalysis to monitor the stolen funds, most of which are still in the hacker’s wallet. Additionally, the company stated that it would migrate its entire node infrastructure, so it might take a while for things to get up and start running again. Also, as a result of the attack, both Ronin and Katana DEX are temporarily halted to avoid further attack vectors.

Jeff Zirlin, co-founder of Sky Mavis, described the hack as “one of the biggest in history” at the recent NFT LA conference.

Suspicions Raised as $350,000 Bored Ape NFT Sells for Just $115

The owner of a Bored Ape NFT worth US$350,000 sold it for only 115 DAI (US$115) in what appears to be either a costly mistake or some kind of hack of the owner’s OpenSea account.

We’re accustomed to seeing NFTs – especially those from the Bored Ape Yacht Club (BAYC) – being sold for hundreds of thousands or even millions of dollars. Mistakes abound in this space, however. Three months ago, the owner of a Bored Ape mistakenly sold his NFT for US$3,000 instead of its market value price of $300,000.

In this latest case, however, bells started ringing in the NFT community as it’s unusual to see an owner of a valuable Bored Ape accepting such a low offer.

Second Undervalued Transaction, Same Buyer, Same Day

The owner of Bored Ape #835, who goes by the moniker “cchan”, accepted a bid of only 115 DAI – an Ethereum-based stablecoin – for his NFT. But what’s striking is that cchan also sold his Mutant Ape (from the Mutant Ape Yacht Club) #11670 for 25 DAI to the same buyer on the same day.

Bored Ape #835 is now owned by a user with the handle “6315EF”.

Currency Confusion or Tax Dodge?

People on crypto Twitter started conjecturing possible explanations for this event, such as cchan confusing ETH with DAI. Another possibility is tax-loss harvesting, which is selling certain assets at a loss to offset capital gains made via the sale of other assets or stocks, thus minimising the amount of tax owed.

However, one user on Twitter said cchan was not aware of the situation, which suggests he had his account hacked.

This is quite a significant loss for cchan, who acquired Bored Ape #835 in August last year for 15 ETH (US$51,000 today).

The NFT space is chock-full of horror stories like this. As Crypto News Australia reported a week ago, a trader with the online handle Dino Dealer sold his US$1.2 million clipart rock for less than a cent after erroneously listing the NFT for 444 wei, the smallest denomination of ETH, instead of 444 ETH.

DEX Aggregator Li.Finance Exploited for $600,000 But Users Reimbursed

Li.Finance, a decentralised exchange (DEX) based in Germany, has had one of its smart contracts exploited, resulting in 29 users losing an estimated US$600,000 worth of various assets. The vulnerability has since been fixed and the majority of the affected users reimbursed.

According to the Li.Finance postmortem, on March 20 an attacker exploited a contract responsible for pre-bridge swaps and was able to steal an estimated 200 ETH in a single transaction.

The affected 29 wallets were emptied of a variety of tokens; the attack targeted wallets that had granted the contract infinite token approvals. The tokens included were USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. They were all converted to ETH and are still sitting in the hacker’s wallet.

Bug Bounty Option Ignored

The protocol also gave the hacker the option to claim a bug bounty, but there has been no response. The writer added in the post: “If you are reading this, we would be extremely grateful to provide a generous bounty and would obligate ourselves not to disclose any information about your identity.”

The thief’s wallet address containing the stolen funds. Source: Etherscan

Li.Fi Being a Nice Guy

The official post stated that the vulnerability had since been patched and the majority of affected users compensated within 24 hours. Out of the affected 29 wallets, 25 have been reimbursed for a total of US$80,000.

Owners of the remaining US$517,000 owed to four wallets have been given the option to transform the lost funds into an angel investment into Li.Fi, and thus future LI.FI tokens will be given to them under the same terms as an investor in the current funding round. Doing it this way reduces the damage to the platform’s treasury and also allows users to recover their investment with “an opportunity that would not be possible otherwise with huge upside potential”.

Importance of Audits and Security in DeFi

According to Li.Finance CEO Philipp Zentner, the platform was only a week away from its scheduled security audit. The audit might have been able to catch the bug before it was exploited, but nothing is assured:

This exploit has provided another example of why security must be of utmost importance. As builders in the space, it is our responsibility to ensure that users’ funds are safe above [all] else. Our users can rest assured that the audit is happening and LI.FI is safe to use.

Li.Finance postmortem

This latest hack demonstrates how granting infinite approvals to smart contracts exposes a user’s funds to greater risk. An infinite approval lets a user swap coins at a decentralised exchange an unlimited number of times without any further approval, but it also means a flaw in the approved contract can drain the user’s entire balance of that token.

Earlier this month, Deus Finance also suffered an attack that cost the protocol US$3 million, following closely on the heels of the Fantasm Finance hack that cost the project US$2.6 million. The importance of security in the space cannot be overstated; according to the 2021 Chainalysis Crypto Crime report, crypto stolen from DeFi has increased 1,330 percent since 2020.

$790,000 Worth of Rare Bear NFTs Stolen in Brazen Phishing Attack

Members of the Rare Bears NFT community woke on March 16 to find the community had lost assets to the tune of US$790,000 due to a phishing scam. According to the team, weakened security of its Discord group allowed a perpetrator to spread a phishing link.

Rare Bears is a collection of 2,400 NFTs of cartoon-themed bears built atop the Ethereum blockchain. It was launched via a public mint last week and was created by a New Zealand-based digital artist called Enox.

Attacker Poses as Moderator

The phishing attack took place when an unknown person gained unauthorised access to the project’s Discord server, posing as an official moderator. There, the attacker was able to share a phishing link designed to steal people’s funds. The project took to Twitter to inform its community.

The attacker shared a message saying there was a new NFT mint, and then provided a link to a phishing site. Another user known as “steldes” on Twitter posted a screenshot of the phony announcement on the Discord server, with the scammer named Zhodan.

Malicious Smart Contract Allows Control Over Wallets

The fake announcement informed members of an additional 1,000 rare NFTs being added to the collection at a mint price of 0.1 ETH, or US$280. The website hosted a malicious smart contract that, when interacted with, allowed control over the victims’ wallets. As a result, the hacker stole 179 NFTs and other assets belonging to everyone who participated in the mint.

The hacker then moved the assets to their Ethereum address. Soon after, most NFTs were sold one by one to the tune of 286 ETH, amounting to US$790,000. Exactly 213 ETH of the total was routed through mixing service Tornado Cash and 72.3 ETH was sent across three wallets.

Phishing Scams Rife in NFT Space

Due to the unregulated nature of the digital asset space, scams are all too common, and NFTs are heavily targeted. A popular method of stealing NFTs is via phishing attacks. In January, a Bored Ape collector lost NFTs worth a whopping US$2.2 million. OpenSea also experienced a phishing scam in February in which at least US$3 million worth of NFTs were stolen.

DeFi Platform ‘Deus Finance’ Exploited for $3 Million

Fantom-based DEUS Finance has suffered a flash loan exploit when hackers made off with an estimated US$3 million and washed it through Tornado Cash. Luckily, affected DEI holders will be reimbursed.

Hackers Use Flash Loan Attack

According to a tweet from blockchain security firm PeckShield, hackers used a flash loan attack to destabilise DEI, the other token issued by DEUS Finance.

Hackers set the flash loan to target the price oracle responsible for the price of DEI, making it think the DEI had collapsed. This resulted in a loss of all funds that were held in the DEI/USDC liquidity pool.

An estimated US$3 million was stolen and exchanged for 200,000 DAI and 1,101.8 ETH, then moved via the Multichain cross-chain router protocol (CRP). The hacker sent the funds through Tornado Cash, a privacy-focused mixing service, to make them disappear (or at least much harder to track).

Deus Finance admitted the flaw in its lending process and stated that its $DEI lending contract had been closed. The DEUS token fell nearly 40 per cent following reports of the hack, but it seemed to have recovered somewhat by the time of writing.

Community to be Fully Recompensed

According to the postmortem on its official Medium page, Deus Protocol CEO Lafayette Tabor reassured users they would be completely reimbursed:

To make things clear: NO USER FUNDS are LOST. We will make everyone whole again – anyone affected by the exploit will be reimbursed completely. This means that the sAMM inside the borrowing contract will be replenished and the balances of users that got affected will be restored to the value they had prior to the exploit.

Lafayette Tabor, CEO, Deus Protocol

After also taking to Twitter to inform the community about the reimbursement plan, Tabor stated that the developers would create a new contract where affected users would be able to repay their loans.

DEUS community members were elated to hear about the reimbursement scheme, since it’s very rare for compromised protocols to recompense their community.

This attack comes little more than a month after Polygon DeFi protocol QiDao was exploited for US$13 million. And in January, Algorand-based DeFi trading platform Tinyman was hacked and drained of roughly US$3 million.

Lending Protocols ‘Agave’ and ‘Hundred Finance’ Exploited for $11 Million

Two lending DeFi (decentralised finance) protocols, Agave and Hundred Finance, have been exploited for approximately US$11 million, both companies confirmed on Twitter this week.

Reentrancy Bug Responsible

Looking at the transaction data on Tenderly, it seems both protocols were hacked using reentrancy attacks, a class of vulnerability in smart contracts written in Solidity, the main programming language for Ethereum contracts.

Reentrancy occurs when a function in a smart contract makes an external call to another, untrusted contract before it has finished updating its own state. In this case the function involved is called “callAfterTransfer”, and it is that external call which hands control to the attacker.

Because the hacker controls the untrusted contract, it can call back into the protocol recursively, borrowing the protocols’ funds without having to put up additional collateral.

Blockchain and security researcher Mudit Gupta shed some technical light on the hacks, stating that the attacker introduced code after the callAfterTransfer function to run a flash loan exploit, allowing them to borrow funds before the protocols were able to calculate the debt and prevent further borrowing.

Both protocols were hacked on the Gnosis chain, which is an EVM-compatible blockchain. Gupta added that what allowed the reentrancy attacks was the fact that “the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer”.

Agave is a fork of DeFi lending protocol Aave, while Hundred Finance is a fork of Compound. Compound, for its part, doesn’t follow the checks-effects-interactions pattern, which is the recommended practice when making external calls in Solidity: perform all checks first, update the contract’s own state, and only then call out to other contracts.

Aave does follow that practice, but according to Gupta there is a “path via liquidations using which the attacker broke the pattern”.
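As an added example (constructed for this page, not code from Agave, Hundred Finance, Ola or any other protocol named here), the defect described in this article and in the Ola Finance article above, beside its hardened form. The pool and the `IHookedToken` interface are hypothetical; the token is assumed to invoke a hook on the recipient during `transfer()`, as the bridged Gnosis tokens are described as doing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration. `IHookedToken` stands in for a token whose
// transfer() calls a hook on the recipient (if it is a contract) before
// returning, so control passes to the recipient mid-transfer.
interface IHookedToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: the payout (interaction) happens before the debt is recorded
// (effect). While transfer() is running the recipient's hook, `debt` still
// holds the old value, so a contract recipient that calls borrow() again from
// inside the hook passes the collateral check a second time, and a third...
contract VulnerablePool {
    IHookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(IHookedToken t) { token = t; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        require(token.transfer(msg.sender, amount), "transfer failed"); // hook runs here
        debt[msg.sender] += amount;                                      // recorded too late
    }
}

// HARDENED: checks-effects-interactions plus a re-entrancy mutex. The debt is
// written before the external call, so a nested borrow() sees the updated
// debt and fails its check; the mutex additionally rejects any nested call.
contract HardenedPool {
    IHookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private lock = 1; // 1 = free, 2 = entered

    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2;
        _;
        lock = 1;
    }

    constructor(IHookedToken t) { token = t; }

    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised"); // check
        debt[msg.sender] += amount;                                                            // effect
        require(token.transfer(msg.sender, amount), "transfer failed");                        // interaction
    }
}
```

A standard token without a transfer hook never hands control to the recipient, which is why the vulnerable ordering went unnoticed until the hooked bridged tokens were listed; the hardened ordering is safe regardless of how the token behaves.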

Tokens Wear the Fallout

Unsurprisingly, the native tokens of both protocols took a blow, both dropping by double digits, according to data from CoinMarketCap. But it seems they have recovered by at least 15 percent from their previous price.

After draining both protocols’ funds, the attacker went on to launder the money using Tornado Cash. Etherscan has not yet labelled the attacker’s address as a DeFi exploit.

The event comes a week after Fantasm Finance was hacked for US$2.6 million through a flash loan attack, also using Tornado Cash to launder the funds.

Fantasm Finance DeFi Project Exploited for $2.6 Million

This week’s attack on Fantom Network-based synthetic asset protocol Fantasm Finance saw the loss of US$2.6 million worth of Ethereum. The stolen funds were run through the Tornado Cash mixing service and totalled 1,007 ETH.

According to the protocol’s Medium page, the team will conduct a postmortem and consider all compensation options for victims.

Another Day, Another DeFi Hack

The address of the attacker shows the extent of the theft, with 1.8 million FTM remaining in the pool for redemption.

Since the March 9 exploit, the attacker has been using Tornado Cash to mask transactions. Tornado Cash is a service that breaks the link between source and destination addresses, thereby obscuring the transaction history.

Attacks on DeFi Remain Rife

The crypto space, and DeFi in particular, has been under attack by hackers seeking to exploit protocols. The frequency with which new projects launch without undergoing a security audit makes them very vulnerable to attackers. In January, Algorand-based DeFi platform ‘Tinyman’ was exploited for US$3 million. The team at Algorand quickly tweeted that it had been compromised and pulled the remaining liquidity from the project.

The most recent DeFi attack prior to Fantasm targeted Polygon DeFi protocol QiDao’s Superfluid vesting contract, draining US$13 million. User funds on QiDao however remained safe, as the exploit was “solely on Superfluid”, according to the Polygon-based DeFi protocol.

White Hat Hacker Reveals OpenSea Plans to Integrate Solana NFTs

Images allegedly leaked from the leading NFT marketplace, OpenSea, indicate that the platform may soon introduce Solana-based NFTs. The images were discovered by tech blogger Jane Manchun Wong, well known for leaking information about yet-to-be-released features from specific technology platforms:

https://twitter.com/wongmjane/status/1486072506532626432

OpenSea is the market leader when it comes to NFTs and, as it stands, supports both the Ethereum and Polygon blockchain networks. Since its inception, OpenSea has recorded about US$22.73 billion in NFT sales, with 1,358,052 traders leveraging the platform.

Wong Gets It Right Again?

Wong, who in December was also first to report that Twitter would integrate Ethereum into ‘Tip Jar’, tweeted in January that “OpenSea is working on Solana integration, as well as Phantom wallet support”. She added: “OpenSea’s Chains Filter [shows] Solana as an option.”

https://twitter.com/wongmjane/status/1486077324630302721

This discovery is not the first time rumours of OpenSea adding Solana features have surfaced. The animator and Solana advocate @bhaleyart tweeted a similar image of OpenSea’s blockchain filter in mid-November.

White Hat Hackers to the Rescue

White hat hackers, also known as ethical hackers, have been widely active of late in the crypto space. Apart from leaking information, they have saved many companies from attacks. Just a couple of weeks ago, a white hat hacker chose to accept a US$2 million bounty instead of “printing unlimited Ethereum”.