<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Fairyproof</title>
        <link>https://paragraph.com/@fairyproof</link>
        <description>Fairyproof is a pioneering #Blockchain Security Company.

Make It a Safer Place</description>
        <lastBuildDate>Sat, 04 Jul 2026 14:33:47 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <image>
            <title>Fairyproof</title>
            <url>https://storage.googleapis.com/papyrus_images/a252679155302f10559755fea3f5f72fe515f6204016c8b9eb87495cdc8231c2.jpg</url>
            <link>https://paragraph.com/@fairyproof</link>
        </image>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof — June 27 to July 3]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-june-27-to-july-3</link>
            <guid>OAnPR3KLmID15bGLzPTd</guid>
            <pubDate>Mon, 04 Jul 2022 11:13:22 GMT</pubDate>
            <description><![CDATA[During the week from June 27 to July 3, 2022, security incidents that happened in the crypto space are all security hacks. Here is a list of the security hacks: 1. Phishing Attack on Nickydooodles.eth On June 28, the address 0xA97aB7a18133a13fEBeB33Dc661cf5bF3a2eebe1 (Nickydooodles.eth) suffered from a phishing attack. The attacker’s address was 0x0730bCbd6Dfa86389eBF02109A5477fD65536175 on Ethereum. 17.8 ETHs valued at around 1,8000 and all the NFT (including Goblintowns, Doodles, and Sandbox...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from June 27 to July 3, 2022, security incidents that happened in the crypto space were all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Phishing Attack on Nickydooodles.eth</strong></p><p>On June 28, the address 0xA97aB7a18133a13fEBeB33Dc661cf5bF3a2eebe1 (Nickydooodles.eth) suffered from a phishing attack.</p><p>The attacker’s address was 0x0730bCbd6Dfa86389eBF02109A5477fD65536175 on Ethereum.</p><p>17.8 ETHs valued at around 1,8000 and all the NFTs (including Goblintowns, Doodles, and Sandbox Lands) held in the address were exploited.</p><p>The holder of Nickydooodles.eth was a famous NFT creator and also the founder of Meta bergs. Nickydooodles.eth claimed in its social media account that its address suffered from a phishing attack and lost ETHs and all the NFTs in the address. The attacker even controlled its Twitter account.</p><p><strong>2. 
Goldfinch</strong></p><p>On June 28, Goldfinch, a DeFi application deployed on Ethereum was attacked.</p><p>The attacker’s address was 0x86c595d81c8ab46d893065c3c674da72555fe7c0 on Ethereum.</p><p>The attacking contract was deployed at 0x541143d5eb30563a478eea23866e203b7c38c1ca on Ethereum.</p><p>The attacked contract (SeniorPool) was deployed at 0x9ffFAD7128152190065C800774443af102B62052 on Ethereum.</p><p>The hash value of the attack transaction was:</p><p>0xd56d801e07df9d8457973c3938f5d3e6343ec1ed11f4ebb76bc3f5cc73001707</p><p>Crypto assets valued at around $500,000 were exploited in the incident.</p><p>The root cause was the incorrect price calculation in USDC/FIDU in the implementation. This led to a big deviation between the price of FIDU in USDC in the SeniorPool contract and the price generated in Curve. The attacker leveraged a flash-loan to borrow USDCs, exchanged them for FIDUs in Curve, and then called “withdrawInFidu” in the SeniorPool contract to burn the FIDUs and get far more USDCs than were borrowed.</p><p>The attacker eventually exploited 28523 USDCs and Goldfinch lost 541158 USDCs.</p><p><strong>3. Quixotic</strong></p><p>On July 1, Quixotic, an NFT application deployed on Optimism was attacked.</p><p>The attacker’s address was 0x0a0805082ea0fc8bfdcc6218a986efda6704efe5 on Optimism.</p><p>The attacking contract was deployed at 0xbe81eabdbd437cba43e4c1c330c63022772c2520 on Optimism.</p><p>The attacked contract (ExchangeV4) was deployed at:</p><p>0x065e8A87b8F11aED6fAcf9447aBe5E8C5D7502b6 on Optimism.</p><p>Crypto assets valued at $130,000 were exploited in this incident.</p><p>The root cause was that the implementation didn’t correctly validate sell orders.</p><p>The attacked ExchangeV4 contract should have ensured that a buyer’s order matched a seller’s order. But it didn’t. 
Therefore anyone could create an NFT and sell this NFT to a buyer that had been authorized in ExchangeV4 no matter whether or not this NFT was what the buyer expected to buy.</p><p><strong>4. Ankr</strong></p><p>On July 1, Ankr, a popular blockchain service provider suffered from a DNS hijack attack.</p><p>The news was published by Polygon’s chief information security officer Mudit Gupta. Both Polygon and Fantom’s gateway service provided by Ankr suffered from DNS hijack attacks.</p><p>At the time of writing the service had been recovered and was back to normal.</p><p><strong>5. Crema Finance</strong></p><p>On July 2, Crema Finance, a DeFi application deployed on Solana was attacked.</p><p>The attacker’s address was Esmx2QjmDZMjJ15yBJ2nhqisjEt7Gqro4jSkofdoVsvY on Solana.</p><p>The attacker got its assets for the attack from 0x8021b2962dB803b73Aa874030B0B42c202E8458F on Ethereum.</p><p>The attacker initiated a transaction to modify the “Tick Account” contract on Solana and its hash value was:</p><p>5kfoGgEvhBiHXz1MBVxn8rfJh3cf98m3D64YHE2Q1SsXLiaahvdK4hCJfkMA7jQFXLjP9YdNSTMSor3oXbKrLTev</p><p>Crypto assets valued at around $8.7 million were exploited in this incident.</p><p>The root cause was a lack of validation for Tick Account contracts in the implementation. The attacker exploited this vulnerability to deploy a fake Tick Account contract which would return a fake token price. The attacker used the fake token price and leveraged flash loans to do arbitrage transactions and eventually transferred the exploited assets to Ethereum.</p><p><strong>Besides the security incidents, there was the latest security update from MetaMask.</strong></p><p>On June 28, MetaMask announced that the “eth_decrypt” and “eth_getEncryptionPublicKey” APIs had been deprecated and more secure APIs would be released soon. 
Although these two APIs hadn’t caused any issues, MetaMask suggested users should no longer use them.</p><p><strong>Closing thoughts</strong></p><p>There were five security attacks in the past week. Among the five attacks, three were smart contract vulnerabilities, one was a phishing attack, and one was a DNS hijack attack.</p><p>A reminder to project teams: always test thoroughly, do smart contract audits before deploying smart contracts on-chain, and employ comprehensive security solutions to daily operations and management. In addition, in daily operations, common attacks such as DNS hijack attacks, and DDOS attacks should always be watched.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof — June 20 to June 26]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-june-20-to-june-26</link>
            <guid>OnCn9jQDs7L71iYGw70d</guid>
            <pubDate>Mon, 27 Jun 2022 08:47:58 GMT</pubDate>
            <description><![CDATA[During the week from June 20 to June 26, 2022, security incidents that happened in the crypto space are either security hacks or rug-pulls. Here is a list of the security hacks: 1. Whaleswap Finance On June 20, Whaleswap Finance, a DeFi application deployed on the BNB chain was attacked. The attacker’s address was 0xD793FF8D744828c25DA7F80123B88Dd5c2Bf7A50. The attacking contracts were deployed at the following address on the BNB chain: 0xAA85fc75f2534FAA2668EF40C88e1dAe841Be6ba and 0xAA85fc7...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from June 20 to June 26, 2022, security incidents that happened in the crypto space are either <strong>security hacks or rug-pulls</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Whaleswap Finance</strong></p><p>On June 20, Whaleswap Finance, a DeFi application deployed on the BNB chain was attacked.</p><p>The attacker’s address was 0xD793FF8D744828c25DA7F80123B88Dd5c2Bf7A50.</p><p>The attacking contracts were deployed at the following address on the BNB chain:</p><p>0xAA85fc75f2534FAA2668EF40C88e1dAe841Be6ba and</p><p>0xAA85fc75f2534FAA2668EF40C88e1dAe841Be6ba</p><p>The attacked contracts were deployed at the following addresses on the BNB chain:</p><p>0x8Bfee2cAFF6b5D4Ac9F438F4b1f36FeeB5E76794 (WhaleswapPair) and</p><p>0x4000EC3810DFD0A0068b38F64795AE2d521A46f2 (WhaleswapPair)</p><p>The hash values of the attack transactions were:</p><p>0x9f5b02cb1ce2d75ba457a2d152d89b6d3932ff057c03739a0071fb816e0ebab3 and</p><p>0x43ddb5965733ee71c4b29fe685ae76bfc4d121dc606cbdf317fc59d61fec4fcf</p><p>Crypto assets valued at around $12000 were exploited.</p><p>The root cause is the validation of the K value in the AMM algorithm was incorrect.</p><p>In the swap function defined in the WhaleswapPair contract, the ratio of transaction fees should be either 4/10000 or 25/10000 based on the different “stable” values. However, the actual ratio value that was used was 2/10000. This led to the incorrect validation of the k value. 
The attacker exploited this vulnerability and leveraged a flash loan to borrow a large number of token A and paid back the loan with token B whose price was much lower than token A’s price.</p><p><strong>2. Neo Hunters</strong></p><p>On June 21, Neo Hunters’ team announced that its Discord server suffered from phishing attacks and phishing links were sent to its Discord server. Users should never click on these phishing links.</p><p><strong>3. PandorachainDAO</strong></p><p>On June 22, PandorachainDAO, an application deployed on the BNB chain was attacked.</p><p>The attacker’s address was 0xa11e104601582280672d6ed81eec3af2e4d21940 on the BNB chain.</p><p>The attacking contract was deployed at 0x51626f9a6cc5d55c042e43a3c0fa8cd2233a0098 on the BNB chain.</p><p>The attacked contract was deployed at 0x83757110409d993FCF3610260D7Af753e2423529 (PCDNFT) on the BNB chain.</p><p>The hash value of the attack transaction was:</p><p>0x1fff2189ef23e3c6dd3d643cbb91ee7ae20686fb6584e6d987f7fc55d98923be</p><p>Crypto assets valued at around $120,000 were exploited in this incident.</p><p>The root cause is that the implementation used an incorrect algorithm to calculate a token’s price.</p><p>The shouchan function defined in the PCDNFT contract would use the balances of USDT and PCD in the USDT-PCD trading pair to calculate the PCT’s price. The attacker exploited this vulnerability and leveraged a flash loan to manipulate the balance values and push the PCD’s price to an extremely low level such that the attacker used very few USDTs to purchase a large number of PCDs</p><p><strong>4. 
Harmony ETH Cross-Chain Bridge</strong></p><p>On June 23, Harmony’s ETH cross-chain bridge was attacked.</p><p>The attack was launched from the following three addresses on Ethereum:</p><p>0x0d043128146654C7683Fbf30ac98D7B2285DeD00,</p><p>0x9E91ae672E7f7330Fc6B9bAb9C259BD94Cd08715 and</p><p>0x58F4BACcb411ACef70A5f6DD174Af7854fc48Fa9</p><p>Crypto assets valued at around $100 million were exploited.</p><p>For more details please refer to:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/@FairyproofT/fairyproofs-analysis-of-the-attack-on-harmony-9f95bd76ab9d">https://medium.com/@FairyproofT/fairyproofs-analysis-of-the-attack-on-harmony-9f95bd76ab9d</a></p><p><strong>5. Convex Finance</strong></p><p>On June 24, Convex Finance’s team announced that the project’s website (http://convexfinance.com/) suffered from a DNS hijack. 215 ETHs valued at around $250,000 were exploited in this attack.</p><p><strong>Here is a list of the rug pulls:</strong></p><p><strong>1. LV PLUS</strong></p><p>On June 21, LV PLUS, an application deployed on the BNB chain turned out to be a rug pull.</p><p>The exploiter from 0x7721034753ebe6f5714a7c5ebd0d188fa4a3b167 on the BNB chain deployed the LVP token. The team behind the project claimed the project was part of “LV Metaverse” but it turned out that the project had nothing to do with LV. The exploiter distributed the tokens it held to multiple wallets, dumped them on the market, and got a profit of around $1.5 million.</p><p>All the profits were eventually sent to 0x0786e8682c11312cb547d6db46bc99a392050b26 on the BNB chain.</p><p>At the time of writing, 0x0786e8682c11312cb547d6db46bc99a392050b26 held crypto assets valued at around $8 million.</p><p><strong>2. Justcows</strong></p><p>On June 24, Justcows, a centralized platform that provided custody services turned out to be a rug-pull. The team behind the platform ran away with users’ crypto assets valued at around $5 million. 
The team distributed a large number of BUSDs via coin-join to thousands of addresses including Hunterswap, exchanges, etc.</p><p>Around one month ago, the team announced that it disabled the withdrawal of crypto assets.</p><p><strong>Closing thoughts</strong></p><p>There were five security attacks and two rug-pulls in the past week. Among the five attacks, the ones that happened to Whaleswap and PandorachainDAO were smart contract vulnerabilities that could have been prevented if they had undergone professional audits. The other three were more related to management and operations.</p><p>A reminder to project teams: always test thoroughly, do smart contract audits before deploying smart contracts on-chain, and employ comprehensive security solutions to daily operations and management.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof — June 13 to June 19]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-june-13-to-june-19</link>
            <guid>b0tY45LraiShX7A9or6n</guid>
            <pubDate>Mon, 20 Jun 2022 08:01:38 GMT</pubDate>
            <description><![CDATA[During the week from June 13 to June 19, 2022, security incidents that happened in the crypto space are all security hacks. Here is a list of the security hacks: 1. FSwap On June 13, FSwap, a DeFi application deployed on the BNB chain was attacked. The attacker’s address was 0x000c84c59385b64c3EA4D48cC3fCa1f08f3ABCfC on the BNB chain. The attacking contract was deployed at 0x7437e7a923a5b467a197c6fae991f0f0ced9af57 on the BNB chain. The attacked contract was deployed at 0x0d5F1226bd91b5582F6E...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from June 13 to June 19, 2022, security incidents that happened in the crypto space are all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. FSwap</strong></p><p>On June 13, FSwap, a DeFi application deployed on the BNB chain was attacked.</p><p>The attacker’s address was 0x000c84c59385b64c3EA4D48cC3fCa1f08f3ABCfC on the BNB chain.</p><p>The attacking contract was deployed at 0x7437e7a923a5b467a197c6fae991f0f0ced9af57 on the BNB chain.</p><p>The attacked contract was deployed at 0x0d5F1226bd91b5582F6ED54DeeE739CAC49C37Db on the BNB chain.</p><p>The hash value of the attack transaction was:</p><p>0xe75e30dafd865331e6a002d50effe084c21e413c96d4550d5e09cf647686fcbe</p><p>Crypto assets valued at around $390,000 were exploited in this incident.</p><p>The root cause is a bug in its swap algorithm that led to incorrect prices. This vulnerability was exploited, and a flash loan was leveraged to enlarge the loss.</p><p><strong>2. Known Origin</strong></p><p>On June 14, the team behind one popular NFT platform Known Origin announced that its Discord server was attacked. The team announced on its Twitter that they would never DM anyone or send any mint links.</p><p><strong>3. 
