Level Finance confirms $1M exploit due to buggy smart contract

May 1, 2023 Coin Telegraph

Level Finance confirms M exploit due to buggy smart contract

An attacker manipulated a “claim multiple” bug in a Level Finance smart contract to steal more than 214,000 LVL tokens from the exchange.

Decentralized exchange Level Finance has experienced a security breach allowing an attacker to steal more than $1 million of the exchange’s native Level Finance (LVL) token.

Level Finance informed its 20,000 Twitter followers that more than 214,000 of the exchange’s LVL tokens had been drained and swapped into 3,345 Binance Coin (BNB), with an approximate value of $1.01 million.

An exploit targeted our Referral Controller Contract.

- 214k LVL tokens drained to exploiters address.
- Attacker swapped LVL to 3,345 BNB
- Exploit was isolated from other contracts.
- Fix to be deployed in 12 Hrs.
- LP's and DAO treasury UNAFFECTED.

More details to follow.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023

According to blockchain security firm Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract contained a bug that allowed for “repeated referral claims” from the same epoch. This was confirmed by Level Finance in a later statement made on Discord.

It seems the @Level__Finance's LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)

Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R
— PeckShield Inc. (@peckshield) May 1, 2023

Meanwhile, data from Binance chain explorer BSC Scan, the V2 controller contract shows multiple calls of the “claim multiple” function over the past 48 hours.

At the time of writing, the implementation of the contract does not appear to have been altered since the advent of the attack, however Level Finance says that it will deploy a new implementation of the referral contract within the next 12 hours.

The exchange also noted that its liquidity pools and related DAOs remain unaffected by the attack.

According to @DeDotFiSecurity on Twitter, the team says that it has “temporarily shut down the referral program,” which has stopped the exploit.

On Discord, Level Finance said that the exploit had been isolated from other exploits and that users of the exchange should “stand by for a full post mortem.”

Magazine: Here’s how Ethereum’s ZK-rollups can become interoperable

Silk Road Hacker Sentenced to a Year in Prison for Wire Fraud

April 16, 2023 Bitcoin.com

Crypto Exchange Bitrue Suffers $23 Million Hack

April 14, 2023 Bitcoin.com

Sushiswap Smart Contract Bug Results in Over $3M in Losses; Head Chef Says Hundreds of ETH Recovered

April 10, 2023 Bitcoin.com

Allbridge exploiter returns most of the $573K stolen in attack

April 4, 2023 Coin Telegraph

Allbridge

An exploit resulted in around $573,000 in crypto looted from Allbridge, but the hacker has now seemingly accepted the offer of a “white hat bounty.”

A large portion of the roughly $573,000 pilfered from the multichain token bridge Allbridge has been returned after the exploiter seemingly took up the project’s offer for a white hat bounty and no legal retaliation.

Allbridge tweeted on April 3 that it received a message from an individual and 1,500 BNB (BNB), worth around $465,000, was returned to the project.

"The remaining funds will be considered a white hat bounty to this person," Allbridge said.

Update on the exploit

1/ Our team was contacted by the owner of https://t.co/EW1uxXBQpD.

1500 BNB was returned to our team. The remaining funds will be considered a white hat bounty to this person.
— Allbridge (@Allbridge_io) April 3, 2023

It explained that all the "received BNB" wa then converted to the stablecoin Binance USD (BUSD) to be used as compensation.

Blockchain security firm Peckshield first identified the attack carried out on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper.

Following the exploit Allbridge offered the attacker a bounty and the chance to escape any legal ramifications.

Allbridge has yet to publicly disclose how much was stolen, but blockchain security firm CertiK said the sum is close to $550,000 while PeckSheild said the exploit netted $282,889 in BUSD and $290,868 worth of Tether (USDT), totaling roughly $573,000.

Allbridge also revealed that a second address used the same exploit and shared a link to a wallet that currently contains 0.97 BNB, valued at around $300.

"We ask the second exploiter to reach out and discuss the return," Allbridge said.

Following the initial exploit, Allbridge made it clear they were hot on the trail of the stolen funds and were working with a wide variety of organizations to retrieve the stolen loot.

BNB Chain was among those who answered the call to arms and reported in an April 2 tweet that it discovered at least one of the culprits involved through on-chain analysis.

