
White Hat

Telegram Game on Brand-New Ethereum Layer-2 Scaler Blast Exploited for $4,600,000 in Reported White Hat Hack

An unknown entity has exploited a Telegram-based game that runs on the newly launched Ethereum (ETH) layer-2 scaling solution Blast Network. In a post on social media platform X, the team behind the game Super Sushi Samurai (SSS) says token transfers are paused after an attacker exploited a vulnerability that allows exploiters to double their […]

The post Telegram Game on Brand-New Ethereum Layer-2 Scaler Blast Exploited for $4,600,000 in Reported White Hat Hack appeared first on The Daily Hodl.

Ethereum Technical Analysis: ETH Bulls Maintain Drive Amid Fluctuations and Uncertainty

Immunefi launches on-chain bug bounties through ‘Vaults’ system

The Web3 security platform now allows projects to deposit bounty funds to a Safe smart contract, proving the funds are available.

Blockchain security platform Immunefi has launched an on-chain system for bug bounties, according to a Sept. 26 announcement. The new system, called “Vaults,” allows Web3 developers to escrow funds in an on-chain address and use them to pay out bug bounties to white hat hackers.

Immunefi believes the new system will help projects “demonstrate to whitehats [...] that they have allocated sufficient funds to pay bounties,” which it hopes will result in “more top-tier bug reports” being submitted.

List of Immunefi bug bounties. Source: Immunefi

Software developers often offer rewards, called “bug bounties,” to hackers who discover exploits or other bugs in their software. This sometimes allows vulnerabilities to be found before bad actors can exploit them. Hackers who submit bug reports for rewards instead of taking advantage of an exploit are called “white hat” hackers, while “black hat” hackers use their knowledge for malicious purposes.

Related: Projects would rather get hacked than pay bounties, Web3 developer claims

According to the announcement, the new Immunefi system allows projects to deposit their bug bounty funds to a Safe multisig smart contract (formerly called a “Gnosis Safe”). This provides white hats with on-chain proof that the funds are available. Once a bug is submitted and a project has confirmed it’s genuine, the project can release the funds to the bug reporter’s wallet.

During the Vaults launch, Ethereum infrastructure provider SSV posted a $1 million deposit to help pay bug bounties for its software. Decentralized exchange Ref Finance, which is on the Near network, also uses the new system. SSV DAO contributor Eridian claimed that on-chain bug bounties will help provide better security for the DAO’s validator services, stating:

“The Vaults System will help us provide added reassurance for any researcher engaging with our bounty program, and in turn help secure the protocol even further. A good win-win. Building further trust with the community by showcasing dedicated funding, and streamlining the payment process, will ultimately strengthen our security efforts.”

In December 2022, Immunefi reported that it had facilitated $66 million in bug bounty payouts since the platform’s inception. LayerZero released a $15 million bug bounty through Immunefi on May 17.


Hashflow assures users will be made ‘whole’ following $600K exploit

The trading platform has provided instructions for the recovery of funds lost through a contract approval vulnerability.

Crypto trading platform Hashflow has assured affected users will be “made whole” following an exploit that saw at least $600,000 in digital assets removed from the platform.

On June 14, blockchain security firm Peckshield reported an ongoing issue with the Hashflow trading platform.

“It appears there is an approve-related issue,” the firm noted, reporting losses of around $600,000 in Arbitrum (ARB) and Ethereum (ETH).

A couple of hours later, Hashflow alerted users that they were addressing the current situation related to contract approvals as flagged by Peckshield, adding:

“All users comprising the ~$600K affected will be made whole.”

The firm, which provides cross-chain swaps as part of its trading services, added that its decentralized exchange “was in no way impacted and remains fully operational.”

Peckshield suggested that the hacker that carried out the exploit may be a white hat hacker, as they provided a contract with a recovery function along with a second option for a donation.

Hashflow updated its status on June 15, providing recovery instructions for those affected by the exploit, which impacted Ethereum, Arbitrum, Avalanche, BNB Chain, and Polygon.

Users were told they must “revoke approvals before recovering funds.”

There are two options for fund recovery: the first recovers the total funds, and the second donates 10% to the supposed white hat hacker who exploited the vulnerability but prevented further losses in doing so.

DeFi enthusiast ‘YannickCrypto’ detailed the process, noting that the white hat had verified the contract but warning that users must revoke token allowances to deprecated contracts or they’ll get hacked again.

