Star arena ,a best social platform experience defi hacking. The hackers able to access their contract and exploit a reentrancy vulnerability within the code which allowed them to inflate the share's value, reaching approximately $274K per share. Hackers steal almost 2.9 million worth of AVAX token. This hacks happened in October 2023.
Defi hacking is increased so much in 2023 and most of hacker target contract address and this hacks also is part of it. Need lot of protection and audit check everytime.
SOURCE
https://www.halborn.com/blog/post/explained-the-stars-arena-hack-october-2023
Topic: DeFi hacks [history] - page 3. (Read 19119 times)
Galxe platform experiences DNS attack, losses top $150K
The Web3 platform’s website has been restored, but the company still warns against using it. The hack may be linked to September’s attack on Balancer.
The website of Web3 community platform Galxe was offline for about an hour on Oct. 6. Galxe reported on X (formerly Twitter) that its website was down at 14:44 UTC, confirming 40 minutes later that it had experienced a security breach affecting its Domain Name System (DNS) record. It warned against visiting the domain until the situation was remedied.
At the time of writing, Galxe had not confirmed that its website was safe to use again. After the website was restored, some X posters were reporting that it was blocked by Google.
https://cointelegraph.com/news/galxe-protocol-experiences-dns-attack-october-6
The Web3 platform’s website has been restored, but the company still warns against using it. The hack may be linked to September’s attack on Balancer.
The website of Web3 community platform Galxe was offline for about an hour on Oct. 6. Galxe reported on X (formerly Twitter) that its website was down at 14:44 UTC, confirming 40 minutes later that it had experienced a security breach affecting its Domain Name System (DNS) record. It warned against visiting the domain until the situation was remedied.
At the time of writing, Galxe had not confirmed that its website was safe to use again. After the website was restored, some X posters were reporting that it was blocked by Google.
https://cointelegraph.com/news/galxe-protocol-experiences-dns-attack-october-6
https://russia.postsen.com/local/484395/Fraudsters-began-to-take-advantage-of-the-departure-of-the-Binance-crypto-exchange-from-Russia.html
"The largest cryptocurrency platform Binance announced its final departure from Russia a week ago. However, cyber fraudsters are already trying to make money from this. “In the first five days, several fake groups were created on Telegram, eight fake tokens, one of which had a daily trading volume of $130,000, and, of course, a classic scam began on the P2P marketplace,” the CEO of CommEX (the buyer of the Russian business Binance) told Forbes ) for the development of the region and the CIS Anton Toroptsev"
"The largest cryptocurrency platform Binance announced its final departure from Russia a week ago. However, cyber fraudsters are already trying to make money from this. “In the first five days, several fake groups were created on Telegram, eight fake tokens, one of which had a daily trading volume of $130,000, and, of course, a classic scam began on the P2P marketplace,” the CEO of CommEX (the buyer of the Russian business Binance) told Forbes ) for the development of the region and the CIS Anton Toroptsev"
Combining all the incidents in September we’ve confirmed ~$332M lost to exploits, hacks and scams.
Exit scams were ~$1.9M
Flash loans were ~$0.4M
Exploits were ~$329.8M
Picture and graphics
https://twitter.com/CertiKAlert/status/1708094695832682893
Cumulative losses since the beginning of the year amount to approximately 1.34 billion dollars, including various hacks for 925.4 million.
https://bitcointalksearch.org/topic/m.62936942
Exit scams were ~$1.9M
Flash loans were ~$0.4M
Exploits were ~$329.8M
Picture and graphics
https://twitter.com/CertiKAlert/status/1708094695832682893
Cumulative losses since the beginning of the year amount to approximately 1.34 billion dollars, including various hacks for 925.4 million.
https://bitcointalksearch.org/topic/m.62936942
https://dune.com/21co/lazarus-group-crypto-holdings
"This dashboard tracks the crypto holdings of the cybercrime unit Lazarus Group (also known as APT38), which has conducted multiple hacks on behalf of the North Korean government. In total, we track 295 wallets identified by the U.S. Federal Bureau of Investigation (FBI) and Office of Foreign Assets Control (OFAC). For context, these are the largest hacks conducted by the Lazarus Group, as confirmed by the FBI:
March 29, 2022: ~$620 million theft from Sky Mavis’ Ronin Bridge.