BNB Chain has identified the Allbridge attacker following on-chain analysis. We are actively supporting the Allbridge team on the fund recovery. The Allbridge team has offered the hacker a bounty.

We'd like to recognize the effort of AvengerDAO in this recovery effort.
— BNB Chain (@BNBCHAIN) April 2, 2023

According to BNB Chain it’s "actively supporting the Allbridge team on the fund recovery," and gave a shout-out to AvengerDAO for its efforts in the recovery.

Cointelegraph contacted Allbridge for further comment but did not receive an immediate response.

Magazine: US and China try to crush Binance, SBF's $40M bribe claim: Asia Express

Allbridge offers bounty to exploiter who stole $573K in flash loan attack

April 3, 2023 Coin Telegraph

Allbridge

Allbridge offered a hacker who pilfered $573,000 from its platform a chance to come forward as a white hat and forgo any legal ramifications.

The attacker behind a $573,000 exploit on the multichain token bridge Allbridge has been offered a chance by the firm to come forward as a white hat and claim a bounty.

Blockchain security firm Peckshield first identified the attack on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper, who was able to drain the pool of $282,889 in Binance USD (BUSD) and $290,868 worth of Tether (USDT).

In an April 1 tweet following the hack, Allbridge offered an olive branch to the attacker in the form of an undisclosed bounty and the chance to escape any legal ramifications.

To hacker's attention: addressing the incident and the next steps

1. We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack.
— Allbridge (@Allbridge_io) April 2, 2023

“Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds,” Allbridge wrote.

In a separate series of tweets, Allbridge made it clear they are hot on the trail of the stolen funds.

With the help of its “partners and community,” Allbridge said it’s “tracking the hacker through social networks.”

“We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack,” it added.

Allbridge also stated it’s working with law firms, law enforcement and other projects affected by the exploiter.

According to Allbridge, its bridge protocol has been temporarily suspended to prevent the potential exploits of its other pools; once the vulnerability has been patched, it will be restarted.

5/ The bridge has been temporarily suspended to prevent the potential exploits of the other pools. We will restart it once the vulnerability has been patched.
— Allbridge (@Allbridge_io) April 2, 2023

“In addition, we are in the process of deploying a web interface for liquidity providers to enable the withdrawal of assets,” it added.

Blockchain security firm CertiK offered an in-depth breakdown of the hack in an April 1 post, identifying the method used was a flashloan attack.

CertiK explained the attacker took a $7.5 million BUSD flash loan, then initiated a series of swaps for USDT before deposits in BUSD and USDT liquidity pools on Allbridge were made. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 USDT.

According to a March 31 tweet from PeckShield, March saw 26 crypto projects hacked, resulting in total losses of $211 million.

#PeckShieldAlert ~26 exploits grabbed $211.5M in March 2023.
Regarding the @eulerfinance exploit, the estimated loss is $197M. The exploiter has returned 84,963.4 $ETH (~$152.8M) and 29.9M $DAI to the Deployer, and he has already transferred 1,100 $ETH to Tornado Cash pic.twitter.com/kf2Ul4uIun
— PeckShieldAlert (@PeckShieldAlert) March 31, 2023

Euler Finance’s March 13 hack was responsible for over 90% of the losses, while other costly exploits were suffered by projects including Swerve Finance, ParaSpace and TenderFi.

Cointelegraph contacted Allbridge for comment but did not receive an immediate response.

Magazine: Crypto winter can take a toll on hodlers’ mental health

Bitcoin ATM maker to refund customers impacted by zero-day hack

March 28, 2023 Coin Telegraph

Bitcoin ATM

General Bytes has implemented several measures in the wake of the hack, including offering to reimburse its cloud-hosted customers and adding new security measures.

Bitcoin ATM manufacturer General Bytes says it is reimbursing its cloud-hosted customers that lost funds in a "security incident" in March that saw its customers' hot wallets accessed.

As previously reported by Cointelegraph, the ATM manufacturer issued a statement about a security incident on March 17 and March 18, which involved a hacker remotely uploading a Java application into its terminals and gaining access to sensitive information, such as passwords, private keys and funds from hot wallets.

In a recent statement to Cointelegraph, the ATM manufacturer said have since been moving swiftly to "address the situation" and has made the decision to refund its "cloud-hosted customers who have lost funds."

