Hacker

DeFi security project ‘Lossless’ helps recover $16.7M from Cream Finance hack

Lossless also plans to ship a security tool that will reportedly aid DeFi projects in preventing hacks and exploits on their platforms.

Lossless, a decentralized finance (DeFi) security outfit, has assisted in the recovery of 5,152.6 Ether (ETH) siphoned during the Cream Finance exploit that occurred in August.

Tweeting on Monday, Lossless identified white hat security expert Pascal Caversaccio as being pivotal to the successful recovery of the siphoned funds.

As previously reported by Cointelegraph, DeFi lending protocol Cream Finance suffered a flash loan attack to the tune of $19 million in ETH and Amp tokens back in August. Following the exploit, Cream stated that it would repay the siphoned funds via fees collected on the protocol to compensate affected users.

Detailing the asset retrieval process, Lossless stated that it used its extensive connections within the world of hackers to enable the return of the funds taken during the flash loan attack.

Commenting on the recovery process, Dominykas A. van Otterlo, chief business development officer at Lossless, told Cointelegraph:

"We managed to track down the hacker manually and retrieve the stolen funds for CREAM Finance. You could say it was sort of cyber detective work, not an easy task. Thanks to Pascal Caversaccio, one of our white hat hackers, who helped us to track down the hacker."

Lossless also stated that the project is looking to launch a hack mitigation tool that will allow protocol developers to adopt a “hands-on” approach to preventing such malicious exploits of their platform.

Part of this mitigation will reportedly include a 24-hour freeze on suspicious transactions to allow time for robust investigations.

According to van Otterlo, Lossless is leveraging the project's knowledge-base acquired while manually tracking down hackers. Lossless plans to offer security support for DeFi projects across the Ethereum, Polygon, and Binance Smart Chain networks, and deployment on layer-two protocols.


According to a Cream Finance statement from Oct. 1, Lossless and Caversaccio earned the 50% bug bounty from the successful fund recovery. “This is our first recovery of such scale,” Lossless tweeted in response to Cream Finance’s announcement.

DeFi platforms continue to fall victim to hackers and opportunistic profiteers who take advantage of vulnerabilities in smart contract code to siphon funds from these projects.

Indeed, in August, Poly Network suffered a massive $610 million hack across multiple networks. The entity responsible eventually returned the stolen funds but the incident offered a pointer to the security loopholes prevalent in the DeFi space.

DeFi projects continue to offer bug bounties to white hat hackers to discover vulnerabilities that escaped the code auditing process. In September, white hat programmer Alexander Schlindwein reportedly received $1.05 million in bug bounty payments from Belt Finance.

China to ramp up brain chip program after teaching monkey to control robot

SushiSwap denies reports of billion dollar bug

Claims by a self-professed white-hat hacker about a major security risk to SushiSwap liquidity providers have been rejected by one of the exchange’s devs.

The developer behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under threat, stating they went public with the information after attempts to reach out to SushiSwap’s developers resulted in inaction.

The hacker claims to have identified a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and the pools on SushiSwap’s non-Ethereum deployments such as Polygon, Binance Smart Chain and Avalanche.

While the emergencyWithdraw function allows liquidity providers to immediately claim their LP tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool — forcing liquidity providers to wait for the pool to be manually refilled over a roughly 10-hour process before they can withdraw their tokens.

“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,” the hacker claimed, adding:

“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.” 

However, SushiSwap’s pseudonymous developer has taken to Twitter to reject the claims, with the platform's “Shadowy Super Coder” Mudit Gupta stressing that the threat described “is not a vulnerability” and that “no funds are at risk.”

Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:

“The hacker's claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”


The hacker said they had been instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $40,000 to users that report risky vulnerabilities in their code — after they first reached out to the exchange.

They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating they were aware of the matter described.