June 22, 2022: ~$100 million Harmony’s Horizon Bridge hack.
June 2023: ~$100 million theft from Atomic Wallet.
July 22, 2023: ~$60 million theft from Alphapo.
July 22, 2023: ~$37 million theft from CoinsPaid.
September 4, 2023: ~$41 million theft from Stake.com.
We should note that this is a lower-bound estimation of Lazarus Group’s crypto holdings based on publicly available information. If you have identified or are aware of any other hacks that have been disclosed, please get in touch with us so we can track the assets here.
Find the reports of the FBI disclosing the wallet addresses here: January 23, 2023, August 22, 2023, September 6, 2023."
"This dashboard tracks the crypto holdings of the cybercrime unit Lazarus Group (also known as APT38), which has conducted multiple hacks on behalf of the North Korean government. In total, we track 295 wallets identified by the U.S. Federal Bureau of Investigation (FBI) and Office of Foreign Assets Control (OFAC). For context, these are the largest hacks conducted by the Lazarus Group, as confirmed by the FBI:
March 29, 2022: ~$620 million theft from Sky Mavis’ Ronin Bridge.
June 22, 2022: ~$100 million Harmony’s Horizon Bridge hack.
June 2023: ~$100 million theft from Atomic Wallet.
July 22, 2023: ~$60 million theft from Alphapo.
July 22, 2023: ~$37 million theft from CoinsPaid.
September 4, 2023: ~$41 million theft from Stake.com.
We should note that this is a lower-bound estimation of Lazarus Group’s crypto holdings based on publicly available information. If you have identified or are aware of any other hacks that have been disclosed, please get in touch with us so we can track the assets here.
Find the reports of the FBI disclosing the wallet addresses here: January 23, 2023, August 22, 2023, September 6, 2023."
Amazing Korean exchange upbit incident today
1. The Largest S.Korean exchange
@Official_Upbit
, abruptly halted Aptos' deposits and withdrawals, citing a wallet system maintenance without any specific reason
2. Various Korean users have posted authentication claiming that they received $APT without sending themselves
3. Reports have emerged that the Upbit customer center has been making phone calls to users who sold the deposited FAKE-APT tokens, requesting refunds.
4. What's so fucked up about this situation is that the deposited tokens are not the native
@Aptos_Network
coin but a scam token called ClaimAPTGift
The only explanation for this situation is that Upbit's wallet system only checked the type and data and processed deposits and withdrawals
Scam token's address
https://apscan.io/account/0xc4f4e73e689b13799d6a1a52a9db1e0099de2e16967ca9bff97e9946dbedc4e9
https://twitter.com/definalist/status/1705900412208029894
1. The Largest S.Korean exchange
@Official_Upbit
, abruptly halted Aptos' deposits and withdrawals, citing a wallet system maintenance without any specific reason
2. Various Korean users have posted authentication claiming that they received $APT without sending themselves
3. Reports have emerged that the Upbit customer center has been making phone calls to users who sold the deposited FAKE-APT tokens, requesting refunds.
4. What's so fucked up about this situation is that the deposited tokens are not the native
@Aptos_Network
coin but a scam token called ClaimAPTGift
The only explanation for this situation is that Upbit's wallet system only checked the type and data and processed deposits and withdrawals
Scam token's address
https://apscan.io/account/0xc4f4e73e689b13799d6a1a52a9db1e0099de2e16967ca9bff97e9946dbedc4e9
https://twitter.com/definalist/status/1705900412208029894
https://www.coindesk.com/tech/2023/09/25/mixin-network-losses-nearly-200m-in-hack/
"Mixin Network has confirmed a report from SlowMist, a blockchain security consultancy, that it has been hacked for nearly $200 million.
