Amidst FTX Saga, Hacker Swept More Than $25 Million in 2nd week of November

In brief⚡

Events Under the Spotlight💥

  • The MooCakeCTX attack originated as a result of the contract being reinvested without a reward before settlement.
  • The contract reinvested (the earn function was not called) before the user pledged (depositAll function) without settling the reward, which means that when the user pledged, the contract did not settle the previous reward and instead conducted a new investment.
  • The attacker borrows 50,000 cake tokens using a flash loan in the same block, pledges it twice in a row, and then withdraws and returns the pledged cake tokens to profit.
  • Attacker’s address: 0x35700c4a7bd65048f01d6675f09d15771c0facd5
  • A large-scale DDoS attack on the Ethereum L2 protocol knocked services offline for 11 hours.
  • During the incident, the rate per second (RPS) increased significantly because the Loopring gateway could not handle such a high volume of requests.
  • The brahTOPG project on the ETH chain was attacked, resulting in an exploit of $89,879.
  • The primary reason for this attack is that the Zapper contract strictly checks the data passed in by the user, resulting in the issue of arbitrary external calls.
  • The attacker uses this arbitrary external call problem to steal the tokens of users who are still authorized to the contract.
  • DFXFinance’s DEX pool suffers a $5 million loss due to a flash loan attack.
  • Using a flash loan, an attacker could exploit a vulnerability in the smart contract for DFX Finance, a decentralized forex trading platform.
  • The attacker then used the Tornado Cash cryptocurrency tumbler to launder the funds.
  • Because an MEV bot stole a significant portion of the funds, the attacker did not take the entire amount lost from the platform.
  • When the defi protocol Pando was exploited with an oracle manipulation attack, it cost the company $20 million.
  • In response to the hack, the protocol halted several projects and stated they hoped to negotiate with the hacker to reclaim some of the stolen funds.
  • Some of the stolen funds could be locked, but it is unclear whether this was the total amount.

Trending Blog of the Week🚀

Thanks for reading HashingBits! Subscribe for free to receive new posts and support our work.

Partner with QuillAudits :

- Affiliate program ( Refer and secure web3 )

- QuillAudits Partnership Programme ( Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products )

- Join Ambassdor program



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store