Inverse Finance</strong></p><p>On June 16, Inverse Finance, a DeFi application deployed on Ethereum was attacked.</p><p>The attacker’s address was 0x7b792e49f640676b3706d666075e903b3a4deec6 on Ethereum.</p><p>The attacking contract was deployed at 0xf508c58ce37ce40a40997c715075172691f92e2d on Ethereum.</p><p>The hash value of the attack transaction was:</p><p>0x958236266991bc3fe3b77feaacea120f172c0708ad01c7a715b255f218f9313c</p><p>Crypto assets valued at $1.2 million were exploited in this incident.</p><p>The root cause is that the implementation used an inappropriate algorithm to calculate an LP’s price. The implementation used its pair contract’s balance to calculate an LP’s price and the balance was easily manipulated. The attacker leveraged a flash loan to pump an LP’s price, and used the LP as collateral to borrow 10 million DOLAs valued at around $1.2 million.</p><p>Just two months ago, on April 12, 2022, Inverse Finance suffered from an earlier attack, which was then followed by this one.</p><p><strong>4. Tether</strong></p><p>On June 18, Tether’s CTO announced that the website suffered from a DDoS attack. Prior to the attack, the attacker asked for a ransom from Tether but got rejected. Then Tether’s website was flooded with 8 million requests within 5 minutes. In general, the frequency is 2000 requests per 5 minutes.</p><p>Right after the attack was launched, the Tether team used Cloudflare’s AS-CHOOPA to mitigate this attack. 
No losses were found in this incident.</p><p><strong>Closing thoughts</strong></p><p>The ones that happened to FSwap and Inverse Finance were typical smart contract vulnerabilities that could have been prevented if they had undergone professional audits.</p><p>The one that happened to KnownOrigin was a typical phishing attack.</p><p>A reminder to project teams: always test thoroughly and do smart contract audits before deploying smart contracts on-chain.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- June 6 to June 12]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-june-6-to-june-12</link>
            <guid>L7kDDu7xPGv4hgs3yp69</guid>
            <pubDate>Mon, 13 Jun 2022 11:32:45 GMT</pubDate>
            <description><![CDATA[During the week from June 6 to June 12, 2022, security incidents that happened in the crypto space were either security hacks or rug pulls. Here is a list of the security hacks: 1. Equalizer Finance On June 7, Equalizer Finance, a DeFi application deployed on both the BNB chain and Ethereum was attacked. The attacker’s address was 0x0000003502aa61A5f1B1fDaDFF2cf947DfDa526e on Ethereum. The attacking contract was deployed at 0xf667e04A8D5910328aE92750c0459d2E9E29a67f on Ethereum. The attacked ...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from June 6 to June 12, 2022, security incidents that happened in the crypto space were either <strong>security hacks or rug pulls</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Equalizer Finance</strong></p><p>On June 7, Equalizer Finance, a DeFi application deployed on both the BNB chain and Ethereum was attacked.</p><p>The attacker’s address was 0x0000003502aa61A5f1B1fDaDFF2cf947DfDa526e on Ethereum.</p><p>The attacking contract was deployed at 0xf667e04A8D5910328aE92750c0459d2E9E29a67f on Ethereum.</p><p>The attacked contracts were deployed at 0xA2B5ee9645f6011b2d6E10f750aB47fB455316EE on Ethereum and 0xcd2d4938350ea9137c5eac19b08b546aa14df075 on the BNB chain.</p><p>The vulnerability was that its FlashLoanProvider contract was incompatible with its Vault contracts. The vulnerability was exploited by the attacker to leverage flash loans to withdraw a large number of tokens from the vaults and eventually drained the vaults.</p><p><strong>2. 
OSMO</strong></p><p>On June 8, Pool number 678 deployed on the Osmosis blockchain was attacked.</p><p>Crypto assets valued at around $5 million were exploited.</p><p>The vulnerability was a software bug that was exploited to withdraw additional large numbers of tokens.</p><p>For more details please refer to:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/@FairyproofT/analysis-of-the-attack-on-osmosis-by-fairyproof-1899997d5089">https://medium.com/@FairyproofT/analysis-of-the-attack-on-osmosis-by-fairyproof-1899997d5089</a></p><p><strong>3. Apollox</strong></p><p>On June 8, Apollox, a DeFi application deployed on the BNB chain was attacked.</p><p>The attacker’s address was 0x9e532b19abd155ae5ced76ca2a206a732c68f261 on the BNB chain.</p><p>The attacking contract was deployed at 0xcC6EEDeb5266AAe42A33b629380B78c570E29956 on the BNB chain.</p><p>The hash value of the attack transaction was:</p><p>0x21e5e6ee42906a840c07eb39fb788553a3fbb5794562825c2a1d37bfc910e5f7</p><p>In this incident, 53 million APX tokens valued at around $2.1 million were exploited.</p><p>The root cause was the Apollox system had a bug in its signature implementation and the attacker exploited this to generate 255 signatures and withdraw 5300 million APX tokens.</p><p><strong>4. 
GYM</strong></p><p>On June 8, GYM, a DeFi application deployed on the BNB chain was attacked.</p><p>The attacker’s address was 0xb2c035eee03b821cbe78644e5da8b8eaa711d2e5 on the BNB chain.</p><p>The attacking contracts were deployed at the following addresses on the BNB chain:</p><p>0x7cbfd7bccd0a4a377ec6f6e44857efe42c91b6ea,</p><p>0xa796406635272448fa30089cd4d71dadae01c169,</p><p>0xd36Ea4756cf157c1A57BFFC8d3F064a1e0EFBE9f,</p><p>0x8aedf4e03f70d0680b760a63c1b4acb0eb437874 and</p><p>0x2cdb504CEFE087e00F13F9283F2FcbbdE7C2A28D</p><p>The attacked contracts were deployed at the following addresses on the BNB chain:</p><p>0xA8987285E100A8b557F06A7889F79E0064b359f2 (GymSinglePool) and</p><p>0x0288FBA0BF19072d30490A0F3C81cD9B0634258a (GymSinglePool).</p><p>In this incident, crypto-assets valued at around $2.1 million were exploited.</p><p>The vulnerability was that the contract implementation didn’t execute a transfer transaction and didn’t check the transfer transaction’s status either.</p><p>The “GymSinglePool” contract’s “depositFromOtherContract” function would update a deposit’s status but didn’t check whether or not that deposit was actually executed. Therefore a user could call the “depositFromOtherContract” function to update a deposit status but didn’t deposit the tokens.</p><p><strong>5. 
Optimism</strong></p><p>On June 5, Optimism, a popular Ethereum layer 2 solution was exploited.</p><p>The attacker’s address was 0x60B28637879B5a09D21B68040020FFbf7dbA5107 on Optimism.</p><p>The exploited address was 0x4f3a120E72C76c22ae802D129F599BFDbc31cb81 on Optimism.</p><p>In this incident, 20 million OP tokens valued at around $17 million were exploited.</p><p>For more details about this incident please refer to:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/@FairyproofT/analysis-solution-to-the-attack-on-optimism-by-fairyproof-95b09443dbf7">https://medium.com/@FairyproofT/analysis-solution-to-the-attack-on-optimism-by-fairyproof-95b09443dbf7</a></p><p><strong>Here is a list of the rug pulls:</strong></p><p><strong>1. Baby Elon</strong></p><p>On June 8, Baby Elon, a dApp deployed on the BNB chain turned out to be a rug-pull.</p><p>623 BNBs valued at around $170,000 were exploited and cashed out via Tornado Cash.</p><p><strong>Closing thoughts</strong></p><p>In the past week, there were six incidents. 
Five of them were hacks and one was a rug pull.</p><p>The one that happened to Optimism is a new type of attack which we name “contract hijacking” and can be prevented by following the suggestion raised in <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/@FairyproofT/analysis-solution-to-the-attack-on-optimism-by-fairyproof-95b09443dbf7">https://medium.com/@FairyproofT/analysis-solution-to-the-attack-on-optimism-by-fairyproof-95b09443dbf7</a>.</p><p>The other four hacks could have been prevented if the teams behind these projects had done thorough tests and had their projects audited by professionals.</p><p>A reminder to project teams: always test thoroughly and do smart contract audits before deploying smart contracts on-chain.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- May 30 to June 5]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-may-30-to-june-5</link>
            <guid>ahtFjYAr0EiciDzLavNX</guid>
            <pubDate>Mon, 06 Jun 2022 09:01:00 GMT</pubDate>
            <description><![CDATA[During the week from May 30 to June 5, 2022, security incidents that happened in the crypto space were all security hacks. Here is a list of the security hacks: 1. Novo On May 29, Novo, a DeFi application deployed on the BNB chain was attacked. The attacker’s address was 0x31A7CC04987520cEfaCd46F734943A105b29186E on the BNB chain. The attacking contract was deployed at 0x3463a663de4ccc59c8b21190f81027096f18cf2a on the BNB chain. The hash values of the attack transactions were: 0xc346adf14e508...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from May 30 to June 5, 2022, security incidents that happened in the crypto space were all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Novo</strong></p><p>On May 29, Novo, a DeFi application deployed on the BNB chain was attacked.</p><p>The attacker’s address was 0x31A7CC04987520cEfaCd46F734943A105b29186E on the BNB chain.</p><p>The attacking contract was deployed at 0x3463a663de4ccc59c8b21190f81027096f18cf2a on the BNB chain.</p><p>The hash values of the attack transactions were:</p><p>0xc346adf14e5082e6df5aeae650f3d7f606d7e08247c2b856510766b4dfcdc57f and</p><p>0x23fd14a46b539c81ca4491a577de118925d9339a63fcf4c8a3ff36c14d6cec35</p><p>The attacked contracts were deployed at the following two addresses:</p><p>0x6Fb2020C236BBD5a7DDEb07E14c9298642253333 and</p><p>0xa0787DaAD6062349f63b7c228CBFd5d8A3dB08F1</p><p>In this incident, 279 BNBs valued at around $800,000 were exploited.</p><p>The root cause of the incident was that its “transferFrom” function didn’t deduct the “approval” amount.</p><p>The attacker leveraged a flash-loan to borrow BNBs and exchanged the BNBs for NOVOs on Pancake. Then the attacker exploited the vulnerability of the “transferFrom” function and eventually pumped NOVO’s price and exchanged the NOVOs for WBNBs.</p><p><strong>2. 
Mirror</strong></p><p>On May 30, Mirror, a dApp deployed on the Terra 2.0 blockchain was attacked.</p><p>In this incident, crypto-assets valued at around $2 million were exploited.</p><p>The root cause was that Terra 2.0 Mirror still used the oracle that was used on Terra Classic and the price of LUNA fed by this oracle was incorrect. The attacker exploited this vulnerability to use LUNAs as collateral to borrow crypto assets including mBTC, ETH, mGLXY, mDOT, etc.</p><p><strong>3. BAYC</strong></p><p>On June 4, BAYC, the most popular NFT application on Ethereum was attacked.</p><p>In this incident, the project’s Discord server was attacked, and quite a few users suffered from a phishing attack. NFTs valued at around 200 ETH were exploited.</p><p><strong>Closing thoughts</strong></p><p>In the past week, there were three incidents. The root cause of the Mirror incident was using an inappropriate oracle. The root cause of the NOVO incident was a smart contract vulnerability. The phishing attack could have been prevented if the victims had paid more attention and acted with care and caution.</p><p>A reminder to project teams: always test thoroughly and do smart contract audits before deploying smart contracts on-chain.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- May 23 to May 29]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-may-23-to-may-29</link>
            <guid>c0SckqklOeaEu9tmbfqB</guid>
            <pubDate>Mon, 30 May 2022 08:23:41 GMT</pubDate>
            <description><![CDATA[During the week from May 23 to May 29, 2022, security incidents that happened in the crypto space were either security hacks or rug-pulls. Here is a list of the security hacks: 1. Moonbirds On May 25, an NFT collector’s Moonbirds collection was exploited. The Moonbirds collection is an NFT application deployed on Ethereum. The attackers were from multiple addresses including: 0xe8250Bb4eFa6D9d032f7d46393CEaE18168A6B0D, 0x8e73fe4d5839c60847066b67ea657a67f42a0adf, 0x6035B92fd5102b6113fE90247763...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from May 23 to May 29, 2022, security incidents that happened in the crypto space were either <strong>security hacks or rug-pulls</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Moonbirds</strong></p><p>On May 25, an NFT collector’s Moonbirds collection was exploited. The Moonbirds collection is an NFT application deployed on Ethereum.</p><p>The attackers were from multiple addresses including:</p><p>0xe8250Bb4eFa6D9d032f7d46393CEaE18168A6B0D,</p><p>0x8e73fe4d5839c60847066b67ea657a67f42a0adf,</p><p>0x6035B92fd5102b6113fE90247763e0ac22bfEF63,</p><p>0xBf41EFdD1b815556c2416DcF427f2e896142aa53 and</p><p>0x29C80c2690F91A47803445c5922e76597D1DD2B6</p><p>The attacked NFT collector was a “DigitalOrnithologist”. Basically, the collector suffered from a phishing attack such that the collector’s Moonbirds NFTs were exploited.</p><p>In this incident, this collector lost 29 Moonbirds NFTs which were worth 750 ETHs and valued at around $1.5 million.</p><p>It is highly possible this attack was related to a Twitter account “@DVincent_”. At the time of writing, both this Twitter account and its corresponding Opensea page have been deleted.</p><p>It was reported that before the attack, “@DVincent_” had conversations about NFT deals with other NFT collectors. 
A Bored Ape holder “@just1n_eth” claimed that they had some agreement on the deals and “@DVincent_” insisted on using a website <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="http://p2peers.io/">http://p2peers.io/</a> for the transactions. This made “@just1n_eth” suspicious because the website was never heard of. At the time of writing, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="http://p2peers.io/">http://p2peers.io/</a>, which was registered in Finland, was suspended.</p><p><strong>2. Mirror</strong></p><p>On May 28, Mirror, a popular application deployed on the Terra blockchain, was publicly reported to be attacked.</p><p>The attacker’s address was terra1200zm8crgjaj949ta8r7p6pay0qq638js4sdmh on Terra.</p><p>In this incident, crypto-assets valued at around $30 million were exploited.</p><p>Basically, the root cause of this incident was that the implementation lacked validation for the funding source of crypto assets. This vulnerability was exploited by the attacker to stake assets valued at around only $10 to repeatedly withdraw the staked assets in the application.</p><p>This vulnerability had existed for more than 1 year and had been exploited multiple times. However, it hadn’t been detected by the Mirror team until recently. After the team detected this, it silently patched the bug on May 9.</p><p><strong>Here is a list of the rug-pulls:</strong></p><p><strong>1. Pokemoney</strong></p><p>On May 27, Pokemoney, an NFT application deployed on the BNB Chain, turned out to be a rug-pull.</p><p>In this incident, 11800 BNBs valued at around $3.5 million were exploited. The price of Pokemoney plummeted by 99.98%.</p><p><strong>Closing thoughts</strong></p><p>In the past week, there were three incidents. The root cause of the Mirror incident was a smart contract vulnerability. The phishing attack could have been prevented if the victims had paid more attention and acted with care and caution. 
