2/8
49.5% of the token supply was added to Uniswap after token creation.
LP tokens from this pool were sent to
@VitalikButerin
along with the remaining SHIB.
Therefore, Vitalik, instead of selling, can simply withdraw 93% of the pool liquidity without any price impact ($118M).
IronBank ($CREAM) was exploited for $37.5M, let’s take a quick look at what happened.👇
1/ Attacker used Alpha Homora for borrowing sUSD from IronBank.
Each time they borrowed twice as much as in the previous one.
Ok, new DeFi exploit.
Victim:
-
@iearnfinance
Attacker profit:
- 513k DAI
- 1.7M USDT
- remaining 506k 3CRV (~$1)
To obtain such a profit, the attacker executed 11 transactions.
Below is a very superficial explanation of what was happening in these transactions👇
1/8
Everyone has been waiting for this for a long time, and now
@paraswap
practically launched its token (PSP), which includes a retroactive airdrop and, apparently, some staking for Paraswap pools
Let’s see what we can learn from these unverified contracts👇
1/5
Let’s look at how
@jump_
tried to defend the UST peg a week ago.
They used at least three addresses on Ethereum and spent $682.5M+ in various stablecoins.
Basically, they were adding one-side liquidity in USDC since the Curve DAI/USDC/USDT pool was already imbalanced.
1/9
Today we have witnessed the manipulation of XVS price — the governance token of Venus Protocol on BSC.
This incident resulted in $200M+ DeFi liquidations and $100M+ of protocol bad debt.
As usual, let’s analyze this situation below👇
1/7
Many post-mortems after the Terra events have focused on “Wallet A” which played a large role in UST depegging
"Wallet A" swapped 85M UST for USDC and imbalanced the UST/3CRV Curve pool
There is a good chance this wallet is related to
@JaneStreetGroup
1/8
In the past few days, meme token SHIB has been a source of high gas prices and incredible profits for some early adopters.
Let’s take a look at some data to understand what’s going on👇
1/6
Today, BUNNY tokens worth $1B+ were minted from Bunny Finance on BSC, resulting in $40M+ being stolen:
- 114k WBNB ($40M)
- 697k BUNNY
For this reason, the BUNNY price fell from $146 to $6👇
1/6
Many talk about the
@0xPolygon
success and the record number of transactions, but is everything really so good?
Let’s see how arbitrage bots spammed Polygon with failed transactions👇
1/12
Alright, I've been sitting on this news all day, but let's look at the
@BaldBaseBald
deployer.
This is definitely someone from Alameda, but I don't think we can safely say that this is
@SBF_FTX
(even though he is a psycho)
Let's go👇
1/7
Rari Capital lost a lot of funds as a result of a complex exploit, right?
However, things are far from simple, and we witnessed the first cross-chain exploit, so let’s see how it went👇
1/5
We’re back to interesting exploits, and
@InverseFinance
users lost money today.
As a result, $15.6M was stolen in the form of:
- 1588 ETH
- 94 WBTC
- 4M DOLA
- 39.3 YFI
1/10
So, Uranium Finance (another Uniswap v2 fork on BSC) was exploited for $51M, right?
Nope, everything is much more complicated.
Let’s figure out what happened.👇
So what happened to Furucombo👇
An attacker using a fake contract made Furucombo think that Aave v2 has a new implementation.
Because of this, all interactions with ‘Aave v2’ allowed transfers of approved tokens to an arbitrary address.
Below is the code that was used in today's attack through ads on crypto websites like
@coingecko
or
@etherscan
The attacker wanted to get token approvals or perform swaps through DEXs to their address (it is not hardcoded, since it was pulled from an API)
I even started to get a little bored, but half an hour ago $31M was stolen from
@MonoXFinance
on Polygon and Ethereum.
- 5.7M MATIC ($10.5M)
- 3.9k WETH ($18.2M)
- 36.1 WBTC ($2M)
- 1.2k LINK ($31k)
- 3.1k GHST ($9.1k)
- 5.1M DUCK ($257k)
- 4.1k MIM ($4.1k)
- 274 IMX ($2k)
1/9
Another DeFi protocol xToken was exploited today and almost $25 million was stolen.
The attacker was smart enough (or close enough to this project) to use two different exploits for two projects’ tokens.👇
Looks like
@jack
’s exchange of preference is Kraken.
I don’t know if Jack uses Ethereum, but he used a fresh address specifically to dump the ETH he made from selling his NFT tweet.
Good wallet privacy management
Since launching MetaMask Swaps in October, MetaMask earned almost $2.5M in ETH and $1.5M in various tokens.
This is 3x Kyber Network fees for the same period.
Wen Metamask token?
1/2
Ok, the first connect-kit version with the drainer (1.1.6) was added to the npm registry at 9:44am UTC
Better to check that you have not interacted with any UIs since this time
1/3
Today
@Moola_Market
has been exploited for $8.4M:
- 8.8M CELO ($6.5M)
- 765k cEUR ($0.7M)
- 1.8M MOO ($0.6M)
- 644k cUSD ($0.6M)
It was an incredibly simple attack👇
1/6
Big Data Protocol on crazy hype, huh?
