Verichains Weekly Security Digest | February 2023 Week 3
During the third week of February 2023, the DeFi market saw a concerning uptick in attacks. This week's digest covers four major incidents. The week's losses came to nearly $3.5 million, and one of the hacks covered here, an alleged "rug pull", accounts for $2 million of that on its own.
Incidents:
🚨Project: Hope Finance
⛓️Chain: Arbitrum
💥Type: Renouncing ownership
💸Loss amount: $2 million
Let's kick things off this week with an alleged rug pull that drained an eye-watering $2 million from a DeFi project called Hope Finance. The attack went through a vulnerability in the GenesisRewardPool contract that let the attacker route tokens directly to themselves instead of through the original Sushiswap router. Most interestingly, the contract code had been audited by Cognitos before the hack: the audit flagged other vulnerabilities and the code passed, but the flaw that was later exploited went unnoticed. This is a prime example of the limits of an audit in identifying every possible attack vector. Rather than relying on a single audit, projects should consider multiple audits and a long-term partnership with a security expert to ensure ongoing protection.
🚨Project: FEG (Feed Every Gorilla)
⛓️Chain: BSC
💥Type: Business Logic Flaw
💸Loss amount: $285,000
The runner-up is a hack of more than a quarter of a million dollars from another DeFi project, FEG. The vulnerability lies in the FEGex Pro (LP token) smart contract, specifically in its addBothLiquidity() function. The function did not properly verify the amount value passed in, which allowed the attacker to mint a large number of LP tokens without depositing the corresponding assets. Those LP tokens were then used in the Migrate() function, which paid out a significant number of FEG tokens to the attacker.
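The pattern behind this incident, as an added example that is not FEG's contract code: a pool that mints LP tokens from the `amount` its caller supplies, beside a version that pulls the tokens and mints from the balance it actually received. Everything here (the `Token` stand-in, the pool classes, the `migrate()` payout at one FEG per LP token) is constructed for the illustration; the real Migrate() semantics are not on the page. Measuring the balance delta rather than trusting the argument also handles fee-on-transfer tokens, which is shown with a 1% fee on one side.

```python
"""Added example, not FEG's contract: LP minting keyed to a caller-supplied
amount versus LP minting keyed to the balance the pool actually received."""


class Token:
    """Minimal ERC-20 stand-in (constructed). fee_bps models a fee-on-transfer token."""

    def __init__(self, name, balances, fee_bps=0):
        self.name = name
        self.balances = dict(balances)
        self.fee_bps = fee_bps

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{self.name}: insufficient balance for {sender}")
        self.balances[sender] -= amount
        received = amount - amount * self.fee_bps // 10_000
        self.balances[recipient] = self.balances.get(recipient, 0) + received


class VulnerablePool:
    """Mints LP tokens from the 'amount' argument and never pulls any funds."""

    def __init__(self, token_a, token_b):
        self.token_a, self.token_b = token_a, token_b
        self.lp = {}

    def add_both_liquidity(self, user, amount):
        self.lp[user] = self.lp.get(user, 0) + amount   # nothing verifies 'amount'
        return amount


class HardenedPool(VulnerablePool):
    """Pulls both tokens and mints from the measured balance delta, which also
    handles fee-on-transfer tokens correctly."""

    def add_both_liquidity(self, user, amount_a, amount_b):
        before_a = self.token_a.balance_of("pool")
        before_b = self.token_b.balance_of("pool")
        self.token_a.transfer_from(user, "pool", amount_a)
        self.token_b.transfer_from(user, "pool", amount_b)
        got_a = self.token_a.balance_of("pool") - before_a
        got_b = self.token_b.balance_of("pool") - before_b
        if got_a == 0 or got_b == 0:
            raise ValueError("no liquidity received")
        minted = min(got_a, got_b)   # simplified share; real pools use sqrt(a*b) or pro-rata
        self.lp[user] = self.lp.get(user, 0) + minted
        return minted


def migrate(pool, user, lp_amount, feg_per_lp=1):
    """Assumed Migrate() semantics: burn LP tokens, pay FEG in proportion."""
    held = pool.lp.get(user, 0)
    if held < lp_amount:
        raise ValueError("insufficient LP")
    pool.lp[user] = held - lp_amount
    return lp_amount * feg_per_lp


def exploit_vulnerable():
    """Empty-wallet attacker claims 10**24 of liquidity and cashes out in FEG."""
    pool = VulnerablePool(Token("A", {}), Token("B", {}))
    minted = pool.add_both_liquidity("attacker", 10**24)
    return migrate(pool, "attacker", minted)


def exploit_hardened():
    """Same attacker against the balance-delta pool: transferFrom reverts, 0 FEG."""
    pool = HardenedPool(Token("A", {}), Token("B", {}))
    try:
        pool.add_both_liquidity("attacker", 10**24, 10**24)
    except ValueError:
        return 0
    return migrate(pool, "attacker", pool.lp.get("attacker", 0))


def honest_hardened():
    """Real deposit into the hardened pool; token B charges a 1% transfer fee."""
    a, b = Token("A", {"lp": 500}), Token("B", {"lp": 500}, fee_bps=100)
    pool = HardenedPool(a, b)
    minted = pool.add_both_liquidity("lp", 500, 500)
    return minted, a.balance_of("pool"), b.balance_of("pool")
```

The check to carry over to a real contract is the delta measurement: `balanceOf(this)` before and after the `transferFrom`, with the mint derived only from that difference.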
🚨Project: Dynamic
⛓️Chain: BSC
💥Type: Business Logic Flaw
💸Loss amount: $21,000
Third on the list is yet another DeFi project, Dynamic. The project was hacked for $21,000 because of incorrect accounting in the DYNA staking deposit function, which did not handle the deposit time correctly. As a result, 73.8 BNB, equivalent to $23,000, was drained from the DYNA liquidity pool. The core vault smart contracts for lending and borrowing and the DYNA contract address are unaffected. The hacker has not moved the funds yet, but the team expects them to use a mixer to wash them.
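The digest does not say exactly how Dynamic's deposit function mishandled the deposit time, so the following is an added example of the general class, not Dynamic's contract: a staking deposit that keeps the timestamp of the first deposit when the principal is topped up, beside one that settles accrued rewards before changing the principal. The 1%-per-day reward rate, the integer arithmetic and the dust-then-top-up attack are all assumptions made for the illustration.

```python
"""Added example, not Dynamic's contract: a staking deposit that keeps a stale
deposit timestamp versus one that settles rewards before changing principal.
Reward model (assumed): 1% of principal per day, computed with integer math
the way a Solidity contract would: principal * seconds // 8_640_000."""

DAY = 86_400
REWARD_DIVISOR = 100 * DAY      # 1% per day


def accrued(principal, since, now):
    """Reward earned by 'principal' staked continuously from 'since' to 'now'."""
    return principal * (now - since) // REWARD_DIVISOR


class VulnerableStaking:
    """Top-ups add to principal but leave 'since' at the first deposit time, so
    the whole new principal is paid as if it had been staked since then."""

    def __init__(self):
        self.accounts = {}

    def deposit(self, user, amount, now):
        acct = self.accounts.setdefault(user, {"principal": 0, "since": now})
        acct["principal"] += amount          # 'since' is never updated later

    def withdraw(self, user, now):
        acct = self.accounts.pop(user)
        reward = accrued(acct["principal"], acct["since"], now)
        return acct["principal"], reward


class HardenedStaking:
    """Settle what the current principal has earned, move the timestamp, then
    change the principal; rewards can only come from time actually staked."""

    def __init__(self):
        self.accounts = {}

    def deposit(self, user, amount, now):
        acct = self.accounts.setdefault(
            user, {"principal": 0, "since": now, "pending": 0})
        acct["pending"] += accrued(acct["principal"], acct["since"], now)
        acct["since"] = now
        acct["principal"] += amount

    def withdraw(self, user, now):
        acct = self.accounts.pop(user)
        reward = acct["pending"] + accrued(acct["principal"], acct["since"], now)
        return acct["principal"], reward


def attack(staking_cls):
    """Dust deposit, wait 30 days, top up 1_000_000 and withdraw one second later.
    Returns (principal returned, reward paid)."""
    s = staking_cls()
    s.deposit("attacker", 1, now=0)
    s.deposit("attacker", 1_000_000, now=30 * DAY)
    return s.withdraw("attacker", now=30 * DAY + 1)


def honest(staking_cls):
    """Single 1_000 deposit held for 10 days; both versions must agree."""
    s = staking_cls()
    s.deposit("staker", 1_000, now=0)
    return s.withdraw("staker", now=10 * DAY)
```

Against the vulnerable version the attack collects 30 days of rewards on 1,000,001 units after holding the large amount for one second; against the hardened version it collects nothing, while an honest staker is paid the same by both. A fuzz or unit test that deposits, advances time, deposits again and compares the reward with the time-weighted expectation catches this class before deployment.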
🚨Project: HakunaMatata
⛓️Chain: BSC
💥Type: Deflationary Token
💸Loss amount: $10,000
Last but not least, a project called HakunaMatata was hacked by manipulating the accounting of its deflationary token, $TATA. The deliver() and burn() functions allowed the attacker to manipulate the tTotal and rTotal values from which every holder's balance is derived. The attacker took a flash loan, swapped into a large number of $TATA tokens, and called deliver() to update rTotal and tFeeTotal. Next, the attacker reduced tTotal via burn(), which shrank the total token supply. Because the liquidity pool's balance in this deflationary token was very small, the attacker was able to swap out more WBNB after synchronizing the pool's reserves. By manipulating the tTotal and rTotal values, the attacker increased their own token balance and profited at the expense of other token holders.
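To make the tTotal/rTotal mechanics concrete, here is an added model of reflect-style token accounting; it is constructed for this digest and is not the HakunaMatata contract. Balances are derived from the two totals, so deliver() moves every holder's balance, including the liquidity pair's, without any transfer, and a burn() that changes tTotal without the matching change to rTotal breaks the supply invariant and reprices the pair as soon as its reserves are synced. The `burn_unsafe` variant is an assumed flawed implementation, `burn_safe` the assumed correct one, and the holder split (pair 10%, attacker 90% after a flash-loan buy) and WBNB reserve are made-up inputs.

```python
"""Added example (constructed model, not the HakunaMatata/TATA contract)."""

MAX_UINT = 2**256 - 1


class ReflectToken:
    """reflect.finance-style accounting: balanceOf(a) = rOwned[a] // rate with
    rate = rTotal // tTotal, so every included holder's balance is a function
    of the two totals. deliver() follows the usual reflect semantics; the two
    burn variants below are this example's own assumptions."""

    def __init__(self, holders):
        self.t_total = sum(holders.values())
        # largest multiple of tTotal that fits in uint256, as reflect tokens do
        self.r_total = MAX_UINT - (MAX_UINT % self.t_total)
        self.t_fee_total = 0
        rate = self.rate()
        self.r_owned = {h: amt * rate for h, amt in holders.items()}

    def rate(self):
        return self.r_total // self.t_total

    def balance_of(self, who):
        return self.r_owned.get(who, 0) // self.rate()

    def _take(self, sender, t_amount):
        r_amount = t_amount * self.rate()
        if self.r_owned.get(sender, 0) < r_amount:
            raise ValueError("amount exceeds balance")
        self.r_owned[sender] -= r_amount
        return r_amount

    def deliver(self, sender, t_amount):
        """Sender gives t_amount to all other holders: rTotal shrinks, the rate
        drops, and every other balance rises with no transfer event."""
        self.r_total -= self._take(sender, t_amount)
        self.t_fee_total += t_amount

    def burn_unsafe(self, sender, t_amount):
        """Assumed flawed burn: lowers tTotal and the burner's rOwned but not
        rTotal, so the rate jumps and every balance in the token shrinks."""
        self._take(sender, t_amount)
        self.t_total -= t_amount

    def burn_safe(self, sender, t_amount):
        """Burn that keeps the rate: remove the same share from both totals."""
        self.r_total -= self._take(sender, t_amount)
        self.t_total -= t_amount


def supply_gap(token):
    """Invariant a fuzzer or on-chain monitor should hold: tTotal equals the sum
    of all balances, up to one unit of rounding dust per holder."""
    return token.t_total - sum(token.balance_of(h) for h in token.r_owned)


def wbnb_out(reserve_tata, reserve_wbnb, tata_in):
    """Constant-product quote (fee ignored) for selling tata_in into the pair."""
    return reserve_wbnb * tata_in // (reserve_tata + tata_in)


def scenario(burn):
    """Pair holds 100_000 TATA and 1_000 WBNB; attacker holds 900_000 TATA after
    a flash-loan buy and burns 500_000. Returns (pair TATA balance, attacker
    balance, supply gap, WBNB quote for selling 10_000 TATA) once the pair has
    synced its reserve to balanceOf(pair)."""
    tata = ReflectToken({"pair": 100_000, "attacker": 900_000})
    reserve_wbnb = 1_000
    burn(tata, "attacker", 500_000)
    reserve_tata = tata.balance_of("pair")       # what pair.sync() would record
    return (reserve_tata, tata.balance_of("attacker"), supply_gap(tata),
            wbnb_out(reserve_tata, reserve_wbnb, 10_000))


def deliver_shift():
    """Balances move without any transfer when one holder calls deliver()."""
    tata = ReflectToken({"pair": 100_000, "attacker": 900_000})
    tata.deliver("attacker", 400_000)
    return tata.balance_of("pair"), tata.balance_of("attacker"), supply_gap(tata)
```

With the safe burn the pair still holds 100,000 TATA and the supply invariant holds; with the unsafe burn the pair's balance halves without a transfer, the balances sum to 250,000 less than tTotal, and the same 10,000 TATA sale quotes 166 WBNB instead of 90 after sync(). The `supply_gap` check is the one to run in a fuzzing harness or a monitor against any token that exposes deliver()-style or burn()-style functions.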
==============
About Verichains
Since 2017, Verichains has been a pioneer and a leading blockchain security firm in APAC, with extensive expertise in security, cryptography and core blockchain technology. More than 200 clients trust us with $50 billion in assets under protection, including several high-profile clients such as BNB Chain, Klaytn, Wemix, Multichain, Line Corp, Axie Infinity, Ronin Network, and Kyber Network.
Our world-class security and cryptography research team has found several vulnerabilities in layer-1 protocols, crypto libraries, bridges, and smart contracts. We are also proud to be the firm that helped investigate, root-cause, and fix the security issues behind the two largest global crypto hacks: BNB Chain Bridge and Ronin Bridge (Sky Mavis).
Backed by in-depth research and development in blockchain technology, Verichains provides blockchain security services such as blockchain protocol and smart contract security audits, mobile application protection, key management solutions, on-chain risk monitoring, and red team/penetration testing services.
Homepage: https://www.verichains.io
Email: info@verichains.io
Twitter: https://twitter.com/Verichains
Linkedin: https://www.linkedin.com/company/verichains
Facebook: https://facebook.com/verichains
Telegram: https://t.me/+Y29xcaxJLJxjNDVl