The rug-pull could have been avoided if the token holders had done basic research and investigations before buying the token.</p><p>A reminder to project teams: always test thoroughly and do smart contract audits before deploying smart contracts on-chain.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- May 16 to May 22]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-may-16-to-may-22</link>
            <guid>X9sntXRmFTGHUpynoLGD</guid>
            <pubDate>Mon, 23 May 2022 09:21:58 GMT</pubDate>
            <description><![CDATA[During the week from May 16 to May 22, 2022, security incidents that happened in the crypto space were all security hacks. Here is a list of the security hacks: 1. FEG On both May 15 and May 16, FEG, a DeFi application deployed on both the BNB Chain and Ethereum was attacked twice. Concerning the first attack, here is the basic information: The attacker’s address was 0x73b359d5da488eb2e97990619976f2f004e9ff7c on both the BNB Chain and Ethereum. The hash value of the attack transaction on the ...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/268e129c2c645b2d7e960f46eb3f6419b01e015ac5ebe7560fcc5d7492c7499b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from May 16 to May 22, 2022, security incidents that happened in the crypto space were all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. FEG</strong></p><p>On both May 15 and May 16, FEG, a DeFi application deployed on both the BNB Chain and Ethereum, was attacked twice.</p><p>Concerning the first attack, here is the basic information:</p><p>The attacker’s address was 0x73b359d5da488eb2e97990619976f2f004e9ff7c on both the BNB Chain and Ethereum.</p><p>The hash value of the attack transaction on the BNB Chain was:</p><p>0x77cf448ceaf8f66e06d1537ef83218725670d3a509583ea0d161533fda56c063</p><p>The hash value of the attack transaction on Ethereum was:</p><p>0x1e769a59a5a9dabec0cb7f21a3e346f55ae1972bb18ae5eeacdaa0bc3424abd2</p><p>3280 BNBs and 144 ETHs valued at around $1.9 million were exploited in the first attack.</p><p>With regard to the second attack, here is the basic information:</p><p>The attacker’s address was 0xF99e5F80486426E7d3e3921269FFee9c2Da258e2 on both the BNB Chain and Ethereum.</p><p>The attacking contract was deployed at 0xf02b075f514c34df0c3d5cb7ebadf50d74a6fb17 on both the BNB Chain and Ethereum.</p><p>4343.147 BNBs valued at around $1.9 million were exploited in the second attack.</p><p>The root cause of the two attacks was that a parameter was not verified. The parameter “path” was supplied by the caller. 
Because the parameter was not verified, the attacker passed in a fake value and thereby transferred tokens without doing token swaps.</p><p><strong>2. Scream</strong></p><p>On May 16, Scream, a DeFi application deployed on Fantom, was attacked.</p><p>In this incident, crypto-assets valued at around $35 million were exploited.</p><p>The root cause was that Scream didn’t update its prices for fUSD and DEI. When the real prices of fUSD and DEI fell to $0.69 and $0.52 respectively, the prices Scream had were still $1, therefore some attackers including the team behind DEI used fUSDs and DEIs as collateral to borrow a large number of USDCs, DAIs, etc.</p><p><strong>3. Phishing Attack on An RPG NFT Game</strong></p><p>On May 16, it was reported that users who downloaded and ran an executable from a fake website (Pixelmon[.]gw) that looked very similar to Pixelmon.club (an RPG NFT game) suffered from phishing attacks. Once the users ran the executable, their passwords for the game would be leaked and exploited by the attacker.</p><p><strong>4. Feminist Metaverse</strong></p><p>On May 18, Feminist Metaverse, a DeFi application deployed on the BNB Chain, was attacked.</p><p>In this incident, 1838 BNBs valued at around $500,000 were exploited.</p><p>The attacker’s address was 0xaaA1634D669dd8aa275BAD6FdF19c7E3B2f1eF50 on the BNB Chain.</p><p>The attacked contract was deployed at 0x843528746F073638C9e18253ee6078613C0df0f1 on the BNB Chain.</p><p>The root cause of this incident was that the implementation didn’t use the correct way to add liquidity.</p><p>The attacked contract (FMToken) incorrectly used a transfer function that worked for ERC-20 tokens to add liquidity but didn’t update the liquidity’s reserve value. As a result, the tokens that were added to the liquidity could be transferred away by anyone. The attacker, therefore, called the skim function to transfer the tokens added by the FMToken contract away.</p><p><strong>5. 
Discord MEE6</strong></p><p>On May 18, Discord’s bot MEE6 was attacked. This caused some crypto projects’ Discord servers to be exploited by hackers to send phishing links. The projects that suffered from this attack included Alien Frens, Lazy Lions, Axie Infinity, and LIamascape.</p><p><strong>6. QanPlatform</strong></p><p>On May 19, QanPlatform’s cross-chain bridge deployed on both the BNB Chain and Ethereum was attacked.</p><p>The attacker’s address was 0x1c8465662cAA8005ed41430e433E399c699cbcE2 on both the BNB Chain and Ethereum.</p><p>The hash value of the attack transaction on the BNB Chain was:</p><p>0xcf0a3e8a7a76241075f9c942af2780532295e209d5f89d180adbdc2bab07392b</p><p>The hash value of the attack transaction on Ethereum was:</p><p>0xf5a99333c4eeecf418e3f85079f49964962a32785f3035947f1917889b6788c8</p><p>In this incident, 270 million QANXs were exploited, converted to 325 ETHs valued at around $600,000.</p><p>The root cause of this incident was that the bridge’s server was attacked such that the attacker could save 1 QANX on the BNB Chain and withdraw 4.8 million QANXs on Ethereum. The attacker repeated this procedure 20 times and exploited a total number of 270 million QANXs.</p><p><strong>7. LIamascape</strong></p><p>On May 20, the Discord account of a team member of LIamascape was compromised such that LIamascape’s Discord server was exploited by the hacker to send phishing links.</p><p>30 ETHs valued at around 60,000 were exploited in this incident.</p><p><strong>Closing thoughts</strong></p><p>In the past week, there were seven incidents, four of which suffered from smart contract attacks and three of which suffered from phishing attacks.</p><p>Among those suffering from smart contract attacks, all the vulnerabilities were commonly seen and could have been prevented if they had undergone a professional audit and a thorough test. 
All the phishing attacks were carried out by commonly seen procedures and could have been prevented if the victims had paid more attention and acted with care and caution.</p><p>A reminder to project teams: always test thoroughly and do smart contract audits before deploying smart contracts on-chain.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- May 9 to May 15]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-may-9-to-may-15</link>
            <guid>v1DWuRxd4RWrZoaxrs8i</guid>
            <pubDate>Mon, 16 May 2022 09:31:42 GMT</pubDate>
            <description><![CDATA[During the week from May 9 to May 15, 2022, security incidents that happened in the crypto space fell into two categories: security hacks and rug-pulls. Here is a list of the security hacks: 1. Google’s Vulnerability On May 10, an attacker used a vulnerability detected in Google’s Ad system to display a fake website that showed its name as “http://x2y2.io/” which was the name of a popular NFT trading platform. Users that clicked on the fake site would be exploited. Crypto assets valued at aro...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4580d9308ebec0288e3df0bb0b7a3e047740461639d3b48b46865c89dc9398e6.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from May 9 to May 15, 2022, security incidents that happened in the crypto space fell into two categories: <strong>security hacks and rug-pulls</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Google’s Vulnerability</strong></p><p>On May 10, an attacker used a vulnerability detected in Google’s Ad system to display a fake website that showed its name as “http://x2y2.io/” which was the name of a popular NFT trading platform. Users that clicked on the fake site would be exploited.</p><p>Crypto assets valued at around 100 ETHs ($200,000 equivalently) were exploited in this incident.</p><p><strong>2. OWNLY</strong></p><p>On May 11, OWNLY, an NFT application deployed on the BNB Chain, was attacked.</p><p>The attacker’s address was 0xba31058357ea2f474a2ed0d1b3f9183904ebd38a on the BNB Chain.</p><p>The attacking contract was deployed at 0xa81ea095e0c3708e4236c71146748fa15b620386 on the BNB Chain.</p><p>The attacked contract, which was the NFTStaking contract, was deployed at 0x41BF7F818F2Dc41c67932E63E87c86D05AB957e8 on the BNB Chain.</p><p>The hash value of the attack transaction was:</p><p>0x2cbe47edb040c710b7f139cbea7a4bced4d6a0d6c5aa4380f445880437ea072f</p><p>115 BNBs valued at around $36000 were exploited in this incident.</p><p>The vulnerability was a lack of validation for a user’s status. 
The unstake function in the NFTStaking contract didn’t validate a user’s status such that the attacker launched a double-spend attack to exploit all the OWNLY tokens in the staking contract. The attacker exchanged the OWNLYs for 115 BNBs.</p><p><strong>3. Venus Protocol</strong></p><p>On May 12, Venus Protocol, a DeFi application deployed on the BNB Chain, was exploited.</p><p>The root cause was that the Chainlink oracle didn’t update LUNA’s price after LUNA’s price plummeted dramatically. This resulted in a large number of assets being borrowed by using LUNA as collateral at an obsolete price. Crypto assets valued at around $11.2 million were exploited in this incident.</p><p><strong>4. Blizz Finance</strong></p><p>On May 12, Blizz Finance, a DeFi application deployed on AVAX, was attacked.</p><p>The root cause was that the Chainlink oracle didn’t update LUNA’s price after LUNA’s price plummeted dramatically. This resulted in a large number of assets being borrowed by using LUNA as collateral at an obsolete price. Crypto assets valued at around $8 million were exploited in this incident.</p><p><strong>5. Spiritswap</strong></p><p>On May 14, Spiritswap’s homepage that was deployed on AWS was attacked. The attacker modified some of the DEX’s parameters such that users would send crypto assets to the attacker’s designated address.</p><p>Crypto assets valued at around $18000 were exploited in this incident.</p><p><strong>Here is a list of the rug pulls:</strong></p><p><strong>1. 
Cashera</strong></p><p>In May, Cashera, a dApp deployed on the BNB Chain turned out to be a rug pull.</p><p>The dApp’s Twitter account was @CasheraOfficial.</p><p>Its token was deployed at 0x6e8ff72962750f0fa57a906f7833d1c657614abe on the BNB Chain.</p><p>The address of the token contract’s deployer was:</p><p>0xBaA0C3523877C68d26B88930AEe3FC1C44801344</p><p>The token’s symbol was CSR.</p><p>The hash value of an additional mint transaction that was related to this rug-pull was:</p><p>0x8d6b11a8584a148151fb2a1ca6f5c722b8da85d7839c5f48efc00e641c7adcc4</p><p>The admin withdrew 23 million CSR tokens from a “PinkLock” contract and exchanged the CSRs for BNBs. These operations led to CSR’s price plummeting hugely by 71% and caused a loss of around $90000.</p><p><strong>Closing thoughts</strong></p><p>In the past week, LUNA’s de-pegging was the biggest incident in the crypto space. Its de-pegging caused the Chainlink’s oracle to stop updating its price. DeFi applications that used Chainlink’s service but didn’t take corresponding actions to handle this case would suffer losses. Two incidents in our summary were of this kind. All other incidents were still commonly known issues or risks.</p><p>A reminder to project teams: besides smart contracts, the security of the front-end should be taken care of as well.</p><p>A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[A Comprehensive Research on DAO’s Security by Fairyproof]]></title>
            <link>https://paragraph.com/@fairyproof/a-comprehensive-research-on-dao-s-security-by-fairyproof</link>
            <guid>fghfAt6UQTQVPXw835KL</guid>
            <pubDate>Fri, 13 May 2022 03:53:22 GMT</pubDate>
            <description><![CDATA[DAOs (Decentralized Autonomous Organization) [1] are a new form of organization based on blockchain technology. DAOs can be thought of as a new way for people around the globe to work towards a common goal. What makes DAOs hugely different from existing companies, organizations, institutions, etc. is that part or all of DAOs’ governance is conducted based on the rules encoded in smart contracts that run on blockchains. The first mostly recognized DAO project is “The DAO” [2] which was launche...]]></description>
            <content:encoded><![CDATA[<p>DAOs (Decentralized Autonomous Organizations) [1] are a new form of organization based on blockchain technology. DAOs can be thought of as a new way for people around the globe to work towards a common goal. What makes DAOs hugely different from existing companies, organizations, institutions, etc. is that part or all of DAOs’ governance is conducted based on the rules encoded in smart contracts that run on blockchains.</p><p>The first widely recognized DAO project is “The DAO” [2], which was launched in 2016. Unfortunately, The DAO eventually failed due to a fatal vulnerability that not only destroyed the project itself but also resulted in a painful hard fork for Ethereum [3].</p><p>It seems that security concerns have surrounded the development of DAOs since day one.</p><p>During the past years, although DAOs have evolved and achieved huge progress and today’s DAOs are far more mature than what they were back in 2016 in nearly every aspect, security concerns don’t seem to fade and DAOs still face a lot of security challenges.</p><p>Fairyproof’s research team has done retrospective research on the development of security situations and conditions of DAOs over the past years since 2016 when The DAO was launched.</p><p>Based on the vulnerability types, we think of the development of security situations and conditions of DAOs as having gone through three phases.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/484d59fa424227540159ffc3357f3f6292679c93957699de1bd25884a3fd4be5.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>In the first phase, the biggest security concern lay in smart contracts. 
In the second phase, the biggest security concern lay in execution mechanisms. In the third phase, which is now, the biggest security concern lies in the design of governance rules or mechanisms that apply tokens in governance.</p><p>We analyze the security concern in each of these phases and would like to share our exploratory observations with the crypto industry.</p><p><strong>Phase I: Security Concerns in Smart Contracts</strong></p><p>In this phase, the biggest event was the crash of The DAO. Basically, the root cause of this crash was that a combination of vulnerabilities in The DAO’s smart contracts was exploited by a hacker, and this led to one-third of the project’s funds being drained.</p><p>This overwhelming loss halted The DAO project and eventually forced the Ethereum team to hard-fork Ethereum.</p><p>After this incident, people no longer talked about DAOs and people’s initial passion for DAOs soon faded.</p><p>This incident revealed a painful fact: when smart contract-based dApps were still in their early stages, due to a lack of experience and experimentation in security, smart contract-based DAOs were far from mature enough to handle even simple cases as expected.</p><p>So, in this phase, security concerns in smart contracts were the biggest challenge.</p><p><strong>Phase II: Security Concerns in Execution Mechanisms</strong></p><p>Although the failure of The DAO severely hit DAOs’ development, there were still teams working hard in this space and pushing the limits of DAOs greatly. The team behind MakerDAO [4] was one of them.</p><p>MakerDAO was officially launched on Ethereum in 2017. Since its deployment on Ethereum the team behind it began to explore governing its operations and driving its development by using a DAO. 
Through years of careful development and management, MakerDAO had been running pretty well, safely and securely, and hadn’t suffered from serious attacks on its smart contracts or encountered any serious security issues.</p><p>It was considered one of the most robust, secure, and well-established projects on Ethereum.</p><p>MakerDAO’s well-being and accumulated reputation gradually and strongly built up people’s confidence in DAOs. Meanwhile, over the years, increasingly more teams began to notice the importance of smart contract audits, and more projects got audited before their deployment. This greatly reduced the possibility of being hacked for a project if it had gone through a professional audit.</p><p>However, a disruptive incident that happened in March 2020 put MakerDAO in turmoil, and it again raised security concerns about DAOs that had almost disappeared.</p><p>On March 12, 2020, the overall crypto space was brutally hit by a market crash. Ether, which was one of the most important collaterals used in MakerDAO, suffered from a huge loss in price. Its price plummeted by more than 50% on that single day. This dramatic change in Ether’s price triggered a massive liquidation of Ethers in MakerDAO.</p><p>This liquidation soon caused a serious on-chain traffic jam. However, since MakerDAO had never experienced this massive liquidation, the design of its liquidation mechanism didn’t have adequate resilience to handle this. This led to the liquidation mechanism failing to work as expected.</p><p>MakerDAO suffered huge financial losses in this incident.</p><p>In this incident, as far as MakerDAO’s smart contracts were concerned, there were no vulnerabilities in the implementation. It was the vulnerabilities in its mechanism that caused the loss.</p><p>After this incident, people began to be aware of the design of DAOs’ mechanisms. 
