Research
May 1, 2023
April 2023 Security Incident Report

Introduction

This article is a monthly serialized publication that provides a concise overview of security incidents occurring within the blockchain network ecosystem. Starting this month, it presents and summarizes the notable security incidents of the period.

Report

Allbridge io

  • Date : 2023-04-01
  • Loss : $570K
  • Type : Token Inflation Attack

BSCScan : https://bscscan.com/tx/0x7ff1364c3b3b296b411965339ed956da5d17058f3164425ce800d64f1aef8210

Allbridge.io is essentially a platform for Cross-Chain token swaps.

Internally, the attack was carried out by creating an imbalance between the vUSD balance and the tokenBalance through the withdraw function.

MEV bot fund losing

  • Date : 2023-04-02
  • Loss : $25M
  • Type : Sandwich bot

Etherscan : https://etherscan.io/block/16964664

This incident is believed to be a case resulting from a Sandwich bot, with funds being lost from a total of 8 addresses.

ZeroTransfer scammer hack

  • Date : 2023-04-04
  • Loss : $850K
  • Type : Scammer Phishing

Etherscan : https://etherscan.io/tx/0xb09f4c9fe09e6bbeb3abfdbed21a0403a2d8d2b6313ed1cbcdbd620a1f748fb2

Sentiment Read-only Reentrancy Attack

  • Date : 2023-04-04
  • Loss : $1M
  • Type : Read-only Reentrancy Attack

Arbiscan : https://arbiscan.io/tx/0xa9ff2b587e2741575daf893864710a5cbb44bb64ccdc487a100fa20741e0f74d

The vulnerability stems from the possibility of an internal reentrancy occurring during exitPool or joinPool. It was exploited by triggering a Read-only Reentrancy Attack, allowing the attacker to steal funds.

SushiSwap RouterProcess Approve Attack

  • Date : 2023-04-09
  • Loss : $3M
  • Type : Unsafe approval

Etherscan : https://etherscan.io/tx/0xea3480f1f1d1f0b32283f8f282ce16403fe22ede35c0b71a732193e56c5c45e8

Arbitrum Project Rugpull

  • Date : 2023-04-09
  • Loss : $20K
  • Type : Rugpull

Arbiscan : https://arbiscan.io/tx/0x1b79ea36b4dafbebae4761b9125bfab789d36065baf459ef460c9a275af695b1

The owner executed a malicious transaction using the 'upgradeTo()' function, resulting in a loss of nearly $20,000 in funds.

Paribuos io Reentrancy Attack

  • Date : 2023-04-11
  • Loss : $100K
  • Type : Reentrancy Attack

Arbiscan : https://arbiscan.io/tx/0x0e29dcf4e9b211a811caf00fc8294024867bffe4ab2819cc1625d2e9d62390af

This is a reentrancy issue in CompoundV2.

Internally, the Reentrancy Attack occurred in the 'doTransferOut()' function.

SyncDex Rugpull

  • Date : 2023-04-13
  • Loss : $370K
  • Type : Rugpull

https://twitter.com/SlowMist_Team/status/1646404172017967104

Yearn Finance Inflation Attack

  • Date : 2023-04-13
  • Loss : $11.6M
  • Type : Inflation Attack

Etherscan : https://etherscan.io/tx/0xd55e43c1602b28d4fd4667ee445d570c8f298f5401cf04e62ec329759ecda95d

Broadly speaking, the overall attack process appears to fall under the category of an Inflation Attack using a flash loan exploit, leveraging the rebalancing of yUSDT tokens.

By calling the Curve y swap with the manipulated prices, a significant amount of stablecoins was acquired.

These acquired stablecoins were then converted back to the original USDT and used to repay the loan to Aave, effectively transferring the funds, while the remaining balance was claimed by the attacker.

Hundred Finance Inflation Attack

  • Date : 2023-04-15
  • Loss : $7M
  • Type : Inflation Attack

Optimistic Etherscan : https://optimistic.etherscan.io/tx/0x6e9ebcdebbabda04fa9f2e3bc21ea8b2e4fb4bf4f4670cb8483e2f0b2604f451

The cause of the attack involves rapidly inflating the exchange rate of hWBTC using 200 WBTC and then draining the funds in the token pool with a minimal amount.

The vulnerability is attributed to a rounding issue: exchangeRateMantissa is derived from the amount of WBTC held in the contract rather than from the WBTC actually used to mint hWBTC.
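To illustrate the rounding issue described above, here is an added toy model (not code from the report or from the Hundred Finance contracts): the exchange rate is derived from the contract's token balance, so tokens sent directly to the contract inflate the rate and a later depositor is rounded down to zero shares; the same model with a virtual share/asset offset (the OpenZeppelin ERC-4626 mitigation) shows the donation working against the inflater instead. All amounts and the 500 WBTC / 100 WBTC figures are constructed and use 8 decimals like WBTC.

```python
# Added example (constructed toy model, not the protocol's own code).
from dataclasses import dataclass, field

@dataclass
class Pool:
    virtual_offset: int = 0          # 0 = vulnerable; 10**n = hardened with decimals offset n
    cash: int = 0                    # asset balance held by the contract (what the rate is derived from)
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def to_shares(self, assets: int) -> int:
        if self.virtual_offset == 0:  # rate = cash / total_shares, rounded down
            return assets if self.total_shares == 0 else assets * self.total_shares // self.cash
        # hardened: virtual shares and assets keep one real share from owning the whole pool
        return assets * (self.total_shares + self.virtual_offset) // (self.cash + 1)

    def to_assets(self, shares: int) -> int:
        if self.virtual_offset == 0:
            return shares * self.cash // self.total_shares
        return shares * (self.cash + 1) // (self.total_shares + self.virtual_offset)

    def mint(self, user: str, assets: int) -> int:
        shares = self.to_shares(assets)
        self.cash += assets
        self.total_shares += shares
        self.balances[user] = self.balances.get(user, 0) + shares
        return shares

    def redeem(self, user: str, shares: int) -> int:
        assets = self.to_assets(shares)           # priced before the state is updated
        self.balances[user] -= shares
        self.total_shares -= shares
        self.cash -= assets
        return assets

    def donate(self, assets: int) -> None:
        self.cash += assets                       # plain transfer into the contract: no shares minted

def run_scenario(virtual_offset: int) -> dict:
    """Tiny mint, large direct transfer, then an honest depositor arrives (constructed numbers)."""
    pool = Pool(virtual_offset)
    pool.mint("inflater", 1)                      # 1 satoshi of WBTC
    pool.donate(500 * 10**8)                      # 500 WBTC sent straight to the contract
    victim_shares = pool.mint("depositor", 100 * 10**8)   # 100 WBTC deposited at the inflated rate
    received = pool.redeem("inflater", pool.balances["inflater"])
    return {"victim_shares": victim_shares, "inflater_profit": received - (1 + 500 * 10**8)}
```

With `virtual_offset=0` the depositor receives zero shares and the redeemed amount includes their 100 WBTC; with `virtual_offset=10**6` the depositor receives shares and the inflater ends up with less than the 500 WBTC they put in.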

0vixProtocol Deflation Attack

  • Date : 2023-04-28
  • Loss : $2M
  • Type : Deflation Attack

Polygonscan : https://polygonscan.com/tx/0x10f2c28f5d6cd8d7b56210b4d5e0cece27e45a30808cd3d3443c05d4275bb008

The vulnerability occurred due to an issue with the Price Oracle of the GHST token. The attacker utilized a significant amount of borrowed funds to manipulate the token ratio during the vGHST -> GHST swap process. This manipulation caused fluctuations in the token's value, allowing the attacker to gain illicit profits.
