Verichains Weekly Security Digest | August 2023 Week 4
In this week’s digest, the DeFi market experienced a substantial loss of more than $3,000,000 through a series of attacks such as private key compromises, access control breaches, and price manipulations. Among these incidents, the Zunami Protocol incurred the most significant impact, suffering a loss of $2,000,000.
Last Week’s Incidents
🚨Project: Zunami Protocol
⛓️Chain: Ethereum
💥Type: Price Manipulation
💸Loss amount: ~$2,000,000
In the largest hack last week, Zunami Protocol lost more than $2,000,000 to a price manipulation attack. The attack exploited an inaccurate LP price calculation, which depended on factors such as the quantity of "sdt" tokens held in the "MIMCurveStakeDao" liquidity pool. The attacker donated a large amount of "sdt" tokens to the pool to artificially inflate the LP price and then profited from the manipulated value.
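The defect class described above, an LP price derived from live token balances that anyone can raise with a plain transfer, is easiest to see side by side with the hardened pattern. The following Python model is an added illustration written for this digest, not Zunami Protocol code; the `Pool` class, the token names, prices and amounts are all constructed, and the deviation bound is a generic consumer-side sanity check rather than anything the project deployed.

```python
"""Toy model: LP price from raw balances (manipulable by donation) versus
LP price from internally tracked reserves, plus a deviation guard.
Constructed illustration; not the MIMCurveStakeDao or Zunami contracts."""

from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Pool:
    """`reserves` is the pool's own bookkeeping and changes only via deposit().
    `balances` mirrors what balanceOf(pool) would report on chain, which anyone
    can raise by sending tokens to the pool address without calling deposit()."""
    reserves: dict[str, Fraction] = field(default_factory=dict)
    balances: dict[str, Fraction] = field(default_factory=dict)
    lp_supply: Fraction = Fraction(0)

    def deposit(self, token: str, amount: int, lp_minted: int) -> None:
        amt = Fraction(amount)
        self.reserves[token] = self.reserves.get(token, Fraction(0)) + amt
        self.balances[token] = self.balances.get(token, Fraction(0)) + amt
        self.lp_supply += Fraction(lp_minted)

    def donate(self, token: str, amount: int) -> None:
        """A bare token transfer into the pool: balance rises, bookkeeping does not."""
        self.balances[token] = self.balances.get(token, Fraction(0)) + Fraction(amount)


def _value(holdings: dict, prices: dict) -> Fraction:
    # Total value of the holdings at the given per-token prices.
    return sum((holdings.get(t, Fraction(0)) * p for t, p in prices.items()), Fraction(0))


def lp_price_from_balances(pool: Pool, prices: dict) -> Fraction:
    """Vulnerable pattern: values one LP token from live on-chain balances."""
    return _value(pool.balances, prices) / pool.lp_supply


def lp_price_from_reserves(pool: Pool, prices: dict) -> Fraction:
    """Hardened pattern: values one LP token from internally accounted reserves."""
    return _value(pool.reserves, prices) / pool.lp_supply


def within_deviation(observed: Fraction, reference: Fraction, max_bps: int = 500) -> bool:
    """Consumer-side guard: reject an LP price that moves more than max_bps
    (basis points) away from a reference such as a TWAP or last accepted price."""
    return abs(observed - reference) * 10_000 <= reference * max_bps


def build_scenario() -> tuple:
    # Constructed prices and deposits: 1000 stable units plus 100 sdt worth 50 units,
    # 1050 LP tokens minted in total, so one LP token is worth exactly 1 unit.
    prices = {"zstable": Fraction(1), "sdt": Fraction(1, 2)}
    pool = Pool()
    pool.deposit("zstable", 1000, 1000)
    pool.deposit("sdt", 100, 50)
    return pool, prices


def simulate_donation(donation: int = 1000) -> dict:
    """Donate `donation` sdt to the pool and report both pricing methods."""
    pool, prices = build_scenario()
    reference = lp_price_from_reserves(pool, prices)
    pool.donate("sdt", donation)
    return {
        "reference": reference,
        "balance_based": lp_price_from_balances(pool, prices),
        "reserve_based": lp_price_from_reserves(pool, prices),
    }


if __name__ == "__main__":
    result = simulate_donation()
    for name, price in result.items():
        print(f"{name:14s} {float(price):.4f}  "
              f"accepted={within_deviation(price, result['reference'])}")
```

Running the script shows the balance-based price jumping from 1.0 to about 1.476 after the donation while the reserve-based price stays at 1.0; the deviation guard rejects the former and accepts the latter. In a real contract the reserve-based figure corresponds to state updated only by the pool's own deposit and withdraw paths, which is why it is not moved by tokens that simply arrive at the address.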
In response to the breach, the project has committed to fixing and hardening the omnipool and zStable systems, and has pledged to restore all zStables collateral to holders.
🚨Project: BeLaunch
⛓️Chain: SUI
💥Type: Access Control
💸Loss amount: ~$300,000
Last week, BeLaunch was attacked for roughly $35,000 due to a vulnerability in its smart contract. During initialization, the contract shared its TreasuryCap object publicly. This object apparently allowed anyone to interact with the contract and mint tokens. As a result, the attacker used it to authorize the transfer of 500,000 BLAT tokens to five different wallet addresses.
🚨Project: RocketSwap
⛓️Chain: Base
💥Type: Compromised Private Key
💸Loss amount: ~$869,000
RocketSwap was exploited for roughly $869,000 after a brute-force attack exposed the deployer’s private key. With that key, the attacker authorized the transfer of 427 ETH from the farm contracts to their own account.
At the time of writing, the project had acknowledged the attack and had since initiated a compensation program for affected users.