However, since most of the dApps in the crypto space didn’t apply DAOs in their governance as much as MakerDAO did, the security concerns in DAOs didn’t last long and DAOs’ security still didn’t gain enough traction broadly.</p><p><strong>Phase III: Security Concerns in Governance</strong></p><p>In June 2020, one famous DeFi application, Compound, issued its governance token COMP [5]. In Compound’s design, the COMP token was not only used as a governance token but also used to reward people who provided liquidity to the protocol. This innovative design promptly took DeFi by storm. Nearly all DeFi applications or protocols that were launched before or after Compound followed this design and issued their own governance tokens.</p><p>Although Compound was not the first project that issued a governance token, it was the project that triggered the issuance of governance tokens among nearly all projects in DeFi.</p><p>Since then, governance tokens have been widely used in DeFi applications to conduct their governance through voting. Anyone that holds a project’s governance token can participate in voting for a proposal or submitting a proposal.</p><p>Among the projects that issued governance tokens, some project teams listed vital decisions for token holders to vote on and some teams designed a very low threshold for token holders to submit any proposal. This potentially gave opportunities to malicious actors to hack the projects and inevitably introduced risks. 
For instance, a malicious actor could bribe other token holders of a project into submitting a proposal or voting for a proposal to exploit the project.</p><p>Theoretically, any project that issues its governance token may possibly suffer from such an attack if the majority of the tokens are not held by goodwill actors.</p><p>In addition, with an innovative mechanism called “flash-loan” [6] being created by AAVE [7], a malicious actor could even launch such an attack without needing to hold governance tokens. The actor can leverage a flash-loan to borrow a large number of governance tokens to enforce a proposal to be passed or submitted for execution by paying only a few fees.</p><p>Since 2020, various DeFi applications have suffered from these attacks [8][9][10] and the loss of such an attack has been trending increasingly high these years.</p><p>Nowadays this has become a major type of attack on dApps that use a DAO to govern their decision-making process. These attacks are commonly referred to as “governance attacks”.</p><p>Like the security issues we discussed in phase II, most of the projects that suffered from a governance attack did so not because of vulnerabilities in their smart contracts but because of vulnerabilities in the design of their governance rules or mechanisms.</p><p>Nevertheless, governance attacks still haven’t gained adequate awareness compared to attacks on smart contracts.</p><p>We think governance attacks will be more common as more dApps tend to use DAOs. Therefore Fairyproof has been watching the development of governance attacks. We are not only researching this topic but also have developed utilities to tackle the challenges in this area.</p><p>Governance attacks are a new kind of attack that specifically pertains to blockchain applications. They are more complicated than attacks on smart contracts. They are a big challenge to both dApp teams and security companies. 
We will keep working in this area and publish more articles sharing our research results going forward.</p><p><strong>References:</strong></p><p>[1] Decentralized autonomous organizations (DAOs), <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/dao/">https://ethereum.org/en/dao/</a></p><p>[2] The DAO (organization), <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://en.wikipedia.org/wiki/The_DAO_(organization)">https://en.wikipedia.org/wiki/The_DAO_(organization)</a></p><p>[3] Ethereum Classic, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://en.wikipedia.org/wiki/Ethereum_Classic">https://en.wikipedia.org/wiki/Ethereum_Classic</a></p><p>[4] MakerDAO, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://makerdao.com/">https://makerdao.com/</a></p><p>[5] Compound Governance, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/compound-finance/compound-governance-5531f524cf68">https://medium.com/compound-finance/compound-governance-5531f524cf68</a>, Feb 27, 2020</p><p>[6] Flash Loans, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.aave.com/faq/flash-loans">https://docs.aave.com/faq/flash-loans</a></p><p>[7] AAVE, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://app.aave.com/">https://app.aave.com/</a></p><p>[8] Build Finance DAO Suffers Governance Takeover Attack, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://cryptobriefing.com/build-finance-dao-suffers-governance-takeover-attack/">https://cryptobriefing.com/build-finance-dao-suffers-governance-takeover-attack/</a>, Feb 15, 2022</p><p>[9] Beanstalk founders dismissed concerns about governance attacks before losing 
$182 million, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.theverge.com/2022/4/22/23037325/beanstalk-dismissed-governance-attacks-lost-182-million">https://www.theverge.com/2022/4/22/23037325/beanstalk-dismissed-governance-attacks-lost-182-million</a>, April 22, 2022</p><p>[10] Fairyproof’s Analysis of the Attack on Fortress Protocol, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-fortress-protocol-6fb2df687845">https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-fortress-protocol-6fb2df687845</a>, May 9, 2022</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Fairyproof’s Analysis of the Attack on Fortress Protocol]]></title>
            <link>https://paragraph.com/@fairyproof/fairyproof-s-analysis-of-the-attack-on-fortress-protocol</link>
            <guid>WugZRCWmBQssUGhLpl7f</guid>
            <pubDate>Mon, 09 May 2022 05:27:27 GMT</pubDate>
            <description><![CDATA[On May 8, 2022, Fortress Protocol, a DeFi application deployed on the BNB Chain suffered from a governance attack. The attacker’s address was 0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad on the BNB Chain. The attacking contract was deployed at** 0xcd337b920678cf35143322ab31ab8977c3463a45** on the BNB Chain. The attacked contract was deployed at 0xc11B687cd6061A6516E23769E4657b6EfA25d78E on the BNB Chain. The hash value of the attack transaction was: 0x13d19809b19ac512da6d110764caee75e2157ea62cb...]]></description>
            <content:encoded><![CDATA[<p>On May 8, 2022, Fortress Protocol, a DeFi application deployed on the BNB Chain, suffered from a governance attack.</p><p>The attacker’s address was <strong>0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad</strong> on the BNB Chain.</p><p>The attacking contract was deployed at <strong>0xcd337b920678cf35143322ab31ab8977c3463a45</strong> on the BNB Chain.</p><p>The attacked contract was deployed at <strong>0xc11B687cd6061A6516E23769E4657b6EfA25d78E</strong> on the BNB Chain.</p><p>The hash value of the attack transaction was:</p><p>0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf</p><p>The vulnerability that was exploited in this incident lay in the project’s governance mechanism.</p><p>Here is how the attack was carried out:</p><p>The attacker deployed a contract to submit a proposal (proposal ID: 11) to modify the parameters of the CollateralFactor contract 5 days prior to the attack. The hash value of the contract deployment transaction was:</p><p>0x12bea43496f35e7d92fb91bf2807b1c95fcc6fedb062d66678c0b5cfe07cc002</p><p>The attacker voted for the project 2 days before the attack. According to the governance rules, the proposal would be executed 2 days after it was passed.</p><p>At 8 AM on May 8 UTC, the attacker launched the attack by executing the proposal to successfully modify the CollateralFactor’s parameters.</p><p>After the parameters were modified, the attacker could mint many fFTS tokens by depositing only a small number of FTS tokens as collateral.</p><p>In this incident, the attacker minted 4999.9 fFTS tokens and used them as collateral to borrow crypto assets including BNBs, BUSDs, BTCBs, and ETHs. 
The attacker exchanged these borrowed assets for DAIs and ETHs, transferred the DAIs and ETHs from the BNB Chain to Ethereum via Celer Network’s cross-chain bridge, and cashed them out via Tornado Cash.</p><p>This is another typical governance attack that happened after the attack on Rari Capital.</p><p>A reminder from Fairyproof to all projects that are governed by DAOs: be careful with the design of governance rules and mechanisms. Be aware of governance attacks.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- Apr 25 to May 1]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-apr-25-to-may-1</link>
            <guid>r0I6PeZimMp221jQ7HiD</guid>
            <pubDate>Mon, 02 May 2022 11:51:21 GMT</pubDate>
            <description><![CDATA[During the week from April 25 to May 1, 2022, security incidents that happened in the crypto space were all security hacks. Here is a list of the security hacks: 1. BAYC On April 26, the most popular NFT project BAYC’s Instagram was attacked. Crypto assets valued at around $2.4 million were exploited. This was a typical phishing attack. The hacker sent phishing links on BAYC’s Instagram, and some users were misled to sign a “safeTransferFrom” transaction which approved the hacker to spend the...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/e525ec221d5e9354315120bef829ecef3f78367247663c3ed14b562fa4027d30.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from April 25 to May 1, 2022, security incidents that happened in the crypto space were all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1.</strong> <strong>BAYC</strong></p><p>On April 26, the most popular NFT project BAYC’s Instagram was attacked.</p><p>Crypto assets valued at around $2.4 million were exploited.</p><p>This was a typical phishing attack. The hacker sent phishing links on BAYC’s Instagram, and some users were misled into signing a “safeTransferFrom” transaction which approved the hacker to spend the NFTs in these users’ wallets.</p><p>A total of 765 ETHs and 91 NFTs including BAYC, MAYC, BACK, and CloneX were exploited. Among these NFTs, 23 including 4 BAYCs, 6 MAYCs, and 2 CloneXs were sold. The sold NFTs were valued at around $2.4 million.</p><p><strong>2. Deus</strong></p><p>On April 28, Deus, a DeFi application deployed on Fantom, was attacked.</p><p>The attacker’s address was 0x701428525cbac59dae7af833f19d9c3aaa2a37cb on Fantom.</p><p>The attacking contract was deployed at 0x1f56CCfE85Dc55558603230D013E9F9BfE8E086C on Fantom.</p><p>The hash value of the attack transaction was:</p><p>0x39825ff84b44d9c9983b4cff464d4746d1ae5432977b9a65a92ab47edac9c9b5</p><p>The exploited assets in this incident were valued at around $13.4 million.</p><p>The vulnerability was that the application’s implementation didn’t use a secure price oracle. 
The hacker leveraged a flash loan to manipulate the price of DEI, exploited a large number of DEIs, migrated these DEIs from Fantom to Ethereum, and cashed them out via Tornado Cash.</p><p><strong>3. Saddle Finance</strong></p><p>On April 30, Saddle Finance, a DeFi application deployed on Ethereum, was attacked.</p><p>The attacker’s address was 0x63341ba917de90498f3903b199df5699b4a55ac0 on Ethereum.</p><p>The attacking contract was deployed at 0x7336f819775b1d31ea472681d70ce7a903482191 on Ethereum.</p><p>The attacker launched two attack transactions and the hash values of these two transactions were:</p><p>0x2b023d65485c4bb68d781960c2196588d03b871dc9eb1c054f596b7ca6f7da56 and</p><p>0xe7e0474793aad11875c131ebd7582c8b73499dd3c5a473b59e6762d4e373d7b8 respectively.</p><p>In this incident, a total of 3540 ETHs valued at around $10 million were exploited.</p><p>The root cause of this incident was an incorrect use of a smart contract. The implementation should have used the newly deployed MetaSwapUtils lib; however, it used an obsolete MetaSwapUtils lib. This vulnerability was exploited, and the attack was amplified by using a flash loan.</p><p><strong>4. 
Rari Capital</strong></p><p>On May 1, Rari Capital, a DeFi application deployed on Ethereum, was attacked.</p><p>The attacker’s address was 0x6162759edad730152f0df8115c698a42e666157f on Ethereum.</p><p>The attacking contract was deployed at 0x32075bad9050d4767018084f0cb87b3182d36c45 on Ethereum.</p><p>The contract that had the vulnerability that was exploited was deployed at:</p><p>0xd77E28A1b9a9cFe1fc2EEE70E391C05d25853cbF on Ethereum.</p><p>Crypto assets valued at $79.21 million were exploited in this incident.</p><p>For more details about this incident please refer to:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-rari-capital-d8fb4538fbdf">https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-rari-capital-d8fb4538fbdf</a></p><p><strong>5. Solana</strong></p><p>On May 1, the Solana blockchain suffered from a DoS attack.</p><p>The incident was caused by a crawler application deployed by Metaplex, an NFT application. After this crawler application ran, Solana’s TPS hiked to 4 million, which was far beyond what Solana could handle.</p><p>This issue caused Solana to shut down for nearly 7 hours. After Solana’s mainnet was restarted, it resumed its work.</p><p><strong>Closing thoughts</strong></p><p>Among these 5 incidents, the incidents with Deus, Saddle Finance, and Rari Capital were all common issues that could have been prevented if they had undergone a thorough audit and system test.</p><p>The incident with Solana was not the first of its kind in Solana’s development. Incidents of this kind may happen again if it is not carefully maintained and managed, since Solana was designed to achieve high performance at the cost of relatively less decentralization.</p><p>Phishing attacks happen quite often these days as NFT projects keep gaining traction among people. 
It is easy to be exploited if users pay no attention to fake sites.</p><p>A reminder to smart contract developers: smart contracts should be thoroughly tested before being deployed. A professional audit performed by a third party is a must-have step before deployment.</p><p>A reminder to crypto users: be cautious about suspicious links, emails, or websites.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- Apr 18 to Apr 24]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-apr-18-to-apr-24</link>
            <guid>hiAvZtp8aKAyPEalTFqT</guid>
            <pubDate>Mon, 25 Apr 2022 08:31:17 GMT</pubDate>
            <description><![CDATA[During the week from April 18 to April 24, 2022, security incidents that happened in the crypto space can be categorized into security hacks and rug pulls. Here is a list of the security hacks: 1. ZEED On April 21, ZEED, a DeFi application deployed on the BNB Chain was attacked. The attacker’s address was 0xEc14207D56E10F72446576779d9b843e476e0fB0 on the BNB Chain. The attacking contract was deployed at 0x05e55d051AC0a5fb744E71704a8fA4Ee3B103374 on the BNB Chain. The attacked contract was the...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4fa6bf5a1a03736c0c6eb3f8adcfbd5a2443497c38d5c0b6a06e0c3428ee7d3c.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from April 18 to April 24, 2022, security incidents that happened in the crypto space can be categorized into <strong>security hacks and rug pulls</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. ZEED</strong></p><p>On April 21, ZEED, a DeFi application deployed on the BNB Chain was attacked.</p><p>The attacker’s address was 0xEc14207D56E10F72446576779d9b843e476e0fB0 on the BNB Chain.</p><p>The attacking contract was deployed at 0x05e55d051AC0a5fb744E71704a8fA4Ee3B103374 on the BNB Chain.</p><p>The attacked contract was the “YEED” contract deployed at:</p><p>0xe7748FCe1D1e2f2Fd2dDdB5074bD074745dDa8Ea on the BNB Chain.</p><p>The hash value of the attack transaction was:</p><p>0x0507476234193a9a5c7ae2c47e4c4b833a7c3923cefc6fd7667b72f3ca3fa83a</p><p>Crypto assets valued at around $1 million were exploited in this incident.</p><p>The vulnerability was in the “_takeReward” function in the YEED contract as follows. It was a logic error that caused the reward to be incorrectly calculated.</p><p>The function implemented an algorithm for how the “rewardFee” should be distributed. The expected behavior was that swapPair, swapPairZeed, and swapPairHo each should be given 1/2 * rewardFee, 1/4 * rewardFee, and 1/4 * rewardFee respectively. However, the implementation gave each of them the rewardFee. The pair contract had a “skim” function which could be called by any address to transfer the surplus tokens in the contract. 
