Hackers steal $42M from Fenbushi Capital founder’s wallet💰

In brief⚡

Events Under the Spotlight💥

  • An attack on the Numbers Protocol (NUM) token project on the ETH chain resulted in a profit of around 13,836 US dollars for the attacker.
  • The attacker created the attack contract (0xa68cce) as a malicious anyToken whose underlying token points to the NUM token address.
  • The NUM token lacks a permit function and has a callback function, which makes it possible to trick the cross-chain bridge and cause the user’s assets to be transferred unexpectedly. This is the major reason for the attack.
  • The attacker then calls the Router contract of the Multichain cross-chain bridge to invoke anySwapOutUnderlyingWithPermit.
  • Because the NUM token contains a callback function and no permit function, the transaction proceeds smoothly even if the attacker submits a fake signature, and the NUM tokens at the victim’s address can ultimately be moved to the designated attack contract.
  • The attacker then converted the NUM tokens obtained into USDC via Uniswap, and then into ETH.
  • Hackers steal $42 million from the wallet of Fenbushi Capital’s founder.
  • A total of 42 million dollars in crypto assets, including 38 million dollars in USDC, were stolen from his wallet ending in 894.
  • According to Shen, the largest share of the stolen cryptocurrency was $38 million in USDC; other stolen assets included Tether (USDT), Bitcoin (BTC), and Ethereum (ETH).
  • In his tweet, he stated that the stolen assets were personal funds with no bearing on Fenbushi-related entities.
  • The AurumNodePool contract ($AUR) was targeted for approximately 50 $BNB ($14,538.04).
  • The changeRewardPerNode function in the contract had no validation, allowing an attacker to set arbitrary values by calling it.
  • The hacker uses the changeRewardPerNode function to increase the daily reward value to an extremely large number before claiming the node reward with claimNodeReward.
  • The node reward calculation is based on the rewardPerDay value set by the hacker, resulting in an extremely large calculated reward.
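
For the Numbers Protocol incident above, the following is an added example (not Multichain's or Numbers Protocol's code) of a router that verifies a permit call actually took effect instead of trusting that it did not revert, and that only accepts wrapper tokens the bridge has registered. HardenedRouter, IWrappedToken, trustedWrapper, setTrustedWrapper and swapOutWithPermit are hypothetical names; the token interface follows ERC-20 and EIP-2612.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not Multichain's or Numbers Protocol's code. HardenedRouter,
// IWrappedToken, trustedWrapper, setTrustedWrapper, swapOutWithPermit are hypothetical.
interface IERC20Permit {
    function permit(address owner, address spender, uint256 value,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

interface IWrappedToken { // stand-in for an anyToken-style wrapper
    function underlying() external view returns (address);
}

contract HardenedRouter {
    address public immutable admin;
    mapping(address => bool) public trustedWrapper; // wrappers vetted by the bridge

    constructor() { admin = msg.sender; }

    function setTrustedWrapper(address wrapper, bool ok) external {
        require(msg.sender == admin, "not admin");
        trustedWrapper[wrapper] = ok;
    }

    function swapOutWithPermit(address from, address wrapper, uint256 amount,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        // 1. Reject caller-supplied wrapper contracts the bridge never registered.
        require(trustedWrapper[wrapper], "unknown wrapper");
        IERC20Permit token = IERC20Permit(IWrappedToken(wrapper).underlying());

        // 2. A token with no permit() whose callback function accepts the unknown
        //    call does not revert, so "did not revert" proves nothing. Require the
        //    observable effects of a real EIP-2612 permit instead.
        uint256 nonceBefore = token.nonces(from); // reverts if no uint256 comes back
        token.permit(from, address(this), amount, deadline, v, r, s);
        require(token.nonces(from) == nonceBefore + 1, "permit had no effect");
        require(token.allowance(from, address(this)) >= amount, "allowance not set");

        // 3. Only now move funds into the vetted wrapper.
        require(token.transferFrom(from, wrapper, amount), "transfer failed");
    }
}
```

The nonce comparison is the decisive check: an allowance that already existed before the call would satisfy the allowance test on its own, but only a genuine permit advances the owner's nonce.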