
White Hat

White hat hackers have returned $32.6M worth of tokens to Nomad bridge

The cross-chain bridge was drained of its assets in less than three hours.

Within hours of the Nomad token bridge publishing an Ethereum wallet address last week for the return of funds following a $190 million hack, whitehat hackers had returned approximately $32.6 million worth of funds. The vast majority of the returned funds consisted of the stablecoins USD Coin (USDC), Tether (USDT) and Frax, along with altcoins.

According to research published by Paul Hoffman of BestBrokers, the vulnerability of the Nomad protocol was highlighted in Nomad's recent audit by Quantstamp on June 6 and was deemed "Low Risk." As soon as the exploit was discovered, members of the public joined the attack by copy-pasting the initial hack transaction, which was akin to a "decentralized robbery." More than $190 million worth of cryptocurrencies were drained from Nomad in less than three hours.

The attack came just four months after the project raised $22.4 million in a seed round in April. As told by Hoffman, the attack took advantage of a wrongly initialized Merkle root, which is used in cryptocurrencies to ensure that data blocks sent through a peer-to-peer network are whole and unaltered. A programming error effectively auto-proved any transaction message to be valid.
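How a wrongly initialized trusted root can make every message look proven is shown in the added example below, which is a simplified model and not Nomad's code or anything from the research cited above. The class, its method names and the sample values are hypothetical; it assumes that a message nobody has proven reads back as the all-zero root, the default value of an unset slot.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # value an unset 32-byte storage slot reads as

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Replica:
    """Hypothetical, simplified inbound-message checker for a bridge."""

    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        if reject_zero_root and trusted_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.reject_zero_root = reject_zero_root
        self.confirmed_roots = {trusted_root}
        self.proven_under = {}  # message hash -> root it was proven against

    def prove(self, message: bytes, root: bytes, proof_ok: bool) -> None:
        # proof_ok stands in for real Merkle proof verification.
        if not proof_ok:
            raise ValueError("invalid Merkle proof")
        self.proven_under[digest(message)] = root

    def process(self, message: bytes) -> bool:
        # A never-proven message falls back to the zero root.
        root = self.proven_under.get(digest(message), ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return root in self.confirmed_roots

def unproven_message_accepted(trusted_root: bytes, reject_zero_root: bool) -> bool:
    replica = Replica(trusted_root, reject_zero_root)
    return replica.process(b"constructed sample: message nobody proved")

def proven_message_accepted(trusted_root: bytes) -> bool:
    replica = Replica(trusted_root, reject_zero_root=True)
    replica.prove(b"constructed sample: proven message", trusted_root, proof_ok=True)
    return replica.process(b"constructed sample: proven message")

REAL_ROOT = digest(b"constructed sample root")

if __name__ == "__main__":
    print("zero root trusted, no guard:", unproven_message_accepted(ZERO_ROOT, False))
    print("real root trusted, no guard:", unproven_message_accepted(REAL_ROOT, False))
    print("real root trusted, guarded: ", unproven_message_accepted(REAL_ROOT, True))
    print("proven message, guarded:    ", proven_message_accepted(REAL_ROOT))
```

The guard belongs in both places: initialization should refuse a zero root, and message processing should treat the zero root as "never proven" regardless of what the trusted set contains.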

Related: Nomad reportedly ignored security vulnerability that led to $190M exploit

Not all participants of the heist were capitalizing on the opportunity, though. Almost immediately after the hack began, whitehat hackers copied the same transaction hash as the original hacker to withdraw funds for their safe return. Conversely, one hacker allegedly used their Ethereum Domain Name to launder the stolen funds, leading to the possibility of cross-verification with Know-Your-Customer information also utilizing the domain. 

Crypto Trader Says One Top-50 Altcoin Could Go Up by Over 100%, Updates Outlook on Bitcoin and Ethereum

Multichain hacker returns 322 ETH, keeps hefty finders fee

Owing to a security vulnerability in six tokens, Multichain users lost more than $3M over the week. A white hat hacker returned 322 ETH, but in excess of 527 ETH is still exploited.

In a dramatic twist, one of this week’s Multichain hackers has returned 322 ETH ($974,000 at the time of writing) to the cross-chain router protocol and one of the affected users.

However, the hacker kept 62 ETH ($187,000) as a “bug bounty”, and a total of 528 ETH (worth $1.6M) remains outstanding after the exploits.

Earlier this week, news emerged of a security vulnerability with Multichain relating to the tokens WETH, PERI, OMT, WBNB, MATIC, and AVAX, and $1.43 million was stolen. Multichain announced on Jan. 17 the critical vulnerability had been “reported and fixed.”

However, publicity about the vulnerability reportedly encouraged a number of different attackers to swoop in, and more than $3 million in funds were stolen. The critical vulnerability in the six tokens still exists, but Multichain has drained around $44.5m of funds from multiple chain bridges to protect them.

One of the hackers, calling himself a "white hat," has been in communication with both Multichain and a user who lost $960,000 in the past day or so, to negotiate returning 80% of the money in return for a hefty finders fee.

According to a Jan. 20 tweet from ZenGo wallet co-founder Tal Be’ery, the hacker claimed they had been “saving the rest” of the Multichain users who were being targeted by bots, in an act of defensive hacking.

The funds were returned across four transactions. On Jan. 20 the hacker returned 269 ETH ($813,000) in two transactions directly to the user he stole it from and kept a bug bounty of 50 ETH ($150,000).

The relieved user responded to the hacker:

“Well received, thank you for your honesty.”

Overnight, the hacker also returned 50 ETH ($150,000) across two transactions to the official Multichain address, and kept a bug bounty of 12 ETH ($36,000).

Related: Multichain asks users to revoke approvals amid ‘critical vulnerability’

Multichain (formerly Anyswap) aims to be the “ultimate router for Web3.” The platform supports 30 chains at the moment, including Bitcoin (BTC), Ethereum (ETH), Avalanche (AVAX), Litecoin (LTC), Terra (LUNA), and Fantom (FTM).

In a tweet on Jan. 20, the Co-Founder and CEO of Multichain Zhaojun conceded that Multichain bridge contracts need a pause function to deal with similar incidents in future.

Cointelegraph has contacted the project for comment.


SushiSwap denies reports of billion dollar bug

Claims by a self professed white-hat hacker about a major security risk to SushiSwap liquidity providers have been rejected by one of the exchange’s devs.

The developer behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under threat, stating they went public with the information after attempts to reach out to SushiSwap’s developers resulted in inaction.

The hacker claims to have identified a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and the pools on SushiSwap’s non-Ethereum deployments such as Polygon, Binance Smart Chain and Avalanche.

While the emergencyWithdraw function allows liquidity providers to immediately claim their LP tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool — forcing liquidity providers to wait for the pool to be manually refilled over a roughly 10-hour process before they can withdraw their tokens.

“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,” the hacker claimed, adding:

“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.” 

However, SushiSwap’s pseudonymous developer has taken to Twitter to reject the claims, with the platform's "Shadowy Super Coder" Mudit Gupta stressing that the threat described “is not a vulnerability” and that “no funds are at risk.”

Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:

“The hacker's claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”

Related: SushiSwap’s token launchpad, MISO, hacked for $3M

The hacker said they had been instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $40,000 to users that report risky vulnerabilities in their code — after they first reached out to the exchange.

They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating they were aware of the matter described.


Poly Network hacker returns nearly all funds, refuses $500K white hat bounty

"The poly did offered a bounty, but I have never responded to them. Instead, I will send all of their money back," said the hacker.

The hacker behind a $610 million attack on the cross-chain decentralized finance (DeFi) protocol Poly Network has returned almost all of the stolen funds amid the project saying their actions constituted “white hat behavior.”

According to a Thursday update on the attack from Poly Network, all of the $610 million in funds taken in an exploit that used "a vulnerability between contract calls” have now been transferred to a multisig wallet controlled by the project and the hacker. The only remaining tokens are the roughly $33 million in Tether (USDT), which were frozen immediately following news of the attack.

The hacker had been communicating with the Poly Network team and others through embedded messages in Ethereum transactions. They seemed to have not planned to transfer the funds after successfully stealing them, and claimed to do the hack “for fun” because “cross-chain hacking is hot.”

Related: DAO Maker crowdfunding platform loses $7M in latest DeFi exploit

However, after speaking with the project and users, the hacker returned $258 million of the funds on Wednesday. Poly Network said it determined that the attack constituted “white hat behavior” and offered the hacker, whom it dubbed “Mr. White Hat,” a $500,000 bounty:

"We assure you that you will not be accountable for this incident. We hope that you can return all the tokens as soon as possible [...] We will send you the 500k bounty when the remainings are returned except the frozen USDT.”

"The poly did offered a bounty, but I have never responded to them. Instead, I will send all of their money back," said the hacker.

With the remainder of the funds, with the exception of the frozen USDT, now returned, the biggest hack in decentralized finance seems to be coming to an end. Though the hacker’s identity has yet to be made public, Chinese cybersecurity firm SlowMist posted an update shortly after news of the hack broke, saying its analysts had identified the attacker's email address, IP address and device fingerprint.


Millions Drained in ForceDAO Attacks, White Hat Returns Funds

Another multi-million dollar rug pull has hit the DeFi space. This weekend, ForceDAO is the victim. 

Disaster for ForceDAO 

ForceDAO has suffered a major attack. 

The exploit centers on a bug in the xFORCE contract’s code, which allowed anyone to call the “deposit” function regardless of whether they were holding FORCE tokens. That meant it was possible to mint xFORCE tokens from the contract without locking any tokens in the vault.

Anyone could then exchange these tokens for FORCE by calling the “withdraw” function in the contract. 
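The deposit-then-withdraw flaw described above can be reproduced in a small model, added here as an illustration and not taken from ForceDAO's contracts. It assumes one common way such a bug arises: the token's transfer call reports failure by returning false rather than aborting, and the vault ignores that result. All class and account names are hypothetical, and shares are minted 1:1 for simplicity.

```python
class Token:
    """Constructed token whose transfer_from returns False instead of raising."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, src: str, dst: str, amount: int) -> bool:
        if self.balances.get(src, 0) < amount:
            return False  # failure is only signalled through the return value
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

class Vault:
    """Hypothetical staking vault that mints shares for deposited tokens."""

    def __init__(self, token: Token, check_transfer: bool):
        self.token = token
        self.check_transfer = check_transfer
        self.shares = {}

    def deposit(self, user: str, amount: int) -> None:
        ok = self.token.transfer_from(user, "vault", amount)
        if self.check_transfer and not ok:
            raise RuntimeError("transfer failed; no shares minted")
        self.shares[user] = self.shares.get(user, 0) + amount

    def withdraw(self, user: str, amount: int) -> None:
        if self.shares.get(user, 0) < amount:
            raise RuntimeError("insufficient shares")
        self.shares[user] -= amount
        if not self.token.transfer_from("vault", user, amount):
            raise RuntimeError("vault cannot pay out")

    def is_backed(self) -> bool:
        # Invariant worth monitoring: shares never exceed tokens held.
        return self.token.balances.get("vault", 0) >= sum(self.shares.values())

def scenario(check_transfer: bool):
    """Honest 'alice' stakes 100; 'mallory' holds nothing but tries to stake 100."""
    token = Token({"alice": 100})
    vault = Vault(token, check_transfer)
    vault.deposit("alice", 100)
    try:
        vault.deposit("mallory", 100)
        vault.withdraw("mallory", 100)
    except RuntimeError:
        pass
    return token.balances.get("mallory", 0), vault.is_backed()
```

With the check disabled, `scenario(False)` leaves the empty-handed account holding alice's 100 tokens and the vault unbacked; with it enabled, the deposit aborts before any shares exist.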

Several attackers took advantage of the exploit earlier this morning. One of them took about 14.8 million FORCE, which had a notional value of around $34 million at the time. They’ve since returned the funds to the pool.

However, four others drained another 6.75 million tokens and have begun exchanging their takings for ETH on various exchanges. As the white hat attacker had already found the exploit, liquidity plunged, which meant every subsequent attacker earned significantly less for their FORCE. 

Mudit Gupta, blockchain team lead at Polymath Network, detailed the attack in a tweetstorm.   

ForceDAO organized a highly anticipated airdrop yesterday, in which FORCE tokens were distributed to active Ethereum users. It was trading at around $2.30 earlier this morning but has since plummeted. At one point, it was down 95% and is now worth around $0.26.

One of the black hat attackers used an address linked to the centralized exchange FTX, which gives some hope that the funds may be recovered. Most of the rest, though, has already been sold through the decentralized exchanges 1inch and SushiSwap. 

ForceDAO took to Twitter to confirm the attack. According to the team, a post-mortem will follow. 

This is a developing story and will be updated as further details surface.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. They also had exposure to SUSHI in a cryptocurrency index. 
