SlowMist Weekly Security Report August 14 to 20

Weekly Web3 Security Update | Approximately $19.963 Million in Losses

Overview

According to data from the SlowMist Blockchain Hacked Archive, from August 14 to August 20, 2023, there were a total of 10 security incidents with an estimated loss of about $19.963 million.

Incident Details:

MEV Bot:
On August 14, 2023, Hexagate tweeted that in the past few days, a single MEV Bot was exploited, resulting in a loss of around $200,000, impacting BNBChain, Ethereum, Polygon, and Arbitrum.

Zunami Protocol:
On August 14, the Zunami Protocol on Ethereum was targeted by a price manipulation attack, incurring a loss of 1,179 ETH (approx. $2.2 million). The attack took advantage of vulnerabilities in the contract’s LP price calculation, which depended on its own CRV balance and the CRV-to-wETH exchange rate. By transferring CRV into the contract and manipulating the wETH/CRV pool’s exchange rate, the attacker controlled the LP price. Analysis by MistTrack reveals that the stolen ETH has been transferred to Tornado Cash.

Notably, our system had detected this vulnerability, and we proactively alerted the team. However, the warning went unheeded until the incident occurred.
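The valuation flaw described above, as an added illustration that is not part of the original report and not Zunami's code: a toy Python model of an LP price that reads the contract's own raw CRV balance and a single pool's spot CRV/wETH rate, next to a valuation that uses internally accounted balances and a reference rate (such as a TWAP) with a deviation bound. The pool, numbers and function names are all constructed for the example.

```python
"""Toy model of an LP valuation that reads the contract's own CRV balance and a
single pool's spot CRV/wETH rate, the pattern the Zunami write-up describes, next
to a valuation that uses internally accounted balances and a reference rate with
a deviation bound. Constructed example with illustrative numbers; the classes and
functions are hypothetical, not Zunami's code."""

from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product AMM pool: reserve_crv * reserve_weth is invariant across swaps."""

    reserve_crv: float
    reserve_weth: float

    def spot_weth_per_crv(self) -> float:
        return self.reserve_weth / self.reserve_crv

    def swap_weth_for_crv(self, weth_in: float) -> float:
        """Sell wETH into the pool for CRV; this raises the wETH-per-CRV spot rate."""
        k = self.reserve_crv * self.reserve_weth
        new_weth = self.reserve_weth + weth_in
        new_crv = k / new_weth
        crv_out = self.reserve_crv - new_crv
        self.reserve_crv, self.reserve_weth = new_crv, new_weth
        return crv_out


def lp_price_spot(lp_supply: float, crv_balance: float, pool: Pool, base_value_weth: float) -> float:
    """Manipulable valuation: raw token balance valued at the pool's current spot rate."""
    return (base_value_weth + crv_balance * pool.spot_weth_per_crv()) / lp_supply


def lp_price_checked(lp_supply: float, accounted_crv: float, pool: Pool,
                     base_value_weth: float, reference_rate: float, max_dev: float = 0.05) -> float:
    """Hardened valuation: use the CRV amount the contract itself recorded (not balanceOf,
    so donations do not count) and a reference rate such as a TWAP; refuse to price at
    all when the pool's spot rate is more than max_dev away from that reference."""
    spot = pool.spot_weth_per_crv()
    if abs(spot - reference_rate) / reference_rate > max_dev:
        raise ValueError(f"spot rate {spot:.6f} deviates more than {max_dev:.0%} from {reference_rate:.6f}")
    return (base_value_weth + accounted_crv * reference_rate) / lp_supply


def simulate() -> dict:
    """Price the LP token before and after a single-transaction manipulation."""
    pool = Pool(reserve_crv=1_000_000.0, reserve_weth=300.0)
    lp_supply, base_value_weth, accounted_crv = 10_000.0, 1_000.0, 100_000.0
    reference_rate = pool.spot_weth_per_crv()  # reference captured before manipulation
    before = lp_price_spot(lp_supply, accounted_crv, pool, base_value_weth)

    # Within one transaction: CRV is donated to the contract (raising balanceOf without
    # any accounting) and the pool's spot rate is pushed up by a large swap.
    raw_balance = accounted_crv + 900_000.0
    pool.swap_weth_for_crv(300.0)

    after_spot = lp_price_spot(lp_supply, raw_balance, pool, base_value_weth)
    try:
        lp_price_checked(lp_supply, accounted_crv, pool, base_value_weth, reference_rate)
        blocked = False
    except ValueError:
        blocked = True
    return {"before": before, "after_spot": after_spot, "checked_blocked": blocked}


if __name__ == "__main__":
    print(simulate())  # before ≈ 0.103, after_spot ≈ 0.22, checked_blocked True
```

The spot-based valuation more than doubles inside one transaction because both inputs (the raw balance and the exchange rate) are under the caller's control; the checked valuation ignores donated tokens and aborts when the pool deviates from its reference, which is the kind of condition a monitoring system can also alert on before funds move.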

Metis:
On August 15, Ethereum scaling solution Metis had its official Twitter account compromised. An insider reportedly fell victim to a SIM swap attack, which allowed the malicious actor to take control of the account for roughly 30 hours.

SIM swap attacks aim for identity theft by taking over the victim’s phone number to gain access to bank accounts, credit cards, or crypto accounts. SlowMist’s CISO, during a Cointelegraph interview, commented, “As Web3 gains traction, attracting more to the industry, SIM swapping rises due to its relatively low technical barrier. Such attacks are also common in the Web2 world, so its appearance in the Web3 environment isn’t surprising.”

(https://cointelegraph.com/news/crypto-sim-swap-how-easy-is-sim-swap-crypto-hack)

Given the ease of executing SIM swap attacks, users should prioritize personal security to fend off such threats. Recommendations include multi-factor authentication, strengthened account verification, or setting up secure PINs or passwords for SIM or mobile accounts.

Sei Network:
On August 15, the official Sei Network Discord server was breached.

RocketSwap:
On August 15, Base ecosystem project RocketSwap was attacked. The attacker stole RCKT tokens, converted them to ETH valued at around $868,000, transferred them across the Ethereum blockchain, and then created a memecoin called “LoveRCKT”. This may have been an attempt to manipulate market sentiment using the stolen assets.

The event raised concerns regarding RocketSwap’s deployment process and private key storage. However, the team denied any internal involvement, attributing the incident to an external hacker. RocketSwap mentioned, “During the Launchpad deployment, the team had to use offline signing and store the private key on a server. Our server was found to be brute-forced, and the farm contract’s use of proxy contracts with multiple high-risk permissions resulted in the asset transfer.”

SwirlLend:
On August 16, lending protocol SwirlLend’s team allegedly stole cryptocurrencies valued at about $2.9 million from Base and $1.7 million from Linea, with all stolen funds moved to Ethereum. As of now, 254.2 ETH has been transferred to Tornado Cash. SwirlLend’s official Twitter and Telegram accounts have been deactivated, and their website is inaccessible. MistTrack analysis revealed connections to SwftSwap, XY Finance, Orbiter Finance, and identified IP addresses: 50.x.x.106, 50.x.x.58, 50.x.x.42.

Made by Apes:
On August 16, on-chain analyst ZachXBT tweeted about an issue with BAYC’s on-chain permit application platform, Made by Apes. The SaaSy Labs API allowed access to the personal details of MBA applicants. The problem, already reported to Yuga Labs, has been fixed. Yuga Labs is currently assessing the potential data misuse and reaching out to potentially affected individuals. They are also offering fraud and identity protection to any users who may need it.

https://twitter.com/zachxbt/status/1691514780119343104

Exactly Protocol:
On August 18, DeFi lending protocol Exactly Protocol was attacked, losing over 7,160 ETH (approx. $12.04 million). The attackers called the kick() function multiple times and used a developer contract on Ethereum to transfer deposits to Optimism, eventually moving the stolen funds back to Ethereum. The root cause is understood to be insufficient checks: the attacker bypassed the permission check in the DebtManager contract’s leverage function by directly passing an unverified, fake market address and setting _msgSender to the victim’s address, then re-entered the DebtManager contract’s crossDeleverage function from that untrusted external call and stole the collateral belonging to _msgSender. Exactly Protocol announced on Twitter that the protocol has been unpaused and users can carry out all operations without any liquidations. The hack affected only users of the peripheral contract (DebtManager); the protocol itself remains operational.
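The two defects described above (trusting a caller-supplied market address, and a collateral-moving function that can be re-entered while the acting sender is set to someone else) as an added, simplified Python model that is not Exactly Protocol's code. The Market, DebtManager and FakeMarket classes, the account names and the amounts are all hypothetical; the point is to show how a registry check and a reentrancy guard each stop the flow.

```python
"""Simplified, hypothetical model of the two defects the Exactly write-up describes
for a peripheral debt-manager contract: (1) trusting a caller-supplied market
address, so the caller's own code runs inside a privileged call after the acting
sender has been set to another user's account, and (2) no reentrancy guard on the
function that moves the acting sender's collateral. Constructed example; not
Exactly Protocol's code."""

from typing import Optional


class Market:
    """Trusted lending market (constructed): keeps collateral balances per account."""

    def __init__(self, name: str):
        self.name = name
        self.collateral: dict = {}

    def deposit(self, account: str, amount: int) -> None:
        self.collateral[account] = self.collateral.get(account, 0) + amount

    def withdraw(self, account: str, amount: int, receiver: str, ledger: dict) -> None:
        if self.collateral.get(account, 0) < amount:
            raise ValueError("insufficient collateral")
        self.collateral[account] -= amount
        ledger[receiver] = ledger.get(receiver, 0) + amount

    def on_leverage(self, manager: "DebtManager", account: str, amount: int) -> None:
        """Trusted hook: a real market simply credits the leveraged collateral."""
        self.deposit(account, amount)


class DebtManager:
    """Peripheral contract acting on behalf of users against registered markets."""

    def __init__(self, trusted_markets: set, hardened: bool):
        self.trusted_markets = trusted_markets
        self.hardened = hardened
        self._sender: Optional[str] = None
        self._entered = False

    def _msg_sender(self) -> Optional[str]:
        return self._sender

    def leverage(self, caller: str, market, on_behalf_of: str, amount: int) -> None:
        """Open a leveraged position for `on_behalf_of` through `market`."""
        if self.hardened:
            # Fix for defect 1: only markets from the protocol's own registry may be called,
            # so attacker-supplied code never executes inside this privileged flow.
            if market not in self.trusted_markets:
                raise PermissionError("unknown market")
            # Fix for defect 2: refuse to enter while a privileged call is in flight.
            if self._entered:
                raise RuntimeError("reentrancy")
        self._entered = True
        # Vulnerable path: the acting sender is taken from a caller-chosen argument
        # and remains set while control passes to the (possibly untrusted) market.
        self._sender = on_behalf_of
        try:
            market.on_leverage(self, on_behalf_of, amount)  # external call
        finally:
            self._entered = False
            self._sender = None

    def cross_deleverage(self, market: Market, amount: int, receiver: str, ledger: dict) -> None:
        """Withdraw collateral belonging to the acting sender to `receiver`."""
        if self.hardened and self._entered:
            raise RuntimeError("reentrancy")
        market.withdraw(self._msg_sender(), amount, receiver, ledger)


class FakeMarket:
    """Attacker-controlled object passed where a registered market was expected."""

    def __init__(self, real_market: Market, receiver: str, ledger: dict):
        self.real_market, self.receiver, self.ledger = real_market, receiver, ledger

    def on_leverage(self, manager: DebtManager, account: str, amount: int) -> None:
        # Re-enter while the manager still treats `account` as the acting sender.
        manager.cross_deleverage(self.real_market, amount, self.receiver, self.ledger)


def run_scenario(hardened: bool) -> tuple:
    """Return (victim's remaining collateral, amount credited to the attacker)."""
    ledger: dict = {}
    real = Market("WETH-market")
    real.deposit("victim", 100)
    manager = DebtManager(trusted_markets={real}, hardened=hardened)
    fake = FakeMarket(real, "attacker", ledger)
    try:
        manager.leverage("attacker", fake, on_behalf_of="victim", amount=100)
    except (PermissionError, RuntimeError):
        pass  # hardened manager rejects the call before any collateral moves
    return real.collateral["victim"], ledger.get("attacker", 0)


def legitimate_flow() -> int:
    """A registered market still works with both checks in place."""
    real = Market("WETH-market")
    manager = DebtManager(trusted_markets={real}, hardened=True)
    manager.leverage("alice", real, on_behalf_of="alice", amount=50)
    return real.collateral["alice"]


if __name__ == "__main__":
    print(run_scenario(hardened=False), run_scenario(hardened=True), legitimate_flow())
```

Either fix alone is enough to stop this particular flow, but they guard different things: the registry check keeps untrusted code out of the privileged call entirely, while the reentrancy guard protects the collateral-moving function even if some other trusted path is later found to make an external call.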

Harbor Protocol:
On August 19, cross-chain stablecoin protocol Harbor Protocol within the Cosmos ecosystem tweeted about its exploitation, leading to a depletion of funds in the stable-mint, stOSMO, LUNA, and WMATIC vaults. The attacker used the following address for all actions: comdex1sma0ntw7fq3fpux8suxkm9h8y642fuqt0ujwt5. It’s reported that Harbor Protocol lost 42,261 LUNA, 1,533 CMDX, 1,571 stOSMO, and 18.6 trillion WMATIC during the attack.

Thales:
On August 20, derivatives marketplace Thales released a statement that a core contributor’s personal computer/Metamask was compromised. Hot wallets used as temporary deployers ($25,000) or admin bots ($10,000) have been breached. Users are advised not to interact with any Thalesmarket contracts on BNB Chain and to revoke any pending contracts. All funds on Optimism, Arbitrum, Polygon, and Base are safe. Thales stated that they will officially drop support for BSC due to this attack.

Conclusion

This week, two significant incidents were attributed to the exposure of private keys. Such oversights are not isolated cases. Historical precedents include the staggering loss of over $610 million in the Ronin Network episode, $100 million in the Harmony event, and $160 million in the Wintermute situation. There are myriad reasons for the mismanagement and theft of private keys. Primarily, the security of these private keys can be compromised through three avenues: brute-force decryption, social engineering attacks, and ecosystem vulnerabilities.

Given the pivotal role of private keys, it’s imperative to escalate their security measures. This can be achieved by adopting advanced storage solutions like protection with hardware encryption chips and eliminating any single point of failure. Furthermore, when it comes to backing up private keys or mnemonic phrases, it’s advisable to diversify the methods to reduce vulnerabilities. Employing secure backup modalities, mediums, or procedures can greatly augment security. For a comprehensive guide on fortifying cryptocurrency assets, please consult the security solution on our Github.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has since grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to each project, we can identify risks and prevent them from occurring. Our team has found and published several high-risk blockchain security flaws, spreading awareness and raising the security standards of the blockchain ecosystem.