The monthly security incident highlights of Zero Hour Technology have begun! According to statistics from some blockchain security risk monitoring platforms, the amount of losses from various security incidents in September 2024 has decreased compared with August. More than 28 typical security incidents occurred in September, and the total loss amount caused by hacker attacks, phishing scams and Rug Pulls reached 120 million US dollars, a decrease of about 61.8% from August, and 4.9 million US dollars were returned. In addition, according to statistics from the Web3 anti-fraud platform Scam Sniffer, there were 10,525 victims of phishing incidents this month, with a loss scale of 46.43 million US dollars.

Hacker attack

9 typical security incidents

(1) On September 4, Penpie, a DeFi protocol built on the tokenized yield platform Pendle, was hacked. Hackers stole approximately $27 million in crypto assets from the protocol, including various types of staked ETH, Ethena’s USDE, and wrapped USDC stablecoins.

(2) On September 11, the Indonesian cryptocurrency exchange indodax was attacked. Its wallets conducted more than 150 suspicious transactions on different networks, with a total loss of US$22 million. The suspicious address was exchanging ETH for various tokens. According to the analysis of the SlowMist security team, the possibility of a hot wallet being hacked can be ruled out, and it is possible that the withdrawal system was hacked.

(3) On September 16, the DeFi project DeltaPrime officially confirmed a security incident on the X platform, stating that DeltaPrime Blue (Arbitrum) was attacked and suffered a loss of $5.98 million due to the theft of private keys. Attack method: private key leakage.

(4) On September 20, Singapore-based cryptocurrency platform BingX reported a cyberattack on Friday. Threat actors stole more than $44 million worth of cryptocurrency. The company said they detected unusual network activity around 4:00 a.m. on September 20, 2024, which could indicate a hacking attack on their hot wallet. BingX responded immediately to the incident, moving assets to cold wallets and temporarily suspending withdrawals. Although a small amount of assets were lost, the exact amount is still being calculated. Ultimately, with the help of the SlowMist security team, approximately $1 million of the stolen funds have been frozen.

(5) On September 21, Wu said that the security agency fuzzland co-founder @shoucccc tweeted that the mortgage agreement Shezmu was hacked and about $4.9 million of ShezUSD was stolen. The attacker took advantage of a collateral loophole that allowed anyone to mint and lent a large amount of ShezUSD. Due to insufficient liquidity, these ShezUSD were only exchanged for about $700,000.

(6) On September 24, according to blockchain security platform TenArmor, the decentralized finance (DeFi) protocol Bankroll Network was hacked on September 22, with a loss of $230,000. The attacker took advantage of the contract loophole and transferred a large amount of funds from the BankrollNetworkStack contract through multiple Binance Coin (BNB) transfer operations.

(7) On September 26, the Onyx protocol suffered a security incident, resulting in losses of more than $3.8 million. The attacker exploited a known precision issue in the Compound V2 code. In addition, the NFTLiquidation contract failed to properly validate (untrusted) user input, causing the attacker to exploit the vulnerability to exaggerate the amount of self-liquidation rewards, further exacerbating the losses. Attack method: contract vulnerability

(8) On September 26, according to ZachXBT, the crypto project Truflation, supported by Coinbase Ventures, suffered a hacker attack, resulting in a loss of approximately $5 million. The funds were stolen from its “multi-signature fund vault and personal wallet.” The SlowMist security team promptly followed up on the transfer of the stolen funds. The attacker had transferred 415 ETH to 0xb1cf7880351e6d16313c03a6686b4c8a5ba6372a that day. Currently, 523 ETH has been deposited on this address and has not yet been transferred out.

(9) On September 27, Bedrock, a multi-chain liquidity re-staking protocol, announced on social media that the team had been aware of a security vulnerability involving uniBTC, with the total estimated loss of approximately $2 million. The Zero Hour Technology team analyzed that the attacker used distorted prices to profit through lending, which ultimately led to the attacker using the borrowed WETH to empty the project’s uniBTC tokens.

Summarize

Judging from the analysis of the above multiple events, there were 9 security incidents involving contract vulnerabilities in September, resulting in losses of US$41 million, accounting for 33.06% of the total hacked losses (US$124 million); account hacking incidents this month There were 8 cases, a significant decrease compared to the previous month (18 cases).

The Zero Hour Technology security team recommends that project parties remain vigilant at all times and reminds users to beware of phishing attacks and invest cautiously. It is recommended that the project party try to establish a comprehensive emergency plan while conducting a comprehensive safety audit so that it can effectively respond when an incident occurs. In addition, it is also necessary to do internal security training and authority management, find a professional security company to conduct audits and conduct project background checks before the project goes online.