Yesterday, two hacks on decentralized finance (DeFi) protocols netted a complete of over $5 million, with an additional $5 million siphoned off from compromised wallets on Wednesday.
Whereas the founders of two OG protocols, Aave and Maker (now Sky), bro’d down over Starcraft whereas basking in a “DeFi renaissance moment,” a few of the sector’s much less well-established initiatives have been happening in historical past for the fallacious causes.
Repeat DeFi hack or a brand new bug?
First up was Onyx Protocol whose $3.8 million loss was first considered a repeat of the well-known bug that drained $2.1 million from the undertaking towards the again finish of final 12 months.
Onyx is a fork of Compound Finance, which incorporates an notorious vulnerability wherein freshly-launched, empty lending markets are briefly left open to a worth manipulation assault, if not dealt with accurately.
Given the recognition of Compound’s v2 codebase with fast-forking DeFi devs, the bug is exploited with alarming regularity throughout the sector, and was initially recognized as having been the reason for Onyx’s newest loss.
Nonetheless, because the group identified in a ‘post-mortem’ thread on X (previously Twitter), this time the vulnerability additionally lay within the platform’s ‘NFT Liquidation contract.’ The attacker was in a position to drain the vUSD stablecoin which was then offered off, inflicting it to depeg.
One thing’s not including up
Subsequent got here ‘bitcoin restaking’ protocol Bedrock which seemed to be overly bullish on ETH, costing it round $2 million.
The defective code allowed customers to mint Bedrock’s uniBTC token at a 1:1 ratio with staked ETH tokens, not bearing in mind the worth distinction between the 2 property (valued on the time at roughly $65,000 vs $2,650, respectively).
The uniBTC tokens have been then offered off for an alternate wrapped bitcoin token, for a return of virtually 25x.
Crypto safety auditor Dedaub claims to have recognized the vulnerability upfront, stating that such a easy bug may very well be found and exploited mechanically by ‘fuzzing bots.’
Regardless of warning the Bedrock group two hours earlier than the assault, there was no response due time zone variations. Nonetheless, by elevating the difficulty individually with Pendle, a platform with $30 million of publicity to uniBTC, additional losses have been efficiently averted.
The Bedrock group responded to the incident, reassuring customers that each one uniBTC collateral stays intact. It estimated the losses at “approximately $2 million (mostly in DEX LPs),” including {that a} “comprehensive reimbursement plan is being finalized.”
Compromised keys?
On Wednesday, real-world-asset-focused Truflation warned of “some abnormal activity,” which it attributed to a malware assault.
On September twenty fifth, 2024, the Truflation group detected some irregular exercise. An attacker launched an assault utilizing malware.
We’re presently monitoring the scenario and are taking measures to guard funds whereas we’re investigating and dealing with legislation enforcement. The…
— Truflation (@truflation) September 25, 2024
Blockchain investigator ZachXBT traced whole losses of over $5 million from addresses recognized because the undertaking’s “treasury multisig and personal wallets,” offering an inventory of addresses through his Investigations Telegram channel.
Whereas the preliminary disclosure was scant on particulars, it does point out a reward to any whitehats in a position to help the investigation. This was adopted up with an on-chain message to the hacker, providing a ten% ‘bounty’ for the return of the funds.
Assuming funds aren’t returned earlier than 8am (UTC) on Saturday, the bounty can be opened as much as the general public in return for data resulting in a conviction.
