
bug bounty

Crypto Exchange CoinEx Promises Generous Bug Bounty Reward to Hacker Following $70,000,000 Exploit


Days after suffering a security breach, crypto exchange CoinEx is attempting to reach out to the hackers responsible for the incident. In an open letter to the hackers, CoinEx says it is ready to reward the perpetrators of the theft with a “generous bug bounty” if the stolen assets are returned. “We hope you recognize the […]

The post Crypto Exchange CoinEx Promises Generous Bug Bounty Reward to Hacker Following $70,000,000 Exploit appeared first on The Daily Hodl.

Coinbase faces new lawsuit over alleged investor deception

Mango Markets exploiter seeks to keep disputed funds paid as ‘bug bounty’

Attorneys representing Avraham Eisenberg argued he had already settled his dispute with Mango DAO and shouldn't have to pay back any more funds.

The alleged exploiter of the decentralized finance protocol Mango Markets, Avraham Eisenberg, is seeking to keep his share of crypto gained from his so-called “highly profitable trading strategy.”

On Feb. 15, attorneys for Eisenberg filed a motion in a New York District Court objecting to a lawsuit from Mango that asks for $47 million in damages plus interest starting from the time of Eisenberg’s October attack, which drained around $117 million from the protocol.

The lawyers argued that Eisenberg shouldn’t need to pay back any more funds to the DeFi platform due to a settlement agreement that he reached with Mango DAO, arguing that the “matter was settled.”

Eisenberg’s (right) last public appearance was on a podcast in late October, just weeks after his alleged exploit of the platform. Source: YouTube

A governance proposal was passed by the Mango DAO following the draining of its treasury that saw Eisenberg keep a portion — $47 million — of the pilfered funds as a bug bounty along with a stipulation that Mango wouldn’t pursue legal action.

“Eisenberg transferred funds totaling approximately $67 million to Mango Markets,” the attorneys wrote, adding:

“Weeks later, eligible Mango Markets’ members received reimbursement from the Mango Markets treasury. At that point, all involved considered this matter closed and Mr. Eisenberg heard nothing further from Mango Markets.”

Mango, however, said in its suit that the settlement should be voided as it was made “under duress” and alleged Eisenberg “was not engaged in lawful bargaining.”

Eisenberg’s attorneys rebuffed these claims, saying the “improper three-month delay” for Mango filing its suit “undermines any alleged irreparable harm.” The lawsuit, they say, aims to “take advantage” of Eisenberg’s December arrest in Puerto Rico by United States authorities.

Related: Alleged Mango Markets exploiter waives bail during hearing in federal court

Eisenberg was charged by the Federal Bureau of Investigation with commodities fraud and manipulation.

He also faces a lawsuit from the U.S. Commodity Futures Trading Commission that alleges market manipulation and a suit from the Securities and Exchange Commission for violating securities laws relating to anti-fraud and market manipulation.

Eisenberg has previously stated his trades on Mango were “legal open market actions, using the protocol as designed,” and called his purported attack a “highly profitable trading strategy.”


Aave Launches Stablecoin GHO on Ethereum Goerli Testnet with Open Source Codebase and Audits

Aave Companies, the firm behind the decentralized finance (DeFi) project Aave, has announced the launch of a stablecoin called GHO on the Ethereum testnet network Goerli. The codebase is available on GitHub and has undergone audits by OpenZeppelin, Sigma Prime and ABDK.

Aave Invites Programmers to Test GHO Before Mainnet Deployment

On Thursday, Aave Companies […]


DeFi auditor nets $40,000 for identifying Uniswap vulnerability

A security firm flagged a now-fixed vulnerability to Uniswap, highlighting the potential for reentrancy attacks on the protocol’s Universal Router smart contract.

Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability of the protocol’s Universal Router smart contract.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible token (NFT) swapping into a single swap router.

Uniswap also advertised a lucrative bug bounty program to identify potential vulnerabilities in its smart contracts towards the end of 2022 as it looked to assure the safety and efficacy of its protocol.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub’s breakdown, the Universal Router allows users to perform diverse actions including swapping multiple tokens and NFTs in one transaction.

The router embeds a scripting language for a wide variety of token actions, which could include transfers to third party recipients. If correctly implemented, transfers would go to the recipient within specified parameters.

Related: Immunefi says it has facilitated $66M in bug bounties since inception 

However, Dedaub identified a vulnerability in which third-party code was invoked during the transfer, allowing that code to re-enter the Universal Router and claim any tokens that were temporarily held in the contract.

Dedaub then suggested a straightforward remedy, advising the Uniswap team to add a reentrancy lock to the core execution of the new router. Uniswap awarded the auditing firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap’s bonus period in November 2022.

Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have high impact and low likelihood. According to Dedaub, the possibility of a user sending NFTs to an untrusted recipient directly was considered user error.

More complex and less likely scenarios were considered valid for reentrancy, which resulted in Uniswap deeming the vector to have a low likelihood. Cointelegraph has reached out to Uniswap to ascertain further details of its ongoing bounty program, amounts paid out and the number of bugs identified to date.
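The remedy Dedaub describes, a reentrancy lock around the router's core execution, is easiest to see in a reduced form. The contract below is an added illustration written for this page, not Uniswap's Universal Router code: a minimal batch router whose commands can hand NFTs to arbitrary recipients. Because ERC-721 `safeTransferFrom` invokes `onERC721Received` on a contract recipient, an unguarded `execute()` could be re-entered from that hook while tokens from earlier commands still sit in the router; the `nonReentrant` modifier makes any such nested call revert. The command set, storage layout and error names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Uniswap's Universal Router code: a minimal
// batch router whose commands can hand NFTs to arbitrary recipients.
// ERC-721 safeTransferFrom calls onERC721Received on a contract
// recipient, so without a lock that callback could re-enter execute()
// and sweep whatever tokens sit in the router between commands.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract LockedRouter {
    uint256 private constant NOT_LOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lockState = NOT_LOCKED;

    error Reentrancy();

    // Reverts any call to a guarded function while another guarded call
    // is still in progress, whichever command triggered the callback.
    modifier nonReentrant() {
        if (lockState == LOCKED) revert Reentrancy();
        lockState = LOCKED;
        _;
        lockState = NOT_LOCKED;
    }

    enum Command { TRANSFER_NFT, SWEEP_ERC20 }

    // The hardened form: a single lock around the whole batch. Removing
    // `nonReentrant` here yields the unguarded pattern the report describes.
    function execute(Command[] calldata commands, bytes[] calldata inputs)
        external
        nonReentrant
    {
        require(commands.length == inputs.length, "length mismatch");
        for (uint256 i = 0; i < commands.length; i++) {
            if (commands[i] == Command.TRANSFER_NFT) {
                (address nft, address to, uint256 tokenId) =
                    abi.decode(inputs[i], (address, address, uint256));
                // `to` may be untrusted code; its receive hook runs here,
                // with the router still holding tokens from earlier steps.
                IERC721(nft).safeTransferFrom(address(this), to, tokenId);
            } else if (commands[i] == Command.SWEEP_ERC20) {
                (address token, address to) =
                    abi.decode(inputs[i], (address, address));
                uint256 bal = IERC20(token).balanceOf(address(this));
                if (bal > 0) {
                    require(IERC20(token).transfer(to, bal), "sweep failed");
                }
            }
        }
    }
}
```

The lock is deliberately placed on `execute()` rather than on individual commands: a per-command guard would still let a callback from one command invoke a different, unguarded command. Using the values 1 and 2 rather than 0 and 1 keeps the slot non-zero, which avoids the higher gas cost of writing a zeroed storage slot on every call.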

Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies look to ensure the security of their software, systems and infrastructure. 

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.


Moola Market attacker returns most of $9M looted for $500K bounty

The attacker has scored about a half-million dollar “bug bounty” after choosing to return a majority of the cryptocurrency they exploited from the Celo-based lending protocol.

An attacker has returned just over 93% of the more than $9 million worth of cryptocurrencies they exploited from the Celo (CELO) blockchain-based decentralized finance (DeFi) lending protocol Moola Market.

At around 6PM UTC on Oct. 18 the Moola Market team tweeted it was investigating an incident and had paused all activity, adding it had contacted authorities and offered a bug bounty to the exploiter if funds were returned within 24 hours.

Analysis of the exploit by Web3 security company Hacken shows the attacker manipulated the price of the protocol’s low-liquidity native MOO token by initially purchasing around $45,000 worth and depositing it as collateral to borrow CELO.

The borrowed CELO, along with further CELO provided by the attacker, was then used as collateral to borrow more MOO, driving up the token’s price. The attacker continued repeating this until the MOO token price had increased by 6,400%.

With the inflated token price, the attacker was able to borrow $6.6 million worth of CELO, $1.2 million of MOO, $740,000 of Celo Euros (cEUR) and $644,000 of Celo Dollars (cUSD), all worth multiples of their initially posted collateral, resulting in a loss to the protocol of around $9.1 million.
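The Moola Market loop above, and the Mango Markets incidents described elsewhere on this page, share one root cause: collateral was valued at a spot price that the borrower could move with a small amount of capital in a thin market. The contract below is an added illustration, not Moola Market, Mango Markets or Hacken code, of two controls a lending protocol can apply at valuation time: reject a spot quote that has drifted more than a fixed fraction from a time-weighted reference, and cap how much value of any one asset may be counted as collateral. The oracle interface, the 10% deviation limit, the per-asset cap and the admin setter are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Moola Market or Mango Markets code: collateral
// valuation that refuses a spot price running away from its time-weighted
// reference and caps how much of one asset counts as collateral, so a
// short squeeze of a thin pool cannot be recycled into borrowing power.

interface IPriceOracle {
    // Both prices quoted with 18 decimals in the protocol's unit of account (assumed)
    function spotPrice(address asset) external view returns (uint256);
    function twapPrice(address asset) external view returns (uint256);
}

contract GuardedCollateral {
    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_DEVIATION_BPS = 1_000; // 10%, assumed policy

    IPriceOracle public immutable oracle;
    address public immutable admin;
    // Ceiling on collateral value counted per asset, 0 = no cap (assumed policy)
    mapping(address => uint256) public collateralValueCap;
    // Loan-to-value per asset in basis points
    mapping(address => uint256) public ltvBps;

    error PriceDeviation(address asset, uint256 spot, uint256 twap);
    error NotAdmin();

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
        admin = msg.sender;
    }

    function setAssetParams(address asset, uint256 cap, uint256 ltv) external {
        if (msg.sender != admin) revert NotAdmin();
        require(ltv <= BPS, "ltv above 100%");
        collateralValueCap[asset] = cap;
        ltvBps[asset] = ltv;
    }

    // Conservative price: revert when spot has drifted more than
    // MAX_DEVIATION_BPS from the TWAP, and otherwise value collateral at
    // the lower of the two so a transient pump cannot raise it.
    function safePrice(address asset) public view returns (uint256) {
        uint256 spot = oracle.spotPrice(asset);
        uint256 twap = oracle.twapPrice(asset);
        uint256 diff = spot > twap ? spot - twap : twap - spot;
        if (diff * BPS > twap * MAX_DEVIATION_BPS) {
            revert PriceDeviation(asset, spot, twap);
        }
        return spot < twap ? spot : twap;
    }

    // Borrowing power granted by `amount` of `asset` (18-decimal amounts assumed).
    // The cap is applied to the asset's total counted value before the LTV,
    // so depositing more of a pumped token stops adding borrowing power.
    function borrowingPower(address asset, uint256 amount)
        external
        view
        returns (uint256)
    {
        uint256 value = (amount * safePrice(asset)) / 1e18;
        uint256 cap = collateralValueCap[asset];
        if (cap != 0 && value > cap) value = cap;
        return (value * ltvBps[asset]) / BPS;
    }
}
```

Reverting on deviation, rather than silently using the TWAP, is a design choice: it halts borrowing against the asset while the price is contested, which is the same effect as the protocol pause Moola Market applied manually once the incident was noticed, but it happens at the point where the manipulated price would otherwise be consumed.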

Five hours after the initial confirmation of the exploit, Moola Market tweeted it had received just over 93% of the funds exploited, with the attacker seemingly keeping the rest, around $500,000, as a bug bounty.

Moola Market did not immediately respond to Cointelegraph’s request for comment.

The attack draws similarities to the $117 million exploit suffered by Mango Markets on Oct. 11, in which Avraham Eisenberg and his team manipulated the price of the Solana (SOL)-based DeFi protocol’s native token to borrow cryptocurrencies with undercollateralized backing. Eisenberg negotiated to keep $47 million as a “bounty.”

Related: BNB Chain responds with next steps for cross-chain security after network exploit

Multi-chain cryptocurrency wallet BitKeep also suffered an exploit late on Oct. 17, with an attacker making off with $1 million worth of Binance Coin (BNB) through a service used to swap tokens. BitKeep says it will fully reimburse any affected users.

The attacks are the latest in a series of exploits to have taken place in October, which has also shaped up to be the biggest month ever for hacking activity, with the total hacked value reaching around $718 million up until Oct. 12 according to analytics firm Chainalysis.


Mango Markets hacker proposes steep settlement

The Solana DeFi protocol suffered a $117 million exploit on Oct. 11, and the hacker wants 70M USDC in "bug bounty."

On Oct. , one day after $117 million was drained from Solana DeFi platform Mango Markets via a price feed exploit, the hacker responsible for the attack demanded a settlement. The proposal was filed on the Mango Markets decentralized autonomous organization (DAO) governance forum. 

If passed, the procedure would involve the hacker sending stolen Mango Markets (MNGO), Solana (SOL) and Marinade Staked SOL tokens to an address provided by the Mango DAO team. Users without bad debt would be made whole. However, the hacker demands that any bad debt be treated as a bug bounty and insurance, to be paid out via the community treasury, worth 70 million USD Coin (USDC).

Adding insult to injury, the hacker has voted for this proposal using millions of tokens stolen from the exploit. However, the proposal has not passed the required quorum to pass. In exchange for the settlement, the hacker requests that users who vote in favor of the proposal agree to pay the bounty, pay off the bad debt with the treasury, waive any potential claims against accounts with bad debt and will not pursue any criminal investigations or freezing of funds.

Reactions were, unsurprisingly, overwhelmingly negative, with one user writing:

"You're disgusting. What you did is wrong in every way possible. The responsible thing to do would have been to disclose the vulnerability to the team, NOT EXPLOIT IT. I hope the law enforcement community shows you ZERO MERCY."

Despite the tragic exploit, losses may be lower than previously estimated. For example, Solana stablecoin protocol UXD said that it had a total exposure of $20 million in Mango Markets. However, its insurance fund contains more than $53.5 million in assets and would be more than enough to cover the losses. The vote on the hacker's proposal is ongoing at the time of publication.


$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

The platform’s treasury was drained of over $100 million worth of cryptocurrency after an attacker manipulated price data of its native token to take out loans against their holdings.

Solana (SOL)-based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million through an attacker manipulating price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of their Mango (MNGO) native token collateral, then taking out “massive loans” from Mango’s treasury.

The Mango Markets team tweeted soon after warning users not to deposit funds until “the situation was more clear” and asked the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits whilst it continued investigations of the incident.

Due to news of the exploit, the price of the platform’s MNGO token has fallen by around 52% in the last 24 hours at the time of writing, according to data from CoinGecko.

Related: TempleDAO exploit results in $2M loss

The exploiter’s account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of SOL.

Over $14.7 million worth of MNGO was withdrawn and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered an exploit of its own on Oct. 11, with its Ethereum (ETH) bridge drained of around $1.89 million worth of its native QANX token, according to blockchain security company Beosin. QANplatform says it’s investigating the incident.


White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?

The ethical exploiter thanked Arbitrum for the 400 ETH payday, but said such a find should be eligible for the max bounty of nearly 1,500 ETH, or $2 million.

A self-described white hat hacker has uncovered a “multi-million dollar vulnerability” in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find.

Known as riptide on Twitter, the hacker described the exploit as the use of an initializing function to set their own bridge address, which would hijack all incoming ETH deposits from those trying to bridge funds from Ethereum to Arbitrum Nitro.

Riptide explained the exploit in a Medium post on Sept. 20:

“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.”

The hack could have potentially netted tens or even hundreds of millions worth of ETH, as the largest deposit riptide recorded in the inbox was 168,000 ETH, worth over $225 million, and typical deposits ranged from 1,000 to 5,000 ETH in a 24-hour period, worth between $1.34 million and $6.7 million.

Despite the earning potential from the ill-gotten gains, riptide was thankful that the “extremely based Arbitrum team” provided a 400 ETH bounty, worth over $536,500. However, they added later on Twitter that such a find “should be eligible for a max bounty,” which is worth $2 million.

Neither Arbitrum nor its creator company Offchain Labs have publicly commented on the exploit. Cointelegraph contacted Offchain Labs for comment but did not immediately hear back.

Related: ETHW confirms contract vulnerability exploit, dismisses replay attack claims

Arbitrum is a layer-2 Optimistic Rollup solution for Ethereum, clustering batches of transactions before submitting them to the Ethereum network in an effort to minimize network congestion and save on fees. Arbitrum Nitro launched on Aug. 31, an upgrade aimed at simplifying communication between Arbitrum and Ethereum as well as increasing its transaction throughput at lower fees.

Similar bridge hacks have been successful for exploiters this year, notably the $100 million stolen from the Horizon Bridge in June and the Nomad token bridge incident in August, which saw $190 million drained by the original and “copycat” hackers repeating the exploit.


Bug bounty quadruples for Ethereum network — Up to $1M payouts ahead of Merge

According to the Ethereum Foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million.

The Ethereum Foundation has announced it will be increasing the network’s bug bounty payouts fourfold ahead of the blockchain’s transition to proof-of-stake.

In a Wednesday blog post, the Ethereum Foundation said between Aug. 24 and Sept. 8, all “Merge-related bounties for vulnerabilities” will be quadrupled for white hats testing the network. According to the foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million. The bounty program also allows submissions for low, medium and high-risk bugs.

As part of the transition to proof-of-stake, the foundation said the Ethereum network “must first be activated on the Beacon Chain with the Bellatrix upgrade,” an event expected to happen on Sept. 6, with the Merge likely following between Sept. 10 and 20. Core developers previously announced a tentative Merge date of Sept. 15, when the Terminal Total Difficulty, or TTD — the cumulative difficulty of the final mined block — will trigger the end of proof-of-work and the start of proof-of-stake.

“The incremental difficulty added per block is dependent on the network hash rate, which is volatile,” said the foundation. “If more hash rate joins the network, TTD will be reached sooner. Similarly, if hash rate leaves the network, TTD will be reached later."

Source: Ethereum Foundation

The foundation added that Ether (ETH) holders and users largely did not need to take any action prior to the Merge other than to “be on the lookout for scams.” Mining will no longer be possible following the transition, while stakers and node operators will both need to run an execution layer client, with the latter doing so with a consensus layer client.

In July 2020, the Ethereum Foundation announced it had launched public “attack networks” for Ethereum 2.0 for white hats to attempt to exploit potential issues in the clients, offering a $5,000 bounty at the time. However, in August 2021, a vulnerability affecting earlier versions of one of Ethereum's software clients, Geth, caused more than half the network’s nodes to split. The Merge will require the latest version of Geth as an execution client.

Related: MakerDAO launches biggest ever bug bounty with $10M reward

Other projects have offered up to $1 million or more in bug bounties aimed at finding exploits that could result in the theft or risk of losing millions, as Sky Mavis did in April 2022 following a $600-million hack on the Ronin Network. In June, Ethereum bridging and scaling solution Aurora paid a $6-million bounty to a white hat hacker who discovered a critical bug.


Cardano Foundation Doubles Reward Offered to Hackers for Uncovering Bugs on Its Blockchain

The Cardano Foundation recently said it has doubled the payout offered to hackers and bounty hunters that identify bugs or vulnerabilities within the Cardano blockchain. The foundation said the six-week promotion, which runs until March 25, 2022, is part of an ongoing attempt to keep “its businesses and customers safe.”

Strengthening the Cardano Brand

The […]
