BlockThreat - Week 41, 2022
Mango | TempleDAO | Rabby | ATK | FTX | Earning Farm | Lazarus
The Hacktober continues! This week’s edition is loaded with post-mortems, writeups, and indicators from various DeFi exploits netting attackers more than $120M. One of the compromises was particularly interesting, since the attacker’s identity was revealed as someone associated with multiple scams and price manipulation attacks in the past. The Profanity wallet generator vulnerability continues claiming new victims, with even 1inch, which originally reported it, joining their ranks. Lazarus is at it again, with several reported social engineering and phishing attacks against Japanese crypto companies.
Hacks Dashboard by DeFi Llama.
On October 10, 2022 Carrot lost $30K due to insufficient function access controls.
On October 11, 2022 Mango Markets was exploited with a price oracle manipulation attack with losses over $116M. Interestingly, the attacker was soon discovered and engaged in public discourse on Twitter.
On October 11, 2022 a TempleDAO insufficient function access control vulnerability was exploited to steal $2.36M.
On October 11, 2022 QANPlatform private keys were cracked via the Profanity wallet generator vulnerability, with losses exceeding $2M.
On October 11, 2022 multiple users of Rabby Swap lost $190K in approved assets due to insufficient function parameter validation.
On October 12, 2022 The Journey of Awakening ATK suffered a $120K loss from a price oracle manipulation exploit.
On October 12, 2022 FTX lost about $100K in gas fees when an attacker tricked its withdrawal system into minting tokens.
On October 14, 2022 Earning Farm lost $971K due to insufficient verification of who originated a flash loan.
Ocean Protocol patched an insufficient function access control vulnerability thanks to a responsible disclosure by chiefdestroyer.eth.
Cosmos patched a critical vulnerability in all IBC-enabled Cosmos blockchains following a due diligence review after the BNB hack last week.
Aptos fixed a DoS vulnerability in its Move VM nodes thanks to a responsible disclosure by Numen Cyber Labs.
The Fall of Hydra Market by OXT Research.