The total loss of the entire network in July was approximately US$290 million, of which losses due to private key leakage accounted for 88.31% of the total losses. Among them, WazirX suffered a loss of approximately US$235 million due to the leakage of multi-signature wallet private keys, which was the largest security incident in July.
Biggest security incident - private key leakage
On July 18, the private key of WazirX multi-signature wallet was leaked, causing losses of approximately US$235 million.
Biggest security incident - phishing scam
On July 24, the ETH on-chain address 0x07...fDC9 lost $4.69 million worth of Pendle re-collateralized tokens.
Biggest safety event - REKT
On July 16, the LiFi Protocol cross-chain bridge aggregation protocol was attacked, resulting in a loss of approximately 10 million US dollars. The attacker exploited an arbitrary call vulnerability, which allowed the attacker to steal assets authorized to the user of this contract.
Biggest Security Event - RugPull
On July 21, the ETH TrustFund RugPull occurred and stole approximately $2 million worth of cryptocurrency on Base.
case analysis
On July 15, Minterest suffered a major security incident on Mantle, which resulted in a loss of approximately $1.4 million. Currently, its project team has suspended the protocol.
Process analysis:
1) Flash loaned 4.265 million USDY from the USDY/USDT pool of Mantle DEX;
In its callback function: the FlashLoan & Redeem Underlying action is performed 25 times in total;
2) Flash loan 392,700 USDY from the mUSDY market;
In its callback function: two methods are called: wrap & lendRUSDY;
3) Deposit 4.265 million USDY and exchange for 4.473 million mUSD according to the share price;
4) Use the 4.473 million mUSD share tokens obtained in the previous step to borrow 27.47677 million mUSDY;
Step 1: Transfer 4.473 million mUSD share tokens;
Step 2: Unwrap 4.473 million mUSD back to 4.265 million USDY and place it in the mUSDY market contract;
Step 3: Transfer 27,476,770,000 mUSDY to the user;
5) To retrieve the underlying USDY assets, the hacker calculated how many Redeem Tokens (mUSDY) were needed to retrieve 4.265 million USDY. When they found out that Redeem Underlying was happening, the hacker only needed to return 25,669,630,000 mUSDY. In this way, the hacker could keep 180,714,000 mUSDY.
6) After repeating the above steps about 25 times, the hacker made a profit of about 1.4 million US dollars.
OKLink Tips
In July, the total loss of the entire network was about 290 million US dollars, an increase of 38.01% from June. The loss caused by private key leakage accounted for 88.31% of the total loss. OKLink reminds users not to disclose your private key or mnemonic phrase to anyone, and not to save and memorize it through screenshots, etc. Do not click on unverified links. Security awareness is an important line of defense to protect yourself in the Web3 world.
Web3 on-chain tools have become an important means of risk avoidance. OKLink provides tools such as address query and monitoring, on-chain data broadcasting, and private label establishment. Multi-dimensional data comparisons safeguard every operation.
At the same time, OKLink launched EaaS (Explorer-as-a-Service), a scalable solution designed to address the challenges faced by projects, providing zero-cost setup, rapid deployment, multi-chain support, advanced block analysis and open API.
