Weekly Report (Jun-17)

TL;DR

  • Over $42.55 million was lost in multiple DeFi hacks.
  • Bento Batch launched the Bento Verse NFT Collection on the Optimism Network.
  • Toikido taps into OpenSea to launch Bad Egg digital collectibles.

Blockchain Hacks

UwU Lend was exploited across three different transactions on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of over 5272 ETH, totaling approximately $23 million. The root cause of the exploit is due to the manipulation of the price oracle. The vulnerable and exploited contract is actually a fork of AAVE v2, but the UwU protocol made some changes to the fallback oracle, allowing for price manipulation of the underlying assets.

JokInTheBox, the MEV Bot service provider, was exploited on the Ethereum Mainenet, which resulted in a loss of assets worth approximately $34,000. The attacker was able to steal 109 billion JOK tokens and then swap them for roughly 9.12 ETH. The root cause of the exploit is a badly implemented unstake function in the staking contract. This function didn’t account for the state of the unstake variable, allowing the exploiter to unstake the assets multiple times before ultimately draining them.

Yolo Games was exploited due to a smart contract vulnerability, which resulted in a loss of 392 ETH, worth approximately $1.4 million. The liquidity pool of the protocol had gone live on Baazar in the Blast network just a day prior to the exploit. The root cause of the exploit is a lack of permission checks in the exit pool function of the smart contract, which allowed anyone to impersonate the liquidity providers. The exploiter has already returned 90% of the stolen assets.

Just three days after the original exploit, UwU Lend was exploited by the same attacker, which resulted in a further $3.72 loss for the protocol. This second exploit was not the result of the same vulnerability as the original exploit but rather a consequence of the initial attack vector. The original exploiter held a significant amount of USDE tokens from the first attack. Despite the protocol reportedly being paused, USDE was still considered legitimate collateral for the protocol. This allowed the exploiter to take advantage of the remaining funds in USDE and drain other UwU lending pools. The second attack drained funds from several asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen assets were converted to ETH and then sent to three different addresses, likely controlled by the attacker. In this blog, we have shared a detailed analysis of the exploit.

The Holograph protocol was exploited due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $14.4 million. According to the team, a former contractor exploited an infinite mint vulnerability in their smart contract to release an additional 1 billion HLG tokens, which were further dumped. This malicious actor, who had funded the operator contract roughly 26 days before the attack, deployed an unverified contract on Mantle, which was used to mint the additional tokens caused by a function that exploited the protocol’s verification method.

Metaverse, and NFTs

Bento Batch, a streamlined transaction layer employing Account Abstraction (AA) to boost blockchain efficiency, has introduced the Bento Verse NFTs on the Optimism network. This move commemorates Bento Batch reaching over 10,000 users and handling more than 500,000 batch transactions, underscoring the advantages of batch minting in improving on-chain processes. The Bento Verse NFTs feature four elements: inferno, atmos, aquatica, and crystal. Among these, crystal is the most scarce, with a collection likelihood of 1%, whereas the others have a 33% likelihood. Initially, the first four NFTs are available for minting at no cost, but subsequent mints will cost 0.004269 ETH each. Collectors of all four elements will enjoy additional utility benefits. Those interested in participating can visit the minting website, connect their wallets, and set up a new account with Blocto, which provides gas-free services and supports batch transactions, thus enhancing the minting process.

Toikido rolled out its plans for the launch of the Bad Egg Co. digital collectibles, which are set to debut on June 20th through a collaboration with the OpenSea NFT marketplace. These items will be minted on the Ethereum blockchain. Located in the Sunnyside area of New Yolk City, Bad Egg Co. identifies strongly with the skateboarding scene, showcasing a blend of rebelliousness, adventure, and community spirit. The collection features a variety of characters, each with their own unique personality and style. Notably, the One of Ones within the Bad Egg Co. collection are particularly in demand. These 12 exclusive digital collectibles each feature unique characteristics and custom backgrounds, enhancing their value and rarity, making them the most desirable items in the series.

OnChain Insurance Industry News

The voice of the Neptunite community continues to grow on X as Neptunites post about recent cover purchases using the #DeFiInsurance tag. Neptunites are also actively engaging with Neptune Mutual’s social media accounts as momentum grows about sharing the benefits of protecting digital assets from smart contract hacks.