Verichains Weekly Security Digest | July 2023 Week 2

blog.verichains.io

Discover more from Verichains

Leading web3 security firm in APAC. Trusted by top blockchain customers such as BNBChain (Binance), Klaytn (Kakao Talk), Wemix (Wemade), Solana, Axie Infinity/Ronin Network (Sky Mavis)
Continue reading
Sign in

Verichains Weekly Security Digest | July 2023 Week 2

Verichains, LowK, and lifebow
Jul 14, 2023
Last week, the DeFi market was exploited for over $200,000. The Biswap DEX hack alone accounted for more than half of the amount, totaling $110,000. This exploit was made possible by the lack of input validation.


Last Week’s Incidents

🚨Project: Biswap
⛓️Chain: BSC
💥Type: Lack of Input Validation
💸Loss amount: ~$110,000

Biswap, a decentralized exchange on BSC, was hacked for roughly $110,000 through a vulnerability in the V3Migrator contract's migrate method. The method passed caller-supplied parameters to transferFrom without validating them, so an attacker could move the LP tokens of any user who had approved the contract and drain those users' tokens.

At the time of writing, Biswap had acknowledged the incident, taken full responsibility for its consequences, and was recouping its users' losses.


🚨Project: MyAI
⛓️Chain: BSC
💥Type: Lack of Input Validation
💸Loss amount: $2,500

A DeFi project called MyAI was exploited for $2,500 through its MultiSender contract. The contract batch-transfers tokens to multiple addresses, but the tokenTransfer method's check of the sender's eligibility was wrong: an attacker could deposit tokens into the contract on behalf of any address and then transfer all of them to their own address. Proper authorization checks, binding the source of funds to msg.sender, are essential to prevent unauthorized transfers in smart contracts.
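Both the Biswap migrate bug and the MyAI tokenTransfer bug above are the same flaw: a contract that pulls tokens via transferFrom from an address it reads out of its own arguments instead of from msg.sender, so any allowance a user granted the contract becomes spendable by anyone. The following is an added Python model of that flaw and its fix; it is not either project's code, and every contract name, address and balance in it is made up.

```python
"""Model of ERC-20 `approve`/`transferFrom` and a batch-transfer contract that
reads the source address from its own arguments instead of binding it to the
caller. Added illustration; not Biswap's or MyAI's code (names are invented)."""


class ERC20:
    """Just enough of the token standard to show allowance semantics."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}            # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        # The token only checks that `owner` approved `spender` (the calling
        # contract). It cannot know who asked that contract to spend the funds.
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)


class VulnerableBatchSender:
    """`from_` comes from calldata; nothing ties it to `caller` (msg.sender),
    so anyone can pull tokens from any address that approved this contract."""

    ADDRESS = "batch_sender"        # made-up contract address

    def __init__(self, token):
        self.token = token

    def token_transfer(self, caller, from_, recipients, amounts):
        if len(recipients) != len(amounts):
            raise ValueError("length mismatch")
        total = sum(amounts)
        # BUG: pulls from the caller-chosen `from_`, not from `caller`.
        self.token.transfer_from(self.ADDRESS, from_, self.ADDRESS, total)
        for to, amount in zip(recipients, amounts):
            self.token.transfer(self.ADDRESS, to, amount)


class FixedBatchSender(VulnerableBatchSender):
    """Hardened: the only tokens a caller may move are its own."""

    def token_transfer(self, caller, from_, recipients, amounts):
        if from_ != caller:
            raise PermissionError("from must equal msg.sender")
        super().token_transfer(caller, from_, recipients, amounts)


def run(sender_cls):
    """Victim approves the contract for a later batch send; an attacker then
    tries to spend that allowance. Returns (victim_balance, attacker_balance)."""
    token = ERC20({"victim": 1_000, "attacker": 0})      # constructed balances
    contract = sender_cls(token)
    token.approve("victim", contract.ADDRESS, 1_000)
    try:
        contract.token_transfer(caller="attacker", from_="victim",
                                recipients=["attacker"], amounts=[1_000])
    except PermissionError:
        pass                                             # the fixed contract refuses
    return token.balances["victim"], token.balances.get("attacker", 0)


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableBatchSender))     # victim drained
    print("fixed:     ", run(FixedBatchSender))          # victim untouched
```

The check `from_ == caller` is the whole fix: once the source of funds is msg.sender, an allowance granted to the contract can only ever be exercised by the address that granted it.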


🚨Project: BambooAI
⛓️Chain: BSC
💥Type: Price Manipulation
💸Loss amount: ~$48,000

A DeFi project called BambooAI was hacked last week for roughly $48,000. The token contract called its private updatePool function from within _transfer, so ordinary transfers changed the token balance of the pool pair and artificially shifted the token's price. The attacker used this to profit from the price movement.
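To see why a transfer hook that touches the pool's balances is dangerous, the added model below simulates a constant-product (x*y=k) pair and a token whose _transfer calls an update_pool hook. It is not BambooAI's code: the hook's behaviour (burning a share of the pair's token balance and syncing reserves) and all numbers are assumptions chosen to illustrate the mechanism, and the sale leg skips the token transfer into the pair for brevity.

```python
"""Constant-product pool model showing why a token's own transfer hook must
not alter the pool's balances. Added illustration with made-up numbers and a
made-up hook; it is not BambooAI's code."""


class Pool:
    """Pair of TOKEN against a quote asset. `reserve_token` is the pool's
    TOKEN balance, `reserve_quote` its quote balance."""

    def __init__(self, reserve_token, reserve_quote):
        self.reserve_token = reserve_token
        self.reserve_quote = reserve_quote

    def spot_price(self):
        """Quote units per TOKEN unit."""
        return self.reserve_quote / self.reserve_token

    def swap_token_for_quote(self, amount_in):
        """Sell TOKEN into the pool, no fee: out = y - ceil(k / (x + dx))."""
        k = self.reserve_token * self.reserve_quote
        new_token = self.reserve_token + amount_in
        out = self.reserve_quote - (k + new_token - 1) // new_token
        self.reserve_token = new_token
        self.reserve_quote -= out
        return out


class Token:
    """Minimal token whose `_transfer` optionally calls `_update_pool`."""

    def __init__(self, balances, pool_addr, pool, hook_in_transfer):
        self.balances = dict(balances)
        self.pool_addr = pool_addr
        self.pool = pool
        self.hook_in_transfer = hook_in_transfer

    def transfer(self, sender, to, amount):
        self._transfer(sender, to, amount)

    def _transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if self.hook_in_transfer:
            self._update_pool()     # dangerous: any transfer moves the pool

    def _update_pool(self):
        # Assumed hook: burn 10% of the pool's TOKEN balance and sync the pair,
        # so every transfer shrinks reserve_token and lifts the spot price.
        burned = self.balances[self.pool_addr] // 10
        self.balances[self.pool_addr] -= burned
        self.pool.reserve_token = self.balances[self.pool_addr]   # like pair.sync()


def attacker_proceeds(hook_in_transfer, round_trips=5):
    """Attacker shuffles 1 TOKEN between two of their own accounts (each
    transfer fires the hook), then sells 10,000 TOKEN. Returns quote received."""
    pool = Pool(reserve_token=1_000_000, reserve_quote=1_000_000)   # price 1.0
    token = Token({"pool": 1_000_000, "attacker": 10_000}, "pool", pool,
                  hook_in_transfer)
    for _ in range(round_trips):
        token.transfer("attacker", "attacker2", 1)
        token.transfer("attacker2", "attacker", 1)
    token.balances["attacker"] -= 10_000       # sale leg, pool accounting only
    return pool.swap_token_for_quote(10_000)


if __name__ == "__main__":
    print("no hook :", attacker_proceeds(False))
    print("with hook:", attacker_proceeds(True))
```

With the hook disabled the sale yields 9,900 quote units; with it enabled, ten cheap self-transfers shrink the pair's TOKEN reserve to about a third, and the same sale yields nearly three times as much. The fix is structural: price-affecting pool updates belong in an explicit, access-controlled function, never in the transfer path that any holder can trigger at will.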

At the time of writing, the team at BambooAI had acknowledged the attack and devised a plan to apprehend the developer responsible for deploying the contract.


🚨Project: Bao Finance
⛓️Chain: Ethereum
💥Type: Donate Inflation Attack & Rounding Error
💸Loss amount: $48,000

On July 4, Bao Finance was exploited through a vulnerability in the baoETH vault and the bdbSTBL contract. The attacker manipulated the vault's exchange rate, borrowed a large amount of baoETH, drained the liquidity pool on Balancer and converted the proceeds to wETH. Finally, they exploited a bug in the Compound V2 contracts to withdraw their collateral without repaying the loan. In total they took about 41.3 baoETH, a profit of roughly 21 ETH after gas.
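The "donate inflation" and "rounding error" labels describe a well-known pattern in share-based vaults: shares are minted pro rata with truncating division, so a first depositor who then donates tokens directly to the vault inflates the exchange rate until a later deposit rounds down to zero shares. The added model below reproduces that arithmetic and the virtual-shares mitigation. It is not Bao Finance's, Balancer's or Compound's code, the bdbSTBL and Compound V2 specifics are not modelled, and all amounts are constructed.

```python
"""Toy model of a share-based vault (ERC-4626 style) showing the donation
("first depositor") inflation attack and the truncation that makes it work.
Added illustration with made-up numbers; not Bao Finance's or Compound's code."""

WAD = 10 ** 18


class Vault:
    """Mints shares pro rata with floor division, as on-chain vaults do.
    decimals_offset=None: naive formula. int: virtual shares/assets offset
    (the mitigation used by OpenZeppelin's ERC4626), which caps how far a
    donation can move the exchange rate."""

    def __init__(self, decimals_offset=None):
        self.total_assets = 0           # underlying held, donations included
        self.total_shares = 0
        self.balances = {}
        self.virtual_shares = None if decimals_offset is None else 10 ** decimals_offset

    def to_shares(self, assets):
        if self.virtual_shares is not None:
            return assets * (self.total_shares + self.virtual_shares) // (self.total_assets + 1)
        if self.total_shares == 0:
            return assets                                   # 1:1 bootstrap
        return assets * self.total_shares // self.total_assets   # floors to 0 once inflated

    def to_assets(self, shares):
        if self.virtual_shares is not None:
            return shares * (self.total_assets + 1) // (self.total_shares + self.virtual_shares)
        return shares * self.total_assets // self.total_shares

    def exchange_rate(self):
        """Assets per share, scaled by WAD (the value lenders read as collateral price)."""
        return self.to_assets(WAD)

    def deposit(self, who, assets):
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets):
        # Plain token transfer to the vault: raises total_assets, mints nothing.
        self.total_assets += assets

    def redeem(self, who, shares):
        if self.balances.get(who, 0) < shares:
            raise ValueError("insufficient shares")
        assets = self.to_assets(shares)
        self.balances[who] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def run_attack(vault, victim_deposit=10 * WAD):
    """Attacker front-runs the first real deposit with 1 wei, then donates an
    amount equal to the victim's deposit so the victim's shares round to 0."""
    attacker_cost = 1 + victim_deposit
    vault.deposit("attacker", 1)
    vault.donate(victim_deposit)
    rate_after_donation = vault.exchange_rate()
    victim_shares = vault.deposit("victim", victim_deposit)
    attacker_payout = vault.redeem("attacker", vault.balances["attacker"])
    return {
        "rate_after_donation": rate_after_donation,
        "victim_shares": victim_shares,
        "attacker_cost": attacker_cost,
        "attacker_payout": attacker_payout,
    }


if __name__ == "__main__":
    print("naive   :", run_attack(Vault()))
    print("hardened:", run_attack(Vault(decimals_offset=3)))
```

In the naive vault the victim receives 0 shares and the attacker's single share redeems for the victim's entire deposit plus the donation. With a virtual offset of 10^3 the attacker's 1 wei buys 1,000 shares, the victim still gets 1,999 shares for the same deposit, and the donation is mostly captured by the vault, so the attack costs the attacker about half of what they put in. A minimum first deposit or burned "dead" shares achieves a similar effect; either way, a lending market must not price collateral off an exchange rate that a single donation can move.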


A guest post by LowK, Smart Contracts Security Auditor