The attacker called this function to exploit the distributed token rewards.</p><p>The attacker leveraged a flash loan to borrow 662 YEEDs and used it to launch the attack and eventually exploited 87 million YEEDs, exchanged the YEEDs for BSC-USDs, and sent them to the attacking contract. The attacker eventually destroyed the attacking contract and this means that the hacker didn’t take away the exploited tokens.</p><p><strong>2. AKuDreams</strong></p><p>On April 23, AKuDreams, an NFT application deployed on Ethereum was attacked.</p><p>The attacked contract was the “AkuAuction” contract deployed at:</p><p>0xf42c318dbfbaab0eee040279c6a2588fa01a961d on Ethereum.</p><p>A total of 11000 ETHs valued at around $34 million were locked permanently in its contract.</p><p>There were two vulnerabilities in this application:</p><p>The first one was in the processRefunds() function defined in the AkuAuction contract.</p><p>The “bidData.bidder” was the address where the bidder’s fee was returned. The “bidData.bidder” address was a contract address. If its fallback function reverted, the execution of the processRefunds() function might suffer from a DOS attack. And in this case, it DID suffer from a DOS attack.</p><p>The second one was in the claimProjectFunds() function defined in the AkuAuction contract.</p><p>The “require(refundProgress &gt;= totalBids” would never hold true. This resulted in the ETHs being locked in the contract permanently. 
The “totalBids” should be “bidIndex”.</p><p><strong>Here is a list of the rug pulls:</strong></p><p><strong>1. MaxAPY</strong></p><p>On April 20, MaxAPY Finance, a DeFi application deployed on the BNB Chain, was found to be a rug pull.</p><p>A total of 1042 BNBs valued at around $420,000 were taken away.</p><p>The project’s Twitter account has been deleted; the Telegram group has been closed.</p><p><strong>Closing thoughts</strong></p><p>Among these 3 incidents, 2 (YEED and AKuDreams) were attacked due to issues that could have been prevented if the projects had undergone a thorough audit. Specifically, in the AKuDreams project, the second vulnerability was very likely a typo that would have been easily uncovered if the contract had been carefully tested before being deployed.</p><p>A reminder to smart contract developers: smart contracts should be thoroughly tested before being deployed. A professional audit performed by a third party is a must-have step before deployment.</p><p>A reminder to crypto users: be cautious about projects created by teams that lack an established reputation.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Security Considerations in EIP-4626 by Fairyproof ]]></title>
            <link>https://paragraph.com/@fairyproof/security-considerations-in-eip-4626-by-fairyproof</link>
            <guid>LeiGcWlwFpjWsASwymW2</guid>
            <pubDate>Thu, 21 Apr 2022 05:15:28 GMT</pubDate>
            <description><![CDATA[Led by DeFi application Fei Protocol’s co-founder Joey Santoro, recently an EIP to create a new token standard for tokenized vaults was proposed. And it is EIP-4626[1]. Although it was just proposed in December 2021, it soon garnered significant attention and great support from the Ethereum community and has been reported to be adopted by a few DAOs [2] including Tribe DAO [3] and Rari Capital DAO [4]. This EIP is intended to solve a pain point in the existing implementations of tokenized vau...]]></description>
            <content:encoded><![CDATA[<p>Led by DeFi application Fei Protocol’s co-founder Joey Santoro, recently an EIP to create a new token standard for tokenized vaults was proposed. And it is EIP-4626[1].</p><p>Although it was just proposed in December 2021, it soon garnered significant attention and great support from the Ethereum community and has been reported to be adopted by a few DAOs [2] including Tribe DAO [3] and Rari Capital DAO [4].</p><p>This EIP is intended to solve a pain point in the existing implementations of tokenized vaults, that is “tokenized vaults have a lack of standardization leading to diverse implementation details” [1]. This pain point makes integration of tokenized vaults “difficult at the aggregator or plugin layer for protocols which need to conform to many standards and forces each protocol to implement their own adapters which are error-prone and waste development resources” [1].</p><p>This EIP is based on ERC-20[5] which is a widely adopted standard in Ethereum’s DeFi applications and has considerable security issues or risks that need smart contract developers’ awareness.</p><p>As a blockchain security company, Fairyproof’s research team is quite interested in whether the issues or risks of ERC-20 implementation might be introduced in ERC-4626 as well. We studied this EIP, explored possible security checkpoints, and would like to share some ideas on these checkpoints.</p><p>This EIP requires that a tokenized vault MUST implement ERC-20 to represent shares and add new interfaces to convert shares to tokens or tokens to shares in both viewable functions and transfer functions. 
And these newly added functions introduce security considerations that need our awareness.</p><p>Here is a list of security considerations when implementing a tokenized vault based on this EIP:</p><p><strong>- Implementation of Malicious Functions</strong></p><p>Consider a vault implementation which conforms to the interfaces defined by this EIP but doesn’t conform to the specification. This happens quite often in rug pulls where a proxy mechanism is used: the proxy interface seems to conform to a token standard, but the real implementation is actually a malicious contract.</p><p>So, auditors or users need to carefully check the real implementation before taking further actions.</p><p><strong>- Support for EOA Accounts</strong></p><p>The EIP states that “If implementors intend to support EOA account access directly, they should consider adding an additional function call for deposit/mint/withdraw/redeem with the means to accommodate slippage loss or unexpected deposit/withdrawal limits” [1].</p><p>Besides the slippage loss and the unexpected deposit/withdrawal limits, there is another case that is commonly seen as well: a token that burns on its transfers. This mechanism is used by some DeFi applications to decrease their tokens’ circulating supplies and inflate the tokens’ prices.</p><p>We would suggest that ERC-4626 vaults disallow tokens of this kind from being deposited in the vaults.</p><p><strong>- Using Interfaces as Oracles</strong></p><p>The EIP states that “The preview methods return values that are as close as possible to exact as possible. 
For that reason, they are manipulable by altering the on-chain conditions and are not always safe to be used as price oracles.” [1], and “it would be correct to implement the convert methods as using a time-weighted average price in converting between assets and shares.” [1]</p><p>The most popular use case of oracles in the crypto space is to obtain a token’s price, but any information that a smart contract needs may rely on an oracle. Hence, the preview methods, which return information, may be used as oracles as well. Although this may not seem to have significant use cases for now, this potential issue needs our awareness. A popular method to mitigate the risk of on-chain information being manipulated is to use a time-weighted average algorithm introduced by Uniswap [6].</p><p><strong>- Rounding Issues</strong></p><p>Vault implementers need to handle rounding directions carefully for the interfaces that calculate the vault shares or the number of tokens, and that convert shares to assets or assets to shares.</p><p>The specification suggests rounding down when calculating the number of shares issued to a user for the amount of underlying tokens he/she supplies, or the amount of underlying tokens sent to him/her for a certain number of shares he/she returns.</p><p>When calculating the number of shares a user has to supply to receive a specific amount of the underlying tokens, or the number of underlying tokens a user has to provide to receive a specific number of shares, it should round up.</p><p>When calculating the amount of shares or underlying tokens in the convertTo functions, the specification requires vault implementers to round down to ensure consistency across all ERC-4626 vault implementations.</p><p>These suggestions and requirements ensure there is always a sufficient number of underlying tokens reserved for transfers. 
This is what auditors need to be aware of when auditing vault implementations based on this EIP.</p><p><strong>- Token Compatibility Issues</strong></p><p>This EIP specifically mentions the ERC-20 token standard. It is the most widely adopted token standard for implementing fungible tokens. However, in our past audit experience, we have also audited some fungible tokens which were implemented based on alternative Ethereum token standards such as EIP-777 [7].</p><p>These alternative token standards are compatible with ERC-20 tokens but have some differences.</p><p>Let us take the EIP-777 token standard as an example. The token standard allows implementers to use a registry to look up the interfaces. If the registry has bugs, anything depending on it will be adversely affected. A commonly seen issue that is introduced by this feature is a re-entrancy risk [8].</p><p>So, there are two kinds of scenarios that we need to pay attention to.</p><p>The first scenario is that a vault is implemented based on an ERC-20 compatible but alternative standard. The second is an ERC-4626 vault that interacts with a token that is ERC-20 compatible but is implemented based on an alternative token standard.</p><p>In both scenarios, the alternative token standard may introduce issues or risks, and the implementations based on the alternative standard should be carefully reviewed and audited.</p><p><strong>Closing Thoughts:</strong></p><p>In this paper, we list some possible security considerations when auditing an ERC-4626-based vault. 
Some of these considerations are already mentioned in the EIP and others are listed based on our audit experience.</p><p>We hope our tentative suggestions will give implementers, users, and auditors some rough ideas on how to handle ERC-4626 vaults securely and safely.</p><p>References:</p><p>[1] EIP-4626: Tokenized Vault Standard, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://eips.ethereum.org/EIPS/eip-4626">https://eips.ethereum.org/EIPS/eip-4626</a> Dec 22, 2021</p><p>[2] Decentralized Autonomous Organizations, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/dao/">https://ethereum.org/en/dao/</a></p><p>[3] Tribe, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.fei.money/governance/tribe">https://docs.fei.money/governance/tribe</a></p><p>[4] Rari Capital, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="http://rari.capital/">http://rari.capital/</a></p><p>[5] ERC-20 Token Standard, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/developers/docs/standards/tokens/erc-20/">https://ethereum.org/en/developers/docs/standards/tokens/erc-20/</a></p><p>[6] Uniswap, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://uniswap.org/">https://uniswap.org/</a></p><p>[7] EIP-777: Token Standard, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://eips.ethereum.org/EIPS/eip-777">https://eips.ethereum.org/EIPS/eip-777</a></p><p>[8] Samreen N F, Alalfi M H. Reentrancy vulnerability identification in Ethereum smart contracts[C]//2020 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE). IEEE, 2020: 22–29.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- Apr 11 to Apr 17]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-apr-11-to-apr-17</link>
            <guid>28tG7PRk1MZ7ENBPdSnj</guid>
            <pubDate>Mon, 18 Apr 2022 08:18:10 GMT</pubDate>
            <description><![CDATA[During the week from April 11 to April 17, 2022, security incidents that happened in the crypto space were all security hacks. Here is a list of the security hacks: 1. Creat Future On April 11, Creat Future, an application deployed on the BNB Chain was attacked. The attacker’s address was 0xde33456644c08c4CeFa05237D429CCDa158FE0b5 on the BNB Chain. The hash value of the attack transaction was: 0x85b5a2f8210e499ff6a84d4e7d9969558418191c6aa9df2b2145edec13036fce The attacked contract was deploye...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4fa6bf5a1a03736c0c6eb3f8adcfbd5a2443497c38d5c0b6a06e0c3428ee7d3c.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from April 11 to April 17, 2022, security incidents that happened in the crypto space were all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Creat Future</strong></p><p>On April 11, Creat Future, an application deployed on the BNB Chain, was attacked.</p><p>The attacker’s address was 0xde33456644c08c4CeFa05237D429CCDa158FE0b5 on the BNB Chain.</p><p>The hash value of the attack transaction was:</p><p>0x85b5a2f8210e499ff6a84d4e7d9969558418191c6aa9df2b2145edec13036fce</p><p>The attacked contract was deployed at 0x8B7218CF6Ac641382D7C723dE8aA173e98a80196 on the BNB Chain.</p><p>In this incident, the hacker exploited crypto assets valued at $1.9 million.</p><p>The vulnerability was that its token contract didn’t properly validate an input address.</p><p>Creat Future’s token (CF) contract had a “_transfer” function whose visibility was public, and the function had a “from” parameter which was an address but wasn’t validated. Therefore, anyone could call this function to transfer CF tokens from the address specified in “from”.</p><p>The hacker exploited this vulnerability to launch 6 transactions to transfer a total of 4.2 million CF tokens, exchanged them for at least 4200 BNBs, and cashed out via Tornado Cash.</p><p><strong>2. Marvin Inu</strong></p><p>Marvin Inu, a cross-chain application, was attacked. 
Fortunately, the team behind the project promptly shut down its cross-chain bridge and fixed the issue. The team announced that it would take further actions to compensate for the loss.</p><p><strong>3. Elephant Money</strong></p><p>On April 12, Elephant Money, a stable coin deployed on the BNB Chain was attacked.</p><p>The attacker’s address was 0xe552133cc829a7f7e98e349763fac7ab0f3828b0 on the BNB Chain.</p><p>The attacking contract was deployed at 0xbceda90b2880fea5d511d54716229145508996da on the BNB Chain.</p><p>The attacked contract was deployed at 0xD520a3B47E42a1063617A9b6273B206a07bDf834 on the BNB Chain.</p><p>The hash value of the attack transaction was:</p><p>0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577</p><p>The vulnerability lies in an unverified contract of the application. This contract used an instant price obtained from Uniswap and the price was manipulated by the hacker.</p><p>The hacker leveraged a flash loan to exploit this vulnerability and exploited 27416 BNBs valued at around $11 million.</p><p><strong>4. 
Rikkei Finance</strong></p><p>On April 15, Rikkei Finance, a DeFi application deployed on the BNB Chain was attacked.</p><p>The attacker’s address was 0x803e0930357ba577dc414b552402f71656c093ab on the BNB Chain.</p><p>There were two attacking contracts deployed at the following two addresses respectively:</p><p>0x9aE92CB9a3cA241D76641D73B57c78F1bCF0B209 and</p><p>0xe6df12a9f33605f2271d2a2ddc92e509e54e6b5f respectively.</p><p>The attacked contracts were deployed at 0xD55f01B4B51B7F48912cD8Ca3CDD8070A1a9DBa5 and 0x157822ac5fa0efe98daa4b0a55450f4a182c10ca respectively.</p><p>The hash values of the two attacking transactions were:</p><p>0x4e06760884fd7bfdc076e25258ccef9b043401bc95f5aa1b8f4ff2780fa45d44 and</p><p>0x93a9b022df260f1953420cd3e18789e7d1e095459e36fe2eb534918ed1687492.</p><p>In this incident, the hacker exploited 2671 BNBs valued at around $1.1 million.</p><p>The vulnerability was a lack of validation for access control in the function “setOracleData”. The hacker exploited this vulnerability to change the oracle contract to a malicious contract, exploited all the USDCs, BTCBs, DAIs, USDTs, BUSDs, and BNBs, and exchanged these tokens to BNBs and cashed out via Tornado Cash. After the hacker successfully finished the attack, it destroyed the attacking contracts.</p><p><strong>5. FaceDAO</strong></p><p>On April 16, FaceDAO, an application deployed on Ethereum was attacked.</p><p>The attacker’s address was 0xAAAA3467Ca1F70494Ca8B821Eef3E34DE2c139E5 on Ethereum.</p><p>The attacked address was deployed at 0xd432e8611377E307D3e5710132515be1E6AA6156 on Ethereum.</p><p>In this attack, the hacker exploited 121 ETHs valued at around $360,000.</p><p>For more details, please refer to:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-facedao-e34e24e711c0">https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-facedao-e34e24e711c0</a></p><p><strong>6. 
Beanstalk</strong></p><p>On April 17, Beanstalk, a stablecoin deployed on Ethereum, was attacked.</p><p>The attacker’s address was 0x1c5dCdd006EA78a7E4783f9e6021C32935a10fb4 on Ethereum.</p><p>The attacking contract was deployed at 0x728ad672409da288ca5b9aa85d1a55b803ba97d7 on Ethereum.</p><p>The hash value of the attack transaction was:</p><p>0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7</p><p>The attacked contract was deployed at 0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5 on Ethereum.</p><p>In this incident, crypto assets valued at around $182 million were exploited.</p><p>The vulnerability lay in its governance mechanism. The hacker proposed a malicious BIP-18 proposal, leveraged flash loans to borrow 350 million DAIs, 500 million USDCs, 150 million USDTs, 32 million Beans, and 11.6 LUSDs, converted these tokens to 795,425,740 BEAN3Crv-f and 58,924,887 BEANLUSD-f, used them to vote and pass the BIP-18, and called the “emergencyCommit()” function to execute the BIP-18 and exploit the assets in the application.</p><p><strong>Closing thoughts</strong></p><p>Among these 6 incidents, 2 (Creat Future and Rikkei Finance) were attacked due to a lack of validation for either access control or an address parameter, Elephant Money was attacked due to using an insecure oracle, FaceDAO was attacked due to a phishing attack, and Beanstalk suffered from a governance attack.</p><p>The lack of validation and the insecure oracle could have been prevented if these projects had gone through a professional audit. The governance attack was not a smart contract issue but still could have been prevented if the governance mechanism had gone through a mechanism audit. All these issues are common and solvable.</p><p>A reminder to smart contract developers: there are already mature solutions to prevent risks such as lack of validation, insecure oracles, and governance attacks. 