Avalanche Defi Platform Vee Finance Attacked — $35 Million in ETH, BTC Siphoned

On September 21, 2021, an Avalanche-based decentralized finance (defi) platform Vee Finance announced that it suffered from an incident that siphoned 8,804 ether and 213 bitcoin out of the system. The team has suspended the defi platform contracts and stressed that the stablecoins have not been “affected by the attack.” Defi Project Vee Finance Suffers […]


Custodial Lightning Network Service Attack Discovered by LN ‘Newbie’ — Hacker Strikes 6 LN Custodians

On September 18, a Redditor posted to the r/bitcoin forum and explained how he discovered a way to “attack [the] lightning Network’s custodial services.” The Reddit account dubbed “Reckless Satoshi” wanted to figure out if a “discrepancy between real routing fees and service’s transaction fee can be exploited for a profit.” The researcher disclosed that […]


Hacker Returns All Stolen Assets From $643,000,000 Crypto Heist

After suffering a massive $643 million hack in early August, decentralized finance (DeFi) protocol Poly Network just retrieved all the stolen funds from the crypto hacker. On August 10th, Poly Network suffered a large hack involving 59 different crypto assets. The hack was allegedly conducted by a pseudonymous attacker known as Mr. White Hat. Shortly […]

The post Hacker Returns All Stolen Assets From $643,000,000 Crypto Heist appeared first on The Daily Hodl.


Crypto Exchange Liquid Hacked, Loses Millions in Various Currencies

Japanese cryptocurrency exchange Liquid is suspending deposits and withdrawals after a security breach resulting in the loss of an estimated $80 million in digital assets. The platform published the suspected hacker’s addresses and said it’s moving funds to cold storage. Hacker Hits Japanese Crypto Exchange Liquid Asian cryptocurrency exchange Liquid Global has confirmed it […]


White hat potentially saves SushiSwap $350M by finding ‘obvious’ exploit

The security researcher found a flaw in a Dutch auction smart contract that could have resulted in the loss of 109,000 ETH.

The SushiSwap decentralized exchange has narrowly avoided becoming the latest DeFi hack victim thanks to assistance from a white hat hacker.

A security researcher from venture capital firm Paradigm known on Twitter as “samczsun” has managed to save SushiSwap and its MISO platform from a potential loss of as much as 109,000 ETH.

In a blog post published on Aug. 17, the programmer described how he began examining the smart contract code for the BitDAO token sale at SushiSwap’s token launchpad platform, MISO.

On closer inspection, he found a flaw in the MISO Dutch auction contract whereby some of the functions lacked access controls.

“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”

Upon deeper investigation, the white hat discovered a vulnerability that, if exploited, could result in all of the crypto assets in the token auction contract being drained by a malicious actor. An attacker could reuse the same ETH over and over to batch multiple calls to the contract and “bid in the auction for free.”

Samczsun tested the vulnerability with a successful exploit before contacting colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the findings. He also discovered that a hacker could steal the funds from the contract by triggering a refund by sending a higher amount of ETH than the auction hard cap.

“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”


It was then time to reach out to SushiSwap CTO Joseph Delong to formulate a rescue plan before the exploit was discovered in the wild. It was decided that the BitDAO team holding the token sale would manually end the auction by purchasing the remaining allocation and immediately finalizing the process and rescuing the funds.

SushiSwap noted that no funds were lost in the salvage effort, adding that it will pause the use of its MISO Dutch auction format until the smart contract can be updated. Crypto community member “DC Investor” commented:

“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”

The BitDAO token sale went off without a hitch, raising more than 112,000 ETH, valued at roughly $336 million, from over 9,200 participants, according to a tweet from the protocol on Aug. 17.


London High Court Orders Binance To Hunt and Seize Assets of Crypto Hackers

London’s High Court is ordering major crypto exchange Binance to track down and freeze the accounts of crypto hackers behind an alleged $2.6-million security breach. The order, which was made public last week, grants the requests by artificial intelligence (AI) company Fetch.ai for Binance to find and freeze the allegedly stolen assets. Fetch.ai claims that […]

The post London High Court Orders Binance To Hunt and Seize Assets of Crypto Hackers appeared first on The Daily Hodl.


Poly Network Says Stolen User Assets on ETH Have Been Returned, Except Frozen USDT

On Friday, a few days after the initial hack for $611 million, the Poly Network project detailed that the company has obtained all the assets stolen minus the frozen tether that was blacklisted by Tether Limited. The Poly Network team said they are in control of the funds along with “Mr. White Hat,” but the […]


Poly Network Hacker Says ‘In the Defi World Code Is Law’ While Returning Millions in Defi Tokens

Two days after the notorious Poly Network hack, the hacker continues to send funds back to the project. On August 12, the Poly Network hacker so far has returned millions worth of ether, thousands of uni tokens, 1,032 wrapped bitcoins, and 96 million in stablecoins. The day prior, after returning $260 million in tokens, the […]
