Recent Hack Roundup by Webacy

If last week was any indication, security remains a tremendous issue in web3. From a surge in reentrancy attacks, to multiple alleged strikes by the infamous North Korea-backed Lazarus Group, to a massive liquidity rug pull, there is a lot to talk about when it comes to industry hacks and vulnerabilities.  

Let us break down the following:

  • The latest reentrancy hacks (Conic Finance, EraLend, Curve Finance)
  • Lazarus strikes again… and again (Alphapo, CoinsPaid)
  • BALD scam

What is a Reentrancy Attack?

To pull off a classic reentrancy attack, a hacker exploits a flaw in smart contract design: a function that calls out to another contract before it has finished updating its own state. Typically, the hacker begins by deploying an external, malicious contract. Then they have the original smart contract function call into that contract – and before the original function has had time to update its important bookkeeping (for example, the caller’s balance), the malicious contract calls the original function again, and again, while the first call is still in progress. This allows the hacker to hijack the flow of commands being executed, giving them the opportunity to carry out harmful commands such as repeated large withdrawals.

Take the analogy of a vending machine. You put some money in, and ask for a candy bar. Before the vending machine finishes processing the transaction, you push the button again for another candy bar, and another, forever. If the vending machine isn’t designed to fully complete one transaction before executing another, this loophole can be exploited. Thanks to our friends at Bankless for the example!
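The vending-machine sequence above, as an added Python example that is not code from the Webacy post: a toy vault with the defective order (pay out first, update the ledger afterwards) beside the hardened order (update the ledger, then pay out, behind a mutex), and a recipient that presses the button again during the payout. The Vault, Account and simulate names and the deposit amounts are invented for this illustration.

```python
# Added example, not code from the Webacy post: a toy ledger modelling the
# ordering defect that reentrancy exploits and the two standard fixes
# (checks-effects-interactions ordering and a mutex). Class, method and
# amount values are invented for this illustration.

class Reverted(Exception):
    """Stands in for an EVM revert."""


class Vault:
    """Holds user deposits; pays out through an external call to the recipient."""

    def __init__(self):
        self.balances = {}     # ledger of what each account is owed
        self.eth = 0           # ether actually sitting in the contract
        self._locked = False   # reentrancy mutex used by withdraw_safe

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def _owed(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.eth:
            raise Reverted("nothing to pay out")
        return amount

    def withdraw_unsafe(self, who):
        """Defective order: the external call happens before the ledger is
        updated, so during that call the caller still appears to be owed money."""
        amount = self._owed(who)
        self.eth -= amount
        who.receive(self, amount)      # interaction: the recipient's code runs here
        self.balances[who] = 0         # effect: too late if the recipient re-entered

    def withdraw_safe(self, who):
        """Checks, then effects, then interactions, behind a mutex: a re-entrant
        call now sees a zeroed balance and a held lock."""
        if self._locked:
            raise Reverted("reentrant call")
        self._locked = True
        try:
            amount = self._owed(who)
            self.balances[who] = 0     # effect first
            self.eth -= amount
            who.receive(self, amount)  # interaction last
        finally:
            self._locked = False


class Account:
    """Honest recipient: records what it receives and does nothing else."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class ReenteringAccount(Account):
    """Models a recipient contract whose receive hook presses the vending-machine
    button again: it calls the same withdraw function before the first call has
    finished. A failed re-entry is swallowed, like a low-level call returning false."""

    def __init__(self, method_name):
        super().__init__()
        self.method_name = method_name

    def receive(self, vault, amount):
        self.received += amount
        try:
            getattr(vault, self.method_name)(self)
        except Reverted:
            pass


def simulate(method_name, honest_deposit=100, reentrant_deposit=10):
    """Run one withdrawal through the named method and report
    (amount the re-entering account received, ether left in the vault,
    ledger balance still owed to the honest depositor)."""
    vault = Vault()
    honest, reentrant = Account(), ReenteringAccount(method_name)
    vault.deposit(honest, honest_deposit)
    vault.deposit(reentrant, reentrant_deposit)
    getattr(vault, method_name)(reentrant)
    return reentrant.received, vault.eth, vault.balances[honest]


if __name__ == "__main__":
    print("unsafe:", simulate("withdraw_unsafe"))  # (110, 0, 100): vault is insolvent
    print("safe:  ", simulate("withdraw_safe"))    # (10, 100, 100)
```

The unsafe path returns (110, 0, 100): the re-entering account has collected 110 against a deposit of 10, the vault holds nothing, and the honest depositor is still owed 100 it can no longer pay. The safe path returns (10, 100, 100). The two fixes are independent: moving the state update ahead of the external call already closes this hole on its own, and the mutex is what protects functions where the external call cannot be moved last.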

Recent Reentrancy Attacks

On July 21st, DeFi protocol Conic Finance – part of the Curve Finance ecosystem – fell victim to a $3.2 million read-only reentrancy hack (a particularly cunning breed of reentrancy exploit that targets read-only “view” functions, such as price lookups: these report the contract’s state even while another function is still mid-execution, and they are typically not covered by reentrancy locks).
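An added example, not code from the post or from any of the protocols it names: a toy pool whose price view reads half-updated state while a liquidity removal is in progress, which is the read-only reentrancy pattern just described and the same “incorrect reserve value” problem the page later attributes to SyncSwap pools, beside the usual fix of having the view revert while the pool’s reentrancy lock is held. Pool, Consumer, demo and the reserve numbers are invented.

```python
# Added example, not code from the Webacy post: a toy liquidity pool whose view
# function computes a price from half-applied state while a state-changing
# function is mid-execution, and the common fix of making that view refuse to
# answer while the pool's reentrancy lock is held. All names and numbers are
# invented for this illustration.

from fractions import Fraction


class Reverted(Exception):
    """Stands in for an EVM revert."""


class Pool:
    def __init__(self, reserves, lp_supply):
        self.reserves = reserves      # tokens held by the pool
        self.lp_supply = lp_supply    # LP tokens outstanding
        self._locked = False          # mutex covering state-changing functions only

    def virtual_price(self):
        """Unguarded view: reserves backing each LP token. Correct whenever no
        state-changing call is in progress; otherwise whatever the intermediate
        state happens to be."""
        return Fraction(self.reserves, self.lp_supply)

    def virtual_price_guarded(self):
        """Hardened view: refuses to answer while the mutex is held, so a caller
        can never observe a half-applied update."""
        if self._locked:
            raise Reverted("pool is mid-operation")
        return self.virtual_price()

    def remove_liquidity(self, who, lp_amount):
        """Pays out the holder's share, with the external call sitting between
        the two state updates (reserves already reduced, LP tokens not yet burned)."""
        if self._locked:
            raise Reverted("reentrant call")
        self._locked = True
        try:
            payout = self.reserves * lp_amount // self.lp_supply
            self.reserves -= payout
            who.receive(self, payout)       # external call: a view read here sees skewed state
            self.lp_supply -= lp_amount     # burn happens after the interaction
        finally:
            self._locked = False


class Consumer:
    """Models a protocol that values LP collateral with the pool's price. Its
    receive hook records what each view returns at the moment it runs, which is
    exactly when a reentrant read would occur."""

    def __init__(self):
        self.unguarded_read = None
        self.guarded_outcome = None

    def receive(self, pool, payout):
        self.unguarded_read = pool.virtual_price()
        try:
            self.guarded_outcome = pool.virtual_price_guarded()
        except Reverted as exc:
            self.guarded_outcome = str(exc)


def demo(reserves=1000, lp_supply=1000, lp_amount=500):
    """Return the price before, as seen mid-call by each view, and after."""
    pool = Pool(reserves, lp_supply)
    before = pool.virtual_price()
    consumer = Consumer()
    pool.remove_liquidity(consumer, lp_amount)
    return {
        "before": before,
        "during_unguarded": consumer.unguarded_read,
        "during_guarded": consumer.guarded_outcome,
        "after": pool.virtual_price(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17} {value}")
```

Which way the price skews depends on which two updates the external call sits between; here the reserves have already dropped while the LP supply has not, so the unguarded read comes out at 1/2 even though the committed price is 1 both before and after the call. Any protocol that priced collateral off that mid-call read would be acting on a value no committed state ever had. Making the view revert while the lock is held (or having the consumer probe the pool’s lock before it reads) is what turns that stale read into a clean failure.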

Other web3 players also fell prey to reentrancy exploits this week. Among the victims were EraLend and, most recently, the Curve ecosystem (again).

EraLend - Read-Only Reentrancy Exploit - $3.4 Million Drained

EraLend, the largest lending app on the Ethereum Layer 2 network zkSync, is a fork of the popular DEX SyncSwap. According to Spreek, an on-chain sleuth, a vulnerability in SyncSwap’s code left EraLend at risk: attackers could exploit the update-reserves function to create an “incorrect reserve value” that would skew prices.

On July 25th, a hacker did just that, costing EraLend $3.4 million. It is suspected that other platforms that utilize SyncSwap code could be at risk of similar attacks.

Curve Finance - Yet Another Classic Reentrancy Exploit - Over $47 Million Drained Across Multiple Pools

On July 30th, several of DEX Curve Finance’s stable pools were drained because their reentrancy lock failed to do its job. The affected pools were written in Vyper 0.2.15, a Pythonic language used to develop smart contracts. A bug in the Vyper compiler, affecting multiple versions of the language, appears to be the culprit: the lock the compiler generated did not actually prevent re-entry.

Several platforms suffered significant losses during the attack, notably including Alchemix ($13.6 million) and JPEG’d ($11.4 million). Meanwhile, Curve’s swap pool lost $22 million in CRV tokens.

Lazarus Strikes Again

Over the last two weeks, Lazarus, the notorious cybercrime organization with ties to the North Korean government, allegedly stole nearly $100 million through two separate hacks aimed at Alphapo and CoinsPaid. The group is believed to be responsible for nearly $2 billion in stolen funds across its hacking campaigns. This follows the infamous Atomic Wallet hack of June 3rd, during which the group is believed to have stolen over $100 million.

Alphapo - Multiple Hot Wallets Exploited - $60 Million Drained

On July 23rd, the crypto payment processor Alphapo, which services gambling sites and platforms such as HypeDrop, experienced large outflows from several of its hot wallets. According to on-chain sleuth ZachXBT, the on-chain fingerprint left behind by the attackers also appears to point to Lazarus.

This hack was initially estimated to have cost Alphapo $31 million in funds stolen on the Ethereum blockchain, but an additional $37 million was found to have been drained on the TRON and Bitcoin blockchains.

CoinsPaid - Internal Systems Hacked - $37.3 Million Drained

On July 22nd, payment services platform CoinsPaid reported that its internal systems had been exploited for $37.3 million. The hack, which did not affect client funds, forced the platform to halt its services for four days.

CoinsPaid is working with Estonian law enforcement to investigate the hack.

BALD Liquidity Rug Pull

BALD launched on July 30th, and within 24 hours, the Brian Armstrong-themed memecoin’s market cap rose to $50 million, peaking at $85 million a few hours later. However, the developer quickly pulled $25.6 million in liquidity, causing the coin’s price to plummet 98% – from around 9 cents to around 1 cent.

As some traders began to buy the dip, the developer also began adding some liquidity back, causing a partial rebound in the coin’s price. The identity of the developer is unknown, but many in the crypto community suspect involvement from Sam Bankman-Fried or someone in his circle.

Crypto Can Be a Risky Business - Here’s How to Stay Safe

Combined with the countless exploits that occurred earlier this year (notably Atomic Wallet), these latest hacks account for over $700 million in cryptocurrency stolen in 2023 so far.

What will it take to halt these attacks, which play out at the smart contract, protocol, and even national level? Beyond the steps retail investors can take to keep their own assets safe, institutional players must take precautions to minimize risk. At the smart contract, protocol, and/or organizational level, those precautions can look like:

  • repeated smart contract audits by an accredited firm;
  • running bug bounty programs, whereby websites, organizations and software developers encourage ethical hacking and responsible disclosure of security flaws to help improve overall cybersecurity;
  • employing specific security measures such as fuzzing throughout the development cycle.

Furthermore, organizations and projects should continuously conduct due diligence on their partners’ backing and foundations, and exercise caution before getting involved with under-researched token projects.

For individual users, Webacy provides a suite of tools to help make digital self-custody more secure. Our services notify our users of any transactions that involve their wallets, and in case of a suspected hack or scam, users can instantly transfer their assets to a backup wallet of their choice. With over $120 million in assets under surveillance and over 250k transactions monitored each month, Webacy is web3’s trusted solution for protecting digital assets.

Curious about your crypto footprint? Check your wallet’s risk score here and do web3 safely: dapp.webacy.com/risk-score

...

by Hannah Treehan and Isabel Doonan