
Millions Lost After Three DeFi Protocols Hacked in One Weekend


The decentralized finance (DeFi) sector often proves to be a minefield for those looking for the latest opportunities, a fact that was perfectly illustrated by a trio of incidents over the weekend.

Ethereum-based lending platform Dough Finance lost nearly $2 million on Friday in a series of hacks fueled by flash loans. The alarm was raised before new attack transactions were identified by ExVul, bringing the total loss to $1.96 million.


The vulnerability was identified as a lack of validation of flash loan “callback” data, according to crypto auditing firms Ancilia and CertiK. A flash loan allows a user to access large amounts of cryptocurrency, provided the amount is repaid in the same transaction.

PeckShield followed the flow of funds, showing that the attack was funded via Railgun and that the funds were laundered via Tornado Cash after the event. Railgun and Tornado Cash are both controversial privacy tools, often used by hackers to cover their tracks.

In what was the platform’s first post on X (formerly Twitter), Dough Finance acknowledged the hack a few hours later.

After a much-needed break on Saturday, Sunday saw two incidents that illustrate the wide range of attack vectors facing DeFi users.

First, the Discord server of Ethena, issuer of the $3.4 billion “synthetic dollar” USDe, was compromised. The breach led a seemingly legitimate account to post the promise of “retroactive rewards” for token holders while linking to a malicious URL.

Image taken from ZachXBT’s Telegram channel.


The suspicious message was reported by ZachXBT via Telegram, and Ethena issued an official warning in a post on X shortly after, which has since been deleted.

The incident highlights the variety of dangers facing DeFi users, which come not only from hacked “smart contracts” containing their crypto, but also from insecurities in existing web infrastructure, such as social media or the project websites themselves.


Last week, a wave of web domain hijacking hit the industry, with Compound Finance, Celer Network, Pendle Finance, and (ironically) Unstoppable Domains among those affected.

To round out the weekend, another lending platform, Minterest, informed users that it was exploited for $1.4 million on Sunday night. The hack, which took place on the Ethereum rollup Mantle, also appears to have been a flash loan attack, similar to the one that hit Dough Finance on Friday.


The attacker address was funded via Tornado Cash on Ethereum, suggesting that the Minterest team’s hope that the hacker “performed this exploit as a white hat” may be short-lived.

But it wasn’t all bad. As noted by Cyvers, a phishing victim who lost $32 million of Lido-staked ETH over a year ago has started receiving reimbursement.

After being contacted out of the blue via a channel message reading “I’m the guy who took your money…I want to give you the money back,” the victim has today confirmed receipt of more than 10 million DAI over the past week.