“In the early morning of September 23…the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet,” Mixin Network said in a statement. “The funds involved are approximately US$200 million.”
Mixin Network is a service similar to a layer-2 protocol, designed to make cross-chain transfers cheaper and more efficient.
But the problem with this, as many have pointed out on Twitter, is that it's reliant on a centralized database, creating a single point of failure."
"Mixin Network has confirmed a report from SlowMist, a blockchain security consultancy, that it has been hacked for nearly $200 million.
“In the early morning of September 23…the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet,” Mixin Network said in a statement. “The funds involved are approximately US$200 million.”
Mixin Network is a service similar to a layer-2 protocol, designed to make cross-chain transfers cheaper and more efficient.
But the problem with this, as many have pointed out on Twitter, is that it's reliant on a centralized database, creating a single point of failure."
It has come to our notice that Harbor protocol has been exploited over the past few hours, resulting in a drain on a portion of the funds sitting in the stable-mint and stOSMO, LUNA and WMATIC vaults.
exploit against a Harbor DeFi protocol
$250,000 losses
Over $7m Stolen in Separate Attacks Against DeFi Protocols Exactly And Harbor
https://www.bitdegree.org/crypto/news/over-7m-stolen-in-separate-attacks-against-defi-protocols-exactly-and-harbor
GMBL Computer, a DeFi gambling protocol, was exploited for nearly 500 ETH, worth around $800,000 in today's prices.
The hacker's identity is known, and GMBL has offered a bounty for the return of funds to avoid legal action.
Despite accusations of an inside job, GMBL reported that half the stolen funds have already been recovered.
https://beincrypto.com/defi-gmbl-computer-exploited-eth-funds-returned/
exploit against a Harbor DeFi protocol
$250,000 losses
Over $7m Stolen in Separate Attacks Against DeFi Protocols Exactly And Harbor
https://www.bitdegree.org/crypto/news/over-7m-stolen-in-separate-attacks-against-defi-protocols-exactly-and-harbor
GMBL Computer, a DeFi gambling protocol, was exploited for nearly 500 ETH, worth around $800,000 in today's prices.
The hacker's identity is known, and GMBL has offered a bounty for the return of funds to avoid legal action.
Despite accusations of an inside job, GMBL reported that half the stolen funds have already been recovered.
https://beincrypto.com/defi-gmbl-computer-exploited-eth-funds-returned/
https://www.bleepingcomputer.com/news/security/crypto-casino-stakecom-loses-41-million-to-hot-wallet-hackers/
Crypto casino Stake.com loses $41 million to hot wallet hackers
"Online cryptocurrency casino Stake.com announced that its ETH/BSC hot wallets had been compromised to perform unauthorized transactions, with over $40 million in crypto reportedly stolen.
The platform immediately reassured users that their funds were safe, and all other wallets not directly impacted by the attack, including those holding BTC, LTC, XRP, EOS, and TRX, remained fully operational."
___
https://twitter.com/peckshieldalert/status/1698870451815285045
"PeckShieldAlert A total of ~$41M worth of cryptos were drained from Stake.com , with ~$15.7M on #Ethereum (9.62K $ETH), ~$7.85M on #Polygon (14.24M $MAITC), and $17.75M on #BNBChain (82.65K $BNB)"
Crypto casino Stake.com loses $41 million to hot wallet hackers
"Online cryptocurrency casino Stake.com announced that its ETH/BSC hot wallets had been compromised to perform unauthorized transactions, with over $40 million in crypto reportedly stolen.
The platform immediately reassured users that their funds were safe, and all other wallets not directly impacted by the attack, including those holding BTC, LTC, XRP, EOS, and TRX, remained fully operational."
