Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.
Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months
A hacker was able to perform an oracle manipulation attack enabled by flash loans to siphon crypto worth around $1.26 million from Inverse Finance. The loss to the protocol was higher, at around $5.8 million. The attacker has already moved most of the stolen funds to the Tornado Cash cryptocurrency tumbler.
GYM Network exploited for $2.1 million
Attackers stole around $2.1 million from the GYM Network defi project after exploiting a bug in a recently-deployed contract that failed to check the identity of the caller. The attackers quickly transferred the stolen funds to the Tornado Cash cryptocurrency tumbler to cover their tracks.
GYM Network promised to use the entire project treasury to bolster the price of their token, which tanked as a result of the massive sell-off. "We can't promise that it will bring the price back to 0.20$ but we will use it All to recover this attack," they wrote on Telegram.
Bored Apes Discord compromised again, 32 NFTs stolen and flipped for $360,000
Scammers were able to compromise the Discord account of a Bored Apes community manager, then use it to post an announcement of an "exclusive giveaway" to anyone who held a Bored Ape, Mutant Ape, or Otherside NFT. When users went to mint their free NFT, the scammers were able to steal their pricey NFTs. The scammer quickly flipped the stolen NFTs for a total of around 200 ETH (about $360,000), then began transferring funds to Tornado Cash.
The Bored Apes Discord was also compromised on April 1, along with those of several other big-name NFT projects.
DAO Maker project exploited for $530,000
The DAO Maker project (not to be confused with MakerDAO) is a launchpad that claims to be "building the future of venture capital". Its website boasts that users who stake their $DAO can "earn up to 70% APY". The project suffered an exploit on June 3 in which attackers stole 300 ETH, worth around $530,000. Although the project had been audited by three different auditing companies, hackers were able to exploit an issue in the claim portal for some tokens. Attackers moved the funds to the Tornado Cash cryptocurrency tumbler.
"Feminist Metaverse" token exploited for $533,000
The "Feminist Metaverse" ($FM) token suddenly plunged in value by 99.7% after an attacker stole 1,838 BNB ($533,000). The hacker quickly transferred the stolen funds to the Tornado Cash tumbler to help hide their tracks.
The project advertised on its website its plans to "Create Feminist economics in the form of a DAO to balance the male-dominated world." The project's whitepaper explains how the metaverse will apparently "greatly reduce the impacts on women’s normal work and inequality in wages brought by their physiological differences and pregnancy. As a consequence, it helps eliminating a number of unresolved problems in the real world like gender discrimination, inequality in wages, sexual harassments, sexual assaults, trafficking of women and child marriage." It's not clear what specifically the "Feminist Metaverse" project was hoping to achieve.
Attacker steals $3 million from Fortress Protocol
An attacker was able to steal 1,048 ETH (~$2.65 million) and 400,000 DAI from the Fortress Protocol borrowing and lending platform in what appears to have been an oracle manipulation attack. The attacker quickly moved their ~$3 million in stolen funds to the Tornado Cash cryptocurrency tumbler to obscure their tracks.
The exploit caused the $FTS token to drop 42%. The creators of Fortress urged people not to supply any assets to the pool as the attack was ongoing, and tweeted "we need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds!"
U.S. Treasury sanctions cryptocurrency tumbler Blender, the first sanction of its kind
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that they had sanctioned the North Korean cryptocurrency tumbler Blender.io. This was the first U.S. government sanction levied against a cryptocurrency tumbling service. Blender was used to launder more than $20.5 million of the $620 million stolen in March from the blockchain used by the play-to-earn game Axie Infinity. The U.S. government has alleged that the North Korean state-sponsored cybercrime group Lazarus was behind the hack.
The U.S. began sanctioning various wallet addresses belonging to the hackers in mid-April, though have faced obstacles given that it is trivial for the hackers to create new wallets. The use of cryptocurrency tumblers (also called "mixers") has also stymied the government's attempts to limit the DPRK's access to the ill-gotten funds. Blender is not the primary tumbler that Lazarus has been using—that would be Tornado Cash, which they have used to tumble more than $213 million from the hack. Tornado has taken perfunctory steps to comply with sanctions, but nothing that would meaningfully impact Lazarus' ability to use the service.
- "U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats", U.S. Department of the Treasury
Someone hijacks a Ferrari domain to host scam NFT mint
Someone was able to gain control of a ferrari.com subdomain to create a scam NFT mint. Most scam NFT projects rely on eager NFT collectors not noticing a URL that isn't quite right—for example, something like ferrari-nft.com. This one was able to gain some additional legitimacy by using an actual ferrari.com subdomain. Additionally, Ferrari had recently announced an upcoming NFT project, making the scam project seem more plausible.
Sadly for the scammer, the scam was discovered and shut down when they had only managed to scam one person. The unsuspecting collector sent 0.3 ETH ($800), which the scammer transferred to Tornado Cash.
- "Ferrari subdomain hijacked to push fake Ferrari NFT collection", BleepingComputer
Attacker compromises MM.Finance to redirect $2 million in crypto assets to their own wallet
MM.Finance, a group of crypto projects based on the Cronos blockchain, suffered an attack that allowed a hacker to redirect more than $2 million worth of crypto assets that were being exchanged through the project's website to their own wallet. Although MM.Finance described the attack as "DNS hijacking", it seems unlikely this is an accurate description of the attack, which seems more likely to involve phished credentials to their domain service providers.
"Please do not perform any transactions or your funds will be sent to the exploiter wallet," MM.Finance tweeted shortly before taking the website offline. Three days earlier, MM.Finance had published a blog post to address "FUD" in their ecosystem stemming from a popular Reddit post that described MMF as an "inverse pyramid of derivatives" that the author believed would "topple", and outlined the project's "rosy future".
The project promised to try to compensate users, with its developers foregoing 45 days of trading fees to reimburse users. They also appealed to the OKC crypto exchange to intervene to help recover funds from someone they believed to be the attacker, and threatened the attacker with the FBI. "With all these information, we have more than what we need to bring this information to the FBI," they wrote on Twitter. "So here’s the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds."
- Tweet by MM.Finance
- "Mm Finance — The road ahead", MM.Finance blog
- "Personal Take on Events and Existing Tokenomics", post from r/MMFinance
- "DNS Hi-Jacking Post Mortem & Compensation", MM.Finance blog
Saddle Finance loses more than $11 million to hack
An exploiter used a flash loan attack to pull 3,933 ETH (~$11 million) from the "decentralized automated market maker" Saddle Finance. Shortly after the attack, the hacker began moving the stolen funds through the Tornado Cash tumbler to launder the money.
Saddle Finance had lost money once before, right after it launched in January 2021. An individual was able to arbitrage Saddle Finance pools for a profit of around $275,000.
- Tweet thread by PeckShield
- "Update on Saddle’s Launch", Saddle Medium