Hashflow’s native token, HFT, fell 7% in the 12 hours following the incident, falling to $0.338 at the time of writing, according to CoinGecko. The token remains down 90% from its November 2022 all-time high of $3.61.

Related: DeFi-type projects received the highest number of attacks in 2022: Report

It is the second DeFi exploit this week as lending platform Sturdy Finance lost around $800,000 worth of Ethereum on June 12. The vulnerability was related to price manipulation, according to Peckshield which issued the alert.

Sturdy Finance offered a bounty of $100,000 to the exploiter for the return of the funds.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story


Allbridge exploiter returns most of the $573K stolen in attack

An exploit resulted in around $573,000 in crypto looted from Allbridge, but the hacker has now seemingly accepted the offer of a “white hat bounty.”

A large portion of the roughly $573,000 pilfered from the multichain token bridge Allbridge has been returned after the exploiter seemingly took up the project’s offer for a white hat bounty and no legal retaliation. 

Allbridge tweeted on April 3 that it received a message from an individual and 1,500 BNB (BNB), worth around $465,000, was returned to the project.

"The remaining funds will be considered a white hat bounty to this person," Allbridge said.

It explained that all the "received BNB" was then converted to the stablecoin Binance USD (BUSD) to be used as compensation.

Blockchain security firm Peckshield first identified the attack carried out on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper.

Following the exploit Allbridge offered the attacker a bounty and the chance to escape any legal ramifications.

Allbridge has yet to publicly disclose how much was stolen, but blockchain security firm CertiK said the sum is close to $550,000, while PeckShield said the exploit netted $282,889 in BUSD and $290,868 worth of Tether (USDT), totaling roughly $573,000.

Allbridge also revealed that a second address used the same exploit and shared a link to a wallet that currently contains 0.97 BNB, valued at around $300.

"We ask the second exploiter to reach out and discuss the return," Allbridge said.

Following the initial exploit, Allbridge made it clear they were hot on the trail of the stolen funds and were working with a wide variety of organizations to retrieve the stolen loot.

Related: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report

BNB Chain was among those who answered the call to arms and reported in an April 2 tweet that it discovered at least one of the culprits involved through on-chain analysis.

According to BNB Chain it’s "actively supporting the Allbridge team on the fund recovery," and gave a shout-out to AvengerDAO for its efforts in the recovery.

Cointelegraph contacted Allbridge for further comment but did not receive an immediate response.

Magazine: US and China try to crush Binance, SBF's $40M bribe claim: Asia Express


Allbridge offers bounty to exploiter who stole $573K in flash loan attack

Allbridge offered a hacker who pilfered $573,000 from its platform a chance to come forward as a white hat and forgo any legal ramifications.

The attacker behind a $573,000 exploit on the multichain token bridge Allbridge has been offered a chance by the firm to come forward as a white hat and claim a bounty.

Blockchain security firm Peckshield first identified the attack on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper, who was able to drain the pool of $282,889 in Binance USD (BUSD) and $290,868 worth of Tether (USDT).

In an April 1 tweet following the hack, Allbridge offered an olive branch to the attacker in the form of an undisclosed bounty and the chance to escape any legal ramifications.

“Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds,” Allbridge wrote.

In a separate series of tweets, Allbridge made it clear they are hot on the trail of the stolen funds.

With the help of its “partners and community,” Allbridge said it’s “tracking the hacker through social networks.”

“We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack,” it added.

Allbridge also stated it’s working with law firms, law enforcement and other projects affected by the exploiter.

According to Allbridge, its bridge protocol has been temporarily suspended to prevent the potential exploits of its other pools; once the vulnerability has been patched, it will be restarted.

“In addition, we are in the process of deploying a web interface for liquidity providers to enable the withdrawal of assets,” it added.

Blockchain security firm CertiK offered an in-depth breakdown of the hack in an April 1 post, identifying the method used as a flash loan attack.

CertiK explained the attacker took a $7.5 million BUSD flash loan, then initiated a series of swaps for USDT before deposits in BUSD and USDT liquidity pools on Allbridge were made. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 USDT.

Related: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report

According to a March 31 tweet from PeckShield, March saw 26 crypto projects hacked, resulting in total losses of $211 million. 

