Weekly Report (Jul-31)


  • Over $58 million was lost in multiple DeFi hacks.
  • The British Museum is set to bring history lessons to The Sandbox Metaverse.
  • Graham’s Port unveiled limited-edition NFT port cases.
  • Ducati races into the Web3 world with free NFTs on the XRP Ledger.

Blockchain Hacks

The unaudited Token Locker contract of MetaLabz was exploited due to invalid authorization checks, which resulted in a loss of funds worth approximately 400 BNB. The exploiter has already laundered the stolen funds, worth 351 BNB, into Tornado Cash.

Palmswap was exploited on the BNB chain, which resulted in a loss of funds worth approximately $901,000. The root cause of the exploit is the price manipulation of the underlying PLP token, which is determined by the number of USDT in the Vault contract and the USDP supply. The attacker was able to manipulate the amount of USDT in the Vault by calling the buyUSDP function. We have shared a detailed analysis of the exploit in this blog.

EraLend was exploited due to a smart contract vulnerability, resulting in a loss of approximately $2.76 million. The root cause of the vulnerability is a read-only reentrancy issue caused by the incorrect implementation of the LP Oracle, which used the pool reserve amounts to determine the LP price. Because the pool executed the callback before the reserves were updated, the attacker was able to re-enter while the reserves were still stale and manipulate the oracle price. In this blog, we have shared a detailed analysis of this exploit.
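The stale-reserve read described above can be reproduced in a small model. This is an added example, not code from the report or from EraLend: `Pool`, `naive_lp_price` and `guarded_lp_price` are hypothetical names, the numbers are constructed, and the model assumes the LP supply is reduced before the callback while the reserves are reduced after it.

```python
class ReentrantRead(Exception):
    """Raised when the pool is priced while a state change is in flight."""

class Pool:
    # Constructed toy pool: two reserves of equal unit value, one LP supply.
    def __init__(self, reserve0, reserve1, lp_supply):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.lp_supply = lp_supply
        self.locked = False  # reentrancy flag that view callers can inspect

    def burn(self, lp_amount, callback):
        self.locked = True
        out0 = self.reserve0 * lp_amount // self.lp_supply
        out1 = self.reserve1 * lp_amount // self.lp_supply
        self.lp_supply -= lp_amount   # assumption: supply shrinks first
        callback()                    # external call while reserves are stale
        self.reserve0 -= out0         # reserves are only updated afterwards
        self.reserve1 -= out1
        self.locked = False

def naive_lp_price(pool):
    # Oracle that trusts the raw reserves, whatever state the pool is in.
    return (pool.reserve0 + pool.reserve1) / pool.lp_supply

def guarded_lp_price(pool):
    # Hardened oracle: refuse to price a pool that is mid-operation.
    if pool.locked:
        raise ReentrantRead("pool is mid-operation; reserves are not final")
    return naive_lp_price(pool)

def observe_during_burn(price_fn, lp_amount=500):
    """Record the oracle price before, during and after a burn callback."""
    pool = Pool(1000, 1000, 1000)
    seen = {"before": price_fn(pool)}

    def callback():
        try:
            seen["during"] = price_fn(pool)
        except ReentrantRead:
            seen["during"] = None     # oracle rejected the mid-operation read
    pool.burn(lp_amount, callback)
    seen["after"] = price_fn(pool)
    return seen

if __name__ == "__main__":
    print("naive  :", observe_during_burn(naive_lp_price))
    print("guarded:", observe_during_burn(guarded_lp_price))
```

The naive oracle reports a doubled price only inside the callback, which is why a state-changing reentrancy lock on the pool alone does not help: the consumer of the view function has to check the lock as well.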

Carson was exploited on the BNB chain for approximately $143,800 across four different transactions. The root cause of the exploit is likely the deflation token issue, but this cannot be confirmed because the code base is not open source. The exploiter swapped the stolen USDT for 600 BNB and then laundered it into Tornado Cash. The price of the underlying Carson token dropped by 96% following the exploit.

DeFiLabs on the BNB chain was identified as a rug-pull, during which funds worth approximately $1.4 million were swept away. The privileged address associated with the contract withdrew approximately 1.4272 million BSC-USD staked in one of their contracts via the backdoor function.

Kannagi Finance, the zkSync Era revenue aggregator protocol, has executed a rug pull by taking away all of its TVL assets worth $2.13 million. Approximately 600 ETH, worth $1.13 million, have already been laundered to Tornado Cash. The team has also deleted their official website and other social media channels. Following this incident, the price of the underlying KANA token dropped by over 99%.

The pETH/ETH pool contract of JPEG’d, an NFT lending platform, was exploited due to a smart contract vulnerability, which resulted in a loss of funds worth 6,106 WETH, totaling approximately $11.4 million. The root cause of the attack is incorrect or misconfigured reentrancy protection. This was triggered by a zero-day exploit in the Vyper language, which affected three of its compiler versions: 0.2.15, 0.2.16, and 0.2.30. The attacker was able to manipulate the price calculation by re-entering the vulnerable add liquidity function right after calling the remove liquidity routine, thereby updating the balance in the process.

Alchemix was also exploited due to the zero-day exploit in the Vyper language, which resulted in a loss of 7,258 ETH worth approximately $13.6 million. This exploit was limited to the alETH (alETH+ETH-f) pool contract. The attack also targeted MetronomeDAO, which resulted in a loss of 866 ETH worth approximately $1,625,950. This exploit was limited to their sETH-ETH-f pool contract. Additionally, Ellipsis Finance was attacked through the same exploit, which resulted in a loss of 282 WBNB, worth approximately $68,581. Furthermore, deBridge Finance was exploited for 13.13 ETH, worth approximately $24,590.

The CRV/ETH LP of Curve Finance was exploited in multiple transactions, which resulted in a loss of funds worth over $24 million. Approximately 7,680 WETH and 7.193 million CRV tokens, totaling $14.413 million, were exploited in one of the attack transactions. The CRV/USD contracts and other associated non-ETH pools remain unaffected. This attack was likewise caused by the lack of reentrancy protection resulting from the zero-day exploit in the Vyper language.

Metaverse and NFTs

Animoca Brands has penned a Memorandum of Understanding with Hi, signaling their intent to form a potent alliance. This prospective collaboration could see Animoca Brands making strategic investments in Hi’s avant-garde Web3 Financial application. The duo’s shared vision extends beyond mere capital infusion; they’re keen on revolutionizing the utility landscape of both fungible tokens and NFTs in the burgeoning Web3 domain. A notable highlight is their ambition to supercharge the Hi ecosystem by equipping developers with an unparalleled human authentication tool, courtesy of the Hi protocol’s novel Proof of Human Identity (PoHI) framework.

In an exciting mesh of tradition and innovation, the esteemed British Museum is embarking on its maiden voyage into the metaverse, joining forces with The Sandbox. This avant-garde collaboration, augmented by their association with LaCollection, aims to digitally encapsulate the rich tapestry of the museum’s legacy, dating back to its inception in 1753. Initial undertakings will witness the transformation of some of its most iconic artifacts into voxel representations. These digital iterations of timeless treasures will soon grace the Metaverse, granting global enthusiasts an unparalleled opportunity to engage and explore. This modernized engagement offers users a front-row seat to the annals of global history, all from the convenience of their digital devices.

Graham’s Port marked its entry into the NFT space by introducing 50 distinctive Port cases, each with an NFT-backed authentication. Beginning July 24, aficionados can acquire a rare case featuring two exemplary bottles of Port. The first, a 1970 vintage, showcases the Symingtons’ initial foray into winemaking, whereas the latter encapsulates the 2020 anniversary edition, crafted five decades later. Of the golden 50, 44 are reserved for exclusive access at the storied Graham’s lodge in Portugal, each unlocking exclusive perks for its holder, including priority access to future releases and six immersive tasting sessions at the lodge. Venturing into the decentralized world, five of the coveted cases are earmarked for the WineChain Web3 platform. Notably, the final jewel will grace the Golden Vines Online Auction, benefiting the esteemed Gérard Basset Foundation.

The automobile sector’s transition into the Web3 era is accelerating, with illustrious brands like Lamborghini, Renault, and DeLorean driving innovation through their NFT initiatives. Not one to be left in the rearview mirror, Ducati has entered into the Web3 world, rolling out digital collectibles via the XRP Ledger blockchain on July 26th. Their maiden NFT encapsulates a visual odyssey, tracing the Ducati emblem’s metamorphosis since 1946, interspersed with glimpses of their legendary motorbikes across epochs. Early adopters minting this NFT will secure priority access for upcoming drops and harness exclusive utilities on Ducati’s Web3 platform.

OnChain Insurance Industry News

Edward Ryall, Co-Founder of Neptune Mutual, joined Nicholas Merten from DataDash to discuss the importance of mitigating risks in DeFi, the role of DeFi Insurance, and how Neptune Mutual aims to provide a solution for projects looking to safeguard their communities in the ever-changing industry of blockchain and cryptocurrency.

InsurAce Protocol announced the listing of dForce Finance on their platform and urged users to purchase cover for it, which has a limited capacity available on a first-come, first-served basis.