Losses from crypto rug pulls outpaced DeFi exploits in May: Beosin

June 2, 2023 Coin Telegraph

Beosin

Over $45 million was lost to exit scams in May while exploits on DeFi protocols racked up less than half that amount over the same period.

The amount of cryptocurrency lost to "rug pull" or "exit scams" — where founders suddenly up and leave with investors’ money — had outpaced the amount stolen from decentralized finance (DeFi) projects in May, a blockchain security firm has revealed.

A June 1 report from Beosin said in May total losses from rug pulls and scams reached over $45 million across six incidents.

Meanwhile, there were 10 attacks on decentralized finance (DeFi) protocols that netted only $19.7 million. The amount is a nearly 80% decrease from April and losses from these types of exploits had been on the decline for two months, it added.

Rug Pull Outpaces Attacks: The total amount involved in #rugpull reached $45.02 million, surpassing losses from attacks

2/5
— Beosin Blockchain Security (@Beosin_com) June 1, 2023

The largest of such rug pulls was the $32 million that crypto project Fintoch is alleged to have made off with on May 24. The $7.5 million attack on the DeFi platform Jimbos protocol was the largest attack last month according to Beosin.

“Hackers and scammers are gradually shifting the target of their attacks from various project parties to ordinary users,” Beosin wrote.

It recommended crypto users “raise their anti-fraud awareness,” undertake due diligence on a project before investing and learn how to better safeguard their crypto.

Beosin also warned against using shared or public charging devices for mobile phones as these could potentially be modified to inject malicious programs that could compromise private keys.

In April, the United States Federal Bureau of Investigation (FBI) issued a similar warning the use of free charging stations such as those found at airports should be avoided.

Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023

“Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices,” the FBI’s Denver office tweeted on April 6. It instead advised carrying a charger and USB cord for use in an electrical outlet.

Hall of Flame: Crypto Wendy on trashing the SEC, sexism, and how underdogs can win

Inverse Finance exploited again for $1.2M in flashloan oracle attack

June 17, 2022 Coin Telegraph

Inverse Finance exploited again for .2M in flashloan oracle attack

Coin Telegraph

No user funds have been affected by the exploit, but Inverse Finance has incurred a debt and offered the attacker a bounty to return the stolen funds.

Just two months after losing $15.6 million in a price oracle manipulation exploit, Inverse Finance has again been hit with a flashloan exploit that saw the attackers make off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC).

Inverse Finance is an Ethereum based decentralized finance (DeFi) protocol and a flashloan is a type of crypto loan that is usually borrowed and returned within a single transaction. Oracles report outside pricing information.

The latest exploit worked by using a flashloan to manipulate the price oracle for a liquidity provider (LP) token used by the protocol’s money market application. This allowed the attacker to borrow a larger amount of the protocol’s stablecoin DOLA than the amount of collateral they posted, letting them pocket the difference.

The attack comes just over two months after a similar April 2 exploit which saw attackers artificially manipulate collateralized token prices through a price oracle to drain funds using the inflated prices.

In response to the attack, Inverse Finance temporarily paused borrowing and removed its DOLA stablecoin from the money market while it investigated the incident, saying no user funds were at risk.

Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon.
— Inverse+ (@InverseFinance) June 16, 2022

It later confirmed that only the attacker's deposited collateral was affected in the incident and only incurred a debt to itself due to the stolen DOLA. It encouraged the attacker to return the funds in return for a “generous bounty”.

In total, the attacker’s gained 99,976 USDT and 53.2 WBTC from the attack, swapping them to ETH before sending it all through the cryptocurrency mixer Tornado Cash, attempting to obfuscate the ill-gotten gains.

The previous attack in April saw attackers make off with $15.6 million in ETH, WBTC, YFI and DOLA.

DeFi marketplace Deus Finance suffered from a similar exploit in March, with attackers manipulating a price pairing within an oracle leading to a gain of 200,000 Dai (DAI) and 1101.8 ETH worth over $3 million at the time.

Beanstalk Farms, a credit based stablecoin protocol lost all $182 million worth of collateral in a flash loan attack caused by two malicious governance proposals which in the end drained all funds from the protocol.

