Binance Square
exploit
50,622 views
26 posts
satoshi_club
Bearish
The #Bedrock liquid restaking protocol has suffered an #exploit resulting in a $2 million loss. The exploit was discovered in the protocol's smart contract code, leading to unauthorized withdrawals.
The Bedrock team is currently investigating the situation and has taken steps to prevent further losses by pausing the protocol.
#Binance #restaking #TrendingTopic
🇫🇷 Authorities in France arrest duo involved in Platypus Exploit

◾️Flash loan exploit drained protocol of over $9 million in assets and knocked Platypus USD (USP) off its peg.

#exploit #France #BTC
How Was KyberSwap Exploited for $46 Million? ⚠️

#KyberSwap, a decentralized exchange, faced a security breach resulting in a $46 million loss across various crypto assets.

The attack impacted wrapped Ether, #Lido-staked Ether, and Arbitrum funds, spanning multiple blockchains like Ethereum, Polygon, and others.

Despite the protocol's warning to users and ongoing investigations, the breach caused a 68% drop in total value locked and significant asset withdrawals.

The #exploit triggered a 7% dip in Kyber Network Crystal token prices, although they've partially recovered. This incident follows a vulnerability disclosure earlier in the year that didn't result in fund losses.

#Binance
#crypto2023
New #GoFetch attack on Apple Silicon CPUs can steal #crypto keys.
A new side-channel attack named "GoFetch" has been discovered, impacting Apple M1, M2, and M3 processors. This attack targets constant-time cryptographic implementations using data memory-dependent prefetchers (DMPs) found in modern Apple CPUs, allowing attackers to steal secret cryptographic keys from the CPU's cache. GoFetch was developed by a team of researchers who reported their findings to Apple in December 2023. Since this is a hardware-based vulnerability, impacted CPUs cannot be fixed. While software fixes could mitigate the flaw, they would degrade cryptographic performance. The attack leverages flaws in Apple's implementation of the DMP system, violating constant-time programming principles. Owners of affected Apple devices are advised to practice safe computing habits, including regular updates and cautious software installation. While Apple may introduce mitigations through software updates, they could impact performance. Disabling DMP may be an option for some CPUs but not for M1 and M2. The attack can be executed remotely, making it a serious concern for users. Apple has yet to provide further comments on this issue.
#hack #exploit #vulnerability
Bearish
🚨 BREAKING: The game on the #BLAST platform, #SSSHQ, experienced an #exploit through a token contract bug, enabling users to double their own balances!
How Did Stars Arena Use a 10% Bounty to Recover Stolen Crypto? 👀

Stars Arena, a Web3 social media platform, #recovered nearly 90% of the crypto stolen in an October 7 exploit, worth around $3 million, by agreeing to pay a 10% bounty, equivalent to 27,610 AVAX, worth nearly $257,000, to the exploiter.

This bounty also compensated for 1,000 #AVAX worth over $9,000 seemingly lost by the exploiter in a bridge.

Stars Arena is finalizing an audit of a new smart contract before placing the returned funds and relaunching the platform. The initial #exploit was caused by a security breach in the smart contract, but they've since secured funding and contracted a development team to address the issue.

Additionally, Stars Arena's competitor, Friend.tech, faced SIM-swap attacks and has implemented security features to counter them.

#Binance
#crypto2023
⚡️ KyberSwap exchange loses $47M in possible liquidity providers exploit

KyberSwap appears to have suffered a $47M exploit of its Elastic Pools liquidity solution. The funds included $20.7M on Arbitrum, $15M on Optimism, $7M on Ethereum, $3M on Polygon, and $2M on Base. A large portion of the funds are denominated in various forms of ether, such as wrapped tokens and liquid staking tokens.

$KNC #KNC #KyberSwap #exploit $MATIC $ARB #ARB #MATIC🔥🔥
Via #AnciliaAlerts on X, @rugged_dot_art has identified a re-entrancy #vulnerability in a smart contract with address 0x9733303117504c146a4e22261f2685ddb79780ef, allowing an attacker to #exploit it and gain 11 #ETH. The attack transaction can be traced on #Etherscan at https://etherscan.io/tx/0x5a63da39b5b83fccdd825fed0226f330f802e995b8e49e19fbdd246876c67e1f. Despite reaching out to the owner three days ago, there has been no response.
The vulnerability resides in the targetedPurchase() function, where a user can input arbitrary swapParams, including commands to 4. This triggers the UNIVERSAL_ROUTER.execute() function, and as per Uniswap Technical Reference, command 4 corresponds to SWEEP, invoking the sweep() function. This function sends ETH back to the user's contract, leading to a re-entrancy issue.
Within targetedPurchase(), a balance check is performed before and after calling _executeSwap(). Due to the re-entrancy problem, a user can stake tokens (e.g., from a flashloan) to satisfy the balance check, ensuring a successful purchase action where tokens are transferred to the user. The urgency of the situation is underscored by the ongoing waiting period for the owner's response, emphasizing the need for prompt attention to mitigate potential exploitation.
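
An added example, not part of the post above and not the contract's own code: a small Python model of why the before/after balance check around `_executeSwap()` fails when the external call can re-enter, and how a lock shared by every entry point closes it. The class, the `stake()` entry point's shape, the amounts and the guard are assumptions made for illustration.

```python
from contextlib import contextmanager

class Reentrancy(Exception):
    """Raised by the guarded model when a call re-enters the contract."""

class PurchaseModel:
    """Toy model (constructed): a balance-delta check wrapped around an external call."""
    def __init__(self, guarded):
        self.guarded = guarded    # True = one lock shared by every entry point (assumed fix)
        self._locked = False
        self.token_balance = 0    # tokens the contract holds
        self.staked = {}          # user -> staked tokens, still claimable by the user
        self.purchased = {}       # user -> amount credited by a successful purchase

    @contextmanager
    def _non_reentrant(self):
        if self.guarded and self._locked:
            raise Reentrancy("re-entrant call rejected")
        previous, self._locked = self._locked, True
        try:
            yield
        finally:
            self._locked = previous

    def stake(self, user, amount):
        with self._non_reentrant():
            self.staked[user] = self.staked.get(user, 0) + amount
            self.token_balance += amount

    def targeted_purchase(self, buyer, min_tokens, swap):
        with self._non_reentrant():
            before = self.token_balance
            swap(self)                       # stands in for _executeSwap(): external call
            received = self.token_balance - before
            if received < min_tokens:        # the before/after check from the post
                raise ValueError("swap delivered too few tokens")
            self.purchased[buyer] = self.purchased.get(buyer, 0) + received

def honest_swap(contract):
    contract.token_balance += 100            # swap output really arrives
def reentering_swap(contract):
    # Control returns to the caller mid-swap; a stake() made there looks like swap output.
    contract.stake("caller", 100)

def run(guarded, swap):
    """Return (outcome, credited purchase, staked balance) for one purchase attempt."""
    contract = PurchaseModel(guarded)
    try:
        contract.targeted_purchase("caller", 100, swap)
        outcome = "purchased"
    except Reentrancy:
        outcome = "reverted"
    return outcome, contract.purchased.get("caller", 0), contract.staked.get("caller", 0)
```

In the unguarded run the same 100 tokens are counted once as stake and once as swap output; with the shared lock the nested call is rejected and nothing is credited.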
Bullish
Via @Michaeltalkhere ($BPET dev team lead ) on X regarding the #PvP contract #exploit

As announced, I would like to disclose the details of the exploit and how we got the money back.
Firstly, the reason for the exploit was that there was a bug in the ‘request swap from #POTION to #BPET’ functionality that made the exploiter able to withdraw excessive amounts of $BPET tokens from the PvP contract after staking their own tokens.
Below are some noticeable withdrawing transactions the exploiter made.
(https://arbiscan.io/tx/0x058b8808e721f68c01c62ad70687f38f39d749bfc9d0e8f6be839c3af603dec6)
(https://arbiscan.io/tx/0x1ad1f7536e2d91cc5aeef6e29f948ee73fa760a482b0455ca78adade83c4ef53)
(https://arbiscan.io/tx/0x500713e7c025d5ab71e2446069a46a60009ef8060d2537bc4b29296c6f76f9d7)

Right after becoming fully aware of the exploit, we did 2 things:

- Checked to see if the exploiter’s addresses could be mapped to any Twitter profiles of any xPet users (and we found the user mapping to one of the exploiter addresses)

- Reached out to all partners in our network who could pour in help. They were explorer sites, centralized exchanges, privacy mixers, offramp tools, and security firms.

To be specific, the #Etherscan team helped us to tag all 4 addresses related to the exploiter on Ethereum on Arbiscan as ‘xPet exploiter’. Thanks to that, the exploiter addresses were visibly exposed to and closely watched by the public. All the centralized exchange, privacy mixer, and offramp tool teams helped to take close notice in case any of the exploiting addresses would have interactions with centralized exchange hot wallets, privacy mixer contracts, or offramp tool depositing addresses. The security firms have helped us follow all, even the smallest, onchain traces from the exploiter.

In short, we had the combined efforts of multiple parties to closely monitor the exploiter's movements and ensure that the exploiter doesn’t have any chance to get the stolen funds mixed or obscured.
⚡️ Top 10 Crypto Protocols Exploits in November

During November 2023, the crypto industry saw a loss of $343M across the web3 ecosystem. According to Immunefi's report, $335.5M was lost to hacks across 18 specific incidents, and $7.46M was lost to fraud across 23 specific incidents. Let's analyze the largest losses of the month!

#exploit #hack #hacks $KNC $HT $DYDX $RAFT $XCN #dydx #KNC
He mined #Bitcoin when it was under $0.05

He held the keys to 25,000 $BTC

The Tragic Story of how ALLINVAIN lost $1.6 billion in one of the biggest robberies in crypto history 🔥

ALLINVAIN backed up his wallet to Dropbox, Wuala, and SpiderOak.

He later deleted them after he found out Dropbox employees could remotely access files.

But the real issue was someone hacked his computer and stole the UNENCRYPTED wallet file.

ALLINVAIN’s biggest mistake was that he kept his keys unencrypted on his computer.

His hack is a reminder to always keep your private keys written in a secure OFFLINE location

Even some of the biggest names in Bitcoin have suffered similar exploits
Today ALLINVAIN’s story lives as a reminder of the importance of security and safety in BTC.
#Bitcoin❗ #exploit #security $BTC
Bearish
🚨Just in: The #BingX exchange has been hacked, and over 💲26 million in 360 altcoins have been stolen.

➡️The attackers then converted the stolen assets into $ETH and $BNB

#Crypto #exploit #ethereum