Okey Cloud Chain: Inventory of security incidents on the chain in May 2023

1. Basic information

In May 2023, security incidents caused losses of approximately US$18 million, a significant drop from the previous month, although the frequency of incidents did not decrease. Among them, the attack on Jimbos Protocol caused a loss of about US$7.5 million, and the rug pull of the Swaprum project on the Arbitrum chain caused about $3 million in losses. In addition, social media phishing incidents keep emerging one after another; it frequently happens that a project team's Discord server is taken over and used to publish phishing links.


1.1 REKT Inventory


No.1

On May 1st, Level__Finance was attacked and lost about $1.1M. The root cause is a logic flaw in the LevelReferralControllerV2 contract: its claimMultiple function accepts an array of epochs so that users can claim the reward for each epoch, but if the array contains duplicate elements, the reward for that epoch is claimed repeatedly.

Attack preparation transaction:

https://www.oklink.com/cn/bsc/tx/0x6aef8bb501a53e290837d4398b34d5d4d881267512cfe78eb9ba7e59f41dad04

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xe1f257041872c075cbe6a1212827bc346df3def6d01a07914e4006ec43027165

Attacker address:

https://www.oklink.com/cn/bsc/address/0x61bbd8c1bc09c4f4549f3f77be5ad61a9929412e
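The duplicate-epoch pattern described above, modelled in Python as an added example (this is a simplified model, not Level Finance's contract code; the class and function names are assumptions). The vulnerable shape sums every requested epoch before marking any of them claimed, so a repeated epoch is paid twice; the hardened shape marks each epoch claimed in the same iteration in which it is credited.

```python
"""Model of a multi-epoch reward claim with and without the duplicate-epoch bug.

Added example, not project code. Reward amounts are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class EpochInfo:
    reward: int            # reward owed to the user for this epoch
    claimed: bool = False  # set once the epoch has been paid out


class VulnerableRewards:
    """Reads every epoch first and only marks them claimed afterwards.

    Because the 'claimed' flag is applied after the accumulation loop,
    an input such as [1, 1, 2] credits epoch 1 twice.
    """

    def __init__(self, owed: dict[int, int]):
        self.epochs = {e: EpochInfo(r) for e, r in owed.items()}
        self.paid = 0  # total ever paid to this user

    def claim_multiple(self, epochs: list[int]) -> int:
        total = 0
        for e in epochs:
            info = self.epochs[e]
            if not info.claimed:
                total += info.reward       # read, but not yet marked
        for e in epochs:
            self.epochs[e].claimed = True  # effect applied too late
        self.paid += total
        return total


class FixedRewards(VulnerableRewards):
    """Checks and marks each epoch before crediting it (checks-effects first).

    A repeated epoch hits the 'claimed' flag on its second occurrence and
    contributes nothing, so duplicates in the input are harmless.
    """

    def claim_multiple(self, epochs: list[int]) -> int:
        total = 0
        for e in epochs:
            info = self.epochs[e]
            if info.claimed:
                continue
            info.claimed = True            # mark before crediting
            total += info.reward
        self.paid += total
        return total


def demo(cls: type[VulnerableRewards], request: list[int]) -> int:
    """Run one claim against constructed balances: 100 owed for epoch 1, 50 for epoch 2."""
    return cls({1: 100, 2: 50}).claim_multiple(request)


if __name__ == "__main__":
    print("vulnerable [1,1,2] pays", demo(VulnerableRewards, [1, 1, 2]))  # 250
    print("fixed      [1,1,2] pays", demo(FixedRewards, [1, 1, 2]))       # 150
```

Rejecting an input array that contains duplicates outright is an equally valid mitigation; the per-iteration mark shown here also protects against the same epoch being claimed across two separate calls.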

No.2

On May 3, the Never Fall project was attacked, with a loss of more than $70k. The attacker manipulated the price through a loophole in price calculation to make a profit.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xccf513fa8a8ed762487a0dcfa54aa65c74285de1bc517bd68dbafa2813e4b7cb

Attacker address:

https://www.oklink.com/cn/bsc/address/0x53b757db8b9f3375d71eafe53e411a16acde75ee

No.3

On May 3, the AutoDonateUkraine ($ADU) token suffered a flash loan attack and lost about $7k. The attacker used the deliver function to increase the $ADU balance in the pair and then used skim to extract the excess $ADU; after repeating this several times, the prices in the pair became unbalanced.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xc6f6b70e9e35770b699da9b60244d461d02db66859df42319c3207d76931423c

Attacker address:

https://www.oklink.com/cn/bsc/address/0xdaacd3431a29a21c0bae98ee220b075bebe70821

No.4

On May 5th, Deus Dao ($DEI) was attacked on both the BSC and Arbitrum chains and lost $1,337,375. The main flaw is that the BurnFrom function uses a wrong allowance calculation, which allows users to manipulate the contract's own allowance and thereby transfer the tokens held by the contract away.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xde2c8718a9efd8db0eaf9d8141089a22a89bca7d1415d04c05ba107dc1a190c3

https://www.oklink.com/cn/arbitrum/tx/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef

Attacker address:

https://www.oklink.com/cn/bsc/address/0x08e80ecb146dc0b835cf3d6c48da97556998f599

https://www.oklink.com/cn/arbitrum/address/0x189cf534de3097c08b6beaf6eb2b9179dab122d1

No.5

On May 6th, the $BFT token appears to have been attacked, with a loss of approximately 275k USD.

Attack transaction: https://www.oklink.com/cn/bsc/tx/0x5a89e083e8e3ad75c38be65a6a92d7e32249cf9b5ceb304bf1ae2409241993ff

Attacker address:

https://www.oklink.com/cn/bsc/address/0x7e39468760c45205b616a385c414d2ffd7cbdc33

No.6

On May 6, $MELO was attacked. The reason is that the mint function has no access control, so anyone can mint additional tokens and transfer them to their own account.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7

Attacker address:

https://www.oklink.com/cn/bsc/address/0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b

No.7

On May 9, the MultiChainCapital ($MCC) token suffered a flash loan attack. As a reflective deflationary token, MCC did not exclude the pair address from reflection, allowing the attacker to call the deliver function to mint tokens and sell them for a profit of 10 ETH.

Attack transactions:

https://www.oklink.com/cn/eth/tx/0xf72f1d10fc6923f87279ce6c0aef46e372c6652a696f280b0465a301a92f2e26

Attacker address:

https://www.oklink.com/cn/eth/address/0x8a4571c3a618e00d04287ca6385b6b020ce7a305

No.8

On May 10, the $SNK token was attacked, and the attacker made a profit of about 197k BUSD. The main cause of the vulnerability is that the reward is calculated as deposited amount * deposit time, but the contract does not bind the time parameter to the amount actually deposited, so an attacker can combine an earlier time parameter with the current amount of funds in the calculation.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x7394f2520ff4e913321dd78f67dd84483e396eb7a25cbb02e06fe875fc47013a

Attacker address:

https://www.oklink.com/cn/bsc/tx/0x7394f2520ff4e913321dd78f67dd84483e396eb7a25cbb02e06fe875fc47013a

No.9

On May 11, the LW token was attacked, and the attacker made a profit of 48,415 USDT. This was a price manipulation attack: while swapping USDT for LW tokens, the attacker triggered the buyback mechanism of the marketing wallet, which raised the token price, and then sold the LW tokens for a profit.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xd0dd0c8aa71860ff2d7fe6f9763892d936e31fb8c1aef01ec5ffbc947dbedbeb

Attacker address:

https://www.oklink.com/cn/bsc/address/0xffc21396bc3c981f057b4ec993edb2a305ef8a62

No.10

On May 11th, TrustTheTrident was attacked and lost about $95k. The main reason is that listToken[] in the contract can be set from the addLiquidity() function, an operation that should be restricted to an administrator. Using this vulnerability, a hacker can place a self-created token in listToken and call sell to sell it.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x247e61bd0f41f9ec56a99558e9bbb8210d6375c2ed6efa4663ee6a960349b46d

Attacker address:

https://www.oklink.com/cn/bsc/address/0xc67af66b8a72d33dedd8179e1360631cf5169160

No.11

On May 13, bitpaidio was attacked and lost about $30K. The root cause is that Lock_Token() does not update the lock time correctly: the attacker had made a lock() 6 months earlier, which caused an excessive reward to be calculated during withdraw().

Attack transaction: https://www.oklink.com/cn/bsc/tx/0x1ae499ccf292a2ee5e550702b81a4a7f65cd03af2c604e2d401d52786f459ba6

Attack preparation transaction:

https://www.oklink.com/cn/bsc/tx/0xd4ee8a5ad903a00b03af10653cebde64d81781e7d4140a309ea707613106d4bb

Attacker address:

https://www.oklink.com/cn/bsc/address/0x878a36edfb757e8640ff78b612f839b63adc2e51

No.12

On May 13, TrustTheTrident was attacked again and lost about 279 BNB. TrustTheTrident allows users to short tokens, but the price is taken from the pair and is easily manipulated.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x7d04e953dad4c880ad72b655a9f56bc5638bf4908213ee9e74360e56fa8d7c6a

Attacker address:

https://www.oklink.com/cn/bsc/address/0x1581262fd72776ba5da2337c4c4e1b92c6e36ae6

No.13

On May 14th, TrustTheTrident was attacked again, and the amount of the loss is unknown. The root cause was that the Claim() function of the StakingRewards contract did not correctly verify its input parameters, allowing the attacker to pass a fake token instead of USDT to obtain more rewards.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xfe80df5d689137810df01e83b4bb51409f13c865e37b23059ecc6b3d32347136

Attacker address:

https://www.oklink.com/cn/bsc/address/0xa3aa817587556c023e78b2285d381c68cee17069

No.14

On May 14, landNFT was attacked. The main reason was that the project's mint function lacked permission control. The attacker minted 200 LandNFTs for himself, making a profit of about 149,616 BUSD.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xe4db1550e3aa78a05e93bfd8fbe21b6eba5cce50dc06688949ab479ebed18048

Attacker address:

https://www.oklink.com/cn/bsc/address/0x96b89c2560bcc43c342c12ba9c33dab7eb571a90

No.15

On May 20, Tornado Cash was attacked through a malicious governance proposal and lost about $1.1M. The attacker submitted a malicious proposal; after it passed, the proposal contract's code was changed by self-destructing the contract and then redeploying it. When the Tornado Cash governance contract executed the proposal, extra votes were granted to addresses prepared by the attacker, giving them control of the contract.

Attack transactions:

https://www.oklink.com/cn/eth/tx/0x3274b6090685b842aca80b304a4dcee0f61ef8b6afee10b7c7533c32fb75486d

Attacker address:

https://www.oklink.com/cn/eth/address/0x592340957ebc9e4afb0e9af221d06fdddf789de9

No.16

On May 23, LFI tokens were attacked and lost about 36k USD.

Attack transactions:

https://www.oklink.com/cn/polygon/tx/0xa0480d0f7c8d8bf898cadde954e773ddc3740f1ffa31cdd98fe4c5f5d8266243

Attacker address:

https://www.oklink.com/cn/polygon/address/0x11576cb3d8d6328cf319e85b10e09a228e84a8de

No.17

On May 23, the $CS token suffered a flash loan attack, and the attacker made a profit of about 714k USD. The main cause of the vulnerability is that $CS burns part of the tokens in the pair during each transaction (or transfer) in order to raise the price. The burnAmount is calculated from sellAmount, but the value of sellAmount is not updated, which allows attackers to push up the token price through multiple transactions and then sell at the high price for a profit.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x906394b2ee093720955a7d55bff1666f6cf6239e46bea8af99d6352b9687baa4

Attacker address:

https://www.oklink.com/cn/bsc/address/0x2cdeee9698ffc9fcabc116b820c24e89184027ba

No.18

On May 23, LOCALTRADERSCL ($LCT) was attacked and lost about 384 BNB.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x57b589f631f8ff20e2a89a649c4ec2e35be72eaecf155fdfde981c0fec2be5ba

https://www.oklink.com/cn/bsc/tx/0x49a3038622bf6dc3672b1b7366382a2c513d713e06cb7c91ebb8e256ee300dfb

Attacker address:

https://www.oklink.com/cn/bsc/address/0xd771dfa8fa59bd2d1251a0481fca0cf216276dd7

No.19

On May 25, GPT was attacked and lost about 42k USD. The main cause is that the token burn mechanism can be triggered by sending tokens into the pair and then calling skim, thereby pushing up the price.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x49a3038622bf6dc3672b1b7366382a2c513d713e06cb7c91ebb8e256ee300dfb

No.20

On May 26, CNN was attacked, and the attacker made a profit of about 5.6k USD.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0xd3bfd56c1f501d449199a4739f213631419dc6630e28355ce58196791eed63fc

Attacker address:

https://www.oklink.com/cn/bsc/address/0xd771dfa8fa59bd2d1251a0481fca0cf216276dd7

No.21

On May 28, jimbosprotocol was attacked and lost about $7.5M.

Attack transactions:

https://www.oklink.com/cn/arbitrum/tx/0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda

Attacker address:

https://www.oklink.com/cn/arbitrum/address/0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

No.22

On May 29th, babydogecoin was attacked and lost about $157,000. The key to the attack was that babydoge trades through the FarmZAP contract enjoy a 0 fee rate. The attacker used the babydoge reflow mechanism to create a price difference between FarmZAP's babydoge router and the babydoge pair on PancakeSwap, and arbitraged it.

Attack transactions:

https://www.oklink.com/cn/bsc/tx/0x098e7394a1733320e0887f0de22b18f5c71ee18d48a0f6d30c76890fb5c85375

Attacker address:

https://www.oklink.com/cn/bsc/address/0xcbc0d0c1049eb011d7c7cfc4ff556d281f0afebb

No.23

On May 30, the vault of ede_finance was exploited and about $580,000 was lost; the attacker has since returned 90% of the funds.

Attacker address:

https://www.oklink.com/cn/arbitrum/address/0x80826e9801420e19a948b8ef477fd20f754932dc

No.24

On May 31, ERC20TokenBank was attacked and lost about $119,000.

Attack transactions:

https://www.oklink.com/cn/eth/tx/0x578a195e05f04b19fd8af6358dc6407aa1add87c3167f053beb990d6b4735f26

Attacker address:

https://www.oklink.com/cn/eth/address/0xc0ffeebabe5d496b2dde509f9fa189c25cf29671

1.2 RugPull Inventory


No.1

On May 04, zjz.eth rug-pulled wsbcoinofficial ($WSB); $WSB fell by 86%, and zjz.eth dumped most of its WSB for a profit of 334 ETH (about 653k USD).

No.2

On May 05, the YODA token was rug-pulled and YODA fell 100%; yodacoineth deleted its social accounts and groups, and the scammers transferred 68 ETH ($130K) to FixedFloat.

No.3

On May 08, Hakuna Matata was rug-pulled and HAKUNA fell 100%.

No.4

On May 09, Derpman was rug-pulled and DMAN fell 100%, with a profit of about 48.55 ETH.

No.5

On May 15th, a rug pull gang had been creating fake tokens such as #PEPEPE, #LADYS, #BENZ, #GGBOND, #BENEN, #NEWPEPE, #PEN, #TURBOO and #PEPELOL over the previous 3 days. The scammers transferred approximately 12 ETH to MEXC.

No.6

On May 19, Swaprum was rug-pulled on Arbitrum for a profit of about $3 million. The Swaprum deployers used the add() backdoor function to steal LP tokens staked by users, then removed liquidity from the pool for profit.

No.7

On May 26, SeaSwapSui rug-pulled and deleted its Twitter and other social accounts. The administrators urgently withdrew SUI from the token sale contract, totaling 32,787 SUI ($32,000).

No.8

On May 30, BlockGPT_BSC was rug-pulled. The profit is about 816 BNB (about $256K).

1.3 Social Media Fraud and Phishing Inventory

No.1

On May 01, a promoted phishing website appeared on Twitter; do not interact with hxxps://claimbob.site/.

No.2

On May 02, a fake CertiK phishing website appeared; do not interact with hxxps://claim.certik.app/.

No.3

On May 04, the Syncera_io Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.4

On May 04, a fake Pepe Coin account appeared on Twitter; do not interact with hxxps://pepegives.xyz/.

No.5

On May 05, the FeetLabsHQ Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.6

On May 06, the STFX_IO Discord server was attacked; do not click on any links until the team confirms it has regained control of the server.

No.7

On May 07, a fake Pepe claim website appeared; do not interact with hxxps://pepegift.org/.

No.8

On May 08, a phishing link was posted on the Evmos Discord server; do not click on any links until the team confirms it has regained control of the server.

No.9

On May 08, a fake MetaMask account appeared on Twitter; do not connect to the hxxps://meta-token.net/# website.

No.10

On May 08, a fake Bob claim website appeared; do not interact with hxxps://bob-airdrop.com/.

No.11

On May 09, a fake PeckShield account appeared on Twitter; do not trust any eye-catching announcements from this account.

No.12

On May 09, a fake Ben airdrop website appeared; do not interact with hxxps://bencoineth.net/.

No.13

On May 10, a fake Pepe claim website appeared; do not interact with hxxps://rewardspepe.com/.

No.14

On May 11th, be aware of fake LayerZero claim sites being promoted on Twitter; do not interact with hxxps://layerzero-network.app/.

No.15

On May 14th, the OnchainTrade Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.16

On May 14th, the opentensor Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.17

On May 15th, both the BTFDRabbits Twitter account and Discord server were compromised; do not click on any links on either platform until the team confirms it has regained control.

No.18

On May 15th, a phishing link was posted in the Tyche Protocol Discord server; do not click on any links until the team confirms it has regained control of the server.

No.19

On May 16th, the taskonxyz Discord server was compromised and a phishing link was posted; do not interact with hxxps://airdrop.taskon.tech/.

No.20

On May 16th, the freshcut Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.21

On May 16th, the MorphexFTM Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.22

On May 17th, the NEARProtocol Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.23

On May 17th, the lifiprotocol Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.24

On May 17th, the auroraisnear Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.25

On May 18th, the Probably0 Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.26

On May 18th, the oDDbOOG Discord server was attacked; do not click on any links until the team confirms it has regained control of the server.

No.27

On May 19th, TheHoraHub's Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.28

On May 19th, the ArbitrumNewsDAO Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.29

On May 20, the avianfoundation Twitter account was hacked and promoted phishing sites; do not interact with hxxps://avn.finance/.

No.30

On May 20th, be wary of fake Yoda coin claim sites being promoted on Twitter; do not interact with hxxps://claim-yoda.com.

No.31

On May 20, be wary of fake Psyop claim sites being promoted on Twitter; do not interact with hxxps://claim-psyop.live/.

No.32

On May 21st, the VenomBridge Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.33

On May 22nd, the asymmetryfin Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.34

On May 22, a fake DEXTools Twitter account appeared; do not interact with the hxxps://dextoois.com/ website.

No.35

On May 22nd, the Superlotl Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.36

On May 23rd, the zerpmonxrp Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.37

On May 23rd, the mail3dao Discord server was compromised; do not click on any links until the team confirms it has regained control of the server.

No.38

On May 23rd, a phishing link was posted in the MetaStars Striker Discord server; do not click on any links until the team confirms it has regained control of the server.

2. Security summary

In May 2023, a number of security incidents occurred in DeFi. Code logic exploits and flash loan price manipulation remain common attack methods, and tokens with more complex economic models, such as reflection and reflow mechanisms, are more likely to become targets. At the same time, some new attack methods have emerged, such as the malicious governance proposal attack suffered by Tornado Cash. To prevent similar incidents, developers need to take action to secure their projects, including fully verifying the code logic and economic model, auditing the project regularly, and launching a bug bounty program after the project goes live. Social media phishing incidents also occurred frequently this month; investors need to remain vigilant and fully verify the authenticity of links before interacting with them to avoid asset losses.


Origin blog.csdn.net/weixin_42056967/article/details/131009423