Hacks

New Free DAO crashes 99% after $1.25M flash loan attack Christian Nwobodo · 4 hours ago · 1 min read

The attacker was able to borrow 4481 WBNB and swapped it for NFD tokens amounting to $1.25 million. A sell-off of the tokens forced the price to crash by 99%.

Updated: September 8, 2022 at 3:32 pm

A flash loan attack launched against New Free DAO (NFD) has drained $1.25 million from the protocol and caused its token price to crash by 99%.

Blockchain security firm CertiK raised the alarm about the attack on Twitter on Sept. 8. The attacker manipulated NFD’s “addMember()” function to add himself as a member, which gave him access to the unverified contract and let him execute three flash loans.

#CertiKSkynetAlert 🚨

New Free Dao – $NFD was exploited via flash loan attack gaining the attacker 4481 WBNB (approx. ~$1.25M) causing the token to slip in price 99%.

The attacker has connections to Neorder – $N3DR attack from 4 months ago where they took 930 BNB at the time. pic.twitter.com/5Rcht3YiIK

— CertiK Alert (@CertiKAlert) September 8, 2022

The attacker was able to borrow 4481 WBNB and swapped it for NFD tokens amounting to $1.25 million which forced the token price to crash by 99%.

About $500,000 is said to have been swapped to BUSD and is being laundered through the sanctioned mixing protocol Tornado Cash.

Attackers take to Avalanche

In less than 24 hours, the crypto community had to battle two flash loan attacks, including that of Avalanche.

On Sept. 7, a flash loan attack on the Avalanche blockchain drained $370,000 in USDC from protocols building on the network.

#CertiKSkynetAlert🚨

CertiK Skynet has reported a #flashloan attack on #AVAX impacting contract 0xe767c… & some LPs. The attacker profited ~$370k USDC.

Possible impacted protocols include: @nereusfinance @traderjoe_xyz @CurveFinance
Contact us for analysis.

Stay Frosty!☃️ pic.twitter.com/bZvtgVPpl4

— CertiK Alert (@CertiKAlert) September 7, 2022

DEX

Transit Swap hacker returns $16.5M of stolen funds Christian Nwobodo · 6 hours ago · 1 min read

Joint efforts of top security firms have led to the hacker returning 70% of the $21 million stolen in the Transit Swap smart contract exploit.

Updated: October 3, 2022 at 12:43 pm

Cross-chain DEX aggregator Transit Swap had a rough weekend after it lost over $21 million of users’ funds to an exploit of a smart contract vulnerability.

An unknown hacker launched an attack against TransitSwap’s unverified smart contract on Oct. 1. Users who unknowingly approved their tokens for trading on Transit Swap had all their funds transferred directly to the hacker’s address.

Transit Swap users lost a cumulative $21 million to the exploit across the ETH and BSC chains. The hacker lost about $1 million to an arbitrage bot as he moved the stolen funds.

Blockchain security firms SlowMist, PeckShield, and Bitrace worked closely with the Transit Swap team to track the hacker’s IP, email address, and associated on-chain address. Their joint efforts saw the hacker return over 70% of the stolen funds.

📢📢📢Updates about TransitFinance
1/5 We are here to update the latest news about TransitFinance Hacking Event. With the joint efforts of all parties, the hacker has returned about 70% of the stolen assets to the following two addresses:

— Transit Swap | Transit Buy | NFT (@TransitFinance) October 2, 2022

As of press time, the returned funds totaling $16.5 million are held in Transit Swap’s ETH and BSC addresses. About 3180 ETH ($4.2 million), 1500 B-ETH ($2 million), and $10.4 million worth of BNB have been returned. However, $3.5 million in stolen BNB is still held in the exploiter’s BSC address.

The hacker reportedly moved 2,500 BNB (worth $715,000) into mixing protocol Tornado Cash and attempted to withdraw the funds through the LATOKEN crypto exchange.

TransitSwap hacker moved some stolen funds to Tornado Cash and said: I only exploited eth and bsc. If I attack other chains, I can get $100m. I should get a higher bounty than what I get now. It’s hard not to suspect that this is your official backdoor. https://t.co/GNgDyG1FJD https://t.co/LxyUQOGXQg

— Wu Blockchain (@WuBlockchain) October 3, 2022

The Transit Swap team says it is still working to recover more of the stolen funds and will soon reach out to users about the fund return process.

Ethereum

This MEV bot gained and lost over $1M in 1 hour Oluwapelumi Adejumo · 7 hours ago · 1 min read

The hacker got the bot to approve his transaction and moved all the funds to another address.

Updated: September 28, 2022 at 10:01 pm

A Maximal Extractable Value (MEV) bot 0xbaDc0dE lost over $1 million after a hacker exploited a flaw in its code.

Imagine making 800 ETH in a single arb

… and an hour later then losing 1100 ETH to a hacker

Here is the story of 0xbaDc0dE, an MEV bot who gained and lost it all in a few hours tonight

— @bertcmiller ⚡️🤖 (@bertcmiller) September 27, 2022

Flashbots’ Robert Miller explained that 0xbaDc0dE had been a mempool bot active on Ethereum over the past few months, making about $220,000 in transactions.

The bot got its big break after a user tried to sell cUSDC worth $1.8 million on Uniswap V2 but got about $500 in return, which generated a massive arbitrage opportunity.

According to Miller, 0xbaDc0dE seized this opportunity and raked in a handsome profit of 800 ETH.

However, the euphoria was short-lived: an hour later, the MEV bot lost over 1100 ETH (around $1.4 million) due to a flaw in its code.

Miller said:

“It seems that the 0xbaDc0dE did not properly protect the function that they used to execute dYdX flash loans.”

The hacker exploited “callFunction,” the function called by the dYdX router as part of the flash loan execution; the MEV bot’s code unfortunately allowed arbitrary execution through it.

So, the hacker got the bot to approve the transaction and moved all the funds to another address.
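The flaw Miller describes, a flash-loan callback that never checks who is calling it, is the same class of missing access control as the NFD “addMember()” issue above. The Solidity contracts below are an added illustration of that pattern and its fix; they are not 0xbaDc0dE’s code and not dYdX’s actual interface. The `AccountInfo` struct is a reduced stand-in for dYdX’s `Account.Info`, the contract names and the `_arbitrage` helper are hypothetical, and `soloMargin` is assumed to hold the address of the flash-loan provider.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface used by both contracts.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumption: reduced stand-in for dYdX's Account.Info, only the shape matters here.
struct AccountInfo {
    address owner;
    uint256 number;
}

// VULNERABLE pattern (hypothetical contract): the callback is public and
// executes whatever (target, calldata) pair it is handed. Anyone, not only the
// flash-loan provider, can call it and make this contract approve or transfer
// its own token balance to an address of their choosing.
contract UnprotectedFlashLoanReceiver {
    function callFunction(address, AccountInfo calldata, bytes calldata data) external {
        (address target, bytes memory callData) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(callData);   // arbitrary execution, no caller check
        require(ok, "call failed");
    }
}

// HARDENED pattern (hypothetical contract): the callback only accepts calls
// from the known flash-loan provider, only for loans this contract started,
// and it decodes a fixed set of parameters instead of an arbitrary call.
contract ProtectedFlashLoanReceiver {
    address public immutable soloMargin;   // assumption: dYdX SoloMargin address
    address public immutable owner;

    constructor(address _soloMargin) {
        soloMargin = _soloMargin;
        owner = msg.sender;
    }

    function callFunction(address sender, AccountInfo calldata, bytes calldata data) external {
        // Check 1: the provider, and nobody else, may drive the callback.
        require(msg.sender == soloMargin, "caller is not SoloMargin");
        // Check 2: the loan must have been initiated by this contract itself,
        // otherwise a third party could start a loan that lands here with
        // data of their choosing.
        require(sender == address(this), "flash loan not initiated by this contract");
        // No (target, calldata) pair: only the strategy's own parameters are decoded.
        (address token, address dex, uint256 amount) = abi.decode(data, (address, address, uint256));
        _arbitrage(token, dex, amount);
    }

    // Hypothetical strategy body; approvals are limited to the known venue.
    function _arbitrage(address token, address dex, uint256 amount) internal {
        IERC20(token).approve(dex, amount);
    }

    // Funds leave the contract only on the owner's instruction.
    function withdraw(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        IERC20(token).transfer(owner, amount);
    }
}
```

The two `require` statements are the whole fix: restricting `msg.sender` to the lending contract stops anyone else from invoking the callback directly, and checking the initiator reported by the provider stops a third party from routing their own loan into this contract’s callback. Removing the generic `target.call(callData)` in favour of decoding fixed strategy parameters removes the arbitrary-execution primitive entirely, which is the property a reviewer should look for in any flash-loan receiver.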

The incident shows how malicious actors take advantage of vulnerabilities in the code of crypto projects. This year alone, billions have been lost to hackers exploiting such vulnerabilities.

Only recently, a white hat hacker saved Arbitrum from an exploit that could have resulted in a loss of almost $500 million due to an initialization-related vulnerability.

Posted In: Ethereum, Hacks

Hacks

Ethereum proof-of-stake client bug caught and patched without incident Liam ‘Akiba’ Wright · 2 hours ago · 2 min read

Ethereum developers discovered a bug that could lead to EVM chains becoming stuck due to an excess gas error in the Besu client.

Updated: September 27, 2022 at 3:31 pm

Ethereum developers identified a bug within the Besu Ethereum client that could have led to “consensus failure in networks with multiple EVM implementations.”

Gary Schulte reported the issue to the Hyperledger GitHub repository; it was found by Martin Holst Swende. It is understood that “no production networks have transactions that would trigger this failure.”

Bug identified during The Merge code review

Swende documented that he found the bug while “doing some #ethereum fuzzing in preparation for #TheMerge.” In response to a CryptoSlate journalist, Swende stated that users running a Besu node would have become stuck and “not able to follow the canon chain.” Further, any “besu-dominated network could have been stopped in its tracks.”

They would have been stuck, not able to follow the canon chain. And/or, any besu-dominated network (non-eth-mainnet) could have been stopped in its tracks.

— M H (((Swende))) (@mhswende) September 27, 2022

The Besu client is the second most popular client on the Ethereum network behind Geth. According to data available via ethernodes.org, the Besu client is used by 7.81% of Ethereum mainnet clients.

Vulnerable Besu client versions

Version 22.7.1 of the Besu client contains a fix to ensure “excess gas will not be allocated to inner transaction calls and correcting the excess gas errors.”

Versions earlier than 22.1.3 will also “prevent incorrect execution”; however, Ethereum mainnet requires other features only available in later versions. Client versions 22.4.0 to 22.7.0 are currently considered vulnerable to the gas bug.

As a result, Besu client users on the mainnet must upgrade to the patched version.

Impact and resolution

Danno Ferrin created a full write-up of the issue in a Hackmd article published Sept. 21. Ferrin’s analysis stated that

“A flaw in handling unsigned data as signed data a properly coded smart contract can create a function call that will return more gas than was passed in.”

Further technical information regarding the bug can be found in Ferrin’s post. However, the main takeaway is that the bug was resolved without any issue on the Ethereum mainnet. For a bad actor to maliciously exploit the bug, they would have had to act in a precise manner.

“In order to elevate this to a chain-halting bug a deliberately crafted call was needed, involving some interactions with the EIP-150 “all but one 64th” rule and reserving a portion of available gas for the calling contract.”

If the bug was not found, any chain with high participation from the Besu client could have experienced a smart contract “infinite loop” whereby the contract would “truly execute forever.”

Ferrin stated that fuzzing enabled the developers to identify and patch the bug without issue. Fuzzing is a method used by software developers “that involves providing invalid, unexpected, or random data as inputs to a computer program.”

“The biggest lesson demonstrated by this exploit is that the comparison of trace data in a fuzzing execution catches more bugs than simply comparing the end results.”

The excess gas bug became a non-event due to the diligence of Ethereum developers dedicating themselves to protecting the network. However, the potential harm it could have caused showcases the complexity behind executing the merge without issues.

The bug was patched in version 22.7.1 using a “different conversion method that will “clamp” overflow values to the maximum expected values avoiding the signed translation issues.” Ferrin commented that users running nodes within the vulnerable range should update to the most recent version.
