Hyacinth Friday Periodical #4

Happy Friday!

I hope everyone has had a great week and special thanks to those who joined us at our event at ETH Denver this year! Now that all of the commotion is finished, we’re back to our regularly scheduled programming.

This week we’re going to do another round-up of recent exploits as well as showcase the increase of phishing attacks as of late.

WooFi

The most prominent exploit in the last month has been the WooFi exploit which occurred on March 5th on the Arbitrum L2. The exploit stole 2023 $ETH from their vault which totaled just around $7.2M at the time and has since appreciated to over $9M. The protocol attempted to reach out to the exploiter with an on-chain message to negotiate a whitehat bounty, currently to no avail.

The attack was noticed within thirteen minutes and all associated accounts were frozen and the threat has been contained. WooFi has released a statement stating that no other contracts have been affected and they are currently operational.

This attack was a price manipulation attack where the attacker borrowed large quantities of $WOO then sold to drop the price heavily, then swapped back at a low price. Effectively, they short sold their $WOO by borrowing against it and manipulated the price in order to resolve the “debt” in the now massively depreciated asset.

Phishing

Now that the crypto markets are in the public eye again due to the Bitcoin ETF, the amount of phishing has increased dramatically. The SFC (Security and Futures Commission) recently released a warning issued about suspicious sites impersonating Hash Blockchain Limited and OSL Digital Securities Limited.

Outside of those mentioned in the SFC public service announcement, many users and protocols have reported their assets stolen due to phishing attacks. While phishing is not explicitly within the wheelhouse of Hyacinth Audits, web3 security as a whole is of vital importance to us and should be of concern to anyone participating in the web3 space.

Phishing is an old method of attack that is surprisingly effective in the web3 paradigm. Effectively, the attacker impersonates a trusted site, user, etc. then gets you to approve a transaction on your wallet which typically drains the wallet of funds. In the last week alone, several major wallets were attacked, losing blue chip Ethereum based NFTs.

Many of these attacks are coming from a contract known as Pink Drainer. In the past couple weeks hundreds of thousands of dollars have been lost to this singular contract which has been connected to dozens of phishing sites. And over the course of this account’s lifetime it has targeted over 10,000 users and drained over 20 million USD.

A quick search along #PinkDrainer on X (formerly Twitter) reveals dozens of phishing attacks across multiple chains.

This brings to light how important it is to only interact with trusted sites and to check urls and transactions thoroughly before approving anything.

Conclusion

Thanks for reading our Friday periodical. We hope you enjoyed it and learned something about some of the exploits we highlighted. If you are building something and would like to prevent similar hacks, or any exploit, from harming to your project, please reach out to Hyacinth Audits at tthomas@hyacinthaudits.xyz or post your own bounty so we can match you with the best auditor for your project!