
Bad actors continue to plague DeFi: the Euler and Poolz Finance attacks are the latest examples


More than $3.8 billion worth of digital assets – if unreported cases are included – was lost last year to various groups of malicious actors taking advantage of loopholes in smart contract platforms. The Chainalysis report highlighting this alarming statistic further pointed out that the bulk of this sum was associated with the decentralized finance (DeFi) niche, effectively labeling the space a hotbed of attacks. SlowMist, another blockchain security firm, highlighted in its annual report on crypto security incidents that 2022 saw the highest number of security incidents affecting blockchains. A total of 303 cases of compromised security were reported, a figure 28% higher than the preceding year. Meanwhile, the estimate of aggregated losses came to around $3.77 billion – a reasonable discrepancy from other reports.

DeFi attacks are not slowing down

SlowMist's report showed that the attacks consisted mostly of phishing attacks and rug pulls, while cross-chain bridges took a hard hit. The attacks on the Ronin, Wormhole, Nomad and Harmony bridges resulted in losses of more than $1.2 billion. Besides cross-chain systems, attackers also favored DeFi contract vulnerabilities. The sector appeared to be recovering from the widespread problem towards the end of the year.

Comparison of losses across blockchains. Source: SlowMist

CertiK separately observed that December's $62.2 million in thefts was the lowest monthly figure in 2022, the very year in which FTX Wallet and Ronin Bridge lost a combined $1.09 billion in crypto. $15.5 million, nearly a quarter of the month's crypto thefts, was stolen via exit scams, while flash loan exploits accounted for losses of $7.6 million. December's incidents were led by Helio Protocol's loss of $15 million as a knock-on effect of the price exploit of Ankr Reward Bearing Staked BNB (aBNBc). The smart contract audit firm also detailed that the attack on Defrost Finance's V1 and V2 products led to a loss of $12.9 million, which has since been returned. Bitkeep lost $8 million, an inside job left Ankr short of $7 million, and Lodestar lost $6.5 million after an exploit of the price of PlutusDAO's plvGLP token, completing the top five hacks seen last month.

By mid-March, this year has already shown signs of exceeding 2022 in both the frequency of attacks and the cumulative funds lost to hackers.

Non-custodial lending protocol Euler Finance suffered the biggest hack of 2023

In the latest example of these worrying events, the attacker(s) moved nearly $200 million worth of crypto assets out of lending protocol Euler Finance on Mar 13 in a since-confirmed case of a flash loan attack. CertiK Alerts, the hacks and scams tracker page associated with CertiK, was among the first to report the developments, although only around $41 million had been extracted at the time. The alert page later updated that the attacker had drained the protocol's decentralized stablecoins and synthetic ERC-20 tokens worth around $198 million in multiple transactions, including 96,800 ETH and 43.6 million DAI, making it the largest DeFi exploit so far this year.

The attacker(s) sent the stolen funds to two wallets – one holding 34,186,225 DAI and 88,752 ETH and the other around 8,877,507 DAI tokens, on-chain data shows. The Ethereum-based protocol said it had looped in blockchain security teams, including TRM Labs and Chainalysis, as well as law enforcement agencies, to help address the matter. PeckShield, which tipped off Euler about the drain, shared in another brief note that it had identified the cause. The attacker specifically exploited a bug in the ‘donateToReserves()’ function to self-liquidate within the protocol, repay the flash loan and simultaneously walk away with the difference.

Euler addresses the vulnerability and seeks to recover the stolen funds

The collaboration eventually succeeded in halting the attack by disabling the vulnerable module, thereby blocking deposits, but the damage had already spread to more than ten other protocols. Balancer revealed that the incident affected Euler Finance's Boosted USD (bbe-USD) pool – nearly two-thirds of its total value locked had been siphoned off by the time the decision to pause it was executed. Angle Protocol also updated its followers on its exposure to the exploit, as its core module had allocated some funds to Euler, Compound and Aave.

If the hacked funds (17,614,940.03 USDC) were definitively lost, the core module's TVL would fall to around $18.4m. In that case, the core module's reserves would be less than the combined value of the claims of agEUR holders, Standard Liquidity Providers and the protocol's remaining hedging agents.

Yearn Finance was also reported to have lost funds as a result of the hack. Sherlock, an audit team previously associated with Euler, confirmed the cause of the attack. In its reports, the team criticized the audit conducted by WatchPug in July 2022 for failing to identify the vulnerability. In the subsequent recovery steps, the lending protocol's team presented an offer of sorts to the hacker(s), promising to put up a bounty if the perpetrators failed to respond. The said reward of $1 million has since been publicly announced.

“The Euler Foundation is launching a $1 million reward in the hope that this provides an additional incentive for information that leads to the arrest of the Euler protocol attacker and the return of all funds removed by the attacker,”

Blockchain visualization and analysis platform Meta Sleuth opined in a tweet that the attack is linked to a previous attack in which the attacker transferred funds from the BNB Smart Chain (BSC) to Ethereum using a multichain bridge.

