- Contract names: Eleven.finance, Nerve Finance, NRV vault, Eleven "MasterMind" farming contract
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Vulnerable function (emergencyBurn()) in the intermediate vault contract
- Flashloan exploit
- Logic issue
- Unauthorized withdrawal
- Contract names: Olympus, 8ight Finance
- Contract hex addresses:
- First transaction: 0x62f7...
- Second transaction: 0x06f43...
- Third transaction: 0x0e351...
- Transfer from xxca1d account to cc541: 0x3880f...
- Bug types mentioned in the article:
- Compromised keys
- Poor OPSEC
- Lack of multi-sig implementation
- Developer accused of pocketing funds
- Potential planned event by developers
- Blatant disregard for cyber security
- Contract names: Feisty Doge, NFD (NFD tokens), EtherRock (PEBBLES)
- Contract hex addresses: 0xdfdb7f72c1f195c5951a234e8db9806eb0635346 (Feisty Doge), unknown (NFD tokens), unknown (PEBBLES)
- Bug types mentioned in the article:
- Scam
- Transparency issues
- Quick cash grabs.
- Contract names and contract hex addresses:
- iBTC/aUSD liquidity pool
- aUSD
- ACA
- INTR
- Moonbeam
- Polkadot
- Interlay
- Bug types mentioned in the article:
- Misconfiguration of the iBTC/aUSD liquidity pool
- Error mints of a significant amount of aUSD
- Exploitation of the situation by sending aUSD to Moonbeam, swapping for DOT and sending it to Polkadot, and swapping for iBTC and sending it to Interlay
- Drainage of the iBTC pool
- Transfer of "good value" off-chain
- Wrongly minted aUSD leaving the chain
- Disabling of stolen funds by Acala and Polkadot
- Contract names and contract hex addresses:
- Agave DAO:
- Contract name: AgaveLending
- Contract hex address: 0xa262141abcf7c127b88b4042aee8bf601f4f3372
- Hundred Finance:
- Contract name: HundredV1
- Transaction hash (32 bytes, so a tx hash rather than a contract address): 0x534b84f657883ddc1b66a314e8b392feb35024afdec61dfe8e7c510cfac1a098
- Bug types mentioned in the article (Agave DAO and Hundred Finance):
- Reentrancy vulnerability
- Flash loan attack
- Nested borrow functions
- Borrowing assets worth more than collateral supplied
- Hidden dangers in Gnosis (xDai) design
- Failure to consider idiosyncrasies of new environment
- Lack of strict vetting for tokens with reentrancy vulnerabilities
- Failure to follow "checks-effects-interactions pattern"
- Contract names:
- ParaSwap
- ENS (Ethereum Name Service)
- Contract hex addresses:
- ParaSwap: N/A
- ENS: 0xed5728d76b6db03c9f792b8f30ac32951524935e
- Bug types mentioned in the article:
- Distributing too many tokens
- Distributing insufficient tokens
- Exclusion of genuine users due to strict criteria
- Sybil attacks (creating multiple accounts to game the system)
- Blacklisting accounts involved in airdrop farming
Contract names and hex addresses:
- $SOS: 0xd4dbd9e438ad7cfee8be4496bff0b3accf26dae9
- $GAS: 0x7d1afa7b718fb893db30a3abc0cfc608aacfebb0
- $MASK (scam): 0x241357313e802e16eeb9380f2b027224e90b56dd
- fees.wtf: 0x5cb7880035bd592a66aad803ce1cdf6aa385e2a1
Bug types mentioned in the article:
- Airdrops with no real product
- Scams and malicious contracts
- Manipulation and false verification on DEXTools
- Unauthorized fees on transfers
- Cash-out of donation address
- Bots taking advantage of vulnerabilities
- Excessive gas fees and additional transactions
- Negative community reception and backlash
- Addresses mentioned (donation wallets, not contracts):
- ETH donation wallet address: 0x165CD37b4C644C2921454429E7F9358d18A45e14
- BTC donation wallet address: 357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P
- Bug types mentioned in the article:
- Airdrop exploitation
- Sybil attack
- Other information mentioned in the article (not bug types):
- Spike in donations
- Amount of wealth received by Ukraine through cryptocurrency donations
- Use of web3-enabled war bonds
- Total amount of crypto raised for Ukraine
- Cashing out of funds through Kuna.io
- Motives of post-announcement donors
- Importance of data placement choice in the context of elections.
Contract names and hex addresses:
- Akropolis protocol: 0x2eca72c64a8bdb2cb0a72f826cd69f022dec5d13
- Attacker's contract: 0xe2307837524db8961c4541f943598654240bd62f
Bug types mentioned in the article:
- Reentrancy attack
- Flash loan exploit
- Contract names:
- Alchemix
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Protocol assigning no debt
- Exploitation by users
- Reverse-rugpull
- Undercollateralization
- Debt repayment
- Bug causing repayment of all debt
- Voluntary return of withdrawn funds
- Missing funds affecting future development of the protocol
- Contract names:
- HomoraBankv2 contract
- Evil spell contract
- Uniswap pool contract
- Cream's Iron Bank contract
- WERC20 contract
- sUSD bank contract
- Aave flashloan
Bug types mentioned in the article:
- Manipulation of internal debt numbers
- Rounding miscalculation in borrowing function
- resolveReserve function can increase totalDebt without increasing totalDebtShare
- Insider information required for the attack
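The two Alpha Homora items above (a rounding miscalculation in the borrowing function, and a resolveReserve step that raises totalDebt without raising totalDebtShare) are two halves of one bug class: once a single debt share backs far more than one unit of debt, a floor-rounded share calculation lets a borrower take out almost a full share's worth of debt and be credited zero shares. The "rounding down logic" item in a later entry on this page is the same class. The following is an added Python model, not Alpha Homora's code; the field names follow the note above, while the bank structure and the amounts are constructed.

```python
"""Debt-share rounding: floor in the borrower's favour vs ceil against them.

Added Python model, not Alpha Homora's code. Field names follow the note
(totalDebt / totalDebtShare); the bank and the amounts are constructed.
"""
from dataclasses import dataclass, field


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded up (Solidity has no built-in for this)."""
    return -(-a // b)


@dataclass
class DebtBank:
    round_up: bool                      # False = vulnerable floor, True = hardened ceil
    total_debt: int = 0                 # units owed by all borrowers
    total_debt_share: int = 0           # shares that represent total_debt
    shares: dict = field(default_factory=dict)

    def borrow(self, who: str, amount: int) -> int:
        """Mint debt shares for a new borrow and hand out `amount`."""
        if self.total_debt_share == 0:
            share = amount
        elif self.round_up:
            share = ceil_div(amount * self.total_debt_share, self.total_debt)
        else:
            # Floors to 0 whenever amount * shares < total_debt: free money.
            share = amount * self.total_debt_share // self.total_debt
        self.total_debt += amount
        self.total_debt_share += share
        self.shares[who] = self.shares.get(who, 0) + share
        return share

    def accrue_reserve(self, amount: int) -> None:
        """A resolveReserve-style step: total_debt grows, total_debt_share does not,
        so one share now backs far more than one unit of debt."""
        self.total_debt += amount

    def owed(self, who: str) -> int:
        """Repayment side rounds against the borrower in both variants."""
        if self.total_debt_share == 0:
            return 0
        return ceil_div(self.shares.get(who, 0) * self.total_debt, self.total_debt_share)


def attack(round_up: bool) -> dict:
    """Make the share/debt ratio tiny, then borrow just under one share's worth."""
    bank = DebtBank(round_up=round_up)
    bank.borrow("honest", 1)            # 1 share <-> 1 unit
    bank.accrue_reserve(1_000_000)      # 1 share <-> 1_000_001 units
    bank.borrow("attacker", 1_000_000)  # floor: 1_000_000 * 1 // 1_000_001 == 0 shares
    return {
        "attacker_shares": bank.shares.get("attacker", 0),
        "attacker_owes": bank.owed("attacker"),
        "honest_owes": bank.owed("honest"),
        "total_debt": bank.total_debt,
    }


if __name__ == "__main__":
    print("vulnerable:", attack(round_up=False))
    print("hardened:  ", attack(round_up=True))
```

In the vulnerable run the attacker walks away with 1,000,000 units and zero recorded debt, and the honest borrower's single share is now worth the whole 2,000,001 of debt. The fix is purely a rounding direction: shares minted on borrow round up, shares burned on repay round down, so every rounding error costs the user rather than the pool.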
- Contract names: AlphaPo
- Contract hex addresses:
- ETH: 0x6dfc34609a05bc22319fa4cce1d1e2929548c0d7
- ETH: 0x040a96659fd7118259ebcd547771f6ecb9580d17
- ETH: 0x6d2e8a20b8afa88d92406d315b67822c01e53c38
- ETH: 0xde374094C837D192B61972172740BDAfc4eE16E0
- TRON: TKSitnfTLVMRbJsF1i2UH5hNUeHLDrXDiY
- TRON: TDoNAZHa7WxarUAFbQUhiijTGtd7EpbzRh
- TRON: TJF7mdFxDuHB4tb9hoyR4SCpKxk7gr23ym
- Bug types mentioned in the article:
- Centralized exchange (CEX) spearphishing
- Phishing techniques (used by Lazarus)
- Compromised hot wallets
- State-sponsored cybercriminals (Lazarus)
- Hack/attack (by Lazarus)
- Contract names: aBNBc, HAY
- Contract hex addresses:
- aBNBc: 0xf3a465c9fa6663ff50794c698f600faa4b05c777 (identical to the exploiter's address listed below, so one of the two entries is a copy error)
- Ankr deployer: 0x2ffc59d32a524611bb891cab759112a51f9e33c0
- Exploiters address: 0xf3a465c9fa6663ff50794c698f600faa4b05c777
- Bug types mentioned in the article:
- Private key compromise
- Phishing campaign
- Malicious token contract
- Caller verification bypass
- Token minting
- Lack of on-chain liquidity
- Copycat attacks
- Price manipulation
- Smart contract privilege vulnerabilities
- Developer private key hack
- Malicious smart contract update
- Frozen assets on centralized exchange
- Ambitious Student
- A New Generation
- Casino Reaper
- Currency Competition
- DAO Activity
- DeFi Summer - The Rise
- DeFi Summer - The Fall
- Game Theory
- Global Tension
- Greedy Middleman
- High Street Banks
- Radical Transition
- Remote Work
Bug types mentioned in the article:
- The largest exploit ever
- Hack
- BSC bloodbath
- Exploit
- Hackers
- Bug
- Rug pull
- Court cases
- Copying private company stocks
- Volatility
- Mirrored financial market
- Governance protocol wars
- Battle for power
- Manipulation
- Global turmoil
- Printing machines control
- Tokenization
- Redundancy of the greedy middleman
- Implementation of technology
- Radical transition
- Different limitations
- Suffering
- Non-sovereign individuals
- Power struggle
- Radical transformation
- Regulatory approaches
- Remote work challenges
- Contract names and addresses:
- AnySwap v3 prototype: N/A (not mentioned)
- V1 Router: N/A (not mentioned)
- V2 Router: N/A (not mentioned)
- Bug types mentioned in the article:
- Exploit in the AnySwap v3 prototype
- Repeated k (nonce) value across the V3 Router's ECDSA signatures
- Back-calculation of the signing private key from two signatures that share that k
- Nonce reuse is an implementation flaw in the signer, not a weakness in ECDSA itself
- Failure of the patch to adequately prevent future attacks
- Contract names: Ape Season, Ape Tax
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Mispricing bug
- Contract reentrancy bug
- Flash loan exploit
- Honeypot scam
- Front-running attack
- Token minting vulnerability
- Liquidity pool exploit
- Oracle manipulation
- Contract names and hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Reckless gambling
- Over-leveraged trading
- Impatient yield farming
- Unrealistic expectations
- Greed
- Lack of strategy or security
- High-risk behaviors
- Risk aversion in some areas but risk-taking in others
- Digital darwinism
- Dumping tokens
- "Greater fool" theory
- Addiction to trying to win back money
- Scams and reputation damage
- Bagholding
- Ape-like behavior and blindly following others
- Contract names: Arbix Finance
- Contract hex addresses:
- BSC wallet: 0x4714a26e4e2e1334c80575332ec9eb043b61a2c4
- Ethereum: 0x4714a26e4e2e1334c80575332ec9eb043b61a2c4
- Bug types mentioned in the article:
- Rug pulls
- Theft of user funds
- Deletion of website, Twitter, and Telegram accounts
- Draining of vault funds
- Minting and dumping of tokens
- Conversion of funds to ETH and transfer to another address
- Contract names: Arkham Intelligence's address-doxxing market
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Unencrypted reflinks inadvertently leaking email addresses
- Lack of concern and action from Arkham Intelligence regarding leaked information
- Potential manipulation of the market due to Arkham's role as the central arbiter
- Financial incentives for snooping on regular users
- Lack of transparency and labeling of Arkham-related accounts
- Potential security implications and cross-referencing of data
- Pseudonymity of blockchains as a bug, not a feature, for onboarding new users
- Difficulty in convincing mainstream CEX users to join on-chain DeFi platforms with OPSEC concerns.
- Contract names: Nexus Mutual, Armor
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Refusal to pay policyholders
- Centralised corruption
- Personal greed interfering with insurance policy
- Constant contradiction by team members
- Ambiguous statements in official documentation
- Stolen insurance NFT
- Secretly upgrading staking contract
- Misrepresentation of benefits and rules
- Changing rules without consent
- Failure to fulfill agreements
- Technical documentation not reflecting the product
- Unreliable and false statements
- Invalidation of statements
- Lack of trustworthiness in organization practices.
- Bug types mentioned in the article:
- Compromised hot wallet
- Claims of "compromised keys"
- Funds drained from the hot wallet
- Other information mentioned in the article (not bug types):
- BitMart lost ~$196M
- AscendEX lost $77.7M
- AscendEX Twitter intern deleting tweets
- Currently investigating the wallet compromise
- Peckshield estimates losses at $60M on Ethereum, $9.2M on BSC, and $8.5M on Polygon
- Stolen funds located in hacker's addresses on Ethereum, BSC, and Polygon
- Bemil Coin dumped over 98% in price since the incident
- Full reimbursement promised to affected users
- Withdrawals suspended
- AscendEX detailing next steps, including refunds and prioritizing users
- AscendEX lost more than their entire series B raise
- Tweet from AscendEX suggesting their platform is safe
- Tweet from AscendEX about long-term support despite the loss
- Quote from Zack Voell questioning the mainstream's readiness for private keys.
- Contract names: Atlantis Loans, Atlantis Loans' token contracts, Tornado Cash, Beanstalk, Swerve
- Contract hex addresses:
- Attacker's address: 0xEADe071FF23bceF312deC938eCE29f7da62CF45b
- Bug types mentioned in the article:
- Flash loan-enabled governance attack
- Lack of execution delay on proposals
- Governance process vulnerability
- Atomic Wallet contract names: Not mentioned in the article
- Atomic Wallet contract hex addresses: Not mentioned in the article
Bug types mentioned in the article:
- Vulnerabilities in the product
- BGP hijacking
- Leak of logged sensitive data
- Contract names: DODO V2 Crowdpools (WSZO, WCRES, ETHA, FUSI pools), DODO V2 Crowdpooling smart contract
- Bug types mentioned in the article:
- init() function bug
- Fake token attack
- sync() function
- reserve variable
- Flash loan check
- Other information mentioned in the article (not bug types):
- Individual A, Individual B
- Frontrunning bot
- CHI gastoken
- High gas prices
- ETHA-USDT exploit
- WSZO-USDT exploit
- vETH-WETH exploit
- Contract names: AudiusAdminUpgradabilityProxy, Governance contract, DelegateManagerV2 contracts, Initializable contract (OpenZeppelin)
- Bug types mentioned in the article:
- Storage collisions
- Unauthorized transfer
- Reinitializing governance contracts
- Bypassing safeguards
- Collision with OpenZeppelin's Initializable contract
- Taking control of governance contract
- Changing parameters on Audius' contracts
- Erroneous delegation
- Transferring tokens from the community treasury
- Dumping tokens via Uniswap v2
- Major slippage
- Depositing funds into Tornado Cash
- Contract names: Autoshark, PancakeBunny
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Flash loan exploit
- Manipulation of SHARK token and BNB balance in the minter contract
- Minting and dumping of SHARK tokens
- Poorly copied code
- The contract name: Mango Markets
- The contract hex address: Not mentioned in the article
- Bug types mentioned in the article:
- Market manipulation scheme
- Exploit of Mango Markets
- Commodities fraud
- Commodities manipulation
- Price manipulation in DeFi
- Manipulation and other market conduct no-nos
- Consequences for the future of the industry
- Legal risks in an unregulated and experimental sector
- Nine figure exploit
- Contract names and hex addresses:
- Badger DAO: 0x3472a5a71965499acd81997a54bba8d852c6e53d
- Bug types mentioned in the article:
- Front-end attack
- Infinite approval
- Additional approval
- Smart contract pause
- Cloudflare account compromise
- Security vulnerability
- User approval
- Unusual feature
- Contract names and hex addresses:
- Experienced DeFi user: 0x51841d9afe10fe55571bdb8f4af1060415003528
- Badger DAO, DIGG token, SushiSwap protocol
- SushiMaker: contract that takes fees and passes them on to users who have staked SUSHI as xSUSHI
- Onsen: SushiSwap's liquidity-incentive program
- Nansen: data source
- Bug types mentioned in the article:
- Exploit
- Loophole
- Moment of forgetfulness
- Lack of bridge setup
- High slippage
- Small amount of liquidity
- Loss of earnings
- Non-automated fix
- Human error
- Lack of automation
- Constant watch by hackers and arbitrageurs
- Potential pocket-picking or disruption of protocols
- Amateur analysis
Contract names and hex addresses:
- Exploiter addresses:
- 0xB23711b9D92C0f1c7b211c4E2DC69791c2df38c1 (ETH)
- 0xed187f37e5ad87d5b3b2624c01de56c5862b7a9b (ETH)
- 0x429313e53a220c4a5693cad1da26ae5045b5762f (ETH)
- 0x64E08fa89C2bAE9F123cc8a293775f0E6CC86760 (FTM)
- 0xBC794F1ff9AD7711A9d2E69Be5b499e290B8fD3c (OP)
Bug types mentioned in the article:
- Critical vulnerability
- Potential threat
- Rounding down logic
- Price manipulation
- Contract names: BALD
- Contract hex address: 0xccfa0530b9d52f970d1a2daea670ce58e4176389
Bug types mentioned in the article:
- Rug pulling
- Price manipulation attack
- Public transferFeesSupportingTaxTokens() function vulnerability
- Contract names and contract hex addresses:
- Bancor LP contract: N/A
- BNT contract: N/A
- Bug types mentioned in the article:
- Impermanent loss (IL)
- Volatility-related issues
- Value depreciation
- Large quantities of rewards dumped onto the market
- Large centralized entities manipulating the market
- Difficulty in recovering losses
- Sell/emission loop
- Governance blunders
- Lack of community approval for decision-making
- Misuse of powers granted for security reasons
- Contract names and contract hex addresses:
- Contract name: "Great Redistribution of the Climate Change Disaster"
- Contract hex address: 0x495f947276749ce646f68ac8c248420045cb7b5e (OpenSea shared storefront contract); token ID: 769987281610794526370432769847587291321402667277633018751858935165377052673
- Bug types mentioned in the article:
- Hacking of the official Banksy website
- Link redirection from the hacked website to the NFT listing
- Scam targeting high-profile buyers
- Sophisticated scam operation
- Unauthorized minting of NFTs
- Potential promotion through publicity stunt
- Unauthorized access and redirection
- Lack of security measures on the Banksy website
- Vulnerability disclosure issues
- Difficulty in contacting Banksy or their IT team.
- Contract names: Beanstalk, Synapse Protocol bridge, Tornado Cash, Ukraine War Fund
- Contract hex addresses:
- Hacker: 0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4
- Hacker Contract: 0x79224bc0bf70ec34f0ef56ed8251619499a59def
- BIP18: 0xe5ecf73603d98a0128f05ed30506ac7a663dbb69
- Propose BIP18 tx: 0x68cdec0ac76454c3b0f7af0b8a3895db00adf6daaf3b50a99716858c4fa54c6f
- Bug types mentioned in the article:
- Governance attack
- Flash loans
- Absence of delay on proposal execution
- Contract names and hex addresses:
- bEarnFi's BvaultsBank contract
- ibBUSD token contract (hex address: 0x7c9e73d4c71dae564d41f78d56439bb4ba87592f)
- BUSD token contract (hex address: 0xe9e7cea3dedca5984780bafc599bd69add087d56)
- CREAM flashloan contract (address not mentioned in the article)
- Alpaca Vault contract (address not mentioned in the article)
- Alpaca FairLaunch contract (address not mentioned in the article)
Bug types mentioned in the article:
- Bug in the internal withdraw logic
- Inconsistent asset denominations between BvaultsBank and BvaultsStrategy contract
- Contract names: bEllipsisBUSD strategy, bVenusBUSD strategy
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article: flash loan exploit, vulnerability to attacks
- Contract names and hex addresses:
- Bent Finance cvxCRV contract: 0x270b6aff561284ef380cdd6d8b036f4981049a86
- Exploiter's address: 0xd23cfffa066f81c7640e3f0dc8bb2958f7686d1f
- Exploiter's secondary address: 0x9e966a54082427d7ac56aeaee4baae7d11a6e468
- Bug types mentioned in the article:
- Manual adjustment of balance to assign enormous rewards beyond what is justified
- Lack of detection of the exploit for almost three weeks
- Funds being washed through Tornado Cash for money laundering
- Suspected inside job or rogue team member
- Contract names: TrueBit protocol
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Lack of recent development
- Suspicion of imposter contract
- Lack of communication from the team
- Absence of official Telegram or Discord channels
- Price swings and volatility
- Misunderstanding of the bonding curve
- Panic selling by a whale leading to price crash
- Lack of marketing and promotion
- Lack of communication leading to speculation and uncertainty
- Contract names: Ronin Network, Poly Network
- Contract hex addresses: N/A
- Bug types mentioned in the article:
- Phishing attacks
- Compromised network validator signatures
- Social engineering
- Malicious documents shared via Google Drive
- Browser-in-the-browser (BitB) attacks
- Google Docs comments exploit
- Malicious wallet application
- Spearphishing
- Remote access trojan (RAT)
- Indicators of Compromise (IOCs) mentioned in the CISA report
- Contract names: Bitclout
- Addresses: 1PuXkbwqqwzEYo9SPGyAihAge3e9Lc71b (a Bitcoin address, not a contract)
- Bug types mentioned:
- Use of people's images without their consent
- Tokenizing people and putting them up for sale
- Legal threats leading to the takedown of certain profiles
- Tokens supposed to be purchased via Bitcoin with shared values
- VC involvement and lack of transparency regarding founders
- Lawsuits filed against Nader Al-Naji
- Illegal activities and moral implications
- Founder pretending to be anonymous after raising venture capital
- Crude and disrespectful monetization of reputation
- Tokenizing people against their will
- Investors and tokenized individuals feeling scammed
- Bitclout's association with failed or disreputable projects
- Reputation damage to all involved parties
- Projects building for creators should empower them instead of feeding off their work
- Uncertainty about the future and potential adjustment to this business model
- Strange new forms of monetization in the future.
- Contract names: BitMart, Celsius, BadgerDAO
- Contract hex addresses:
- BitMart Ethereum Hot Wallet: 0x68b22215ff74e3606bd5e6c1de8c2d68180c85f7
- BitMart BSC Hot Wallet: 0x8c128dba2cb66399341aa877315be1054be75da8
- Attacker Ethereum Address 1: 0x39fb0dcd13945b835d47410ae0de7181d3edf270
- Attacker Ethereum Address 2: 0x4bb7d80282f5e0616705d7f832acfc59f89f7091
- Attacker BSC Address: 0x25fb126b6c6b5c8ef732b86822fa0f0024e16c61
- Bug types mentioned in the article:
- Security breach
- Hot wallet vulnerability
- Attack on front-end
- Loss of funds
- Basic OPSEC error
- Granting unlimited approvals to an EOA (external owned account)
- Risk of "bank run"
- Middlemen profiting from losses
- Refund for affected users.
- Contract names and contract hex addresses: Not mentioned in the article.
- Bug types mentioned in the article:
- "bull market, bear development"
- Liquidations
- Gas fees
- Market crashes
- Anti-scam scams
- Contract names: Not mentioned in the article.
- Contract hex addresses: Not mentioned in the article.
Bug types mentioned in the article:
- Market manipulation
- Total incompetence
- Overleveraging
- Ignoring fundamentals
- Excessive loans
- High liquidation ratio
- Contract names: BSC Token Hub, Venus Protocol
- Contract hex addresses: 0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec (the exploiter's address, not the bridge contract)
- Bug types mentioned in the article:
- Exploiting the BNB bridge
- Falsifying proofs of deposit
- Vulnerable IAVL verification
- Forgery of arbitrary messages
- Deposit funds as collateral
- High-slippage swaps
- Tether blacklisting funds
- Moving funds across different chains
- Pressing pause on a heavily-used network
- Potential justification issues regarding chain halts
- Setting a dangerous precedent
- Contemplating rolling back the Bitcoin network
- Impact on BNB's credibility in DeFi.
- Contract names: not mentioned in the article
- Contract hex addresses:
- Mint address: 0x58a058ca4b1b2b183077e830bc929b5eb0d3330c
- Associated wallet: 0xc433d50dd0614c81ee314289ec82aa63710d25e8
- Bug types mentioned in the article:
- Infinite mint exploit
- Rug pull
- Chainswap exploit
- Compromised wallet
- Other mentions:
- PolkaPets Trading Card Game
- Digital collectibles
- Brands, influencers, and artists
- Price of BONDLY falling by 80%
- $4.8 million DAI sent to Tornado
- $1.1 million in DAI and BONDLY remaining on the compromised address
- Contract names and hex addresses:
- BonqDAO smart contract: 0x8f55d884cad66b79e1a131f6bcb0e66f4fd84d5b
- Attacker's address: 0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642
- Example attack tx: 0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19
Bug types mentioned in the article:
- Oracle manipulation
- Using instant price feeds for collateral valuation
- Contract names and hex addresses: there is no mention of specific contract names or hex addresses in the article.
- Bug types mentioned in the article:
- Congestion issue on the Ethereum network
- Centralisation of decentralised finance
- High gas fees on Ethereum
- Adoption of Binance Smart Chain potentially impacting the adoption of more decentralised products
- Binance's motive to reduce gas fees for their users
- Binance Smart Chain allowing for wrapping and custody of mainnet assets
- Binance Smart Chain not being trustless but cheap
- Binance Smart Chain being populated with scams and meme coins
- Difficulty for newcomers to find correct information in the crypto market
- Contract names: BurgerSwap, PancakeSwap, univ2pair
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Drive-thru convenience exploit
- Flash swap
- Reentrancy attack
- Missing x*y=k check
- Contract names: bZx contracts
- Contract hex addresses:
- Polygon: 0xafad9352eb6bcd085dd68268d353d0ed2571af89
- BSC:
- 0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5
- 0x74487eed1e67f4787e8c0570e8d5d168a05254d4
- 0x967bb571f0fc9ee79c892abf9f99233aa1737e31
- Ethereum: 0x74487eEd1E67F4787E8C0570E8D5d168a05254D4
- Bug types mentioned in the article:
- Phishing attack
- Compromised personal wallet keys
- Code update enabling extraction of tokens
- Unauthorized borrowing of assets
- Vulnerable contract leading to loss of control and funds
- Individual wallets drained after initial attack
- Contract names and hex addresses:
- Cashio contract: 0x661f782b7f4a2c3ad04483326c75874adda93253 (EVM-format address; Cashio's own programs are Solana accounts, so this cannot be a Solana program ID)
- Bug types mentioned in the article:
- Infinite mint glitch
- Incomplete collateral validation system
- Fake root contract
- Bypassed depositor_source
- False bank creation
- Fund burning
- Cash swapping
- Other information mentioned:
- The attacker's SOL address: 6D7fgzpPZXtDB6Zqg3xRwfbohzerbytB2U5pFchnVuzw
- The attacker's ETH wallet: 0x86766247ba3405c5f15f06b895294200809e9cfb
- The attacker's message in the transaction input data
- Contract names: Tornado Cash, Privacy Pools
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Sanctions on Tornado Cash by the US Treasury
- Arrests of developers
- Address screening
- Metamorphic contract hidden in a proposal
- The issue of deciding "good" actors from "bad" actors
- Compliance with regulations
- Integration of mixed funds into a regulated system
- Transaction fees for on-chain proofs
- Gatekeeping by compliance organizations
- Privacy and regulatory compliance perceived as incompatible
- Middlemen becoming obsolete
- States trying to retain power over new technologies
- Technological ignorance and resistance to new tech
- Non-compliance despite attempts to comply.
- No specific contract names or contract hex addresses mentioned in the article.
- Bug types mentioned in the article include:
- Cyber espionage
- Hacking
- Exploits
- Denial of accusations
- Collateral damage
- Cyberattacks
- Theft/Robbery
- Contract names: Celsius, Eth2 Deposit Contract, Curve pool, MakerDAO, WBTC, Aave
- Contract hex addresses: No contract hex addresses mentioned in the article
- Bug types mentioned in the article:
- Illiquidity
- Insolvency
- Liquidation risk
- Unbalanced pool
- Gambling user deposits
- Hoarding illiquid assets
- OTC dealings
- Liquidation engines making profits
- Potential lender profit from Celsius' desperation
- Celsius' liquidation point brought down
- Potential loss of funds for Celsius investors
- Scammers exploiting the situation
- Contract names: Factory contract, NFT platform WilderWorld.
- Contract hex address: 0xEda5066780dE29D00dfb54581A707ef6F52D8113
- Bug types mentioned in the article:
- Exploiting the contract and minting tokens directly into different addresses.
- Dodging the sloppy authorization check by using a fresh address as the signer in each transaction.
- Paying 0.005 ETH chargeFee.
- Setting the parameter to the desired address, which receives the minted volume.
- Repeating the process several times.
- Depleting the WILD/WBNB pool.
- Transferring freshly minted tokens via the ChainSwap bridge.
- Cashing out ETH bridged from BSC via 1inch.
- Cross-chain attack utilizing the bridge as an escape route.
- Email correspondence claiming to be from the attacker.
- Hacker funding his wallet with money from Tornado and changing his bounty into a centralized stablecoin such as USDT.
- Speculation about a ChainSwap insider or someone with "fake KYC accounts" being involved.
- Money not being laundered yet.
- Contract names: NEO, ORACLE
- Contract hex addresses: N/A
- Bug types mentioned in the article:
- Manipulation of price oracles
- Error or manipulation of the Coinbase oracle
- Liquidation vulnerabilities and exploits
- Reliance on a single oracle (Coinbase)
- Centralization of data sources as price oracles
- Contract names and contract hex addresses mentioned in the article:
- ETH 1: 0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE
- ETH 2: 0x483D88278Cbc0C9105c4807d558E06782AEFf584
- ETH 3: 0xCC1AE485b617c59a7c577C02cd07078a2bcCE454
- TRON: TPFUjxQzG88Vwynrpj2W61ZAkQ9W2QYgAQ
- BSC: 0x6953704e753C6FD70Eb6B083313089e4FC258A20
- XRP: rpQxVcjVF2fC23r3xKyJS53jw8d5SRhZQf
- BTC: 1DSvdmVZGKpCxAR4XexkywxM1whbcvHzbA
- SOL: G3udanrxk8stVe8Se2zXmJ3QwU8GSFJMn28mTfn8t1kq
- XDAG: 15VY3MadZvLpXhjzFXwCUmtZcHszju6L9
- KDA: k:a9f3672d7ad7a1e4592702d73b220cbc61db1fa17f89a56131d965bc03959913
- ARB: 0xfEec9F846E2FE529B765d832EBa988a399Fe3cD6
- XLM: GBPIDVKDSNF74OAGVBSPKLW73CSCGISBOBRB3ODROTMOEENZFC6WJFPN
- BCH: qrgxyhj8rzl4l7fgauu6q6vtu2grct4jeyrnaq2s75
- MATIC: 0x4515bE0067E60d8e49b2425D37e61c791C9B95e9
- OP: 0x964c192e54E5eF4176626875BB53071956579fca
- Bug types mentioned in the article:
- Hot wallet breach
- Suspicious outflows
- Security breach
- Compromised keys
- Contract name: UniswapAnchoredView
- Contract hex address: 0xad47d5a59b6d1ca4dc3ebd53693fda7d7449f165
Bug types mentioned in the article:
- Reverted transactions for ETH borrowers and suppliers
- Differences between cTokens cErc20 and cEther
- cETH does not have an underlying() method
- getUnderlyingPrice function returns empty bytes that cannot be decoded
- Other incidents mentioned in the article (not bug types):
- Contract shutdown and bricking 661K USDC on Solana mainnet (OptiFi Labs)
- Accidental transfer of $10M instead of $100 (Crypto.com)
- Contract names: Compound Comptroller vault, Reservoir vault, Timelock
- Contract hex addresses:
- Compound Comptroller vault: 0x[hex address]
- Reservoir vault: 0x[hex address]
- Timelock: 0x6d903f6003cca6255D85CcA4D3B5E5146dC33925
- Bug types mentioned in the article:
- Vulnerability in the Compound Comptroller vault
- Incorrect distribution of COMP tokens
- Ability for any user to call drip() on the Reservoir vault, leading to more incorrect COMP distribution
- Refilling of the Comptroller vault with additional funds
- Loss of funds due to a "bank error"
- Difficulty in recovering the lost funds
- Potential legal and financial ramifications in decentralized finance (DeFi)
- Contract names: Conic Finance, CurveLPOracleV2
- Contract hex addresses:
- Exploiter address (1st attack): 0x8d67db0b205e32a5dd96145f022fa18aae7dc8aa
- Secondary address (1700 ETH): 0x3d32c5a2e592c7b17e16bddc87eab75f33ae3010
- Exploit tx (1st attack): 0x8b74995d...
- Original failed tx (1st attack): 0x97a8315e...
- Original exploiter address (1st attack): 0x10db234e02c3889d8e408c7084e8ce10892bdad7
- Exploiter address (2nd attack): 0xb6369f59fc24117b16742c9dfe064894d03b3b80
- Example hack tx: 0x37acd17a...
- Frontrunning bot (returned 81 ETH): 0xd050e0a4838d74769228b49dff97241b4ef3805d
- Bug types mentioned in the article:
- Read-only reentrancy vulnerability
- Sandwich attack on imbalanced pools
- Infinite mint loophole
- Exploiting the contract
- Poor OPSEC
- Storage/memory issue
- Exploiter wallets: Address A, Address B
- Bug types mentioned in the article:
- Pricing vulnerability
- Flash loan attack
- Manipulation of token price
- Price oracle manipulation
- Borrowing and defaulting assets
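The entry above (pricing vulnerability, flash loan, price oracle manipulation, borrow and default) and the BonqDAO entry earlier ("using instant price feeds for collateral valuation") describe the same mechanism: a lender that reads the spot price of an AMM pool can be fed any price an attacker can afford to push the pool to for one block. The following is an added Python example, not Cream's or BonqDAO's code. It builds a constant-product pool, pumps it with a flash-loan-sized swap, and compares the borrowing power a lender would grant against the spot price with what a 30-block time-weighted price would grant. The pool, balances and window are constructed; the TWAP is block-granular, a simplification of the Uniswap v2 cumulative-price accumulator.

```python
"""Spot price vs time-weighted price as a collateral oracle under a flash-loan swap.

Added example, not BonqDAO's or Cream's code. The pool, balances and the
30-block window are constructed; the TWAP is block-granular, a simplification
of the Uniswap v2 cumulative-price accumulator.
"""


class ConstantProductPool:
    """x * y = k pool with a 0.3% fee, integer arithmetic like Uniswap v2."""

    def __init__(self, reserve_x: int, reserve_y: int):
        self.x, self.y = reserve_x, reserve_y

    def spot_price(self) -> float:
        """Price of 1 X denominated in Y, read straight from the reserves."""
        return self.y / self.x

    def swap_y_for_x(self, amount_y: int) -> int:
        amount_in = amount_y * 997 // 1000
        out = amount_in * self.x // (self.y + amount_in)
        self.y += amount_y
        self.x -= out
        return out

    def swap_x_for_y(self, amount_x: int) -> int:
        amount_in = amount_x * 997 // 1000
        out = amount_in * self.y // (self.x + amount_in)
        self.x += amount_x
        self.y -= out
        return out


def borrow_capacity(collateral_x: int, price: float, ltv: float = 0.75) -> float:
    """What a lender lets you draw against `collateral_x` valued at `price`."""
    return collateral_x * price * ltv


def flash_loan_attack(manipulation_y: int, collateral_x: int = 1_000, window: int = 30) -> dict:
    pool = ConstantProductPool(1_000_000, 1_000_000)        # 1 X = 1 Y before the attack
    history = [pool.spot_price() for _ in range(window)]    # calm blocks, price 1.0

    x_bought = pool.swap_y_for_x(manipulation_y)            # 1) pump X with borrowed Y
    spot = pool.spot_price()                                 # 2) instant feed reads the pumped price
    twap = sum((history + [spot])[-window:]) / window        #    one block barely moves the TWAP

    y_back = pool.swap_x_for_y(x_bought)                     # 3) unwind; pool fees are the only cost
    return {
        "spot_after_pump": spot,
        "twap_after_pump": twap,
        "borrow_vs_spot": borrow_capacity(collateral_x, spot),
        "borrow_vs_twap": borrow_capacity(collateral_x, twap),
        "manipulation_cost": manipulation_y - y_back,
    }


if __name__ == "__main__":
    for k, v in flash_loan_attack(9_000_000).items():
        print(f"{k:>18}: {v:,.2f}")
```

With 9,000,000 Y of borrowed capital the spot price of X moves from 1 to roughly 100 while the 30-block TWAP moves to about 4.3; the attacker's 1,000 X of collateral (worth about 1,000 Y) would support a borrow of about 75,000 Y under the spot oracle, and the round trip through the pool costs only a few thousand Y in fees. Borrow, default, repay the flash loan, keep the difference. The TWAP makes the same pump worth about 3,200 Y of borrowing power, less than the cost of the manipulation.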
- Contract names and hex addresses:
- Cream Finance: 0xff20817765cb7f73d4bde2e66e067e58d11095c2
- Attack contract A: 0x38c40427efbaae566407e4cde2a91947df0bd22b
- Attack contract B: 0x0ec306d7634314d35139d1df4a630d829475a125
- Exploiter wallet: 0xce1f4b4f17224ec6df16eeb1e3e5321c54ff6ede
- Bug types mentioned in the article:
- Reentrancy vulnerability in the AMP token contract
- Lack of reentrancy protection on Cream Finance's borrow/lend function
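The two items above, and the Agave/Hundred entry earlier on this page (tokens with transfer hooks on Gnosis, failure to follow checks-effects-interactions), share a mechanism: the pool hands tokens to the borrower before recording the debt, the token calls the receiver back during the transfer, and the receiver borrows again while its recorded debt is still zero. The following is an added Python model of that Solidity pattern, not code from Cream, Agave, Hundred or the AMP token. It shows the vulnerable ordering beside the two standard defences, effects-before-interactions and a reentrancy guard. Balances, LTV and amounts are constructed.

```python
"""Reentrancy through a token receive hook, and the two standard defences.

Added Python model of the Solidity pattern named above (Cream/AMP, Agave and
Hundred on Gnosis); not code from any of those projects. Balances, LTV and
amounts are constructed.
"""


class HookToken:
    """Token whose transfer() calls the receiver back, like ERC777 tokensReceived
    or the ERC677 onTokenTransfer hook on Gnosis bridged tokens."""

    def __init__(self):
        self.balances = {}
        self.hooks = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def register_hook(self, account, fn):
        self.hooks[account] = fn

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if to in self.hooks:
            self.hooks[to](sender, amount)   # control leaves the pool mid-borrow


class LendingPool:
    LTV = 0.5   # may borrow up to half the collateral value

    def __init__(self, token, cei=False, guard=False):
        self.token, self.cei, self.guard = token, cei, guard
        self.collateral, self.debt = {}, {}
        self._entered = False

    def deposit_collateral(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        if self.guard and self._entered:
            raise RuntimeError("ReentrancyGuard: reentrant call")
        self._entered = True
        try:
            # Check
            if self.debt.get(user, 0) + amount > self.collateral.get(user, 0) * self.LTV:
                raise RuntimeError("undercollateralized")
            if self.cei:
                self.debt[user] = self.debt.get(user, 0) + amount   # Effect ...
                self.token.transfer("pool", user, amount)           # ... then Interaction
            else:
                self.token.transfer("pool", user, amount)           # Interaction first:
                self.debt[user] = self.debt.get(user, 0) + amount   # hook re-enters before this runs
        finally:
            self._entered = False


class Attacker:
    def __init__(self, pool, token, reentries=2):
        self.pool, self.token, self.reentries, self.calls = pool, token, reentries, 0
        token.register_hook("attacker", self.on_receive)

    def on_receive(self, sender, amount):
        """Runs inside the pool's transfer(): borrow again while debt is still stale."""
        if self.calls < self.reentries:
            self.calls += 1
            try:
                self.pool.borrow("attacker", amount)
            except RuntimeError:
                pass   # a defence made the nested borrow fail; the outer call still completes

    def run(self):
        self.pool.deposit_collateral("attacker", 100)
        self.pool.borrow("attacker", 50)       # the only borrow the collateral supports
        return self.token.balances.get("attacker", 0), self.pool.debt.get("attacker", 0)


def simulate(cei=False, guard=False):
    """Returns (tokens the attacker holds, debt the pool recorded)."""
    token = HookToken()
    token.mint("pool", 10_000)
    pool = LendingPool(token, cei=cei, guard=guard)
    return Attacker(pool, token).run()


if __name__ == "__main__":
    print("vulnerable:", simulate())
    print("CEI:       ", simulate(cei=True))
    print("guard:     ", simulate(guard=True))
```

In the vulnerable run the attacker ends with 150 tokens against collateral that supports 50; the debt is eventually recorded, but the collateral check never saw it, which is exactly the undercollateralized position the Cream and Agave attackers walked away from. Either defence alone stops it, and a pool that lists tokens with arbitrary transfer hooks needs at least one of them on every state-changing entry point.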
- Contract names: Crema Finance
- Contract hex addresses:
- Exploiter's SOL address: Esmx2QjmDZMjJ15yBJ2nhqisjEt7Gqro4jSkofdoVsvY
- Exploiter's ETH address: 0x8021b2962dB803b73Aa874030B0B42c202E8458F
Bug types mentioned in the article:
- Faulty owner validation on one of the protocol's accounts storing price tick data
- Lack of sufficient validation in the claim method
Note: The article does not mention any other bug types.
- Bitcoin addresses mentioned (bech32 BTC addresses, not contract addresses):
- ErgoBTC: bc1q7cyrfmck2ffu2ud3rn5l5a8yv6f0chkp0zpemf
- BTC tumbler: bc1qk8wlwypvvr6v5lmsngg5a248k2a9cgrsrw5jsq
- Bug types mentioned:
- Unauthorized activity in users' accounts
- Bypassing users' 2FA
- Bypassing email withdrawal approvals
- Theft of funds from users' wallets
- Loss of ETH
- Exploit against SOC2 audit security measures
- Contract names: curve.fi
- Contract hex addresses:
- curve.fi: 0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881
- Attacker's address: 0x50f9202e0f1c1577822bd67193960b213cd2f331
- Bug types mentioned in the article:
- DNS hijacking
- Malicious contract approval
- Compromised nameserver
- Approval-harvesting attacks
- Front end security vulnerability
- Web2 DNS reliance
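The Curve DNS hijack above, the Badger front-end compromise ("infinite approval", "Cloudflare account compromise") and the BitMart item about unlimited approvals granted to an EOA all end the same way: a legitimate-looking site asks the wallet to sign an approve() whose spender is the attacker and whose amount is the maximum uint256. A wallet or front-end watchdog can catch that before signing by decoding the calldata. The following is an added Python example, not Curve's, Badger's or BitMart's code. The selectors are the real ERC-20/ERC-721 ones; the spender addresses and the set of "known contracts" are constructed and stand in for an eth_getCode check plus the protocol's published address list.

```python
"""Screen ERC-20/721 approval calldata before a wallet signs it.

Added example (not Badger's, BitMart's or Curve's code). The selectors are the
real ERC-20/ERC-721 ones; the spender addresses and the "known contracts" set
are constructed for the example, standing in for an eth_getCode check plus the
protocol's published address list.
"""

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255   # a uint256 this large is an unlimited allowance in practice


def _strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h


def encode_approval(selector: str, spender: str, value: int) -> str:
    """ABI-encode selector(address, uint256|bool): 4-byte selector + two 32-byte words."""
    spender_word = _strip0x(spender).rjust(64, "0")
    value_word = format(value, "x").rjust(64, "0")
    return "0x" + selector + spender_word + value_word


def decode_approval(calldata: str):
    """Return (function signature, spender address, raw value) or raise."""
    data = _strip0x(calldata)
    if len(data) != 8 + 64 * 2:
        raise ValueError("unexpected calldata length for a two-argument approval")
    sig = SELECTORS.get(data[:8])
    if sig is None:
        raise ValueError(f"selector {data[:8]} is not an approval function")
    word1, word2 = data[8:72], data[72:136]
    if word1[:24] != "0" * 24:
        raise ValueError("address word has non-zero high bytes")
    return sig, "0x" + word1[24:], int(word2, 16)


def assess_approval(calldata: str, known_contracts: set) -> dict:
    """Block approvals to unknown spenders (EOAs never need an allowance),
    warn on unlimited approvals even to known contracts, allow the rest."""
    sig, spender, value = decode_approval(calldata)
    unlimited = (sig.startswith("setApprovalForAll") and value == 1) or value >= UNLIMITED_FLOOR
    spender_known = spender in {_strip0x(a) and "0x" + _strip0x(a) for a in known_contracts}
    if not spender_known:
        verdict = "block"   # the Badger / BitMart / Curve-DNS pattern: spender is the attacker
    elif unlimited:
        verdict = "warn"    # legitimate contract, but the allowance outlives this transaction
    else:
        verdict = "allow"
    return {"function": sig, "spender": spender, "value": value,
            "unlimited": unlimited, "spender_known": spender_known, "verdict": verdict}


if __name__ == "__main__":
    ROUTER = "0x" + "11" * 20            # constructed: stands for a published protocol contract
    ATTACKER = "0x" + "ab" * 20          # constructed: an EOA injected by a hijacked front end
    print(assess_approval(encode_approval("095ea7b3", ATTACKER, MAX_UINT256), {ROUTER}))
    print(assess_approval(encode_approval("095ea7b3", ROUTER, 100 * 10**18), {ROUTER}))
```

On a live wallet the "known contracts" set would be replaced by two checks: eth_getCode on the spender (an empty result means an EOA, which has no business holding an allowance) and a comparison against the protocol's published addresses, since a hijacked DNS name or front end can point users at a freshly deployed contract just as easily as at an EOA.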
- Contract names and hex addresses:
- JPEG'D: 0x6ec21d1868743a44318c3c259a6d4953f9978538
- Alchemix: 0xdce5d6b41c32f578f875efffc0d422c57a75d7d8
- Metronome (whitehat frontrunner): 0xc0ffeebabe5d496b2dde509f9fa189c25cf29671
- Curve: 0xB1C33b391C2569B737eC387E731E88589e8ec148 and 0xb752def3a1fded45d6c4b9f4a8f18e645b41b324
- Bug types mentioned in the article:
- Misalignment of storage slots
- Nonreentrant guard malfunction
- 0-day compiler bug in certain older versions of Vyper
- Read-only reentrancy vulnerability
- Contract names and hex addresses:
- veCRV token: 0x5f3b5DfEb7B28CDbD7FAba78963EE202a494e2A2
- Curve Finance DAO: 0x431e81e5dfb5a24541b5ff8762bdef3f32f96354
- Bug types mentioned in the article:
- Centralization of voting power
- Protocol competition and feuds
- Forking accusations
- Aggressive promotion and lobbying
- Accumulation strategies
- Migration of Curve pools
- Unpredictability of future outcomes
- Contract names and contract hex addresses:
- No contract names or hex addresses are mentioned in the article.
- Bug types mentioned in the article:
- DDoS attacks
- Data-wiping malware
- Hacking
- Propaganda campaign
- Fake news
- Exploitation of mobile signals for targeting
- Sanctions evasion through cryptocurrency
- Nation-state-sponsored hacking
- Stolen crypto funding banned missile development
- Lack of regulation on cryptocurrencies
- State surveillance through blockchain analysis
- Lack of privacy in blockchain transactions
- Contract names: USDR, DAO
- Contract hex addresses:
- USDR: 0xbc60ff90497f99cbf6fb84ce1e31845637033445
- DAO: not provided
- Bug types mentioned in the article:
- Attempt to use protocol governance to halt the refund process
- Trying to get out of the initial commitment to affected users
- Potential negative price action strategy
- Shirk responsibility for the compensation plan
- Using governance to go back on the promised compensation plan
- Alleged recommendation to buy USDR below the value of $1.10 as a safe arb at the time of redemption
- Removal of remaining USDR/USDC liquidity by the team
- Contract names: DAO Maker
- Contract hex addresses:
- 0x6e70c88be1d5c2a4c0c8205764d01abe6a3d2e22
- 0xd6c8dd834abeeefa7a663c1265ce840ca457b1ec
- 0xdd571023d95ff6ce5716bf112ccb752e86212167
- 0xa43b89d5e7951d410585360f6808133e8b919289
Bug types mentioned in the article:
- Vulnerability in the init() function
- Unauthorized access to token contracts
- Exploiting the emergencyExit() function
- Unauthorized token withdrawal
- Unauthorized ownership transfer
- Contract names: Compounder.finance
- Contract hex addresses: 0x944f214a343025593d8d9fd2b2a6d43886fb2474, 0x079667f4f7a0b440ad35ebd780efd216751f0758
- Bug types mentioned in the article:
- Rug pull
- Treasury control by a timelock offering no protection
- Deletion of site and Twitter account
- Lack of transparency and communication from the admins
- Exploitation of trust in auditors
- Loss of funds from large players
- Lack of security measures for user funds
- Anonymous and untraceable nature of transactions
- Pickle, CREAM, COVER, Akropolis, and Sushi are mentioned as contract names in the article.
- The contract hex addresses are not provided in the article.
- Bug types mentioned in the article:
- Aggressive acquisition of market share in a decentralized industry.
- Governance issues regarding YFI token holders' job description and decision-making power.
- Concerns about centralization and monopolization of the industry.
- Potential security vulnerabilities in Yearn v1 and the resilience of Yearn v2.
- Potential risks and vulnerabilities of forks and rekt protocols being acquired by Yearn.
- The need to balance decentralization with solid foundations and high security levels.
- Challenges in determining the best method of protocol control.
- Decentralization of the production process of DeFi without needing permission.
- Contract name: DeTrade Fund
- Contract hex address: 0x746adfded7d3996ad83b5ed5a68eea0993b541ee
Bug types mentioned in the article:
- Fake identity and offline presence
- Disinformation
- Deepfake technology
- Misuse of AI technology
- Trust manipulation
- Scamming
- Deception
- Identity theft
- Fraud
- Contract names: vPoolv6 contract
- Contract hex addresses:
- Exploiter address: 0xee08d6c3a983eb22d7137022f0e9f5e7d4cf0be2
- Rug contract: 0xdEDbd1804569F369e33e453Ee311F0F97dCd0Bde
- Funds consolidated here: 0x53ccFbC90A3fCDAfe9a2a50F798bEE7CcB5461b6
Bug types mentioned in the article:
- Backdoor function in the staking contract
- Drainage of user deposits from the staking contract
- Lack of audit coverage for the vPoolv6 contract
- Centralization issues
- Ruggability issues
- Unexpected issue during maintenance and updates
- Paused withdrawals without mentioning the draining of the staking contract
- Multiple repetitions of the same bug
- Compromised keys leading to loss of funds
- Hacks and rugs on little-known BSC projects.
Contract names and contract hex addresses:
- Dego Finance:
- ETH address: 0xf34d6Af456DC941fCD3C0561Ace33D615bA75eeB
- BSC address: 0xe71514f07dd126a6eaeaa63bcf37aaff8f3445ac
- Cronos address: 0x2CfF3324a1c80A26D8395D090B945469F5e3e4AE
- Cocos-BCX:
- ETH address: 0xb7f4583e408D3d7dBa1D139C9264C247e45ef10B
- BSC address: 0xa97eab7F31FEDAAD778FF9D7006514241f494C3d
- Cronos address: 0xb893e991b2e2a4c9bad53231b1a178660cf64787
Bug types mentioned in the article:
- Compromised keys
- Incompetence or bad intentions
- Contract names: Deribit hot wallets on the Ethereum and Bitcoin networks
- Contract hex addresses:
- Ethereum hot wallet: 0x58f56615180a8eea4c462235d9e215f72484b4a3
- Attacker's ETH address: 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd
- Attacker's BTC address: bc1qw5g8lw4kzltpdcraehy2dt6dqda8080xd6vhl4kg4wwsypwerg9s3x6pvk
- Bug types mentioned in the article:
- Compromised keys
- Phishing attack
- Hacks from compromised hot wallets
- Bridge hacks
- State-sponsored attackers
- Contract names: DEI token contract
- Contract hex addresses:
- Attacker's address (Arbitrum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
- Frontrunner address (BSC): 0x5a647e376d3835b8f941c143af3eb3ddf286c474
- Attacker's address (Ethereum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
- Bug types mentioned in the article:
- Implementation error in the DEI token contract
- Misconfigured burnFrom function
- Public burn vulnerability
- Manipulation of DEI holders' approvals
- Transfer of assets to the attacker's address
- Losses on Arbitrum, BSC, and Ethereum
- Contract names: Deus DAO
- Contract hex addresses: Not mentioned in the article
Bug types mentioned in the article:
- Oracle manipulation
- Flashloan exploit
- Collateral price manipulation
- Manipulated price in flash-swaps
- Inadequate filtering of swaps
- Contract names and hex addresses:
- DEI lending contract: 0xec1fc57249cea005fc16b2980470504806fca20d
- Attacker's contract: 0xb8f5c9e18abbb21dfa4329586ee74f1e2b685009
- Bug types mentioned in the article:
- Flash loan attack
- Manipulation of balance in the Solidex USDC/DEI pool
- Insolvency of user positions
- Contract liquidation
- Flashloan repayment
- Burning of liquidated LP token
- Token swapping
- Repayment of flashloan as hack profit
- Unauthorized fund transfer via Multichain
- Transfer of funds to Tornado Cash
Note: The bug types mentioned in the article are primarily related to the attack and its execution, rather than specific vulnerabilities or weaknesses in the contracts themselves.
- Contract names: Dexible
- Contract hex addresses: 0x684083f312ac50f538cc4b634d85a2feafaab77a
- Bug types mentioned in the article:
- Lack of timely response to the hack
- Tone-deaf and indifferent message in response to the hack
- Failure to verify the router address on-chain, allowing the hacker to call a token contract instead of a DEX smart contract
- Releasing unaudited code
- Overlooking security vulnerabilities in the code
- Lack of formal audit on the contracts before release
Contract names and hex addresses:
- dForce Network: Website
- Hex address: Not mentioned in the article
Bug types mentioned in the article:
- Reentrancy vulnerability
Note: The article does not mention any other contract names or hex addresses.
- Contract name: EasyFi
- Contract hex address: 0xa2AE337e81f02891a8cfae4bA858a1D73707041a
- Bug types mentioned in the article:
- Compromised machine leading to total loss of liquidity
- Lack of maximum security measures
- Poor OPSEC
- Single admin key capable of draining all liquidity with no timelock
Contract names and contract hex addresses:
- Solidity Finance (https://solidity.finance/audits/ElephantMoney/)
- Peckshield (https://twitter.com/peckshield/status/1514023036596330496)
Bug types mentioned in the article:
- Price manipulation vulnerability
- Flash loan attack
- Loss of tokens
- Vulnerable contract
- Swapping of tokens
- Minting process vulnerability
- Profit from flash loans
- Funds sent to various accounts
- Bridging to Ethereum
- Funds sent to Tornado Cash
- EMN contract
- EMN contract hex address
- Uniswap LP distribution code
- Merkle tree implementation
- $EMN hacker
- The contract from which the hacker withdrew
- Address of creator of the contract
- Address which funded creator
- $UNI
- Sophisticated hack
- Exploit of unfinished code
- 400 UNI stolen
- Refunds distributed at a rate of $250,000 per minute
- Claiming refund as a 100% tip
- Eminence project
- EMN token contracts
- eYFI token contract
- eAAVE token contract
- eSNX token contract
- yEarn finance address contract
- Yearn: Deployer contract
- Flash loan attack
- Price manipulation
- Bonding curve vulnerability
- Inside job speculation
- Contract names and hex addresses:
- 0x00600423c03ec4b46f9b8a28c66d42bdd1b19c36
- 0xf519e276958c3ef2dffd9b6b2d87d26859526505
- Bug types mentioned in the article:
- Theft of funds
- Money laundering
- Brute force attack
- Tokens that were sold by the hacker:
- OCEAN
- SNX
- COMP
- LINK
- DIA
- Projects that have taken action against the hacker:
- Velo
- Tether
- Orion
- KardiaChain
- Ocean Protocol
- Ampleforth
- VIDT Datalink
- NOIA Network
- Aleph
- Covesting
- Opacity
- SilentNotary
Contract names and contract hex addresses:
- EraLend: 0x8Ac03e2C8d014Aabb7b5C374dd07d69781529b91
- Syncswap: 0x60E363C5cC9E157199F505e8D9Cd7400486FFe6A
- Exploiter address: 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a
Bug types mentioned in the article:
- Read-only reentrancy bug
- Contract names: Wrapped EthCC Tickets
- Contract hex address: 0x76284b7b2f7c363779fd7338a41a202e4c8cd43a
- Bug types mentioned in the article:
- Non-transferable tickets
- Exploiting the refund mechanism
- Lack of ticket registration metadata
- Contract names and hex addresses:
- Euler Finance: unknown contract address
- Associated address: 0xb66cd966670d962c227b3eaba30a872dbfb995db
- Attack address: unknown contract address
- Pass-through address: 0xc66dfa84bc1b93df194bd964a41282da65d73c9a
- Bug types mentioned in the article:
- Exploited vulnerability in the donateToReserves function
- Incorrect donation mechanism
- Unaccounted donator's debt health
- Unbacked DToken debt
Note: The article does not provide specific contract hex addresses or names for all the contracts mentioned.
- Contract names and hex addresses are not provided in the article.
- Bug types mentioned in the article:
- Misinformation or disinformation
- Inflation
- Trade deficit
- Monetary policy failures
- Lack of trust in currency
- Budget deficits
- Diverging monetary policies
- Contract names and hex addresses:
- Anchor: 656e63686f722e7965683a313233
- Celsius: 456e676c616e642e7965683a313233
- SBF: 5342463a313233
- FTX: 4654583a313233
- BlockFi: 426c6f636b46693a313233
- Liquid Group: 4c697175696447726f75703a313233
- Aave: 416176653a313233
- DAI: 4441493a313233
- LUNA: 4c554e413a313233
- Three Arrows Capital: 54687265654172726f77734361706974616c3a313233
- Bug types mentioned in the article:
- Liquidations
- Yield farming boom and bust
- Clout farming contrarians
- Market crash
- Capitulation
- Mass adoption
- Institutional credit transparency
- Harsh regulations
- Focus on fundamentals and utility
- Bears
- Contract names and hex addresses:
- DebtManager contract (proxy): 0x675d410dcf6f343219AAe8d1DDE0BFAB46f52106
- DebtManager contract (implementation): 0x16748Cb753A68329cA2117a7647aA590317EbF41
- Exploiter address 1: 0x3747dbbcb5c07786a4c59883e473a2e38f571af9
- Exploiter address 2: 0xe4f34a72d7c18b6f666d6ca53fbc3790bc9da042
- Exploiter address 3: 0x417179df13ba3ed138b0a58eaa0c3813430a20e0
- Attack contract: 0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
- Bug types mentioned in the article:
- Insufficient check in the DebtManager contract for valid market addresses
- Exploit that allows passing a fake market address to drain users' collateral
(Note: The article does not explicitly mention any other bug types.)
- Contract names: Tornado Cash
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Sanctioning a piece of code
- Confusion between Tornado Cash and the Lazarus Group
- Ban on a neutral tool affecting privacy for regular users
- Unclear impact on addresses tainted by funds from banned contracts
- Entire Tornado Cash repo banned by GitHub
- Freezing of funds by Circle under governmental pressure
- Potential damage to decentralized finance due to actions of centralised stablecoins
- Need for a safe decentralised stablecoin and secure anonymous system
- Outlawing anonymity in cryptocurrency
- Prioritizing privacy in crypto community
- Fedwire
- Check 21
- FedCash
- Fedwire
- National settlement service
Bug types mentioned in the article:
- Operational error (inside job)
- Service disruption/Outage
- Centralized system vulnerability
- System failure/delay
- Inefficiency of the traditional financial system
- Corruption in centralized systems
- Contract names and hex addresses:
- Fuse pools: 8, 18, 27, 127, 144, 146, 156
- Attack contracts: 0xE39f3C... and 0x32075b...
- Bug types mentioned in the article:
- Re-entrancy vulnerability
- Flash loan attack
- Contract names: Hayek Money, Seigniorage Shares, Ampleforth, Empty Set Dollar, Maker (DAI)
- Contract hex addresses: N/A (not mentioned in the article)
- Bug types mentioned in the article:
- Failure to maintain peg
- Drop in protocol governance token value
- Imprisonment and punishment of users for founders' failures
- Lack of stability in stablecoin creation attempts
- Capital inefficiency and risk in collateral reserve models
- Limited adoption due to overcollateralization requirement
- Inability to execute closed cycle arbitrage
- Scaling issues
- Loss of initial peg due to selling pressure
- Punishment for selling FEI below the peg
- Vulnerabilities in incentive calculation
- Decrease in demand due to the penalty mechanism
- Narrowed feasibility envelope for the coin
- Controversial suggestion to allocate PCV to Yearn
- Contract names: $FEW, $MEME, $ALEX
- Contract hex address (token):
- $FEW: 0x8d588b66b9c605bd1f6e9b75cb9365aad5b97140
- $MEME: 0xd5525d397898e5502075ea5e830d8914f6f0affe
- Bug types mentioned in the article:
- Attempt to hype up and pump the price of a token
- No coding knowledge, website, or planned use case for the token
- Gathering well-known people to shill the token to those who didn't receive the airdrop
- Failure to implement the 1-year vesting period
- Airdrop of 95.5% of the total supply to members of a Telegram group
- Setting aside 4.5% of the total supply for liquidity in a Uniswap Pool that never opened
- Creation of fake $FEW pools on Uniswap
- Opportunities for scammers to take advantage of the situation
- Backpedaling and excuses from group members after their intentions were made public
- Burning of $FEW tokens by some holders
- Lack of public apology and self-investigation by most involved
- Media coverage and lack of condemnation by The Defiant, Bankless, and The Block
- Reflection on employee behavior and conflict of interest
- Responsibility of experts in the space to behave in a way that benefits the industry
- Arrogance and smugness of some crypto Twitter users
- Pretending to be part of a secret club and posting vague content for attention
- Contract names: Ramp Network, Binance
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article: Not mentioned in the article
- Contract names: Firdaos, $ZPAE, $FDO
- Contract hex addresses: 0x6a9853d80533a70b7b85659949757246e5b52c6b
- Bug types mentioned:
- Greed
- Careless gambling
- Short sales
- Fading celebrity endorsements
- Conspicuously bad tokens
- Paid promotions
- Speculation
- Incompetence
- Pump and dump schemes
- Frontrunning
- Lack of technical fundamentals for valuation
- Emotional investing
- Overly enthusiastic investors
- Whales' manipulation.
- SHIB contract address: 0x95ad61b0a150d79219dcf64e1e6cc01f0b64c4ce
- AKITA contract address: not provided
- LEASH contract address: not provided
- KISHU contract address: not provided
- DOGE2 contract address: not provided
Bug types mentioned:
- Rug pull
- Wash trading
- Sandwich bot
- Backrunning
- FORCE/xFORCE contract
- 0xdf05020d5d3c3a975627ce29f24b4eb8ccb8807f9f9c9aa05e644c61fe5f0141 contract hex address
- 0x3b60252b36d2de2930a64f360926bfcba44d12ff44719de3c6dd486b9dafe118 contract hex address
- 0x03c84e3f7d9c117260a49bab6bd9cb1b2d7e1cbc6d9362e74c10ef6d48a987e6 contract hex address
- 0xfda56d853714860e79512791d065a626e5102d52934c769e981619daf3c85f33 contract hex address
Bug types mentioned in the article:
- A bug in the FORCE/xFORCE contract
- Failure to check the return value on transferFrom
- Usage of the outdated MiniMeToken contract
- Contract names: Fortress Protocol
- Contract hex addresses:
- Bug types mentioned in the article:
- Vulnerable price oracle
- Manipulation of collateral price
- Malicious governance proposal
- Oracle vulnerability in the code not detected by auditors
- Contract names: PAX, USDP
- Contract hex addresses: N/A (not mentioned in the article)
- Bug types mentioned in the article:
- Failure to inform users about the rebranding of the coin symbol PAX to USDP
- Incorrect labels on the deposit page, showing PAX instead of USDP
- Misleading users to deposit USDP (Unit Protocol) instead of USDPaxos (PAX) due to similar names
- Lack of notification about important announcements, such as coin name change
- iOS app displaying incorrect coin label (PAX instead of USDP)
- Failure to respond to customer support inquiries and appeals
- Failure to follow their own "Wrong Address or Chain" policy by charging a higher fee (15%) instead of the stated fee (5%)
- Breaking customer trust and not taking action to fix the issue.
- Contract names and hex addresses:
- Not mentioned in the article.
- Bug types mentioned in the article:
- Predatory tactics
- Overdependence on FTT
- Shady nature of the partnership
- Balance sheet FUD (Fear, Uncertainty, and Doubt)
- Mismanagement of user funds
- Alleged mishandling of customer funds
- Alleged US agency investigations
- Furucombo proxy contract: 0x17e8Ca1b4798B97602895f63206afCd1Fc90Ca5f
- Aave V2 implementation contract: 0x86765dde9304bea32f65330d266155c4fa0c4f04
- Attacker contract: 0xb624E2b10b84a41687caeC94BDd484E48d76B212
Bug types mentioned in the article:
- Evil contract exploit
- Delegatecall vulnerability
- Trusting overly permissive smart contracts
- Insecure token approval
- Exploiting a delegatecall between the Furucombo proxy contract and Aave V2 implementation contract
- No specific contract names or contract hex addresses are mentioned in the article.
- Bug types mentioned in the article:
- Blatant hypocrisy
- Insider trading
- Manipulation of the market
- Excess profit through short selling
- Market manipulation
- Freezing trading activity
- Seizing capital from suspected market manipulators
- Fragile and unfair financial system
- Hidden or exaggerated risks
- Exclusion of retail investors
- Centralization of power
- Pressure from external entities to close trading activity
- Trampling on the rules for the rich while screwing over the rest
- Tragedy of justice in the financial system
- Contract names: Atomic Wallet, AlphaPo, Stake, CoinEx, Ronin, Pink Drainer, Monkey Drainer, Venom, Inferno
- Contract hex addresses:
- Atomic Wallet: Unknown
- AlphaPo: Unknown
- Stake: Unknown
- CoinEx: Unknown
- Ronin: Unknown
- Pink Drainer: 0x4eF6f0d3f94fF609ACef88068b1FC66a1184b3f3
- Monkey Drainer: Unknown
- Venom: Unknown
- Inferno: Unknown
Bug types mentioned in the article:
- Phishing for allowances
- Social engineering
- SIM-swapping
- Wallet drainers
- Disguised malware
- Address poisoning
- Spearphishing
- Pig-butchering scam
- Fake mining scam
- SIM-swap attack
- Scam-as-a-Service
- Malware
(Note: The contract hex addresses for some contracts mentioned in the article are not provided.)
- Contract names and hex addresses:
- GrimBoostVault: 0xdefc385d7038f391eb0063c2f7c238cfb55b206c
- Bug types mentioned in the article:
- Reentrancy vulnerability
- Contract names: Binance, CZ, BAM Trading Services Inc., Coinbase
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Operating an unlicensed securities exchange
- Offering unregistered securities
- Failing to control market manipulation
- Allowing wash trading
- Encouraging clients to KYC offshore and use a VPN
- Shady behavior of Binance
- Staking programs offered by Binance and Coinbase
- Native tokens of alternative L1 networks being labeled as securities
- Contract names: Gym Network, Single Pool Contract
- Contract hex addresses:
- Gym Network: 0x0288fba0bf19072d30490a0f3c81cd9b0634258a
- Exploiter's address: 0xb2c035eee03b821cbe78644e5da8b8eaa711d2e5
- Bug types mentioned in the article:
- Lack of caller verification
- Exploiting fake deposits to increase balance
- Contracts mentioned in the article:
- Cheese Bank
- Origin Protocol
- Harvest
- Value DeFi
- Akropolis
- Bug types mentioned in the article:
- Flashloan AMM oracle attack
- Faketoken re-entrancy
- Harmony ETH Bridge contract: 0xf9fb1c508ff49f78b60d3a96dea99fa5d7f3a8a6
- Harmony ERC20 Bridge contract: 0x2dCCDB493827E15a5dC8f8b72147E6c4A5620857
- Harmony BUSD Bridge contract: 0xfd53b1b4af84d59b20bf2c20ca89a6beeaa2c628
- Exploiter address: 0x0d043128146654c7683fbf30ac98d7b2285ded00
Bug types mentioned in the article:
- Compromised private keys
- Hot wallets with plaintext private keys
- Lax security measures for securing funds
- Vulnerability to spearphishing campaigns
- Contract names: FARM_USDT, FARM_USDC, DFI-PERP
- Contract hex addresses:
- FARM_USDT: 0x53f
- FARM_USDC: 0x53f
- Bug types mentioned in the article:
- Flash loan exploit
- Price manipulation through swapping funds and stretching stable coin prices
- Exploit in LP deposits and withdrawals price calculation mechanism
- Arbitrage opportunity due to price manipulation
- Tolerance value for arbitrage check function was not high enough
- Default slippage tolerance value was too high
- Profit sharing among liquidity providers and developers
- Increase in Curve trading fees
- Spike in Uniswap trade volume
- Contract names and hex addresses mentioned in the article:
- HTS (Hedera Token Service)
- Uniswap v2-derived contract code
- Pangolin
- Heliswap
- Bug types mentioned in the article:
- Network irregularities
- Exploit in the network's Smart Contract Service code
- Attacker targeting accounts used as liquidity pools on DEXs
- Burning bridged/wrapped tokens
- Removing LP positions from affected DEXs
- Losses from the attack
- Alleged addresses containing stolen funds (HBAR, HTS stablecoins, ETH)
- MyAlgo wallet-draining fiasco
- Damage to claims of legitimacy as a DeFi platform
- Contract names: Not mentioned in the given text
- Contract hex addresses: Not mentioned in the given text
- Bug types mentioned in the article: Not mentioned in the given text
Contract names and hex addresses mentioned in the article:
- Hope Finance Multisig: 0x8ebd0574d37d77bdda1a40cdf3289c9770309aa7
- GenesisRewardPool contract: 0x1fc2ac2651e1959d9ae86c6b2270aaf3d799e56c
- Rug puller prep address: 0xdfcb9a03fbe9f616ee6827cd1b753238d53c6145
- Rug puller receiving address (ETH and ARBI): 0x957d354d853a1ff03dda608f3577d24ea18fcece
Bug types mentioned in the article:
- Rugging the project
- Faked KYC
- Fake router deployment
- Unauthorized approval of rug transaction
- Setting variable to wallet address
- Sending USDC to the wrong address
- Deliberately leaving the _uSDC address empty
- Transferring tokens to the wrong address
- Contract names and hex addresses:
- Hopium Token: 0x4684B5777f2807317ba0869583eb965ae3E80E29
- Decentralized Excessive Trading Platform (DETP): 0x7B2bE98e6c291A4625bf911Ed450977964d43F73
- Liberal Liberalist Contract: 0x1dB7A918CDB667DB4f8E38E95e9ceA13cD771Bfe
- The United Futurist States of Earth (UFSE) Constitution: 0x8Fbe0CB8822930C8A0D3A403Ff5fE6cA70d3F23D
- Citadel: 0x4e9ceCBF65B45c54FafF759B49CEf3f603cD01A3
- The Debt Strike Manifesto (DSM): 0x7d81bC54dd9C4D11c616241A74c61c020D706Add
- Bug types mentioned in the article:
- Re-entrancy vulnerability
- Integer overflow vulnerability
- Uninitialized storage vulnerability
- Incorrect access control vulnerability
- Coding errors
- Misuse of third-party libraries
- Contract names and hex addresses: N/A
- Bug types mentioned in the article:
- Greedy middleman
- Uncensorable code
- Complex game theory manipulation
- Decentralized currencies increasing instability
- Interference from attacking states
- Restriction on tools of the industry exposed to regulation
- Tribalism and conflict
- Financial ruin due to tokenization of real-world assets
- Court cases related to tokenized assets
- Volatility in mirrored financial markets
- Inflation in the economic environment
- Contract names: Hundred Finance
- Contract hex addresses:
- Attacker's address: 0x155da45d374a286d383839b1ef27567a15e67528
- Hack tx 1: 0x6e9ebcde...
- Hack tx 2: 0x15096dc6...
- Bug types mentioned in the article:
- Rounding error in the redeemUnderlying function
- Manipulation of exchange rate by donating a large amount of WBTC to the hWBTC contract
- Exploiting a general flaw in the code
- Contract names: Hashmask
- Contract hex addresses: 0xb1, 0x0, 0xbP
- Bug types mentioned in the article:
- Fake token scam
- Scams related to the Hashmasks project
- Potential scams in the NFT market
- Crypto crime rates could potentially rise with increased adoption.
- DEFI5 contract address: 0xedd7c94fd7b4971b916d15067bc454b9e1bad980
- CC10 contract address: 0xa6f9286cab3faeeb8c7f75acb660e3f78f13b89c
- FFF contract address: 0xcbaebbf5f3a13ce717fa0efa7566f7f29ef5294e
Bug types mentioned in the article:
- Flash loan attack
- Manipulation of pool weights
- Discrepancy in pool value calculation
- Over-weighting of SUSHI tokens in the pool
- Mass inflation of DEFI5 tokens
- Theft of assets from the pool
- Contract names and hex addresses:
- geth nodes: N/A
- Infura API: N/A
- Binance: N/A
- Blockchair: N/A
- Bug types mentioned in the article:
- Consensus flaws
- Vulnerabilities
- Chain split
- Invalid merkle root
- Unannounced hard fork
- Dependency on a centralised node provider
- Centralized single points of failure
- Failure of consensus
- Contract names: Inverse Finance, Tornado Cash, Disperse, SushiSwap, Keeper Network
- Contract hex addresses: not provided in the article
- Bug types mentioned:
- Manipulation of price of INV
- Exploit to withdraw funds from Tornado Cash
- Deployment of fake smart contracts
- Price manipulation through spamming transactions
- Use of SushiSwap TWAP as an oracle
- Borrowing funds using inflated price of INV
- Market manipulation risks due to reliance on a single thinly traded DEX trading pair with a short time sample
- Flashloan attack
- Oracle manipulation
- Front-running bot attack
- Contract names: Iron Bank, Alpha Homora, ALPHA collateral, escrow contract
- Contract hex addresses: not provided in the article
- Bug types mentioned in the article:
- Exploited contract
- Undercollateralization
- Debt default
- Funds held hostage
- Rugging of user funds
- Protocol upgrades without DAO approval
- Contract Names: Iron Finance, IRON stablecoin, TITAN token
- Contract Hex Addresses: Not mentioned in the article
- Bug Types:
- Overpricing of TITAN token
- Volatile price of TITAN token
- Loss of peg for IRON stablecoin
- Arbitrage opportunity with minting new TITAN tokens
- Flooding of market with freshly minted TITAN causing panic sale
- Difficulty in regaining the $1 peg
- Continuous drop in TITAN value
- Fractional value of TITAN
- Design flaw in the minting protocol
- Lack of notice or action regarding the flaw
- Continuation of fees despite disaster situation
- Contract names: MISO auction for "JayPegs Automart"
- Contract hex addresses:
- Hacker OG address: 0x3dDD8b6D092df917473680d6C41F80F708C45395
- 0x3dD funded by: 0xe5f7ae14f02894fcf46ffcb225cc4db38f3c4962
- 0xe5f funded by: 0xba6f4f83329b9500672c6955fd5082c9434aaf74
- 0xba6f funded by: 0x482c9f85644f1686c490d38291511657da767e61
- Bug types mentioned in the article:
- Supply chain attack
- Front-end attack
- Doxxing
- Jimbo’s Protocol
- JimboController contract (0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7)
- Attacker’s address (0x102be4bccc2696c35fd5f5bfe54c1dfba416a741)
- Location of stolen funds (ETH) (0x5f3591e2921d5c9291f5b224e909ab978a22ba7e)
- Attack tx (0x3c6e053faecd331883641c1d23c9d9d37d065e4f9c4086e94a3c34bf8702618a)
Bug types mentioned in the article:
- Lack of slippage control in the shift() function of the JimboController contract.
- Contract names: Kannagi Finance
- Contract hex addresses: 0x95ec03b821f164ce55cbb26f23f591a9bd40d6c1
Bug types mentioned in the article:
- Rug pull
- Scam
- Incomplete audits
- Rubber-stamping protocols
- Potential rugs and scams
- Unverified contracts
- Centralized aspects present
- No external vulnerabilities identified
- Users not taking notice of audit findings
- Contract names and hex addresses mentioned in the article:
- KOKO Token deployer address: 0x41BE
- Attack contract cBTC: 0x05b2957591a4d1334b230f8c56fd62ddee17b52e
- Address that approved cBTC contract: 0x5a2d0e3d6f862ee155f52ab65b6b22e1d80f5716
- Address that received WBTC: 0x5C8db6eea11896065ec7dcfc67f458c54ccf7bff
- Address with rugged funds (1): 0x8C0eCD7BACCed114729F8269B459E0A4D5e95C3b
- Address with rugged funds (2): 0xB74C5e41E748BaBC32ce33813549E2503CDaB762
- Address with rugged funds (3): 0xC2AE8D3b0fb159cCD331a01A8C3632B95dB23CF5
- Address with rugged funds (4): 0x88340ff2292506D0D93934CbBFEA5ED1804CDa0d
- Bug types mentioned in the article:
- Deployment of a malicious contract
- Unauthorized approval of contract spending
- Transfer of funds to an unauthorized address
- Swap of funds for profit
- Contract names: LCX hot wallet, Hacker's wallet
- Contract hex addresses:
- LCX hot wallet: 0x4631018f63d5e31680fb53c11c9e1b11f1503e6f
- Hacker's wallet: 0x165402279f2c081c54b00f0e08812f3fd4560a05
- Bug types mentioned in the article:
- Private key exploit
- Hot wallet security vulnerability
- Contract names: Ledger Recovery
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Data breach
- Identity theft
- SIM swapping
- Phishing attacks
- Private key leaks
- Backdoor vulnerability
- Contract names and contract hex addresses are not mentioned in the article.
- Bug types mentioned in the article:
- Exploited attack vector
- Data breach
- Phishing attempts
- Physical attacks or burglary
- SIM swapping attacks
- Obscuring severity of the incident
- Dependence on third parties for data storage
- Risk of centralised storage
- GDPR violation
- Incompetency or dishonesty in handling customer requests
- Data breach prevention.
- LevelReferralControllerV2 contract
- 0x977087422C008233615b572fBC3F209Ed300063a
- Bug types mentioned in the article:
- Repeated referral reward claims within the same epoch
- Vulnerability introduced in an upgrade to LevelReferralControllerV2 contract
- Exploiter creating many referrals and using flash loans to increase reward tier
- Lack of check in the claimMultiple function that prevents reuse of epoch
- Contract names and hex addresses:
- Levyathan.finance: Website and GitHub
- Address for returning funds (provided by Levyathan team): 0x6cadA45b257DA674f1169B4e68A59765226Fc9aE
- Second address provided by the Levyathan team: 0xf3381970372fcA75270C0d67956Fd8D6304377D7
- Bug types mentioned in the article:
- Private keys left on Github
- Minting and dumping tokens
- Bug in withdrawal mechanism
- Bug in emergencyWithdraw() logic
- Users receiving more tokens than expected
- Depleting the contract
- Funds returned to incorrect addresses
- Contract names: GLPOracle, GlpDepositor
- Contract hex addresses: 0xc29d94386ff784006ff8461c170d1953cc9e2b5c, 0xc523c6307b025ebd9aef155ba792d1ba18d5d83f97c7a846f267d3d9a3004e8c, 0x7093486a8b4624b9f5501b7cd7a60545e02e9164, 0xb50f58d50e30dfdaad01b1c6bcc4ccb0db55db13
- Bug types mentioned in the article:
- Manipulation of price oracle
- Flash loan attack
- Incorrect calculation of assets in the GlpDepositor contract
- Instantaneous change of oracle within the same block
- No specific contract names or hex addresses mentioned in the article.
- Bug types mentioned in the article:
- Crisis in the UST peg
- Potential de-pegging of UST
- Panic and rush to exit Anchor protocol
- Liquidations in Degenbox
- Market cap flipping of UST and LUNA
- Deposits cut in half in Anchor protocol
- Suspension of Terra Network withdrawals
- Frenzy and liquidity dumping on Curve
- Price stabilization of UST at a lower value
- Teased recovery plan
- Rumors/leaks of a bailout
- Freefall of UST
- Desperation and previous failed stablecoin attempts by Do Kwon
- UST rescue plan proposal
- Rapid decrease in LUNA's price.
- Mad Meerkat Finance (MM.finance)
- Contract hex address: 0x145677FC4d9b8F19B5D56d1820c48e0443049a30
Bug types mentioned in the article:
- DNS attack;
- Malicious contract address injection;
- DNS vulnerability;
- Exploit redirecting users to a cloned version of the site;
- Bad SSL certificate.
- Contract name: Mango Markets
- Contract hex address: N/A
Bug types mentioned in the article:
- Market manipulation
- Price spiking
- Unrealized profit used as collateral
- Short liquidations caused by price manipulation
- Bad debt due to drained lending pools
- Governance vote manipulation
Note: The article does not mention specific contract names or hex addresses. It discusses the attack on the Mango Markets protocol and the actions of the attacker.
- Meerkat Finance Deployer upgraded 2 vaults of the project
- Attacker address called permissionless initialization function through the Vault proxies
- Attacker drains Vaults by calling a function with signature 0x70fcb0a7
- Both affected Vaults used OpenZeppelin's Transparent Proxy Upgrade pattern
- Meerkat Finance Deployer called upgradeTo() two times
- New functions init(address owner) and 0x70fcb0a7(address _param1) were added to the updated Vault implementations
- The newly added function init() becomes the ultimate backdoor into the Vaults
- Funds have been split among various addresses and sent to Binance Bridge
- Timeline of events during the exploit is provided
- The balance of power is different on different chains
- Binance's response to the situation is uncertain
- Protocols on BSC are no more secure than Ethereum
- Contract names and hex addresses are not mentioned in the article, so there are no specific contracts to list.
- Bug types mentioned in the article:
- Transatlantic neoliberalism perpetuates moral hazard.
- Systemic issues in the US wreak havoc.
- TradFi instability poses a threat to DeFi.
- SVB's failure due to exposure to a crypto industry in crisis.
- SVB's long-maturity bonds proved a losing bet.
- Bank run resulted in attempted withdrawals.
- USDC lost its peg and caused panic.
- Concerns about USDC being unbacked.
- Chaos and casualties in the market.
- Systemic threat to stablecoins.
- Existential threat of centralised fiatcoins.
- Risks of fractional reserve banking.
- Regulators exploiting recent events in the industry.
- Contract names: Merlin (DEX native to zksync L2), Feeto address
- Contract hex addresses: 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7 (attacker address), [contract addresses not mentioned in the article]
- Bug types mentioned in the article:
- Rug mechanism (draining liquidity pools)
- Max approvals granted to the Feeto address
- Draining assets from the pool and bridging them to ETH
- Low-effort cash grabs
- Phishing campaign targeting zksync's Twitter handle
- Lack of decentralized mechanism or smart-contract-based accounts with enhanced security practices
- Intentional backdoor (claimed)
- Centralization issues in protocols
- Overlooking centralization issues due to FOMO and airdrop hunting
- Contract names: priceCalculator
- Contract hex addresses: 0xf6f6cc59ca893bd11180654b285b1a0652fca36a
- Bug types mentioned in the article:
- Exploit
- Mispricing
- Contract names: Alpaca single asset vaults
- Contract hex address: Not specified in the article
- Bug types mentioned in the article:
- Economic exploit
- Public availability of a vault that was not supposed to be launched
- Trickery of the contract by depositing 0.1 WBNB and manually transferring 1000 BNB to produce MERL rewards
- Conversion of BNB to WBNB for profit calculation
- Direct deposit of BNB to the contract for harvesting rewardable profit
- Loss of funds through a transfer to ETH and then Tornado
- Contract names and hex addresses:
- PancakeBunny: PancakeBunny
- Merlin Lab: Merlin Lab
- Autoshark: Autoshark
- Bug types mentioned in the article:
- Exploit attack
- Unauthorized access/hacking
- Manipulation of wallet balances
- Tampering with profit (performanceFee)
- Failure of auditors
- Contract Name: Meter_io Passport
- Contract Hex Address: N/A (not provided in the article)
Bug Types mentioned in the article:
- Malicious minting of BNB and wETH tokens
- Assumption that wrapped Native token doesn't burn or lock
- Unguarded deposit method
- Collateral damage to Hundred Finance
- Reduced price purchase of BNB.bsc and use as collateral
- Impact on MIM and FRAX assets due to compromised collateral
- Bridge attack vulnerability for lending protocols
- Opportunistic loans taken on Hundred Finance
- Stolen funds moved to Tornado Cash
- Unclear identity of the hacker
- Contract names: Midas Capital, Jarvis Network
- Contract hex addresses:
- Midas Capital: 0x5bca7ddf1bcccb2ee8e46c56bfc9d3cdc77262bc
- Attacker address: 0x1863b74778cf5e1c9c482a1cdc2351362bd08611
- Bug types mentioned in the article:
- Read-only reentrancy vulnerability
- Flash loan attack
- Manipulation of LP token's virtual price
- Incorrect calculation of collateral position
- Outdated self.D variable causing overestimation of position
- Borrowing excessive assets against inflated collateral
- Contract names: Midas Capital, Hundred Finance, Tropykus
- Contract hex addresses:
- Midas Capital: Undefined
- Hundred Finance: Undefined
- Tropykus: Undefined
- Bug types mentioned in the article:
- Rounding vulnerability in the redeem counter affecting interest rate calculation
- Known issue/exploit
- Weaknesses in interconnected web of composable protocols and forked code
- Lock contract: [08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F]
- Mirror-wrapped stocks (mAssets): mBTC, mETH, mDOT, mGLXY
- Bug Types mentioned in the article:
- Logic bug
- Mispricing
- Out-of-date oracle
Contract names and hex addresses mentioned in the article:
Bug types mentioned in the article:
- Hacked third-party database
- Leak of Mixin users' private keys held on the cloud service
- Potential compromise of Mixin's hot wallets
Note: The article does not mention any specific bug types other than these.
- Contract names: Bored Ape Yacht Club, ApeCoin
- Contract hex addresses: N/A (not mentioned in the article)
- Bug types mentioned in the article:
- Phishing scams
- Exploiting bugs in the OpenSea UI
- BAYC Discord being compromised
- Instagram hack
- Failed transactions during the Otherdeeds mint
- Gas optimization issues with the mint contract.
Contract names and hex addresses:
- Monoswap contract (Polygon): 0x3826367A5563eCE9C164eFf9701146d96cC70AD9
- Monoswap contract (Ethereum): 0xC36a7887786389405EA8DA0B87602Ae3902B88A1
- Exploit contract (Polygon): 0x119914de3ae03256fd58b66cd6b8c6a12c70cfb2
- Exploit contract (Ethereum): 0xf079d7911c13369e7fd85607970036d2883afcfd
- Stolen funds address (Polygon): 0x8f6a86f3ab015f4d03ddb13abb02710e6d7ab31b
- Stolen funds address (Ethereum): 0x8f6a86f3ab015f4d03ddb13abb02710e6d7ab31b
Bug types mentioned in the article:
- Pricing bug
- Code vulnerability/exploit in swap contract
- Lack of restriction on using the same asset for both tokenIn and tokenOut
Contract names:
- Moola Market
- MOO (protocol's native token)
Contract hex addresses:
- Moola multisig: 0xd7f77169d5e6a32c5044052f9a49eb94697b25ed
- Attacker's address: 0x95b5579b323ddc6cd290bd4da6e56ba019588efc
Bug types mentioned in the article:
- Price manipulation
- Collateral asset manipulation
- Draining liquidity
- Contract names and hex addresses:
- Multichain: 0x1eed63efba5f81d95bfe37d82c8e736b974f477b
- Fantom: 0x6b6314f4f07c974600d872182dcde092c480e57b
- Bug types mentioned in the article:
- Insider dumping tokens
- Loss of functionality on bridging routes
- Hack
- Rescue operation
- Depegging of assets
- Front end not accessible
- Lack of access to domain account
- Unforgivable off-chain security set-up
- Lack of coverage of security practices in audits
- Test-in-prod-from-idolised-devs era
- Shortcut in auditing process
- Cronje Curse
- Contracts and Their Hex Addresses:
- FTM bridge contract: 0xc564ee9f21ed8a2d8e7e76c085740d5e4c5fafbe
- Moonriver bridge contract: 0x10c6b61dbf44a083aec3780acf769c77be747e23
- Bug Types:
- An approvals draining attack
- Bridging delays
- Potential insider dumping
- Other information:
- The project was previously known as Anyswap
- The team responded to the incident with vague explanations and mentioned "force majeure"
- Fantom, which relies on Multichain for various assets, had no answers regarding the incident
- The attacker was able to control the addresses directly
- Possible attack vectors include a back-end breach, spearphishing, or the actions of a malicious insider
- Funds have not been moved or swapped after being drained, possibly indicating involvement of a whitehat
- Tether and Circle could potentially freeze $65 million of the funds
- This is the second bridge hack in a week, following the Poly Network multisig compromise
- Vitalik Buterin warned about the risks of cross-chain bridges and suggested a multi-chain future
- Multichain is linked to Andre Cronje's decentralized monopoly project
- Multichain joins other rekt projects on the leaderboard
- Contract names and hex addresses mentioned in the article are not provided.
- Bug types mentioned in the article are not explicitly mentioned.
- Contract names: Solend (lending protocol), Nirvana's Treasury contract
- Contract hex addresses:
- Attacker's address: 76w4SBe2of2wWUsx2FjkkwD29rRznfvEkBa1upSbTAWH
- Attack tx: LyUnvdY9KBQiVRFqmSzGUfCuPGqYX1xNHCWLWxWZ4MvgLcNis2Kui6T25Ayai5UzpTAFkSRSgriKb3pM8tAoeR5?cluster=mainnet-qn1
- Nirvana's Treasury contract: CxuuSEv67PzNkMxqCvHeDUr6HKaadoz8NhTfxbQSJnaG
Bug types mentioned in the article:
- Flash loan attack
- Exploiting the price of ANA through inflating and cashing out
- Bridging stolen funds via Wormhole to the attacker's ETH address
- Nomad Bridge
- Replica contract (0xB92336759618F55bd0F8313bd843604592E27bd8)
- Moonbeam
- EVMOS
- Milkomeda
- Rari Capital (Arbitrum)
- 0x56D8B635A7C88Fd1104D23d632AF40c1C3Aac4e3
- 0xBF293D5138a2a1BA407B43672643434C43827179
- 0xB5C55f76f90Cc528B2609109Ca14d8d84593590E
Bug types mentioned in the article:
- Fatal security flaw
- Messages read as valid by default
- Invalid transactions read as trusted root
- Lack of validation requirement
- Delayed response time
- Vulnerabilities pointed out in Quantstamp audit
Note: The article does not explicitly label these as "bug types," but they are mentioned in the context of security flaws and vulnerabilities.
- Contract names: Nexus Mutual, Coinbene
- Contract hex addresses: N/A
- Bug types mentioned in the article:
- Compromised machine
- Malware
- Hacker attack
- Fraud
- Credit card fraud
- International coordination challenges
- Lack of experience in dealing with crypto-related cases
- Potential for insurance scams
- Lack of secure personal wallets with user-friendly interfaces
- Contract names and hex addresses:
- Value: 0xBlahBlah
- Flash Loans: 0xBlahBlah
- ERC20 projects: 0xBlahBlah
- Furucombo: 0xBlahBlah
- DeFiSaver: 0xBlahBlah
- Bug types mentioned in the article:
- Flash loan powered exploits
- Weak projects in DeFi
- Incentivizing unethical behavior
- Security vulnerabilities in DeFi projects
Contract names and contract hex addresses:
- ExchangeWithAtomic contract: 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (ETH), 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (BSC)
- Attacker address 1: 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (ETH), 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (BSC)
- Attacker address 2: 0x837962b686fd5a407fb4e5f92e8be86a230484bd (ETH), 0x837962b686fd5a407fb4e5f92e8be86a230484bd (BSC)
Bug types mentioned in the article:
- Reentrancy exploit
- Vulnerabilities in mixing third-party libraries
- Comptroller contract: 0x3d9819210a31b4961b30ef54be2aed79b9c9cd3b
- EXP bug
- Incorrect calculations in the comptrollerImplementation contract
- ">"
- ">="
- Contract names: Burn, Mint
- Contract hex addresses: 0xd500aa2cffb70f460f4da6afa038ce35bed029bc, 0x18738290af1aaf96f0acfa945c9c31ab21cd65be
- Bug types mentioned in the article:
- Rugged Amount
- Compromised private keys
- Suspected inside job
- Mint capability warning
- Dumping of tokens
- Price manipulation
- Hack or exploit
- Contract names: Pancake Bunny Finance, VaultFliptoFlip
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Bug in the protocol that uses PancakeSwap to retrieve prices of PancakeSwap liquidity providers
- Flash loan attack
- Manipulation of prices on PancakeSwap pools
- Skewed calculation of BUNNY from the VaultFliptoFlip vault
- Minting and selling of large amounts of BUNNY tokens
- Price drop of BUNNY token
- Vulnerability to flash loan attack despite undergoing a Haechi audit
- Non-audited and changeable external contracts
- Weakness of the "helper" function to flash loan attacks
- Contract name: polyBUNNY minter
- Contract hex address: 0xa6021d8c36b2de6ceb4fe281b89d37d2be321431
- Bug types mentioned in the article:
- Exploiting the polyBUNNY minter
- Depositing a small amount in one of the Bunny Vaults and a large amount directly to MiniChefV2 (SushiSwap)
- Calling the function withdrawAll to execute the attack
- Generating a performance fee and minting polyBUNNY to the attacker
- Dumping polyBUNNY for WETH
- Repaying AAVE's flashloan and exiting the attack
- Price manipulation leading to a decrease in the price of polyBunny
- Contract names and hex addresses:
- Pickle Finance cDAI jar: Contract name, Contract hex address
- Bug types mentioned in the article:
- Vulnerability involving fake "Pickle Jars"
- Lack of whitelist for allowed Jars
- Fake Pickle Jar creation
- Failure of "withdrawAll" transaction
- 12-hour timelock in the Governance DAO
- Copycat attacks
- Exploit in "swapExactJarForJar" function in "controller-v4.sol"
- Contract names: Platypus Finance, USP (Platypus stablecoin)
- Contract hex addresses:
- Attacker's address: 0xeff003d64046a6f521ba31f39405cb720e953958
- Attack tx: 0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
- Attack contract: 0x67afdd6489d40a01dae65f709367e1b1d18a5322
- Bug types mentioned in the article:
- Flaw in USP solvency check mechanism
- Faulty check mechanism when withdrawing collateral
- Neglecting to check the effect of borrowed funds when withdrawing collateral
- Draining liquidity from other stablecoins through swaps
- Depegging of USP by over 50%
- Freezable loot left in centralised stables
- Potentially inexperienced amateur hacker
- Lack of OPSEC by the hacker
- No specific contract names or contract hex addresses are mentioned in the article, so none can be provided.
- Bug types mentioned in the article:
- Uncertainty in prediction
- Lack of mainstream adoption for decentralised prediction market platforms
- Low liquidity in decentralised prediction markets
- Disparity in predictions between different platforms and traditional models
- Possible influence of election meddling and voter suppression on predictions
- Limited access to prediction markets for statistical/politics experts
- Potential inefficiency of political polls compared to prediction markets
- Lack of inside information in the current election
- Possibility of statisticians being proven wrong again in the future
- Speculation on how a Biden victory may affect Bitcoin and the crypto market
- Debate on whether a "hands-off" approach or regulatory involvement is preferable for the crypto industry
- Drifting apart of Bitcoin and DeFi sectors
- Growing demand for alternative currencies
- Scarcity for sports gamblers leading to interest in cryptocurrency-based prediction markets
- Importance of data and AI in prediction markets.
- Contract names: EthCrossChainManager
- Contract hex addresses:
- Attacker’s main ETH address: 0xe0Afadad1d93704761c8550F21A53DE3468Ba599
- Example tx: 0x1b8f8a38895ce8375308c570c7511d16a2ba972577747b0ac7ace5cc59bbb1c4 (deposit on ETH), 0x5c70178e6dc882fba1663400c9566423f8942877a0d42bb5c982c95acc348e31 (withdrawal on BSC)
- EthCrossChainManager contract: 0x14413419452aaf089762a0c5e95ed2a13bbc488c
Bug types mentioned in the article:
- Compromised keys
- Multisig vulnerability
- Contract names and hex addresses mentioned in the article:
- Attacker ETH: 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963
- Attacker BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
- Ethereum Proxy Lock Contract: 0x250e76987d838a75310c34bf422ea9f1ac4cc906
- BSC Proxy Lock Contract: 0x05f0fDD0E49A5225011fff92aD85cC68e1D1F08e
- Polygon Proxy Lock Contract: 0x28FF66a1B95d7CAcf8eDED2e658f768F44841212
- Bug types mentioned in the article:
- Exploiting Proxy Lock Contracts
- Privileged contract with the right to trigger messages from another chain
- Flaw in the Poly Network's EthCrossChainManager contract
- Calling special contracts through cross-chain messages
- Crafting data to trigger functions in the EthCrossChainData contract
- Sighash collision attack to call the target function
- Lack of preventing users from calling the EthCrossChainData contract
- Contract ownership vulnerabilities
- Design lessons for cross-chain relay contracts
- Total value lost in the hack: ~$611 million
- Freeze of stolen funds by Tether (33M USDT)
- Contract names and hex addresses:
- Sorbetto Fragola contract: 0xcd7dae143…
- Attacker address: 0xf9E3D08196F76f5078882d98941b71C0884BEa52
- Bug types mentioned in the article:
- Lack of proper fee accounting when LP tokens are transferred
- Exploitation of the RewardDistribution bug
- Flashloan attack
- Other points mentioned:
- $20 million TVL lost
- Peckshield audited the code and published a post-mortem
- Peckshield's decision to publish the post-mortem instead of Popsicle Finance
- Criticism of auditors for missing a known bug.
Contract names:
- Punk Protocol
- CompoundModel.sol
Contract hex addresses:
- Malicious contract: 0x1695ce70da4521cb94dea036e6ebcf1e8a073ee6
- Wallet: 0x1d5a56402425c1099497c1ad715a6b56aaccb72b
- Attacker's contract: 0x597d11c05563611cb4ad4ed4c57ca53bbe3b7d3fefc37d1ef0724ad58904742b
- Recovered funds: 0xec36e96739b0fe73f5d078952850d1fc608e7652
Bug types mentioned in the article:
- Missing Modifier in the initialize() function
- Use of delegateCall() to replace forgeAddress with a malicious contract
- Lack of an "initializer" Modifier allowing execution of manipulated function
- Failure of OnlyForge Modifier to detect abnormality
- Contract names: Qubit Finance, QBridgeHandler
- Contract hex addresses: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7
- Bug types mentioned in the article:
- Logic bug in the code allows xETH to be used on BSC without depositing ETH on Ethereum.
- The tokenAddress.safeTransferFrom() function does not revert when the tokenAddress is the zero address (0x0).
- The deposit function should not have been used after the development of depositETH, but it remained in the contract.
- Contract names: Rari Capital governance token ($RGT), BNB, Alpaca Finance, PancakeSwap, SushiSwap, Alpha Homora, vSafeWBNB, Anyswap
- Contract hex addresses: Rari Capital ETH pool (https://etherscan.io/tx/0xb7faca63a73d5d0490dda1c390577db3f30414cd91ce462e45c1e7f37c258519)
- Bug types mentioned in the article:
- Exploitation of fake token creation and pooling
- Exploitation of approve() function vulnerability
- Conversion of vSafeWBNB to WBNB
- Transfer of WBNB to Ethereum through Anyswap
- Fake token and pool creation on SushiSwap
- Exploitation of payload in Alpha Homora for obtaining ibETH
- Conversion of ibETH to ETH in Rari ETH pool
- Gas manipulation for transaction cancellation
- Similar attack technique to Evil Pickle Jar exploit
- Interoperability between DeFi protocols leading to easier exploits.
Raydium contract names and hex addresses:
- SOL-USDC: 0x518b1C8dc11867b5e5e67b5812D07A22D3767c8C
- SOL-USDT: 0xD1VvhYxoTXmAT4NYg3opDAcrJ6jwn6QDSNG3VA78smiZ
- RAY-USDC: 0x9Fb96EDef5335b17Fc10C5837F19e26aDF51E72c
- RAY-USDT: 0x6equSjBtj6xkRqyTcUoh3Meq5afzUrCKvFnS5bQkwuDQ
- RAY-SOL: 0x2KScAp5aqAmJHLAvJqToBc9jJnjo7yJAq9NunMZYiCto
- stSOL-USDC: 0x1jzwb59pM4ajccrZ36aFAX8qLTMpXXhEGm76rt2geML
- ZBC-USDC: 0xW91oVi6NuxUy3DgZF9pQFqL4k6T9zsQvRabiK9UfasTt
- UXP-USDC: 0xMmCyS2b91U6258zjPcWQXZYnCCw2WvzARyPpcUyUdAV
- whETH-USDC: 0H88dFu76ej77y3688afx98hqA8aKCdCqjGBCNivJc23
Bug types mentioned in the article:
- Compromised private key
- Trojan attack
- Changed SyncNeedTake parameter
- Contract names and hex addresses:
- REEF token contract: 0x94e509b0f855297c0b99ab61bff027e0ad114121
- Other transaction contracts:
- Bug types mentioned in the article:
- Instant selling of tokens received at a discount
- Shaky deal confirmation
- Backtracking on a trade
- Unethical behavior (if within the contract)
- Emotional decision-making
- Deleted tweets and poll
- Threatening to delist based on a deal gone wrong
- Centralized systems vs decentralization debate
Contract names and contract hex addresses:
- "rekt.news genesis" NFTs: No specific contract names or addresses provided.
- "Poly Network" NFT: No specific contract name or address provided.
- "Pancake Bunny" NFT: No specific contract name or address provided.
- "Meerkat Finance" NFT: No specific contract name or address provided.
Bug types mentioned in the article:
- None mentioned in the article.
Contract names and hex addresses mentioned in the article:
- FTT token (hex address not provided)
- C.R.E.A.M (hex address not provided)
- Yearn (hex address not provided)
- Blue Kirby ICO (hex address not provided)
- Serum (hex address not provided)
- Ethereum (hex address not provided)
- Solana (hex address not provided)
- Loopring (hex address not provided)
Bug types mentioned in the article:
- Inaccurate information
- One-sided takes
- Unexpected interaction
- Keys of SushiSwap obtained without knowledge
- Shorting
- Sensitive customer information
- Putting FTT on a centralized token
- Multi-sig access
- Attempt to rugpull
- Forking a smart contract
- Layer 2 and layer 1 networks
- Bitcoin maximalist perspective
Note: No specific hex addresses were provided for the mentioned contracts.
- Contract names: Stake, CoinEx, Lazarus, Remitano
- Contract hex addresses:
- ETH: 0x74530e81e9f4715c720b6b237f682cd0e298b66c
- TRON: TEDNf1aqk8YJEUdNH9NRd4MqibZmdP49Fm
- Bug types mentioned in the article:
- Private key compromise
- Data breach
- Slow response to the attack
- Incomplete industry response
- Funds with clear links to Lazarus freely moving in and out of exchanges
- Failure to secure wallets
- Lawless cryptosphere stereotype
- Lack of action by well-respected exchanges
- Flaws in industry technology
- Contract names and hex addresses:
- No contract names or hex addresses are mentioned in the article.
- Bug types mentioned in the article:
- Frontrunning
- Pay-to-play infrastructure
- Mining collusion
- Financial NFT platform Revest Finance fell victim to a reentrancy attack
- The attack was reported by the BLOCKS DAO development team
- Significant losses were also suffered by EcoFi and RENA Finance
- The Revest team halted transfers of RVST tokens to prevent further losses
- The attack impacted the price of BLOCKS and ECO tokens
- The root cause of the attack was a reentrancy vulnerability in the ERC1155 minting contract
- The mintAddressLock function was used to create new Smart Vaults
- The attack exploited a delay in updating the fnftId parameter, allowing for additional funds to be added to an existing position
- The attacker used multiple transactions to open and overwrite positions with zero value tokens
- The attacker then used the withdrawFNFT function to withdraw a large amount of Rena tokens
- Approximate losses included 350k RENA, 715M BLOCKS, and 7.7M ECO tokens
- Smaller amounts of ConstitutionDAO and LUKSO tokens were also stolen
- After swapping the stolen tokens for ETH, the attacker deposited the funds into Tornado Cash
- The vulnerability was not identified in the project's audit
- Revest's quick response and post-mortem report are promising signs
Contract names and contract hex addresses mentioned in the article:
- 0xbad (MEV bot) - Contract address: 0xbadc0defafcf6d4239bdf0b66da4d7bd36fcf05a
- Attacker's address - Contract address: 0xb9f78307ded12112c1f09c16009e03ef4ef16612
Bug types mentioned in the article:
- Flaw in the bot's arbitrage contract code
- Improper protection of the function used to execute the dYdX flashloans
- Code allowing for arbitrary execution, leading to unauthorized approval of WETH
- Message sent threatening the attacker
- Return funds demand by the attacker
- Contract names:
- RocketSwap
- Base
- Contract hex addresses:
- Attacker's address: 0x96c0876F573e27636612CF306C9db072d2B13DE8
- Bug types mentioned in the article:
- Compromised private keys
- Brute force attack
- High-risk permissions
- Transfer of assets
- Redeploying farming contracts directly
- Relinquishing minting privileges
- Bridging ETH back to Ethereum
- Launching a memecoin
- Messy start
- Quick rugs
- Rugged project
- Contract names and hex addresses:
- Bug types mentioned in the article:
- Possible private key compromise or inside job
- Fixed token supply model with trust assumptions
- Poor management decisions
- Audit oversight
Contract names and contract hex addresses mentioned in the article:
- Ronin Network
- Sky Mavis
- Axie DAO
- Ronin Bridge contract: 0x1a2a1c938ce3ec39b6d47113c7955baa9dd454f2
- Attacker's address: 0x098b716b8aaf21512996dc57eb0615e2383e2f96
Bug types mentioned in the article:
- Security breach
- Vulnerability
- Compromised validators
- Unauthorized access
- Lack of monitoring
- Lack of awareness
- Failure to revoke access
- Unauthorized transactions
- Theft
- Lack of decentralization
- Contract names: Saddle Finance, Curve Finance
- Contract hex addresses: not provided in the article
- Bug types mentioned in the article:
- Lack of innovation
- Copying an existing product without adding value
- High slippage warnings
- Security issues identified in the Quantstamp audit
- Lack of understanding of gas optimization
- Difficulty in merging changes from Curve Finance
- Lackluster porting of code from Vyper to Solidity
- Reduction of CRV rewards to the tBTC pool
- Contract names and hex addresses:
- Old version of MetaSwapUtils library: 0x88cc4aa0dd6cf126b00c012dda9f6f4fd9388b17
- Current version of MetaSwapUtils library: 0x824dcd7b044d60df2e89b1bb888e66d8bcf41491
- Bug types mentioned in the article:
- Bug in the old version of MetaSwapUtils library
- Incorrect implementation of the fix to the MetaSwapUtils library into metapool swaps
- Contract name: SafeDollar
- Contract hex address: 0x742ad5057abd4c3ed4f851085297ff15f865438d
- Bug types mentioned in the article:
- Infinite mint exploit
- Manipulation of accSdoPerShare value
- Deduction of fees from rewarder balance instead of user balance
- Skewed rewards system
- Contract names: Safemoon, Safemoon: Deployer
- Contract hex addresses:
- Safemoon: Deployer - 0x678ee23173dce625a90ed651e91ca5138149f590
- Token contract - 0x42981d0bfbaf196529376ee702f2a9eb9092fcb5
- New implementation contract - 0xeb11a0a0bef1ac028b8c2d4cd64138dd5938ca7a
- Bug types mentioned in the article:
- Vulnerability in the burn() function allowing anyone to burn SFM tokens from any address
- Exploitation of the vulnerability to inflate the price of SFM tokens in the pool and drain BNB liquidity
Contract names and hex addresses:
- FTX.com (hex address not mentioned)
- Alameda (hex address not mentioned)
- FTX Accounts Drainer (hex address: 0x59abf3837fa962d6853b4cc0a19513aa031fd32b)
Bug types mentioned in the article:
- Compromised systems integrity
- Faulty regulatory oversight
- Concentration of control in the hands of inexperienced, unsophisticated, and potentially compromised individuals
- Misuse of customer funds
- Unsecured group email account used to access confidential private keys
- Absence of daily reconciliation of positions on the blockchain
- Use of software to conceal the misuse of customer funds
- Secret exemption of Alameda from certain aspects of FTX.com's auto-liquidation protocol
- Absence of independent governance between Alameda and FTX.com.
Contract names and Hex addresses:
- No specific contract names or hex addresses mentioned in the article.
Bug types mentioned in the article:
- Threatening the concept of decentralization
- Requiring front-ends to register as broker-dealers with KYC obligations
- Stifling the growth and innovation of the industry
- Positioning oneself as a gatekeeper and regulatory authority
- Favoring compliance and regulation over the core ethos of DeFi
- Consolidating power and handicapping competition
- Transitioning from CeFi to DeFi with TradFi-friendly proposals
- Focusing on regulation and regulated crypto access
- Creating a career in RegFi while offering demo-version DeFi for others.
- SuperMassive
- Schrödinger’s cat
- The Rug Pull
- Prisoner's dilemma
- Exploited code
- Digital art heist
- Copenhagen interpretation
- Open to interpretation
- Bug types are not specifically mentioned in the article
- Contract names and hex addresses are not provided in the article.
- No specific bug types are mentioned in the article.
- Contract names: Shibarium (ETH bridge), Shibarium (BONE bridge)
- Contract hex addresses:
- ETH bridge: 0xc3897302ab4b42931cb4857050fa60f53b775870
- BONE bridge: 0x885fcE983b6a01633f764325B8c3c5D31032C995
Bug types mentioned in the article:
- Faulty bridge
- Transactions stalled
- Chain stopped producing blocks
- Inability to initiate withdrawals from the L2 side
- Upgradeability bug
- Contract names and contract hex addresses mentioned in the article:
- Safemoon: 0x8076c74c5e3f5852037f31ff0093eeb8c8add8d3
- Scamcoin: No specific contract address mentioned
- $Ass: 0x55d398326f99059ff775485246999027b3197955
- $Cummies: No specific contract address mentioned
- Bug types mentioned in the article:
- Cash grabs and scams
- Low quality projects
- Tokens with no purpose
- Tokens solely built to gain attention
- Lack of effort in project development
- Lack of long-term vision
- Chaotic and volatile market
- Gambling mentality
- Marketing surpassing technology
- Permanent record of wallet transactions
- Poor financial decisions
- Contract names and hex addresses are not mentioned in the article.
- Bug types mentioned in the article:
- Mismanagement of funds
- Lack of transparency
- Mixing personal wallets with treasury funds
- Centralized decision-making
- Fraudulent activity
- Conspiracy to commit credit card fraud, burglary, grand larceny, and computer fraud
- Contract names: N/A
- Contract hex addresses: N/A
- Bug types mentioned in the article:
- Financial losses
- Lack of due diligence
- Regulatory pressure
- Collapse of business relationships
- Trustworthiness of financial institutions
- Contract names: RedeemSkyward
- Contract hex address: 5ebc5ecca14a44175464d0e6a7d3b2a6890229cd5f19cfb29ce8b1651fd58d39
Bug types mentioned in the article:
- Lack of proper verification of the token_account_ids parameter
- Ability for the attacker to repeatedly pass their withdrawal within the transaction
- Contract Names: Snowdog, Snowbank
- Contract Hex Addresses:
- Snowdog: Not mentioned in the article.
- Snowbank: Not mentioned in the article.
- Bug types mentioned in the article:
- Price manipulation
- Inside job suspicion
- Deception
- Sniping bots
- ChallengeKey source of suspicion
- Failed botted transactions
- Bubble popping
- Contract names and hex addresses:
- RBTC (RSK-bridged BTC) pool: Hex address not mentioned
- USDT pool: Hex address not mentioned
- Bug types mentioned in the article:
- Exploit due to the "external call of callTokensToSend function"
- Attack contract deployment and use of flashloan
- Manipulation of side tokens and Load tokens
- Use of mint function in the attack contract
- Inaccurate calculation of Load token price in tokenPrice function
- Use of burn function to convert Load tokens to side tokens
- Stolen funds deposited into Tornado cash
- Contract names: Spartan pool, Peckshield
- Contract hex addresses: N/A (not mentioned in the article)
- Bug types mentioned in the article:
- Flawed logic in calculating liquidity shares
- Flash loan exploit
- Inflating the balance of the pool
- Manipulation of liquidity share calculation
- Slippage leading to decreased profit
- Contract names: Wormhole, Gulf Stream
- Contract hex addresses: Not mentioned in the article.
- Bug types mentioned in the article:
- Lack of on-chain user activity on Solana.
- Potential centralization of Solana due to a large percentage of token supply being owned by VCs and insiders.
- Artificially inflated transaction numbers on Solana due to the majority of transactions being voting "transactions" rather than real transactions.
- Congestion issues on Solana when reaching around 50% capacity.
- Comparisons and competition between Ethereum and Solana in terms of scaling and decentralization.
- Replication of successful Ethereum projects on Solana without offering anything new.
- Questioning the value and importance of decentralization in the face of cheaper and faster but centralized chains.
- Contract names and hex addresses:
- G7: No specific contract name or hex address mentioned in the article.
- Diem (rebranded Facebook currency): No specific contract name or hex address mentioned in the article.
- STABLE act: No specific contract name or hex address mentioned in the article.
- Tether: No specific contract name or hex address mentioned in the article.
- Bug types mentioned in the article:
- Attempts to regulate stablecoins and prevent mass adoption
- Smearing the industry and slowing progress through legislation
- Exploiting public's fear of the pandemic and desire for racial equality
- Violence in the digital age (metaphorical reference)
- Fall of Tether due to US regulation
- Monitoring of on and off ramps to cryptocurrency by jealous governments
- Inevitable stablecoin adoption
- Competition between nations and corporations to release widely adopted and regulated stablecoins
- Strategy behind the STABLE act that may not be immediately apparent
- Globalisation of culture, currency, and commerce
- Brain drain and movement of brightest minds to countries with favorable financial regulation
- Governments' adaptability and their ability to please the masses and the new financial elite
- Money 3.0 and its flexibility in different jurisdictions
- Government adaptation and the falling of non-adapting governments
- The power dynamics in cyberspace.
- StableMagnet contract hex address: unknown
- SwapUtils library contract hex address: 0xE25d05777BB4bD0FD0Ca1297C434e612803eaA9a
- BUSD sent to Binance hot wallet contract hex address: 0x2bac04457e5de654cf1600b803e714c2c3fb96d7
- Tether received on ETH chain contract hex address: 0xDF5B180c0734fC448BE30B7FF2c5bFc262bDEF26
- Tether changed to DAI contract hex address: 0xe5daac909a3205f99d370bc2b32b1810a4912a07
Bug types mentioned in the article:
- Rugpull attack
- Unverified source code
- Exploit in SwapUtils library
- Funds drained from pairs
- Tokens transferred to everyone who had approved StableMagnet
- Stolen funds split between multiple addresses
- Binance KYC process questioned
- Draining of users' wallets
- Multiple rugpulls by the same group
- Techrate audit not verifying deployed contract
- Auditor becoming the number one suspect
- Stolen funds converted to DAI
- Contract names: Stake
- Contract hex addresses:
- Ethereum: 0x974caa59e49682cda0ad2bbe82983419a2ecc400
- Polygon: 0x019d0706d65c4768ec8081ed7ce41f59eef9b86c
- BSC: 0xfa500178de024bf43cfa69b7e636a28ab68f2741
- Bug types mentioned in the article:
- Compromised private keys
- Loss of funds
- Suspicious transactions
- User withdrawals suspended
- Delay in communication
- Omissions in official comms
- Drained funds into hacker addresses
- Non-native assets swapped to native tokens
- Lack of disclosure of access to private keys in CeFi platforms
- Holding large sums in hot wallets with a single set of private keys
Contract names and hex addresses:
- Deployer address: not specified
- USDC vault on Arbitrum: in the tx 0x1e94a17f392c77fd897b4bfb66a1364b5508de6b2a36f3b0227a4a9ca4a657f0
- Attacker's address: 0x9cf71F2ff126B9743319B60d2D873F0E508810dc
Bug types mentioned in the article:
- Compromised deployer address
- Account compromise
- Phishing (potential state-sponsored phisherman)
- Inability to withdraw funds due to paused farms contract
- Contract names: SturdyOracle, Attack contract
- Contract hex addresses:
- SturdyOracle: 0x1e8419e724d51e87f78e222d935fbbdeb631a08b
- Attack contract: 0x0b09c86260c12294e3b967f0d523b4b2bcdfbeab
- Bug types mentioned in the article:
- Price manipulation exploit
- Flash loan attack
- Reentrancy vulnerability
- Oracle vulnerability
- Attacker’s address: 0x1574f7f4c9d3aca2ebce918e5d19d18ae853c090
- Exploit tx: 0xdee86cae2e1bab16496a49b2ec61aae0472a7ccf06f79744d42473e96edd6af6
- Assets taken:
- 19.4M QI (sold in four transactions for a total of 2.3k WETH)
- 24.4 WETH
- 563k USDC (sold for 173 WETH)
- 45k SDT (sold for ~17 WETH)
- 24k STACK (sold for ~6.2 WETH)
- 39k sdam3CRV (swapped to am3CRV, then to ~44k amDAI)
- 1.5M MOCA (1M sold for 173 WETH)
- 11k MATIC (not yet sold)
- 6 hours after the attack, Superfluid patched the bug with help from Mudit Gupta.
- The vulnerability allowed the attacker to craft calldata to impersonate other accounts.
- The exploit contract demonstrated how the vulnerability could be used to close open streams and drain funds from other accounts.
- The chain of function calls involved deleteAnyFlowBad, Superfluid.callAgreement, ConstantFlowAgreementV1.createFlow, and AgreementLibrary.authorizeTokenAccess.
- The fake ctx injected by the attacker caused the agreement contract to ignore the legitimate ctx.
- Superfluid has reached out to the attacker on-chain and has a $1M bounty remaining for the return of the funds.
- Most of the affected accounts have already been refunded, and larger losses will be compensated more gradually.
- The exploit affected other protocols, causing negative price impacts on their tokens.
- The DAO infrastructure presents more targets for anonymous attackers in DeFi.
- Contract names: RouteProcessor2 contract, Univ3 pool
- Contract hex addresses: 0x044b75f554b886A065b9567891e45c79542d7357
- Bug types mentioned in the article:
- Insufficient protection against accepting arbitrary data
- Fake liquidity pool insertion
- Drain/stealing of tokens from approved addresses
- Bad callback function
- Impersonation of V3Pool
- Lack of check on the pool deployer
- No-op swap
- Arbitrary ERC20 token transfer
- Contract names and hex addresses:
- Goldentree: 0x9C2ba3E13616e27eC15E799797424B0c3D00cEB1
- Bug types mentioned in the article:
- Rug pulling
- Copyright infringement
- Shady marketing techniques
- Unauthorized access to user funds
- Lack of oversight in wallet software release
- Malpractice accusations
- contract names: SushiSwap, Sushibar
- contract hex addresses: 0x1925e832c22522e0d9947ee4677120b2f28e4cd4
- Bug types mentioned in the article:
- Exploit/bug in the Sushibar smart contract
- Bypassing the boring app
- Unauthorized claiming of LP tokens instead of claiming sushi
- Stealing funds
- Automation of transactions
- Hex addresses of mentioned contracts are not provided in the article.
Bug types mentioned in the article:
- Internal conflict
- Mismanagement of funds
- Uneven distribution of bonuses
- Use of community funds without approval
- Gross incompetence
- Toxic workplace behavior
- Contract names: Swaprum, Merlin DEX
- Contract hex addresses:
- Swaprum: 0x99801433f5d7c1360ea978ea18666f7be9b3abf7
- Upgrade contract: 0xcb65d65311838c72e35499cc4171985c8c47d0fc
- Bug types mentioned in the article:
- Rug pull
- Backdoor function
- Theft of funds by draining liquidity
- Compromise of the owner account
- Malicious insiders
- External threats
- Change in contract implementation
- Certik's security score for Swaprum: "Exit Scam"
- Contract names: Team Finance, FEG, Caw, Kondux, Tsuka
- Contract hex addresses:
- Team Finance: 0xcff07c4e6aa9e2fec04daaf5f41d1b10f3adadf4
- Exploiter address 1: 0x161cebb807ac181d5303a4ccec2fc580cc5899fd
- Exploiter address 2 (containing stolen funds): 0xba399a2580785a2ded740f5e30ec89fb3e617e6e
- Bug types mentioned in the article:
- Flawed migrate() function
- Exploit targeting the audited v2 to v3 migration function
- Vulnerability in Liquidity Locks' bulletproof smart contracts
- Bypassing authorized sender check by locking any tokens
Contract names:
- TempleDAO's STAX
- StaxLPStaking
Contract hex addresses:
- TempleDAO's STAX: 0xd2869042e12a3506100af1d192b5b04d65137941
- Attacker's contract: 0x2df9c154fe24d081cfe568645fb4075d725431e0
- Attacker's address: 0x9c9fb3100a2a521985f0c47de3b4598dafd25b01
- Funds forwarded address: 0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0
Bug types mentioned:
- Lack of valid checks when executing the migrateStake() function
- Exploiting the ability to specify an arbitrary deposit amount and address
- Unauthorized access to funds
- Basic oversight in contract code
- Reputation damage to the project
Contract names and hex addresses mentioned in the article:
- BT Finance: https://etherscan.io/tx/0x82f95242963ac274d63e78234cb71c156f3135c32037e7e5b4424a6043da2a9a
- Growth DeFi: [not mentioned]
Bug types mentioned in the article:
- Manipulation of price
- Flash loan attack
- Liquidity manipulation
- Missing if-condition in smart contract code
- Contract name: Swerve Finance
- Contract hex address: Unknown
Bug types mentioned in the article:
- Pump and dump scheme
- Excess distribution
- Whales dumping tokens
- Governance vote struggles
- Lack of long-term value
- Founder token allocation stripped out
- Premine
- Token binge
- Unaudited code
- Unknown developer
- Questionable investments
- Potential loss of funds
- Decreased A factor without warning
- Incompetence in managing the protocol
- Permanent loss for users
- Struggling to pass quorum on governance votes
- Asking for help from VCs
- False claims of being community-owned
- Public humiliation
- Potential deception of users
- Uniswap
- Curve
- SNX
- YFI
Bug types mentioned in the article:
- Price to earnings ratio (P/E)
- Network Value to Transactions (NVT)
- Tokenomics
- Governance
- Trading volume
- Yield farming
- Inflation schedule
- Proxy trade tool
- Volatility
- EMN contract (no hex address provided)
- LBI contract (no hex address provided)
- Blue Kirby daemon (no hex address provided)
Bug types mentioned in the article:
- Hack/exploit
- Sudden decrease in price
- Accidental loss of funds
- Editing of Medium article
- Deposit of funds into risky contract
- Contract names and hex addresses:
- Polygon (formerly Matic): Polygon Contract
- Aave: Aave Contract
- Curve: Curve Contract
- Stake DAO: Stake DAO Contract
- Bug types mentioned in the article:
- Scalability challenge
- Maintaining decentralization and security
- High transaction fees
- Need for L2 scalability
- Uncertainty regarding the future reliance on L1 and L2
- Early stages of technology development
- Competition among different protocols
- First mover advantage
- Future of finance being cross chain
- Progress made despite constraints of high gas costs and low transactions per second
- Need for decreasing transaction costs and increasing TPS
- Contract names: Yellow papers, Thirty pages, Thirty six pages, HEX whitepaper
- Contract hex addresses: N/A
- Bug types mentioned in the article:
- Vapourware and empty promises
- Market implosion
- Perceived value melting away
- Unpopular decisions leading to forked protocols
- Untrustworthy forks turning into "blue chip" products
- Code with more holes due to quick shipping
- DeFi hacks
- Seeking freedom and power through anonymity in DeFi
- Attacker Wallet: 0x3a196410a0f5facd08fd7880a4b8551cd085c031
- Contract Address: 0x4a33862042d004d3fc45e284e1aafa05b48e3c9c
- Tornado Address: 0x4b713980d60b4994e0aa298a66805ec0d35ebc5a
- Bug located within the ETH Bifrost (bridge) code
- Over-ride loop in the code designed for vaultTransferEvent transactions
- Hacker manipulated the over-ride loop through their own contract
- Mistakenly read the transaction's msg.value as the txvalue()
- Exploit used in a loop to drain liquidity in various coins
- Vulnerability left open despite explicit comment in the code
- Fix is to make the over-ride only happen if it specifically is a vaultTransferEvent
- THORChain Router contract address: 0xc145990e84155416144c532e31f89b840ca8c2ce
- THORChain Vault contract address: 0xf56cba49337a624e94042e325ad6bc864436e370
- Attack contract address: 0x700196e226283671a3de6704ebcdb37a76658805
- Attack wallet address: 0x8c1944fac705ef172f21f905b5523ae260f76d62
Bug types mentioned in the article:
- Lack of proper multi-event handling
- Vulnerability in the RUNE token contract code due to the use of tx.origin instead of msg.sender
- Vulnerability in granting approval to a protocol to spend UniH, resulting in theft of RUNE balances.
- Contract names and contract hex addresses: None mentioned in the article.
- Bug types mentioned in the article: None mentioned in the article.
Contract names and their hex addresses:
- The Recount Calendar NFT: 0x7b8be9e88a75fe29d9d19aec07777a62a5a550c6
- Neitherconfirm NFT collection: [N/A] (mentioned in a tweet and not provided with a contract address)
Bug types mentioned in the article:
- Value of NFTs being meaningless without inseparability from the artwork
- The potential for footage to be easily swapped or manipulated
- Lack of response from bidders and the creator of the NFT
- Lack of permanence in some NFTs being sold today
- The raid of Tomb Finance
- The contract names and contract hex addresses are not explicitly mentioned in the article.
- Bug types mentioned in the article:
- Exploiting the protocol's Gatekeeper fee system
- Tax evasion
- Deactivating the Gatekeeper
- Losing the peg
- Plummeting token price
- Social media FUD frenzy
- Rug or exploit (mentioned in the reader's report)
- There may be other bug types not explicitly mentioned in the article.
- Exploiter address 1: 0x092123663804f8801b9b086b03b98d706f77bd59
- Exploiter address 2: 0x592340957ebc9e4afb0e9af221d06fdddf789de9
- The bug types mentioned in the article are:
- Trojan horse proposal
- Control takeover
- Rerouting deposits/withdrawals
- Admin status control
- Self-destruct function
- Metamorphic contracts
- Unlocking and withdrawal from the vault
- Full control of governance
Contract names and contract hex addresses mentioned in the article:
- Blackrock (Bitcoin ETF) - [hex address not provided]
- WisdomTree (Bitcoin ETF) - [hex address not provided]
- Valkyrie (Bitcoin ETF) - [hex address not provided]
- Citadel-backed exchange - [hex address not provided]
- Deutsche Bank (digital asset license) - [hex address not provided]
- OPNX (CEX) - [hex address not provided]
- 3AC Ventures (ecosystem partner) - [hex address not provided]
- Prometheum (securities exchange) - [hex address not provided]
Bug types mentioned in the article:
- Instinct to strike when prey is vulnerable
- Tarnished industry reputation
- Regulatory aggression
- Compliance contradictions
- Dismissive attitude of TradFi
- Amateur behavior in faking volume and launching justice tokens
- US regulatory battles for control
- Surveillance and control concerns
- Watering down of crypto's original goal
- Transit Swap lost $21M to a vulnerability
- The vulnerability allowed an unknown attacker to drain the wallets of users who had approved the protocol's swap contracts
- Over $1M was lost in transit
- The team paused the affected contracts
- The attacker's IP, email address, and associated on-chain addresses were uncovered
- Over 70% of the funds have been returned
- The vulnerability was in the use of the transferFrom() function
- Tokens approved for trading on Transit Swap could be transferred directly to the attacker's address
- The attacker's address on ETH and BSC is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46
- The vulnerable contract is 0xed1afc8c4604958c2f38a3408fa63b32e737c428
- The returned funds have been consolidated into the address 0xD989f7B4320c6e69ceA3d914444c19AB67D3a35E
- Stolen funds include 3180 ETH, 1500 Binance-pegged ETH, and 50k BNB
- The exploiter's BSC address still holds over $3.5M in stolen BNB
- Closed-source contracts make it difficult for users to DYOR and for whitehats to spot vulnerabilities
- Closed-source code breeds suspicion and raises questions about insider involvement
- Contract name: Treasure DAO
- Contract hex address: Not mentioned in the article
Bug types mentioned in the article:
- Logic bug in the Marketplace's buyItem function
- The logic bug allowed existing listings to be "bought" for no fee
- Exploiter called buyItem() with zero quantity, paid 0, and still received the NFT
- The simple fix to prevent the attack was to require that the quantity is greater than 0
Note: The article does not provide specific contract hex addresses for the Treasure DAO contract or the exploiter accounts mentioned.
Contract Names and Hex Addresses:
- Not mentioned in the article.
Bug Types:
- Immaturity of the markets
- Easily influenced by the actions of individuals
- Fear induced by Elon Musk's Tesla and Bitcoin situation
- Azeem's Twitter post about the article
- RobertMCForster's Twitter thread
- Nesh_S's tweet about Azeem's reputation
- ArmorFi's tweet about focusing on building and adoption
- Azeem's claim that kferret relied on ambiguous statements in Discord
- Azeem's claim that kferret staked a day before the statements he claimed to rely on
- Azeem's claim that Armor stood firm against a social media storm
- Azeem's claim that there were other NFTs successfully claimed without staking
- Azeem's statement that the rights to the arNFT belong to Armor when staked
- Azeem's guides to staking
- Azeem's screenshot of a guide to staking
- Azeem's claim that Armor is not centralized
- Azeem's claim that kferret made straight up lies
- Azeem's clarification that the NFT was sent back, not restaked, according to protocol design
- Azeem's statement that Armor stands to profit $0 from their decisions
- Azeem's statement that the misunderstandings are based on human elements
- Azeem's statement that he would have sought to do absolutely nothing and let the system be executed as designed
- Azeem's recommendation to review the provided links for important details
- Contract names and hex addresses:
- Uniswap proposal: https://app.uniswap.org/#/vote/1
- Dharma proposal: https://github.com/dharma-eng/dharma-smart-wallet
- Dune Analytics dashboard: https://explore.duneanalytics.com/dashboard/uniswap-governance
- Dashboard showing who voted: https://gateway.pinata.cloud/ipfs/QmRnJtRXKCx2X89QosbvK4swnQMjkEX9JHCDxcXvBQT1Lm/site.html
- Bug types mentioned in the article:
- Lowering quorum threshold too much can create the possibility for malicious proposals (similar to the DAO hack)
- Negative impact on decentralization
- Potential flash crash in the price of ETH if liquidity mining ends
- Multiple changes proposed within a single proposal
- Centralized distribution of UNI tokens causing an imbalance in power
- Unfair exclusion of users from UNI distribution
- Manipulation of popular platforms by those with power
- Contract names and hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Scams
- Fake whitepapers
- Fake audits
- Fake staking pools
- Lack of research
- Gas fees
- Missed opportunities
- Guilt
- Morality
- Greed
- Fear of the law
- Financial transaction card fraud
- Credit card fraud
- Computer crimes
- Contract names: Uniswap V3
- Contract hex addresses: N/A
Bug types mentioned in the article:
- Impermanent loss
- Loss in trading fees
- Inefficiency in capital utilization
- Overcomplication of the Uniswap V3 system
- Decreased profitability of traditional liquidity provider (LP) positions
- Contract names and hex addresses are not mentioned in the article.
- Bugs mentioned in the article are not related to contracts.
- The contract names and contract hex addresses are not provided in the article, so it is not possible to list them.
- Bug types mentioned in the article:
- Network-wide bug
- Leaky extensions
- Mobile malware
- ECDSA nonce reuse issue
- Bug in underlying cryptography
- iOS supply chain attack
- Contract names: UraniumPair, MasterChef
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Math bug
- Vulnerabilities in the MasterChef contract
- Bug introduced in the UraniumPair contract
- Cross chain hacks
- Rug pulls
- Contract names: Value DeFi Bank contract, Value DeFi Vault contract
- Contract hex addresses: Not mentioned in the article
- Bug types mentioned in the article:
- Exploitation through withdrawals from the Vault contract through Proxy
- Manipulation of Curve spot price oracle
- Using the wrong Curve function for withdrawal calculations
- Vulnerability to flash loans
- Contract names:
- Value DeFi
- Contract hex addresses:
- Exploiter: 0xef63ad578e75d498d0723e5420fa1962b1d28764
- Affected pool contract: 0x7a8ac384d3a9086afcc13eb58e90916f17affc89
- Bug types mentioned in the article:
- Flash loan vulnerability
- Copy-paste error
- Missing initialization line in the contract code
- Value DeFi
- vSwap AMM
- Paid actress (co-founder)
- Complex exponentiation power() function
- Incorrect use of Bancor formula
- Exploited pools with liquidity split other than 50/50
- Stolen funds (15k BNB, 2.7k FARM, 1.7k BASv2, 8.5M BDO, 68.3k BUSD, 41.4k MDG, 945k VBOND, 1.2M BAC, 11k FIRO)
- Attack steps:
- Sending a small amount of a second token to pair addresses
- Making a swap to withdraw a small amount of the first token and a large amount of the second token
- Incorrect use of Bancor formula leading to successful swap
- Power() function assumption violation
- Decreasing DEX volume
- Lack of trust in anonymous developers
- Use of paid actress for co-founder role
- Ape tax for users of Value DeFi
- Lack of user safety focus and worthless security audits
- Potential final exit scam.
- Contract names and hex addresses mentioned in the article:
Vee Finance:
- Exploiter ETH Address: 0xeeee458c3a5eaafcfd68681d405fb55ef80595ba
- Exploiter AVAX Address: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA
Zabu Finance:
- Exploiter ETH Address: Not mentioned
- Exploiter AVAX Address: Not mentioned
- Bug types mentioned in the article:
- Exploit contract deployment
- Price manipulation
- Slippage check bypass
(Note: The article does not go into detail about specific bug types, so these are the general bug types that can be inferred from the information provided.)
- Contract names: Venus Protocol, Blizz Finance
- Contract hex addresses:
- Venus Protocol: 0xec72d46011d67a6ac4fa7d3f476fa2049dc807ee
- Blizz Finance: (address not mentioned in the article)
- Bug types mentioned in the article:
- Inaccurate price feed
- Lack of failsafe mechanisms
- Failure to establish preventative measures
- Minimum price hardcoded in the oracle contract
- Timelock delay in reacting to the issue
- Blame on Chainlink for pausing price feeds
- Failure to update oracle's parameters to reflect reality
- Lack of automated circuit-breakers in protocols
- Potential loss of $3B of BTC belonging to the Luna Foundation
- Contract names: vVISR Rewards Contract
- Contract hex addresses: 0xc9f27a50f82571c1c8423a42970613b8dbda14ef, 0x10c509aa9ab291c76c45414e7cdbd375e1d5ace8, 0x8efab89b497b887cdaa2fb08ff71e4b3827774b2
- Bug types mentioned:
- Vulnerable require() check in the vVISR Rewards Contract's deposit() function
- Ability for the hacker to mint unlimited shares using their own contract
- Attacker transferring ownership of the contract to their own address
- Minting of vVISR tokens by the attacker
- Burning of vVISR tokens for VISR
- Swapping of VISR for ETH via Uniswap v2
- Washing of ETH via Tornado Cash
- Contract A: 0x632942c9BeF1a1127353E1b99e817651e2390CFF
- Contract B: 0x9E5b7da68e2aE8aB1835428E6E0c83a7153f6112
Bug types mentioned in the article:
- Reentrancy vulnerability in the ERC 677 standard
- Abuse of the callAfterTransfer() function
- Lack of following the recommended checks-effects-interactions routine of execution in the underlying code
- Update of internal states after an external call in the borrow() function
- Funds frozen by Circle for USDC
Contract names:
- Vulcan Forged
Contract hex addresses:
- Ethereum: 0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
- Polygon: 0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
Bug types mentioned in the article:
- Compromised keys
- Tornado Cash
- Alexey Pertsev
Bug types mentioned in the article:
- Money laundering
- Warp Oracle [0x4A224CD0517f08B26608a2f73bF390b01a6618c8]
- Warp Control [0xBa539B9a5C2d412Cb10e5770435f362094f9541c]
- wBTC-wETH LP Vault [0x3c37f97F7d8f705cc230f97a0668f77a0e05D0aA]
- WETH-DAI LP Vault [0x13db1CB418573f4c3A2ea36486F0E421bC0D2427] (Affected vault)
- USDT-WETH LP Vault [0xCDb97F4C32F065b8e93cF16BB1E5d198bcF8cA0d]
- USDC-WETH LP Vault [0xb64dfae5122D70Fa932f563c53921FE33967B3E0]
- DAI Vault [0x6046c3Ab74e6cE761d218B9117d5c63200f4b406]
- USDT Vault [0xDadd9bA311192d360Df13395E137f1E673C91deB]
- USDC Vault [0xae465FD39B519602eE28F062037F7B9c41FDc8cF]
Bug types mentioned in the article:
- Exploitation and draining of funds from the vault
- Use of AMM-based oracle (Uniswap) leading to price manipulation
- Flash loan-induced price manipulation
- Borrowing more than the collateral value
- Under-water borrow position
- Blue Kirby ICO contract: 0xA11f2dec4bab2E07de7708Dd640004Ef80cCaBCe
- FTT collateral wallet: 0x477573f212A7bdD5F7C12889bd1ad0aA44fb82aa
Bugs mentioned in the article:
- Blue Kirby promoted unaudited code for EMN
- Blue Kirby sold his YFI causing disappointment and outrage
- Blue Kirby's ICO for Off Blue lacked details and a public roadmap
- Concerns about the use of FTT as collateral for short selling other assets on C.R.E.A.M Finance
- Governance snapshot vote to decide if FTT should be delisted from C.R.E.A.M due to safety risks and lack of demand/impact on other users.
- Contract names: Big Data Protocol (BDP)
- Contract hex address: Not mentioned
- Bug types mentioned in the article:
- Unexpected behavior in the reward mechanism in the smart contract
- Inability to claim rewards due to minting "0" tokens
- Contract names: Maker DAO, USDC, USDT, RAI
- Bug types mentioned in the article: stability, compliance, regulatory vulnerability, frozen assets, centralization, pegged stability, systemic risk, existential threats, non-reliance on the dollar, increasing volatility, devaluation of fiat currencies.
- Contract names and hex addresses:
- Tornado Cash
- TRM Labs
- Hack victims
- Whitehats
- Nomad incident
- Addresses targeted by dusting attacks
- Bug types mentioned in the article:
- Compliance issues
- Censorship
- Proximity-based blocking of addresses
- Blanket blacklisting
- Large-scale censorship
- CeDeFi future
- Uniswap
- Contract hex address: https://uniswap.org/
- Aave
- Contract hex address: https://app.aave.com/
- Curve
- Contract hex address: https://www.curve.fi/
- Cream
- Contract hex address: https://cream.finance/
- Pickle Finance
- Contract hex address: https://pickle.finance/
Bug types mentioned in the article:
- Impermanent loss
- Market risk
- Volatility risk
- Impermanent loss risk
- Contract names: Wintermute's hot wallet, DeFi vault contract
- Contract hex addresses:
- Hot wallet: 0x0000000fe6a514a32abdcdfcc076c85243de899b
- DeFi vault contract: 0x00000000ae347930bd1e7b0f35588b92280f9e75
- Bug types mentioned in the article:
- Compromised vanity address
- Weakness in Profanity tool used for creating vanity addresses
- Forgotten removal of an admin address from the vault contract
- Contract names: Wintermute multisig on Ethereum, Gnosis Safe proxy
- Contract hex addresses:
- Wintermute's multisig on Ethereum: 0x4f3a120e72c76c22ae802d129f599bfdbc31cb81
- Hijacked address on Optimism: 0x4f3a120e72c76c22ae802d129f599bfdbc31cb81
- Bug types mentioned in the article:
- Misconfigured destination address
- Failure to check access to funds
- Vulnerability in Gnosis Safe proxy contract
- Out-of-date deployment method using create opcode instead of create2
- Lack of response to flagged alert on OP's launch day
- Carelessness in leaving funds in an unowned address
Bug types mentioned in the article:
- Loophole in Wormhole bridge
- Bypassing of guardians
- Discrepancy in address verification
- Fake SignatureSet
- Fraudulent minting
- Bridging of funds to Ethereum
- Liquidation of funds on Solana
- Exploit of Solana VAA verification
- Oracle issues leading to erroneous liquidations
- Security concerns around cross-chain protocols
- Contract names: xSNX contract, xSNXAdmin contract
- Contract hex addresses: not mentioned in the article
- Bug types mentioned in the article:
- Flash loan exploit
- Vulnerability in the callFunction function
- Erroneous require statement
- Value extraction through price manipulation and arbitrage opportunities
- Contract Name: xToken.Market
- Contract Hex Address: Not mentioned in the article
Bug types mentioned in the article:
- Exploitation with flash loans
- Draining liquidity pools
- Flashloan from DyDx
- Private transaction using Flashbots MEV
- Minting vulnerability
- Selling tokens through 1inch to ETH
- Manipulating token prices on Uniswap
- Using Kyber and Uniswap v2 for token swaps
- Reverse swaps in SushiSwap and Uniswap
- Repaying loans in Aave
- Selling tokens on Balancer SNX/ETH/xSNXa pool
- Issuing xBNTa multiple times
- Swapping xBNTa to BNT
- Stable AMM contract address: 0x5cB5e2d7Ab9Fd32021dF8F1D3E5269bD437Ec3Bf
- Exchange Router contract address: 0xDD05437d7c7aF576b58262AE5ac6D37515168BE3
- Swap Factory contract address: 0x3A4FF19554b0F997A4cEF14A8860DcF813b738a4
- Redeployed contract address: 0x71b6296174c5f07d37cafd6e9b72ab5bb3f14fac
- Bug types mentioned in the article:
- Vulnerability to exploit
- Lack of responsible disclosure
- Use of unfinished products
- Reliance on speculators to test products
- Clout chasing behavior
- Testing contracts in production with real funds
- Lack of deposit cap to limit potential risks
- Economic vulnerabilities in contracts
- Inadequacy of audits
- Potential security risks in audited contracts
- Lack of responsiveness to vulnerabilities and disclosures.
- Yearn DAI v1 vault
- Flash loans
- Arbitrage attack
- Mistake made during vault migration
- Withdrawal fee turned off
- Centralized refunds from Tether
- Implied centralization of Tether through token freeze and minting
- DeFi teams taking sides and fighting amongst themselves
The contract names and contract hex addresses mentioned in the article are:
- yUSDT contract hex address: 0x83f798e925bcd4017eb265844fddabb448f1707d
- Fulcrum USDC contract hex address: 0xF013406A0B1d544238083DF0B93ad0d2cBE0f65f
Bug types mentioned in the article:
- Misconfiguration in the yUSDT token contract
- Copy/paste error in the yUSDT contract, using the wrong Fulcrum contract address
- Exploiting the misconfiguration to manipulate share prices and mint a large quantity of yUSDT
- The attacker swapping the minted yUSDT for other stables and laundering the funds
- The test in prod attitude leading to incidents and vulnerabilities in the protocol
- Contract names: zETH contract, UZD contract
- Contract hex addresses:
- zETH: 0x5f4c21c9bb73c8b4a296cc256c0cde324db146df
- UZD: 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b
- Bug types mentioned in the article:
- Price manipulation issue
- Flawed price calculation via the totalHoldings function