October 30, 2022

Beosin: Blockchain Security Weekly Recap of M10W4



Beosin Security Team: 8 security incidents occurred this week, with total losses exceeding $192.5M.



Oct 24

1. Freeway rugged with $100M+

The $FWT price fell 78%.




Oct 25

1. Beosin EagleEye monitored a flashloan attack on $ULME with a loss of 50,646 $BUSD.

Users are advised to revoke the BUSD approvals granted to the ULME contracts and move their funds out in time. The attack flow: the attacker first borrows 1,000,000 BUSD via flashloan and swaps it for $ULME on PancakeSwap. The attacker had already collected the list of users who approved BUSD to the ULME contract. He then calls the buyMiner function of ULME, passing in that list of victims and the corresponding amounts. buyMiner has two vulnerabilities.


The first is that buyMiner spends BUSD from whatever addresses the caller supplies, so an attacker can spend the BUSD that other users previously approved to the ULME contract.


The second is that by pulling a large number of users' BUSD in a single transaction and swapping all of it to $ULME, the attacker indirectly pushes up the price of ULME.


After pushing up the price of ULME in the previous step, the attacker swaps his own ULME back to BUSD, repays the flashloan and keeps 50,646 $BUSD.
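The buyMiner pattern described above, as an added example that is not ULME's code: a minimal reconstruction of the vulnerable function beside a hardened version. Everything except the name buyMiner is an assumption for illustration, including the router interface, the contract names, the miners mapping and the way ULME is credited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 / router surfaces needed for the example (assumed, not ULME's).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

abstract contract MinerSaleBase {
    IERC20 public immutable busd;
    IRouter public immutable router;
    address public immutable ulme;
    mapping(address => uint256) public miners; // ULME credited to each buyer (assumed)

    constructor(IERC20 _busd, IRouter _router, address _ulme) {
        busd = _busd;
        router = _router;
        ulme = _ulme;
        _busd.approve(address(_router), type(uint256).max); // let the router pull our BUSD
    }

    function _path() internal view returns (address[] memory p) {
        p = new address[](2);
        p[0] = address(busd);
        p[1] = ulme;
    }
}

// VULNERABLE: the caller chooses whose approval is spent. Anyone who ever
// approved BUSD to this contract can be drained by any other caller, and a
// batch of victims swapped in one transaction moves the pool price.
contract MinerSaleVulnerable is MinerSaleBase {
    constructor(IERC20 b, IRouter r, address u) MinerSaleBase(b, r, u) {}

    function buyMiner(address[] calldata users, uint256[] calldata amounts) external {
        require(users.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < users.length; i++) {
            // BUG 1: pulls from users[i], which is never required to equal msg.sender
            busd.transferFrom(users[i], address(this), amounts[i]);
            // BUG 2: amountOutMin == 0, so the swap accepts any manipulated price
            uint256[] memory out = router.swapExactTokensForTokens(
                amounts[i], 0, _path(), address(this), block.timestamp
            );
            miners[users[i]] += out[1];
        }
    }
}

// FIXED: only msg.sender's own approval is spendable, one purchase per call,
// and the buyer supplies a minimum output so a pumped pool reverts the buy.
contract MinerSaleFixed is MinerSaleBase {
    constructor(IERC20 b, IRouter r, address u) MinerSaleBase(b, r, u) {}

    function buyMiner(uint256 amount, uint256 minUlmeOut) external {
        busd.transferFrom(msg.sender, address(this), amount);
        uint256[] memory out = router.swapExactTokensForTokens(
            amount, minUlmeOut, _path(), address(this), block.timestamp
        );
        miners[msg.sender] += out[1];
    }
}
```

The audit check this incident calls for is mechanical: any transferFrom whose from argument is not msg.sender, and whose consent is not otherwise proven (a signature, a permit), is a finding, because the approval a user granted for one purpose becomes spendable by any caller. The user-side mitigation is the one in the advisory above: call approve(ulmeContract, 0) on BUSD.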




2. Melody_SGS was hacked earlier today, causing 2,224.9 $BNB in losses

It is suspected that either the off-chain front end was hacked or the private key was compromised.


The hacker first calls the SGS contract's coinWithdraw function, which redeems a user's assets from the contract. The function has two key parameters: to and signature.


This is a common pattern in smart contracts: the user supplies a signature to prove that it was they who authorized the operation. So where does the problem come from? Let's look at the parameters the attacker passed in.



Oct 27

1. UvToken was exploited for ~$1.5 million

The stolen funds were deposited into Tornado Cash.


The attacker calls the 0xc81daf6e method of another contract deployed by the devs, which holds Controller privileges on the victim contract; that method in turn calls the 0x7e39d2f8 method of the victim contract. Because the calling contract holds Controller privileges, the call passes the permission check and transfers out all of the UVT tokens.
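The privilege chain described above, as an added example that is not UvToken's code: a vault whose privileged withdrawal is gated on a Controller role, a dev-deployed helper that holds that role but exposes an unauthenticated forwarding method (the confused-deputy shape the incident describes), and a hardened helper. The contract and function names (Vault, withdrawTo, HelperVulnerable, sweep) are assumptions; the page only gives the selectors 0xc81daf6e and 0x7e39d2f8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Token vault with a privileged withdrawal gated on a Controller role.
contract Vault {
    IERC20 public immutable token;
    address public immutable controller;

    constructor(IERC20 _token, address _controller) {
        token = _token;
        controller = _controller;
    }

    modifier onlyController() {
        require(msg.sender == controller, "not controller");
        _;
    }

    // Correct only as long as every holder of the role is itself safe to call.
    function withdrawTo(address to, uint256 amount) external onlyController {
        require(token.transfer(to, amount), "transfer failed");
    }
}

// VULNERABLE helper: the devs deployed it and gave it the Controller role, but its
// forwarding method has no access control of its own, so any account can drive
// Vault.withdrawTo through it. The Vault's check passes because msg.sender is the helper.
contract HelperVulnerable {
    Vault public immutable vault;

    constructor(Vault _vault) {
        vault = _vault;
    }

    function sweep(address to, uint256 amount) external {
        vault.withdrawTo(to, amount);
    }
}

// FIXED helper: the forwarding entry point is restricted to the helper's owner,
// so the privilege the Vault delegated to the helper cannot leak to arbitrary callers.
contract HelperFixed {
    Vault public immutable vault;
    address public immutable owner;

    constructor(Vault _vault) {
        vault = _vault;
        owner = msg.sender;
    }

    function sweep(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        vault.withdrawTo(to, amount);
    }
}
```

The check a reviewer wants here goes beyond the victim contract: enumerate every address that holds the privileged role (from role-grant events or storage), and for each holder that is a contract, audit every externally callable method that can reach the privileged function. A role check on the victim is only as strong as the weakest caller the role has been granted to.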




2. VTF on BNB chain was attacked

The attacker 0x57c112cf4f1E4e381158735B12aaf8384B60E1cE profited 58,000 $BUSD.

There is a bug in the VTF contract function that pays holding rewards. Under normal circumstances, users claim $VTF token holding rewards via the updateUserBalance function.



However, the function does not check how long the user has held the tokens. The attacker deploys a large number of attack contracts in advance, obtains the initial $VTF via flashloan, then transfers the VTF tokens to each attack contract in turn, claiming the holding reward at every hop.
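The holding-reward flaw described above, as an added example that is not VTF's code: a reward that is a percentage of the balance at claim time (so a flash-loaned balance hopped across fresh contracts is rewarded at every hop) beside a version that accrues per unit of time held and settles on every transfer. Only the name updateUserBalance comes from the page; the reward rates, the token logic and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// VULNERABLE: the reward is a percentage of whatever balance the address holds at
// the moment updateUserBalance is called. Nothing ties it to holding time, so a
// flash-loaned balance passed through N fresh contracts in one transaction is
// rewarded N times.
contract HoldingRewardVulnerable {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public rewardOf;
    uint256 public constant REWARD_BPS = 10; // 0.1% of balance per claim (assumed rate)

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8
        balanceOf[to] += amount;
        return true;
    }

    function updateUserBalance(address user) external {
        rewardOf[user] += balanceOf[user] * REWARD_BPS / 10_000;
    }
}

// FIXED: reward accrues per second held since the address's last checkpoint, and
// every transfer settles sender and receiver first. Inside a single transaction
// block.timestamp does not advance, so elapsed == 0 and hopping tokens across
// fresh contracts earns nothing; a real holder still accrues over days.
contract HoldingRewardFixed {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public rewardOf;
    mapping(address => uint256) public lastUpdate;
    uint256 public constant RATE_BPS_PER_DAY = 10; // 0.1% of balance per day held (assumed rate)

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        lastUpdate[msg.sender] = block.timestamp;
    }

    function _settle(address user) internal {
        uint256 last = lastUpdate[user];
        if (last != 0) {
            uint256 elapsed = block.timestamp - last;
            rewardOf[user] += balanceOf[user] * RATE_BPS_PER_DAY * elapsed / (10_000 * 1 days);
        }
        lastUpdate[user] = block.timestamp;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _settle(msg.sender);
        _settle(to);
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function updateUserBalance(address user) external {
        _settle(user);
    }
}
```

The general rule: any reward, vote or allocation computed from a spot balance can be claimed with borrowed capital unless it is tied to time (accrual since a checkpoint, as here) or to a snapshot taken in an earlier block. A flashloan never survives the transaction, so elapsed-time accrual or a prior-block snapshot is what makes the balance unborrowable.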



3. Team Finance exploited for $14.5M

An NFT id obtained by locking token A can be used to take part in the migration of the FEG-WETH pair, because the contract does not check that the user's lock corresponds to the pair being operated on. The sqrtPriceX96 parameter, which drives the price calculation of the UNI-V3 migration, is also supplied by the user.
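The two missing checks described above, as an added example that is not Team Finance's code: a toy locker whose vulnerable migrate entry point proves only that the caller owns some lock and trusts a caller-supplied sqrtPriceX96, beside a hardened entry point that requires the lock to be a position in the pair being migrated and derives the V3 starting price from the V2 reserves. The locker structure, function names and the Migrated event are assumptions; only sqrtPriceX96, the lock NFT id and the V2-to-V3 migration come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV2Pair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

contract LockerMigration {
    struct Lock { address owner; address token; uint256 amount; }

    mapping(uint256 => Lock) public locks; // lock id doubles as the NFT id
    uint256 public nextId = 1;

    event Migrated(uint256 lockId, address pair, uint256 amount, uint160 sqrtPriceX96);

    function lockToken(address token, uint256 amount) external returns (uint256 id) {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        id = nextId++;
        locks[id] = Lock(msg.sender, token, amount);
    }

    // VULNERABLE: proves the caller owns *a* lock, but never that the lock is a
    // position in `pair`, and trusts the caller-supplied price. A lock of an
    // unrelated token A can therefore drive the migration of another pair.
    function migrateVulnerable(uint256 lockId, address pair, uint160 sqrtPriceX96) external {
        Lock storage l = locks[lockId];
        require(l.owner == msg.sender, "not lock owner");
        _migrate(lockId, pair, l.amount, sqrtPriceX96);
    }

    // FIXED: the lock must be denominated in the LP token being migrated, and
    // the V3 starting price is read from the V2 reserves on-chain, not from input.
    function migrateFixed(uint256 lockId, address pair) external {
        Lock storage l = locks[lockId];
        require(l.owner == msg.sender, "not lock owner");
        require(l.token == pair, "lock is not a position in this pair");
        (uint112 r0, uint112 r1, ) = IUniswapV2Pair(pair).getReserves();
        _migrate(lockId, pair, l.amount, sqrtPriceX96FromReserves(r0, r1));
    }

    // sqrt(reserve1 / reserve0) * 2^96, computed as sqrt((r1 << 96) / r0) << 48 so
    // every intermediate stays below 2^256 (r1 < 2^112, so (r1 << 96) < 2^208).
    function sqrtPriceX96FromReserves(uint112 r0, uint112 r1) public pure returns (uint160) {
        require(r0 > 0, "empty pool");
        uint256 ratioX96 = (uint256(r1) << 96) / r0;
        return uint160(_sqrt(ratioX96) << 48);
    }

    // Babylonian integer square root (floor).
    function _sqrt(uint256 x) private pure returns (uint256 y) {
        if (x == 0) return 0;
        uint256 z = (x + 1) / 2;
        y = x;
        while (z < y) {
            y = z;
            z = (x / z + z) / 2;
        }
    }

    function _migrate(uint256 lockId, address pair, uint256 amount, uint160 sqrtPriceX96) private {
        delete locks[lockId];
        // Real code would burn the V2 LP tokens and mint a V3 position here.
        emit Migrated(lockId, pair, amount, sqrtPriceX96);
    }
}
```

Two distinct lessons are bundled in this incident. Ownership of an id is not the same as authorization for the operation: the lock must be checked against the object it is supposed to authorize (here, the pair). And any parameter that sets a price, a rate or a limit must come from an on-chain source the contract trusts; a caller-chosen sqrtPriceX96 lets the caller initialize the new pool at whatever price suits them.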



Oct 28

1. FriesDAO Hacked for $2.3 Million in the Latest Profanity Exploit

FriesDAO posted a notice in its official Discord that the developers are currently attempting to negotiate a white-hat bounty with the attackers in exchange for the return of the stolen funds.



2. We're seeing a new phishing site targeting #Aptos $APT

aptoslabs[.]network is a phishing site



Contact

If you need any blockchain security services, please contact us.