“It seems two attackers launched 6 attack transactions. Attacker 0x5f25 launched the first attack, making a profit of ~8.8M DAI. All profits stay in the exploit contract 0xebc2. The initial funding comes from FixedFloat and deflation token exploiter 6 on BSC. Attacker 0xb269 launched the other five attacks, and the total profit is ~186M USD. Now all profits stay in two addresses. 0xb269 holds 8,080 ETH, 0xb66cd holds 88,752 ETH and ~34M DAI. This attacker’s initial funding is from Tornado Cash,” the account theorized.

The claim was corroborated by another account, ZachXBT. The wallets and addresses linked to the attacks are 0xebc291[…]cbf99, holding around 8,877,507 DAI; 0xb269[…]cedd4, whose snapshot showed a balance of 8,080.97 ETH; and 0xb66c[…]995db, which held around 88,753 ETH and 34,186,226 DAI.

Web3 project crowdfunding platform Poolz Finance attacked

Just two days after the Euler incident, another hacker stole $390,000 from Poolz Finance, a cross-chain, Web3-focused crowdfunding launchpad on Polygon and Binance Smart Chain. A Mar 15 review from PeckShield detailed that the suspicious activity in the token vesting smart contract pointed to a ‘classic arithmetic overflow issue’ as the cause. Poolz shared an update on the incident, advising users to stop trading the POOLZ token. In addition to flagging the address in question, the launchpad's dev team also removed liquidity from PancakeSwap and Uniswap.

Poolz Finance CEO Guy Oren confirmed in a tweet that efforts were underway to launch a new token contract, projecting that trading would go live before the end of the day. Notably, the two incidents come barely a month after Platypus, another DeFi protocol, was exploited to the tune of $8.5 million, resulting in a brief depeg of its USP stablecoin from USD. In the case of Platypus, the actors took advantage of a loophole in the USP solvency check to drain the protocol. Last week, Hedera revealed it had experienced technical issues involving a loss of liquidity pool tokens after a hacker exploited the mainnet smart contract code.

Hedera and Dogecoin: the latest examples of blockchain vulnerabilities

Hedera's total value locked (TVL) slumped towards the end of last week after the network was hit with technical difficulties that some theorized involved a smart contract exploit. DeFi Llama data shows that the platform's TVL dropped steeply in less than 24 hours following reports of the chain suffering technical irregularities affecting several decentralized applications.

Hedera TVL chart. Source: DeFi Llama

The HBAR Foundation, a non-profit backing the Hedera project, said the network had registered smart contract anomalies affecting decentralized applications.

Hedera protocols urge users to exercise caution

The Mar 10 technical irregularities were described by some as an attack on the enterprise-grade network, leaving the protocols built on it scrambling for safety. SaucerSwap Labs, a decentralized exchange (DEX) operating on Hedera, urged its users to withdraw their liquidity immediately due to the alleged exploit taking place on the network. The protocol later confirmed that it was unaffected by the said hack. The exploit specifically targeted the decompiling process of Hedera smart contracts, which transforms a contract's bytecode into more comprehensible Solidity-like code. That process is useful for studying and understanding how a smart contract works.

Nevertheless, malicious actors can also manipulate this process to gain unauthorized access to a smart contract, though the specific elements the attacker purportedly targeted in this case are not fully understood. In addition, Hashport said it was temporarily suspending its bridging services due to the smart contract irregularities, taking this action to safeguard user funds. Multichain DEX Pangolin urged users to exit any HTS tokens in Pangolin Pools and Farms. Hedera resolved to work with parties across the ecosystem to determine the potential impact of the anomaly. To further ensure the safety of its users, Hedera disabled network proxies on the mainnet while the core team investigated the smart contract irregularities, restoring them after the issues were resolved. It confirmed that the move did not affect consensus and that the mainnet remained online.


Reports highlight weaknesses across the DeFi landscape

A recent report from blockchain security firm Halborn disclosed that as many as 280 chains, including Dogecoin, had been operating while carrying a critical vulnerability. In a Mar 13 report, the firm cautioned that it had identified the vulnerability in a 2022 assessment of the Dogecoin network's open-source codebase. The meme coin project shared that it resolved the potential zero-day issue in its Core 1.14.5 release after receiving a tip-off from Halborn, whose services it had engaged last March to review its codebase.

The firm identified another loophole, a remote code execution flaw in the RPC (Remote Procedure Call) interface, affecting individual miners on Dogecoin. The network's devs have since urged users to update to the 1.14.6 node release. Halborn indicated that Litecoin and Zcash were notable networks affected by other variants of the patched bug, which fraudsters and exploiters could have leveraged to carry out graver attacks. The two projects also worked with the security firm to address the major vulnerabilities.


Sam is a financial content specialist with a keen interest in the blockchain space. He has worked with several companies and media stakeholders in the finance and cybersecurity fields.