Verichains Weekly Security Digest | June 2023 Week 2
In this week’s digest, Verichains partners with VNG Cloud to provide our mobile application security expertise at their upcoming workshop on Safeguarding Fintech’s Evolution: Navigating Top Threats and Sustainable Growth on June 14th.
Last week, the crypto market lost over $237,000 due to exploits.
Events And Partnerships
VNG Cloud: Safeguarding Fintech Evolution
On June 14th, Verichains will be joining VNG Cloud’s workshop on Safeguarding Fintech’s Evolution: Navigating Top Threats and Sustainable Growth, sharing our insights and best practices on mobile application security for enterprises and SMEs.
View more information about the event here: https://event.vngcloud.vn/top-trends-and-cybersecurity-in-fintech
Verichains Partners with Capshort
Verichains announced our latest partnership with CapShort, an all-in-one blockchain mobile application and successful participant of the BNB Chain Kickstart Program powered by AvengerDAO.
As a founding member of AvengerDAO, Verichains will extend our expertise in smart contract auditing to ensure the utmost security of CapShort’s platform.
View CapShort public audit report here: https://github.com/verichains/public-audit-reports/blob/main/Verichains
Last Week’s Incidents
💥Type: Insufficient Input Validation
💸Loss amount: ~$135,000
The attacker exploited a transfer-tax exemption granted to the FarmZAP contract for BabyDoge transactions. They manipulated the price of BabyDoge on the Pancake pair by buying tokens through FarmZAP, dumping them on the exchange, triggering the swapAndLiquify function, and selling at a lower price. They then profited by buying back at the reduced price and dumping through FarmZAP again. The developer tried to prevent further attacks by including the farm among the addresses subject to the fee.
💥Type: Price Manipulation
💸Loss amount: ~$108,000
The "doExchange" function in the "ExchangeBetweenPools" contract enables on-chain swapping of tokens with unlimited slippage. This can be exploited by attackers to manipulate prices and profit from the exchange. However, in this case, the attack was front-run by an MEV bot.
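To show what "unlimited slippage" means at the code level, here is an added Solidity example (not the ExchangeBetweenPools contract, whose source is not reproduced in this digest): a swap entry point with no output bound, beside a hardened version that takes a caller-supplied minimum output and deadline. The IPool and IERC20 interfaces and all contract names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the incident contract. IPool is an assumed minimal pool
// interface whose swap() returns the amount actually delivered to `to`.
interface IPool {
    function swap(address tokenIn, uint256 amountIn, address to) external returns (uint256 amountOut);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Vulnerable shape: the caller cannot bound the output, so whatever price the
/// pool quotes at execution time is accepted, however skewed its reserves are.
contract ExchangeUnbounded {
    IPool public immutable pool;

    constructor(IPool _pool) { pool = _pool; }

    function doExchange(address tokenIn, uint256 amountIn) external returns (uint256) {
        IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
        IERC20(tokenIn).approve(address(pool), amountIn);
        // No minimum output and no deadline: a pool whose reserves were moved
        // earlier in the same block is traded against at that moved price.
        return pool.swap(tokenIn, amountIn, msg.sender);
    }
}

/// Hardened shape: minAmountOut and deadline are supplied by the caller and
/// enforced on chain after the swap, so a bad fill reverts instead of settling.
contract ExchangeBounded {
    IPool public immutable pool;

    error SlippageExceeded(uint256 received, uint256 minimum);
    error Expired(uint256 deadline);
    error ZeroMinimum();

    constructor(IPool _pool) { pool = _pool; }

    function doExchange(
        address tokenIn,
        uint256 amountIn,
        uint256 minAmountOut,
        uint256 deadline
    ) external returns (uint256 amountOut) {
        if (block.timestamp > deadline) revert Expired(deadline);
        // Refuse "accept anything": a zero minimum re-creates the unbounded case.
        if (minAmountOut == 0) revert ZeroMinimum();

        IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
        IERC20(tokenIn).approve(address(pool), amountIn);
        amountOut = pool.swap(tokenIn, amountIn, msg.sender);

        // Post-swap check: the whole transaction reverts if the fill is worse
        // than the caller agreed to.
        if (amountOut < minAmountOut) revert SlippageExceeded(amountOut, minAmountOut);
    }
}
```

The important design point is who chooses `minAmountOut`. When a user calls the function, the front end computes it off-chain from a fresh quote and the user's tolerance. When the protocol itself calls the swap internally (as an exchange-between-pools contract typically does), the bound has to come from a price reference the attacker cannot move in the same transaction, for example a TWAP or an external oracle, not from the spot reserves of the pool being traded against.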
💥Type: Wrong Visibility in Function
💸Loss amount: ~$2,000
An unverified ERC20 contract has a vulnerability that allows the attacker to gain unauthorized access to the "_transfer" function. This function is responsible for transferring tokens between users. By exploiting this vulnerability, the attacker can transfer tokens from any user to themselves without permission, potentially manipulating balances and stealing tokens.
Visibility issues in critical functions like "_transfer" pose serious risks to the security and integrity of ERC20 contracts. To prevent unauthorized token transfers and protect user assets, it is crucial to implement proper access controls and visibility restrictions.
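The following added Solidity example (not the code of either incident contract) puts the first and third incidents side by side in one minimal fee-on-transfer ERC20: the `_transfer` function is declared `internal` so it is reachable only through `transfer` and `transferFrom`, and the fee-exemption list can be changed only by the owner, with a comment on why exempting a contract that routes trades for arbitrary users undoes the tax. Contract, variable and event names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the incident contracts. Illustrates correct `_transfer`
// visibility and an owner-gated fee-exemption list in a taxed ERC20.
contract TaxedToken {
    string public constant name = "Taxed Token";
    string public constant symbol = "TAX";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    address public owner;
    address public feeCollector;
    uint256 public constant FEE_BPS = 300; // 3% transfer fee, illustrative value
    mapping(address => bool) public isFeeExempt;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
    event FeeExemptionSet(address indexed account, bool exempt);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 supply, address collector) {
        owner = msg.sender;
        feeCollector = collector;
        isFeeExempt[msg.sender] = true;
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    // Only the owner can grant an exemption. Granting one to a contract that
    // executes trades on behalf of arbitrary users (a zap or router) makes every
    // user of that contract tax-free, which is the exposure behind the FarmZAP
    // incident: the exemption list should hold only addresses the team controls.
    function setFeeExempt(address account, bool exempt) external onlyOwner {
        isFeeExempt[account] = exempt;
        emit FeeExemptionSet(account, exempt);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - amount;
        _transfer(from, to, amount);
        return true;
    }

    // `internal`: callable only from transfer/transferFrom above, which bind
    // `from` to msg.sender or to an allowance `from` granted. Declared `public`
    // (the visibility bug in the third incident), any caller could pass an
    // arbitrary `from` and move that holder's balance.
    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= amount, "insufficient balance");

        uint256 fee = (isFeeExempt[from] || isFeeExempt[to]) ? 0 : (amount * FEE_BPS) / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;
        emit Transfer(from, to, amount - fee);

        if (fee > 0) {
            balanceOf[feeCollector] += fee;
            emit Transfer(from, feeCollector, fee);
        }
    }
}
```

When reviewing a token contract, the two checks that map to these incidents are mechanical: every function that moves a balance on behalf of a `from` other than `msg.sender` must be `internal`/`private` or guarded by an allowance or access control, and every entry in the fee-exemption list must be an address whose callers are trusted, not a shared contract.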