Weekly Blockchain Security Report by Fairyproof — June 20 to June 26
During the week from June 20 to June 26, 2022, the security incidents in the crypto space were either security hacks or rug pulls.
Here is a list of the security hacks:
1. Whaleswap Finance
On June 20, Whaleswap Finance, a DeFi application deployed on the BNB chain, was attacked.
The attacker’s address was 0xD793FF8D744828c25DA7F80123B88Dd5c2Bf7A50.
The attacking contracts were deployed at the following address on the BNB chain:
The attacked contracts were deployed at the following addresses on the BNB chain:
0x8Bfee2cAFF6b5D4Ac9F438F4b1f36FeeB5E76794 (WhaleswapPair) and
The hash values of the attack transactions were:
Crypto assets valued at around $12,000 were exploited.
The root cause was that the validation of the K value in the AMM algorithm was incorrect.
In the swap function defined in the WhaleswapPair contract, the transaction fee ratio should be either 4/10000 or 25/10000, depending on the “stable” value. However, the ratio actually used was 2/10000, which made the validation of the K value incorrect. The attacker exploited this vulnerability, leveraging a flash loan to borrow a large amount of token A and pay back the loan with token B, whose price was much lower than token A’s.
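The fee mismatch described above can be caught with a regression check before deployment. The following is an added example, not Whaleswap's code: it assumes a simplified Uniswap-V2-style K check, and the function names and pool sizes are hypothetical; only the fee ratios come from the report.

```python
# Added illustration: simplified Uniswap-V2-style K check, not Whaleswap's code.
FEE_BASE = 10_000            # fees are expressed in units of 1/10000
INTENDED_FEES = (4, 25)      # ratios the report says swap() should apply
CHECK_FEE_USED = 2           # ratio the report says was actually used


def k_check(reserve_in, reserve_out, amount_in, amount_out, fee):
    """Return True if the swap keeps the fee-adjusted product >= the old K."""
    balance_in = reserve_in + amount_in
    balance_out = reserve_out - amount_out
    adjusted_in = balance_in * FEE_BASE - amount_in * fee
    adjusted_out = balance_out * FEE_BASE      # nothing paid in on this side
    return adjusted_in * adjusted_out >= reserve_in * reserve_out * FEE_BASE**2


def max_amount_out(reserve_in, reserve_out, amount_in, fee):
    """Largest output that k_check() accepts for this input and fee."""
    in_after_fee = amount_in * (FEE_BASE - fee)
    return in_after_fee * reserve_out // (reserve_in * FEE_BASE + in_after_fee)


def audit_fee_mismatch(reserve_in, reserve_out, amount_in, intended_fee,
                       check_fee=CHECK_FEE_USED):
    """Compare the check as deployed with the check as intended."""
    out_deployed = max_amount_out(reserve_in, reserve_out, amount_in, check_fee)
    out_intended = max_amount_out(reserve_in, reserve_out, amount_in, intended_fee)
    return {
        # Output tokens released beyond what the intended fee would allow.
        "extra_output": out_deployed - out_intended,
        "deployed_accepts": k_check(reserve_in, reserve_out, amount_in,
                                    out_deployed, check_fee),
        "intended_accepts": k_check(reserve_in, reserve_out, amount_in,
                                    out_deployed, intended_fee),
    }


if __name__ == "__main__":
    # Constructed pool: 1,000,000 of each token (18 decimals), 10,000 swapped in.
    R = 1_000_000 * 10**18
    for fee in INTENDED_FEES:
        print(fee, audit_fee_mismatch(R, R, 10_000 * 10**18, fee))
```

A test of this shape, run for every fee tier the pair supports, fails as soon as the constant in the K check drifts from the fee the pair is meant to charge.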
2. Neo Hunters
On June 21, Neo Hunters’ team announced that its Discord server had suffered a phishing attack in which phishing links were sent to the server. Users should never click on these phishing links.
3. PandorachainDAO
On June 22, PandorachainDAO, an application deployed on the BNB chain, was attacked.
The attacker’s address was 0xa11e104601582280672d6ed81eec3af2e4d21940 on the BNB chain.
The attacking contract was deployed at 0x51626f9a6cc5d55c042e43a3c0fa8cd2233a0098 on the BNB chain.
The attacked contract was deployed at 0x83757110409d993FCF3610260D7Af753e2423529 (PCDNFT) on the BNB chain.
The hash value of the attack transaction was:
Crypto assets valued at around $120,000 were exploited in this incident.
The root cause was that the implementation used an incorrect algorithm to calculate a token’s price.
The shouchan function defined in the PCDNFT contract used the balances of USDT and PCD in the USDT-PCD trading pair to calculate PCD’s price. The attacker exploited this vulnerability, leveraging a flash loan to manipulate the balance values and push PCD’s price to an extremely low level, so that the attacker could purchase a large number of PCDs with very few USDTs.
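A price read directly from pair balances reflects whatever the balances are at that instant, while a time-weighted average gives zero weight to a change made in the same block. The following is an added example, not the PCDNFT contract's code: the oracle class, the deviation guard, the 5% tolerance and all balances are constructed for illustration.

```python
# Added illustration: spot price from pair balances vs. a time-weighted check.
SCALE = 10**18               # fixed-point scale for prices


def spot_price(usdt_balance, pcd_balance):
    """USDT per PCD read straight from the pair balances (the fragile pattern)."""
    return usdt_balance * SCALE // pcd_balance


class TwapOracle:
    """Time-weighted average price in the style of Uniswap V2 cumulative prices."""

    def __init__(self, price, timestamp):
        self.cumulative = 0
        self.start_ts = timestamp
        self.last_price, self.last_ts = price, timestamp

    def update(self, price, timestamp):
        # The previous price is weighted by how long it was in effect.
        self.cumulative += self.last_price * (timestamp - self.last_ts)
        self.last_price, self.last_ts = price, timestamp

    def twap(self, now):
        if now <= self.start_ts:
            raise ValueError("no elapsed time to average over")
        total = self.cumulative + self.last_price * (now - self.last_ts)
        return total // (now - self.start_ts)


def checked_price(spot, twap, max_deviation_bps=500):
    """Return the TWAP, refusing to quote if spot has moved too far from it."""
    if abs(spot - twap) * 10_000 > twap * max_deviation_bps:
        raise ValueError("spot price deviates from TWAP; refusing to quote")
    return twap


def demo():
    # Constructed balances (18 decimals); the second pair keeps the same product.
    honest = spot_price(1_000_000 * 10**18, 2_000_000 * 10**18)
    skewed = spot_price(10_000 * 10**18, 200_000_000 * 10**18)
    oracle = TwapOracle(honest, timestamp=0)
    oracle.update(honest, timestamp=600)
    oracle.update(skewed, timestamp=1200)    # balances skewed within this block
    twap = oracle.twap(now=1200)
    try:
        checked_price(skewed, twap)
        rejected = False
    except ValueError:
        rejected = True
    return honest, skewed, twap, rejected
```

The averaging window has to be long enough for the value at stake, since a price held away from the market across many blocks does shift the average.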
4. Harmony ETH Cross-Chain Bridge
On June 23, Harmony’s ETH cross-chain bridge was attacked.
The attack was launched from the following three addresses on Ethereum:
Crypto assets valued at around $100 million were exploited.
For more details please refer to:
5. Convex Finance
On June 24, Convex Finance’s team announced that the project’s website (http://convexfinance.com/) suffered from a DNS hijack. 215 ETHs valued at around $250,000 were exploited in this attack.
Here is a list of the rug pulls:
1. LV PLUS
On June 21, LV PLUS, an application deployed on the BNB chain, turned out to be a rug pull.
The exploiter from 0x7721034753ebe6f5714a7c5ebd0d188fa4a3b167 on the BNB chain deployed the LVP token. The team behind the project claimed the project was part of “LV Metaverse”, but it turned out that the project had nothing to do with LV. The exploiter distributed the tokens it held to multiple wallets, dumped them on the market, and made a profit of around $1.5 million.
All the profits were eventually sent to 0x0786e8682c11312cb547d6db46bc99a392050b26 on the BNB chain.
At the time of writing, 0x0786e8682c11312cb547d6db46bc99a392050b26 held crypto assets valued at around $8 million.
2. Justcows
On June 24, Justcows, a centralized platform that provided custody services, turned out to be a rug pull. The team behind the platform ran away with users’ crypto assets valued at around $5 million. The team distributed a large number of BUSDs via coin-join to thousands of addresses including Hunterswap, exchanges, etc.
Around one month ago, the team announced that it had disabled the withdrawal of crypto assets.
There were five security attacks and two rug pulls in the past week. Among the five attacks, the ones on Whaleswap and PandorachainDAO exploited smart contract vulnerabilities and could have been prevented if the contracts had undergone professional audits. The other three were more related to management and operations.
A reminder to project teams: always test thoroughly, have smart contracts audited before deploying them on-chain, and apply comprehensive security solutions to daily operations and management.
A reminder to crypto users: be cautious about suspicious links, emails or websites, and projects that are launched by teams without an established reputation.