Blockchain Intel Tuesday #12

March 22, 2022 - Hacks and scams in the last two weeks cost crypto investors and projects over $21M. Interestingly, there was one unusual exploit, against OneRing Finance, that deserves additional reading. Both Agave and Hundred Finance were exploited using similar methods. Last but not least, Paraluni was attacked using a classic reentrancy, but one that targets an unsupported token.

Blockchain News
  • SEC delayed more spot bitcoin ETF offerings from WisdomTree and OneRiver

  • Is Bitcoin halving happening now?

  • Glassnode releases some interesting insights on the buy and sell sides of the crypto market. Notably, current buy-side demand appears to be dominated by US and EU markets, with the majority of sell-side activity occurring during Asian trading hours. More on these insights at this link.


Notable Hacks and Scams (Link to Zero Friction Hack and Scam Database)
  • OneRing Finance reported that the protocol was hacked and the exploiter was able to steal 1,454,672.244369 USDC ($1,454,672.24) via a flash loan attack. The hack was made possible by a flash-loan-assisted price manipulation of the LP tokens, which led to a larger number of OShare tokens being moved out of the protocol. It is a bit strange that the contract was being audited by Certik when this flash loan attack took place, and the attacker contract and their footprints are completely obfuscated. The contract has been configured to self-destruct at a specific block, making it almost impossible to track which specific functions from our contracts were called in order to steal the funds. This only tells us that the hacker is a professional, and since we were the only protocol being exploited, this attack was planned. Total losses ~ $1,454,672

  • Both Agave (Agave DAO, a decentralized, non-custodial money market and lending protocol on Gnosis Chain) and Hundred Finance (a multi-chain lending protocol using the veHND model) announced that they were exploited. Total losses ~ $11,000,000

  • Paraluni, a metaverse project, reported a reentrancy attack, introduced by the use of a crafted token contract in the depositByAddLiquidity() function, which doubles the credits the hacker is able to claim, as one can see in the image below. The depositByAddLiquidity function calls an internal depositByAddLiquidityInternal function that transfers the attacker's deposit into the appropriate pool. However, the pool ID value (_pid) used to look up the appropriate pool is not validated internally. The attacker takes advantage of this by directing the deposit to an attacker-controlled contract, whose malicious transferFrom function is called. This function then exploits the reentrancy vulnerability to call the Masterchef deposit function before the internal state is updated. Approximately 230 ETH has been funneled into Tornado Cash. Total losses ~ $1,700,000
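To make the two weaknesses in the Paraluni description concrete (an unvalidated pool lookup and an external token call made before accounting is updated), here is an added Solidity sketch of a minimal MasterChef-style staking contract. It is illustrative code written for this newsletter, not Paraluni's contract, and the contract, function and variable names are assumptions. The hazardous ordering is shown next to a hardened version that validates `_pid`, pulls tokens only from the pool's registered token, updates state before the external call, and rejects re-entrant calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustrative example, not Paraluni's code. All names are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingPoolExample {
    struct PoolInfo {
        IERC20 lpToken;      // the only token this pool may accept
        uint256 totalStaked;
    }

    address public immutable owner;
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public userAmount;

    // Simple mutex: a guarded function cannot be entered again while it is running.
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor() { owner = msg.sender; }

    function addPool(IERC20 lpToken) external {
        require(msg.sender == owner, "not owner");
        poolInfo.push(PoolInfo({lpToken: lpToken, totalStaked: 0}));
    }

    // HAZARDOUS pattern, mirroring the two flaws in the write-up above:
    //  1. the token to pull from is supplied by the caller instead of being read from
    //     poolInfo[_pid].lpToken, so any contract with a transferFrom function is accepted;
    //  2. the external transferFrom runs BEFORE storage is updated, so a token contract
    //     with a custom transferFrom can call back into this contract while the
    //     accounting for the current deposit is still pending. (_pid is only bounds-checked
    //     implicitly by the array access, after the untrusted code has already run.)
    function depositUnsafe(uint256 _pid, IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        userAmount[_pid][msg.sender] += amount;
        poolInfo[_pid].totalStaked += amount;
    }

    // HARDENED version: validate the pool id, use only the registered token,
    // apply checks-effects-interactions, and block re-entrancy.
    function deposit(uint256 _pid, uint256 amount) external nonReentrant {
        require(_pid < poolInfo.length, "invalid pid");
        PoolInfo storage pool = poolInfo[_pid];

        // Effects first: accounting is final before any untrusted code can run.
        userAmount[_pid][msg.sender] += amount;
        pool.totalStaked += amount;

        // Interaction last, and only with the token the pool was configured with.
        require(pool.lpToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }
}
```

The reentrancy guard alone would have stopped the nested deposit, and checks-effects-interactions alone would have meant the nested call saw already-updated state; using both, plus refusing caller-supplied token addresses, is the usual defence-in-depth for staking contracts that call out to arbitrary ERC-20 implementations.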

  • Deus Finance reported on the recent exploit reports regarding the $DEI lending contract. The contract has been closed; both $DEUS & $DEI are unaffected. Devs are working on a summary of the events, and all information will be communicated once they have assessed the full situation. The exploiter has taken ~$3M and the protocol loss may be larger, including 200,000 DAI and 1101.8 ETH. The exploit was made through price manipulation. Funds to launch the attack were sourced from TornadoCash to Fantom via Multichain, and the stolen funds were taken out via Multichain and then TornadoCash. Total losses ~ $3,000,000

  • Arthur Cheong, Arthur_0x, reported that his private key was compromised, resulting in a loss of $1.5M. Arthur_0x is a crypto investor with investments in DeFi & Web 3 Gaming, an @Azukizen collector, and founder of @DeFianceCapital, a leading Web 3 crypto venture fund founded by @Arthur_0x with a DeFi and Blockchain Gaming focus. Total losses ~ $1,500,000

  • Umbrella protocol is the first truly decentralized oracle service providing low cost, massively scalable, and secure solutions for smart contracts. The reward pools were drained on both @BNBCHAIN and @ethereum, leading to a ~$700K gain for the hacker! The hack was possible because of an unchecked underflow in withdraw(), so that anyone could withdraw any amount even without any balance! Total losses ~ $700,000
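The Umbrella item turns on arithmetic that wraps instead of reverting. The following added Solidity sketch (written for this newsletter, not Umbrella's contract; the contract and variable names are assumptions) shows a reward-pool withdraw() whose subtraction underflows silently under pre-0.8 compiler semantics, next to a version that checks the balance before subtracting. Compiling the same contract with Solidity 0.8 or later would also make the bare subtraction revert, since checked arithmetic became the default there.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;

// Added illustrative example, not Umbrella's code. All names are assumptions.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE: with compilers before 0.8, uint256 arithmetic wraps around,
// so 0 - amount becomes 2**256 - amount instead of failing. A caller with
// no balance at all passes the subtraction and is sent real tokens, which
// is exactly the "withdraw any amount without any balance" failure above.
contract RewardPoolUnsafe {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public balances;   // crediting logic omitted for brevity

    constructor(IERC20 token) { rewardToken = token; }

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;            // silent underflow on 0.7.x
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }
}

// HARDENED: check the balance explicitly before subtracting. The check is
// what matters; a SafeMath-style sub() or Solidity >=0.8 checked arithmetic
// gives the same protection by reverting on underflow.
contract RewardPoolSafe {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public balances;   // crediting logic omitted for brevity

    constructor(IERC20 token) { rewardToken = token; }

    function withdraw(uint256 amount) external {
        uint256 bal = balances[msg.sender];
        require(bal >= amount, "insufficient balance");
        balances[msg.sender] = bal - amount;       // cannot underflow after the check
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing a pre-0.8 codebase, every `-=` on a balance or supply variable that is not wrapped in SafeMath or preceded by an explicit `require` is worth flagging; a test that calls withdraw() from a fresh address with a non-zero amount and expects a revert catches this class of bug directly.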