0xaB26
April 26th, 2022

Project Overview

Audit work duration: April 21, 2022 — April 24, 2022

Audit methods: Formal Verification, Static Analysis, Typical Case Testing and Manual Review.

Audit team: Beosin Technology Co. Ltd.

0xaB26
April 25th, 2022

On April 25, 2022, according to Beosin EagleEye, Wiener Doge Token suffered a flash loan attack. Although the amount involved is small, Beosin still decided to share the analysis, as the exploitation flow is a typical one. The findings are shown below.

Relevant Information

Transaction hash:

0x4f2005e3815c15d1a9abd8588dd1464769a00414a6b7adcbfd75a5331d378e1d

0xaB26
April 25th, 2022

1/6 @_2omb suffered a series of flashloan attacks. We take one of the transactions (0xb134f5d0609863aeaab8b8aeb77765a7a0f1e6a379c27455845e46d2261c46a9) as an example to show the key steps.

2/6 Flashloan 139,504 2omb tokens from Uniswap’s 2omb-wftm trading pair and send them to the attack contract 0x77a5d0cdd1f4069747d9236b50f09f34b6d5b378.

3/6 Use the attack contract to split the funds and swap in RedemptionPair (0x5D59cDaB08C8BbE4986173a628f8305D52B1b4AE) multiple times.

0xaB26
April 25th, 2022

On April 18th, 2022, according to Beosin EagleEye, 2omb’s contract on FTM suffered a flashloan attack, netting the hacker 74246.54966 WFTM. The Beosin security team analyzed the incident and the findings are shown below.

2omb Introduction

2|3omb is part of the Fantom Network ($FTM). 2|3omb provides both use cases and liquidity to the Fantom Network. The official website is https://2omb.finance/.

Relevant Information

0xaB26
April 25th, 2022

According to the data monitored by Beosin EagleEye, in the first quarter of 2022, the loss caused by attack-type security incidents was up to about $1.2 billion, up about 9 times from $130 million in the same period last year. Cryptocurrency hacking incidents are occurring one after the other. (Beosin Blockchain Security Ecosystem Overview in Q1 2022: Losses From Security Incidents Reach Around $1.2 Billion)

Among all the hacked security incidents, the name “Tornado Cash” is often seen by the public:

☛ The $80 million stolen from Beanstalk Farms was laundered through Tornado Cash.
☛ The hackers in the OpenSea email phishing incident sold some of the NFTs obtained in the attack and then used Tornado Cash, an Ethereum privacy mixer protocol, to launder 1,100 $ETH.
☛ In the KuCoin exchange security incident involving over $270 million in funds, hackers made heavy use of Tornado Cash to launder ETH.
☛ In the March security incident in which over $600 million was stolen from the blockchain bridge Ronin Network, hackers transferred tens of millions of dollars worth of Ether through Tornado Cash.

0xaB26
April 25th, 2022

On April 23, 2022, according to Beosin EagleEye, the NFT project Akutar’s AkuAuction contract permanently locked 11,539 ETH (worth ~$34 million) due to vulnerabilities in the smart contract itself. The Beosin security team analyzed the incident and the findings are shown below.

Akutar Introduction

Akutar is an NFT project. The official website: https://aku.world/

Relevant Information

0xaB26
April 25th, 2022

Audit work duration: February 25, 2022 — April 14, 2022

Audit methods: Formal Verification, Static Analysis, Typical Case Testing and Manual Review.

Audit team: Beosin Technology Co. Ltd.

0xaB26
April 25th, 2022

Nowadays, the explosive growth of NFTs is boosting the development of Web 3.0. In the past, the shift from Web 1.0 to Web 2.0 turned users from content consumers into content producers; its essence was a great migration from the physical world to the network world in parallel time and space. In the Web 3.0 world, each user is in control of his or her own data, identity and destiny, and a new generation of the Internet is created.