BDP contract now holds $6.2B, collected in just a few days, which puts the project on par with MakerDAO and WBTC.
Let’s take a look at the four addresses that collectively own 41% of this TVL and dump BDP as soon as they claim it.
It seems that
@justinsuntron
did not really like that I disclosed his address for BDP farming, and therefore he began to use a new one.
h/t
@DeBankDeFi
2/6
One of the addresses deposited 25% of the current TVL ($1.6B).
This is a lot of money and most likely belongs to
@justinsuntron
, who tried to buy
@jack
’s NFT tweet from this address.
He added to the BDP farm contract:
- 661.8k WETH
- 228.9M USDT
- 161.6M USDC
- 150 WBTC
1/5
Two hours ago, someone sold a huge amount of social tokens issued on Roll platform.
As a result, an attacker earned almost 3k ETH ($5.7M), of which 700 have already been sent to Tornado Cash.
Most social token prices dumped as a result.
1/8
Another weekend with a DeFi exploit on BSC, and this time the AMM called vSwap from
@value_defi
is in trouble.
About $11M was stolen today from non-50/50 pools, in addition to $6M already lost this week as a result of contract reinitialization.
Let’s see what happened👇
1/11 Okay, MEV is coming
MEV is a consequence of the fact that miners (pool operators) have the right to choose the tx order in a block.
They can be the first to:
- execute arbitrage
- get access to token offerings
- perform liquidation
Plus, they may not pay a fee for this.
10/10
Since the team fixed this bug that led to the exploit, they should have known about it for sure.
In this case, the best option would be a white-hat hack so as not to jeopardize users’ funds.
Since there was no white-hat hack, I tend to believe that it was a rug pull.
1/7
DeFi exploits have recently picked up significantly.
So far, there has been at least ~$370M withdrawn from DeFi due to exploits.
In the first part of my latest report, you can quickly look at how the attack proceeds and how it is investigated.
We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.
Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins.
Lol, it's funny how so many flash loans have been used.
This means that my new research piece about flash loans, which will be released very soon, will be relevant.
1/12
I’m finally home, which means it’s time for a thread about a four-hour attack on Spartan Protocol that resulted in $30.5M being stolen.
@Peckshield
has already written about the root cause, but there will be more details here as usual.
Enjoy👇
5/5
What do we know now?👇
- Despite the use of capital almost equal to the entire UST pool size, it was impossible to keep the peg.
- Jump lost hundreds of millions, which doesn’t even include CEXs.
- They control 36% of the total staked LUNA.
3/8
The top 50 ‘diamond hands’ by the number of tokens have a paper profit ranging from $5M to $2.5B, with an average of $65M.
Btw, someone turned $17 into $6.5M, and they can get $4.2M with current liquidity.
1/5
Do you like fancy words like MEV and Flashbots and want to have ‘stress-free passive income’?
Then be careful, and don’t get caught by scammers like
@mevbots.
For half a year of existence, 4.4k addresses independently transferred 1.8k ETH ($2M+) to them👇
8/8
The final tokenomics and the ability to claim tokens are not yet available (due to the absence of Merkle data), but it has already become clear that $WEN is really coming soon
Over the past two and a half years, the number of addresses interacting with DeFi protocols has grown from several thousand to over three million.
For this reason, over the past few months, I have been fascinated by researching the various characteristics of protocol userbases.
1/6
I’m very excited to release new “DeFi Protocol Revenue” charts in
@TheBlock__
data dashboard.
I have been collecting this data from Ethereum in parallel with all other work for two months now, so the release of these charts is very important for me.
1/6
Sad, but
@raft_fi
was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin
The twist is that they converted them into ETH, which was sent to the null address, but first things first👇
1/5
How can DeFi live without new hacks, right?
The new victim is ForceDAO, which didn’t provide the necessary checks in its contract code.
Anyone could call the function “making a deposit” even without having FORCE.
However, the received xFORCE could be used to obtain real FORCE.
1/9
I looked at my calendar and realized that it was time for a little personal story.
It is about how exactly a year ago I quit my job at the most unsuitable moment and what happened in the end.
🧵
1/9
Today I’m starting a new chapter in my life by joining
@TheBlock__
family as a Research Analyst. I am very grateful to
@lawmaster
and all the rest of the team who supported the materials that I published here.
Also from today, I will be using my real name Igor on Twitter.
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
1/9
One of the largest crypto market makers is Wintermute (
@wintermute_t
).
They are currently #1 on Bitfinex based on current month volume, also very active on FTX, and responsible for 40% of dYdX volume in 2020.
Let’s see what we can find out from their Ethereum addresses.👇
$ENM hacker used Tornado to fund his address a week ago. Right after that, he claimed $UNI tokens for one of the arbitrage contracts and withdrew them to himself in another tx by simulating an arb. In theory, this claim could be a hack, which is why a mixer might have been used.