How the latest attack went down

Blockchain security firm BlockSec analyzed that the attacker borrowed 27,000 WBTC in a flashloan swapping a small amount to the LP token used to post collateral in Inverse Finance so users can borrow crypto assets.

The remaining WBTC was swapped to USDT, causing the price of the attacker's collateralized LP token to rise significantly in the eyes of the price oracle. With the value of these LP tokens now worth far more due to the price rise, the attacker borrowed a larger amount than usual of the DOLA stablecoin.

The value of the DOLA was worth much more than the deposited collateral, so the attacker swapped the DOLA to USDT, and the earlier WBTC to USDT swap was reversed to repay the original flashloan.

Maiar decentralized crypto exchange goes offline after bug discovery

June 7, 2022 Coin Telegraph

Coin Telegraph

The DEX has been taken offline due to the discovery of the bug, and the team has implemented an “emergency fix” and update.

The Maiar Exchange, a decentralized exchange (DEX) native to the Elrond blockchain, has been temporarily taken offline after an attacker utilized an exploit and made off with roughly $113 million worth of Elrond eGold (EGLD).

Minutes before 12:00 am UTC on Monday, the co-founder and CEO of Elrond, Beniamin Mincu, tweeted that he and his team were “investigating a set of suspicious activities” on the Maiar decentralized cryptocurrency exchange.

Soon after, the DEX was taken offline, with Mincu reporting that the issue had been identified and an “emergency fix” was being implemented.

In a Twitter thread posted almost 24 hours later at around 11:00 pm UTC on Monday, Mincu said a potentially critical bug was identified that opened “an exploit area that we simply had to address and mitigate immediately.”

The suspicious activities have been possibly identified and explained in a Twitter thread by pseudonymous on-chain analyst Foudres, who revealed that the potential attacker deployed a smart contract that somehow allowed them to withdraw over 1.65 million EGLD.

Three wallets were able to mysteriously withdraw 800,000, 400,000 and 450,000 EGLD, respectively, which at current prices is worth nearly $113 million in total.

The attackers were able to sell around 800,000 EGLD, worth around $54 million, which caused the price of EGLD on Maiar to plummet from $76 down to around $5. The rest of the crypto is either still held in various wallets, has been bridged to USD Coin (USDC) and Ether (ETH), or was sold on centralized exchanges.

The price of EGLD dropped 9.5% from around $74 down to a 24-hour low of $65.50 but has since slightly recovered, now trading near $68.

Mincu stated in his update that an upgrade was implemented to fix the bug and a technical explanation would be provided after clarification that the implemented solutions are tested and working.

He claimed that all funds are safe and will be available when the DEX restarts, which is scheduled for Tuesday, saying most exploited funds have been either recovered in full or will be covered by the Elrond Foundation.

As previously reported by Cointelegraph, approximately $1.6 billion in cryptocurrency has been stolen from decentralized finance (DeFi) platforms in the first quarter of 2022, and over 90% of all stolen crypto is from hacked decentralized finance (DeFi) protocols such as DEXs.

More than $1.6 billion exploited from DeFi so far in 2022

May 3, 2022 Coin Telegraph

More than .6 billion exploited from DeFi so far in 2022

2022 crypto stolen

The amount exploited this year so far surpasses the total amount stolen in all of 2020 and 2021 combined, with the month of March alone beating 2020 by over $200 million.

The decentralized finance (DeFi) space has been rife with hacks, exploits, and scams so far this year with over $1.6 billion in crypto stolen from users, surpassing the total amount stolen in 2020 and 2021 combined.

Analysis from blockchain security firm CertiK revealed the statistics on May 2 showing the month of March having the most value stolen at $719.2 million, over $200 million more than what was stolen in all of 2020. The March figure is largely due to the Ronin Bridge exploit where attackers made off with over $600 million worth of crypto.

We have seen $1.6B lost in the #crypto/#web3 world so far this year.

In just the first 4 months on 2022 we have passed the total amount lost in 2021 ($1.3B) and in 2020 ($516MM). https://t.co/jDohhaUYUN
— CertiK (@CertiKTech) May 2, 2022

April was a busy month for attacks with CertiK recording 31 major incidents, an average of nearly one a day. The most valuable was the $182 million siphoned from Beanstalk Farms using a flash loan attack.