Web 3.0 exists on the basis of blockchain, promising to return privacy and digital identity to users, while enabling new levels of interaction thanks to applications such as NFTs. But what we need to pay more attention to is the hidden security issues of NFT under the Web 3.0 boom, as evidenced by the recent “hacking incidents” that have been seen everywhere in the NFT space.

Ⅰ What NFT contract exploits have recently occurred?

On April 20, The Association NFTs (NBA) were exploited due to a contract vulnerability. In the contract code, the vData memory parameter info passed into the minting function is not verified, so a signature can be reused and users can mint NFTs with someone else’s signature.

0xaB26
April 25th, 2022

On April 21st, 2022, according to Beosin EagleEye, ZEED’s contract on BNB Chain was exploited for about $100M. The Beosin security team analyzed the incident and the findings are shown below.

ZEED Introduction

ZEED is a decentralized financial ecosystem deployed on BNB Chain.

0xaB26
April 25th, 2022

Project Overview

Audit work duration: April 12, 2022 — April 19, 2022

Audit methods: Formal Verification, Static Analysis, Typical Case Testing and Manual Review.

Audit team: Beosin Technology Co. Ltd.

0xaB26
April 25th, 2022

Beosin VaaS is an industry-leading automatic smart contract formal verification platform, providing static scanning and formal verification capabilities for smart contract codes.

It is the world’s first automated testing tool that supports detection of NFT ERC721 contract standards.

Beosin VaaS is now available to the public in a free trial version. Each account has 10 free usage credits.

0xaB26
April 25th, 2022

On April 17th, 2022, according to Beosin EagleEye, Beanstalk’s Beanstalk Protocol contract was exploited for about 24,830 ETH. The Beosin security team analyzed the incident and the findings are shown below.

Beanstalk Introduction

Beanstalk is a decentralized stablecoin-based protocol. The official website: https://bean.money.

Relevant Information

Transaction hash:
0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7

Exploiter’s address:
0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4

Contract that launched the hack:
0x79224bC0bf70EC34F0ef56ed8251619499a59dEf

Victim contract:
0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5

Exploitation Flow

0xaB26
April 13th, 2022

On April 10, 2022, according to Beosin-Alert, Gymdefi’s LiquidityMigrationV2 contract was exploited for about 1,327 WBNB. The Beosin security team analyzed the incident and the findings are shown below.

Related Information

● Transaction hash: 0xa5b0246f2f8d238bb56c0ddb500b04bbe0c30db650e06a41e00b6a0fff11a7e5

● Exploiter’s address:

0xaB26
April 13th, 2022

On April 8, 2022, according to Beosin-Alert, StarStream Finance’s DistributorTreasury contract was exploited for 532M $STARS, which the hacker then swapped for 900 ETH. The Beosin security team analyzed the incident and the results are as follows:

StarStream Introduction

Starstream is a suite of products that provides revenue aggregation, revenue generation and one-click smart contracts on Metis L2 rollup. The protocol is maintained by various devs and managed by STARS holders.

0xaB26
April 13th, 2022

As the Collins Dictionary’s word of the year for 2021, NFT continues to evolve rapidly in 2022. Recently, the NFT version of the first-ever tweet by Jack Dorsey was offered for about $48 million on OpenSea. Despite the popularity and rapid growth of NFTs, hidden risks such as scams or attacks still cannot be ignored. Our previous blog “Losses Exceeds $1M. Jay Chou’s Bored Ape NFT Got Stolen by a Discord Phishing Attack — Beosin’s Analysis” also addressed the phishing attacks that occur frequently in the NFT field. In this blog, we will talk about the types of attacks on NFTs and give some advice on how to protect your NFTs.

Why do NFT security incidents remain frequent?

In mid-January 2022, a user discovered a security vulnerability on OpenSea. Users were able to purchase NFT assets, such as those of Bored Ape Yacht Club (BAYC), for less than 1% of the price, causing serious damage to the original owners.