1/9
The
@Starknet
Provisions Program is here, and 1.3M addresses can claim their part of 720M STRK in one week
With the pre-launch price from
@aevoxyz
, the program size is $1.2B, nearly matching
@arbitrum’s
So let’s extract insights from the distribution data
Looks like a casual rug pull.
PAID deployer made an attacker the owner of PAID admin contract.
This attacker deployed a new implementation contract for PAID token and minted almost 60M tokens.
9/9
I am sure that the actual damage from this case is greater than this figure, but the continuation of the analysis takes more time.
Perhaps later, I will find time to calculate all losses, as I did with Black Thursday.
8/8
According to Nansen, out of the Top 10 traders’ balances, only one sold tokens in the last week.
As already mentioned, the main reason for this is the very low liquidity, which will not allow cashing out in size.
Let’s see what happens when retail interest disappears
1/6
MakerDAO community was able to convince
@a16z
to start participating in governance.
Five days ago, a16z locked 20k MKR and voted for the current executive proposal.
But no one seems to have noticed that before that they also locked in some profits from their investments.👇
6/6
While scaling solutions have successfully lowered fees, they are already starting to run into problems due to adverse activity.
My user experience on BSC continues to deteriorate with each day, so it seems like the same will happen with Polygon.
FinNexus (FNX) contract deployer changed the token owner to some address on Ethereum and BSC.
This address minted:
- 323M FNX ($6M) on Ethereum
- 60M FNX ($1.6M) on BSC
and started dumping tokens.
Rug pull or StOlEn PrIvAtE kEy?
.@1inchExchange
token is almost launching.
In addition to the 1inch token, 1inch distribution contract and a set of governance and staking contracts were deployed.
Get ready to give liquidity into pools with YFI, USDT, USDC, WBTC, DAI, and ETH on Mooniswap to farm 1inch.
The question is how did the exploiter validate a Merkle proof that he initiated a large deposit in one of the extremely old blocks?
(Bug in a MerkleProof contract?)
1/ Flash loaned 116k ETH from dYdX
2/ Flash loaned 99k ETH from Aave v2
3/ Borrowed 134M USDC and 129M DAI using ETH as collateral on Compound
4/ Added 134M USDC and 36M DAI to the 3crv Curve pool
5/ Withdrew 165M USDT from the 3crv Curve pool
6/ Repeated five times👇
1/5
Imagine if you could bet on a coin flip but couldn’t lose anything
This is how someone stole around $25k from dice9win today, with another $200k saved by SEAL 911 members
Let’s figure out how it works (we have the team's approval)👇
Today is a historic moment for SEAL 911 as it was the first incident where we were able to prevent damage _before_ the attack was carried out. h/t
@FrankResearcher
for helping with this incident & the anon community member for the intel!
9/ Stablecoins have been deposited to Aave v2,
1k ETH to IronBank deployer,
1k ETH to Homora deployer,
220 ETH to Tornado,
100 ETH granted to Tornado
and almost 11k ETH remain on the exploiter balance.
8/8
This is not the first and far from the last time that project teams fork someone else’s code without a deep understanding of how it works.
It’s pretty foolish to think that CZ will save you if you mindlessly deposit money into projects with anon devs or obscure teams.
7/7
The interoperability between DeFi protocols is becoming more complex, which opens up new vectors of attacks.
This attack was similar in difficulty to the Pickle Evil Jar and will become even more frequent in the future.
1/8
I noticed a few days ago the use of MEV sandwiching and was preparing a Twitter thread but got frontrun by
@fifikobayashi
.
In any case, I have additional insights regarding this situation and the current MEV state in general.
Let’s go👇
For those of you wondering what MEV sandwiching looks like in the wild:
1. Hop onto block #11955959
2. Go to the last page and look at the 3 oldest tx's
3. It starts with the victim's tx in the middle buying POLK tokens on uniswap
1/10
For more than a week, someone has been trying to carry out a governance attack on
@SwerveFinance
(a dead Curve clone) and steal $1M+ in various stablecoins
Let’s figure out why he didn’t succeed and also find out who the exploiter is👇
7/8
The second one (0x3b45...) also had a lot of activity on Paraswap and made five deposits in Tornado Cash a few minutes before they were withdrawn to a new address.
Bad opsec😢
3/3
Consider four transactions:
- Larry received UNI from UGP address (18 days ago)
- sent 0.05 ETH on DeFi education fund address (16 hrs ago)
- swapped UNI worth $50k using Uni v3 (15 hrs 55 mins ago)
- executed the $10M OTC deal (10 hrs 45 mins ago)
1/8
Time to do a quick overview of my research on DeFi liquidations.
Why liquidations are needed, how they work, how keepers harm the Ethereum ecosystem, and, as always, you can learn much more in 5–10 minutes of reading this piece.
But a summary here:
1/9
Crypto has existed for more than ten years, but we have not yet seen real adoption.
One of the main issues is a rather high entry threshold and the lack of high-quality data.
@TheBlock__
is solving exactly that, and you are the one who can help bring adoption closer👇