Crypto-Sec is Cointelegraph’s bi-weekly round-up of crypto and cybersecurity stories and tips.

Polter Finance drained in “classic” flash loan attack

Fantom-based decentralized finance (DeFi) protocol Polter Finance was drained of over $7 million through a “classic” flash loan attack on Nov. 18, according to blockchain analyst Nick Franklin.

The attacker artificially increased the price of the SpookySwap governance token, BOO, by borrowing “almost all BOO tokens from LP [the liquidity pool].” Once the price was sufficiently high, the attacker “was able to deposit 1 BOO and drain all pools.”


Data from blockchain analytics platform BlockSec Phalcon confirms that before the attack, there were only 269,042.22851562786 tokens in the liquidity pool.

The attacker then borrowed 269,042.22851562785 BOO tokens ($1.3 million based on the BOO price at the time) through a flash loan, leaving only 0.000000000001 tokens remaining.

Since the price of a token in a decentralized exchange is determined by the ratio between it and the token it is priced in, this must have caused the price of BOO to skyrocket. 

The attacker then deposited a single BOO token and proceeded to borrow $9.1 million worth of wrapped Fantom (FTM) tokens, profiting $7.8 million in the process.

The attacker then repeated the attack to gain other tokens, including Magic Internet Money (MIM), sFTMX, Axelar USDC (axlUSDC), Bitcoin (BTC), Ether (ETH), and USD Coin (USDC). Some estimates have claimed that the attack drained a total of $12 million.

Franklin did not speculate on how the attacker was able to regain enough BOO to pay back the flash loan. However, one likely explanation is that they purchased it from a different liquidity pool at a much lower price.

DeFi users should consider the risks of depositing to platforms that carry low liquidity tokens, as the prices of these tokens can often easily be manipulated.
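The price effect described above can be reproduced with a simplified model. The following is an added example, not code from Polter Finance or from the analysts cited: it values collateral from a pool's reserve ratio, then applies a minimum-liquidity and deviation check. The BOO figures come from the article; the $1.3 million quote-side reserve, the 50% loan-to-value ratio, the thresholds and all function names are assumptions.

```python
from decimal import Decimal

# Figures stated in the article.
BOO_BEFORE = Decimal("269042.22851562786")  # BOO in the pool before the attack
BOO_AFTER = Decimal("0.000000000001")       # BOO left after the flash loan
# Assumption: quote side of the pool worth about $1.3M, matching the
# article's valuation of the borrowed BOO. The real reserve is not given.
QUOTE_RESERVE_USD = Decimal("1300000")


def spot_price(quote_reserve, boo_reserve):
    """Naive oracle: price is the ratio between the two pool reserves."""
    return quote_reserve / boo_reserve


def borrow_limit(collateral_boo, price, ltv=Decimal("0.5")):
    """USD value a lending market would release against the collateral."""
    return collateral_boo * price * ltv


def guarded_price(quote_reserve, boo_reserve, reference_price,
                  min_boo_reserve=Decimal("10000"),
                  max_deviation=Decimal("0.10")):
    """Refuse the spot price if the pool is too thin or the price has
    moved too far from a reference such as a time-weighted average."""
    if boo_reserve < min_boo_reserve:
        raise ValueError("pool reserve below minimum liquidity")
    price = spot_price(quote_reserve, boo_reserve)
    if abs(price - reference_price) / reference_price > max_deviation:
        raise ValueError("spot price deviates from reference")
    return price


def simulate():
    honest = spot_price(QUOTE_RESERVE_USD, BOO_BEFORE)
    manipulated = spot_price(QUOTE_RESERVE_USD, BOO_AFTER)
    naive_limit = borrow_limit(Decimal(1), manipulated)  # 1 BOO deposited
    try:
        guarded_price(QUOTE_RESERVE_USD, BOO_AFTER, reference_price=honest)
        rejected = False
    except ValueError:
        rejected = True
    return honest, manipulated, naive_limit, rejected


if __name__ == "__main__":
    honest, manipulated, naive_limit, rejected = simulate()
    print(f"price before: ${honest:.2f}, price after: ${manipulated:.3E}")
    print(f"naive limit for 1 BOO: ${naive_limit:.3E}, guard rejects: {rejected}")
```

In this model, a single BOO valued at the manipulated ratio supports a borrow limit far larger than any pool holds, while the guarded oracle refuses to quote a price at all.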

The pseudonymous founder of Polter Finance, known as Whichghost, has filed a police report regarding the incident and is attempting to negotiate with the attacker.

CoinPoker hit with hot wallet hack

Crypto poker platform CoinPoker was recently the victim of a private key hack, according to a Nov. 18 report from blockchain analytics platform Cyvers. The attacker made transfers across several different networks, including BNB Smart Chain, Ethereum and Polygon.

On Nov. 16, the poker platform attempted to open negotiations with the attacker by posting a message to the Ethereum network.

“We are aware of the activity involving funds stolen from the wallet address [beginning with 0x3c17],” the message stated. “We seek to establish secure communication to address this matter constructively. […] We are willing to discuss terms, including a potential bounty, for the safe return of the funds.”

Blockchain data shows the attacker has already deposited most of the stolen funds to privacy mixer Tornado Cash, making them difficult to trace, which may weaken the platform’s negotiating position.

CoinPoker attacker launders funds through Tornado Cash. Source: Etherscan

Web3 users should be aware that they can lose funds if a centralized gaming platform is hacked and loses customers’ deposits. Luckily, CoinPoker appears to have been resilient in the face of this particular attack, as withdrawals appear to be functioning normally at present.

Man gets 24 years for bank-crashing crypto scam

A man from the United States city of Elkhart, Kansas, received a 24-year prison sentence for his role in a crypto scam that crashed the Heartland Tri-State Bank, according to a Nov. 5 report from United Kingdom technology news site The Register. The leader behind the scam has still not been apprehended by authorities.

According to the report, 53-year-old Shan Hanes was the CEO of Heartland Tri-State Bank at the time that he came in contact with a crypto scammer via WhatsApp in 2023.

The scammer reportedly convinced Hanes to invest in a fake cryptocurrency investment scheme. But Hanes didn’t just contribute his own money. He also embezzled funds from the Elkhart Church of Christ and the Santa Fe Investment Club, organizations for which he was in charge of handling the finances. 

In addition, Hanes eventually began draining funds from the bank itself. Over $47 million was drained from Heartland Tri-State Bank deposits and sent into this crypto scam, but the scam never turned any real profits, and the money was simply pocketed by its unnamed founder.

The bank’s chief financial officer eventually reported Hanes’ embezzlement to authorities. But by that time, the losses were so large that they were greater than the bank’s capitalization, causing it to go bankrupt.

According to a July 2023 CNN report, the failed bank was first bailed out by the US Federal Deposit Insurance Corporation, then purchased by Dream First Bank of Syracuse and reopened.

According to the report, authorities managed to recover $8 million from Hanes’ wallets, but the remaining $39 million was lost forever.

Crypto investors may want to be skeptical of crypto investments that cannot be tracked on a blockchain through a public block explorer. These types of “projects” often turn out to be fictional.