SECURITY HACKS:
1. Hacker Exploits Implementation Vulnerability on MooCakeCTX
On 7 Nov, a hacker attacked MooCakeCTX, a dApp deployed on the BNB chain by exploiting an implementation vulnerability.
Crypto assets worth around US$140,000 were exploited in this incident.
For more details, refer to:
Additional Details:
- Attacker’s Address: 0x35700c4a7BD65048f01D6675F09d15771c0fAcd5 (BNB chain)
- Attacking Contract: 0x71Ac864f9388eBD8e55a3cdBC501D79C3810467C (BNB chain)
- Attacked Contract: 0x489afbAED0Ea796712c9A6d366C16CA3876D8184 (BNB chain)
- Hash Value of Attack Transaction: 0x03d363462519029cf9a544d44046cad0c7e64c5fb1f2adf5dd5438a9a0d2ec8e
2. Hacker Conducts Attack Against Brahma TopGear
On 9 Nov, a hacker conducted an attack against Brahma TopGear, a dApp deployed on Ethereum.
The root cause of the incident was that one of its functions lacked validation for an input parameter.
The hacker first called the Zapper contract’s zapIn function to transfer a fake “requiredToken” (created by the hacker) to the Zapper contract. The contract then called the zap function, which passed validation. The hacker next called the swapTarget function to transfer all of the USDC that users had approved the contract to spend. The process was repeated three times, transferring a total of 889,343 USDC (~US$889,343).
Additional Details:
- Attacker’s Address: 0x6FA00a7324DC293eA8ECf56fe3143104494C4213 (Ethereum)
- Attacking Contract: 0x60032a41726241499B0c626c836C9099cb895c05 (Ethereum)
- Attacked Contract: 0xD248B30A3207A766d318C7A87F5Cf334A439446D (Ethereum)
- Hash Value of Attack Transaction: 0xeaef2831d4d6bca04e4e9035613be637ae3b0034977673c1c2f10903926f29c0
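The missing input validation described above, as an added illustration that is not Brahma’s code: a minimal zapper whose zapIn trusts a caller-supplied requiredToken and swapTarget (the weak form), beside a hardened form that pins the input token and limits the swap target to an owner-managed allowlist. Apart from zapIn, requiredToken and swapTarget, all names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Weak form (hypothetical): both the token and the swap target come from the caller.
// A token minted by the caller satisfies the transferFrom, and the external call then
// executes with whatever allowances users have already granted to this contract.
contract ZapperWeak {
    function zapIn(address requiredToken, uint256 amount, address swapTarget, bytes calldata swapData) external {
        IERC20(requiredToken).transferFrom(msg.sender, address(this), amount);
        (bool ok, ) = swapTarget.call(swapData);
        require(ok, "swap failed");
    }
}

// Hardened form (hypothetical): the accepted token is fixed at deployment and the swap
// target must be on an allowlist, so neither parameter can be substituted by a caller.
contract ZapperHardened {
    address public immutable owner;
    address public immutable requiredToken;
    mapping(address => bool) public allowedSwapTarget;

    constructor(address _requiredToken) {
        owner = msg.sender;
        requiredToken = _requiredToken;
    }

    function setSwapTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedSwapTarget[target] = allowed;
    }

    function zapIn(address token, uint256 amount, address swapTarget, bytes calldata swapData) external {
        require(token == requiredToken, "unexpected token");
        require(allowedSwapTarget[swapTarget], "swap target not allowed");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Grant the vetted target only the amount just received, never a standing allowance.
        require(IERC20(token).approve(swapTarget, amount), "approve failed");
        (bool ok, ) = swapTarget.call(swapData);
        require(ok, "swap failed");
    }
}
```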
3. Hacker Exploits DFX Finance
On 11 Nov, a hacker exploited DFX Finance, a DeFi application deployed on Ethereum.
The root cause was a re-entrancy vulnerability in the flash() function of the project’s Curve contract.
The hacker funded the attack with gas withdrawn from Tornado Cash and drained the following tokens:
- 53,617,229 GYEN
- 422,182 EUROC
- 471,358 XSGD
- 820,042 NZDS
- 736,565 CADC
- 2,091,583 USDC
- 12,007,056,045 XIDR
The hacker eventually swapped all of the stolen tokens for ETH and cashed out through Tornado Cash.
Additional Details:
- Attacker’s Address: 0x14c19962E4A899F29B3dD9FF52eBFb5e4cb9A067 (Ethereum)
- Attacked Contract: 0xF3d7AA346965656E7c65FB4135531e0C2270AF83 (Ethereum)
- Attacking Contract: 0x6cfa86a352339e766ff1ca119c8c40824f41f22d (Ethereum)
4. A Large Number of Cryptos Are Transferred from FTX
On 12 Nov, a large amount of crypto assets was transferred out of FTX’s hot wallets.
Crypto assets worth around US$3.6 million were transferred in this incident.
For more details please refer to:
5. Hacker Exploits PlayAFAR’s Discord Server
On 12 Nov, a hacker attacked PlayAFAR’s Discord server. PlayAFAR is a game application deployed on Solana.
CONCLUSION:
5 notable security incidents related to security hacks occurred in the past week.
4 of the 5 attacks targeted smart contracts, centralized exchanges, or wallets, and 1 targeted social media.
It is worth noting that the attack on FTX was conducted by an ex-developer working for FTX, who acquired the private keys.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to understand and practice an adequate level of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter:
For a better understanding of all things Web3.0: https://medium.com/@FairyproofT
Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/