Poloniex, Unibot, Maestro, Astrid: $124M Burned by Keys, Calls, and Clones
Poloniex’s $123M key compromise wasn’t the only failure. Unibot and Maestro both shipped router contracts missing basic input validation — invites for attackers. Astrid let fake tokens slip through faulty withdrawal logic. In each case, either the access was too open or the checks were too weak. The result: $124M gone, all preventable.
In Brief
Poloniex lost $123M due to a private key compromise.
Unibot ($640K) and Maestro ($502K) were exploited through router contracts that lacked input validation.
Astrid Finance was hacked for $228K through a logic flaw in its withdraw() function.
Hacks Analysis
Poloniex | Amount Lost: $123M
On November 10th, the Poloniex exploit on multiple chains resulted in a $123M loss due to the compromise of private keys. The attacker drained $57 million worth of ETH, $47 million worth of TRON, and $19 million worth of BTC. Poloniex confirmed the exploit and stated that a portion of the stolen assets had been frozen and that affected customers would be reimbursed. Additionally, a 5% bounty was offered to the hackers. In response to the incident, Poloniex temporarily suspended deposits and withdrawals, which resumed on November 15th. That a single key compromise could drain hot wallets on three separate chains is the practitioner takeaway: signing authority for exchange hot wallets should be split (multisig, MPC or HSM-backed signers) and capped by per-period withdrawal limits, so that one stolen key cannot empty every wallet at once.
Unibot | Amount Lost: $640K
On October 31st, the Unibot exploit on the Ethereum Mainnet resulted in a $640K loss. The root cause was the lack of input validation in Unibot's router contract, which had been deployed on October 28th. The attacker called the 0xb2bd16ab() function with an arbitrary address, which the router passed through to transferFrom(); because users had approved the router to spend their tokens, this let the attacker pull funds from any address that had granted the router an allowance. The router's source code remains unverified on block explorers, so users could not review it before approving it.
Astrid Finance | Amount Lost: $228K
On October 28th, the Astrid Finance exploit on the Ethereum Mainnet resulted in a $228K loss due to a logic vulnerability. The root cause was a flaw in the withdraw() function of the AstridProtocol contract that allowed the attacker to mint and deploy fake tokens through that call and then use the resulting allowance to extract real funds at a profit. The Astrid Finance team acknowledged the exploit, refunded the affected users, and paid a 20% bounty to the hackers.
Maestro | Amount Lost: $502K
On October 24th, the Maestro exploit on the Ethereum Mainnet resulted in a $502K loss. The root cause was the same as in the Unibot incident: the router contract lacked input validation. The attacker called the 0x9239127f() function with an arbitrary address, triggering transferFrom() and draining tokens from users who had approved the router. Maestro confirmed the exploit and suspended the functionality of its router contract. In both incidents the lesson is the same: a router that holds user approvals must never let the caller choose the address tokens are pulled from or the contract it calls out to, and users who approved either router should revoke those allowances.
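The pattern behind the Unibot and Maestro router bugs, shown as an added example that is not code from either project: their routers are only known by function selector, so the function names, parameters, the owner-managed allowlist and the two-step fix below are assumptions about how such a router is typically written and hardened, not a reconstruction of the actual contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface a trading router needs.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable shape (hypothetical): the caller chooses which address
/// tokens are pulled from. Every user who approved this router can be
/// drained by anyone, because the allowance the victim granted to the
/// router is spent on the attacker's behalf.
contract VulnerableRouter {
    function pull(address token, address from, uint256 amount) external {
        // BUG: `from` is attacker-controlled instead of msg.sender.
        IERC20(token).transferFrom(from, address(this), amount);
        IERC20(token).transfer(msg.sender, amount);
    }
}

/// Hardened shape (hypothetical): tokens are only ever pulled from
/// msg.sender, and any outbound call goes only to an owner-approved target.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    error NotOwner();
    error TargetNotAllowed(address target);
    error CallFailed();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Allowlist only DEX routers, never token contracts: if a token were
    /// an allowed target, attacker-supplied `data` could still encode a
    /// transferFrom against other users' allowances.
    function setTarget(address target, bool ok) external onlyOwner {
        allowedTarget[target] = ok;
    }

    function swap(
        address tokenIn,
        uint256 amountIn,
        address target,
        bytes calldata data
    ) external {
        // Fix 1: the only allowance this router may spend is the caller's own.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");

        // Fix 2: no arbitrary external call; the target must be allowlisted.
        if (!allowedTarget[target]) revert TargetNotAllowed(target);
        (bool ok, ) = target.call(data);
        if (!ok) revert CallFailed();
    }
}
```

The two fixes address two distinct ways an "arbitrary address" reaches transferFrom(): the victim address being passed in directly (Fix 1), and the router being told to call an arbitrary contract, where the attacker picks a token contract and supplies transferFrom calldata (Fix 2). A router needs both, since the second route bypasses the first entirely.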
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract, then created a second malicious contract and transferred 1,001 ETH to it. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty if the funds are returned to the exchange.