100x Return: “Georgian Coinbase account is identical to Aladdin’s magic lamp”🧞

In brief —

Events Under the Spotlight 🔎

  • Hackers may have uploaded a link to a purported airdrop on the server’s announcement channel, according to an unsubstantiated screenshot that was circulated on Twitter.
  • Because handleDeductFee validates neither the feeAmount nor the address it deducts from, both parameters are attacker-controlled: any caller can move any amount from any address.
  • The attacker used handleDeductFee to pull nearly all of the DDC tokens out of the victim pool, then called sync so that the pool re-read its token balances and recomputed its reserves (the k-value).
  • After the sync, the pool’s recorded DDC reserve was only 0.0003 DDC.
  • As a result the USD price of $DDC implied by the pool rose dramatically, and a tiny amount of $DDC could be swapped for a large amount of USD: the hacker swapped 23 $DDC for 104,600 USD.
  • According to the post-mortem, the culprit was the command line “solana program close,” which the developers executed as part of their attempt to retrieve the tokens.
  • However, and apparently unbeknownst to the OptiFi team, “solana program close” closes the program account permanently and irretrievably; a closed program ID cannot be redeployed.
  • The developers asked the Solana developers to change the Solana documentation so that it warns of the irrevocable nature of the program close command.
  • The Cupid contract 0x40c994299fb4449ddf471d0634738ea79c734919 has a reward-logic vulnerability: $CUPID tokens could be obtained with LP tokens and USDT/VENUS.
  • “We have experienced an exploit in our LP contract that has left it at $0. The ShadowFi team is hard at work looking for a solution that works in everyone’s best interest. Please have patience while we push through this. All presale proceeds are secured and safe.”
  • The attacker made a profit of about 1,078 BNB (about $300,000) by exploiting an SDF flaw that let anyone burn the token; the stolen funds were transferred to Tornado Cash.
  • Kyber continued that the threat was “neutralized” within two hours, assuring its users that it is now “safe to use all KyberSwap functions.”
  • The hacker also tried to steal 800 NFTs from the Bill Murray collection that were sitting in the wallet, though Project Venkman said it foiled that attempt by moving those NFTs to a safehouse, too.
  • They said they ran a script to automatically move the NFTs to safety.
  • Georgia’s national currency, the lari (GEL), was priced at $290 rather than $2.90 on Wednesday. In an email to CoinDesk, Coinbase attributed the missed decimal point to “a third-party technical issue.”
  • The error allowed users holding $100 worth of lari on Coinbase to withdraw it to their bank account for $10,000.
  • Coinbase said the issue was exploited by 0.001% of its total users, or about 1,000 customers.
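The DDC bullets above describe a three-step pool manipulation: an unchecked fee function drains the token side of a constant-product pool, sync() records the tiny reserve, and a small swap then empties the other side. The model below is an added illustration written for this page, not DDC’s contract or any code from the report. Token names, addresses such as "pool" and "attacker", the 10,000/10,000 starting reserves and the 1 % fee cap in the hardened variant are all constructed assumptions; the swap formula is the Uniswap V2 getAmountOut with its 0.3 % fee.

```python
"""Constant-product pool manipulation via an unchecked fee hook.

Added example, not code from DDC or from the page.  Amounts are integers
scaled by 10**6 (six decimals) so the arithmetic is exact; all names and
numbers are constructed for illustration.
"""

SCALE = 10**6


class Token:
    """Minimal ERC-20-like balance book with the page's fee hook."""

    def __init__(self, name, balances, vulnerable):
        self.name = name
        self.balances = dict(balances)
        self.vulnerable = vulnerable  # selects the flawed or hardened hook

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def _move(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise ValueError(f"{self.name}: insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer(self, caller, dst, amount):
        self._move(caller, dst, amount)

    def handle_deduct_fee(self, caller, src, dst, fee_amount):
        """Vulnerable variant: neither fee_amount nor src is validated, so any
        caller can move any balance from any address (an unchecked
        transferFrom in disguise).  Hardened variant (assumed fix): the fee
        may only be taken from the caller's own balance and is capped at 1 %."""
        if not self.vulnerable:
            if src != caller:
                raise PermissionError("fee may only be deducted from the caller")
            if fee_amount > self.balances.get(src, 0) // 100:
                raise ValueError("fee exceeds cap")
        self._move(src, dst, fee_amount)


class Pool:
    """Uniswap-V2-style constant-product pool holding DDC and USD."""

    ADDR = "pool"

    def __init__(self, ddc, usd):
        self.ddc, self.usd = ddc, usd
        self.sync()

    def sync(self):
        # Like UniswapV2Pair.sync(): reserves := current token balances,
        # so k = reserve_ddc * reserve_usd is silently recomputed.
        self.reserve_ddc = self.ddc.balance_of(self.ADDR)
        self.reserve_usd = self.usd.balance_of(self.ADDR)

    @staticmethod
    def amount_out(amount_in, reserve_in, reserve_out):
        # UniswapV2Library.getAmountOut with the 0.3 % fee.
        amount_in_with_fee = amount_in * 997
        return (amount_in_with_fee * reserve_out) // (
            reserve_in * 1000 + amount_in_with_fee)

    def swap_ddc_for_usd(self, trader, amount_in):
        out = self.amount_out(amount_in, self.reserve_ddc, self.reserve_usd)
        self.ddc.transfer(trader, self.ADDR, amount_in)
        self.usd.transfer(self.ADDR, trader, out)
        self.sync()  # V2 calls _update() after every swap
        return out


def run_scenario(vulnerable):
    """Replay the three steps against a flawed or a hardened DDC token.

    Returns whether the drain succeeded, the DDC reserve the pool recorded
    after sync(), and how much USD 23 DDC then bought."""
    ddc = Token("DDC", {Pool.ADDR: 10_000 * SCALE, "attacker": 23 * SCALE}, vulnerable)
    usd = Token("USD", {Pool.ADDR: 10_000 * SCALE}, vulnerable=False)
    pool = Pool(ddc, usd)

    drained = False
    try:
        # Step 1: use the fee hook to pull all but 0.3 DDC out of the pool.
        ddc.handle_deduct_fee("attacker", Pool.ADDR, "attacker",
                              ddc.balance_of(Pool.ADDR) - 300_000)
        drained = True
    except (PermissionError, ValueError):
        pass  # hardened token refuses: src != caller

    # Step 2: sync() makes the pool believe the tiny balance is its reserve.
    pool.sync()
    reserve_after_sync = pool.reserve_ddc

    # Step 3: a small swap at the skewed price takes almost all of the USD.
    usd_out = pool.swap_ddc_for_usd("attacker", 23 * SCALE)
    return {"drained": drained,
            "reserve_ddc_after_sync": reserve_after_sync,
            "usd_out": usd_out}


if __name__ == "__main__":
    for flag in (True, False):
        r = run_scenario(flag)
        print("vulnerable" if flag else "hardened", r,
              f"= {r['usd_out'] / SCALE:.2f} USD for 23 DDC")
```

With the flawed hook, 23 DDC buys roughly 9,870 of the pool’s 10,000 USD; with the hardened hook the same 23 DDC buys about 22.9 USD. The sync() step is the detail to watch for in audits: any way of changing a pair’s token balance outside of swap/mint/burn (privileged transfers, rebases, unchecked fee hooks) becomes a price oracle manipulation the moment sync() or _update() runs.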

Test Yourself for Web3❓

This week was full of hacks and exploits!

Trending Blog of the Week📈

One of the biggest challenges with the creation of NFTs is that blocks have only limited storage, and so images cannot be stored in the blockchain directly.

Want more such security blogs & reports?

Connect with QuillAudits on:
