
White hat hacker

DeFi lender Tender.fi suffers exploit, white hat hacker suspected

DeFi lending platform Tender.fi sees $1.59 million of assets drained by alleged white hat hacker taking advantage of a misconfigured oracle.

An alleged ethical hacker has drained $1.59 million from the decentralized finance (DeFi) lending platform Tender.fi, leading the service to halt borrowing while it attempts to recoup its assets.

Web3-focused smart contract auditor CertiK and blockchain analyst Lookonchain flagged an exploit that saw funds drained from the DeFi lending protocol on March 7. Tender.fi confirmed the incident on Twitter, citing "an unusual amount of borrows" through the protocol.

The latest update from the platform claims that a white hat hacker has made contact, and discussions are underway to recoup assets taken during the exploit. White hat hackers are also known as ethical hackers and typically look for and take advantage of security flaws in different protocols before returning funds.

Cointelegraph reached out to CertiK to unpack the situation, which highlighted that the exploiter left an on-chain message which has been verified on the Arbitrum Blockchain Explorer:

The input data reads: “It looks like your oracle was misconfigured. contact me to sort this out.”

Lookonchain provided further details of the exploit, citing blockchain data showing that the white hat hacker borrowed $1.59 million worth of assets from the protocol by depositing 1 $GMX token, which was valued at $71 at the time of writing.

Related: $700,000 drained from BNB Chain-based DeFi protocol LaunchZone

Cointelegraph has reached out to Tender.fi to ascertain further details of the exploit and whether funds will be returned by the white hat hacker. DeFi protocols have been the target of hackers in early 2023, with seven different platforms losing over $21 million in February alone. Hackers also took advantage of an oracle exploit in Jan. 2023, with over $120 million stolen from BonqDAO.

Banking Giant JPMorgan Chase Holds $760,000 in Spot Bitcoin ETFs: New SEC Filing

iOS jailbreak dev wins $2M bounty for finding critical Optimism bug

Ethereum scaling startup Optimism disclosed a "critical bug" fix in the project's Geth fork that would have allowed malicious hackers to create infinite ETH.

Developers from the Ethereum Layer 2 scaling project Optimism announced that a “critical bug” had been identified and subsequently patched earlier this month.

The bug, which could have enabled hackers to create as much "ETH" in an Optimism account balance as they wished, was first discovered by white hat hacker and iOS jailbreak software Cydia developer Jay Freeman.

In a deep-dive blog post, Freeman explained that the bug "would allow an attacker to replicate money on any chain using their 'OVM 2.0' fork of go-ethereum." For his efforts, Freeman was awarded one of the largest bug bounties to date, netting a total reward of $2,000,042.

According to the Optimism team, “The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.”

In a blog post, the Optimism team noted that its chain history showed that the bug had not been exploited, except for an accidental activation by a staffer at Ethereum data startup Etherscan, but “no usable excess was generated.”

“A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation,” the team said, thanking Infura, QuickNode, and Alchemy for their fast response times.

“We also alerted multiple vulnerable Optimism forks and bridge providers to the presence of the issue. These projects have all applied the required fix.”

Late last year, Optimism removed its whitelist, allowing any developer to start building projects on the Optimism network. Prior to this, the network was only accessible to specific projects such as Uniswap and Synthetix. This limitation made it easier for developers to detect and resolve potential bugs.

Related: MakerDAO launches biggest ever bug bounty with $10M reward

Optimism is a Layer 2 scaling solution for the Ethereum network, employing “optimistic rollups” that aggregate transactions outside of the Ethereum blockchain.

This provides the benefits of reducing slippage, decreasing transaction costs and vastly improving transaction speeds. However, as this bug has made clear, while Layer 2 protocols offer improvements in efficiency, security during ongoing development remains a common point of concern.

While this bounty is one of the largest to have been paid out so far, MakerDAO has just announced that it will be offering a maximum bounty of $10M to anyone who can point out critical security threats in its smart contracts. This is the largest series of bug bounties ever to have been hosted on the bug bounty platform Immunefi.


Immunefi to bolster DeFi security service with new funds

The platform has paid out more than $7.5 million in bug bounties since inception in December 2020.

DeFi security platform Immunefi has announced $5.5 million in funding from a panoply of eleven institutional investors, including Blueprint Forest, Electric Capital, Framework Ventures and Bitscale Capital, in addition to a series of private individuals.

Immunefi will utilize the funds to advance its services in DeFi security, providing asset protection to smart contract protocols, as well as implementing financial incentives to benevolent hackers.

The service is reportedly responsible for protecting more than $50 billion in protocol assets from projects such as Synthetix, Chainlink, SushiSwap and PancakeSwap. It has paid out $7.5 million in bug bounties throughout its history.

According to analytical data from REKT Database, the DeFi space has experienced malicious hacks totaling more than $1.74 billion in its entire lifespan, a vast proportion of which has been witnessed in the months since July 2021.

The $609 million hack of cross-chain protocol Poly Network in early August this year bears the undesirable crown of the industry's largest-ever hack. However, in a welcome and unusual turn, Mr. White Hat — as they came to be known — returned all of the available funds, the remaining balance being the $33 million in USDT tokens that had initially been frozen.

Over the past year, the prevalence and severity of financial breaches within the DeFi space have established a surging demand for security services such as Immunefi.

Related: ​​White hat hacker paid DeFi’s largest reported bounty fee

Founder and CEO of Immunefi, Mitchell Amador, spoke of the importance of offering DeFi protective measures:

“DeFi is unique because vulnerabilities in code represent a possibility of a direct loss of users’ money. Bug bounty programs are open invitations to security researchers to find those vulnerabilities in exchange for a reward, and have proved one of the most effective ways to deal with critical security holes.”

In late September, a $1.05 million bug bounty fee was paid to renowned white hat programmer Alexander Schlindwein in the aftermath of the Belt Finance saga, for his instrumental role in preventing a potential $10 million downfall for the protocol. The claim was facilitated through Immunefi’s specialist bounty program.

More recently, white hat hacker Gerhard Wagner pocketed a cool $2 million for diligently advising a solution to a "double-spend" flaw on the Polygon network, preventing a potentially catastrophic $850 million loss; the $2 million reward now stands as an industry record.

Immunefi’s Amador also commented on the potential impact a service such as Immunefi could have on the wider technology landscape:

"We believe that by helping launch such programs on Immunefi, we contribute not only to protecting DeFi projects for today, but also to shaping the tech industry for the future.”


Poly Network Says Stolen User Assets on ETH Have Been Returned, Except Frozen USDT

On Friday, a few days after the initial hack for $611 million, the Poly Network project detailed that the company has obtained all the assets stolen minus the frozen tether that was blacklisted by Tether Limited. The Poly Network team said they are in control of the funds along with "Mr. White Hat," but the […]

You’re Wrong About Economics and Why You Should Learn To Love Bitcoin

Poly Network Hacker Says ‘In the Defi World Code Is Law’ While Returning Millions in Defi Tokens

Two days after the notorious Poly Network hack, the hacker continues to send funds back to the project. On August 12, the Poly Network hacker so far has returned millions worth of ether, thousands of uni tokens, 1,032 wrapped bitcoins, and 96 million in stablecoins. The day prior, after returning $260 million in tokens, the […]


Poly Network Defi Hacker Returns a Large Fraction of Tokens, Chainalysis Evaluates Hacker’s Onchain Movements

On August 11, the blockchain intelligence firm Chainalysis published its findings on the recent Poly Network hack, which saw the loss of approximately $611 million in crypto tokens. The assessment from Chainalysis backed up the claims made by the security company Slowmist, which shows the hacker left a fingerprint on the relatively unknown exchange Hoo.com. […]


Poly Network hacker returns $258M, conducts AMA on how it went down

$258 million worth of stolen crypto assets have been returned so far and the hacker claims they are keeping the rest of the funds safe while they negotiate with Poly.

The Poly Network hacker has now returned $258 million to the cross-chain DeFi protocol and conducted a question and answer session detailing how the initial hack went down.

In what is being described as the largest DeFi hack to date, Poly Network suffered a $612 million exploit on Aug. 10 which saw the hacker steal assets from Ethereum, Binance Chain and the Polygon network.

Tom Robinson, the chief scientist at blockchain analytics firm Elliptic, told Forbes on Aug. 11 that the hacker has now returned roughly $258 million worth of funds to Poly so far — with $342 million yet to be returned.

The attacker stated their willingness to return the stolen funds on multiple occasions, which has led to suggestions that it may have been a white hat hack to teach Poly an expensive lesson about its security flaws.

However, that view wasn’t necessarily shared by Robinson who stated that the returning of funds “demonstrates that even if you can steal crypto-assets, laundering them and cashing out is extremely difficult due to the transparency of the blockchain.”

The hacker has conducted an AMA (Ask Me Anything) using embedded messages in Ethereum transactions, and while they appear to be a non-native English speaker, what is lost in translation is their grand plan.

When asked why they were hacking, and why the Poly protocol in particular, the hacker stated "for fun" and because "cross-chain hacking is hot."

Despite such answers, they then proceed to claim the hack was conducted for noble causes, and that they have since been transferring tokens between addresses only to keep them safe:

"When spotting the bug, I had a mixed feeling. Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion. I can trust nobody! The only solution I can come up with is saving it in a trusted account.”

“Now everyone smells a sense of conspiracy. Insider? Not me, but who knows? I take the responsibility to expose the vulnerability before any insiders hiding and exploiting it!” they added.

Users on Twitter noted that the hacker was asking for guidance on how to deposit funds into Tornado Cash, which is a decentralized protocol that enables private Ethereum transactions.

The attacker was also quizzed on why they had been selling and swapping some of the stolen stablecoins, to which they responded: "I was pissed by the Poly team for their initial response."

Related: Possible ‘white hat hacker’ exploits THORChain for $8M, proposes 10% bounty

The Poly team posted an open letter to the hacker yesterday that urged them to return the stolen assets as “law enforcement in any country will regard this as a major economic crime and you will be pursued.”

The hacker goes on to say that “they urged others to blame me and hate me before I had any chance to reply!” and that they had no intentions of laundering the money:

“In the meanwhile, depositing the stables could earn some interest to cover potential cost so that I have more time to negotiate with the Poly team.”
