Weekly Report (Jul-24)


  • McDonald’s launched the McNuggets Land metaverse experience on the Sandbox platform.
  • Amazing Thailand rolled out plans for a third NFT-packed tourist season.
  • Seven Bank launched an NFT-backed campaign on Astar.

Blockchain Hacks

Ocean (the BNO token) was exploited on the BNB chain, resulting in a loss of $505,000. The root cause is a vulnerable function in which the reward debt is updated after NFT transfers without the related bonus, making it smaller than the actual reward claimed. The pool contract supported both ERC20 and NFT stakes; however, the emergencyWithdraw function allowed users to withdraw their ERC20 stakes but didn’t process the NFT stake records. The attacker repeatedly staked the same two Ocean NFTs and claimed their share of rewards, which resulted in the loss of 1.84 million BNO tokens, worth approximately $505,000. We have shared a detailed analysis of the exploit in this blog.
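The reward-debt flaw described above can be reproduced in a small model. This is an added example, not the Ocean contract's code: the class, its method names, and all numbers are constructed, and it models only the reading that the debt update omits the NFT bonus while the payout includes it.

```python
class StakePool:
    """Single-staker model: ERC20 stake plus a bonus weight from staked NFTs."""

    def __init__(self, hardened, acc_per_share):
        self.hardened = hardened
        self.acc = acc_per_share   # rewards accrued per unit of weight so far
        self.amount = 0            # ERC20 stake
        self.nft_bonus = 0         # extra weight granted by staked NFTs
        self.reward_debt = 0       # rewards already accounted for
        self.paid = 0              # total rewards paid out to the staker

    def _settle(self):
        # Pay everything earned on the full weight that is not yet in the debt.
        weight = self.amount + self.nft_bonus
        self.paid += weight * self.acc - self.reward_debt

    def _update_debt(self):
        if self.hardened:
            # Debt covers the same weight that _settle pays on.
            self.reward_debt = (self.amount + self.nft_bonus) * self.acc
        else:
            # Flaw described in the report: the NFT bonus is left out.
            self.reward_debt = self.amount * self.acc

    def deposit(self, amount):
        self._settle()
        self.amount += amount
        self._update_debt()

    def stake_nft(self, bonus):
        self._settle()
        self.nft_bonus += bonus
        self._update_debt()

    def unstake_nft(self):
        self._settle()
        self.nft_bonus = 0
        self._update_debt()

def rewards_from_restaking(hardened, rounds):
    """Rewards paid for staking and unstaking the same NFT while no new
    rewards accrue (acc_per_share never changes)."""
    pool = StakePool(hardened, acc_per_share=5)
    pool.deposit(100)
    for _ in range(rounds):
        pool.stake_nft(50)
        pool.unstake_nft()
    return pool.paid
```

With the bonus missing from the debt, every round pays the bonus share of all historical rewards again; once the debt covers the full weight, the same sequence pays nothing.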

GMETA, a project on the BNB chain, appears to have executed a rug pull. The contract owner moved 1 million GMETA tokens to an externally owned address and then liquidated about 120,000 of those tokens, siphoning off approximately $2.367 million in USDT from the liquidity pool. After this, the token’s value plummeted by 96%. Additionally, another address laundered the remaining 1 million USDT by distributing it across several addresses in smaller denominations, bringing the total to around $3.6 million.

Crn DEX was exploited on the BNB chain, resulting in a loss of approximately $893,000. The exploited funds were removed from the liquidity pool and then transferred to an EOA, which has since started to launder the illicit funds through Tornado Cash. The associated contracts are unverified; therefore, the root cause of the exploit is unknown at this moment.

Flashmall on the BNB chain was subject to a rug pull, causing a loss of approximately $550,000. The privileged address set up by the project initiated the exploit by tampering with the set point rate function. This manipulation allowed the scammer to mint tokens at ten times the normal rate, which were then swapped back at a 1:1 ratio. Subsequently, the attacker removed the liquidity, profiting to the tune of $550,000. This ill-gotten gain was ultimately laundered through Tornado Cash.

Fire Fist (FFIST Token) was exploited on the BNB chain, resulting in a loss of approximately $91,000. The root cause of the exploit is a random airdrop address generator. The contracts included an airdrop function in the transfer routine, which is designed to airdrop FFIST tokens to random addresses. The seed was built from the last airdrop address, the block number, and the transfer's from and to addresses, all of which are easy to predict or manipulate. In addition, the airdrop set the recipient's balance to one token instead of adding one token to it. This caused the pool's FFIST balance to be set to 1, leading to an imbalance in the pool. Therefore, a small amount of FFIST tokens could be exchanged for a large amount of USD. The attackers also targeted projects including AI-Doge and QX using the same set of techniques and made a total of 450 BNB, worth approximately $110,000.
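The two flaws in the airdrop routine, shown as a model beside the corrected balance update. This is an added example, not the FFIST contract's code: the addresses and reserves are constructed, SHA-256 stands in for the contract's hash, and the pool quote is a fee-free constant-product formula.

```python
import hashlib

PAIR = "0x" + "ab" * 20      # constructed liquidity-pool address
USD_RESERVE = 100_000        # constructed pool reserves
TOKEN_RESERVE = 1_000_000

def airdrop_recipient(last_airdrop, block_number, sender, to):
    """Recipient derived only from the public inputs the report lists.
    SHA-256 is a stand-in for the contract's hash (assumption)."""
    seed = f"{last_airdrop}:{block_number}:{sender}:{to}".encode()
    return "0x" + hashlib.sha256(seed).hexdigest()[-40:]

class Token:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {PAIR: TOKEN_RESERVE}

    def airdrop(self, recipient):
        if self.hardened:
            # Corrected form: add one token to whatever the recipient holds.
            self.balances[recipient] = self.balances.get(recipient, 0) + 1
        else:
            # Flawed form from the report: the balance is overwritten with 1.
            self.balances[recipient] = 1

def usd_out(token, tokens_in):
    """Constant-product quote using the pool's current token balance."""
    reserve = token.balances[PAIR]
    return USD_RESERVE * tokens_in // (reserve + tokens_in)

def quote_after_airdrop_to_pool(hardened, tokens_in=1000):
    """USD quoted for tokens_in after an airdrop whose recipient is the pool."""
    token = Token(hardened)
    token.airdrop(PAIR)
    return usd_out(token, tokens_in)
```

Because `airdrop_recipient` is a pure function of values visible before the transfer is sent, the recipient is known in advance and changes with the caller-chosen `to`. The overwrite turns that into a pricing problem: the same 1,000-token quote goes from 99 USD to 99,900 USD.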

Utopia was exploited in a similar way to Fire Fist and the other tokens. This attacker was initially funded with 1 BNB from Tornado Cash and stole 496 BNB worth approximately $120,000. The total loss due to the airdrop-related vulnerability has exceeded $230,000.

Scooby Pepe (SCO token) was identified as a rug-pull project, in which the scammers took away funds worth 128 ETH, amounting to approximately $243,172.

Conic Finance was exploited due to a smart contract vulnerability, which resulted in a loss of funds worth approximately $3.2 million. The root cause of the vulnerability is the price manipulation of assets caused by read-only reentrancy. Attackers were able to exploit multiple issues in the ConicPool contract to manipulate the prices of one of their underlying pools, allowing them to remove more liquidity tokens than they had deposited. Following the exploit on the ETH Omnipool, the crvUSD Omnipool was also exploited. A total of $934,000 was stolen from this contract, giving the attacker a profit of approximately $300,000. The total loss of funds on these contracts exceeds $4.13 million. In this blog, we have shared a detailed analysis of the exploit.

LooBr, a cross-chain social-media NFT marketplace, was identified as a rug-pull in which funds totaling approximately $64,000 were stolen by the deployer of the contract.

Alphapo, the cryptocurrency payment service provider, has reportedly suffered an exploit in their hot wallets due to the compromise of the private keys. Over $23 million worth of funds in ETH, TRX, and BTC have been stolen. The stolen funds also include assets such as 6.074 million USDT, 108,000 USDC, 100.2 million FTN, 430,000 TFL, 2500 ETH, and 1700 DAI. The drainer swapped stablecoins and some other cryptos for 5730 ETH and bridged them via the Avalanche bridge to BTC. Reportedly, the exploited contracts reveal that the total loss of funds exceeds $100 million.

Metaverse and NFTs

McDonald’s Hong Kong has embraced the realm of blockchain gaming by introducing McNuggets Land within The Sandbox platform. This groundbreaking launch represents an innovative approach to engaging with their customers, offering a one-of-a-kind digital experience to commemorate the 40th anniversary of their beloved Chicken McNuggets menu item. Through the game, players are invited to immerse themselves in an exciting journey featuring personified nugget characters and captivating decor inspired by the iconic dipping sauces. The vibrant world of Chicken McNuggets awaits as players embark on various quests and challenges, unlocking a host of rewards both in the real world and within the blockchain ecosystem as they achieve significant milestones. This creative endeavor not only celebrates a cherished menu item but also paves the way for an exciting fusion of technology and entertainment.

Amazing Thailand NFTs have garnered immense popularity among collectors. In the captivating and diverse nation of Thailand, the tourism NFT initiative returns for its third season, presenting an enticing challenge to visitors: the quest to explore the country’s captivating tourist hotspots in exchange for exclusive non-fungible rewards. Unlike its predecessors, this latest campaign promises to be even more rewarding, with a significant increase in the number of NFTs offered to adventurous travelers. Participants can unlock an array of exciting new benefits and discounts associated with these unique digital assets. Amazing Thailand aims to distribute an impressive 55,000 NFTs from July 20 to August 31, scattered across numerous locations throughout the nation. These sought-after NFTs encompass 50 captivating Reity Studio artworks, strategically placed at 40 attractions, 32 airports, 7 bus stations, and the railway network. Additionally, another 5,000 NFTs are made available through reputable vendors, including hotels, restaurants, wellness retreats, and retail stores, adding to the allure of this exceptional initiative.

Seven Bank, a prominent Japanese financial institution, has unveiled a groundbreaking soul-bound NFT project aimed at contributing to environmental conservation efforts. In collaboration with Astar Blockchain and Sushi Top Marketing, this initiative, running from July 18 to October 16, encourages users to partake in the noble cause of saving the planet. By making donations towards the memorial fund for environmental causes through any of the 26,000 Seven Bank ATMs, participants become eligible to receive a complimentary digital artwork. Upon donating, they will be provided with a deposit receipt containing a unique QR code. This QR code can be scanned to set up a Sushi Top Marketing wallet, facilitating the claim of the exclusive artistic token.

OnChain Insurance Industry News

InsurAce Protocol announced that Level Finance has been listed on their platform, where users can get covered against smart contract vulnerabilities occurring on the Omnichain Perpetual DEX.