Exactly Protocol suffered a $7.3M loss due to missing input validation.
LeetSwap got exploited due to price manipulation.
JPEG’d lost $11.4M due to reentrancy vulnerability.
Pond0x coin launch was blamed for rug pull.
Hacks
Hacks Analysis
Exactly Protocol | Amount Lost: $7.3M
On August 18, the Exactly Protocol exploit on the Optimism Mainnet resulted in a $7.3M loss. The root cause was the public leverage() function in the DebtManager contract of Exactly Protocol. This function was missing proper input validation. The attacker exploited this vulnerability by passing in an invalid market address when using the leverage() function and created a UniswapV3 liquidity position with WETH and a fake token. Due to the lack of input validation, the attacker could manipulate the _msgSender parameter to target victim addresses and drain their funds.
Exploit Contract (on Optimism Mainnet): 0x16748cb753a68329ca2117a7647aa590317ebf41
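The pattern above, a public entry point that trusts a caller-supplied market address and account, is shown below in an added Solidity example. It is not Exactly Protocol's code: IMarket, IERC20, MarketRegistry and the two LeverageRouter contracts are names assumed for this illustration. The first router reproduces the missing check; the second accepts only markets the protocol has listed and always acts on behalf of msg.sender, so nothing the caller passes in can redirect another account's funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Exactly Protocol's code. IMarket, IERC20,
// MarketRegistry and LeverageRouter are names assumed for this example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IMarket {
    function asset() external view returns (address);
    function deposit(uint256 assets, address receiver) external;
    function borrow(uint256 assets, address receiver, address borrower) external;
}

// Minimal allowlist of the markets the protocol has actually listed.
contract MarketRegistry {
    address public immutable owner;
    mapping(address => bool) public isListed;

    constructor() { owner = msg.sender; }

    function list(address market) external {
        require(msg.sender == owner, "not owner");
        isListed[market] = true;
    }
}

// BEFORE (deliberately unsafe): both `market` and `account` come straight from
// the caller. A caller can pass a contract it controls as the market and any
// victim address (one that has approved this router) as the account; the
// router then pulls the victim's tokens into the attacker-controlled "market".
contract LeverageRouterVulnerable {
    function leverage(IMarket market, address account, uint256 principal) external {
        IERC20 token = IERC20(market.asset());      // caller decides what asset() returns
        token.transferFrom(account, address(this), principal);
        token.approve(address(market), principal);
        market.deposit(principal, account);         // funds now sit with the fake market
        market.borrow(principal / 2, account, account);
    }
}

// AFTER: the market must be one the protocol listed, and the account acted on
// is always the caller. There is no parameter left for targeting someone else.
contract LeverageRouter {
    MarketRegistry public immutable registry;

    constructor(MarketRegistry _registry) { registry = _registry; }

    function leverage(IMarket market, uint256 principal) external {
        require(registry.isListed(address(market)), "unlisted market");
        address account = msg.sender;
        IERC20 token = IERC20(market.asset());
        require(token.transferFrom(account, address(this), principal), "transferFrom failed");
        require(token.approve(address(market), principal), "approve failed");
        market.deposit(principal, account);
        market.borrow(principal / 2, account, account);
    }
}
```

The two checks do different jobs: the registry lookup stops a fake market from being wired into the flow, and deriving the account from msg.sender removes the ability to act on a victim's approvals even if a listed market were somehow misused.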
LeetSwap | Amount Lost: $624K
On August 1, the LeetSwap exploit on the Base Chain resulted in a $624K loss due to a price manipulation vulnerability. The root cause of the exploit was the incorrect visibility of the _transferFeesSupportingTaxTokens() function in the LeetSwapV2Pair contract. This function was meant to be private, but it mistakenly had a public visibility specifier. This mistake enabled the attacker to invoke this function to transfer tokens to LeetSwap's fee collection address. This reduced the liquidity of the axlUSD token, leading to an artificial price increase and allowing the attacker to make a profit from this manipulation.
Exploit Contract (on Base Chain): 0xEA8f89F47f3D4293897b4fe8cB69B5C233b9f560
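The visibility mistake described above is easy to see in a reduced pair contract. The Solidity below is an added example, not LeetSwap's code: FeePair, FeePairVulnerable, feeCollector, the 0.3% fee and the constant-product payout are all assumptions made for the illustration. The point is that a bookkeeping helper which moves tokens out of the pair must only be reachable from the pair's own swap path, which in Solidity means `internal` (or `private`), never `public`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not LeetSwap's code. FeePair, FeePairVulnerable,
// feeCollector and the simplified swap math are assumptions for this example.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// BEFORE (deliberately unsafe): the fee helper is declared `public`, so any
// address can call it with an arbitrary amount and push one side of the
// reserves to the fee address, skewing the price used by the next swap.
contract FeePairVulnerable {
    IERC20 public immutable token0;
    address public immutable feeCollector;

    constructor(IERC20 _token0, address _feeCollector) {
        token0 = _token0;
        feeCollector = _feeCollector;
    }

    function _transferFeesSupportingTaxTokens(IERC20 token, uint256 amount) public {
        token.transfer(feeCollector, amount);
    }
}

// AFTER: the same helper is `internal`; the only code that can run it is the
// swap path below, which computes the fee amount itself.
contract FeePair {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeCollector;
    uint256 public reserve0;
    uint256 public reserve1;

    constructor(IERC20 _token0, IERC20 _token1, address _feeCollector) {
        token0 = _token0;
        token1 = _token1;
        feeCollector = _feeCollector;
    }

    // Liquidity providers transfer tokens in, then call sync() to record them.
    function sync() external {
        _sync();
    }

    // Swap an exact amount of token0 for token1 with a 0.3% fee on the input.
    function swapExact0For1(uint256 amountIn, address to) external returns (uint256 amountOut) {
        require(reserve0 > 0 && reserve1 > 0, "no liquidity");
        require(token0.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        uint256 fee = amountIn * 3 / 1000;
        uint256 netIn = amountIn - fee;
        amountOut = (netIn * reserve1) / (reserve0 + netIn);   // constant-product payout
        _transferFeesSupportingTaxTokens(token0, fee);         // only reachable from here
        require(token1.transfer(to, amountOut), "payout failed");
        _sync();
    }

    // Internal: callers outside the contract cannot move fees on their own.
    function _transferFeesSupportingTaxTokens(IERC20 token, uint256 amount) internal {
        require(token.transfer(feeCollector, amount), "fee transfer failed");
    }

    function _sync() internal {
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }
}
```

A quick check a reviewer can run on any pair contract: every function whose name starts with an underscore, or whose only purpose is internal bookkeeping, should have `internal` or `private` visibility, and the compiled ABI should not list it at all.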
JPEG’d | Amount Lost: $11.4M
On July 30, the JPEG’d exploit on the Ethereum Mainnet resulted in an $11.4M loss due to a reentrancy attack. The attacker exploited Curve Finance’s Factory Pool contract by invoking the remove_liquidity() function and re-entering the add_liquidity() function during that call. Because the total_supply amount had not yet been updated when add_liquidity() was re-entered, the deposit was priced against stale state. The attacker made a profit by manipulating the pETH token price. The lending platform reported recovering nearly $10M of assets and offering a 10% white hat fee to the exploiter.
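The stale-supply reentrancy described above can be reproduced in a small single-asset ETH pool. The code below is an added Solidity illustration (Curve's pools are written in Vyper) and is not Curve's or JPEG'd's code: SimplePoolVulnerable, SimplePool and the share-pricing rule are assumptions for this example. In the unsafe version, remove_liquidity() sends ETH before reducing totalSupply, so a contract that receives the ETH can call add_liquidity() while the pool's real balance is already lower but totalSupply still counts the shares being burned, and gets more shares than its deposit is worth. The hardened version applies checks-effects-interactions (burn before sending) and a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Curve's or JPEG'd's code. SimplePoolVulnerable,
// SimplePool and the LP share pricing are assumptions for this example.

// BEFORE (deliberately unsafe): mirrors the ordering problem described above.
contract SimplePoolVulnerable {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Shares are priced off the pool's real ETH balance before this deposit.
    function add_liquidity() external payable returns (uint256 shares) {
        uint256 before = address(this).balance - msg.value;
        shares = totalSupply == 0 ? msg.value : msg.value * totalSupply / before;
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    // The ETH transfer (an external call) happens BEFORE totalSupply is
    // reduced. During the call `before` in add_liquidity() is already smaller
    // while totalSupply is still the old, larger value, so a re-entrant deposit
    // is credited with inflated shares.
    function remove_liquidity(uint256 shares) external {
        require(balanceOf[msg.sender] >= shares, "insufficient");
        uint256 ethOut = shares * address(this).balance / totalSupply;
        balanceOf[msg.sender] -= shares;
        (bool ok, ) = msg.sender.call{value: ethOut}("");   // reentry point
        require(ok, "send failed");
        totalSupply -= shares;                               // updated too late
    }
}

// AFTER: state is finalised before any external call, and a lock rejects
// any re-entry into the pool while a call is in flight.
contract SimplePool {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function add_liquidity() external payable nonReentrant returns (uint256 shares) {
        uint256 before = address(this).balance - msg.value;
        shares = totalSupply == 0 ? msg.value : msg.value * totalSupply / before;
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    function remove_liquidity(uint256 shares) external nonReentrant {
        require(balanceOf[msg.sender] >= shares, "insufficient");
        uint256 ethOut = shares * address(this).balance / totalSupply;
        balanceOf[msg.sender] -= shares;   // effects first
        totalSupply -= shares;
        (bool ok, ) = msg.sender.call{value: ethOut}("");   // interaction last
        require(ok, "send failed");
    }
}
```

Both defenses are worth keeping: the ordering fix means a re-entrant call would see consistent state even if the lock were absent, and the lock means the ordering of any future code path cannot silently reopen the hole.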
Pond0x | Amount Lost: $2.2M
On July 28, the Pond0x exploit resulted in a $2.2M loss due to a contract logic vulnerability. The directTransfer() function in the vulnerable contract allowed users to transfer PNDX tokens from any address. During the launch of the token, traders purchased PNDX tokens, increasing the token price. The exploiter then invoked the directTransfer() function to transfer the minted PNDX tokens and sold them for profit. This led some investors to accuse the platform of a rug pull.
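A transfer function that takes a `from` address without tying it to the caller is the logic flaw described above. The Solidity below is an added example and is not the Pond0x contract: SimpleTokenVulnerable, SimpleToken and the allowance rule are assumptions for this illustration. The hardened directTransfer() follows the standard ERC-20 rule: the caller must either be `from` or have been granted enough allowance by `from`, and the allowance is consumed on use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Pond0x contract. SimpleTokenVulnerable,
// SimpleToken and the allowance-based rule are assumptions for this example.

// BEFORE (deliberately unsafe): `from` is whatever the caller says it is.
contract SimpleTokenVulnerable {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
    }

    // No relationship between msg.sender and `from` is checked, so any
    // caller can move any holder's balance to any recipient.
    function directTransfer(address from, address to, uint256 amount) external {
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// AFTER: the caller must be `from`, or hold an allowance granted by `from`.
contract SimpleToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function directTransfer(address from, address to, uint256 amount) external returns (bool) {
        require(to != address(0), "zero recipient");
        if (msg.sender != from) {
            // Spending someone else's balance requires, and consumes, allowance.
            uint256 allowed = allowance[from][msg.sender];
            require(allowed >= amount, "allowance exceeded");
            allowance[from][msg.sender] = allowed - amount;
        }
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
        return true;
    }
}
```

When reviewing a token contract, every function that accepts a `from` (or `owner`, `account`) parameter and changes that address's balance should be checked for exactly this guard; a missing one lets anyone spend balances they do not hold.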
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.