$9.7M Lost: Coinstats, Velocore, and Normie Breached via Wallet Compromise and Logic Bugs
Coinstats leaked keys to 1,510 wallets, costing users $2M. Velocore lost $6.8M to an unchecked feeMultiplier in its AMM math. Normie’s premarket whitelist logic let an attacker mint 650B tokens and dump them. Security assumptions shattered, again.
In Brief
Coinstats was targeted in a $2M attack.
Velocore suffered a $6.8M logic vulnerability exploit.
Normie was exploited for $882K.
Hacks
Hacks Analysis
Coinstats | Amount Lost: $2M
On June 22nd, the Coinstats exploit on the BNB chain resulted in a $2M loss. The root cause of the exploit was the compromise of private keys for 1,510 wallets. The exploiter drained funds from wallets that were created directly within Coinstats. The Coinstats team acknowledged the incident and confirmed no impact on externally connected wallets. Transactions were temporarily suspended for four days.
Exploit Contract (on BNB Chain): 0x53F7f5Ebc015ed0adE403b1392F1CBBa7D928c34
Velocore | Amount Lost: $6.8M
On June 1st, the Velocore exploit on zkSync and Linea resulted in a $6.8M loss. The root cause was a logic bug in the ConstantProductPool contract, which lacked verification for the feeMultiplier parameter. This allowed anyone to manipulate the parameter, leading to incorrect fee calculations. The Velocore team acknowledged the incident and proposed a white-hat bounty reward to the exploiter. Linea briefly halted block production to mitigate further damage.
Exploit Contract (on Linea): 0x1d0188c4b276a09366d05d6be06af61a73bc7535
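The missing parameter check described above can be modelled in a few lines of Python. This is an added illustration, not Velocore's contract code: the class and method names, the 1e18 fixed-point scale, the 10% fee cap and the owner-only setter are all assumptions chosen to show a weak setter beside a hardened one.

```python
# Added illustration: a simplified model, not Velocore's contract code.
# The names, the 1e18 fixed-point scale and the 10% cap are assumptions.
SCALE = 10**18             # fixed-point representation of 1.0
MAX_FEE = SCALE // 10      # assumed policy: effective fee never above 10%


class FeeError(ValueError):
    """Raised when a fee parameter or the resulting fee is out of range."""


class PoolModel:
    def __init__(self, owner, reserve_in, reserve_out, base_fee):
        self.owner = owner
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out
        self.base_fee = base_fee           # e.g. 0.3% is 3 * 10**15
        self.fee_multiplier = SCALE        # 1.0x

    def effective_fee(self, multiplier=None):
        m = self.fee_multiplier if multiplier is None else multiplier
        return self.base_fee * m // SCALE

    def set_fee_multiplier_unchecked(self, caller, multiplier):
        # Weak form: any caller, any value, nothing verified.
        self.fee_multiplier = multiplier

    def set_fee_multiplier(self, caller, multiplier):
        # Hardened form: authorised caller only, resulting fee must be in range.
        if caller != self.owner:
            raise FeeError("caller not authorised")
        if not 0 <= self.effective_fee(multiplier) <= MAX_FEE:
            raise FeeError("multiplier pushes fee out of range")
        self.fee_multiplier = multiplier

    def quote_out(self, amount_in):
        # Defence in depth: re-check the fee where it is used, so a bad
        # parameter fails closed instead of feeding the swap math.
        fee = self.effective_fee()
        if not 0 <= fee < SCALE:
            raise FeeError("effective fee outside [0, 100%)")
        net_in = amount_in * (SCALE - fee) // SCALE
        return self.reserve_out * net_in // (self.reserve_in + net_in)
```

The range check sits in both the setter and the swap path, so a value that slips past one control is still rejected before it reaches the pricing arithmetic.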
Normie | Amount Lost: $882K
On May 26th, the NORMIE exploit on the Base network resulted in an $882K loss. The root cause was the unauthorized minting of tokens. The attacker used flash loans to swap ETH for NORMIE tokens to equal the balance of the deployer address, thereby getting added to the _premarket_user list. Gaining permission as a premarket user allowed the exploiter to mint 650 billion NORMIE tokens. The Normie team acknowledged the exploit and offered a white hat bounty.
Exploit Contract (on Base): 0x7f12d13b34f5f4f0a9449c16bcd42f0da47af200
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.