0xaB26
April 13th, 2022

Beosin Alert, the Blockchain Security Situation Awareness Platform, reported on April 2 that Inverse Finance had suffered an oracle price manipulation attack. The attacker manipulated INV token prices and managed to profit about $15M. Check the following for our full analysis:

Exploiter 1: 0x117c0391b3483e32aa665b5ecb2cc539669ea7e9

Exploiter 2: 0x8b4c1083cd6aef062298e1fa900df9832c8351b3

0xaB26
April 13th, 2022

It’s time for another monthly security recap! BEOSIN Eagle Eye reported 21 typical security incidents in December 2021. On the whole, the number of blockchain security incidents in December was not much different from that in November, and the overall number of security incidents remained at a high risk level.

DeFi

There were 8 typical security incidents

№1 Automated market maker protocol MonoX is hacked by a flash loan, losing about $31 million.

0xaB26
April 13th, 2022

On December 30, BEOSIN’s Eagle Eye alerted that SashimiSwap was hacked at 09:06 UTC on December 30, with a total loss of nearly USD 200,000. Regarding this security incident, our security technical team has conducted a brief analysis of the hacking process.

#1 Overview

SashimiSwap is a decentralized trading protocol for multi-chain deployments based on AMM and swap pools. It has an embedded investment platform designed to increase the revenue of liquidity providers and it is deployed on three chains simultaneously: Ethereum, HECO and BSC. SashimiSwap executes automated trading strategies using funds from the platform’s liquidity pool.

#2 Detailed Analysis

0xaB26
April 13th, 2022

It’s time for another monthly security recap! BEOSIN Eagle Eye reported over 17 typical security incidents in January 2022. On the whole, the overall number of security incidents slightly decreased compared to last December.

Exchange

There was 1 typical security incident

№1 LCX exchange tweeted that it was hacked by a security attack and the total loss value may exceed $6 million.

0xaB26
April 13th, 2022

The private keys of multiple addresses were compromised, and hackers drained the assets on multiple chains.

Take ETH as an example.

The Deployer address of DEGO Finance is:

0x20FE4B1eD95911487499e53355BB8f14a881D735

0xaB26
April 13th, 2022

Beosin Eagle-Eye has detected that Build Finance DAO suffered a governance attack. Our team has conducted a detailed analysis of this incident. Here are our findings:

#1 Incident overview

The Build Finance DAO suffered a “hostile governance takeover” on Feb. 14th, 2022. The hacker managed to take over the Build token contract by obtaining enough votes, minted over 1 billion BUILD tokens in three transactions, and drained most of the funds in the Balancer and Uniswap liquidity pools. After the incident, the project team advised users on Twitter not to buy BUILD tokens on any platform. The following is our detailed analysis of this incident:

#2 Detailed analysis

0xaB26
April 13th, 2022

It’s time for another monthly security recap! BEOSIN Eagle Eye reported over 19 typical security incidents in February 2022. On the whole, the overall number of security incidents increased compared to January.

The security risks exposed in DeFi still cannot be ignored. Cross-chain bridge projects have been repeatedly hacked, causing huge economic losses that seriously affect the security and stability of the blockchain ecosystem. In addition, incidents related to rug pulls and crypto scams also need attention. The number of NFT theft cases has increased, and users still need to take more precautions.

DeFi

There were 7 typical security incidents

0xaB26
April 13th, 2022

Beosin Eagle Eye reported that on March 3, 2022, the Arbitrum-based marketplace TreasureDAO was exploited and over 100 NFTs were stolen. However, almost all of the hacked NFTs were returned within a few hours of the exploit. The following is Beosin’s detailed analysis of this incident:

#1 Overview

The transaction initiation address exploited a logic flaw in the TreasureMarketplaceBuyer contract to obtain ERC-721 tokens at no cost. In the contract’s buyItem function, the _quantity parameter can be set to zero, which makes totalPrice zero but does not affect the ERC-721 token transfer.