___
https://twitter.com/peckshieldalert/status/1698870451815285045
"PeckShieldAlert A total of ~$41M worth of cryptos were drained from Stake.com , with ~$15.7M on #Ethereum (9.62K $ETH), ~$7.85M on #Polygon (14.24M $MAITC), and $17.75M on #BNBChain (82.65K $BNB)"
North Korean hackers have allegedly stolen hundreds of millions in crypto to fund nuclear programs
North Korea-linked hackers stole $200 million worth of crypto from January to Aug. 18, accounting for over 20% of all stolen crypto this year, according to a recent report by TRM Labs.
https://www.cnbc.com/2023/09/06/north-korea-hackers-stole-crypto-to-fund-nuclear-program-trm-chainalysis.html
North Korea-linked hackers stole $200 million worth of crypto from January to Aug. 18, accounting for over 20% of all stolen crypto this year, according to a recent report by TRM Labs.
https://www.cnbc.com/2023/09/06/north-korea-hackers-stole-crypto-to-fund-nuclear-program-trm-chainalysis.html
https://www.theblock.co/post/246196/exactly-protocol-exploited-7-million-optimism-layer-2-network
"The exploit has resulted in estimated losses of over $7 million, according to security firms.
Exactly Protocol, a DeFi project that offers interest rate markets on the Optimism Layer 2 network, has become the latest victim of a security attack. The exploit, which was detected by security firms including BlockSec and Beosin, has resulted in estimated losses of over 4300 ether ($7.3 million)."
https://www.msn.com/en-us/money/markets/magnate-finance-executes-64-million-exit-scam-on-base-network-details/ar-AA1fLTXK
"Magnate Finance executes $6.4 million exit scam on Base Network
Magnate Finance, a lending project operating on the Ethereum Layer 2 network Base, has executed an exit scam, making off with an estimated $6.4 million. The event, described as a rug pull by security firm PeckShield, has sent shockwaves through the cryptocurrency community."
"The exploit has resulted in estimated losses of over $7 million, according to security firms.
Exactly Protocol, a DeFi project that offers interest rate markets on the Optimism Layer 2 network, has become the latest victim of a security attack. The exploit, which was detected by security firms including BlockSec and Beosin, has resulted in estimated losses of over 4300 ether ($7.3 million)."
https://www.msn.com/en-us/money/markets/magnate-finance-executes-64-million-exit-scam-on-base-network-details/ar-AA1fLTXK
"Magnate Finance executes $6.4 million exit scam on Base Network
Magnate Finance, a lending project operating on the Ethereum Layer 2 network Base, has executed an exit scam, making off with an estimated $6.4 million. The event, described as a rug pull by security firm PeckShield, has sent shockwaves through the cryptocurrency community."
Base project RocketSwap Labs has outlined its emergency program to bounce back from a brute force hack that swiped $865,000 or 471 Ether from the protocol on Aug. 14.
The team explained on Aug. 15 that they plan on redeploying a new farm contract and open-source it on-chain, relinquish minting rights — presumably of RCKT — and will soon call on the hackers to return the assets, among other things
https://cointelegraph.com/news/base-dex-rocketswap-announces-emergency-plan-after-exploit
The team explained on Aug. 15 that they plan on redeploying a new farm contract and open-source it on-chain, relinquish minting rights — presumably of RCKT — and will soon call on the hackers to return the assets, among other things
https://cointelegraph.com/news/base-dex-rocketswap-announces-emergency-plan-after-exploit
"In August 2023, Steadefi — a leveraged yield aggregation platform — was the victim of an attack. The attacker gained access to the private keys used to manage the project’s deployed contract, resulting in about $1.1 million in losses."
https://www.halborn.com/blog/post/explained-the-steadefi-hack-august-2023
"Blockchain security firm PeckShield revealed fresh vulnerabilities targeting decentralized finance (DeFi) projects on Aug. 9. According to the firm, Aave’s Earning Farm has been compromised by a reentrancy attack, resulting in the theft of at least $287,000 worth of Ether "
https://cointelegraph.com/news/aave-earning-farm-protocol-targeted-by-reentrancy-attack-peckshield
"Uwerx Loses $327,000 To A Flash Loan Attack
A flash loan attack on August 2 cut Uwerx's successful launch celebration short. The attacker flash-loaned 20,000 ETH (approximately $36,726,400) and swapped it for 5,053,637 WERX."
