October 30, 2022
Beosin: Blockchain Security Weekly Recap of M10W4
Beosin Security Team: 8 security incidents occurred this week, with total losses exceeding $192.5M.
1. Freeway rugged with $100M+
$FWT price dropped -78%
1. Beosin EagleEye monitored a flashloan attack on $ULME with a loss of 50,646 $BUSD.
Users are advised to revoke BUSD approvals granted to the ULME contract and move their funds out in time. The attacker first borrowed 1,000,000 BUSD via flashloan and swapped it for $ULME tokens through Pancakeswap. The attacker had presumably collected in advance the list of users who had approved BUSD to the ULME contract. The attacker then called ULME's buyMiner function, passing in the prepared list of victims and the corresponding amounts. buyMiner has two vulnerabilities.
The first vulnerability is that an attacker can spend the $BUSD that users previously approved to the ULME contract.
The second is that an attacker can use the BUSD of a large number of users to swap into $ULME, thus indirectly pushing up the price of ULME.
After pushing up the price of ULME in the previous step, the attacker swapped ULME back to BUSD, repaid the flashloan and netted 50,646 $BUSD.
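The following is an added illustration of the pattern behind the first buyMiner vulnerability; it is not the ULME contract, and the contract names, the `payers`/`amounts` parameters and the `minerBalance` bookkeeping are assumed for the example. The vulnerable form lets any caller pull BUSD from whichever approvers it names; the fixed form only pulls from `msg.sender`, so an approval can be spent only by the account that granted it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction for illustration, not ULME's code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MinerSaleVulnerable {
    IERC20 public immutable busd;
    mapping(address => uint256) public minerBalance;

    constructor(IERC20 _busd) { busd = _busd; }

    // Vulnerable: the caller decides whose approved BUSD is pulled in.
    // Every account that ever approved this contract is exposed to any
    // third party that lists it in `payers` (the attacker's prepared list).
    function buyMiner(address[] calldata payers, uint256[] calldata amounts) external {
        require(payers.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < payers.length; i++) {
            // The approver is debited even though msg.sender initiated the call.
            require(busd.transferFrom(payers[i], address(this), amounts[i]), "transfer failed");
            minerBalance[payers[i]] += amounts[i];
        }
    }
}

contract MinerSaleFixed {
    IERC20 public immutable busd;
    mapping(address => uint256) public minerBalance;

    constructor(IERC20 _busd) { busd = _busd; }

    // Fixed: funds can only be pulled from msg.sender, so a user's approval
    // to this contract cannot be exercised by anyone else, and a caller can
    // only move its own BUSD into the pool (which also removes the lever used
    // to push the price with other users' funds).
    function buyMiner(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(busd.transferFrom(msg.sender, address(this), amount), "transfer failed");
        minerBalance[msg.sender] += amount;
    }
}
```

When auditing, flag any `transferFrom(from, ...)` where `from` is not `msg.sender` and is taken from calldata without an explicit authorization check.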
2. Melody_SGS was hacked earlier today, causing 2,224.9 $BNB in losses
It is suspected that the off-chain front-end was hacked or the private key was compromised.
The hacker first calls the SGS contract's coinWithdraw function, which redeems the user's assets from the contract. The function has several key parameters, including to and signature.
This is a common pattern for smart contracts: the user provides a signature to prove that he or she authorized this transaction. So where does the problem arise? Let's look at what parameters the attacker passed in.
1. UvToken was exploited for ~$1.5 million
The stolen funds were deposited to Tornado Cash.
The attacker used the 0xc81daf6e method of another contract deployed by the devs, which holds Controller privileges and which in turn calls the 0x7e39d2f8 method of the victim contract. Because that contract has Controller privileges, it passes verification and transfers out all the UVT tokens directly.
2. VTF on BNB chain was attacked
The attacker 0x57c112cf4f1E4e381158735B12aaf8384B60E1cE profited 58,000 $BUSD.
There is a bug in VTF's contract for claiming holding rewards. Under normal circumstances, users claim $VTF token holding rewards via the updateUserBalance function.
However, the function does not check how long the user has held the token. The attacker deployed a large number of attack contracts in advance, obtained an initial batch of $VTF via flashloan, then transferred the VTF tokens to each attack contract in turn to claim the holding rewards.
3. Team Finance exploited for $14.5M
The NFT id obtained by locking token A can be used in the migration of the FEG-WETH pair, without checking whether the user's lock matches the one being operated on. The parameter sqrtPriceX96, which relates to the price calculation of the UNI-V3 migration, is also supplied by the user.
1. FriesDAO Hacked for $2.3 Million in the Latest Profanity Exploit
FriesDAO posted a notice in the official Discord that the official developers are currently attempting to negotiate a white hat bounty with the attackers in exchange for the return of the stolen funds.
2. We're seeing a new phishing site targeting #Aptos $APT
aptoslabs[.]network is a phishing site