Blockchain security incidents continued to grow in August, with losses due to hacker attacks reaching $314 million

lunaray
5 min read · Sep 3, 2024


The monthly security incident highlights of Zero Hour Technology have begun! According to statistics from some blockchain security risk monitoring platforms, in August 2024, the amount of losses from various security incidents continued to increase compared with July. More than 28 typical security incidents occurred in August, and the total loss amount caused by hacker attacks, phishing scams and rug pulls reached 314 million US dollars, an increase of about 9.7% from July. Among them, phishing attacks have become the main threat, accounting for 93.5% of the total stolen funds.

Hacker Attacks

8 Typical Security Incidents

(1) On August 1, approximately $200,000 was stolen from the Convergence Finance contract. The Convergence Finance contract deployed 17 days ago to distribute CVX rewards was compromised. The attacker minted 58 million $CVG tokens and exchanged them for 60 WETH and 15.9k crvFRAX.

(2) On August 6, the gaming blockchain Ronin was attacked, and the Ronin Bridge project showed abnormal cross-chain asset withdrawals. According to the SlowMist security team's analysis, the vulnerability was caused by the weight being modified to an unexpected value, so that funds could be withdrawn without any multi-signature threshold check. The attacker withdrew about 4,000 ETH and 2 million USDC from the bridge, worth about 12 million US dollars. As of August 7, the white hat returned 12 million US dollars in assets and received a bug bounty of 500,000 US dollars.

(3) On August 7, Nexera Fundrs suffered a security vulnerability that led to the theft of NXRA tokens. An external attacker accessed Fundrs’ Ethereum staking contract without authorization and transferred the tokens, resulting in a loss of approximately $449,000.

(4) On August 13, Vow was attacked due to a contract vulnerability, resulting in a loss of approximately $1.2 million. According to VOW, the team was testing the USD exchange rate setting function of the v$ contract at the time in order to mint v$ for new lending pools and oracle functions.

(5) On August 16, Mantra DAO’s DeFi project Zenterest was attacked. The attacker used distorted prices to profit through lending, and in the end emptied the project’s WHITE tokens using very little MPH. After returning the 85 WHITE borrowed from Uniswap plus 0.0085 WHITE in interest, the attacker made a profit of 4.9 WHITE, worth 21,000 USD.

(6) On August 19, according to the on-chain detective ZachXBT, a suspicious transfer involving 4,064 BTC (about 238 million US dollars) may have come from a potential victim. The funds were then quickly transferred to ThorChain, eXch, Kucoin, ChangeNow, Railgun and Avalanche Bridge. As of August 27, 205,000 US dollars had been recovered.

(7) On August 23, the HFLH project on BNB Smart Chain was attacked. The attacker gained about 9.099 BNB (about 5,300 USD) through this attack. The main cause of this vulnerability was that the HFLH contract obtained the price of the HFLH token from a single source, PancakeSwapV2, which allowed the attacker to manipulate the price and then take advantage of the price difference for arbitrage.

(8) On August 28, the DeFi lending platform Aave was attacked due to a contract vulnerability. The attack occurred in a smart contract outside the Aave core protocol, which is used to allow users to use existing collateral to repay loans. The attacker exploited an arbitrary call error and successfully stole approximately $56,000 from these different contracts. Aave personnel emphasized that the attack did not pose a risk to user funds and did not affect the security of the core Aave protocol.
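Item (7) above attributes the loss to a contract that read its price from a single pool. The following Python model is an added example, not code from the HFLH project or from this report: it shows how far one trade moves the spot price of a constant-product pool, and a guard that refuses to price when spot deviates from a time-weighted average. The `Pool` and `GuardedOracle` names, the reserve figures and the 5% threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool (token * quote = k); fees ignored. Hypothetical model."""
    token: float  # reserve of the token being priced
    quote: float  # reserve of the quote asset

    def spot(self) -> float:
        # Instantaneous price: what a single-source reader sees.
        return self.quote / self.token

    def swap_quote_in(self, amount: float) -> None:
        # A one-sided trade keeps k constant and shifts both reserves.
        k = self.token * self.quote
        self.quote += amount
        self.token = k / self.quote

class GuardedOracle:
    """Time-weighted average with a deviation check (assumed design, not HFLH's)."""
    def __init__(self, pool: Pool, max_dev: float = 0.05):
        self.pool, self.max_dev = pool, max_dev
        self.cumulative, self.elapsed = 0.0, 0

    def observe(self, seconds: int) -> None:
        # Called once per block: accumulate price * time.
        self.cumulative += self.pool.spot() * seconds
        self.elapsed += seconds

    def price(self) -> float:
        avg = self.cumulative / self.elapsed
        if abs(self.pool.spot() - avg) / avg > self.max_dev:
            raise ValueError("spot deviates from TWAP; refusing to price")
        return avg

def demo():
    pool = Pool(token=1_000_000.0, quote=1_000.0)  # constructed reserves
    oracle = GuardedOracle(pool)
    for _ in range(10):
        oracle.observe(3)            # ten 3-second blocks of normal trading
    normal = oracle.price()          # average and spot agree
    pool.swap_quote_in(1_000.0)      # large trade inside one transaction
    moved = pool.spot()              # spot is now four times the average
    try:
        oracle.price()
        rejected = False
    except ValueError:
        rejected = True
    return normal, moved, rejected
```

A contract that prices collateral or swaps from `spot()` alone would accept the moved value; the guarded reader rejects it until the average catches up or the pool returns to its earlier level.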

Rug Pull / Phishing Scam

5 Typical Security Incidents

(1) On August 2, the address starting with 0x7371 was hit by a phishing scam, resulting in a loss of $119,000.

(2) On August 13, the address starting with 0xdB59 was hit by a phishing scam, resulting in a loss of 126.85 stETH, about $345,000.

(3) On August 19, the address starting with 0x293C was hit by a phishing scam, resulting in a loss of 3.2 MEGA, about $82,000.

(4) On August 21, a victim lost $55.43 million worth of DAI after signing a phishing transaction targeting his DeFi Saver Proxy. According to MistTrack analysis, the funds were sent to multiple addresses and most of them were subsequently converted into ETH.

(5) On August 23, the address starting with 0xc423 was hit by a phishing scam, resulting in a loss of 67 stETH, about $176,500.

Summary

From the analysis of the above multiple events, the two largest hacker attacks in August both involved unauthorized transfers (phishing). In addition, hackers not only targeted well-known blockchain projects, but also celebrities and well-known brands in traditional industries, such as football star Kylian Mbappe, McDonald’s, etc.

The noneage security team recommends that project owners always remain vigilant and remind users to beware of phishing attacks and invest cautiously. In addition, internal security training and permission management should be carried out properly, and a professional security company should be engaged to audit the project and conduct background checks before the project goes online.


lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.