On March 17-18th, 2023, GENERAL BYTES experienced a security incident.

We released a statement urging customers to take immediate action to protect their personal information.

We urge all our customers to take immediate action to protect their funds and https://t.co/fajc61lcwR…
— GENERAL BYTES (@generalbytes) March 18, 2023

"We have taken immediate steps to prevent further unauthorized access to our systems and are working tirelessly to protect our customers," General Bytes said in a statement.

It was understood that the hack led to at least 56 BTC, worth over $1.5 million at current prices, and 21.82 ETH, $37,000 at current prices, being deposited into wallets connected to the hacker.

According to General Bytes, it has thoroughly assessed the damages from the hack and has been "working tirelessly" to improve security measures and prevent similar incidents from happening again.

*General Bytes told affected customers to implement new security measures after the hack. Source: General Bytes*

Along with the reimbursement for affected customers, the ATM manufacturer has also said they are encouraging all customers to migrate to a self-hosted server installation, where they can effectively secure their server platform using VPN.

"We are investing heavily in additional human resources to assist our clients in migrating their existing infrastructure to a self-hosted server installation."

According to General Bytes, the hack did not affect most ATM operators using self-hosted server installations" as these customers employ VPN technology to protect their infrastructure."

The ATM manufacturer first warned customers about the hacker in a March 18 patch release bulletin. As a result of the security breach, General Btyes shuttered its cloud services.

"General Bytes takes the security of our customers' funds and data very seriously. We apologize for any inconvenience caused and remain committed to serving our customers with integrity and professionalism.”

The company is based in Prague and according to its website has sold over 15,000 Bitcoin (BTC) ATMs to purchasers in over 149 countries all over the world.

Wormhole hacker moves another $46M of stolen funds

February 13, 2023 Coin Telegraph

Wormhole hacker moves another M of stolen funds

Arbitrage

The Wormhole exploiter appears to be seeking arbitrage opportunities with Ethereum-pegged assets.

The ill-gotten crypto from one of the industry’s largest exploits is on the move again, with on-chain data showing another $46 million of stolen funds has just shifted from the hacker’s wallet.

The Wormhole attack was the third largest crypto hack in 2022 resulting from an exploit of Wormhole’s token bridge in February 2022. Around $321 million of Wrapped ETH (wETH) was stolen.

According to blockchain security firm PeckShield, the hacker’s associated wallet has become active once again, moving d $46 million worth of crypto assets.

This was made up of around 24,400 of Lido Finance-wrapped Ethereum staking token (wstETH), worth approximately $41.4 million and 3,000 Rocket Pool Ethereum staking token (rETH), worth about $5 million, which was moved to MakerDAO.

The hacker appears to be seeking yield or arbitrage opportunities on their stolen loot as the assets were exchanged for 16.6 million DAI, PeckShield reported.

The MakerDAO stablecoin was then used to buy 9,750 ETH priced at around $1,537 and 1,000 stETH. These were then wrapped back into 9,700 wstETH.

#PeckShieldAlert The Wormhole Network Exploiter 0x629e supplied $46M worth of cryptos, including 24.4k $wstETH ($41.4M) & 3k $rETH (~$5M), to MakerDAO for 16.6M $DAI & used them to buy 9.75k $ETH ($ETH at $1,537) & 1k $stETH ($ETH at $1,543), then wrapped them for ~9.7k $wstETH pic.twitter.com/BRfygHgpit
— PeckShieldAlert (@PeckShieldAlert) February 12, 2023

On Feb. 10, an on-chain sleuth observed that the hacker was “buying the dip.”

However, the price of Ethereum has since fallen below those levels over the past few hours. At the time of writing, ETH was trading down 2.6% on the day at $1,505 according to CoinGecko.

At the time of the transfers, stETH prices depegged from Ethereum and climbed as high as $1,570. They’re currently trading 2.4% higher than ETH at $1,541. Furthermore, wstETH also has depegged and rose to $1,676, 11.3% higher than the underlying asset.

The latest funds movement comes only a few weeks after the hacker moved another $155 million worth of Ethereum to a decentralized exchange on Jan. 24.

95,630 ETH was sent to the OpenOcean DEX and then subsequently converted into ETH-pegged assets including Lido’s stETH and wstETH.