April Security Report

lunaray
3 min readMay 4, 2023

The total loss of various attacks in April was about 94.07 million US dollars, a decrease from March
In April 2023, the number of various security incidents and the amount involved decreased compared with March, and the total loss of various attack incidents was about 94.07 million US dollars.

The biggest security incident this month was a malicious sandwich attack on several MEV robots, which cost $25 million. In terms of exchanges, two hot wallet security incidents occurred this month, involving an amount of more than 10 million US dollars. In addition, several projects have run away with more than 1 million US dollars this month. Users need to pay more attention to prevent risks.

DeFi security incidents
№1 On April 2, Allbridge suffered a flash loan attack and lost about $550,000.
№2 On April 3, several MEV robots were attacked by malicious sandwiches, and the loss reached 25 million US dollars.
№3 On April 5, the DeFi lending protocol Sentiment was attacked and lost about $1 million.
№4 On April 9, SushiSwap was attacked and lost about $3.34 million.
№5 On April 10, Terraport was attacked by an APT organization and lost about $4 million.
№6 On April 12, MetaPoint was attacked and lost about $910,000.
№7 On April 13, Yearn Finance was attacked by a flash loan and lost about US$11.5 million.
№8 On April 15, Hundred Finance on the Optimism chain was attacked by a flash loan and lost about $7 million.
№9 On April 28, the 0vix Protocol on the Polygon chain was attacked, resulting in a loss of about $2 million.
Exchange security incidents

№1 On April 9, the Korean exchange GDAC’s hot wallet was attacked, resulting in a loss of nearly $13 million.
№2 On April 14, the hot wallet of the encryption exchange Bitrue was stolen, and the loss was about 24 million US dollars.
Wallet/user security security incidents

№1 On April 22, Trust Wallet disclosed a vulnerability, and wallets created using browser extensions from November 14 to 23, 2022 were at risk.

04

Security incidents in fraudulent escape

№1 On April 2, Kokomo Finance, the lending agreement on Optimism, carried out a rug pull on the remaining funds, involving an amount of about 1.5 million US dollars.
№2 On April 9th, a rug pull occurred in the ZkSync ecological project CoreHunter, and the scammers made a profit of about 510,000 US dollars.
№3 On April 13, a rug pull occurred in ZkSync ecological project SyncDex, and the scammers made a profit of about 370,000 US dollars.
№4 On April 25, a rug pull occurred in the Ordinals Finance project, and the deployer made a profit of 1.01 million US dollars.
№5 On April 26, a rug pull occurred on Merlin DeX, and the scammers made a profit of $1.8 million.

05

other security incidents

№1 On April 24, the U.S. Department of the Treasury sanctioned 3 individuals who provided support for the North Korean hacking group Lazarus Group.

№2 In April, Google search advertising phishing incidents occurred frequently, resulting in the theft of more than $4 million in encrypted funds.
This month, fraudulent running incidents are still unabated, among which ZkSync ecological running projects have increased. It is recommended that users be more vigilant and do a good job of project background investigation. The stolen hot wallet of the exchange this month involved a huge amount. It is recommended that all project parties pay attention to off-chain security protection and keep the private key well. In addition, several flash loan incidents caused large losses this month. It is recommended that the project party should carefully consider the security of business logic during development, and find a professional audit company to conduct a security audit before the project goes live.

--

--

lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.