Greetings!
Another week with massive losses. More than $20M was stolen across 4 incidents. The top two compromises have interesting stories which we should discuss, but first a quick note from our sponsor Cyfrin!
Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry.
Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from starting security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-source Rust-based static analyzer to help automatically detect bugs in your Solidity codebase.
Gala lost $21M after a private key theft was used to mint 2B tokens. As pointed out by Tay, the project has a long history of theft and suspicious mints oddly reminiscent of the current incident. It sounds like a case of insider threat. How else could we explain such a quick identification of the culprit which led to the full return of funds in just one day?
Normie suffered from a weakness in how it identified the team wallet, which is granted special privileges. Instead of comparing addresses, the smart contract simply checked whether the amount sent equals the current token balance of the team wallet address!

```solidity
// Flags the sender as a "premarket user" (privileged) the first time the
// transferred amount equals the team wallet's balance; once set, the flag sticks.
function _get_premarket_user(address _address, uint256 amount) internal {
    premarket_user[_address] = !premarket_user[_address]
        ? (amount == balanceOf(teamWalletAddress))
        : premarket_user[_address];
}
```
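To make the contrast concrete, here is an added example (not Normie's contract, and not code from this newsletter) that places the balance-equality privilege check next to an identity-based one. The contract, function and variable names (PremarketFlagExample, teamWallet, premarketUser, _grantByBalance, _grantByIdentity) are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Normie's code): a tiny token whose transfer path
// grants a "premarket" privilege. _grantByBalance mirrors the weak
// balance-equality check; _grantByIdentity is the address-based fix.
// All names here are assumptions, not identifiers from the real contract.
contract PremarketFlagExample {
    mapping(address => uint256) private _balances;
    mapping(address => bool) public premarketUser;
    address public immutable teamWallet;

    constructor(address team, uint256 teamSupply) {
        teamWallet = team;
        _balances[team] = teamSupply; // constructed initial supply for the team wallet
    }

    function balanceOf(address a) public view returns (uint256) {
        return _balances[a];
    }

    // WEAK: privilege is keyed on a token amount that anyone can reproduce.
    // Any sender who moves exactly balanceOf(teamWallet) tokens is flagged,
    // and the flag is sticky afterwards, so one matching transfer is enough.
    function _grantByBalance(address sender, uint256 amount) internal {
        if (!premarketUser[sender]) {
            premarketUser[sender] = (amount == balanceOf(teamWallet));
        }
    }

    // HARDENED: privilege is keyed on identity. Only the configured team
    // wallet can ever be flagged, regardless of the amounts being moved.
    function _grantByIdentity(address sender) internal {
        if (sender == teamWallet) {
            premarketUser[sender] = true;
        }
    }

    // Transfer path wired to the hardened check. In a unit test, swapping in
    // _grantByBalance(msg.sender, amount) reproduces the weak behaviour.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(_balances[msg.sender] >= amount, "insufficient balance");
        _balances[msg.sender] -= amount;
        _balances[to] += amount;
        _grantByIdentity(msg.sender);
        return true;
    }
}
```

A regression test for this class of bug is short: deploy with some team supply, fund a second address with the same amount, have that address transfer exactly balanceOf(teamWallet) tokens, and assert that premarketUser for it stays false. Under the balance-keyed check that assertion fails; under the identity-keyed check it holds. The general rule the example illustrates is that authorization must be bound to who is calling (an address, a role, a signature), never to a value the caller controls.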
The attacker took advantage of this to manipulate token supply and value to make an $880K profit. What’s wilder are the familiar ego-filled demands to founders trying to negotiate a return bounty from their X account:
@CaesarsCalls must take live recording of him stepping on a scale and showing us his true weight. Do what is right for the people fatso
And again on-chain:
To be clear: no funds will be returned until a new token has been launched and the dev wallet funds have been irrevocably committed to backing it. The dev wallet made significantly more than I did during this exploit, and I have no other way to ensure that those funds are used appropriately.
If this is not our Prisma or KyberSwap attacker, then it is someone new trying to emulate their thirst for public attention.
In other news, the TonUP exploit marks the first publicly known hack on the TON chain: a staking contract weakness that was exploited by a number of accounts.
The premium version of the newsletter contains detailed information on the incidents above as well as Yon, TonUP, and a failed governance exploit on Relevant.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh and be sure to check out fantastic videos with folks like Mudit Gupta, Isaac Patka, and Johnny Time in the Media section. Now let’s dive into the news!