Euler Finance’s March 13 hack was responsible for over 90% of the losses, while other costly exploits were suffered by projects including Swerve Finance, ParaSpace and TenderFi. 

Cointelegraph contacted Allbridge for comment but did not receive an immediate response.

Magazine: Crypto winter can take a toll on hodlers’ mental health


Hacker returns stolen funds to Tender.fi, gets $97K bounty reward

The bounty, which was offered via an on-chain message, was approximately $97,000, or approximately 6% of the exploit amount.

The hacker behind the exploit of the decentralized finance (DeFi) lending platform Tender.fi has returned the stolen funds for a $97,000 bounty reward in Ether (ETH). 

The exploit was executed at 10:28 am UTC on Mar. 7, with Tender.fi confirming the incident on Twitter soon after, citing “an unusual amount of borrows” and adding that it had paused all borrowing.

Blockchain data showed the exploiter used a price oracle glitch to borrow $1.59 million worth of assets from the protocol by depositing 1 GMX token, valued at around $71.

“It looks like your oracle was misconfigured. contact me to sort this out,” wrote the hacker in an on-chain message.

Message sent to Tender.fi from the price oracle exploiter. Source: Arbiscan

Eight hours later, the DeFi protocol announced it had come to an agreement with the “White Hat” exploiter, in which the hacker would repay all loans minus a 62.16 ETH “bounty,” worth around $97,000 at current prices. 

Another hour later, Tender.fi confirmed on Twitter that the exploiter had completed the loan repayments.

“Funds are officially SaFu, post mortem on the way,” it wrote. 

Related: DeFi lender Tender.fi suffers exploit, white hat hacker suspected

Last year in August, cross-chain Nomad Bridge appealed to exploiters that participated in a smart contract exploit that extracted $190 million in funds from the bridge in less than three hours.

Mere hours later, approximately $32.6 million worth of funds were already returned, suggesting some of the exploiters may have been white hat hackers attempting to extract funds for a later safe return.

Later in the month, nonfungible token (NFT) firm Metagame even offered a “Whitehat Prize” in the form of an NFT for anyone that proved they returned at least 90% of the funds they stole from the protocol.

Blockchain data from the Official Nomad Funds Recovery Address shows that funds continued to be returned to the recovery address since then, with the latest transaction recorded on Feb. 18, 2023, for $7,868 in Covalent Query Token (CQT).


‘FTX Accounts Drainer’ Offloads 50,000 ETH, Entity Uses Ren’s Bitcoin Gateway to Acquire BTC

The ethereum wallet known as the “FTX Accounts Drainer” has started to offload the ethereum it collected this past week after becoming the 27th largest ether address. On Nov. 19, 2022, the wallet held 250,735 ether, but by 7:44 a.m. (ET) on Nov. 20, the “FTX Accounts Drainer” transferred roughly 50,000 ether out of the […]


White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?

The ethical exploiter thanked Arbitrum for the 400 ETH payday, but said such a find should be eligible for the max bounty of nearly 1,500 ETH, or $2 million.

A self-described white hat hacker has uncovered a “multi-million dollar vulnerability” in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find.

Known as riptide on Twitter, the hacker described the exploit as the use of an initializing function to set their own bridge address, which would hijack all incoming ETH deposits from those trying to bridge funds from Ethereum to Arbitrum Nitro.

Riptide explained the exploit in a Medium post on Sept. 20:

“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.”

The hack could have potentially netted tens or even hundreds of millions worth of ETH, as the largest deposit riptide recorded in the inbox was 168,000 ETH, worth over $225 million, and typical deposits ranged from 1000 to 5000 ETH in a 24-hour period, worth between $1.34 million and $6.7 million.

Despite the earning potential from the ill-gotten gains, riptide was thankful that the “extremely based Arbitrum team” provided a 400 ETH bounty, worth over $536,500. However, they added later on Twitter that such a find “should be eligible for a max bounty,” which is worth $2 million.

Neither Arbitrum nor its creator company OffChain Labs have publicly commented on the exploit. Cointelegraph contacted OffChain Labs for comment but did not immediately hear back.

Related: ETHW confirms contract vulnerability exploit, dismisses replay attack claims

Arbitrum is a layer-2 Optimistic Rollup solution for Ethereum, clustering batches of transactions before submitting them to the Ethereum network in an effort to minimize network congestion and save on fees. Arbitrum Nitro launched on Aug. 31st as an upgrade aimed at simplifying communication between Arbitrum and Ethereum and increasing transaction throughput at lower fees.

