The monthly security incident highlights of Zero Hour Technology have begun! According to statistics from some blockchain security risk monitoring platforms, in June 2024, the amount of losses from various security incidents increased compared with May. More than 39 typical security incidents occurred in June, and the total loss amount caused by hacker attacks, phishing scams and Rug Pulls reached 198 million US dollars, an increase of about 28.6% from May. This amount is the second highest monthly loss amount in 2024. In addition, 1.3 million US dollars were refunded in security incidents. Among them, the loss of exit fraud was about 4.8 million US dollars, the loss of flash loans was about 23.5 million US dollars, and the loss of vulnerability exploits was about 171.3 million US dollars.
Hacker attacks
10 typical security incidents
(1) On June 2, the decentralized exchange Velocore suffered a security vulnerability, resulting in a loss of approximately $6.8 million in ETH. According to the Velocore accident analysis report, the main cause of the accident was the incorrect logic in the velocore__execute() function of ConstantProductPool.
(2) On June 4, NCD was attacked on BNBChain, resulting in a loss of approximately $20,000.
(3) On June 7, SteamSwap (STM) was attacked on BNBChain, resulting in a loss of approximately USD 105,000.
(4) On June 7, Advance Auto Parts, Inc., a major supplier of automotive aftermarket parts, suffered a massive data breach. A threat actor named “Sp1d3r” claimed that Advance Auto Parts had been breached. The threat actor also claimed to have stolen 3TB of data from the company’s Snowflake cloud storage. The stolen information was allegedly sold for $1.5 million.
(5) On June 9, the Loopring smart wallet was hacked. The attack took advantage of a wallet with only one keeper, specifically the Loopring official keeper. The hacker initiated a recovery process, impersonating the wallet owner to reset ownership and extract assets. The hacker has converted all of the stolen Loopring assets into Ethereum. The address currently holds 1,373 ETH, worth over $5 million.
(6) On June 10, the UwU protocol suffered multiple flash loan attacks by hackers, resulting in a loss of nearly $20 million. Hackers have withdrawn different assets (such as WBTC and DAI) from the pool and converted them into ETH. Currently, UwU claims that it has repaid 2,000,000 CRV, 100,000 bLUSD and 125,000 USDT of bad debts. Since the incident on June 10, 2024, a total of $11,600,000 has been repaid.
(7) On June 17, Dyson was attacked on BNBChain, resulting in a loss of approximately $31,000.
(8) On June 21, the liquidity pool of Blast ecosystem project YOLO Game on Bazaar was stolen for $1.5 million. The root cause was that there was no permission check in the "exitPool" function, allowing anyone to impersonate a liquidity provider and drain the fund pool. The hacker has returned 90% of the funds.
(9) On June 23, the online gambling platform Sportsbet was also suspected to have been attacked by BtcTurk hackers, with losses exceeding US$3.5 million.
(10) On June 23, CoinStats was attacked, and hackers pushed notifications containing phishing links to users through the application. Approximately 1,590 wallets were affected. The most affected wallet may be a wallet belonging to Blurr.eth, which had 3,657 MKR (US$8.7 million) stolen and sold on the chain by hackers for 2,482 ETH. This caused the price of MKR to plunge from US$2,462 to US$2,280, a short-term drop of 7%.
Rug Pull / Phishing Scam
8 typical safety incidents
(1) On June 2, an address beginning with 0x6435 lost $1.58 million due to a phishing scam.
(2) On June 5, an address beginning with 0xa38a lost $2.12 million due to signing a license phishing signature.
(3) On June 6, an address starting with 0x2ac2 lost $368,717 due to signing a license phishing signature. The stolen assets were Uniswap and SushiSwap LP tokens.
(4) On June 9, an address starting with 0x1Ea4 lost $1.05 million worth of Pendle USD due to signing a license phishing signature.
(5) On June 13, an address starting with 0x4dc lost $249,365 due to signing the Uniswap Permit2 phishing signature.
(6) On June 17, an address starting with 0x107f lost 170cbETH (663,308 USD) due to signing a license phishing signature.
(7) On June 18, an address starting with 0x6759 lost $445,778 due to signing a phishing signature.
(8) On June 21, an address starting with 0x4e9E suffered a phishing attack, resulting in a loss of approximately US$214,000.
Summarize
From the analysis of the above multiple events, the amount of losses in June increased compared to May, and the number of phishing scams also increased. The Zero Time Technology Security Team recommends that project owners always remain vigilant, conduct internal security training and authority management, and find a professional security company to conduct an audit and conduct a background check on the project before the project goes online.
Note:
The contents of this article are collected and collated from public information.
