Verichains Weekly Security Digest | April 2023 Week 1
In this week’s digest, Verichains demonstrates how we helped our client Multichain secure their platform through our Security Advisory service.
The DeFi market hemorrhaged another USD 9 million last week in recent hacks with SafeMoon in the spotlight.
Verichains Security Advisory
Multichain is an infrastructure developed for arbitrary cross-chain interactions. It was born as Anyswap on 20 July 2020 to service the clear need of different and diverse blockchains to communicate with each other.
In December 2022, while conducting extensive research into threshold ECDSA security, Verichains discovered a specific vulnerability in Multichain’s fastMPC implementation and immediately contacted their team with a Proof-of-Concept ready for their reference.
The vulnerability allows a single malicious party to recover the TSS private key of a TSS group, reducing a t/n threshold scheme to 1/n. The attacker only needs to participate in 1 signing ceremony to do so. All Multichain mainnet and testnet smpc nodes, using versions 7.2.5 and 7.2.6 respectively, were at risk.
Through our joint efforts, Multichain was able to quickly patch the vulnerability before any exploitation could happen.
This case study underscores the value and protection afforded to our clients through our Security Advisory service. We express our gratitude to the Multichain team for their prompt efforts in addressing the bug as well as the bounty rewarded.
Read the full Security Advisory here:
Last Week’s Incidents
💥Type: Access Control
💸Loss amount: $8.9 million
Last week kicked off with the second-largest hack this year (so far) with SafeMoon, a DeFi project hacked for $8.9 million due to an access control vulnerability in the burn() function of the SFM token contract. A malicious actor took advantage of this vulnerability by burning a large number of SFM tokens, causing a sudden surge in the price of SFM tokens. After that, the attacker swapped the SFM tokens for their WBNB equivalent and withdrew a substantial amount of tokens, leading to significant losses for SafeMoon users.
It's also worth noting that the transaction was intercepted and executed by the 0x286e MEV bot. MEV stands for "Maximal Extractable Value," and it refers to the amount of value that can be extracted from a blockchain transaction by miners or other actors. MEV bots are automated tools that seek to maximize this value by executing transactions in a way that maximizes their profits.
Overall, this incident highlights the importance of strong access control mechanisms in smart contracts and the need for constant vigilance in the rapidly-evolving world of blockchain.
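As an added illustration (not code from the SFM contract or from Verichains), the Python model below contrasts a burn function that lacks a caller check with a hardened one and shows the effect on a pool's quoted price. It assumes the burned tokens sit in a simplified constant-product pair that prices from its live token balance; the names `Token`, `Pair` and `price_after_burn` and all figures are constructed for the example.

```python
class Token:
    """Minimal balance ledger (constructed model, not the SFM contract)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def burn_unchecked(self, caller, account, amount):
        # Flawed pattern: any caller may destroy any account's tokens.
        self._burn(account, amount)

    def burn_checked(self, caller, account, amount):
        # Hardened pattern: only the holder may burn its own balance.
        if caller != account:
            raise PermissionError("caller may not burn another account's tokens")
        self._burn(account, amount)

    def _burn(self, account, amount):
        if amount <= 0 or amount > self.balances.get(account, 0):
            raise ValueError("invalid burn amount")
        self.balances[account] -= amount


class Pair:
    """Simplified constant-product pair (assumption: prices from live balance)."""

    def __init__(self, token, quote_reserve):
        self.token = token
        self.quote_reserve = quote_reserve

    def spot_price(self):
        # Quote units per token; rises as the pair's token balance falls.
        return self.quote_reserve / self.token.balances["pair"]


def price_after_burn(checked):
    """Return (price_before, price_after) when 'outsider' tries to burn the pair's tokens."""
    token = Token({"pair": 1_000_000, "outsider": 10})
    pair = Pair(token, quote_reserve=1_000)
    before = pair.spot_price()
    burn = token.burn_checked if checked else token.burn_unchecked
    try:
        burn("outsider", "pair", 990_000)
    except PermissionError:
        pass  # hardened path: the pair's balance is untouched
    return before, pair.spot_price()
```

With the caller check in place the quoted price is unchanged; without it, the same call moves the price a hundredfold in this constructed pool.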
💥Type: Price Manipulation
💸Loss amount: $570,000
A project called Allbridge was hacked for over half a million dollars due to price manipulation. The attacker acted as both LP and swapper, allowing them to control the pool and manipulate the swap price. Consequently, the attacker executed trades and drained the pool, resulting in a loss of 282,889 BUSD and 290,868 USDT. At the time of writing, the attacker had agreed to return 1500 BNB tokens (approximately $465,000), keeping the difference as a white hat bounty, a happy ending.
🚨Project: Polar Bear
💸Loss amount: $110,000
In an incident that may raise a few eyebrows, a project called Polar Bear was hacked for $110,000 due to a backdoor in the Nuwa contract 0x344, which was not publicly available. The function 0xfa319eee was found to be the culprit, allowing for the swapping of $BUSD for $NUWA and the transfer of all $NUWA in the contract to the caller. During the execution of the transaction, the 0x286E MEV bot front-ran the transaction, resulting in the original transaction being reversed. After the reversal, the 0x286E bot sold the $NUWA for a profit of approximately $110k.
💥Type: Flashloan Attack
💸Loss amount: $100,000
A token called $UNMS suffered a $100,000 flashloan attack last week. The attacker leveraged a flash loan to borrow a substantial amount of $BUSD and modify the ratio between $BUSD and $UNMS in the pair. This alteration enabled the attacker to withdraw a significant amount of $UNMS from the contract, which they later sold for $100K. The use of flash loans in this attack allowed the attacker to perform a large-scale manipulation of the liquidity pool in a short amount of time.