In June, total losses across the entire network were about US$210 million. There were 31 fraud and phishing incidents on official social media, accounting for 9.91% of the losses, a decrease of 75.69% month-on-month. Even so, security awareness cannot be relaxed, as a single click can lead to irreversible losses.

Case analysis

On June 10, the Ethereum lending protocol UwU Lend was attacked, resulting in a total loss of $22.7 million. The attacker exploited a contract vulnerability that allowed oracle price manipulation, causing a loss of approximately $19 million. On June 13, the attacker exploited an error the project made in its contract governance operations and attacked again, making a profit of $3.7 million.

Attack process:

1) The attacker takes a flash loan to obtain USD and uses it to manipulate SUSDE, pushing its price down;

2) Address 0xf19d66 deposits 19,979 WBTC, 615 million DAI, and 301 million SUSDE into pool_2409;

3) Address 0x87ed92 deposits 318,000 ETH (equivalent to approximately 1.193 billion SUSDE) into pool_2409;

4) Address 0x87ed92 borrows 302 million SUSDE and transfers it to address 0xf19d66, which then deposits this SUSDE into pool_2409. Address 0x87ed92 repeats this operation four times;

5) Address 0xf19d66 borrows 319,000 ETH and transfers it to address 0x87ed92, which then repeats steps 3 and 4;

6) Address 0x87ed92 withdraws 344,000 WETH from UwU Lend;

7) Address 0xf19d66 manipulates the SUSDE price and liquidates the loan held by address 0x87ed92;

8) Using uSUSDE as collateral, address 0x4cd6fe borrows 3.5 million DAI and 4.2 million USDT from UwU.
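
A monitoring heuristic for the borrow, transfer and redeposit loop in steps 3 to 5, as an added example that is not part of the original report. The event format, the `min_repeats` threshold and the sample events are constructed for illustration; only the pool name and address labels are taken from the steps above.

```python
from collections import Counter

def find_borrow_redeposit_loops(events, min_repeats=3):
    """Return {(pool, asset, borrower, depositor): count} for address pairs where
    funds borrowed from a pool were forwarded to a second address and deposited
    back into the same pool at least `min_repeats` times."""
    borrowed = {}  # (borrower, asset) -> pool the asset was borrowed from
    relayed = {}   # (receiver, asset) -> (pool, borrower) for forwarded funds
    loops = Counter()
    for ev in events:
        if ev["kind"] == "borrow":
            borrowed[(ev["addr"], ev["asset"])] = ev["pool"]
        elif ev["kind"] == "transfer":
            pool = borrowed.pop((ev["src"], ev["asset"]), None)
            if pool is not None:
                relayed[(ev["dst"], ev["asset"])] = (pool, ev["src"])
        elif ev["kind"] == "deposit":
            origin = relayed.pop((ev["addr"], ev["asset"]), None)
            if origin and origin[0] == ev["pool"]:
                loops[(ev["pool"], ev["asset"], origin[1], ev["addr"])] += 1
    return {key: n for key, n in loops.items() if n >= min_repeats}

def sample_events():
    """Constructed events (not real chain data) shaped after steps 3 and 4."""
    ev = [{"kind": "deposit", "pool": "pool_2409", "asset": "ETH", "addr": "0x87ed92"}]
    for _ in range(4):  # the borrow/transfer/deposit cycle, repeated
        ev += [
            {"kind": "borrow", "pool": "pool_2409", "asset": "SUSDE", "addr": "0x87ed92"},
            {"kind": "transfer", "asset": "SUSDE", "src": "0x87ed92", "dst": "0xf19d66"},
            {"kind": "deposit", "pool": "pool_2409", "asset": "SUSDE", "addr": "0xf19d66"},
        ]
    # Hypothetical unrelated users: a single forward-and-deposit, below the threshold.
    ev += [
        {"kind": "borrow", "pool": "pool_2409", "asset": "DAI", "addr": "0xaaaa"},
        {"kind": "transfer", "asset": "DAI", "src": "0xaaaa", "dst": "0xbbbb"},
        {"kind": "deposit", "pool": "pool_2409", "asset": "DAI", "addr": "0xbbbb"},
    ]
    return ev

if __name__ == "__main__":
    for key, count in find_borrow_redeposit_loops(sample_events()).items():
        print("possible leverage loop:", key, "repeats:", count)
```

A repeated loop between two addresses in the same pool is a signal worth alerting on for review, since it inflates both collateral and debt positions that depend on a single oracle price.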

Biggest security incident - rug pull

On June 8, a rug pull occurred at the zkSync ecosystem project emholicECO, resulting in a loss of approximately $3.4 million.

Biggest security incident - phishing scam

On June 23, a whale user suffered a phishing attack and lost approximately $11 million.

Biggest security incident - private key leakage

On June 22, some of BtcTurk's hot wallets were attacked in an incident suspected to be related to a private key leak, resulting in a loss of US$90 million, of which US$5.3 million in stolen funds was frozen and recovered.

OKLink Tips

The proportion of fraud and phishing incidents decreased in June, but this is no reason to lower your guard. OKLink reminds everyone never to reveal a private key or mnemonic phrase to anyone, and to be skeptical of projects that promise abnormally high returns. Before investing, research the project and its team in depth, and treat every click with care: a message in a community, a link in a text message, or a private message link from someone impersonating an official customer service representative may hide an irreversible trap.

Use tools such as OKLink to look up information on currencies, projects and more, and research thoroughly. With data as your foundation, you can stay calm and build your own first line of defense for on-chain security.