It is better to do a professional audit before deploying contracts.</p><p>A reminder to crypto users: always be highly cautious about any suspicious links or emails.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Fairyproof’s Analysis of the Attack on FaceDAO - Fairyproof Tech - Medium]]></title>
            <link>https://paragraph.com/@fairyproof/fairyproof-s-analysis-of-the-attack-on-facedao-fairyproof-tech-medium</link>
            <guid>v0zSykySir7zjApJYdPU</guid>
            <pubDate>Sun, 17 Apr 2022 03:49:45 GMT</pubDate>
            <description><![CDATA[FaceDAO, an application deployed on Ethereum was attacked at 12:22:47 PM on Apr 16, 2022, UTC. The attacker’s address was 0xAAAA3467Ca1F70494Ca8B821Eef3E34DE2c139E5 The attacked contract was deployed at 0xd432e8611377E307D3e5710132515be1E6AA6156 The hash values of the two attack transactions were: 0xad8123a858804254184ffda793b7416d2bf8958ade3e990a0361f45d6cfee68e and 0xb313ab9e845e461c7a795336d54b60cd4ede72f7a084bb26c26a4c4275f79ee0. In this incident, 121 ETHs valued at around $360,000 were e...]]></description>
            <content:encoded><![CDATA[<p>FaceDAO, an application deployed on Ethereum, was attacked at 12:22:47 PM on Apr 16, 2022, UTC.</p><p>The attacker’s address was <strong>0xAAAA3467Ca1F70494Ca8B821Eef3E34DE2c139E5</strong></p><p>The attacked contract was deployed at <strong>0xd432e8611377E307D3e5710132515be1E6AA6156</strong></p><p>The hash values of the two attack transactions were:</p><p>0xad8123a858804254184ffda793b7416d2bf8958ade3e990a0361f45d6cfee68e and</p><p>0xb313ab9e845e461c7a795336d54b60cd4ede72f7a084bb26c26a4c4275f79ee0.</p><p>In this incident, 121 ETHs valued at around $360,000 were exploited.</p><p>Here is how the attack was carried out:</p><p>Before the attacker launched the attack, it tricked the FaceDAO deployer into making three approval transactions to allow the attacker to transfer the FaceDAO tokens from the FaceDAO deployer.</p><p>Then the attacker exploited 60 billion and 5940.1 billion FaceDAO tokens in two transactions respectively. It exchanged the exploited FaceDAO tokens for 121 ETHs via Uniswap and cashed out the ETHs via Tornado.Cash.</p><p>It was claimed that a leaked private key led to this attack. However, based on our analysis, this was a typical phishing attack, for two reasons.</p><p>The first reason is that if a private key had been leaked, the attacker would have just directly transferred the tokens rather than tricking the deployer into approving token transfers.</p><p>The second reason is that after the attack happened, the attacker launched another attack on another application and exploited some STRONG tokens.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- Apr 4 to Apr 10]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-apr-4-to-apr-10</link>
            <guid>9jAIPnQVf6wawhfpQmob</guid>
            <pubDate>Mon, 11 Apr 2022 10:07:04 GMT</pubDate>
            <description><![CDATA[During the week from April 4 to April 10, 2022, security incidents that happened in the crypto industry were all security hacks. Here is a list of the security hacks: 1. Juno On April 5, Juno, a COSMOS-based blockchain suffered from a DOS attack. The attacker first deployed a malicious “hello world” smart contract on the blockchain. And then sent a total of 400 transactions in three days to this contract and uncovered a vulnerability in the blockchain. The attacker then launched a DOS attack ...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4fa6bf5a1a03736c0c6eb3f8adcfbd5a2443497c38d5c0b6a06e0c3428ee7d3c.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from April 4 to April 10, 2022, security incidents that happened in the crypto industry were all <strong>security hacks</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Juno</strong></p><p>On April 5, Juno, a COSMOS-based blockchain suffered from a DOS attack.</p><p>The attacker first deployed a malicious “hello world” smart contract on the blockchain. And then sent a total of 400 transactions in three days to this contract and uncovered a vulnerability in the blockchain. The attacker then launched a DOS attack on the blockchain.</p><p>After the attack was detected, the team behind the blockchain installed a fix and put it back to work within three days.</p><p><strong>2. Starstream Finance</strong></p><p>On April 8, Starstream Finance, a DeFi application deployed on an Ethereum Layer 2 solution Metis was attacked.</p><p>The attacker’s address was 0xFFD90C77eaBa8c9F24580a2E0088C0C940ac9C48 on Metis.</p><p>The attacking contract was deployed at 0x75381c1f12733fff9976525db747ef525646677d on Metis</p><p>The attacked contract was deployed at 0x1075daD8CFd8bCbCfc7bEB234e23D507990C90e9 which was the StarstreamTreasury contract deployed on Metis.</p><p>The hash value of the attack transaction was:</p><p>0xb1795ca2e77954007af14d89814c83b2d4f05d1834948f304fd9d731db875435</p><p>The vulnerability that was exploited in this incident was in the DistributorTreasury contract deployed at 0x6f99b960450662d67bA7DCf78ac959dBF9050725 on Metis. 
The vulnerability was that the “execute” function lacked the necessary access control, so anyone could call it.</p><p>Before the attack happened, ownership of the StarstreamTreasury contract was transferred to the DistributorTreasury contract. The attacker then called the execute function in the DistributorTreasury contract to call the withdrawTokens function in the StarstreamTreasury contract and withdrew 532,571,155.859 STARS tokens. The attacker sent these tokens to Agora DeFi as collateral to borrow a huge quantity of assets, used part of the assets to pump the price of the STARS token, and then borrowed more assets.</p><p>In this incident, crypto-assets valued at around $8.2 million were exploited.</p><p><strong>Closing thoughts</strong></p><p>Both the vulnerability found in Starstream Finance and the one found in Juno were common issues.</p><p>A reminder to blockchain developers: there are mature solutions to prevent common risks such as DOS attacks. It is better for the developers to implement these solutions and carry out thorough tests before deploying their products online.</p><p>A reminder to smart contract developers: lack of access control is a common issue that could have been uncovered and fixed without being exploited if the contracts had undergone a professional audit.</p><p>A reminder to crypto users: always take great care and caution when interacting with applications or platforms that haven’t endured long-time challenges.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- Mar 28 to Apr 3]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-mar-28-to-apr-3</link>
            <guid>oJoGbJ7qYKoMnHuJFzf5</guid>
            <pubDate>Mon, 11 Apr 2022 10:06:43 GMT</pubDate>
            <description><![CDATA[During the week from March 28 to April 3, 2022, security incidents that happened in the crypto industry can be categorized into three security hacks, publicly announced vulnerabilities and rug-pulls. Here is a list of the security hacks: 1. Cryptovoxels On March 28, Cryptovoxels, a virtual social platform deployed on Ethereum was attacked. The attacker’s address was 0x794ca38bc1e15e528a7991ce25707a25ad71b675 on Ethereum. The platform’s Discord server suffered from a phishing attack. The attac...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4fa6bf5a1a03736c0c6eb3f8adcfbd5a2443497c38d5c0b6a06e0c3428ee7d3c.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>During the week from March 28 to April 3, 2022, security incidents that happened in the crypto industry can be categorized into three <strong>security hacks, publicly announced vulnerabilities and rug-pulls</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p><strong>1. Cryptovoxels</strong></p><p>On March 28, Cryptovoxels, a virtual social platform deployed on Ethereum was attacked.</p><p>The attacker’s address was 0x794ca38bc1e15e528a7991ce25707a25ad71b675 on Ethereum.</p><p>The platform’s Discord server suffered from a phishing attack. The attacker pretended to be a team member of Cryptovoxels and sent out a phishing link. Some users clicked on the link and approved their tokens to be spent.</p><p>In this incident, crypto-assets valued at around $171 thousand were exploited.</p><p>For more details about this attack please refer to Fairyproof’s report at:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://twitter.com/FairyproofT/status/1508476086182502409">https://twitter.com/FairyproofT/status/1508476086182502409</a></p><p><strong>2. 
Ronin Network</strong></p><p>On March 29, Ronin Network, an Ethereum sidechain, was attacked.</p><p>The attacker’s address was 0x098b716b8aaf21512996dc57eb0615e2383e2f96 on Ethereum.</p><p>The attacked contract was Axie’s Ronin bridge deployed on Ethereum at:</p><p>0x1a2a1c938ce3ec39b6d47113c7955baa9dd454f2</p><p>The vulnerability that was exploited in this attack was in the system that managed its private key. The system, more specifically the gas-free RPC node, had a backdoor through which the attacker eventually got the signature for the Axie DAO validator to abuse the system.</p><p>Crypto assets valued at around $610 million were exploited.</p><p>For more details, please refer to Fairyproof’s report at:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-the-ronin-bridge-of-axie-infinity-13933c22ecbc">https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-the-ronin-bridge-of-axie-infinity-13933c22ecbc</a></p><p><strong>3. BasketDAO</strong></p><p>On March 30, BasketDAO, an application deployed on Ethereum, was attacked.</p><p>The attacked contract was deployed at 0x4622aFF8E521A444C9301dA0efD05f6b482221b8 on Ethereum.</p><p>The vulnerability was a lack of validation for the input parameters of a “call” in the “_primitiveToBMI” function. This was exploited such that the attacker passed a malicious address to take away all the approved crypto assets by the BMIZapper contract.</p><p>The total exploited assets were valued at around $1.1 million.</p><p><strong>4. Ola Finance</strong></p><p>On March 31, Ola Finance, a DeFi application deployed on both Fuse and Ethereum, was attacked.</p><p>The attacker’s address was 0x371D7C9e4464576D45f11b27Cf88578983D63d75 on Ethereum.</p><p>The vulnerability was an incompatibility issue. 
The application’s lending protocol was not compatible with ERC-677 tokens, and therefore it suffered from a re-entrancy attack.</p><p>The total exploited crypto assets were valued at around $4.67 million.</p><p><strong>5. Discord Servers</strong></p><p>Around April 1, the Discord servers of various NFT projects including BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz suffered from phishing attacks. Quite a few users lost their NFTs. The biggest loss was with a famous pop star who lost his BAYC 3738, which was worth around $430,000.</p><p><strong>Here is a list of the publicly announced vulnerabilities:</strong></p><p><strong>1. Jet Protocol</strong></p><p>On March 30, the team behind Jet Protocol, a DeFi application, announced that a vulnerability was uncovered.</p><p>The vulnerability was a lack of validation for input parameters. If this vulnerability were exploited, the crypto assets of the users that interacted with this application could be withdrawn at will.</p><p>The team had already fixed this issue before it was exploited, so no loss was caused.</p><p><strong>Here is a list of the rug pulls:</strong></p><p><strong>1. Meerkat Finance</strong></p><p>On March 30, Meerkat Finance, a DeFi application deployed on BSC, was attacked.</p><p>The attacker’s address was: 0x9542966F1114eaA5859201aA8d34358BFedBFa79 on BSC.</p><p>The vulnerability was the contract’s upgradeability, and the team had the access control to upgrade the contract.</p><p>This vulnerability was exploited such that malicious contracts were deployed and then the attacker exploited all the crypto assets in the application’s vaults. The loss was around $30 million.</p><p>The whole process was like this:</p><p>Firstly, Meerkat Finance made an announcement saying that the application was attacked. 
Then two transactions were launched to take away crypto assets valued at around $31 million including BUSDs valued at $13.96 million, and BNBs valued at $17.4 million.</p><p>Soon after that, the application’s website couldn’t be opened, and the team members couldn’t be contacted either. Later on, the team’s Twitter was deleted as well.</p><p>Therefore, the incident was highly suspected to be a rug pull.</p><p><strong>Closing thoughts</strong></p><p>There were five security hacks in the past week. The vulnerabilities that were uncovered in BasketDAO and Ola Finance were commonly known issues that could have been uncovered and fixed without being exploited if the projects had undergone a professional audit. The one with Ronin Network was a leak of private keys. This incident could have been avoided if the team had employed more stringent management of private keys. The other two hacks targeting Discord servers could have been prevented if the users had participated in these activities with more caution and care.</p><p>The publicly announced vulnerability was a commonly known issue as well, and it could have been uncovered if the project had been audited before it was deployed.</p><p>The rug-pull project had a serious risk in its smart contract implementation. In general, if projects with this risk are audited by professional audit companies, this risk should be indicated. Therefore, this should remind users of the importance of checking a project’s audit report.</p><p>A reminder to smart contract developers: input parameters, especially addresses, should be handled with great care.</p><p>A reminder to project teams: always audit projects before deploying them.</p><p>A reminder to crypto users: always be cautious and alert to suspicious links, websites, and emails, and always be careful when interacting with applications whose teams don’t have established reputations or which haven’t gone through serious audits.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Fairyproof’s Overview of the Audit of the GameFi Ecosystem]]></title>
            <link>https://paragraph.com/@fairyproof/fairyproof-s-overview-of-the-audit-of-the-gamefi-ecosystem</link>
            <guid>A4gZQ9eTH69wYQI9YxQJ</guid>
            <pubDate>Wed, 06 Apr 2022 03:34:48 GMT</pubDate>
            <description><![CDATA[Blockchain games have a relatively long history compared to other applications such as DeFi in the whole blockchain ecosystem. CryptoKitties[1] which may be the earliest blockchain game was deployed and released in 2017 and it opened the infinite possibilities for blockchain games. However, blockchain games didn’t see their rapid development or gain significant traction until Axie Infinity [2] became popular in Southeast Asia with strong promotion from YGG [3] since 2020. A significant reason...]]></description>
            <content:encoded><![CDATA[<p>Blockchain games have a relatively long history compared to other applications such as DeFi in the whole blockchain ecosystem.</p><p>CryptoKitties[1] which may be the earliest blockchain game was deployed and released in 2017 and it opened the infinite possibilities for blockchain games. However, blockchain games didn’t see their rapid development or gain significant traction until Axie Infinity [2] became popular in Southeast Asia with strong promotion from YGG [3] since 2020. A significant reason why Axie Infinity could grow its user base rapidly was that it introduced DeFi into its game. The success story of Axie Infinity encouraged numerous developers and teams to enter the blockchain game area and follow its example or provide services pertaining to blockchain games that have in-built DeFi mechanisms. This combination of games and DeFi was later on called GameFi.</p><p>Although the blockchain GameFi ecosystem has achieved tremendous progress, neither has research on the ecosystem’s security in academies gained sufficient awareness nor have comprehensive practices in tackling the security issues or risks been carefully carried out or studied.</p><p>Based on the accumulated experiences and research results from Fairyproof’s technical team in years’ practice, Fairyproof would like to share some understanding and thoughts on the overall blockchain GameFi ecosystem and the audit of the applications in this ecosystem.</p><p>In this paper, we firstly present our understanding of the overall blockchain GameFi ecosystem, analyze the applications, and the roles and functions these applications play; then present the applications’ underlying technologies and list typical security issues or risks associated with the underlying technologies; and finally present our ideas and thoughts about the audit of each of these applications.</p><p><strong>1.</strong> <strong>Overview of the Blockchain GameFi Ecosystem</strong></p><p>Currently, 
although the blockchain GameFi ecosystem may not be as mature as some experts would expect, it is already an ecosystem with various players, roles, applications, services, etc. that are rapidly growing and developing.</p><p>Typical applications/roles in the current blockchain GameFi ecosystem mainly consist of games, game guilds [4], game developers, services, or applications pertaining to games.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/34c8a5058b221de6e9ade19a362a91b7677368c42ad3b6102870fe47544c1db9.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Games in this ecosystem are applications that mainly implement play rules and logic. Users/players directly interact with games. From an application’s point of view, games are the core component of the GameFi ecosystem. CryptoKitties and Axie Infinity are typical blockchain games.</p><p>Game guilds are a special player in this ecosystem. Popular blockchain games in general have an in-built play-to-earn mechanism that rewards tokens to its players. To earn rewards, a player may need to use in-game utilities which may not be affordable to every player. In this case, a game guild comes to play. It is an organization that acts as a facilitating intermediary to help hundreds or thousands or even more players play and earn yields in blockchain games by lending these players in-game assets or utilities. A guild will usually take profits by sharing a portion of the earnings earned by the players that rely on its help and the rent paid by the players that borrow in-game utilities or assets from the guild. 
