India-based crypto exchange WazirX is increasing a reward offer in hopes of recovering the $230 million that hackers stole from the platform. In a new announcement, WazirX says they are increasing the reward to 10% of the stolen funds, or $23 million. “We invite white hat hackers, blockchain forensics experts and cybersecurity professionals from around […]
The post Indian Crypto Exchange WazirX Increases Bounty for White Hat Hackers to $23,000,000 appeared first on The Daily Hodl.
The security firm said it was transferring the digital assets obtained in the exploit of Kraken back to the exchange, but many crypto users questioned its motives.
Blockchain security firm CertiK has gone public, identifying itself as the “security researcher” that cryptocurrency exchange Kraken claimed stole $3 million worth of digital assets.
In a June 19 X post, CertiK said it had informed Kraken of an exploit that allowed it to remove millions of dollars from the exchange’s accounts. Kraken Chief Security Officer Nicholas Percoco claimed that an unnamed security team — not revealed to be CertiK at the time — had committed “extortion” by refusing to return any funds until the exchange agreed to provide “a speculated $ amount that this bug could have caused if they had not disclosed it.”
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” said CertiK. “In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users’ security. We urge [Kraken] to cease any threats against whitehat hackers.”
An unknown entity has exploited a Telegram-based game that runs on the newly launched Ethereum (ETH) layer-2 scaling solution Blast Network. In a post on social media platform X, the team behind the game Super Sushi Samurai (SSS) says token transfers are paused after an attacker exploited a vulnerability that allows exploiters to double their […]
The post Telegram Game on Brand-New Ethereum Layer-2 Scaler Blast Exploited for $4,600,000 in Reported White Hat Hack appeared first on The Daily Hodl.
The Web3 security platform now allows projects to deposit bounty funds to a Safe smart contract, proving the funds are available.
Blockchain security platform Immunefi has launched an on-chain system for bug bounties, according to a Sept. 26 announcement. The new system, called “Vaults,” allows Web3 developers to escrow funds in an on-chain address and use them to pay out bug bounties to white hat hackers.
Immunefi believes the new system will help projects “demonstrate to whitehats [...] that they have allocated sufficient funds to pay bounties,” which it hopes will result in “more top-tier bug reports” being submitted.
Software developers often offer rewards, called “bug bounties,” to hackers who discover exploits or other bugs in their software. This sometimes allows vulnerabilities to be found before bad actors can exploit them. Hackers who submit bug reports for rewards instead of taking advantage of an exploit are called “white hat” hackers, while “black hat” hackers use their knowledge for malicious purposes.
Related: Projects would rather get hacked than pay bounties, Web3 developer claims
According to the announcement, the new Immunefi system allows projects to deposit their bug bounty funds to a Safe multisig smart contract (formerly called a “Gnosis Safe”). This provides white hats with on-chain proof that the funds are available. Once a bug is submitted and a project has confirmed it’s genuine, the project can release the funds to the bug reporter’s wallet.
During Vault’s launch, Ethereum infrastructure provider SSV posted a $1 million deposit to help pay bug bounties for its software. Decentralized exchange Ref Finance, which is on the Near network, also uses the new system. SSV DAO contributor Eridian claimed that on-chain bug bounties will help provide better security for the DAO’s validator services, stating:
“The Vaults System will help us provide added reassurance for any researcher engaging with our bounty program, and in turn help secure the protocol even further. A good win-win. Building further trust with the community by showcasing dedicated funding, and streamlining the payment process, will ultimately strengthen our security efforts.”
In December 2022, Immunefi reported that it had facilitated $66 million in bug bounty payouts since the platform’s inception. LayerZero released a $15 million bug bounty through Immunefi on May 17.
Collect this article as an NFT to preserve this moment in history and show your support for independent journalism in the crypto space.
The trading platform has provided instructions for the recovery of funds lost through a contract approval vulnerability.
Crypto trading platform Hashflow has assured affected users will be “made whole” following an exploit that saw at least $600,000 in digital assets removed from the platform.
On June 14, blockchain security firm Peckshield reported an ongoing issue with the Hashflow trading platform.