Transaction initiation address:

0xaB26
April 13th, 2022

Beosin Research Series: Are Decentralized Exchanges (DEX) Safe Enough?

Decentralized exchanges (DEX) are a type of cryptocurrency exchange that allows direct peer-to-peer cryptocurrency transactions. Our previous blog analyzed token-level issues; today we would like to talk about security issues that may arise in a DEX’s process of swapping tokens. There are mainly two types of security issues in DEX:

(1) Security issues within DEX itself.

(2) Security issues that arise when a DEX interacts with other DeFi projects as a third-party protocol.

0xaB26
April 13th, 2022

On March 13, 2022, Beosin Eagle Eye reported that the Paraluni contract was hacked with a loss of about $1.7 million. Our security technical team has conducted an analysis of this incident.

#1 Overview

Take the first attack transaction 0xd0b4a1d4964cec578516bd3a2fcb6d46cadefe1fea5a2f18eec4c0a496e696f9 as an example:

Address list

Attack address:
0x94bC1d555E63eEA23fE7FDbf937ef3f9aC5fcF8F

Attack contract:
0x4770b5cb9d51EcB7AD5B14f0d4F2cEe8e5563645

ParaProxy:
0x633Fa755a83B015cCcDc451F82C57EA0Bd32b4B4

ParaImpl:
0xA386F30853A7EB7E6A25eC8389337a5C6973421D (MasterChef)

UGT:
0xbc5db89CE5AB8035A71c6Cd1cd0F0721aD28B508

UBT:
0xcA2ca459Ec6E4F58AD88AEb7285D2e41747b9134

  1. Borrow 224 BSC-USD and 224 BUSD from CakeSwap (0x7EFaEf62) via flash loan.
  2. Add liquidity to Para-LP (0x3fD4FbD7) using the tokens borrowed in step 1, and specify the UBT address (0xcA2ca459) as the receiving address of the 222 liquidity tokens obtained. This step prepares for the subsequent reentrancy.

0xaB26
April 2nd, 2022

BEOSIN has always been concerned about the security of NFTs and aims to provide relevant solutions. Immediately after Jay Chou’s NFT theft, BEOSIN used Beosin-Trace to carry out on-chain tracking analysis of the stolen NFT. The timeline of the incident and the related address analysis are as follows.

Timeline and path analysis of Jay’s stolen NFT

0xaB26
April 2nd, 2022

It’s time for another monthly security recap! March 2022 saw a significant increase in the number of exploits in the blockchain field compared to February, with over 30 typical security incidents reported by Beosin Alert, the blockchain situation awareness platform.

The security risks exposed in DeFi reached a record high since the start of 2022. The Ronin exploit, with over $600 million in losses, probably involved the largest amount of funds in DeFi’s history. Other DeFi protocols were also repeatedly attacked, with flashloans and contract exploits being the attack methods most favored by hackers. In addition, rug pull-related incidents were numerous. This month also saw an increase in NFT/metaverse exploits, among which phishing attacks deserve particular attention.

0xaB26
April 2nd, 2022

The pop star Jay Chou revealed on Instagram on Friday that his Bored Ape NFT had been stolen by a phishing website.

He initially thought it was an April Fool’s joke, then checked and realized “it’s really gone”. Bored Ape (@BoredApeYC) then confirmed on its official Twitter account that its Discord account had been hacked, reminding users not to click on any links.

0xaB26
April 2nd, 2022

Beosin is a leading global blockchain security brand co-founded by several professors from world-renowned universities. The team consists of 100+ security experts, including 20+ PhDs and postdocs. The core team members have accumulated over 20 years of experience in formal verification technology, cybersecurity, artificial intelligence, and big data mining technology.


Beosin product series include smart contract audit service, blockchain platform audit service, smart contract detection product, and situation awareness product. Through security audits of more than 2,000 smart contracts and 50+ public blockchains worldwide, Beosin has successfully protected nearly $10 billion of assets and has been fully recognized by global partners.
