October 14, 2022

Web3 Security Weekly Recap of M10W2

Beosin Security Team:

8 security incidents occurred this week, with a total losses exceeding $122.03M.

Oct 9

1. Xave Finance allowing an attacker to mint 100,000,000,000,000$RNBW

Analysis by Beosin Security Team:

Beosin EagleEye reported an exploit on Xave Finance, allowing an attacker to mint 100,000,000,000,000 $RNBW.

Attack tx:


The attacker first created the attack contract 0xe167cdaac8718b90c03cf2cb75dc976e24ee86d3 to call the DaoModule 0x8f90 contract’s executeProposalWithIndex() function to execute a proposal.

The proposal is to call the mint() function to mint 100,000,000,000,000 $RNBW and transfer ownership to the attacker. Finally the hacker swapped them to $xRNBW, which sit at the attacker’s address 0x0f44f3489D17e42ab13A6beb76E57813081fc1E2.

2. JUMPN Finance $JST rugged with ~$1.15M

2,100 $BNB sent to http://Tornado.Cash; 2,058 $BNB sit at hacker’s address.

Analysis by Beosin Security Team:

The scammer calls the 0xe156 contract’s 0x6b1d9018() function and withdraws the user assets and transfers to the scammer’s address https://bscscan.com/address/0xd3de02b1af100217a4bc9b45d70ff2a5c1816982

Oct 11

1. QANplatform has been exploited for ~$1.89 million due to suspected private key compromise

Analysis by Beosin Security Team:

The two attack txs: 0xf93047e41433d73ddf983cfa008aeb356ec89803c0a92b0e97ccdc6c42a13f51(bsc), 0x048a1a71fd41102c72427cc1d251f4ecbf70558562564306e919f66fd451fe82(eth).

The attacker first used 0x68e8198d5b3b3639372358542b92eb997c5c314 address (suspected the project owner’s address) to call the bridgeWithdraw function in the contract to withdraw the QANX tokens, and then swapped them for the corresponding platform tokens. The stolen funds currently remain on the attacker’s address 0xF163A6cAB228085935Fa6c088f9Fc242AFD4FB11

2. Rabby Swap suffered an exploit with a loss of ~$200,000

Analysis by Beosin Security Team:

There is an external call to RabbyRouter’s _swap function, resulting anyone can call this function and transfer out users’ funds who have approved this contract. Pls revoke approval for the following contracts:

BSC: 0xf756a77e74954c89351c12da24c84d3c206e5355 ETH: 0x6eb211caf6d304a76efe37d9abdfaddc2d4363d1 Optimistic: 0xda10009cbd5d07dd0cecc66161fc93d7c9000da1 Avax: 0x509f49ad29d52bfaacac73245ee72c59171346a8 Ftm: 0x3422656fb4bb0c6b43b4bf65ea174d5b5ebc4a39

Arbiscan: 0xf401c6373a63c7a2ddf88d704650773232cea391 The attacker 0xb687550842a24D7FBC6Aad238fd7E0687eD59d55 has deposited all stolen funds into http://Tornado.cash

3. TempleDAO was hacked for ~$2.36M

Analysis by Beosin Security Team:

The root cause is the lack of permission checks in the migrateStake function of the StaxLPStaking contract. Anyone can withdraw StaxLP from the contract through this function.

Tx: 0x8c3f442fc6d640a6ff3ea0b12be64f1d4609ea94edd2966f42c01cd9bdcf04b5 Attacker: 0x9c9fb3100a2a521985f0c47de3b4598dafd25b01 Beosin Trace have found that all the stolen funds have been transferred to the 0x2B63d4A3b2DB8AcBb2671ea7B16993077F1DB5A0 address.

Oct 12

1. The Journey of awakening project $ATK suffered a flashloan attack with a loss of ~$120,000

Analysis by Beosin Security Team:

The ATK project’s strategy contract (0x96bF2E6CC029363B57Ffa5984b943f825D333614) was targeted by flashloan and a large amount of $ATK tokens were taken from the contract.

Beosin Trace found that the attacker 0xf2ade5950cdfb43b47fdb0a7bf87e9c84467981f has swapped all the stolen $ATK tokens into $BSC-USD, converted to $BNB and sent to http://tornado.cash/.

2. Mango Markets attacker manipulated the price and made $116M in profit

Analysis by Beosin Security Team:

The attacker got 5.5M funds from FTX and deposited 5M to Mango Markets.

The attacker then created a 483M PlacePerpOrder2 position in the MNGO-PERP market.

The price of MNGO was manipulated from 0.0382 USDC to 0.91 USDC by countertrading against their position using a separate account (account 2).

Account 2 now has 483*($0.91-$0.03298) = 423M, which allowed the attacker to borrow $116M out.

The hacker has made a proposal on Mango Governance to try and negotiate for a bounty. The proposal asks the Mango Treasury to pay 70M to repay the bad debt. The hacker will give up half of his proceeds to avoid legal prosecutions.

Oct 13

1. FTX was under an gas stealing attack. The attacker deploys the arbitrage contract and then initiates an ETH withdrawal operation from FTX to the arbitrage contract

Analysis by Beosin Security Team:

In the fallback function of the arbitrage contract, the claim/mint function of the XEN project is called to obtain $XEN.

As the sender of the withdrawal transaction is the FTX exchange, the FTX exchange will pay gas for the whole process.

The claimRank() function passes in a term (at least 1 day) for minting, requiring only to pay the gas fee of calling, without other costs.

claimMintRewardAndShare() function only judges whether to reach the term (>= 1 day as set by hacker), then it can be withdrawn unconditionally to any non-zero address.

However, in the calling process, the transaction initiator is the FTX hot wallet address, so the entire call process of gas is paid by the FTX hot wallet address, and the Xen mint address is the attacker’s address.


If you have need any blockchain security services, please contact us:

Website Email Official Twitter Alert Telegram LinkedIn

Related Project

Related Project Secure Score

Guess you like
Learn More
  • Blockchain Security Alliance Held Its First Meeting to Secure the Web3 Ecosystem

    October 11, 2022

  • Q3 2022 Blockchain Security Report

    October 28, 2022

  • Blockchain Security Alliance Q3 2022 Blockchain Security Report

    October 28, 2022

  • Beosin and ChainUp have entered into a strategic partnership

    October 28, 2022

Join the community to discuss.