“It appears there is an approve-related issue,” the firm noted, reporting losses of around $600,000 in Arbitrum (ARB) and Ethereum (ETH).
A couple of hours later, Hashflow alerted users that they were addressing the current situation related to contract approvals as flagged by Peckshield, adding:
“All users comprising the ~$600K affected will be made whole.”
The firm, which provides cross-chain swaps as part of its trading services, added that its decentralized exchange “was in no way impacted and remains fully operational.”
We’re addressing the current situation flagged by @peckshield. Please be assured that:
— hashflow (@hashflow) June 14, 2023
1. All users comprising the ~$600K affected will be made whole.
2. The Hashflow DEX was in no way impacted and remains fully operational.
We will share a detailed post mortem once complete.
Peckshield suggested that the hacker that carried out the exploit may be a white hat hacker, as they provided a contract with a recovery function along with a second option for a donation.
Hashflow updated its status on June 15 providing recovery instructions for those affected by the exploit which impacted Ethereum, Arbitrum, Avalanche, BNB Chain, and Polygon.
Users were told they must “revoke approvals before recovering funds.”
There are two options for fund recovery, the first is for total funds and the second will donate 10% to the supposed white hat hacker that exploited the vulnerability but prevented further losses in doing so.
DeFi enthusiast ‘YannickCrypto’ detailed the process noting that the white hat had verified the contract but warned that users must revoke token allowances to depreciated contracts or they’ll get hacked again.
Hey @hashflow, it seems like you got exploited from 0xddb19a1bd22c53dac894ee4e2fbfdb0a06769216. https://t.co/oplaYWY4Bn
— yannickcrypto.eth (@YannickCrypto) June 14, 2023
There are two withdraw functions, one with 10% and one without bribe!
Find out how you can withdraw your stolen funds in next tweet
Hashflow’s native token, HFT, fell 7% in the 12 hours following the incident, falling to $0.338 at the time of writing, according to CoinGecko. The token remains down 90% from its November 2022 all-time high of $3.61.
Related: DeFi-type projects received the highest number of attacks in 2022: Report
It is the second DeFi exploit this week as lending platform Sturdy Finance lost around $800,000 worth of Ethereum on June 12. The vulnerability was related to price manipulation, according to Peckshield which issued the alert.
Sturdy Finance offered a bounty of $100,000 to the exploiter for the return of the funds.
Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story
An exploit resulted in around $573,000 in crypto looted from Allbridge, but the hacker has now seemingly accepted the offer of a “white hat bounty.”
A large portion of the roughly $573,000 pilfered from the multichain token bridge Allbridge has been returned after the exploiter seemingly took up the project’s offer for a white hat bounty and no legal retaliation.
Allbridge tweeted on April 3 that it received a message from an individual and 1,500 BNB (BNB), worth around $465,000, was returned to the project.
"The remaining funds will be considered a white hat bounty to this person," Allbridge said.
Update on the exploit
— Allbridge (@Allbridge_io) April 3, 2023
1/ Our team was contacted by the owner of https://t.co/EW1uxXBQpD.
1500 BNB was returned to our team. The remaining funds will be considered a white hat bounty to this person.
It explained that all the "received BNB" wa then converted to the stablecoin Binance USD (BUSD) to be used as compensation.
Blockchain security firm Peckshield first identified the attack carried out on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper.
Following the exploit Allbridge offered the attacker a bounty and the chance to escape any legal ramifications.
Allbridge has yet to publicly disclose how much was stolen, but blockchain security firm CertiK said the sum is close to $550,000 while PeckSheild said the exploit netted $282,889 in BUSD and $290,868 worth of Tether (USDT), totaling roughly $573,000.
Allbridge also revealed that a second address used the same exploit and shared a link to a wallet that currently contains 0.97 BNB, valued at around $300.
"We ask the second exploiter to reach out and discuss the return," Allbridge said.
Following the initial exploit, Allbridge made it clear they were hot on the trail of the stolen funds and were working with a wide variety of organizations to retrieve the stolen loot.
Related: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report
BNB Chain was among those who answered the call to arms and reported in an April 2 tweet that it discovered at least one of the culprits involved through on-chain analysis.
