Hyacinth Weekly Periodical #1

vers La Lune
Hyacinth Friday Periodical
3 min read · Jan 19, 2024

Happy Friday! At Hyacinth Audits, beyond simply utilizing market forces to match the best auditors with protocols looking for high quality, high value audits, it is part of our mission to spread awareness in the web3 space to maximize security for all users. Consequently, we’ve decided to create a regular series discussing a variety of web3 security topics. This week, we are going to highlight some recent exploits and hacks and outline ways in which projects can remain safe while building the next generation of web3 technology.

It’s unfortunate that there were multiple high profile exploits that occurred this week, but hopefully by spreading awareness like this we can decrease the frequency of exploits in the space by making people more apt to utilize high quality smart contract audits.

Socket

On Tuesday, Socket/Bungee was hacked, affecting 233 individual wallets (source). Socket is an interoperability protocol which bridges transactions across a myriad of chains (e.g. Ethereum, Optimism, Arbitrum, Polygon, ZKSync, Zora, Aurora, etc.). With well over $1M in exploited funds from the top five wallets alone, this was a massive exploit from an otherwise very reputable protocol. The exploit took advantage of users who had given unlimited approval to Socket contracts in their wallet. Despite the massive drainage of funds, Socket did act as fast as possible by pausing the exploited contract, which halted the draining.

It’s not our style to kick a project while they’re down, so instead we will use this as a teachable moment for our readers. One of the most common methods of exploitation is to take advantage of approvals: either by draining wallets that have granted unlimited approval, or by sending cryptic approval requests to users and having them consent to having their wallet drained. Best practice to avoid losing your funds is to approve each individual use of a protocol; if you choose to grant unlimited approval to a protocol, it is critical to disconnect your wallet after each use. This is quite literally the same as leaving the back door to your home unlocked and telling everyone in the neighborhood about it (in case it wasn’t obvious, this is not a good idea!).
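To make the approval risk concrete, here is an added example (constructed for this article, not code from Socket or from the post above) that models ERC-20 `approve`/`transferFrom` semantics in Python and measures what a spender contract could still move after a legitimate use. The token, the user, the "router" spender and the amounts are all constructed sample values.

```python
MAX_UINT256 = 2**256 - 1  # the value wallets use for an "unlimited" approval


class Token:
    """Constructed ERC-20 model: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; approving 0 is how you revoke
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # ERC-20 semantics: the spender may move up to its allowance. Most token
        # implementations do NOT decrement an unlimited (MAX_UINT256) allowance,
        # so it stays at "unlimited" after every use.
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Funds the spender could move right now: min(allowance, owner balance)."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def use_protocol(token, user, router, amount, unlimited):
    """One legitimate interaction, then report what is left at risk afterwards."""
    token.approve(user, router, MAX_UINT256 if unlimited else amount)
    token.transfer_from(router, user, "pool", amount)  # the intended use
    return exposure(token, user, router)


def revoke(token, owner, spender):
    """Set the allowance back to zero and return the remaining exposure."""
    token.approve(owner, spender, 0)
    return exposure(token, owner, spender)


def flag_unlimited(token, owner, spenders):
    """Defender check: which spenders still hold an unlimited allowance from owner."""
    return [s for s in spenders if token.allowance(owner, s) == MAX_UINT256]


if __name__ == "__main__":
    wad = 10**18
    t = Token({"alice": 1000 * wad})
    print("unlimited, after one swap:", use_protocol(t, "alice", "router", 100 * wad, True) // wad)
    print("still unlimited:", flag_unlimited(t, "alice", ["router"]))
    print("after revoke:", revoke(t, "alice", "router"))
    t2 = Token({"alice": 1000 * wad})
    print("exact approval, after one swap:", use_protocol(t2, "alice", "router", 100 * wad, False))
```

The two runs show the difference in the residual: an exact approval leaves nothing for the spender to move once the interaction completes, while an unlimited one leaves the user's entire remaining balance reachable by that contract until it is explicitly set back to zero. One caveat worth remembering: an allowance is on-chain state on the token contract, so it persists regardless of whether the wallet is still connected to the dapp's front end; revoking means sending an `approve(spender, 0)` transaction (or using a revocation tool that does so).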

Rosa Finance

More recently, on Jan 18th, 2024, Rosa Finance was exploited for what amounts to $44K worth of various cryptos. While this was not a large hack monetarily, it was one of multiple protocols which were exploited due to a common Compound/Aave v2 exploit. This unfortunately is a known issue in the Compound/Aave v2 codebase which has yet to be resolved.

Radiant Capital

Radiant Capital is an omni-chain money market which allows for interoperable borrowing. They were exploited on January 2nd.

This exploit, just like Rosa Finance, took advantage of a known rounding issue in the Compound/Aave v2 codebase. Due to the prevalence of this exploit in recent hacks, we plan to do a deep dive on this issue in a future article. This hack was the largest of all of the ones we have discussed, as over 1.9k ETH (~$4.5M) was lost. This exploit happened a mere six seconds after the USDC pool was launched, as the exploit relies on a rounding error which exists during a small time window after a new pool is launched.

When auditors are sifting through the code, precision errors such as this should be high on their checklist.

Wise Lending

Last Friday, Jan 12th, Wise Lending, a decentralized lending protocol on Ethereum and Arbitrum, was exploited. This exploit occurred because of a precision error within the share accounting logic. These types of errors can be avoided with consistent, high-quality audits like those we facilitate at Hyacinth Audits. This was a massive exploit that drained as much as 177 ETH (roughly $464k).

More specifically, as noted in the analysis from Peckshield, “it takes advantage of a nearly empty market PLP-stETH-Dec2025 in Wise to inflate the share price. After the share price is inflated, most funds in the lending markets are then borrowed.”
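The Radiant Capital and Rosa Finance rounding issue and the Wise Lending share-price inflation are the same class of bug: in a market that is empty or nearly empty, an attacker can seed a tiny share supply, push the assets-per-share ratio up with a direct token transfer, and then let integer division round later depositors down. The example below is an added, simplified Python model of that share accounting (constructed for this article; it is not the Compound/Aave v2 code, nor Radiant's or Wise's). It compares naive accounting against the "virtual shares" mitigation used by OpenZeppelin's ERC4626 implementation (a decimals offset, assumed here as `offset=6`); the amounts are sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

WAD = 10**18  # one token with 18 decimals


@dataclass
class Vault:
    """Minimal share-accounting model with Solidity-style floor division.

    offset=None -> naive: first depositor gets 1:1, then shares = assets * S // A
    offset=k    -> virtual shares: shares = assets * (S + 10**k) // (A + 1)
                   and assets = shares * (A + 1) // (S + 10**k) on redeem
    """
    offset: Optional[int] = None
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def _s(self) -> int:  # share supply including virtual shares
        return self.total_shares + (0 if self.offset is None else 10 ** self.offset)

    def _a(self) -> int:  # assets including the one virtual asset
        return self.total_assets + (0 if self.offset is None else 1)

    def to_shares(self, assets: int) -> int:
        s, a = self._s(), self._a()
        if s == 0 or a == 0:  # naive vault, first depositor
            return assets
        return assets * s // a

    def to_assets(self, shares: int) -> int:
        s, a = self._s(), self._a()
        return 0 if s == 0 else shares * a // s

    def deposit(self, who: str, assets: int) -> int:
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        # a plain token transfer to the vault: raises total_assets, mints no shares
        self.total_assets += assets

    def redeem(self, who: str, shares: int) -> int:
        assets = self.to_assets(shares)
        self.balances[who] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def run_scenario(vault: Vault, donation: int = 10_000 * WAD,
                 victim_deposit: int = 5_000 * WAD) -> dict:
    """Empty-market sequence: 1 wei deposit, large donation, then a victim deposits."""
    attacker_in = 1 + donation
    vault.deposit("attacker", 1)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    victim_out = vault.redeem("victim", victim_shares)
    attacker_out = vault.redeem("attacker", vault.balances["attacker"])
    return {
        "victim_deposit": victim_deposit,
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_in": attacker_in,
        "attacker_out": attacker_out,
    }


if __name__ == "__main__":
    for label, v in (("naive", Vault()), ("virtual shares", Vault(offset=6))):
        r = run_scenario(v)
        print(label, {k: (x / WAD if k != "victim_shares" else x) for k, x in r.items()})
```

In the naive vault the victim's 5,000-token deposit rounds down to zero shares and the whole deposit is redeemable by the holder of the single existing share, which is what makes the first seconds after a pool launch so dangerous. With virtual shares the donation is split with the vault's own virtual position, so the later depositor loses only dust and the seeding-plus-donation sequence costs the attacker more than it gains. When reviewing a lending or vault codebase, the check to make is exactly this: what happens to `to_shares` and `to_assets` when `total_shares` is zero or tiny, and whether anything (an initial burn, a minimum deposit, virtual shares) keeps the ratio from being cheaply inflated.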

Conclusion

Thanks for reading our first Friday periodical. We hope you enjoyed it and learned something from the exploits we highlighted. If you are building something and would like to prevent similar hacks, or any exploit, from harming your project, please reach out to Hyacinth Audits at egansman@hyacinthaudits.xyz or post your own bounty so we can match you with the best auditor for your project!
