BlockThreat - Week 44, 2022
Deribit | Pando | Gala | Solend | Skyward | Solana
This week a concerning pattern emerged of DeFi projects failing to implement sufficient function access controls, allowing attackers to trigger functionality used to steal funds. Exchange hot wallet compromises are rare. Unfortunately, Deribit fell victim to bad actors who managed to steal a whopping $28M from their hot wallets. Are these our North Korean “friends” again? Another rare exploit vector is the infinite mint, which also happened this week with $4.3M stolen from a gaming company.
In other news, almost half of Solana validators went offline after they were kicked out by a single hosting provider. The event not only halved the security of the network but could have been much more painful if the chain also implemented inactivity slashing like Ethereum does. Let’s hope AWS doesn’t get mad at the largest staking providers, Lido and Coinbase.
Twitter verification phishing campaign.
On October 27, 2022 Yearn discovered an actively exploited veCRV Bribe V2 reward manipulation logic error.
On November 1, 2022 Deribit exchange lost $28M in a private key theft incident.
On November 1, 2022 Solend ended up with $1.26M in bad debt due to a price oracle manipulation attack.
On November 1, 2022 Skyward Finance lost $3.2M due to insufficient parameter validation.
On November 2, 2022 Rubic’s private keys were stolen, which resulted in the theft of $212K in assets.
On November 4, 2022 Loopring L2 chain was targeted with a DDoS attack.
On November 4, 2022 Peak DeFi lost $30K due to insufficient function access controls.
On November 6, 2022 Moo Cake lost $140K due to insufficient function access control and reward manipulation bugs.
On November 6, 2022 Pando Rings suffered a price oracle manipulation exploit which resulted in the loss of $20M.
40% of Solana validators went offline after they were kicked out by a hosting provider.
New Laplas Clipper Distributed Via SmokeLoader report by Cyble.
Kai Stealer analysis by Harry.eth.
Reentrancy Attacks on Smart Contracts Distilled by Officer Cia.
Front Running and Sandwich Attack Explained by Quillaudits.
Bribe V2 Attackers
Pando Rings Attackers