HashingBits


🚨Protect your contract or pay the price: Hundred Finance lost ~$7 Million to a Contract Vulnerability

HashingBits | Week 16

QuillAudits
Apr 24, 2023

In brief⚡

  • Hundred Finance lost ~$7 million due to a contract vulnerability.

  • Close call for KyberSwap as they found a contract vulnerability

  • ~$110K swept away in Arbtomb Rug pull incident

  • Sandwich attack cost MEV bots ~$1.4 million

  • Tales of Elleria lost ~$280K to a contract vulnerability.


Hacks and Scams⚠️


Hundred Finance

Amount of Loss: ~$7M

Analysis

  • Hundred Finance lost ~$7 million in the recent exploit.

  • This was not Hundred Finance's first exploit: in March 2022, a hacker targeted both Hundred Finance and Agave Finance with a flash loan attack, stealing $12 million from the two projects.

  • The root cause: the attacker donated 200 WBTC to inflate the exchange rate of hWBTC, so that even a small amount (2 wei) of hWBTC could effectively drain the current lending pools.

  • An attacker manipulated the exchange rate between tokens and their interest-bearing counterparts on the Hundred Finance system on the Optimism layer-2 network, stealing approximately $7.4 million from the project.
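
As an added illustration (not code from the newsletter or from Hundred Finance), this Python model shows why a direct donation to a nearly empty market inflates the exchange rate, and how tracking cash internally or alerting on rate jumps counters it. The `Market` class, the 1:1 starting rate, the 2 wei total supply and the 100 bps alert threshold are assumptions; the rate is modelled as cash divided by token supply, with borrows and reserves set to zero.

```python
from dataclasses import dataclass

MANTISSA = 10**18   # fixed-point scale for the exchange rate
WBTC = 10**8        # WBTC uses 8 decimals


@dataclass
class Market:
    """Constructed model of an interest-bearing token market (no borrows, no reserves)."""
    track_cash_internally: bool  # True = hardened accounting
    token_balance: int = 0       # underlying sitting at the contract address
    internal_cash: int = 0       # underlying that arrived through mint() only
    total_supply: int = 0        # hTokens in circulation

    def cash(self) -> int:
        return self.internal_cash if self.track_cash_internally else self.token_balance

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return MANTISSA      # assumed 1:1 starting rate
        return self.cash() * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        minted = underlying * MANTISSA // self.exchange_rate()
        self.token_balance += underlying
        self.internal_cash += underlying
        self.total_supply += minted
        return minted

    def donate(self, underlying: int) -> None:
        self.token_balance += underlying   # plain token transfer, mints nothing

    def underlying_value(self, htokens: int) -> int:
        return htokens * self.exchange_rate() // MANTISSA


def value_of_2_wei_after_donation(track_cash_internally: bool) -> int:
    market = Market(track_cash_internally)
    market.mint(2)                 # assumed: total supply is only 2 wei
    market.donate(200 * WBTC)      # the 200 WBTC donation from the post
    return market.underlying_value(2)


def rate_jump_is_anomalous(before: int, after: int, max_growth_bps: int = 100) -> bool:
    """Monitoring check: flag a rate that grows more than max_growth_bps between samples."""
    return after * 10_000 > before * (10_000 + max_growth_bps)


if __name__ == "__main__":
    print("balance-based cash:", value_of_2_wei_after_donation(False))
    print("internal cash:     ", value_of_2_wei_after_donation(True))
```

With balance-based cash the 2 wei position is valued at the whole donated balance; with internal accounting the donation is ignored and the position is still worth 2 units.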

KyberSwap

Amount of Loss: Nil

Analysis

  • KyberSwap, a DEX aggregator and liquidity platform, announced via Twitter that they had discovered a potential vulnerability in KyberSwap Elastic and urged liquidity providers to withdraw their liquidity as soon as possible.

  • So far, no user assets have been lost.

  • KyberSwap strongly advises all Liquidity Providers to withdraw their funds from Elastic as quickly as possible as a precaution.

Arbtomb

Amount of Loss: ~$110K

Analysis

  • A rug pull is suspected in Arbtomb, a project in the Arbitrum ecosystem.

  • The scammer transferred 54 ETH (approximately $110,000) to Ethereum, then 52 ETH to Tornado Cash, and 2.4 ETH to Binance.

MEV Bots

Amount of Loss: ~$1.4M

Analysis

  • According to Sealaunch, an NFT data and research platform, the MEV Bot named jaredfromsubway.eth recently carried out "sandwich attacks" on buyers and sellers of Meme coins such as WOJAK and PEPE, earning more than $1.4 million in profits.

  • Furthermore, Sealaunch stated that MEV Bots spent 7% of Ethereum's gas fees between April 18 and 19.

  • More about MEV Bot & Sandwich Attack https://blog.quillhash.com/2022/10/28/a-guide-to-mev-critical-issues-and-best-security-practices/

Tales of Elleria

Amount of Loss: ~$280K

Analysis

  • Wayne, the co-founder of the NFT game ‘Tales of Elleria’, tweeted early this morning: "The Tales of Elleria bridge contract was exploited, causing its LP to be depleted and losing more than $280,000."

  • The attacker appears to have created their own signature and extracted many ELM tokens, thereby draining the LP.

  • According to the findings, the hacker used the ecrecover function to generate authorised signatures without the private key.


Explore the Depths of Knowledge: Research Papers & Blogs🔖


How to Prepare for a Web3 Security Breach: Incident Response Planning

This world is a game of chances and possibilities. No matter how secure you believe you are, there is always one possibility that you may or may not be aware of, which can be devastating. This does not imply that you abandon security. The game's goal is to increase your chances of surviving the attacks.

In this blog, we have discussed the incident response plan that should be established and followed in case of a security breach to mitigate further losses and save yourself.

Decoding Yearn Finance $11 Million Hack

Another day in the wild world of DeFi and Yearn Finance, and an $11 million blunder occurs. It's difficult to believe, but it's true. Yearn Finance on the Ethereum chain was attacked on April 13, 2023, due to a misconfiguration in the yUSDT vault. The attackers took advantage of this flaw and stole approximately $11.54 million.


Tune in to Engaging Twitter Spaces & Webinars! 🎙️


  • 2023 DeFi Trends: Alphas For Your Next Bid


Web3 Community Spotlight🔦


  • Predictable NFT: In this game, you can spend 1 ether to "mint" an NFT token with 3 possible ranks: Common(1), Rare(2), and Superior(3). As a hacker, your goal is always to mint the Superior ones.



Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.


