Security

SlowMist Weekly Security Report August 21 to 26

SlowMist
SlowMist
August 29, 2023 · 5 minutes

Weekly Update: Web3 Security Incidents Result in Approximately $10.61 Million in Losses

Overview

According to data from SlowMist’s Hacked Archive, between August 21 and August 26, 2023, there were 8 recorded security incidents, resulting in an estimated total loss of $10.61 million.

Incidents Details

Fake LayerZero Token

On August 21, 2023, a fraudulent LayerZero token on the BSC chain was discovered to have had a substantial amount of its liquidity removed. The deployer extracted 4,827.99 WBNB, valued at approximately $1 million.

Balancer

On August 23, 2023 Pendle Finance, a DeFi yield protocol, announced that three of its Pendle pools have been affected by Balancer’s emergency measures. These pools are ETHx-bbaWETH, swETH-bbaWETH, and swETH-bbaWETH (Old Version). All other pools were unaffected, and the funds in the affected pools are secure.

August 24, 2023 Balancer released an update stating that more than 98.7% of the initially at-risk funds have been secured. The vulnerability has not been exploited yet, but 0.42% of the total TVL, amounting to $2.8 million, still remains at risk.

On August 27, 2023 the DeFi composable leverage protocol Gearbox Protocol suffered a flash loan attack, resulting in a loss of approximately $400,000. Gearbox Protocol responded by clarifying that the attack was solely related to Balancer pools and had no impact on Gearbox Protocol itself, which had neither been attacked nor incurred any losses.

August 27, 2023 Balancer fell victim to multiple flash loan attacks, incurring a minimum loss of $900,000.

Image sourced from MistTrack

Kroll & BlockFi

On August 25, FTX reported that insolvency claim agent Kroll experienced a cybersecurity event, compromising non-sensitive customer data of pending insolvency cases. BlockFi claimant data was also affected. FTX later announced that precautionary measures were taken, including the temporary suspension of affected user accounts.

Magnate Finance

On August 25, the Total Value Locked (TVL) in Magnate Finance, a scam project on the Base chain, decreased by approximately $6.4 million. The deployer altered the provider for the price oracle and removed all assets. According to analysis, the deployer address for Magnate Finance is also linked to exit scams in Solfire and Kokomo Finance. Currently, Magnate Finance’s website and social platforms are inaccessible, and its Telegram group has been deleted. As per a MistTrack analysis, some of the funds have already been moved via Stargate to other chains such as ETH, Arbitrum, and Optimism.

SOL Big Brain

On August 26, 2023, the NFT collector SOL Big Brain suffered a loss of approximately $1.5 million. The attacker hacked into the Telegram account of a portfolio company’s founder and messaged SOL Big Brain. After carefully verifying that the sender was indeed the company’s founder, SOL Big Brain followed the provided instructions. Unfortunately, the attacker had set up a phishing contract, resulting in SOL Big Brain losing $740,000 in stablecoins, $550,000 in ETH, and $200,000 in GEAR tokens.

Upon using MistTrack to analyze one of the phishing addresses, it was found that the address had been flagged for Uniswap Permit2 Phishing. The Permit2 signature method, originally proposed by Uniswap, is particularly susceptible to exploitation by phishers. The method is extremely stealthy and hard to defend against, putting any address that has interacted with Uniswap at potential risk. It is advised that users use Scam Sniffer’s specialized authorization management tool designed specifically for Uniswap Permit2 phishing (Scam Sniffer). If any unauthorized actions are detected, it is crucial to revoke the authorization promptly.

PEPE

On August 25, 2023 The PEPE team’s multisig (multi-signature) wallet transferred 160 trillion PEPE tokens, equivalent to approximately $15.08 million, into four centralized exchanges (CEXs). Concurrently, the PEPE multisig wallet reduced its signing threshold from 5/8 to just 2/8. This means that transactions could now be authorized with just two out of eight signatures, as opposed to requiring five. The transfer and change in multisig settings led to a massive sell-off of PEPE, resulting in a 17% drop in its value over 24 hours.

PEPE released a detailed statement on August 26 explaining the events of the previous day. They revealed that three former team members secretly returned, accessed the multisig wallet, and stole 60% of the tokens within it. They then transferred these tokens to various trading platforms for sale. Afterward, they removed themselves from the multisig wallet, effectively severing all ties with PEPE, and also deleted all their social media accounts, leaving only a message that said, “The multisig has been updated; you now have full control.” The Twitter account and remaining 100 trillion tokens in the multisig wallet are now secure, and the former team members no longer have access.

Jeremy Cahen, the founder of NFT marketplace Not Larva Labs, issued a statement claiming that PEPE’s “truth” is entirely false. He stated that he and the community have been exploited by the PEPE team.

PEPE tweeted that their Telegram group has currently been locked down, as the group admin’s original Telegram account has been hacked and the group is now under the control of hackers.

SVT

On August 26, 2023, The SVT token fell victim to a flash loan attack, exploiting a vulnerability in the economic model of its trading contract. The attacker profited approximately $400,000 through repetitive buy-and-sell operations. According to an analysis by MistTrack, the attacker’s initial funds originated from SwftSwap, and they have since transferred 1,070 BNB into Tornado Cash.

BitBrowser

On August 26, 2023 Users of the Bit Browser have raised concerns about a suspected leak of private keys, and multiple members of the crypto community reporting stolen keys. Bit Browser issued a notice acknowledging that their server cache data may have been compromised and that they have reported the incident to authorities. Users who have enabled the extension data sync feature for their wallets are at risk of having their assets stolen. It is recommended to take immediate action to transfer assets out of the potentially affected wallets.

Based on community feedback, we have collected some of the hackers’ addresses and made a preliminary assessment that the event has resulted in a loss of at least $410,000. We will continue to monitor the situation and track the movement of stolen funds, gathering any clues that might lead to the hackers. If you have any relevant information, we welcome you to contact us with your feedback.

Conclusion

As users, whether participating in projects or managing assets, it’s crucial to protect oneself from attacks. This involves staying up to date on the latest industry news and trends, and being vigilant about the latest threats in the crypto industry. Always exercise caution when interacting with unknown or suspicious entities online, verify their identity before transactions, and use robust security measures like two-factor authentication, strong passwords, and secure software.

Lastly, we strongly recommended everyone to read the SlowMist’s “Blockchain Dark Forest Survival Guide” for comprehensive security guidelines on how to safely navigate the web3 space.