Security Roundup: February 2024 Edition

Security Roundup: February 2024 Edition

Rivanorth's photo
Rivanorth
·

2 min read

In this month's security report, notorious hackers Lazarus Group make their first appearance of the year with yet another social engineering attack on a Blockchain project. This month we've seen over $30M stolen over various attacks with a diverse set of attack types, from classic Web2 to sophisticated smart contract hacks.

January 2024 Hacks

Gamma Strategies - $3.4M - The attacker exploited an inconsistency in the accounting mechanisms used for depositing and withdrawing funds. This discrepancy allowed the attacker to manipulate the protocol and withdraw an excessive amount of tokens

Radiant Capital - $4.5M - The exploit involved manipulating a known rounding issue in the current Compound/Aave codebase, which was triggered just six seconds after the activation of the new market. The hacker, in a precisely timed attack, sniped the new USDC market deployment and exploited it immediately after activation.

SEC X account compromise - On the 11th the SEC’s official X account announced the approval of Bitcoin ETFs, unfortunately this tweet was sent after the account had been compromised. There should be no excuse for not implementing MFA on virtually all accounts.

Socket - $3.3M - The Attacker targeted wallets that had granted infinite approvals to a recently added route to their bridging contract. This route did not properly validate user input which allowed the attacker to transfer approved assets from victim addresses to their own.

Abracadabra - $6.5M - Due to a rounding vulnerability in the CauldronV4 contracts, the borrow feature was susceptible to exploitation through the manipulation of the part parameter (the user's proportion of the overall debt). This vulnerability was exploited by repeatedly borrowing and repaying an asset, thereby leveraging the rounding error.

Gamee (GMEE token) - $7M - Gamee, a blockchain gaming project, got exploited due to the compromise of the deployer address.

CoinsPaid - $7.5M - On January 7, a crypto service platform CoinsPaid suffered an exploit on both Ethereum and the BNB Chain. It is believed that the attack was executed by the Lazarus Group and involved sophisticated social engineering techniques.

More Blockchain Security

Secure Proxy Models: Understanding Beacon Proxies

Rug Pulls and How to Avoid Them

Real-time hack alerts: https://twitter.com/rivanorthSec

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.

SecurityBlockchainEthereumSmart Contractshackscyber security#cybersecuritysmart contract audit services