Blockchain Weekly

Your weekly dose for blockchain security news

10th July weekly edition

-> 3rd July:

RAI Finance exploited for 2.9 Million RAI tokens: On Jul-03-2021 12:39:18 AM +UTC, RAI Finance was exploited for 2.9 million RAI tokens through the ETH-BSC cross-chain swap on ChainSwap; the attacker's address was 0x0e128fb9f266f0cfedeb3b789f6fd4af50d51b84. The team reserved 2.9M RAI at the address 0x9D4D377cFd6466Fe03e3cCbB266DC0ac235CcDe3. Later, deposits and withdrawals of RAI tokens were suspended by Huobi Global and Bithumb Korea.

~ Update (4th July):

The hacker returned 2.2 million RAI to the ChainSwap deployer address, reducing the loss from 2.9M to 670,000 RAI.

~ Update (6th July):

ChainSwap has compensated all losses, 50% in USDC and 50% in ASAP (the ChainSwap platform token).

The transaction details are as follows:

224,785 USDC

https://etherscan.io/tx/0x50a27b3b32d9ce6e02b3c7420ed78cc95f8db42693f02cabf1d8696c6fcd08b0

666,666 ASAP

https://etherscan.io/tx/0xfcee1c9ff618a9c2b2551117c37809f168bfa3d560a4be0959797552b7b2ce8c

The overall RAI token loss is now zero.

-> 3rd July:

DEX Tools hack: DEX Tools suffered a hack and some $DEXT holders were affected. To secure funds, the team airdropped $DEX tokens on the new BSC Bridge the same day for BSC holders on the Ethereum network. The team suggested pausing trading of DEX and revoked liquidity from Uniswap and PancakeSwap. On 4th July, ChainSwap resumed asset swaps.

-> 8th July:

Starting from June 22, 2021, hackers attacked Haven Protocol, exploiting the following vulnerabilities:

# Miner reward validation hack:

It was possible for a miner to modify the transaction code to exploit a vulnerability in the miner-reward-validation code. A successful attack minted a much higher mining reward than was due.

~ Occurred: Blocks 882877 (2021-06-22 18:19:41) and 882877 (2021-06-22 18:19:41)

~ Value of exploit: 2 equal transactions totaling 13.46 xBTC and 202,920 xUSD.

# xJPY to xBTC conversion/transfer:

It was possible for the attacker to take advantage of a vulnerability in the transaction types to modify outputs and mint extra xAssets.

~ Occurred: 884293/2021-06-24 17:51:46 (2.2 xBTC), 884305/2021-06-24 18:09:30 (change from the previous transaction), 884689/2021-06-25 07:04:19 (110 xBTC)

~ Value of exploit: 2 transactions totaling 112.2 xBTC.

# Hidden burn/mint amount bug:

The team found a bug that allowed the reported number of assets minted or burnt to be manipulated. This is not an exploit in itself, but it does allow a bad actor to hide transactions.

# Zero value price record due to oracle being disabled:

With the oracle disabled, the price record carried a zero value, and the attacker was able to manipulate the output values to mint arbitrary amounts.

~ Occurred: 18 times between block 887361 (2021-06-29 00:45:20) and 887409 (2021-06-29 02:15:23)

~ Value of exploit: It is not possible to determine the value of these exploits.
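The zero-value price record and the manipulated-output conversions above share one root cause: a conversion was minted without first checking that the oracle price record was usable and that the claimed output matched what the prices actually imply. The following added example (not Haven Protocol code; the record layout, asset names, scale factors and prices are constructed assumptions for illustration) shows the defensive checks a node would run before accepting an xAsset conversion: refuse when the oracle is disabled or a price is zero, recompute the output from the prices, and reject any transaction whose claimed output differs.

```python
# Added example: defensive validation of an oracle price record before an
# xAsset conversion. Not Haven Protocol code; PriceRecord, PRICE_SCALE,
# ATOMIC and the sample prices below are constructed assumptions.
from dataclasses import dataclass

PRICE_SCALE = 10**8   # assumed: prices stored as integer xUSD per unit, scaled by 1e8
ATOMIC = 10**12       # assumed: one asset unit equals 10**12 atomic units


class ConversionRejected(ValueError):
    """Raised when a conversion must not be minted at all."""


@dataclass(frozen=True)
class PriceRecord:
    enabled: bool   # whether the oracle feed was live for this block
    prices: dict    # asset name -> scaled xUSD price (constructed layout)


def validate_price_record(record: PriceRecord, *assets: str) -> None:
    """Reject a record that cannot safely price the given assets.

    A disabled oracle, a missing asset, or a zero/negative price would let the
    conversion arithmetic produce arbitrary outputs, so each case is an error.
    """
    if not record.enabled:
        raise ConversionRejected("oracle disabled for this block; no conversions allowed")
    for asset in assets:
        price = record.prices.get(asset)
        if price is None:
            raise ConversionRejected(f"no price for {asset}")
        if price <= 0:
            raise ConversionRejected(f"zero or negative price for {asset}: {price}")


def expected_output(amount_in: int, from_asset: str, to_asset: str,
                    record: PriceRecord) -> int:
    """The only output amount a conversion may mint (integer math, rounds down)."""
    if amount_in <= 0:
        raise ConversionRejected("input amount must be positive")
    validate_price_record(record, from_asset, to_asset)
    return amount_in * record.prices[from_asset] // record.prices[to_asset]


def audit_conversion(amount_in: int, from_asset: str, to_asset: str,
                     claimed_out: int, record: PriceRecord) -> str:
    """Consensus-style verdict on a conversion transaction.

    Returns "valid" when the claimed output equals the recomputed value,
    "output mismatch" when it does not, and "rejected: <reason>" when the
    price record itself is unusable (disabled oracle, zero price, ...).
    """
    try:
        expected = expected_output(amount_in, from_asset, to_asset, record)
    except ConversionRejected as exc:
        return f"rejected: {exc}"
    return "valid" if claimed_out == expected else "output mismatch"


# Constructed sample records: a live oracle and a disabled one that reports zeros.
LIVE_RECORD = PriceRecord(enabled=True, prices={
    "xUSD": 1 * PRICE_SCALE,        # 1 xUSD = 1 USD
    "xBTC": 35_000 * PRICE_SCALE,   # assumed price
    "xJPY": 900_000,                # assumed: 0.009 USD per JPY, scaled
})
DISABLED_RECORD = PriceRecord(enabled=False, prices={"xUSD": 0, "xBTC": 0, "xJPY": 0})


if __name__ == "__main__":
    # Honest conversion of 2 xBTC to xUSD is accepted.
    print(audit_conversion(2 * ATOMIC, "xBTC", "xUSD", 70_000 * ATOMIC, LIVE_RECORD))
    # A transaction claiming an inflated output is caught by recomputation.
    print(audit_conversion(2 * ATOMIC, "xBTC", "xUSD", 110 * ATOMIC, LIVE_RECORD))
    # With the oracle disabled nothing converts, so a zero price can never be abused.
    print(audit_conversion(10**6 * ATOMIC, "xJPY", "xBTC", 1, DISABLED_RECORD))
```

The important design choice is that the verdict is computed from the prices, never read from the transaction: a node that trusts the output written by the sender has no way to tell a legitimate conversion from a minted one, whereas recomputing makes a manipulated output a plain mismatch, and a disabled or zero-valued oracle becomes a hard stop rather than a divisor of zero.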

The team is planning to put a chain rollback (reversing the transactions) to block number 886575 to a community decision.

For a more detailed description of the hack, see https://havenprotocol.medium.com/haven-protocol-technical-overview-of-june-2021-exploits-6f4573fbf216

[SCAM]

-> 7th July:

Lookout, an endpoint-to-cloud security company, announced the discovery of approximately 200 cryptocurrency mining Android apps that scam users with a paid cloud cryptocurrency mining service. These apps belong to the BitScam and CloudScam Android app families, which target people interested in cryptocurrency mining. Of the approximately 200 apps, only 25 were found to be available on the Play Store. At least 93,000 people are affected by this scam and more than $350,000 has been lost.

-> 9th July:

Circle, a cryptocurrency payments company and issuer of USDC (US Dollar Stable Currency), reported to the US Securities and Exchange Commission a net loss of $2 million in company funds as a result of an email scam that took place in June 2021. According to Circle, customer accounts and information remain unaffected and Circle's systems are safe.