BNB Chain has identified the Allbridge attacker following on-chain analysis. We are actively supporting the Allbridge team on the fund recovery. The Allbridge team has offered the hacker a bounty.
— BNB Chain (@BNBCHAIN) April 2, 2023
We'd like to recognize the effort of AvengerDAO in this recovery effort.
According to BNB Chain it’s "actively supporting the Allbridge team on the fund recovery," and gave a shout-out to AvengerDAO for its efforts in the recovery.
Cointelegraph contacted Allbridge for further comment but did not receive an immediate response.
Magazine: US and China try to crush Binance, SBF's $40M bribe claim: Asia Express
Allbridge offered a hacker who pilfered $573,000 from its platform a chance to come forward as a white hat and forgo any legal ramifications.
The attacker behind a $573,000 exploit on the multichain token bridge Allbridge has been offered a chance by the firm to come forward as a white hat and claim a bounty.
Blockchain security firm Peckshield first identified the attack on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper, who was able to drain the pool of $282,889 in Binance USD (BUSD) and $290,868 worth of Tether (USDT).
In an April 1 tweet following the hack, Allbridge offered an olive branch to the attacker in the form of an undisclosed bounty and the chance to escape any legal ramifications.
To hacker's attention: addressing the incident and the next steps
— Allbridge (@Allbridge_io) April 2, 2023
1. We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack.
“Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds,” Allbridge wrote.
In a separate series of tweets, Allbridge made it clear they are hot on the trail of the stolen funds.
With the help of its “partners and community,” Allbridge said it’s “tracking the hacker through social networks.”
“We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack,” it added.
Allbridge also stated it’s working with law firms, law enforcement and other projects affected by the exploiter.
According to Allbridge, its bridge protocol has been temporarily suspended to prevent the potential exploits of its other pools; once the vulnerability has been patched, it will be restarted.
5/ The bridge has been temporarily suspended to prevent the potential exploits of the other pools. We will restart it once the vulnerability has been patched.
— Allbridge (@Allbridge_io) April 2, 2023
“In addition, we are in the process of deploying a web interface for liquidity providers to enable the withdrawal of assets,” it added.
Blockchain security firm CertiK offered an in-depth breakdown of the hack in an April 1 post, identifying the method used was a flashloan attack.
CertiK explained the attacker took a $7.5 million BUSD flash loan, then initiated a series of swaps for USDT before deposits in BUSD and USDT liquidity pools on Allbridge were made. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 USDT.
Related: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report
According to a March 31 tweet from PeckShield, March saw 26 crypto projects hacked, resulting in total losses of $211 million.
#PeckShieldAlert ~26 exploits grabbed $211.5M in March 2023.
— PeckShieldAlert (@PeckShieldAlert) March 31, 2023
Regarding the @eulerfinance exploit, the estimated loss is $197M. The exploiter has returned 84,963.4 $ETH (~$152.8M) and 29.9M $DAI to the Deployer, and he has already transferred 1,100 $ETH to Tornado Cash pic.twitter.com/kf2Ul4uIun
Euler Finance’s March 13 hack was responsible for over 90% of the losses, while other costly exploits were suffered by projects including Swerve Finance, ParaSpace and TenderFi.
Cointelegraph contacted Allbridge for comment but did not receive an immediate response.
Magazine: Crypto winter can take a toll on hodlers’ mental health
The bounty, which was offered via an on-chain message was approximately $97,000 or approximately 6% of the exploit amount.
The hacker behind the exploit of the decentralized finance (DeFi) lending platform Tender.fi has returned the stolen funds for a $97,000 bounty reward in Ether (ETH).
The exploit was executed at 10:28 am UTC on Mar. 7, with Tender.fi confirming the incident on Twitter soon after citing “an unusual amount of borrows,” and adding it has paused all borrowing.
Blockchain data showed the exploiter used a price oracle glitch to borrow $1.59 million worth of assets from the protocol by depositing 1 GMX token, valued at around $71.
“It looks like your oracle was misconfigured. contact me to sort this out,” wrote the hacker in an on-chain message.
Eight hours later, the DeFi protocol announced it had come to an agreement with the “White Hat” exploiter, in which the hacker would repay all loans minus a 62.16 ETH “bounty,” worth around $97,000 at current prices.
