Mozaic lost $2M to an insider with stolen keys. Blueberry bled $1.3M after deploying a borrow contract using the wrong oracle decimals. xPet got hit for $254K via price manipulation in a PvP contract. Miner leaked $466K due to a cached balance logic flaw. Smart contract correctness doesn’t matter if your deployment, access control, or math assumptions are broken.
In Brief
Mozaic was targeted in a $2M hack.
Blueberry Protocol lost $1.3M due to a faulty oracle deployment.
xPet got hacked for $254K.
Miner suffered a $466K loss due to logic vulnerability.
Hacks Analysis
Mozaic | Amount Lost: $2M
On March 15th, the Mozaic exploit on the Arbitrum chain resulted in a $2M loss. The root cause of the exploit was a compromise of Mozaic’s security module, which allowed the attacker to withdraw unauthorized funds. The Mozaic team stated that the exploiter was a Mozaic developer who had illegally obtained the private keys. Most of the stolen funds were transferred to MEXC and are frozen by the platform.
Exploit Contract (on Arbitrum chain): 0x20547341e58fb558637fa15379c92e11f7b7f710
On February 23rd, the Blueberry Protocol exploit on the Ethereum Mainnet resulted in a $1.3M loss. The root cause of the exploit was an unintended early deployment of the borrowing contract on February 22nd which used an incorrect price oracle. The incorrect oracle returned prices scaled to 18 decimals enabling the attacker to inflate the value of deposited assets with fewer than 18 decimals. The attacker made a profit by depositing 1WETH in the Blueberry Lending Market and borrowing 8,616 OHM, 913,262 USDC and 6.86 WBTC.
On February 16th, the xPet exploit on the Arbitrum chain resulted in a $254K loss. The attacker deposited the funds into xPet’s PvP contract in three separate transactions, artificially inflating the BPET token’s price. The attacker then swapped all BPET tokens to get 91.5 ETH and made a profit. The xPet team acknowledged the incident and proposed a 10% bounty reward to the exploiter.
Press enter or click to view image in full size
Exploit Contract (on Arbitrum chain): 0xA3d462f44F8C9F1a85e9757D874dB6646D4B7B7b
On February 14th, the Miner on the Ethereum Mainnet resulted in a $466K loss. The root cause of the exploit was a logic vulnerability in the private _update() function within the Miner’s contract. This function allowed users to double their balances when ‘from’ and ‘to’ addresses are the same, as the contract cached the toBalance value. The Miner team acknowledged the incident and offered a 30% bounty to the exploiter.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in a $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that they have identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.