https://www.theportugalnews.com/news/2023-08-12/uwerxs-road-to-redemption-overcoming-hurdles-after-successful-launch-due-to-hack/80409
UZD Stablecoin Plummets As Zunami Protocol Loses Over $2.1 Million To Exploit
https://www.ibtimes.com/uzd-stablecoin-plummets-zunami-protocol-loses-over-21-million-exploit-3708535
https://www.halborn.com/blog/post/explained-the-steadefi-hack-august-2023
"Blockchain security firm PeckShield revealed fresh vulnerabilities targeting decentralized finance (DeFi) projects on Aug. 9. According to the firm, Aave’s Earning Farm has been compromised by a reentrancy attack, resulting in the theft of at least $287,000 worth of Ether "
https://cointelegraph.com/news/aave-earning-farm-protocol-targeted-by-reentrancy-attack-peckshield
"Uwerx Loses $327,000 To A Flash Loan Attack
A flash loan attack on August 2 cut Uwerx's successful launch celebration short. The attacker flash-loaned 20,000 ETH (approximately $36,726,400) and swapped it for 5,053,637 WERX."
https://www.theportugalnews.com/news/2023-08-12/uwerxs-road-to-redemption-overcoming-hurdles-after-successful-launch-due-to-hack/80409
UZD Stablecoin Plummets As Zunami Protocol Loses Over $2.1 Million To Exploit
https://www.ibtimes.com/uzd-stablecoin-plummets-zunami-protocol-loses-over-21-million-exploit-3708535
Solana-based decentralized exchange Cypher lost close to $1 million in crypto Monday due to an exploit or security incident.
The protocol’s contracts are now frozen as contributors attempt to make contact with hackers to negotiate a return of funds.
Cypher is one of the fastest-growing protocols on the solana blockchain in part because of its loyalty program, which rewards depositors and traders with points that many users expect is the setup for an airdrop.
The exploit comes during Cypher’s biannual hacker house mtnDAO which it hosts in Salt Lake City alongside fellow Solana trading protocol marginfi. In its discord channel, marginfi said it was not impacted by the hack.
https://www.coindesk.com/business/2023/08/07/solana-based-cypher-protocol-experiences-exploit-freezes-smart-contract/
The protocol’s contracts are now frozen as contributors attempt to make contact with hackers to negotiate a return of funds.
Cypher is one of the fastest-growing protocols on the solana blockchain in part because of its loyalty program, which rewards depositors and traders with points that many users expect is the setup for an airdrop.
The exploit comes during Cypher’s biannual hacker house mtnDAO which it hosts in Salt Lake City alongside fellow Solana trading protocol marginfi. In its discord channel, marginfi said it was not impacted by the hack.
https://www.coindesk.com/business/2023/08/07/solana-based-cypher-protocol-experiences-exploit-freezes-smart-contract/
Curve Offers Hackers 10% Bounty in Exchange for Return of Crypto
Curve Finance and other victims of this week’s crypto lending heist have offered their hackers a 10% bounty in exchange for the return of the rest of their tokens.
"You will have no risk of us pursuing this further, no risk of law enforcement issues, etc," Curve, Metronome and Alchemix wrote in an on-chain message sent to a hacker's Ethereum address. The trio gave a deadline of August 6 at 0800 UTC, at which point their bounty will become a vigilante payout to whomever provides information that leads to the hacker's arrest and conviction.
https://markets.businessinsider.com/news/currencies/curve-offers-hackers-10-bounty-in-exchange-for-return-of-crypto-1032514282
https://twitter.com/curvefinance/status/1687180381714358272?
