
Over 8,000 Solana wallets stolen
On August 3rd around 7am BST, the Solana ecosystem was hit by a major hack with losses of around $8 million. The losses mainly include SOL tokens, USDC, some Solana-based tokens and Solana NFTs, in addition to some assets from other chains.
About 8,000 Solana addresses were hacked and the stolen funds were siphoned off to 4 different wallets (i.e. attacker addresses).
Wallet 1: Htp9M... .g4wxV holds $3,770,247.17
Wallet 2: CEzN7... .b3iEu holds $2,072,147.49
Wallet 3: 5WwBY.... .h1J3n holds $1,391,621.06
Wallet 4: GeEcc.... .Dbmuy holds $456,217.77
According to the preliminary investigation by CertiK security experts, the transactions involved in the incident were signed directly by the actual owner, which at least indicates that the private key was compromised. The private key compromise may have been caused by the accidental disclosure of the mnemonic phrase while the wallet was interacting with a third-party data analysis platform.
CertiK will investigate further and update the official Twitter feed as well as WeChat and other platforms with the latest findings.
ZB Exchange Attacked, Suspends Withdrawals After $4.3 Million Loss
CertiK's security team has monitored a hack of the ZB Exchange (ZBExchange) with a total loss of approximately $4.3 million. Currently 2,224 ETH (approximately $3.6 million) have been transferred to the hacker's wallet. These funds are currently in an external account and will most likely be sent to TornadoCash.
Incident history. The exchange was attacked after a private key was compromised in ZBExchange's hot wallet. (A hot wallet is a wallet that stores assets and connects directly to the Internet. Such hot wallets are more vulnerable to attacks than cold wallets.)
ZBExchange informed its community on August 2 that deposit and withdrawal activity would be suspended due to a "sudden outage". The reason given was a "sudden failure of the core application".
Notably, the attack actually occurred on August 1, but was overshadowed by the overwhelming news of the Nomad vulnerability attack.
According to experts on the CertiK security team, attacks such as these highlight the need for decentralized rights management. The fact that ZBExchange describes itself as "the world's most secure digital asset exchange" certainly proves that no matter how secure a project thinks it is, it needs to be on constant alert for hacking attacks, as hackers keep looking for vulnerabilities even as projects raise their security standards.
Reaper Farm Attacked, $1.6 Million Lost
On August 2, 2022 Beijing time, the CertiK security team monitored a malicious exploit of Reaper Farm's ReaperVaultV2 contract, resulting in over $1.6 million worth of losses.
The attackers exploited a vulnerability in the ReaperVaultV2 contract - the ability to destroy other users' vault shares and extract tokens, thereby withdrawing a large amount of tokens from multiple vaults.
As of August 3, 2022, 8:00 p.m. BST, 1.6 million DAI, 62 ETH, and 200 Matic have been deposited into TornadoCash.
Attack Steps
1. The attacker deploys an attacker contract through which the attacker can withdraw multiple users' assets from the Reaper vault in a single transaction.
2. The ReaperVaultV2 contract does not check the relationship between the share owner and the message sender, so the attacker can withdraw the vault user's assets multiple times through the attacker contract.
3. The attacker exchanges the tokens withdrawn from the vault for DAI, ETH and Matic and deposits them in TornadoCash.
Vulnerability Analysis
In the withdraw() function of the ReaperVaultV2 contract, the vault share owner can be an account other than msg.sender. In addition, neither the relationship between the owner and msg.sender nor any allowance is checked, meaning that anyone can withdraw assets from the vault on behalf of other users.
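The missing check, shown as a simplified Solidity sketch that is added here for illustration and is not taken from the ReaperVaultV2 source. The contract name, the function names withdrawUnchecked and withdrawChecked, the 1:1 share accounting and the omitted asset transfer are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified share-accounting model (added example, not ReaperVaultV2 code).
// Assumption: 1 share == 1 asset unit and the asset transfer is omitted, so
// the only thing shown is who is allowed to burn whose shares.
contract VaultSketch {
    mapping(address => uint256) public balanceOf;                      // vault shares
    mapping(address => mapping(address => uint256)) public allowance;  // owner => spender => shares

    event Withdraw(address indexed caller, address indexed receiver, address indexed owner, uint256 shares);

    function deposit(uint256 shares) external {
        balanceOf[msg.sender] += shares;
    }

    function approve(address spender, uint256 shares) external {
        allowance[msg.sender][spender] = shares;
    }

    // Flawed pattern described above: `owner` is supplied by the caller and
    // never tied to msg.sender, so any caller can burn any owner's shares.
    function withdrawUnchecked(uint256 shares, address receiver, address owner) external {
        _burn(owner, shares);
        emit Withdraw(msg.sender, receiver, owner, shares);
    }

    // Hardened form: a caller other than the owner must hold an allowance
    // from that owner, and the withdrawal consumes it.
    function withdrawChecked(uint256 shares, address receiver, address owner) external {
        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender];
            require(allowed >= shares, "withdraw: insufficient allowance");
            if (allowed != type(uint256).max) {
                allowance[owner][msg.sender] = allowed - shares;
            }
        }
        _burn(owner, shares);
        emit Withdraw(msg.sender, receiver, owner, shares);
    }

    function _burn(address owner, uint256 shares) internal {
        require(balanceOf[owner] >= shares, "withdraw: insufficient shares");
        balanceOf[owner] -= shares;
    }
}
```

A pre-deployment test for this risk factor calls the withdrawal path from an account with no shares and no allowance, passes another depositor as owner, and expects a revert.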

An audit could have identified the risk factor behind this attack, "Lack of Access Control". This risk factor would have been categorized as a severe-level risk. In addition to auditing, the CertiK security team recommends that new code be tested in a timely manner before going live.
Although it is a bear market, attacks have been frequent recently. The clear takeaway from these attacks is that no project is 100% immune to hacking. Even when a project is billed as the "safest exchange", hackers are constantly looking for vulnerabilities and attack vectors. Therefore, Web3 projects must always be vigilant and turn to anticipating attacks, not just responding to them.