Similar style bridge hacks have been successful for exploiters this year, notably the $100 million stolen from the Horizon Bridge in June and the recent Nomad token bridge incident in August which saw $190 million drained by the original and “copycat” hackers repeating the exploit.


White hat hackers have returned $32.6M worth of tokens to Nomad bridge

The cross-chain bridge was drained of its assets in less than three hours.

Mere hours after the Nomad token bridge published an Ethereum wallet address last week for the return of funds following a $190 million hack, whitehat hackers have since returned approximately $32.6 million worth of funds. The vast majority of funds consisted of stablecoins USD Coin (USDC), Tether (USDT) and Frax, along with altcoins. 

According to research published by Paul Hoffman of BestBrokers, the vulnerability of the Nomad protocol was highlighted in Nomad's recent audit by Quantstamp on June 6 and was deemed "Low Risk." As soon as the exploit was discovered, members of the public joined the attack by copy-pasting the initial hack transaction, which was akin to a "decentralized robbery." More than $190 million worth of cryptocurrencies were drained from Nomad in less than three hours.

The attack came just four months after the project raised $22.4 million in a seed round in April. As told by Hoffman, the attack took advantage of a wrongly initialized Merkle root, which is used in cryptocurrencies to ensure that data blocks sent through a peer-to-peer network are whole and unaltered. A programming error effectively auto-proved any transaction message to be valid.

Related: Nomad reportedly ignored security vulnerability that led to $190M exploit

Not all participants of the heist were capitalizing on the opportunity, though. Almost immediately after the hack began, whitehat hackers copied the same transaction hash as the original hacker to withdraw funds for their safe return. Conversely, one hacker allegedly used their Ethereum Domain Name to launder the stolen funds, leading to the possibility of cross-verification with Know-Your-Customer information also utilizing the domain. 


Multichain hacker returns 322 ETH, keeps hefty finders fee

Owing to a security vulnerability in six tokens, Multichain users lost more than $3M over the week. A white hat hacker returned 322 ETH, but in excess of 527 ETH is still exploited.

In a dramatic twist, one of this week’s Multichain hackers has returned 322 ETH ($974,000 at the time of writing) to the cross-chain router protocol and one of the affected users.

However, the hacker kept 62 ETH ($187,000) as a “bug bounty”, and a total of 528 ETH (worth $1.6M) remains outstanding after the exploits.

Earlier this week, news emerged of a security vulnerability with Multichain relating to the tokens WETH, PERI, OMT, WBNB, MATIC, and AVAX, and $1.43 million was stolen. Multichain announced on Jan. 17 the critical vulnerability had been “reported and fixed.”

However, publicity about the vulnerability reportedly encouraged a number of different attackers to swoop in, and more than $3 million in funds were stolen. The critical vulnerability in the six tokens still exists, but Multichain has drained around $44.5m of funds from multiple chain bridges to protect them.

One of the hackers, calling himself a "white hat," has been in communication with both Multichain and a user who lost $960,000 in the past day or so, to negotiate returning 80% of the money in return for a hefty finders fee.

According to a Jan. 20 tweet from ZenGo wallet co-founder Tal Be’ery, the hacker claimed they had been “saving the rest” of the Multichain users who were being targeted by bots, in an act of defensive hacking.

The funds were returned across four transactions. On Jan. 20 the hacker returned 269 ETH ($813,000) in two transactions directly to the user he stole it from and kept a bug bounty of 50 ETH ($150,000).

The relieved user responded to the hacker:

“Well received, thank you for your honesty.”

Overnight, the hacker also returned 50 ETH ($150,000) across two transactions to the official Multichain address, and kept a bug bounty of 12 ETH ($36,000).

Related: Multichain asks users to revoke approvals amid ‘critical vulnerability’

Multichain (formerly Anyswap) aims to be the “ultimate router for Web3.” The platform supports 30 chains at the moment, including Bitcoin (BTC), Ethereum (ETH), Avalanche (AVAX), Litecoin (LTC), Terra (LUNA), and Fantom (FTM).

In a tweet on Jan. 20, the Co-Founder and CEO of Multichain, Zhaojun, conceded that Multichain bridge contracts need a pause function to deal with similar incidents in the future.

Cointelegraph has contacted the project for comment.