Curve Finance and other victims of this week’s crypto lending heist have offered their hackers a 10% bounty in exchange for the return of the rest of their tokens.
"You will have no risk of us pursuing this further, no risk of law enforcement issues, etc," Curve, Metronome and Alchemix wrote in an on-chain message sent to a hacker's Ethereum address. The trio gave a deadline of August 6 at 0800 UTC, at which point their bounty will become a vigilante payout to whomever provides information that leads to the hacker's arrest and conviction.
https://markets.businessinsider.com/news/currencies/curve-offers-hackers-10-bounty-in-exchange-for-return-of-crypto-1032514282
https://twitter.com/curvefinance/status/1687180381714358272?
News update. It appears that the hacker did not return the stolen funds to Curve Finance.
Curve is offering a $1.85 million bounty to anyone who can accurately identify the DeFi protocol's exploiter in a way that leads to definitive legal repercussions.
"The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC," Curve publicly wrote in an Ethereum transaction's input data, adding: "We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts."
Source https://www.theblock.co/post/243464/curve-exploit-identity-bounty
However, he returned the funds of 2 DeFi protocols, Alchemix and Jpeg'd which he also sent a message telling eveyone that he was returning them because he was not scared, only returning them because he did not want to ruin the projects.
"I want to clarify that I'm refunding you not because you can find me, it's because I don't want to ruin your project," they explained in a transaction, adding: "Maybe it's a lot of money for a lot of people, but not for me, I'm smarter than all of you."
From the same news source.
Curve Offers Hackers 10% Bounty in Exchange for Return of Crypto
Curve Finance and other victims of this week’s crypto lending heist have offered their hackers a 10% bounty in exchange for the return of the rest of their tokens.
"You will have no risk of us pursuing this further, no risk of law enforcement issues, etc," Curve, Metronome and Alchemix wrote in an on-chain message sent to a hacker's Ethereum address. The trio gave a deadline of August 6 at 0800 UTC, at which point their bounty will become a vigilante payout to whomever provides information that leads to the hacker's arrest and conviction.
https://markets.businessinsider.com/news/currencies/curve-offers-hackers-10-bounty-in-exchange-for-return-of-crypto-1032514282
https://twitter.com/curvefinance/status/1687180381714358272?
Curve Finance and other victims of this week’s crypto lending heist have offered their hackers a 10% bounty in exchange for the return of the rest of their tokens.
"You will have no risk of us pursuing this further, no risk of law enforcement issues, etc," Curve, Metronome and Alchemix wrote in an on-chain message sent to a hacker's Ethereum address. The trio gave a deadline of August 6 at 0800 UTC, at which point their bounty will become a vigilante payout to whomever provides information that leads to the hacker's arrest and conviction.
https://markets.businessinsider.com/news/currencies/curve-offers-hackers-10-bounty-in-exchange-for-return-of-crypto-1032514282
https://twitter.com/curvefinance/status/1687180381714358272?
https://beincrypto.com/kannagi-finance-zksync-era-rug-pull/
A Rocky Week for zkSync Era: EraLend Security Breach and Kannagi Finance Rug Pull
Kannagi Finance has walked away with $2.4 million worth of users' assets.
The incident is the first rug pull to affect the scaling solution zkSync Era.
It comes off the back of the $3.4 million hack EraLend suffered earlier.
"EraLend Loses $3.4M in Security Breach
On Tuesday, July 25, cyber attackers pilfered a staggering $3.4 million from EraLend, a lending platform operating on the zkSync Era. In the aftermath, the EraLend team promptly halted all activities.
A subsequent update revealed they had pinpointed a potentially involved crypto exchange account. Furthermore, they suspect that the culprits may have utilized a certain VPN provider to obscure their online tracks.
“We’ve pinpointed a suspicious CEX account that appears to be linked to an individual potentially involved in the incident. We are collaborating closely with the local police department, providing them with all relevant information,” said EraLend."
