Another Binance Smart Chain (BSC)-based DeFi Protocol Gets Exploited for Over $30 Million

The Spartan Protocol team says it will rebuild with a focus on review, unlike Uranium Finance, which, after its $50 million exploit, said the project won’t be reborn and is currently activating the distribution of 300k.

Over the weekend, yet another BSC-based DeFi protocol got exploited.

On Saturday, Spartan Protocol, a project that incentivizes deep liquidity pools for leveraged synthetic token generation, reported an attack that resulted in a loss of more than $30 million.

Its native token SPARTA dropped more than 40% as a result of the exploit but has since recovered to $1.65, just about 25% down from its ATH of $2.25 from mid-February.

The next day, blockchain security company PeckShield Inc. released an analysis of the attack stating it was due to a flawed liquidity share calculation in the protocol, which was exploited to drain assets from the pool.

On the technical side, the attack involved a number of operations to prepare the vulnerable pool and then manipulate it to drain funds. The attacker first took a flash loan of 10K WBNB from PancakeSwap, which was returned at the last step with 260 WBNB as the flash loan fee.

The vulnerability stems from the fact that the liquidity share calculation, calcLiquidityShare(), queries the pool's current balance, which can be inflated for manipulation, noted PeckShield Inc.
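A simplified model of the accounting flaw PeckShield describes, added here as an illustration and not Spartan Protocol's code: it compares a share priced off the live balance with one priced off internally tracked reserves, plus a drift check a monitor could run. The class, method names and amounts are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed toy model of one asset side of a liquidity pool."""
    reserve: int = 0      # amount recorded by the pool's own bookkeeping
    balance: int = 0      # live token balance held at the pool address
    total_units: int = 0  # LP units outstanding

    def deposit(self, amount: int) -> int:
        """Tracked deposit: mints LP units and updates both figures."""
        units = amount if self.total_units == 0 else amount * self.total_units // self.reserve
        self.reserve += amount
        self.balance += amount
        self.total_units += units
        return units

    def untracked_transfer(self, amount: int) -> None:
        """Tokens sent straight to the pool address: balance moves, reserve does not."""
        self.balance += amount

    def share_from_balance(self, units: int) -> int:
        """Flawed pattern: the share is priced off the live balance."""
        return units * self.balance // self.total_units

    def share_from_reserve(self, units: int) -> int:
        """Hardened pattern: the share is priced off tracked reserves."""
        return units * self.reserve // self.total_units

    def drift(self) -> int:
        """Monitoring check: non-zero means balance and bookkeeping disagree."""
        return self.balance - self.reserve


def demo() -> dict:
    pool = Pool()
    pool.deposit(900_000)             # constructed: existing liquidity
    units = pool.deposit(100_000)     # one provider holding 10% of the units
    before = pool.share_from_balance(units)
    pool.untracked_transfer(500_000)  # balance changes outside the bookkeeping
    return {"units": units, "before": before,
            "flawed_after": pool.share_from_balance(units),
            "hardened_after": pool.share_from_reserve(units),
            "drift": pool.drift()}


if __name__ == "__main__":
    print(demo())
```

The same LP units are worth 100,000 before the untracked transfer and 150,000 after it under the balance-based formula, while the reserve-based formula stays at 100,000 and the drift check reports the 500,000 discrepancy.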

The Spartan Protocol team said it would rebuild with a focus on reviews. It also noted that the code containing the flaw had already been audited by CertiK.

While sharing this, it further said that “Sparta is innovative code, built from scratch, it is not a clone of anything,” amidst the growing criticism around the DeFi projects built on BSC copying other projects that are already running on Ethereum.

“Sparta does not copy a single line of SNX code, and the Sparta community feel the brand is sufficiently differentiated, un-owned, and unique to the BSC community,” it stated.

Earlier last week, another BSC-based DeFi project, Uranium Finance, was exploited for $50 million despite the project being audited by BSC Gemz, which didn’t pick up the critical vulnerability.

The exploit was possible due to an update of the codebase for v2, which changed the swap fees from 0.20% to 0.16%.

Unlike Spartan Protocol, Uranium Finance said they are not releasing v3, adding, “We will not be trying to make this project reborn again, doing so is not possible under these circumstances.”

Currently, they are activating the distribution of less than 300k from the bonus money pot while asking users to remove liquidity from pools.

Author: AnTy

DeFi Warp Protocol Loses $7.7 Million in a Flash Loan Attack

Lending protocol Warp was exploited in a complex flash loan attack for $7.7 million worth of stablecoins. Hacken Club audited the project.

The attack on Thursday allowed the hacker to borrow more than their collateral value, resulting in a loss of stablecoin lender funds. Later on Thursday or earlier on Friday, the team took to Twitter to share with the community,

“We are investigating irregular stablecoin loans taken out in the last hour, we recommend that you do not deposit anymore stablecoins until we have clarity on the irregularities.”

Out of the lost $7.7 million, the team plans to recover about $5.5 million that is still “secured in the collateral vault.”

“Upon successful recovery, these will be distributed to users who experienced a loss,” announced the team. Additional plans are also in place to compensate for users’ loss over time, they added.

The decentralized finance project team said they would share a detailed analysis of the attack in the coming days once they have more understanding of the exploit.

Just a day before the attack, the lending protocol that powers a liquidity engine migrated to Warp Finance v2 with a 24-hour grace period. The latest version enabled protocol users to borrow against LP tokens and be rewarded with the to-be-released governance token WARP.

The TVL of the project has more than halved after the attack. Only $6 million in funds is currently locked in the project, down from $17 million, as per DeBank.

Author: AnTy

Harvest Finance Increases Bounty to $1 Million to Track the Attacker Who Stole $33.8M

Early Monday, the latest decentralized finance (DeFi) project, Harvest Finance, was exploited. It was estimated that $33.8 million of the funds, about 3.2% of the total value locked in the protocol before the attack, was lost.

A couple of days before the attack, the project’s TVL surpassed $1 billion, which has now come down to a mere $300 million, as per DeFi Pulse. Since then, its FARM token has also lost 60% of its value, currently trading at $96.5.

To catch the attacker, the anonymous team behind the project has increased the bounty for identifying the hacker to $1 million from $400,000, which had itself already been raised from $100k.

Initially, the team said they know the person behind the hack, “who is well-known in the crypto community,” and they don’t want to dox them. As per the latest update, all that the team knows about the hacker so far is that they have an understanding of how DeFi works.

The attacker, meanwhile, is actively “money laundering” Bitcoin through various darknet mixers and crypto exchanges, including Binance, Huobi, Kraken, and Coins.ph, according to the post mortem of the incident.

The attacker reportedly exploited the effects of impermanent loss of USDC and USDT inside the Y pool on Curve.fi repeatedly.

Following the attack, funds from the shared pools, DAI, USDC, USDT, TUSD, WBTC, and renBTC, which were “not affected,” have been withdrawn.

The Harvest Finance team further said that it is taking full responsibility for the engineering error and is now working on a remediation plan for affected users.

The possible remediation techniques the team is considering include implementing a commit-and-reveal mechanism for deposits, stricter configuration of the existing deposit arb check in the strategies, withdrawals in an underlying asset, and using oracles for determining asset price. The team stated,

“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety.”

Author: AnTy

Bitfinex Offers $400M Reward For Info on 120k BTC Stolen in 2016; Hackers Can Collect Too

On August 2, 2016, Bitfinex experienced one of the biggest crypto heists of all time, as hackers exploited the system, running off with approximately 120,000 BTC. Shortly after, the price of BTC collapsed to 20%, marking one of the darkest days in the top coin’s history. Now the exchange wants to clear this dark day in history with a $400 million reward to the hackers if the full amount is recovered.

In a blog post on their website, four years later the exchange is offering anyone who will help them recover the Bitcoins a hefty 5% reward for the amount recovered. The statement reads,

“Bitfinex is offering a reward to any persons that connect us with hackers responsible for the unauthorized transfer of almost 120,000 bitcoins from the exchange in August 2016. As part of the same initiative, Bitfinex is also offering a reward to the hackers themselves for the return of the stolen property.”

The exchange is also ready to offer the hackers 25% of whatever amount is recovered (at the current BTC prices), which would translate to a total of 30% for the full reward. The 119,755 BTC currently trade for $1.3 billion at market prices, which would mean a $403 million reward if the full stash is recovered.

The U.S. government recovered 27 Bitcoins in an investigation in 2017, but the rest remains with the hackers.

Bitfinex claims it will ensure the process is safe and private, and that the identities of the hackers (if known) will remain undisclosed. The statement reads,

“We will work to ensure this can be done safely, thereby protecting the identities of all parties, and Bitfinex reserves the right to impose conditions on any transfers in order to verify claims and ensure a secure process.”

April 2019 marks the first time the hacker moved the stolen BTC, with 300 BTC, then trading at $1.5 million, moving into 13 new addresses. In May this year, the hacker moved $255k, or about 29 BTC, to another unknown wallet, keeping the identity a mystery. In the week leading up to the fourth anniversary of the attack, Aug 2, the hacker moved $12 million in BTC, Whale Alert reported: $7 million was transferred on August 3, while the remaining $5 million was moved on July 29.

Author: Lujan Odera