CertiK noted the nearly $80 million lost by Fei Protocol, the second most valuable heist last month, and the $10 million lost from automated market maker protocol Saddle Finance which both took place at the end of the month.

Both protocols took to Twitter to offer their respective attackers a bounty in exchange for returning the stolen funds. Whilst the chances of that happening may be slim, it’s not unheard of as the Poly Network hacker in 2021 returned nearly all of the $610 million stolen from the network along with refusing a $500,000 bounty reward.

CertiK said that April 2022 “holds the record for highest dollar amount losses in flash loan attacks ever recorded by us” with losses from that type of exploit reaching $301.4 million. In comparison, flash loan attack losses in January, February, and March 2022 combined were only $6.7 million.

The analysis of this year's DeFi exploits comes as the total value locked (TVL) in DeFi has dropped below $200 billion for the first time since March 16 according to DeFiLlama.

Between April 30 and May 1, TVL dropped by just over 3.5% to $195.87 billion, only slightly recovering to $199.42 billion today Tuesday, May 3. The last 30 days since April 3 have seen a 13.5% decrease in TVL and a nearly 22% decline since the all-time high of over $254 billion on December 2, 2021.

Attackers Steal $80 Million From Rari Capital’s Fuse Platform, Fei Protocol Suffers From Exploit

April 30, 2022 Bitcoin.com

Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct

April 22, 2022 Coin Telegraph

Hacker bungles DeFi exploit: Leaves stolen M in contract set to self destruct

attacker

A hacker apparently so thrilled by a successful theft left behind over $1 million in a smart contract that was set to destruct, permanently ensuring the crypto could never be moved.

In a rare comedic bungle among DeFi exploits, an attacker has fumbled their heist at the finish line leaving behind over $1 million in stolen crypto.

Just after 8AM UTC on Thursday April 21st, blockchain security and analytics firm BlockSec shared it had detected an attack on a little known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem”.

The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens which were then sold, crashing the price to zero, but netting just over $1 million for the exploiter.

Blockchain analytics firm PeckShield noted the stolen crypto was transferred to an “attack contract”, a smart contract which automatically and quickly executes the found exploit.

#PeckShieldAlert It appears that @zeedcommunity suffered an exploit. The exploiter gained ~$1m. The gains currently sit in the attack contract. https://t.co/bSHHGM623Q @peckshield https://t.co/jXVj0oGI8B
— PeckShieldAlert (@PeckShieldAlert) April 21, 2022

However the attacker was apparently so excited by their successful heist that they forgot to transfer over $1 million worth of stolen crypto out of their attack contract before they set it to self-destruct, permanently and irreversibly ensuring the funds can never be moved.

Interesting. The hacker kills the contract, but forgets to transfer the profit. https://t.co/HbS2fiztuc https://t.co/uApZyK8Uym pic.twitter.com/FwpZweNLHU
— PeckShield Inc. (@peckshield) April 21, 2022

Using a blockchain scanner to view the attack contract address shows that $1,041,237.57 worth of BSC-USD Binance-Peg token is forever stuck in the contract and the successful self-destruction of the contract was confirmed at 7:15AM UTC on April 21.

It's one of the more bizarre turns of events since the Polygon hacker did an “Ask Me Anything” using embedded messages on Ethereum(ETH) transactions after stealing $612 million from the protocol in August 2021. The question and answer session revealed the attacker hacked “for fun” and thought “cross-chain hacking is hot.”

This latest hack is on the smaller end regarding the amount stolen, and other DeFi protocol hacks have seen hundreds of millions siphoned off as with the recent Ronin bridge hack where attackers made off with over $600 million.

Other notable DeFi exploits include the $80 million worth of crypto stolen from Qubit Finance in January where attackers tricked the protocol into believing they had deposited collateral, allowing them to mint an asset representing a bridged crypto.

DeFi marketplace Deus Finance was exploited in March when hackers manipulated the price feed of a pair of stablecoins resulting in the insolvency of user funds, netting the hackers over $3 million.

Defi Project Rari Capital Hacked for $10M in Ether, Project’s Pool Drained for 2,600 ETH

May 9, 2021 Bitcoin.com

Defi Attack