YGG is the most famous blockchain game guild.</p><p>Game developers here don’t mean individuals but organizations, teams, or even DAOs (Decentralized Autonomous Organizations) [5] that develop games, services, or applications pertaining to games. Some famous game developers include SkyMarvis[6], Vulcan Verse[7], etc.</p><p>Services or applications pertaining to games refer to those that help grow and develop games’ user bases or help games evolve. Typical services or applications include marketplace applications such as OpenSea[8] and SkyMarvis’ marketplace[9], and asset or utility lending applications such as NFTFI[10].</p><p><strong>2. Blockchain GameFi Ecosystem’s Underlying Technologies and Associated Issues or Risks</strong></p><p>If we review these applications/roles listed in the previous section from a technical point of view and study their underlying technical standards or protocols, the whole blockchain GameFi ecosystem can be depicted as follows:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/203f94a4328421f9919071a1aa2152bebf823dead08b22e9db0ddfc7064b889d.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The top layer is what we call an application layer that contains the major applications/roles in the ecosystem. The underlying layer is what we call an infrastructure layer that contains two kinds of technologies: web 2.0 technologies/protocols and decentralized technologies/protocols. 
These two interact with each other via RPC calls.</p><p>The web 2.0 technologies/protocols can be viewed as being composed of two sub-layers: the sub-layer of C/S infrastructure, and the sub-layer of application UIs and backend services that run on the C/S infrastructure.</p><p>A UI (user interface) is the front-end of an application. When a user interacts with an application, he/she directly interacts with its UI.</p><p>Backend services execute functions based on the requests sent from UIs and respond to UIs with results and feedback.</p><p>The decentralized technologies/protocols can be viewed as being composed of three sub-layers:</p><p>the bottom sub-layer is an infrastructure layer which contains blockchain infrastructure, decentralized storage protocols such as IPFS [11] and Arweave [12], and other decentralized protocols.</p><p>The one on top of the blockchain infrastructure is the token sub-layer which contains fungible tokens and non-fungible tokens implemented based on various token standards.</p><p>The one that relies on the token layer, the blockchain infrastructure, the decentralized storage protocols, and other decentralized protocols is the utility/asset sub-layer which provides various utility or functional building blocks for all the applications that users interact with.</p><p><strong>3. 
Typical Issues or Risks Associated with The Components in The Infrastructure Layer</strong></p><p>When we review the security condition of an application, we first need to study how the application works and what technologies or protocols are applied to make it work and then analyze what issues or risks might be introduced when these technologies or protocols are applied.</p><p>So, in this section, we review in general what typical issues or risks are associated with each of the components in the infrastructure layer.</p><p><strong>3.1 Web 2.0 Technologies/Protocols</strong></p><p><strong>C/S Infrastructure</strong>: this refers to commonly used utilities, tools, and various network protocols. This is the infrastructure that all internet applications or conventional software applications rely on.</p><p>Professionals from around the globe have been working on this for a long time and overall, it has been pretty much mature so far. Occasionally bugs or vulnerabilities pertaining to it would be reported and bug fixes would be promptly released as well.</p><p>So, <strong>when we audit an application, we don’t usually audit this component but would check if the application has already been updated with the latest patches that are released for newly uncovered vulnerabilities or bugs</strong>.</p><p><strong>UIs</strong>: a UI is what a user directly interacts with when the user interacts with an application. Therefore, if an application’s UI has vulnerabilities, its users would be easily exploited. 
Hackers have developed various ways to exploit vulnerabilities to attack UIs.</p><p><strong>Typical vulnerabilities pertaining to UIs include XSS attacks, CSRF attacks, CSS injection attacks, session hijacking, using unsafe third-party libraries, DDoS attacks, feature requests or access, etc.</strong></p><p><strong>Backend Services</strong>: in general, the backend service of an application processes requests sent by the application’s UI and returns the result to the UI.</p><p>With regard to a blockchain application, besides the commonly known communication between the backend and the UI, there is communication between the backend and a blockchain as well. <strong>Therefore, a security company needs to audit specifically the security condition of the latter as well. This might be overlooked</strong>.</p><p><strong>Typical vulnerabilities pertaining to backend services of blockchain applications are injection flaws, broken authentication, compromised access control, data breaches, insecure deserialization, server XSS attacks, etc.</strong></p><p><strong>3.2 Decentralized Technologies/Protocols</strong></p><p><strong>Blockchain Infrastructure</strong>: this refers to blockchains including layer 1 blockchains, layer 2 solutions, and sidechains. The blockchain infrastructure provides the fundamental security and consensus of the whole blockchain GameFi ecosystem. Therefore, its security condition is vital to the whole ecosystem.</p><p>Among the existing blockchains, some such as Ethereum have endured challenges, but most of them only went online in the past two years and haven’t endured enough challenges. 
Thus, the security condition of these less mature blockchains deserves close attention.</p><p><strong>Typical vulnerabilities pertaining to blockchain infrastructure are 51% attacks, DDoS attacks, Sybil attacks, double-spend, race attacks, eclipse attacks, routing attacks, replay attacks, etc.</strong></p><p><strong>Decentralized Storage Protocols (IPFS, Arweave …)</strong>: this refers to the protocols that are specifically used for storage in the GameFi ecosystem. The most popular protocols include IPFS and Arweave.</p><p><strong>Typical vulnerabilities pertaining to decentralized storage protocols are DDoS attacks, Sybil attacks, etc.</strong></p><p><strong>Other decentralized protocols</strong>: these are protocols that may be introduced in the future. So, for now, no specific vulnerabilities are listed here.</p><p><strong>Fungible Tokens</strong>: most of the fungible tokens today are implemented based on Ethereum’s ERC-20[13] standard. Some tokens are implemented based on Solana’s [14] token templates. Issues or risks related to fungible tokens are mostly in the tokens’ smart contract implementation.</p><p><strong>Specifically for ERC-20 tokens, typical vulnerabilities are re-entrancy attacks, excessive admin rights, integer overflow/underflow, gas consumption issues, inappropriate callback, inappropriate function visibility, inappropriate arithmetic precision, incorrect use of tx.origin, fake deposit, shadow variable, token issuance issue, inappropriate proxy design, inappropriate use of slots, contract upgrade/migration issue, etc.</strong></p>
<p><strong>For fungible tokens implemented on Solana, typical vulnerabilities are missing ownership checks, missing signer checks, signed invocation of unverified programs, Solana account confusions, missing freeze authority checks, insufficient SPL account verification, missing rent exemption assertion, casting truncation, arithmetic overflow/underflow, numerical precision errors, instructions account checks, rug pull mechanisms or hidden backdoor checks, outdated dependencies, none returned during any failure, unreferenced accounts checks, serialize and deserialize checks, account address checks, unaudited external dependencies, program upgrade checks, account mutable checks, etc.</strong></p><p><strong>Non-Fungible Tokens</strong>: most of the non-fungible tokens are implemented based on Ethereum’s ERC-721[15] or ERC-1155[16] standard. Some tokens are implemented based on Solana’s token templates. Issues or risks related to non-fungible tokens are mostly in the tokens’ smart contract implementation.</p><p><strong>For ERC-721 or ERC-1155 tokens, typical vulnerabilities are re-entrancy attacks, excessive admin rights, integer overflow/underflow, incorrect nonce values, gas consumption issues, inappropriate callback, inappropriate function visibility, incorrect use of tx.origin, fake deposit, shadow variable, token issuance issue, inappropriate proxy design, inappropriate use of slots, contract upgrade/migration issue, etc.</strong></p>
<p><strong>For fungible tokens implemented on Solana, typical vulnerabilities are missing ownership checks, missing signer checks, signed invocation of unverified programs, Solana account confusions, missing freeze authority checks, insufficient SPL account verification, missing rent exemption assertion, casting truncation, arithmetic overflow/underflow, instructions account checks, rug pull mechanisms or hidden backdoor checks, outdated dependencies, none returned during any failure, unreferenced accounts checks, serialize and deserialize checks, account address checks, unaudited external dependencies, program upgrade checks, account mutable checks, etc.</strong></p><p><strong>Tokenomics</strong>: tokenomics is a term coined by combining the two words “token” and “economics”. It means the economics of a crypto token and it usually covers the issuance, functionality, objective, allocation policy, and more of the crypto token. These factors all together form the characteristics of the crypto token’s supply and demand. A good tokenomics makes a crypto token appeal to both investors and users. Therefore, the tokenomics of an application is vital to an application’s long-term development and success. For a blockchain game, e.g., a play-to-earn game, its tokenomics plays a key role.</p><p>Vulnerabilities in tokenomics can usually be uncovered in the design of the rules and functionality of a crypto token. This is more from an economic point of view than a technical point of view. 
In general, a poorly designed tokenomics lacks a mechanism to incentivize users or investors to buy and hold tokens.</p><p><strong>Typical vulnerabilities pertaining to tokenomics from an economic point of view are lack of token utilities, unlimited token supply, lack of liquidity, etc.</strong></p><p><strong>Governance</strong>: a significant feature that a blockchain application has compared with a conventional web 2.0 application is that it has a governance mechanism with which its token holders can participate in its activities and make decisions in guiding its development by voting with the application’s token. Vulnerabilities in the governance are usually uncovered in its rules and voting mechanism.</p><p><strong>Typical vulnerabilities in governance include inappropriate voting rules, inappropriate staking rules, inappropriate snapshot rules, inappropriate proposal submission rules, etc.</strong></p><p><strong>In-Game Assets or Utilities</strong>: in-game assets or utilities are implemented by smart contracts as either fungible tokens or non-fungible tokens. They have utilities that can be used in games for specific purposes.</p><p>Vulnerabilities concerning in-game assets or utilities are those that cause the assets or utilities to stop working. These vulnerabilities are usually uncovered in the functional design or logic design.</p><p><strong>Typical vulnerabilities about in-game assets or utilities are implementation vulnerabilities, design vulnerabilities, functional vulnerabilities, etc.</strong></p><p><strong>Implementation of On-Chain Logic</strong>: this refers to the business logic of an application. 
Specifically, for a blockchain application, to make its rules and logic tamper-proof and censorship-resistant, the team behind the application would code some or all of its business rules or logic in smart contracts.</p><p>Popular on-chain logic that is implemented in smart contracts includes decentralized exchange rules, borrowing, and lending rules, staking rules, liquidity mining rules, NFT fractionalization rules, etc.</p><p><strong>Typical vulnerabilities in the implementation of on-chain logic are using improper oracles, missing emergent withdrawal functions, inappropriate LP price algorithm, unsafe token transfer, excessive admin rights, hidden backdoors, risky contract upgrade/migration, implementation vulnerabilities, design vulnerabilities, etc.</strong></p><p><strong>Data Storage Solutions</strong>: for blockchain applications, a popular way to handle data storage is to use a decentralized solution to save data. These decentralized solutions in general are based on decentralized protocols such as IPFS, Arweave, etc.</p><p>A good data storage solution should be able to save data consistently and permanently. This is especially important for NFT projects which need to have long-term data availability and reliability for metadata.</p><p><strong>Vulnerabilities in a data storage solution would cause data loss or data inconsistency. Typical vulnerabilities pertaining to data storage solutions are unreliable data storage, lack of data redundancy, lack of data consistency, unreliable data retrieval service, etc.</strong></p><p><strong>Other Solutions/Services</strong>: these will be solutions based on the protocols that may be introduced in the future. For now, no specific vulnerabilities are listed here for this.</p><p><strong>4. 
Security Checkpoints That Should Be Covered for Each Kind of Application in the Ecosystem</strong></p><p><strong>4.1 Games</strong></p><p>Specifically, a blockchain game is backed and supported by the technologies depicted in the following diagram:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/321c357459ad6db8b8b156403aad1f846640fe0f26f1dbd6ec71b6f9e572d1c1.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The components represented by solid green blocks are the ones that Games must rely on. The components represented by transparent blocks are the ones that Games may optionally rely on.</p><p>From this diagram, we can see that the major technologies that a blockchain game directly relies on include <strong>UIs, Backend Services, Tokenomics, Governance, In-Game Assets or Utilities, Implementation of On-Chain Logic, and Data Storage Solutions.</strong> 
Optionally, Other Decentralized Solutions may be relied on as well.</p><p>Consequently, the vulnerabilities we listed for each of the direct technologies and their underlying technologies in the previous section should be considered as the checkpoints for a blockchain game.</p><p><strong>4.2 Game Guilds</strong></p><p>Specifically, a blockchain game guild is backed and supported by the technologies depicted in the following diagram:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/d7f74551cc109e79a548c24dc5937da0729c7bdb603bda5b9c9ac6cc9bf9a2f0.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The components represented by solid green blocks are the ones that Game Guilds must rely on. The components represented by transparent blocks are the ones that Game Guilds may optionally rely on.</p><p>From this diagram, we can see that the major technologies that a blockchain game guild directly relies on include <strong>UIs, Backend Services, Tokenomics, and Governance.</strong> 
Optionally, In-Game Assets or Utilities, Implementation of On-Chain Logic, Data Storage Solutions, and Other Decentralized Solutions may be relied on as well.</p><p>So, the vulnerabilities we listed for each of the direct technologies and their underlying technologies in the previous section should be considered as the checkpoints for a blockchain game guild.</p><p><strong>4.3 Game Developers</strong></p><p>Specifically, a blockchain game developer is backed and supported by the technologies depicted in the following diagram:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4bcf13cfc28496b7c3b5ef1733078b18540d3017ff674ee5125428f36055b777.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The components represented by solid green blocks are the ones that Game Developers must rely on. 
The components represented by transparent blocks are the ones that Game Developers may optionally rely on.</p><p>From this diagram, we can see that the major technologies that a blockchain game developer directly relies on include <strong>UIs, Backend Services, Tokenomics, Governance, Implementation of On-Chain Logic, and Data Storage Solutions.</strong> Optionally, In-Game Assets or Utilities and Other Decentralized Solutions may also be relied on.</p><p>So, the vulnerabilities we listed for each of the technologies and their underlying technologies in the previous section should be considered as the checkpoints for a blockchain game developer.</p><p><strong>4.4 Services or Apps Pertaining to Games</strong></p><p>Specifically, a service or app pertaining to blockchain game(s) is backed and supported by the technologies depicted in the following diagram:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/7d08f421043ba5e88e0e373ae0ab3f94f6d06c6ce1fecc7a481346823433880b.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The components represented by solid green blocks are the ones that Services or Apps Pertaining to Games must rely on. 