A Rocky Week for zkSync Era: EraLend Security Breach and Kannagi Finance Rug Pull
Kannagi Finance has walked away with $2.4 million worth of users' assets.
The incident is the first rug pull to affect the scaling solution zkSync Era.
It comes off the back of the $3.4 million hack EraLend suffered earlier.
"EraLend Loses $3.4M in Security Breach
On Tuesday, July 25, cyber attackers pilfered a staggering $3.4 million from EraLend, a lending platform operating on the zkSync Era. In the aftermath, the EraLend team promptly halted all activities.
A subsequent update revealed they had pinpointed a potentially involved crypto exchange account. Furthermore, they suspect that the culprits may have utilized a certain VPN provider to obscure their online tracks.
“We’ve pinpointed a suspicious CEX account that appears to be linked to an individual potentially involved in the incident. We are collaborating closely with the local police department, providing them with all relevant information,” said EraLend."
Curve Finance lost $52 million as a result of the hack, this was caused by the exploitation of several liquidity pools as a result of an error in smart contracts using versions 0.2.15, 0.2.16 and 0.3.0. XNUMX.
https://twitter.com/PeckShieldAlert/status/1685794015915229184
https://twitter.com/PeckShieldAlert/status/1685794015915229184
first ZKsync protocol
https://www.bitcoininsider.org/article/220933/era-lend-zksync-exploited-34m-reentrancy-attack
Era Lend on zkSync exploited for $3.4M in reentrancy attack
The lending app was drained of funds using a “read-only reentrancy” bug, a type of vulnerability that is often difficult for auditors to spot.
"Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds, which is a type of attack that interrupts a multi-step process and then causes it to continue after a malicious action has been performed. Specifically, a “read-only” reentrancy is one that does not update the state of a contract."
https://www.bitcoininsider.org/article/220933/era-lend-zksync-exploited-34m-reentrancy-attack
Era Lend on zkSync exploited for $3.4M in reentrancy attack
The lending app was drained of funds using a “read-only reentrancy” bug, a type of vulnerability that is often difficult for auditors to spot.
"Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds, which is a type of attack that interrupts a multi-step process and then causes it to continue after a malicious action has been performed. Specifically, a “read-only” reentrancy is one that does not update the state of a contract."
https://cointelegraph.com/news/eth-curve-omnipool-platform-conic-finance-hacked-for-3-2-million-in-eth
Curve omnipool platform Conic Finance hacked for $3.2 million in ETH
"According to initial analysis by Peckshield, the root cause for Conic Finance’s hack was the new CurveLPOracleV2 contract.
Conic Finance, a liquidity pool balancing platform for the decentralized finance (DeFi) protocol Curve, has suffered an exploit on the Ethereum omnipool.
Conic Finance has been exploited for $3.26 million in Ether, the Web3 risk-alert source Beosin Alert reported on July 21. Nearly the entire amount of stolen cryptocurrency was sent to a new Ethereum address in just one transaction, according to data provided by Beosin."
Curve omnipool platform Conic Finance hacked for $3.2 million in ETH
"According to initial analysis by Peckshield, the root cause for Conic Finance’s hack was the new CurveLPOracleV2 contract.
Conic Finance, a liquidity pool balancing platform for the decentralized finance (DeFi) protocol Curve, has suffered an exploit on the Ethereum omnipool.
Conic Finance has been exploited for $3.26 million in Ether, the Web3 risk-alert source Beosin Alert reported on July 21. Nearly the entire amount of stolen cryptocurrency was sent to a new Ethereum address in just one transaction, according to data provided by Beosin."
sad to see this and fortunately only Ethereum pool exploits and all other pools are safe. according to latest tweet, Conic team has fixed this pool issue now and all withdrawl can be done safely. They also claim that it not possible to exploit Ethereum mining pool gain.
hackers are in the search of finding any small door to enter and trying their best to steal fund. Dex projects should do many security audit to be safe and should close all doors for hackers.
Jump to: