Overview

According to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), from August 7 to August 13, 2023, there were 7 security incidents, including Cypher, Steadefi, STA, Blockchain Capital, Earning.Farm, some MPC wallets and Fetch.ai, with a total loss of approximately US$122 million, of which the STA scam resulted in a loss of US$120 million.

Specific incidents

Cypher

On August 7, 2023, Cypher, a decentralized exchange built on Solana, tweeted that it had been attacked. The attacker exploited a flaw in the segregated margin sub-account mechanism to attack Cypher's main contract, ultimately withdrawing more funds than had initially been deposited and leaving the system with bad debt. The attacker stole 15,452 SOL, 149,205 USDC and other tokens, for a loss of more than $1 million. On August 8, Cypher attempted to negotiate with the attacker, who did not respond; on August 12, Cypher launched a bounty program for the hacker.

Steadefi

On August 8, 2023, Steadefi, an automated leveraged yield strategy platform, tweeted: "Our protocol deployer wallet (which is also the owner of all vaults in the protocol) has been leaked. The attacker has transferred ownership of all vaults (loans and strategies) to wallets they control, and continues to take various owner-only actions, such as allowing any wallet to borrow any available funds from the lending vault." According to MistTrack analysis, Steadefi lost about $1.1 million in this incident. The attacker swapped the proceeds on Arbitrum and Avalanche for ETH and bridged them to Ethereum; so far the hacker has transferred 400 ETH to Tornado Cash. On August 8, the Steadefi team recovered about $540,000 of user funds from the remaining vaults.

STA

On August 8, 2023, law enforcement authorities in Odisha, India, uncovered a cryptocurrency Ponzi scheme worth $120 million (Rs 10 billion) and arrested two core figures behind the fraud. The project, called The Solar Techno Alliance (STA), marketed itself with terms such as green energy and solar technology. The investigation found that STA, with the help of online members, used a range of persuasive tactics and promises of profit to draw people into the scheme in a short time, attracting more than 10,000 participants in Odisha alone. It also showed that STA had not obtained authorization from the Reserve Bank of India (the country's central bank) or any other regulator to collect deposits.

Blockchain Capital

On August 9, 2023, the Twitter account of crypto venture capital firm Blockchain Capital was hacked and used to post multiple tweets promoting a token claim scam. The scam tweets have since been deleted and the account has been restored. The phishing site (blockchainncapital) inserts an extra "n" into the URL to mimic the real site (blockchaincapital) and trick users into signing malicious transactions that drain their funds. The scammers also turned off replies on the tweets to stop others from warning about the scam.

Beyond this letter-insertion trick, there are even more deceptive lookalike domains, as shown in the following figure:

The difference between the letter "ẹ" and the letter "e" is very subtle. This is a phishing technique that relies on Punycode: the Unicode lookalike domain is registered in its ASCII (xn--) encoding, and the browser renders it as the glyphs shown above. Such lookalike domains fool many people, so users should check a link carefully before clicking it to avoid losing assets.
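As an added, defender-side example that is not part of the SlowMist report, the check below decodes Punycode labels, folds diacritics such as "ẹ" back to their base letter, and then compares the result with an allowlist of protected domains; the brand list and the small confusables table are constructed assumptions.

```python
import unicodedata

# Constructed allowlist for the check; the brands are assumptions, not from the report.
TRUSTED = ("blockchaincapital.com", "slowmist.io")

# Tiny confusables table (Cyrillic/Greek letters drawn like Latin ones); a real
# deployment should use the full Unicode confusables.txt instead of this sample.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "і": "i", "ο": "o", "ν": "v"})


def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so we see the glyphs the browser shows the user."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string it imitates: NFKD, drop combining marks
    (so 'ẹ' becomes 'e'), then fold the confusables table."""
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion is all that separates blockchainncapital."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Return 'trusted', 'homograph:<brand>', 'typosquat:<brand>' or 'unknown'."""
    shown = to_unicode(domain)
    if shown in TRUSTED:
        return "trusted"
    folded = skeleton(shown)
    if folded != shown and folded in TRUSTED:
        return "homograph:" + folded          # same skeleton, different code points
    for brand in TRUSTED:
        if levenshtein(folded, brand) <= 2:   # within two edits of a protected brand
            return "typosquat:" + brand
    return "unknown"
```

Calling `classify("blockchainncapital.com")` reports a typosquat of the real domain, while a Punycode form of a diacritic lookalike is reported as a homograph of it.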

Earning.Farm

On August 9, 2023, the DeFi project Earning.Farm suffered a reentrancy attack, losing 286 ETH (about $530,000). According to SlowMist analysis, the attacker re-entered during the LP token transfer performed by the withdrawal and moved the LP tokens away, so the account's LP balance fell below the previously computed shares value. That triggered the logic that updates the shares value, and the manipulated LP balance was written into the amount of shares to be burned, so far fewer LP tokens were burned than expected. The attacker could then withdraw again with the transferred LP tokens and take additional funds from the pool.
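The flaw described above, modelled as an added Python toy that is not Earning.Farm's contract code: the vulnerable path clamps the shares to burn to the LP balance observed after an external call, while the hardened path burns before calling out, following the checks-effects-interactions pattern (a reentrancy guard is the other standard mitigation and is omitted here). Account names and amounts are constructed.

```python
# Constructed toy model of the share-accounting flaw described above (not Earning.Farm's
# code): a vault that trusts the caller's LP balance *after* an external call.

class Vault:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.lp = {}              # LP (share) token balances per account
        self.total_lp = 0
        self.underlying = 0       # pooled funds backing the LP tokens

    def deposit(self, who: str, amount: int) -> None:
        self.lp[who] = self.lp.get(who, 0) + amount
        self.total_lp += amount
        self.underlying += amount

    def transfer_lp(self, src: str, dst: str, amount: int) -> None:
        if self.lp.get(src, 0) < amount:
            raise ValueError("insufficient LP balance")
        self.lp[src] -= amount
        self.lp[dst] = self.lp.get(dst, 0) + amount

    def _burn(self, who: str, shares: int) -> None:
        self.lp[who] -= shares
        self.total_lp -= shares

    def withdraw(self, who: str, shares: int, on_transfer=None) -> int:
        """Pay out `shares` worth of underlying; `on_transfer` stands in for the token
        hook that runs caller code during the LP transfer (the reentrancy point)."""
        payout = self.underlying * shares // self.total_lp
        if self.hardened:
            self._burn(who, shares)           # effects before the external call
        self.underlying -= payout
        if on_transfer:
            on_transfer()                     # external call: the LP is moved away here
        if not self.hardened:
            shares = min(shares, self.lp[who])   # vulnerable: clamp to post-call balance
            self._burn(who, shares)           # burns far fewer LP than it paid out for
        return payout


def run_scenario(hardened: bool) -> int:
    """Victim and attacker each deposit 100. The attacker withdraws 100 while its hook
    moves its LP to an accomplice, who then withdraws again with the same LP."""
    v = Vault(hardened)
    v.deposit("victim", 100)
    v.deposit("attacker", 100)
    got = v.withdraw("attacker", 100,
                     on_transfer=lambda: v.transfer_lp("attacker", "accomplice", 100))
    return got + v.withdraw("accomplice", 100)
```

With the vulnerable vault the scenario pays out 150 for a 100 deposit; with the hardened vault the mid-call LP transfer fails because the shares were already burned (on chain, the whole transaction would revert).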

According to MistTrack analysis, the attacker withdrew 10 ETH from Tornado Cash on July 31 and, 3 minutes after the withdrawal succeeded, re-deposited 5 ETH into Tornado Cash in five transactions. So far, the hacker has transferred 292.64 ETH to a new EOA address (0x21d...173) and has not yet moved it out.

Some MPC wallets

On August 10, 2023, crypto infrastructure company Fireblocks disclosed a series of vulnerabilities (collectively referred to as "BitForge") affecting several popular crypto wallets that use multi-party computation (MPC) technology. The company classified BitForge as a "zero-day" vulnerability, and Coinbase, ZenGo and Binance (the three companies most affected by BitForge) worked with Fireblocks to fix the potential vulnerabilities. Left unremediated, these vulnerabilities would allow attackers and malicious insiders to drain the wallets of millions of retail and institutional customers in seconds, without the knowledge of users or vendors. On August 10, Binance founder CZ tweeted: "Fireblocks discovered a series of new vulnerabilities affecting MPC wallets that existed in Binance's open source TSS library, but have been fixed. User funds were not affected."

Fetch.ai

On August 13, 2023, the blockchain-based AI infrastructure project Fetch.ai tweeted that its official Discord channel had been hacked: the attacker gained unauthorized access to its Discord server through an administrator account named "Atari_buzz1kLL."

Other

According to SlowMist, Distrust recently disclosed a serious vulnerability affecting cryptocurrency wallets generated with Libbitcoin Explorer 3.x. The vulnerability lets attackers recover a wallet's private key by breaking the Mersenne Twister pseudo-random number generator (PRNG), and it has already caused real losses. It stems from the PRNG implementation in Libbitcoin Explorer 3.x, which uses the Mersenne Twister algorithm seeded only with the 32-bit system time; that leaves at most 2^32 possible seeds, so the corresponding keys can be enumerated and an attacker can find a user's private key within a few days by brute force. The vulnerability affects all users who generated wallets with Libbitcoin Explorer 3.x, as well as applications built on the libbitcoin-system 3.6 development library. Known affected cryptocurrencies include Bitcoin, Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash and Zcash. Because of this vulnerability, attackers can take control of affected wallets and steal the funds in them.

According to SlowMist analysis, as of August 2023 more than $900,000 worth of cryptocurrency had been stolen through this flaw. We strongly recommend that all Libbitcoin Explorer 3.x users stop using the affected wallets immediately and move their funds to a secure wallet. Be sure to generate any new wallet with a proven, cryptographically secure random number source.

Summary

The largest loss this week came from the Ponzi scheme The Solar Techno Alliance (STA).

A so-called "Ponzi scheme" attracts funds by promising high returns, then uses the money of new investors to pay the "interest" owed to earlier ones, creating the illusion that everyone is making money and drawing in still more funds, until the snowball can no longer be sustained, the lie is exposed and the bubble bursts. Most Ponzi schemes have no real investment activity behind them, and most of the proceeds end up in the scammers' pockets. Scams that use high interest returns as bait keep appearing one after another; in essence they are illegal fundraising in which the risk is passed from one participant to the next until the music stops. Treat every investment that promises high returns with suspicion, because it is very likely a scam. Remember that there is no such thing as a free lunch; stay vigilant and keep improving your risk awareness and your ability to identify scams.