Hack Summer Continues with Acala, Curve, and other Victims🚨

In brief —

Events Under the Spotlight 🔎

  • The attackers made off with $231,000 in crypto and NFTs.
  • The exact hack mechanics aren’t clear from Galanis’ tweets.
  • Some Twitter users suggested he’d kept a copy of his seed phrase (essentially a security key that can be used to get access to a crypto wallet) in a service that uses iCloud backups, giving the hacker access after his account was compromised.
  • The team later announced that the issue was resolved.
  • However, the hackers were still able to hijack around $537,000 in USD Coin (USDC) before the issue was resolved.
  • The project was based on the Binance BNB Chain and had migrated to Polygon (MATIC).
  • The protocol’s website returns an invalid certificate, and a link to its Discord channel results in an “invite invalid” message.
  • The move is a textbook rug pull: a scam carried out by developers who launch a working decentralized finance application and promote it on social media before issuing a token and listing it on a decentralized exchange (DEX).
  • After investors have purchased the tokens in the hopes of a positive return, the developers shut up shop and disappear.
  • The exploit was due to a “misconfiguration” issue in the newly launched iBTC/aUSD liquidity pool that allowed users to mint unlimited aUSD from thin air.
  • After the incident, Acala immediately halted swaps and cross-chain transfers, leaving the exploiters stuck with around 99% of the erroneously minted aUSD on the parachain.

Trending Blog of the Week📈

Despite being an automated, decentralized version of a typical cryptocurrency mixer, Tornado Cash was sanctioned by the U.S. government last week as the Treasury Department’s Office of Foreign Assets Control (OFAC) added Ethereum addresses associated with the tool to its specially designated nationals and blocked persons (SDN) list.

Want More Such Security Blogs & Reports?

Connect with QuillAudits on:
