[This blog is published with authorization from the PolyNetwork team]

Given the opportunity to perform an informal security review of the Pull Request 12 (PR-12) of the eth-contracts repository, we summarize in the report our assessment to evaluate the design goal, expose potential security issues, and examine semantic inconsistencies, if…

Starting at Jun-25–2021 12:07:25 AM +UTC, xWin Finance was exploited and the attacker gained about $270k. This incident was due to invalid slippage control in the protocol, which was exploited in a flashloan to obtain extra xWin rewards. In the following, we elaborate on the technical details.

Summary

This incident was…

Starting at June-22–2021 22:58:39 +UTC, Eleven Finance was exploited to drain a number of vaults at a loss of about $4.6 million. The incident was due to a bug that allows the attacker to withdraw funds without burning any shares. While it appears to be a flashloan attack, it is a…

Starting at May-22–2021 02:47:06 PM +UTC, Bogged Finance was exploited to inflate the BOG balance, which was immediately sold to gain about $3.6M. The incident was due to a bug that allows the attacker to increase the balance via self-transfer. While it appears to be a flashloan attack, it is…

Starting at May-19–2021 10:34:28 PM +UTC, PancakeBunny was exploited to mint 6.97 million BUNNY as a reward from its vault (VaultFlipToFlip). The incident was due to a bug in the way the LP price is measured from an AMM-based oracle. It is worth mentioning that this attack involves 8…

Starting at 10:36:20 AM +UTC, May 16, 2021, BearnFi’s BvaultsBank contract was exploited to drain about $11M in funds from the pool. The incident was due to a bug in its internal withdraw logic, which inconsistently reads the same input amount but with different asset denominations between BvaultsBank and the associated strategy…

[Disclaimer] This analysis is based on the initial finding by @FrankResearcher!

Starting at 07:41:39 PM +UTC, May 7, 2021, ValueDeFi’s vSwap contract was exploited to drain a number of pools at a loss of about $11M. The incident was due to the improper use of a complex exponentiation power() function…

Starting at 04:38:39 PM +UTC, May 1, 2021, the Spartan protocol contract was exploited, resulting in a loss of more than $30M. The incident was due to a flawed liquidity share calculation in the protocol, which was exploited to drain assets from the pool. …

Beijing, April 30th — PeckShield Inc. (PeckShield), the industry-leading blockchain security company, announced joining forces with the Binance Smart Chain (BSC) ecosystem to enhance security implementations in a rapidly expanding Decentralized Finance sector.

Data shows that both transaction volume and unique active wallets (UAWs) on BSC have risen substantially. Since 2021…

Starting at 16:47:53PM UTC, Feb. 27, 2021, the Furucombo protocol contract was exploited, resulting in a loss of more than $14M. The incident was due to a flaw of inappropriate trust in the protocol, which was exploited to cascadingly misuse the spending allowances its users had granted to the protocol. …

PeckShield

A Blockchain Security Company (https://peckshield.com)
