Category: Uncategorized

  • SASHA token hacked.

    Price of Sasha at uniswap v2 was much cheaper than v3. Hacker bought tokens at uniswap v2 and sold them at uniswap v3, gained $600k. Very simple exploit. 🙂

  • Unverified contract lost $280k due to sandwich attack.

    There’s a function that can be used for swapping WBNB to EGA token in victim contract. This function has no access control, anyone can call this function with only 1 wei. This is vulnerable to sandwich attack. Hacker swapped large amount of WBNB to EGA, called vulnerable function, and then swapped EGA to WBNB, gained…

  • AIZPT token hacked

    Root cause is wrong price calculation. If someone buys a huge amount of tokens with a lot of BNB, then he can sell tokens at high price, he can send few tokens and get much BNB. Hacker bought 8000 BNB worth AIZPT token, and then sold small amount of tokens several times. Total loss $20k.

  • Unknown lending project hacked due to price oracle manipulation.

    The lending project has WETH-USDC LP market. As you can see, price calculation for WETH-USDC LP market relies on UniswapV3Pool. Hacker was able to manipulate price, at first, price was 5826926145978180. But after manipulation price was 8131590584988874. He deposited some LP tokens in the pool, then deposited USDC and borrowed LP tokens. When borrowing, the…

  • Fire token exploit

    Root cause is in “transfer” function. When transfer token to uniswap pair, balance of uniswap pair is automatically decreased and “sync” is called. If someone transfers many Fire tokens to uniswap pair, balance of uniswap pair gets smaller and reserve value also gets smaller. Hacker exchanged 20 eth to Fire, about 200 Fire tokens remaining…

  • Bedrock was exploited

    Anyone can mint 1 uniBtc with 1 Eth. It seems that contract developer forgot that BTC is not native coin of Ethereum. 🙁 Interestingly, this vulnerability was available for several days. Total loss:$1.7m

  • Onyx Protocol hacked

    Onyx protocol was hacked because of improper parameter check. Vulnerability is in helper contract for Onyx liquidation – NFTLiquidation. As you can see, there’s “liquidateWithSingleRepay” function. This function is useful when repay amount is larger than borrow amount, it calculates “extraRepayAmount” and use this value to mint new oTokens. This “extraRepayAmount” is also used in…

  • Unverified contract(0xff2481) hacked by reentrancy attack

    An unverified contract lost about $140k in several tx. This is a staking contract. There are “stake”, “unstake” functions and also a function for swap tokens. “stake” function stakes usdt token and call “_swap” function. “_swap” function exchanges 10 usdt to other tokens and adds reward according to swap result. But “_swap” can be called…

  • InfernoBullWin drained $440k through hundreds of transactions

    Since 09/11/2024, Blocksec monitored hundreds of suspicious tx targeting InfernoBullWin, each tx gained about $1.5k. Victim contract has “swapTitanXForInfernoAndBurn” function which exchanges its “Titan” tokens to “Inferno” tokens, and then burns “Inferno” tokens. Anyone can call this function. This function was used for sandwich attack. Drainers swapped large amount of “Titan” to “Blaze”, and then…