
Foreword
The following is a summary of the security incidents recorded in June by Zhichuangyu Blockchain Security Lab, with a discussion of the problems they expose.
DeFi Security Type Events
On June 2, the project CoFiXProtocol on BNB Chain suffered a price manipulation attack, and the attacker made a profit of about 140,000 US dollars.
On June 4, the fomo-dao project was attacked, and the attacker made $110,000 in profit, which has been transferred to Tornado.cash.
On June 7, Equalizer Finance suffered a flash loan attack. The main reason for this attack is that the FlashLoanProvider contract of the Equalizer Finance protocol is not compatible with the Vault contract. The loss was about $831.
On June 9, pool 678 deployed on the Osmosis blockchain was attacked, possibly involving $5 million. By exploiting this vulnerability, a user can withdraw from the pool and receive an additional 50% of the assets originally deposited in the pool.
On June 14, Fswap officially stated that it was hacked at 22:08 on June 13. This attack was not a vulnerability incident of the attacked project, but a malicious loan attack incident. The loss was 1,751 BNB, worth about $390,000.
On June 21, the whaleswap.finance project was attacked, and at least 5,946 BUSD and 5,964 USDT were lost, worth about $11,910.
On June 23, the pandorachainDAO project suffered from a flash loan attack, resulting in asset losses worth approximately $128,000.
On June 24, Horizon, an asset cross-chain bridge between Ethereum and Harmony developed by the Layer1 public chain Harmony, was attacked, with a loss of approximately US$100 million.
On June 28, the SeniorPool contract of the Goldfinch project was attacked. The attacker gained a total of 28,523 USDC through arbitrage, and the project team lost a total of 541,158 USDC.
Scam Security Type Events
On June 1, a Rug Pull occurred on the project ArmadilloCoin on BNB Chain, and the scammers transferred 663.4 BNB to Tornado Cash. The loss was valued at approximately $210,000.
On June 3, a Rug Pull occurred on StarMan, and the token price fell by 99.5%. The scammers have transferred about 640.4 BNB to Tornado Cash. The loss was valued at approximately $196,000.
On June 6, the ACC token plummeted by more than 70%. Seven of the recent transactions were identified as suspicious Rug Pulls, with a loss of $120,000.
On June 8, a Rug Pull occurred on the project BabyElon on BNB Chain, and the token price fell by 98%. The scammers have transferred 623 BNB to Tornado Cash, with a loss of about $180,000.
On June 12, HEGE Coin was confirmed as a Rug Pull project, and the price of HEGE tokens plummeted by more than 97%. The current loss amount is about 430,000 USC-USD (approximately 430,000 U.S. dollars).
On June 13, a Rug Pull occurred on the ElonMVP token, and the price of the token fell by 99%. More than 622 BNB were transferred to Tornado.Cash, and the loss was about 130,000 US dollars.
On June 14, the blockchain cloud infrastructure Chain (XCN) may have had a Rug Pull, and the token price fell by 96.28% in 24 hours.
On June 20, the Move To Earn app StepUp Games had a Rug Pull, and the token price dropped by 84%. The deployers minted a large amount of STP and sold it.
On June 21, a Rug Pull occurred in the DHE project, causing the price of DHE tokens to drop by more than 91%. The total loss is currently approximately $142,000.
On June 29th, the LV Metaverse (token LVP) project had another Rug Pull, and the contract deployer took away tokens worth $50,000 again.
Phishing Security Type Events
On June 4, the Discord of Homeless Friends NFT was attacked, and homelessfriends[.]net was a phishing website.
On June 4, the Discord of the NFT project Not Bored Apes was hacked; a mod account appeared to have been compromised and began posting frequent phishing links. Be wary of any mint that has not been officially announced.
On June 4, the Discord server of the NFT project Wibin Wolves was attacked, community users were kicked, and all server invitation links were closed.
On June 5, the Discord server of the NFT project "Boring Ape" was briefly attacked, and NFTs worth about 200 ETH were stolen.
On June 6, the Discord of the NFT project Aiternate was attacked; please do not click on any Discord private messages or links.
On June 7, the Elrond network was hacked, and more than $1.65 million in EGLD was stolen. Some of it was sold through the decentralized trading platform Maiar, causing Maiar to go down for maintenance, and some of it was sent to Binance.
On June 7, the Discord of Boss Beauties, an NFT series focused on women's empowerment, was attacked. As of now, NFTs are still frequently transferred in and out, with a total of more than 40.
On June 8, the Discord of the NFT project Dapper Dinos was attacked. http://dapperdrop.com is a phishing site.
On June 9, http://mint-samsung.com is a phishing site. The phishing site impersonated the Samsung minting site to steal the VeeFriends Series 2 #44451 NFT.
On June 9, the Discord of the NFT project Alpha Kongs Club was attacked. http://alphakongsclubnft.org is a phishing site; users should not interact with any links sent by the project's Discord.
On June 12, the Discord of NFT project Gooniez Gang was hacked and a phishing link was posted.
According to news on June 12, the sci-fi NFT card game Parallel tweeted that its Discord was attacked and the team is recovering. Users are asked not to click on any Mint links.
On June 14, the Discord of KnownOrigin, an NFT discovery and trading platform, was hacked. http://knownoriginpass.io is a phishing website; please do not click on any Discord private messages or links.
On June 21, the official Twitter of the NFT project Neo Hunters posted that its official Discord had been hacked, reminding users not to click on any links.
On June 22, rrbayc.art was a phishing website; beware of being deceived. The real RR/BAYC project page has been taken down by OpenSea.
On June 23, the website http://punkcomics.net has been identified as a fraudulent website, and scammers have obtained more than 100 NFTs such as Otherdeed, The Sandbox LAND, etc. for $0.
On June 26, the Discord of Ugly Bros, an NFT project on the Cardano chain, was attacked, and an announcement containing a phishing link was posted. Community users are requested not to click any links or interact with them.
On June 27, crypto KOL ZachXBT posted on social media that the Nouns official Twitter account (@nounsdao) was stolen and that hackers took the opportunity to post phishing website information, reminding users to be careful about clicking related links.
Other Security Event Types
On June 9, the decentralized trading platform ApolloX released the latest statement on the hacking incident: "A hacker exploited a loophole in ApolloX's transaction reward contract to accumulate 255 signatures, and then used these signatures to steal from the withdrawal contract. 53 million APX Tokens were taken."
On June 24, Ribbon Finance tweeted that it suffered a DNS attack and a user lost 16.5 WBTC.
Summary
Judging from the DeFi security situation, flash loan attacks and oracle manipulation remained common in this month's security incidents, and project teams need to pay special attention to security in these areas. The security incident at the cross-chain bridge Harmony Bridge is also a reminder to protect private keys and to consider how to achieve better protection against private key leakage. Zhichuangyu Blockchain Security Lab reminds project teams that contracts need regular audits and compound audits to protect them from other attacks. Authorization issues also deserve close attention, and every authorization must have a clear time limit.