Weekly Report (Apr-17)
Yearn Finance, & Hundred Finance exploit. Canon, Adidas, and Mastercard web3 initiatives.
Sentiment Protocol and SushiSwap exploits. Ralph Lauren and Bugatti web3 initiatives.
The Sentiment Protocol was exploited on the Arbitrum chain, resulting in a loss of approximately $1 million. The root cause of the exploit was a re-entrancy vulnerability in Balancer, which let the attacker execute a malicious contract before the pool balances were updated and then steal funds using overpriced collateral. The attacker invoked a function of the Balancer vault using a flash loan of 606 WBTC, 10,130 WETH, and 18.58 million USDC tokens, which ultimately increased the total supply of the LP token. Then, the attacker withdrew the assets by calling one of the functions of the oracle contract that calculated the token price inaccurately, after which tokens including 606.8 WBTC, 1k ETH, and 17.9m USDC were transferred. Amongst these transfers, the transfer of ETH triggered the fallback function of the exploiter contract. As a result, the total supply of the LP tokens was decreased, but the recorded balances of WBTC, WETH, and USDC were not updated in the pool. This skewed the price of the tokens, allowing the attacker to borrow multiple assets at the skewed price. We have shared a detailed analysis of the exploit in this blog post.
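The accounting gap described above can be reproduced in a small model. This is an added example, not Balancer or Sentiment code: the `Pool` class, the `in_operation` flag, the guarded oracle and all balances and prices are constructed assumptions, and the guard is one assumed mitigation (refuse to price while the pool is mid-operation).

```python
# Simplified model (constructed for illustration; not Balancer or Sentiment code).
class ReentrantRead(Exception):
    pass

class Pool:
    def __init__(self, balances, lp_supply):
        self.balances = dict(balances)   # token -> recorded units held by the pool
        self.lp_supply = lp_supply       # LP tokens outstanding
        self.in_operation = False        # True while an exit is mid-flight

    def exit(self, lp_amount, on_native_transfer):
        """Burn LP tokens, pay out pro rata, update recorded balances last."""
        self.in_operation = True
        share = lp_amount / self.lp_supply
        payouts = {t: b * share for t, b in self.balances.items()}
        self.lp_supply -= lp_amount      # supply is reduced first
        on_native_transfer(self)         # native transfer hands control to the recipient
        for token, amount in payouts.items():
            self.balances[token] -= amount   # recorded balances catch up only now
        self.in_operation = False

def naive_lp_price(pool, prices):
    """Oracle that trusts whatever the pool reports at call time."""
    value = sum(pool.balances[t] * prices[t] for t in pool.balances)
    return value / pool.lp_supply

def guarded_lp_price(pool, prices):
    """Same formula, but refuses to price while the pool is mid-operation."""
    if pool.in_operation:
        raise ReentrantRead("pool state is inconsistent; refusing to price")
    return naive_lp_price(pool, prices)

def observe_during_exit(oracle):
    """Return (price before, price seen inside the callback, price after)."""
    prices = {"WBTC": 28000.0, "WETH": 1900.0, "USDC": 1.0}   # constructed prices
    pool = Pool({"WBTC": 10.0, "WETH": 100.0, "USDC": 200000.0}, lp_supply=1000.0)
    before = naive_lp_price(pool, prices)
    seen = {}

    def callback(p):
        try:
            seen["during"] = oracle(p, prices)
        except ReentrantRead:
            seen["during"] = None        # guarded oracle declined to answer

    pool.exit(500.0, callback)
    return before, seen["during"], naive_lp_price(pool, prices)
```

With the naive oracle, the price read inside the callback is double the price before and after the exit. The guarded oracle returns no price at that point.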
SushiSwap was exploited due to a bug in the RouterProcessor2 contract, resulting in a loss of over $3.3 million. Hackers used a fake Uniswap V3 pool with the new SushiSwap router, which didn't check that the pool was genuine, so the fake pool was able to call the router callback with malformed arguments. The bug allowed the hacker to transfer the tokens without any approval from their owner. Approximately 190 Ethereum addresses and 2,000 addresses on the Arbitrum chain had approved the malicious contract. It is reported that only users who swapped on SushiSwap within the four days prior to the incident were affected. All users who had interacted with the SushiSwap router are recommended to revoke their approvals.
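The missing check can be shown with a minimal model of a router callback. This is an added example, not SushiSwap's RouterProcessor2 source: the `Token` and `Router` classes, the `genuine_pools` registry and the account names are constructed assumptions standing in for an allowance-based token and a factory-verified pool list.

```python
# Simplified model (constructed; not SushiSwap's RouterProcessor2 source).
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}              # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        approved = self.allowance.get((owner, spender), 0)
        if approved < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, spender)] = approved - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Router:
    def __init__(self, token, genuine_pools, hardened):
        self.token = token
        self.genuine_pools = set(genuine_pools)  # assumed registry of verified pools
        self.hardened = hardened

    def swap_callback(self, caller, payer, amount):
        """Called by a pool to collect the input tokens it is owed."""
        if self.hardened and caller not in self.genuine_pools:
            raise PermissionError("callback from unverified pool")
        # The router spends the payer's allowance on the caller's behalf.
        self.token.transfer_from("router", payer, caller, amount)

def run_case(hardened, caller):
    """Return the user's balance after `caller` invokes the callback."""
    token = Token({"user": 100})
    token.approve("user", "router", 100)         # user approved the router earlier
    router = Router(token, genuine_pools={"pool_genuine"}, hardened=hardened)
    try:
        router.swap_callback(caller, payer="user", amount=100)
    except PermissionError:
        pass                                      # callback rejected, nothing moved
    return token.balances["user"]
```

Revoking the approval, as recommended above, removes the allowance that the callback spends, so the transfer fails even against the unhardened router.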
A malicious proposer exploited a vulnerability in the Flashbots-maintained, open-source mev-boost-relay implementation to steal approximately $25 million from multiple sandwich bots. The attack was possible because the exploited relay disclosed block bodies to the proposer if the proposer correctly signed a block header, but the relay didn't check whether the signed block header was valid. If the block header was signed but invalid, the relay would attempt to publish the block to the beacon chain, where beacon nodes would reject it. Crucially, regardless of whether the block was rejected by beacon nodes or not, the relay would still reveal the body to the proposer. With access to the block body, the bad actor was able to extract transactions from the stolen block and put them in their own block, where they were used to their advantage. The malicious proposer thus constructed their own block that broke the sandwich bots' operation and effectively stole their funds.
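The relay flow described above, next to a corrected ordering, as an added example that is not taken from the mev-boost-relay code base. The `Relay` and `SignedHeader` classes, the `require_accepted_publish` switch and the block hash `0xabc` are constructed assumptions; the corrected flow shown (release the body only if the block was accepted on publish) is one assumed mitigation.

```python
# Simplified relay model (constructed; not the mev-boost-relay code base).
from dataclasses import dataclass

@dataclass
class SignedHeader:
    block_hash: str
    signature_ok: bool    # the proposer's signature verifies
    header_valid: bool    # beacon nodes would accept this header

class Relay:
    def __init__(self, bodies, require_accepted_publish):
        self.bodies = bodies             # block_hash -> builder's block body
        self.require_accepted_publish = require_accepted_publish
        self.published = []              # blocks the beacon nodes accepted

    def _publish(self, header):
        """Stand-in for broadcasting; beacon nodes reject invalid headers."""
        if header.header_valid:
            self.published.append(header.block_hash)
            return True
        return False

    def get_payload(self, header):
        """Return the block body to the proposer, or None if refused."""
        if not header.signature_ok or header.block_hash not in self.bodies:
            return None
        accepted = self._publish(header)
        if self.require_accepted_publish and not accepted:
            return None                  # corrected flow: no body for a rejected block
        return self.bodies[header.block_hash]   # original flow: body revealed anyway

def reveal_outcomes(require_accepted_publish):
    """Return (body for invalid header, body for valid header, published blocks)."""
    body = ["tx1", "tx2"]                # constructed builder transactions
    relay = Relay({"0xabc": body}, require_accepted_publish)
    invalid = SignedHeader("0xabc", signature_ok=True, header_valid=False)
    valid = SignedHeader("0xabc", signature_ok=True, header_valid=True)
    return relay.get_payload(invalid), relay.get_payload(valid), relay.published
```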
Ralph Lauren has made its foray into the world of web3 by collaborating with Poolsuite. Poolsuite community members will receive a "Ralph Lauren x Poolsuite NFT" as part of this collaboration, which will grant access to an exclusive in-person event. The fashion giant hopes to create an immersive experience that will allow visitors to see a distinctly Ralph Lauren expression of coastal living. The event will take place in April, as part of a three-day immersive experience at a beachfront estate in North Miami. The holders of Poolsuite's Grand Leisure collection will be able to update the Leisurist Avatars with Ralph Lauren swag as well.
Bugatti and Asprey have collaborated to create a limited-edition collection of exquisite NFT eggs that represent the Bugatti family's timeless creations, as well as the heritage and craftsmanship of Asprey. The Royale Edition of this Asprey Bugatti Egg Collection was designed by Asprey Studio and signifies the continuation of a partnership between the two luxury brands that began the previous year. Asprey Studio employs cutting-edge production techniques and materials for the development of its limited-edition Bugatti NFT collections. As a result, the Asprey Bugatti Egg Collection is a physical as well as an NFT generative artwork. The Asprey Bugatti collection coincides with the inauguration of the Asprey Studio Gallery in Mayfair in April 2023.
With the start of the April Festival, The Sandbox has begun its latest monthly journey into the Metaverse. Throughout the month, players can compete to win tokens including SAND, LAND, and other NFT rewards. Those who finish the quest will get a guaranteed mystery box and a piece of the $1 million SAND rewards pool. The festival runs from April 5 to May 2. Because of these benefits, the April Festival of The Sandbox Game is one of the most anticipated events in the gaming metaverse. This year's Mystery Box could have a SAND pack or an NFT from a popular series like CyberKongz VX or Gutter Cat. Players must finish 200 quests before being eligible to receive the mystery box.
Neptune Mutual announced that their plans for the token launch and the release of their NFT collection are in the pipeline, and that the complete details will be made public very soon.