The components represented by transparent blocks are the ones that Services or Apps Pertaining to Games may optionally rely on.</p><p>From this diagram, we can see that the major technologies that a service or app pertaining to blockchain game(s) relies on include <strong>UIs, Backend Services, Tokenomics, Governance, and Implementation of On-Chain Logic.</strong> Optionally, In-Game Assets or Utilities, Data Storage Solutions, and Other Decentralized Solutions may also be relied on.</p><p>So, the vulnerabilities we listed for each of the items in the previous section should be considered as the checkpoints for a service or app on blockchain game(s).</p><p><strong>Conclusion:</strong></p><p>In this paper, we explore the applications and technological modules of the existing blockchain GameFi ecosystem, list typical vulnerabilities of each of the technological modules, and present our ideas on what specific areas we would study when we audit or check the security condition of an application in this ecosystem.</p><p>We will continue our work, keep close attention on the GameFi ecosystem’s development, and always do our best to contribute to the ecosystem’s security and expansion.</p><p>References:</p><p>[1] CryptoKitties, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.cryptokitties.co/">https://www.cryptokitties.co/</a></p><p>[2] Axie Infinity, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://axieinfinity.com/">https://axieinfinity.com/</a></p><p>[3] YGG, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://yieldguild.io/">https://yieldguild.io/</a></p><p>[4] Crypto VCs Are Making a Big Bet on Gaming Guilds. 
Why?</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.coindesk.com/markets/2021/12/21/crypto-vcs-are-making-a-big-bet-on-gaming-guilds-why/">https://www.coindesk.com/markets/2021/12/21/crypto-vcs-are-making-a-big-bet-on-gaming-guilds-why/</a>, December 27, 2021</p><p>[5] Decentralized autonomous organizations (DAOs), <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/dao/">https://ethereum.org/en/dao/</a></p><p>[6] Sky Mavis, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://skymavis.com/">https://skymavis.com/</a>, 2021</p><p>[7] Vulcan Verse, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://vv.vulcanforged.com/">https://vv.vulcanforged.com/</a>, 2022</p><p>[8] OpenSea, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://opensea.io/">https://opensea.io/</a></p><p>[9] Sky Mavis’ Marketplace, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://marketplace.axieinfinity.com/">https://marketplace.axieinfinity.com/</a></p><p>[10] NFTFI, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.nftfi.com/">https://www.nftfi.com/</a></p><p>[11] IPFS, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ipfs.io/">https://ipfs.io/</a></p><p>[12] Arweave, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.arweave.org/">https://www.arweave.org/</a></p><p>[13] ERC-20 Token Standard,</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/developers/docs/standards/tokens/erc-20/">https://ethereum.org/en/developers/docs/standards/tokens/erc-20/</a></p><p>[14] Solana, <a target="_blank" rel="noopener 
noreferrer nofollow ugc" class="dont-break-out" href="https://solana.com/">https://solana.com/</a></p><p>[15] ERC-721 Non-fungible Token Standard,</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/developers/docs/standards/tokens/erc-721/">https://ethereum.org/en/developers/docs/standards/tokens/erc-721/</a></p><p>[16] EIP-1155: Multi Token Standard, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://eips.ethereum.org/EIPS/eip-1155">https://eips.ethereum.org/EIPS/eip-1155</a></p><p><em>About the author:</em></p><p><strong>Yuefei TAN, CEO of Fairyproof</strong></p><p><em>About Fairyproof:</em></p><p>Fairyproof Tech is a blockchain security company, established in Jan 2021.</p><p>It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating several draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.</p><p>The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, and decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&amp;D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.</p><p>Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Exploring Security Checkpoints in Shard Blob Transactions Based on EIP-4844 by Fairyproof]]></title>
            <link>https://paragraph.com/@fairyproof/exploring-security-checkpoints-in-shard-blob-transactions-based-on-eip-4844-by-fairyproof</link>
            <guid>gv0Gxz04bS8tQat51SIS</guid>
            <pubDate>Tue, 29 Mar 2022 02:41:46 GMT</pubDate>
            <description><![CDATA[Led by Ethereum’s co-founder Vitalik Buterin, recently an EIP to create a new transaction format for “blob-carrying transactions” was proposed. And it is EIP-4844[1]. According to this EIP’s specification, although it is a stop-gap solution, the format it introduced for blob transactions will be the same as the format that will exist in Ethereum’s final sharding specification [2]. And eventually, all rollup solutions [3] will have to use sharded data (i.e., blobs) instead of calldata which th...]]></description>
            <content:encoded><![CDATA[<p>Recently, an EIP led by Ethereum’s co-founder Vitalik Buterin proposed a new transaction format for “blob-carrying transactions”: EIP-4844 [1].</p><p>According to this EIP’s specification, although it is a stop-gap solution, the format it introduced for blob transactions will be the same as the format that will exist in Ethereum’s final sharding specification [2]. Eventually, all rollup solutions [3] will have to use sharded data (i.e., blobs) instead of the calldata they use now if they expect to submit rollup data to Ethereum.</p><p>Therefore, this EIP will very likely be adopted and implemented in Ethereum’s clients, and existing rollup solutions will eventually have to make changes to be compliant with this EIP.</p><p>Whenever changes are introduced, issues or risks might be introduced as well.</p><p>As a blockchain security company, Fairyproof’s research team is extremely interested in the issues or risks that might be introduced by these changes. 
We studied this EIP, explored possible security checkpoints, and would like to share some ideas on these checkpoints.</p><p>There are significant changes introduced by this EIP in both the implementation of Ethereum clients and rollup solutions.</p><p>On the Ethereum client side, a new blob transaction is proposed, which introduces new data structures such as SignedBlobTransaction and BlobTransactionNetworkWrapper and new algorithms such as validate_blob_transaction_wrapper.</p><p>On the rollup solution side, both Optimistic-Rollup solutions [4] and ZK-Rollup solutions [5] need to put rollup data in a blob transaction.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/2abd5544a8016a07d0e4a691e468621c5ed70dfbc642b4386b49f57e13e8f9f8.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The changes in both Ethereum’s client side and rollup solutions may not introduce noticeable vulnerabilities; however, the newly introduced blob transaction may give rise to two kinds of mempool issues.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/c76b1f94b0968cc813fa973ee8c6b758e1e5438d4c65b4bd7edb74cb1d9bafb3.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The first one is that a blob transaction has a variable intrinsic gas cost. 
This would expose a mempool to attacks, since a transaction may qualify for inclusion in one block but not in the next. To prevent such an attack, this EIP recommends only broadcasting transactions “whose gas is at least twice the current minimum” to greatly increase a legitimate transaction’s chance of being included in a block.</p><p>The second one is that a blob transaction has a large data size at the mempool layer, which would expose a mempool to DoS attacks. This EIP recommends increasing “the minimum increment for mempool replacement from 1.1x to 2x” to increase an attacker’s cost and thus reduce the incentive to attack.</p><p>It is worth noting that the EIP says these two are just recommendations. This means a developer is not required to follow them in his/her implementation. But as far as security is concerned, the developer needs, by all means, to handle these issues in his/her code.</p><p>This is what a blockchain security company needs to pay close attention to when auditing an Ethereum client implementing this EIP.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/bdc078ad794f3814e3c0189a51661faacb541d92a3c4f49b93898a289e999e54.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>In addition, these two recommendations were proposed to counteract attacks on mempools. 
If they are implemented, a non-malicious user who wants his/her transaction to be promptly handled needs to pay a gas fee that meets these recommendations.</p><p>This is something a user should be aware of.</p><p>References:</p><p>[1] EIP-4844: Shard Blob Transactions, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://eips.ethereum.org/EIPS/eip-4844">https://eips.ethereum.org/EIPS/eip-4844</a>, Feb 25, 2022</p><p>[2] Shard Chains, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ethereum.org/en/upgrades/shard-chains/">https://ethereum.org/en/upgrades/shard-chains/</a></p><p>[3] An Incomplete Guide to Rollups, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://vitalik.ca/general/2021/01/05/rollup.html">https://vitalik.ca/general/2021/01/05/rollup.html</a>, Jan 5, 2021</p><p>[4] Optimistic Rollups,</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.ethhub.io/ethereum-roadmap/layer-2-scaling/optimistic_rollups/">https://docs.ethhub.io/ethereum-roadmap/layer-2-scaling/optimistic_rollups/</a></p><p>[5] ZK-Rollups, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.ethhub.io/ethereum-roadmap/layer-2-scaling/zk-rollups/">https://docs.ethhub.io/ethereum-roadmap/layer-2-scaling/zk-rollups/</a></p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
        <item>
            <title><![CDATA[Weekly Blockchain Security Report by Fairyproof- Mar 21 to Mar 27]]></title>
            <link>https://paragraph.com/@fairyproof/weekly-blockchain-security-report-by-fairyproof-mar-21-to-mar-27</link>
            <guid>x1elJOsD1sV4u8hGULQk</guid>
            <pubDate>Mon, 28 Mar 2022 06:27:05 GMT</pubDate>
            <description><![CDATA[It has truly been another eventful week! During the week from March 21 to March 27, 2022, security incidents that happened in the crypto industry can be categorized into two security hacks and publicly announced vulnerabilities. Here is a list of the security hacks: 1. OneRing On March 21 UTC time, OneRing Finance, a DeFi application deployed on Fantom was attacked. In this attack, the attacker leveraged a flashloan to exploit a total of 1,454,672.244369 USDCs valued at around $1,454,672.24. ...]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/bf9647bb25f2a6a01b1640c64b72b68b83f7284ab12f36eac195695dc66caa4c.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>It has truly been another eventful week!</p><p>During the week from March 21 to March 27, 2022, security incidents that happened in the crypto industry can be categorized into two types: <strong>security hacks and publicly announced vulnerabilities</strong>.</p><p><strong>Here is a list of the security hacks:</strong></p><p>1. <strong>OneRing</strong></p><p>On March 21 UTC time, OneRing Finance, a DeFi application deployed on Fantom, was attacked. In this attack, the attacker leveraged a flashloan to exploit a total of 1,454,672.244369 USDCs valued at around $1,454,672.24.</p><p>The vulnerability that was exploited was an inappropriate algorithm used to calculate an LP token’s price. This inappropriate algorithm allowed the price of the LP token involved in this attack to be manipulated, and a flashloan was used to enlarge the loss.</p><p>For more details about this attack please refer to Fairyproof’s article at:</p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-onering-finance-94d25b66f63c">https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-onering-finance-94d25b66f63c</a></p><p><strong>2. 
Cashio Dollar</strong></p><p>On March 23 UTC time, Cashio Dollar, a DeFi stable coin application deployed on Solana, was attacked.</p><p>The attacker’s address was 6D7fgzpPZXtDB6Zqg3xRwfbohzerbytB2U5pFchnVuzw on Solana.</p><p>The hash value of the attack transaction was:</p><p>4fgL8D6QXKH1q3Gt9GPzeRDpTgq4cE5hxf1hNDUWrJVUe4qDJ1xmUZE7KJWDANT99jD8UvwNeBb1imvujz3Pz2K5</p><p>The vulnerability that was exploited was that the right to mint tokens was not properly verified.</p><p>Basically, the attacker exploited the vulnerability to mint 2 billion CASH tokens, exchanged them for 8.64 million USTs, 17.04 million USDCs, and 26.34 million USDT-USDC LP tokens, and exploited a total of around $50 million.</p><p>3. <strong>Revest Finance</strong></p><p>On March 27 UTC time, Revest Finance, a DeFi application deployed on Ethereum, was attacked.</p><p>The attacker’s address was 0xef967ECE5322c0D7d26Dab41778ACb55CE5Bd58B on Ethereum.</p><p>The attacking contract was deployed at 0xb480Ac726528D1c195cD3bb32F19C92E8d928519 on Ethereum.</p><p>The attacked contract was deployed at 0x2320a28f52334d62622cc2eafa15de55f9987ed9 on Ethereum.</p><p>The root cause of this attack was that there was a re-entrancy vulnerability in its ERC-1155 implementation.</p><p>In this attack, the attacker exploited 592 ETHs and some other crypto assets valued at around $120,000. The total loss was around $2 million.</p><p>Right after the attack was detected, the team behind the project promptly announced that emergency measures had been taken to protect the remaining crypto assets.</p><p>4. <strong>Maison Ghost’s Discord Server</strong></p><p>Sometime near March 25 UTC time, Maison Ghost, an NFT project, was attacked. Basically, the project’s Discord server suffered from a phishing attack.</p><p>Around 265 NFTs including those from Sandbox and 3Landers were exploited.</p><p>5. 
<strong>Wallet Compromised</strong></p><p>On March 22 UTC time, Arthur Cheong, Founder of Defiance Capital, claimed that his Ethereum wallet was exploited.</p><p>The attacker’s address was 0xe47E8cD58c8E95F765e642d7dCB898f622ceFA83 on Ethereum.</p><p>This was a typical phishing attack. The victim received an email containing a phishing link from a suspicious source that had a similar name to the name of a company which the victim was familiar with. The victim opened the malicious link and got exploited.</p><p>In this incident, 78 NFTs including Azukis, CloneX, and Second Self, and fungible tokens including 68 WETHs, 4349 stkDYDXs, and 1578 LOOKS were exploited. The total loss exceeded $1.5 million. The attacker cashed out 500 ETH at the time when the victim announced the incident.</p><p><strong>Here is a list of the publicly announced vulnerabilities:</strong></p><p>1. <strong>Chrome’s Vulnerability</strong></p><p>On March 27 UTC time, Google announced that a zero-day vulnerability was detected in Chrome, and this vulnerability exposed plugins including MetaMask to huge risks. Google tagged this vulnerability as CVE-2022-1096. The vulnerability could be exploited by a hacker to insert malicious code to launch attacks.</p><p>This was the second zero-day vulnerability detected since the start of 2022. The first one was tagged as CVE-2022-0609 and was fixed by Google in February 2022.</p><p>Google has released a patch for this bug and urged users of Chrome to install this patch as soon as possible.</p><p><strong>Closing thoughts</strong></p><p>There were five security hacks in the past week. The vulnerabilities that were uncovered in three of them, namely OneRing, Cashio Dollar and Revest Finance, were commonly known issues and could have been uncovered and fixed without being exploited if these projects had undergone a professional audit. 
The other two hacks, targeting a Discord server and an Ethereum wallet, could have been prevented if users had operated these utilities with more caution and care.</p><p>The one publicly announced vulnerability could hardly have been detected by third parties. The first and most important thing that users of Chrome need to do is to install the fix right after the bug is announced.</p><p>A reminder to smart contract developers: using an appropriate algorithm to calculate an LP token’s price, correctly handling access control to core token functions, and using effective measures to prevent re-entrancy risks in token implementation should always be kept in mind and carried out in smart contract implementation.</p><p>A reminder to crypto users: always be cautious and alert to suspicious links, websites, and emails, watch for news about security issues with the tools and utilities you often use, and install bug fixes as soon as possible.</p>]]></content:encoded>
            <author>fairyproof@newsletter.paragraph.com (Fairyproof)</author>
        </item>
    </channel>
</rss>