Translation: The White Hat will repay all loans minus 62.158670296 ETH, which will be kept as a Bounty for helping secure the protocol. The https://t.co/H4ZMPLH9pz Team will repay the Bounty s value to the protocol, so that there will be no bad debt and users will remain… https://t.co/5bbmKu7zEe
— Tender.fi (@tender_fi) March 7, 2023
Another hour later, Tender.fi confirmed on Twitter that the exploiter had completed the loan repayments.
“Funds are officially SaFu, post mortem on the way,” it wrote.
Related: DeFi lender Tender.fi suffers exploit, white hat hacker suspected
Last year in August, cross-chain Nomad Bridge appealed to exploiters that participated in a smart contract exploit that extracted $190 million in funds from the bridge in less than three hours.
Mere hours later, approximately $32.6 million worth of funds were already returned, suggesting some of the exploiters may have been white hat hackers attempting to extract funds for a later safe return.
Later in the month, nonfungible token (NFT) firm Metagame even offered a “Whitehat Prize” in the form of an NFT for anyone that proved they returned at least 90% of the funds they stole from the protocol.
1/ Our friends at @metagame created an earned NFT as a thank you to whitehats who returned funds from the Nomad Bridge Hack. Head over https://t.co/TWwuJwnRXj to claim it! pic.twitter.com/V87rkGhBEE
— Nomad (⤭⛓) (@nomadxyz_) August 23, 2022
Blockchain data from the Official Nomad Funds Recovery Address shows that funds continued to be returned to the recovery address since then, with the latest transaction recorded on Feb. 18, 2023, for $7,868 in Covalent Query Token (CQT).
The ethereum wallet known as the “FTX Accounts Drainer” has started to offload the ethereum it collected this past week after becoming the 27th largest ether address. On Nov. 19, 2022, the wallet held 250,735 ether, but by 7:44 a.m. (ET) on Nov. 20, the “FTX Accounts Drainer” transferred roughly 50,000 ether out of the […]
The ethical exploiter thanked Arbitrium for the 400 ETH payday, but said such a find should be eligible for the max bounty of nearly 1,500 ETH, or $2 million.
A self-described white hat hacker has uncovered a “multi-million dollar vulnerability” in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find.
Known as riptide on Twitter, the hacker described the exploit as the use of an initializing function to set their own bridge address, which would hijack all incoming ETH deposits from those trying to bridge funds from Ethereum to Arbitrum Nitro.
Riptide explained the exploit in a Medium post on Sept. 20:
“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.”
The hack could have potentially netted tens or even hundreds of millions worth of ETH, as the largest deposit riptide recorded in the inbox was 168,000 ETH worth over $225 million, and typical deposits ranged from 1000 to 5000 ETH in a 24-hour period, worth between $1.34 to $6.7 million.
Despite the earning potential from the ill-gotten gains, riptide was thankful that the “extremely based Arbitrum team” provided a 400 ETH bounty, worth over $536,500, however they added later on Twitter that such a find “should be eligible for a max bounty,” which is worth $2 million.
No big deal just bridging a cool $470mm through the same Inbox contract
— riptide (@0xriptide) September 20, 2022
Definitely should be eligible for a max bounty
https://t.co/w7S58QNQZu
Neither Arbitrum nor its creator company OffChain Labs have publicly commented on the exploit, Cointelegraph contacted OffChain Labs for comment but did not immediately hear back.
Related: ETHW confirms contract vulnerability exploit, dismisses replay attack claims
Arbitrum is a layer-2 Optimistic Rollup solution for Ethereum, clustering batches of transactions before submitting it to the Ethereum network in an effort to minimize network congestion and save on fees. Arbitrum Nitro launched on Aug. 31st, an upgrade aimed to simplify communication between Arbitrum and Ethereum as well as increasing its transaction throughput at lower fees.
Similar style bridge hacks have been successful for exploiters this year, notably the $100 million stolen from the Horizon Bridge in June and the recent Nomad token bridge incident in August which saw $190 million drained by the original and “copycat” hackers repeating the exploit.
