Friday Periodical #9: Updates and Major Exploits

vers La Lune
Hyacinth Friday Periodical
Sep 13, 2024

Happy Friday auditors! It’s been a little while since our last update so we wanted to take this time to update you on what’s been going on here at Hyacinth as well as cover some major exploits that have occurred in web3 since we’ve last written.

Hyacinth Updates

Now that the industry security updates are out of the way, we are excited to show off our new website! We put a lot of time and passion into the new website design to make it even easier for auditors and protocols to navigate. Check it out for yourself over at www.hyacinthaudits.xyz!

Crypto Unicorns

Since our last update we’ve completed two major audits, the first of which is from Crypto Unicorns, the preeminent play and collect game by Laguna Games on the XAI network.

This game is incredibly robust and has a very active ecosystem, so we were excited to get the chance to secure their smart contracts. This was a sizable $30k bounty, conducted by AstraSec, which covered the CU token, the main “hard currency” within the game. The token is an ERC-20 implemented on the ERC-2535 diamond architecture, launched on the Arbitrum network and then ported to XAI. AstraSec found one medium-severity issue and two low-severity issues, all of which were resolved.

You can read the full audit report here:

https://github.com/astrasecai/audit-reports/blob/main/AstraSec-AuditReport-CryptoUnicorns-Token.pdf

Volmex

The other major audit we just completed was by 0xWeiss for Volmex.

Volmex is one of the leading companies providing a suite of utility products which gauge volatility metrics and indices as well as hosting their own in-house perpetual futures and perpetual futures DEX. This audit was for about 50 SLOC which covered features associated with their perpetual futures contracts. The audit found four minor issues which were resolved or acknowledged.

You can read the full audit report here: https://bafybeigsvkekn2c226crnsxrcxqau2vwejvyhlxwbe2urkg4b6pwsj3b6q.ipfs.dweb.link/

WazirX Exploit

This is a currently unfolding situation and the information on the exploit itself is fairly limited, but reports have stated that 234.9M USD worth of cryptocurrency has been stolen by North Korean hackers known as Lazarus Group. As of right now, the on-chain tracking has shown ~22.6k ETH (roughly 56M USD) have been laundered by the WazirX labelled address via TornadoCash.

It was stated in their June 2024 proof-of-reserves disclosure that the WazirX exchange owned about $500M in various cryptoassets. This hack has been catastrophic and has caused them to cease operations as of July 18th, 2024. WazirX was a major Indian cryptocurrency exchange which is owned by Binance. There is a settlement currently underway between WazirX and Binance to grant WazirX a moratorium in order for them to release funds owned by Zettai and Binance to recoup the losses faced by users in this massive hack.

As it stands, there is no official ruling, and the affidavit released on September 10th hasn’t put users at ease. The details of the hack itself have yet to be revealed. India is one of the largest customer bases for Binance and the situation is creating hostility among that constituency.

Penpie Exploit

The second exploit we’re going to discuss is from Penpie, a yield optimizer and liquid locker built on Pendle. This was another multimillion dollar hack which amounted to ~27M USD being stolen.

Twitter user 0xLouieT did a fantastic analysis of the exploit: the attacker created a fake market and counterfeit SY tokens, which gave them the ability to carry out a reentrancy attack. Unfortunately, reentrancy attacks are fairly common and one of the most devastating attacks that can transpire within an EVM smart contract.

A reentrancy attack occurs when a function makes an external call to another untrusted contract. Then the untrusted contract makes a recursive call back to the original function in an attempt to drain funds. When the contract fails to update its state before sending funds, the attacker can continuously call the withdraw function to drain the contract’s funds. Due to the critical risk posed by these attacks, auditors tend to take special care to check for attacks like these, but it appears they did not plan for this attack vector. Here at Hyacinth, we specifically implemented an on-chain audit feature that eliminates the possibility of this occurring. When using our on-chain audit feature, the code is locked during and after the audit so the contract being audited cannot be interacted with or upgraded, therefore it would be impossible for the contract to interact with an untrusted contract or be recursively called upon.

Fortunately, Pendle acted quickly and paused all of the smart contracts preventing an additional $105M being stolen from users. An attack like this poses no risk to Pendle so the fallout was contained to users of Penpie.

Phishing Scams

In addition to these major exploits from exchanges and protocols, a number of phishing scams occurred in the last several weeks of note.

A common phishing tactic being deployed is known as address poisoning which amounts to getting the user to send funds to a slightly altered version of the intended address. This is an incredibly easy way to lose a lot of money so it’s important that you check the digits of the intended public address anytime you’re transferring funds. In the case below, the exploiter received 410 ETH (~1M USD).

Another recent phishing attack, reported by ZachXBT, was carried out by one of the InfernoDrainer-labelled wallets we mentioned in a previous article, draining the victim of 55.4M DAI. This attack similarly involved a fake phishing address, so we repeat: it is imperative that you never send funds without verifying that the intended address is correct. A wise practice when moving large amounts of capital is to send a test transaction of a small amount to make sure the destination is the intended one, then to send the larger transaction afterwards. This practice lowers the risk associated with transfers, and the gas fees spent can be viewed as a small insurance policy.

Conclusion

Thanks for reading, we hope that you found our deep dive informative and interesting. If you are building something and would like to prevent similar hacks, or any exploit, from harming your project, please reach out to Hyacinth Audits at tthomas@hyacinthaudits.xyz or post your own bounty so we can match you with the best auditor for your project!
