Security Incidents in Jan. 2023

Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of January 2023.   

1. Nikhil Gopalani

January 1, 2023: Nikhil Gopalani, Chief Operating Officer of Nike’s encrypted fashion brand RTFKT, provided confidential information to hackers posing as Apple representatives and lost 19 CloneX NFTs, 18 RTFKT Space Pods and 11 CryptoKicks.

Root cause: Private Key Leakage

Loss: approx. $173K 

Reference: Twitter Announcement

Claimable event: No 

2. GDS Chain

January 1, 2023: GDS Chain was hit with a flash loan attack, enabled by a contract vulnerability, that resulted in a total loss of $187,000. One of the smart contract functions gave users with higher staking balances higher rewards. The attacker manipulated the liquidity pool mining mechanism by transferring a huge amount of tokens obtained through a flash loan and repeatedly collecting rewards from the GDS token contract until the liquidity dried up.

Root cause: Contract Vulnerability

Loss: $187K 

Reference: Analysis by QuillAudits

Claimable event: Yes (Smart Contract Cover) 

3. GMX Whale

January 3, 2023: A large GMX holder was hacked, and 82,519 GMX tokens and 2,627 tokens were stolen. The hacker moved the assets cross-chain to the Ethereum network using Hop Protocol and Across Protocol. The total loss was estimated at $3.4 million.

Root cause: Unknown

Loss: $3.4M

Reference: Online News

Claimable event: No

4. FUT

January 4, 2023: The deployer of FUT committed an exit scam on the FUT project. Through the MasterChef contract, the deployer withdrew approximately 67 million FCS tokens and swapped them for FUT tokens. These FUT tokens were then swapped for 2.6 million USDT.

Root cause: Exit Scam

Loss: $2.6M

Reference: Analysis by Certik

Claimable event: No 

5. DNP3

January 4, 2023: Twitch streamer DNP3, founder of Goobers NFT, Gridcraft Network and ClucCoin, revealed that he had gambled away investors’ funds.

Root cause: Gambling

Loss: Unknown

Reference: Online News

Claimable event: No 

6. CyberKongz

January 7, 2023: The official Twitter account of CyberKongz, an NFT project, was hacked and the original links were replaced with malicious phishing links.

Root cause: Social Engineering Attack

Loss: $3.4M

Reference: Online News

Claimable event: No 

7. Mycelium

January 7, 2023: One of Mycelium’s three oracle data vendors went offline, resulting in an overreliance on the remaining price oracles. The oracle feed problem was magnified when Bitfinex’s ETH-USD feed price fluctuated significantly, leading to a large spread. Arbitrage bots took advantage of this spread, resulting in a loss of MLP.

Root cause: Oracle Failure

Loss: $300K

Reference: Twitter Announcement

Claimable event: No 
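A guard against the oracle failure described in the Mycelium entry, as an added example that is not Mycelium's code: it refuses to return a price when fewer than the configured number of vendors are fresh or when the spread between them is too wide. The thresholds and the vendor names other than Bitfinex are assumptions, and the quotes are constructed.

```python
from statistics import median

# Assumed policy values for illustration; tune per market.
MIN_SOURCES = 3        # require every configured vendor to be live
MAX_AGE_S = 60         # quotes older than this count as offline
MAX_SPREAD = 0.005     # 0.5% max (high - low) / median across vendors


def check_price(quotes, now):
    """Return (price, reason). price is None when trading should pause.

    quotes maps vendor name -> (price, unix_timestamp), or None if no data.
    """
    fresh = [
        q[0] for q in quotes.values()
        if q is not None and q[0] > 0 and now - q[1] <= MAX_AGE_S
    ]
    if len(fresh) < MIN_SOURCES:
        return None, f"quorum: only {len(fresh)} of {MIN_SOURCES} sources fresh"
    mid = median(fresh)
    spread = (max(fresh) - min(fresh)) / mid
    if spread > MAX_SPREAD:
        return None, f"spread: {spread:.2%} exceeds {MAX_SPREAD:.2%}"
    return mid, "ok"


# Constructed sample quotes; vendor_a and vendor_b are hypothetical names.
NOW = 1_673_100_000
HEALTHY = {"vendor_a": (1300.0, NOW - 5), "vendor_b": (1301.0, NOW - 8),
           "bitfinex": (1299.5, NOW - 3)}
ONE_OFFLINE = {**HEALTHY, "vendor_a": None}
WIDE_SPREAD = {**HEALTHY, "bitfinex": (1340.0, NOW - 3)}

if __name__ == "__main__":
    for label, quotes in [("healthy", HEALTHY), ("one offline", ONE_OFFLINE),
                          ("wide spread", WIDE_SPREAD)]:
        print(label, check_price(quotes, NOW))
```
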

8. Twity

January 8, 2023: The Telegram account of Twity, a Web3 Twitter marketing platform, was hacked, leaking chat records that contained the project’s private key and disclosing private administrator account information.

Root cause: Social Engineering Attack

Loss: Unknown

Reference: Online News

Claimable event: No 

9. Chimpers

January 10, 2023: The official Twitter account of Chimpers, an NFT project, was hacked and the original links were replaced with malicious phishing links that lured users to mint NFTs.

Root cause: Social Engineering Attack

Loss: Unknown

Reference: Online News

Claimable event: No

10. BRA

January 10, 2023: The BRA token was exploited through a logic flaw in the BRA contract that allowed the hacker to gain additional rewards during a transfer if the caller or receiver was a pair.

Root cause: Contract Vulnerability

Loss: 820 BNB, approx. $225K

Reference: Analysis by BlockSec

Claimable event: Yes (Smart Contract Cover)

11. Sui Name Service

January 10, 2023: Sui Name Service, a provider of eco-friendly domain names, announced via social media that its Discord server had been hacked by a former employee who pretended to be an admin. Currently, Sui Name Service is fixing users’ role labels.

Root cause: Social Engineering Attack

Loss: Unknown

Reference: Analysis by Slowmist

Claimable event: No

12. $ACS

January 11, 2023: $ACS was rug pulled for $10K via a backdoor function. The attacker used the transferFrom function to transfer $ACS within the BSC-USD-ACS pair and caused an imbalance in the K value. He then used a small number of $ACS to transfer out a large amount of BSC-USD within the pair.

Root cause: Rug Pull

Loss: $10K

Reference: Analysis by Beosin

Claimable event: No

13. Google Chrome

January 11, 2023: A security flaw referred to as CVE-2022-3656 impacts over 2.5 billion users of Google Chrome and browsers based on the Chromium engine. This flaw enables the theft of confidential files such as encrypted wallets and cloud service provider files. The flaw was uncovered by investigating the interaction between the browser and the file system. The browser failed to properly verify whether a symbolic link directed to an unreachable location, making it possible to steal sensitive files. This is commonly referred to as symbolic link following. Hackers can exploit encrypted phishing websites to access users’ confidential files.

Root cause: Browser Vulnerability

Loss: Unknown

Reference: Online News

Claimable event: No

14. RoeFinance

January 12, 2023: ROE Finance suffered an attack on the Ethereum blockchain. The attacker utilized flash loans to disrupt one of the pools that had limited liquidity, affecting the price, then drained the funds from the target pool resulting in a loss of $80K.

Root cause: Economic Attack

Loss: $80K

Reference: Analysis by BlockSec

Claimable event: No

15. CirculateBUSD and CirculateWBNB

January 12, 2023: An externally owned address 0x5695E created two contracts named CirculateBUSD and CirculateWBNB along with an additional unverified contract, referred to as “SwapHelper”. A function had a third-party dependency on SwapHelper that allowed any funds deposited into this contract to be transferred to the deployer’s own address.

Root cause: Exit Scam

Loss: $2.5M

Reference: Analysis by Certik

Claimable event: No

16. LendHub

January 13, 2023: The LendHub hack was the result of not properly removing an outdated token during a market update. LendHub switched the existing IBSV token with a new version that had its own Comptroller contracts, but failed to eliminate the old token, causing both to coexist with the same market value. This error enabled the attacker to manipulate both token contracts independently, exploiting their differences. The attacker used the mint and redeem options in the old market and obtained loans in the new market, leading to discrepancies in the liabilities calculation between the two markets and allowing the attacker to steal about $6 million from the new token.

Root cause: Ops Failure

Loss: $6M

Reference: Analysis by Slowmist

Claimable event: No

17. UF Dao

January 13, 2023: xdaoapp’s UF DAO was hacked due to a contract vulnerability caused by incorrect parameter settings. The attacker took advantage of UF Dao’s 1:1 public offer and then redeemed almost all of it in USDC.

Root cause: Contract Vulnerability

Loss: $90K

Reference: Analysis by QuillAudits

Claimable event: Yes (Smart Contract Cover)

18. NFT God

January 14, 2023: An NFT influencer by the name of NFT God was hacked after downloading malicious software when he clicked a sponsored advertisement. His crypto wallet was compromised, leading to the loss of his entire crypto and NFT portfolio. At least 19 Ether and a Mutant Ape Yacht Club NFT were stolen.

Root cause: Wallet Compromise

Loss: Unknown

Reference: Twitter Announcement

Claimable event: No

19. Midas Capital

January 16, 2023: The Jarvis Network and Midas Capital were considering expanding collateral options and setting supply limits to prevent excessive borrowing, but this was not enough to stop the flash loan exploit that has been a persistent problem in the market. The attacker inflated the price of the LP token and took out a flash loan, stealing over $660,000 in jAssets. The team acknowledged their mistake in assuming that the reentrancy issue they had encountered before would not impact the native “raw_call” function of the chain.

Root cause: Contract Vulnerability

Loss: $650K

Reference: Twitter Announcement

Claimable event: Yes (Smart Contract Cover)

20. Yield Robot

January 17, 2023: The Yield Robot project on BSC was rug pulled for $2.1 million. Initially, the team described the drainage as an exploit by a hacker. However, the project’s social media accounts were deleted after 48 hours and no further announcements were made.

Root cause: Rug Pull

Loss: $2.1M

Reference: Analysis By Certik

Claimable event: No

21. OMNI Real Estate Token

January 17, 2023: The attack on OMNI Real Estate occurred due to a weakness in the StakingPool contract, which lacked adequate parameter validation. The rewards were calculated in the contract using the “_Check_reward” function, which had two parameters (durations and balance) that were controlled by the user.

Root cause: Contract Vulnerability

Loss: $70K

Reference: Analysis By QuillAudits

Claimable event: Yes (Smart Contract Cover)

22. Upswing Finance

January 17, 2023: Upswing Finance was hit with a flash loan attack due to a design flaw in its UPStkn token, allowing the attacker to manipulate the price of the token in the liquidity pool.

Root cause: Price Manipulation

Loss: $35K

Reference: Online News

Claimable event: No

23. Thoreum Finance

January 19, 2023: Thoreum Finance was exploited due to vulnerabilities in its smart contract. The vulnerability arose from an incorrect implementation of the transfer function in the contract, where if a wallet sent funds to itself, the number of tokens in the wallet would increase by the amount sent.

Root cause: Contract Vulnerability

Loss: $580K

Reference: Online News

Claimable event: Yes (Smart Contract Cover)
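The self-transfer flaw described in the Thoreum Finance entry, shown as an added Python model beside a hardened version and a supply-conservation regression check. This is not Thoreum's contract code: the stale-read pattern is an assumed way such a bug can arise, and all names and balances are constructed.

```python
# Added illustration: a simplified Python model, not Thoreum's contract code.
# The stale-read pattern below is an assumed way such a bug can arise.

class TokenModel:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer_stale_reads(self, sender, recipient, amount):
        """Flawed: both balances are read before either is written."""
        sender_bal = self.balances.get(sender, 0)
        recipient_bal = self.balances.get(recipient, 0)
        if amount < 0 or sender_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_bal - amount
        # When sender == recipient this overwrites the debit with a credit.
        self.balances[recipient] = recipient_bal + amount

    def transfer_safe(self, sender, recipient, amount):
        """Hardened: the debit is stored before the recipient balance is read."""
        sender_bal = self.balances.get(sender, 0)
        if amount < 0 or sender_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_bal - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def supply_conserved(transfer_name, cases):
    """Regression check: no transfer, self-transfers included, may change supply."""
    for sender, recipient, amount in cases:
        token = TokenModel({"alice": 100, "bob": 50})  # constructed sample state
        before = token.total_supply()
        getattr(token, transfer_name)(sender, recipient, amount)
        if token.total_supply() != before:
            return False
    return True


# Constructed test cases; the second is the self-transfer edge case.
CASES = [("alice", "bob", 30), ("alice", "alice", 30), ("bob", "alice", 50)]

if __name__ == "__main__":
    print("stale reads conserve supply:", supply_conserved("transfer_stale_reads", CASES))
    print("safe transfer conserves supply:", supply_conserved("transfer_safe", CASES))
```
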

24. FFF

January 20, 2023: The FFF token on BSC experienced an unusual additional issuance event in which the project’s administrator used the pre-set additional issuance contract to purchase and sell the extra tokens. Over $1.03 million worth of FFF tokens were sold in this event.

Root cause: Rug Pull

Loss: $1M

Reference: Online News

Claimable event: No

25. Doglands

January 21, 2023: Dogechain’s ecological Doglands project was rug pulled. Its official Twitter account and website have been removed, and two addresses drained all the reserves in the LP token, which held around $204,000. The funds have since been transferred to Ethereum via a cross-chain bridge and distributed to multiple addresses.

Root cause: Rug Pull

Loss: $204K

Reference: Analysis By QuillAudits

Claimable event: No

26. Robinhood

January 26, 2023: The Robinhood Twitter account was compromised and used to promote a fake crypto project. The hackers advertised a new token called $RBH, claiming it would be priced at $0.0005 on Binance Smart Chain. Approximately 25 individuals bought the fraudulent tokens for a total of nearly $8,000 before the link was taken down. Robinhood stated in a blog post that the unauthorized posts on their Twitter, Instagram, and Facebook were removed promptly, and the company believes the cause was a third-party vendor.

Root cause: Social Engineering Attack

Loss: $8K

Reference: Online News

Claimable event: No

27. Kevin Rose

January 26, 2023: The personal wallet of Kevin Rose, founder of NFT project Moonbirds, was hacked and a total of around 40 NFTs were stolen. Rose signed a malicious signature which gave the hackers the authority to transfer his NFTs.

Root cause: Private Key Leakage

Loss: $2M

Reference: Online News

Claimable event: No

28. UniswapV2Pair WETH-BCI

January 26, 2023: The WETH-BCI pool was attacked due to a contract vulnerability that stemmed from flawed logic in the internal_transfer function of the BCI token contract. The logic allowed 1% of BCI tokens to be burnt every 10 minutes when there is a transfer, inflating the value of the BCI tokens. Note: The vulnerability does not stem from Uniswap’s smart contracts and hence is not claimable for Uniswap’s Smart Contract Cover on InsurAce.

Root cause: Contract Vulnerability

Loss: $11K

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

29. Azuki

January 27, 2023: Azuki’s Twitter account was hacked and a tweet was posted that asked followers to “claim land” in The Garden, which was Azuki’s native metaverse platform. The malicious link has since been deleted and followers were warned not to click any links from the account.

Root cause: Social Engineering Attack

Loss: 1.7M

Reference: Twitter Announcement

Claimable event: No

30. Bevo

January 30, 2023: The BEVO NFT Art Token on BSC suffered an attack resulting in a loss of around $45,000. The exploit was due to the token being deflationary, where the attacker manipulated the token balance by calling the deliver() function, decreasing the value of _rTotal and affecting the calculation of the balance using getRate(). The attacker then transferred the increased PancakePair balance to their account using skim, and exchanged the increased BEVO back to WBNB after another call to deliver().

Root cause: Economic Attack

Loss: $45K

Reference: Analysis by BlockSec

Claimable event: No
