Hackers stole more than $30M from Grim Finance by exploiting a vulnerability in the platform. Following the attack, all vaults were paused to prevent further losses. The exploit was found in the platform’s vault contract. The company has notified DAI, AnySwap, and Circle (USDC) of the incident and shared the addresses potentially belonging to the malicious actors. Solidity Finance audited Grim Finance 4 months ago.
According to the statement made by Solidity Finance, the incident was caused by “the ability of users to input arbitrary addresses and have them called within the depositFor function”. Through reentrancy, users could falsely increase their shares in Grim’s vaults. As a result, they could withdraw more assets than they had initially deposited. Solidity Finance states that a new employee missed this vulnerability, and it remained undetected since the CTO was on vacation.
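As an added illustration (simplified, not Grim Finance’s contract or Solidity Finance’s audit material), the weak pattern the statement describes is a caller-supplied token address being called inside depositFor before share accounting completes; the hardened version beside it calls only the vault’s own token and rejects nested calls. Contract, variable and function names other than depositFor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal ERC-20 surface needed by the vault.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Weak pattern: `token` is caller-supplied, so transferFrom is an external call
// into arbitrary code that runs between the balance snapshot and share minting.
contract VulnerableVault {
    IERC20 public immutable want;            // the vault's real underlying token
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    constructor(IERC20 _want) { want = _want; }
    function depositFor(address token, uint256 amount, address user) external {
        uint256 before = want.balanceOf(address(this));
        IERC20(token).transferFrom(msg.sender, address(this), amount); // untrusted callee
        uint256 received = want.balanceOf(address(this)) - before;
        // Every re-entered frame captured the same `before`, so one real
        // transfer of `want` is credited as new shares several times over.
        uint256 minted = totalShares == 0 ? received : (received * totalShares) / before;
        shares[user] += minted;
        totalShares += minted;
    }
}
// Hardened pattern: only the vault's own `want` token is ever called, and a
// mutex makes any nested call into depositFor revert while one is in progress.
contract HardenedVault {
    IERC20 public immutable want;
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    uint256 private locked = 1;              // 1 = free, 2 = entered
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    constructor(IERC20 _want) { want = _want; }
    function depositFor(uint256 amount, address user) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = totalShares == 0 ? received : (received * totalShares) / before;
        shares[user] += minted;
        totalShares += minted;
    }
}
```

Both the whitelisting of the token address and the reentrancy guard are needed: the guard alone still lets the vault call arbitrary code, and the fixed token alone still leaves a re-entrant path if `want` itself has transfer hooks.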
Compared to 2020, the amount of virtual assets grabbed by cryptocurrency-based scammers and criminals has increased by 81% and reached $7.7B, according to data provided by Chainalysis. $1.1B of these losses are attributable to a single scheme run by hackers in Ukraine and Russia. Scams remain one of the primary cyber threats harming the mass adoption of crypto.
The number of deposits to scam addresses fell to 4.1 million from 10.7 million. Although fewer individuals are losing money, each victim is losing much more. The most common scam type is the so-called rug pull, in which the developers of a new cryptocurrency vanish after collecting funds from supporters. Rug pulls accounted for 37% of all crypto scams.
Malicious actors have successfully exploited a reentrancy flaw in the DeFi protocol Visor Finance; the project lost 8.8M VISR tokens. The hack took place on 21 December. The attackers built the exploit around the IVisor delegateTransferERC20 interface. They also used the staking contract’s withdrawal function to request the desired VISR amount. The exploit succeeded because the caller relied on an external IVisor delegateTransferERC20 implementation.
Attackers could have created extra VISR tokens by taking control of the rewards contract. However, this is only an assumption, since an official investigation has not started yet. Reentrancy bugs are among the most critical vulnerabilities affecting DEXs. The incident has primarily affected token holders and stakers, since the token price dropped sharply soon after the incident.
Monkey Kingdom, a popular NFT project founded by entrepreneurs in Hong Kong and supported by celebrities such as Steve Aoki and JJ Lin, had its chat hacked. A malicious actor took over an administrator account of the project’s Discord group chat and, via a phishing link, stole $1.3M worth of cryptocurrencies.
Scammers are actively targeting NFT communities as the popularity of these novel projects keeps growing. According to data provided by DappRadar, the sales volume of NFTs surged to $10.7B in Q3 2021 (8X compared to Q2 2021). The project was launched less than one month ago and has become one of the most popular NFT initiatives. The project has notified its community of the incident.
Hackers exploited a vulnerability in the Log4j software to attack Belgium’s Defense Ministry. The attack started on 16 December. Some of the Ministry’s activities were paralysed because the attack damaged its Internet-facing services. Even five days after the attack, the Ministry was still trying to restore its services. The Ministry has not yet identified the parties responsible for the incident.
Log4j is a Java-based logging library used to record system activity. Earlier this month, multiple vulnerabilities were discovered in this software. Organisations need to take immediate measures to prevent security incidents arising from the exploitation of flaws in Log4j.