Mediaboss Marketing

DeFi experienced six major exploits that resulted in losses of over $33 million USD, from April 7th to 14th, 2023. The incidents highlighted the need for conducting regular security audits to address vulnerabilities in smart contracts.

We're excited to announce our new security series in collaboration with D3ploy, a leading Web3 security team dedicated to enhancing the safety of the industry. Together, we'll provide regular updates on the most significant security threats and vulnerabilities encountered.

The week of April 7th to 14th, 2023, witnessed a series of high-profile exploits in the decentralized finance (DeFi) industry, causing significant financial losses and demonstrates that while DeFi holds immense potential to revolutionize the financial industry, it is still in its infancy and has a long way to go in terms of security and robustness.

By learning from these exploits we as a DeFi communitiy can work together to strengthen the ecosystem and pave the way for a more secure and stable decentralized financial future.

The six major exploits that occurred during this period include:

The total estimated value lost across these exploits is over $33 million USD, with some funds recovered across various incidents. These security breaches underscore the importance of conducting regular security audits to identify and address vulnerabilities in smart contracts, particularly when releasing updates.

Lets explore each individual exploit in a little more depth

South Korean centralized exchange GDAC experienced a severe hot wallet hack on April 9th, 2023, resulting in the loss of 14,324,040 $USD worth of cryptocurrency. The stolen assets included 60.8 $BTC, 350.5 $ETH, 220,000 $USDT, and 10,000,000 $WEMIX. This theft accounted for approximately 23% of GDACs total assets under custody.

The exchanges emergency response team acted quickly to suspend all deposit and withdrawal services and block related servers. GDAC reported the incident to the police and the Korea Internet & Security Agency (KISA) for technical support, as well as notifying the Financial Intelligence Unit (FIU). GDAC urged asset issuers, exchanges, and DeFi managers to freeze assets and collaborated with various organizations to recover the stolen funds.

Yearn Finance, a yield aggregator, and Aave Protocol, a lending and borrowing platform, fell victim to a flash loan attack on April 8th, 2023, resulting in a combined loss of 11,512,509 $USD worth of $ETH and $DAI. The attacker executed the exploit using two malicious smart contracts and took a flash loan for 2,000,000 $USDT, 5,000,000 $USDC, and 5,000,000 $DAI from Balancer. The borrowed assets were used to exploit a vulnerability in Yearn Finances USDT pool, allowing the attacker to mint a significant number of ycUSDT and yUSDT tokens, which were then swapped for various stablecoins.

A smaller attack occurred simultaneously, affecting Aaves LendingPoolCoreV1 contract. The attacker repaid all users USDT positions in the Aave V1 protocol. The stolen assets were transferred to destination wallets, with 1,000 $ETH bridged through TornadoCash.

On the morning of April 10th, 2023, Terraport was exploited, leading to losses of approximately 4 million USD in Terra, LUNC, and USTC tokens. The exploit was made possible due to a mathematical weakness in the algorithm used to calculate LP prices.

The malicious actor added a small amount of liquidity to the protocol and then manipulated the LP share price, allowing them to withdraw a large amount of liquidity. Two pools were affected, the first one drained for 9,148,426 TERRA ($1.8 million) and 15,100,861,997 LUNC ($1.88 million), and the second one for 576,736 TERRA ($115K) and 5,487,381 USTC ($117K). The total losses amounted to about $4 million USD.

SushiSwap, a cross-chain decentralized exchange, experienced an exploit on April 7th, 2023, due to a bug related to approvals of its RouterProcessor2 contract. The vulnerability led to losses of nearly 3,505,000 $USD from the user named sifuvision.eth.

The hack was caused by a smart contract bug on SushiSwaps RouterProcessor2 contract, which allowed attackers to bypass security checks and withdraw affected users approved tokens. The incident affected users who swapped on the platform within four days before detection. After detecting the exploit, Jared Grey, head developer at SushiSwap, urged users to revoke permissions for all contracts on their platform while they worked with security teams to mitigate issues.

An interesting part of the story is that the initial hack of 100 $ETH was performed by a white hat, who tweeted about the vulnerability and returned 90 $ETH back. However, several EOA addresses used the same vulnerability to exploit the same user for a more significant amount of 1,790 $ETH. Jared Grey announced the returning of 300 $ETH with the help of the community and is working on returning 700 $ETH from the Lido Vault.

MetaPoint, a metaverse running on the Binance Smart Chain, was hacked on April 11th, 2023, through a vulnerability found within their deposit function. When a user used the deposit function, it created a new contract and deposited tokens into that contract. The issue arose because this newly created contract had an approve function that gave unrestricted access to $META tokens without any restrictions or limitations.

An attacker took advantage of this by deploying a malicious smart contract with unverified source code and draining mass amounts of funds from users who had deposited $POT tokens onto their platform. The exploiter was able to steal 2,518 $BNB, worth 803,242 $USD at current market rates. All the stolen money was transferred through TornadoCash.

OpenAI ATF, a BEP20 token trading on PancakeSwap, experienced a rug pull on April 14th, 2023, by the deployer who removed liquidity worth 340,061 $USD. The deployer removed LP funds over nine transactions and swapped them for $WBTC. Part of the stolen assets remains in the deployers original address.

The turbulent week of April 7th-14th, 2023, witnessed six major exploits in the DeFi industry, resulting in over $33 million USD lost. Some of these funds have been recovered, thanks to the quick response of project teams and the collaboration of the wider DeFi community. The incidents serve as a stark reminder of the importance of conducting regular security audits to identify and address vulnerabilities in smart contracts, especially when releasing updates.

It is crucial for developers, project owners, and users to remain vigilant and prioritize security measures to ensure the overall safety of the DeFi ecosystem. As the industry continues to grow and evolve, so too will the need for robust security practices, including regular audits, thorough testing, and close collaboration.

D3ploy is an industry leading smart contract auditing service offering support to all public and private blockchains.

D3ploy offers comprehensive auditing services that cater to projects of any budget. With an impressive track record of auditing over 50 projects with zero security breaches to date and securing more than $6.5 billion in crypto assets, D3ploy is the ideal choice for DeFi projects seeking to ensure the security of their smart contracts.

Website |Twitter | Telegram |Linkedin |

View post:

D3ploy Unpacks Biggest Security Breaches of the Week - BSC NEWS