Weekly Report (Jan-16)

Roe Finance and LendHub exploited. McDonald’s and Australian Open Metaverse initiatives.


  • McDonald’s is set to celebrate the Lunar New Year in the Metaverse.
  • The Australian Open has taken a swing at the Roblox Metaverse.
  • AR Rahman has announced his new music-focused NFT Metaverse.

The numerous attacks on blockchain-based projects suggest that human integrity is declining, and until morale improves, incidents like these will continue to happen. A recent report by Chainalysis says that the volume of illicit on-chain cryptocurrency transactions has reached an all-time high of $20.1 billion, growing for the second year in a row.

Blockchain Hacks#

The BRA token on BNB Smart Chain (BSC) was attacked, allowing the hacker to steal funds valued at 819 $WBNB, or nearly $225,000. The vulnerability was a logical flaw in the BRA contract's transfer logic, which paid out rewards on transfers involving the PancakeSwap pair. The exploiter first took a flash loan of 1,400 $WBNB and swapped 1,000 $WBNB for 10.5K $BRA tokens. To farm the rewards, the acquired $BRA tokens were transferred to the PancakeSwap pair and then to the BRA contract. After repeating the transfer operation 101 times, the attacker swapped the accumulated tokens back for 1.675K $WBNB and repaid the flash loan. The profit from the initial transaction was 675 $WBNB, and a second attack transaction netted a further 144 $WBNB. We have outlined the detailed analysis of the exploit in our blog post here.

Roe Finance was exploited through a price manipulation attack that resulted in an $80,000 loss; the limited liquidity of the pool is what made the manipulation affordable. An attacker-controlled address first borrowed $USDC from Balancer and deposited it into the roeUSDC pool. The same address then borrowed 2,953,841,283 UNI-V2 from the pool, leaving the debt with the contract creator, and deposited the borrowed tokens back into the pool. These steps were repeated approximately 49 times, after which the contract address burned 0.295 UNI-V2 and received 2.96 $WBTC and 51,661 $USDC. It then transferred 26,024 USDC directly to the UNI-V2 pair and invoked the Uniswap V2 sync function, which inflated the UNI-V2 price that the oracle read from the pair's reserves. Against this inflated collateral it borrowed back the 5,673,090 $USDC that had been deposited into the roeUSDC pool earlier, swapped about 0.66 $WBTC for 14,345 $USDC, and repaid the $USDC to Balancer. The profit was 2.29 $WBTC and 39,982 $USDC, roughly $80,000 in total. We have published a thorough analysis of this attack in one of our blog posts.
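To make the oracle point concrete, the following is an added example written for this report, not Roe Finance's, Uniswap's or any auditor's code. It models a Uniswap V2-style pair with a constructed pool (10,000 USDC and 0.5 WBTC, 100 LP tokens outstanding, an external WBTC price of 20,000 USDC, and a borrower who has posted 90 of the LP tokens at an assumed 80% LTV) and compares two ways of pricing the LP token: a naive valuation that reads both reserves and the WBTC price from the pair itself, and the "fair LP pricing" formula 2·sqrt(k·p0·p1)/totalSupply with p0 and p1 taken from external oracles. It then applies the two single-transaction manipulations the pair exposes: a direct token transfer followed by sync(), as in the attack above, and a plain swap.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class PairV2:
    """Minimal Uniswap V2-style pair (constructed model, not Uniswap's contract).

    token0 is a USD stablecoin, token1 a volatile asset. reserve* is what
    getReserves() reports; balance* is what the pair contract actually holds.
    """
    reserve0: float
    reserve1: float
    total_supply: float  # LP tokens outstanding

    def __post_init__(self):
        self.balance0 = self.reserve0
        self.balance1 = self.reserve1

    def sync(self):
        """Uniswap V2 sync(): overwrite reserves with the current token balances."""
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def donate(self, amount0=0.0, amount1=0.0):
        """Plain ERC-20 transfer to the pair: balances move, reserves do not (until sync)."""
        self.balance0 += amount0
        self.balance1 += amount1

    def swap0_for_1(self, amount0_in):
        """Constant-product swap with the 0.3% fee; k is preserved (grows slightly by the fee)."""
        amount_in_with_fee = amount0_in * 997
        amount1_out = amount_in_with_fee * self.reserve1 / (self.reserve0 * 1000 + amount_in_with_fee)
        self.balance0 += amount0_in
        self.balance1 -= amount1_out
        self.sync()
        return amount1_out


def spot_price1(pair):
    """token1 priced in token0 straight from reserves: movable inside one transaction."""
    return pair.reserve0 / pair.reserve1


def naive_lp_price(pair, p0=1.0):
    """LP price when both the reserves and token1's price are taken from the pair itself."""
    pool_value = pair.reserve0 * p0 + pair.reserve1 * spot_price1(pair) * p0
    return pool_value / pair.total_supply


def fair_lp_price(pair, p0, p1):
    """Fair LP pricing, 2*sqrt(k*p0*p1)/S, with p0 and p1 from external oracles.

    Depends on k rather than on the reserve ratio, so swaps inside the pool cannot move it.
    """
    k = pair.reserve0 * pair.reserve1
    return 2.0 * sqrt(k * p0 * p1) / pair.total_supply


def external_lp_value(pair, p0, p1):
    """Pool holdings marked at external prices: what one LP token is really worth now."""
    return (pair.reserve0 * p0 + pair.reserve1 * p1) / pair.total_supply


def borrow_limit(lp_units, lp_price, ltv):
    """What a lending pool would let the holder of lp_units borrow at the given LP price."""
    return lp_units * lp_price * ltv


def run_scenarios(p1_external=20_000.0, ltv=0.8, lp_collateral=90.0):
    """Valuations before and after two single-transaction manipulations (constructed pool)."""
    def fresh():
        return PairV2(reserve0=10_000.0, reserve1=0.5, total_supply=100.0)

    def snapshot(pair):
        return {
            "naive": naive_lp_price(pair),
            "fair": fair_lp_price(pair, 1.0, p1_external),
            "external": external_lp_value(pair, 1.0, p1_external),
            "naive_borrow_limit": borrow_limit(lp_collateral, naive_lp_price(pair), ltv),
        }

    results = {"baseline": snapshot(fresh())}

    # Donate-and-sync: transfer 5,000 USDC to the pair, then call sync().
    pair = fresh()
    pair.donate(amount0=5_000.0)
    pair.sync()
    results["donate_sync"] = snapshot(pair)

    # Swap-based: buy WBTC with 5,000 USDC, skewing the reserve ratio but not k.
    pair = fresh()
    pair.swap0_for_1(5_000.0)
    results["swap"] = snapshot(pair)
    return results


if __name__ == "__main__":
    for name, vals in run_scenarios().items():
        print(name, {key: round(value, 2) for key, value in vals.items()})
```

With these numbers the naive valuation jumps from 200 to 300 per LP token in both manipulations, and the borrower's limit from 14,400 to 21,600 USDC within the same transaction. Under the donate-and-sync case the pool genuinely gained 5,000 USDC, so each LP token is now worth 250 at external prices; the naive oracle credits the donation twice because it also re-prices the WBTC side from the skewed reserves. The fair formula returns 244.95 after the donation and stays at roughly 200 after the swap, so it is conservative rather than manipulable. It does not, however, address the economic root cause the report points at: in a pool this small the manipulator can afford to own most of the LP supply, so any oracle read at the moment of the borrow should be combined with a time-weighted price and a cap on how much collateral value a single block may add.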

According to Beosin, the ACS token was a rug pull in which $10,000 worth of funds was stolen through a backdoor function. The scammer used a contract function to move ACS out of the BSC-USD-ACS pair, breaking the pair's constant-product (k) invariant, and then used a small amount of ACS to drain a large quantity of BSC-USD from the pair.

According to QuillAudits, the UF Dao of XDAO was hacked, resulting in the loss of $90,000 in USDC. The root cause was a smart contract vulnerability stemming from incorrect parameter settings: the DAO's public offering sold shares at a 1:1 rate with USDC even though the treasury held far more USDC per share, so almost the entire treasury could be redeemed by whoever bought the offering. The attacker began by swapping 0.4 BNB for approximately 111.62 USDC and used all of it to buy into the public offering, receiving 111.62 UFT, the LP token of the UF Dao, which represented nearly 94.25% of the total shares. These UFT tokens were then burned to redeem the corresponding share of the USDC held by the UF Dao.
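The mispricing pattern described above, as an added example written for this report rather than XDAO's or UF Dao's code: a toy share-based treasury whose public offering mints shares at a configured price, and a redeem function that pays out pro-rata. The treasury size (100,000 USDC), the founders' 10 shares and the attacker's 200 USDC are constructed numbers chosen to make the arithmetic exact; the page's own figures (111.62 UFT for 94.25% of the shares) are not reproduced. The vulnerable run hard-codes the offering at 1 USDC per share; the fixed run prices the offering at net asset value per share.

```python
from fractions import Fraction


class DaoTreasury:
    """Toy share-based treasury (constructed model, not XDAO's contracts).

    Holders own shares; redeeming burns shares for a pro-rata slice of the USDC held.
    """

    def __init__(self, usdc, founder_shares):
        self.usdc = Fraction(usdc)
        self.shares = {"founders": Fraction(founder_shares)}

    @property
    def total_shares(self):
        return sum(self.shares.values())

    def nav_per_share(self):
        """Net asset value per share: the least a fair offering should charge."""
        return self.usdc / self.total_shares

    def buy_offering(self, buyer, usdc_paid, price_per_share):
        """Public offering that mints at a configured price; this price is the risky parameter."""
        minted = Fraction(usdc_paid) / Fraction(price_per_share)
        self.usdc += Fraction(usdc_paid)
        self.shares[buyer] = self.shares.get(buyer, Fraction(0)) + minted
        return minted

    def redeem(self, holder, amount):
        """Burn `amount` shares and pay the holder their pro-rata share of the treasury."""
        if amount > self.shares.get(holder, Fraction(0)):
            raise ValueError("insufficient shares")
        payout = self.usdc * amount / self.total_shares
        self.shares[holder] -= amount
        self.usdc -= payout
        return payout


def offering_profit(price_per_share, usdc_paid=200, treasury_usdc=100_000, founder_shares=10):
    """Attacker buys the offering with usdc_paid and immediately redeems every share bought.

    Returns (fraction of supply held after the buy, profit = payout - usdc_paid), exactly.
    """
    dao = DaoTreasury(treasury_usdc, founder_shares)
    minted = dao.buy_offering("attacker", usdc_paid, price_per_share)
    share_of_supply = minted / dao.total_shares
    payout = dao.redeem("attacker", minted)
    return share_of_supply, payout - usdc_paid


def vulnerable_profit():
    """Offering fixed at 1 USDC per share although each share is backed by 10,000 USDC."""
    return offering_profit(price_per_share=1)


def fixed_profit():
    """Offering priced at NAV per share: the buyer gets back exactly what they paid in."""
    nav = DaoTreasury(100_000, 10).nav_per_share()
    return offering_profit(price_per_share=nav)


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_profit), ("fixed", fixed_profit)):
        share, profit = fn()
        print(f"{label}: {float(share):.2%} of supply, profit {float(profit):,.2f} USDC")
```

With the 1 USDC price, 200 USDC buys 200 of 210 shares (95.2% of the supply) and redeems for about 95,429 USDC, a profit of roughly 95,229 USDC; priced at NAV the same 200 USDC buys 1/501 of the supply and redeems for exactly 200 USDC. The check a reviewer would want on any mint-at-fixed-price function is the comparison between that fixed price and the treasury's current NAV per share.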

LendHub on Heco was exploited, with hackers stealing about $6 million worth of assets. The old LendHub contract was never deprecated, which allowed an attacker to deposit collateral in one LendHub contract to mint pegged tokens, and then use those pegged tokens to borrow funds from the other contract. Reports reveal that part of the stolen funds is held at addresses controlled by the hacker, while 1,100 ETH was deposited into Tornado Cash.

Metaverse, and NFTs#

McDonald’s has collaborated with Karen X Cheng on a series of metaverse activities to celebrate the coming Lunar New Year. The artist has created several immersive experiences, including an augmented reality filter that shows the transition from the Year of the Tiger to the Year of the Rabbit. The filter is available to everyone through a QR code shown at the end of the AI-powered television commercial. In addition to the ad and the filter, the two have partnered with Spatial to provide an interactive, gallery-like experience. Users can explore a wide range of events using virtual reality, augmented reality and 3D animation, including classic Chinese games such as Weiqi and Mahjong, VR zoos, cooking competitions and much more.

Fans of the Australian Open are set to celebrate the start of the new season in web3 style, thanks to a partnership with Roblox. The gaming platform is releasing AO Adventure, an immersive Metaverse experience where users can explore the famous Rod Laver Arena, meet digital avatars of iconic players such as Nick Kyrgios, and collect sports NFTs. The game celebrates the Australian Open Grand Slam tournament, which starts on January 16. Attendees can play singles or doubles virtual tennis with their friends or against AI opponents, and players level up and earn freebies at each milestone. Fans can also buy digital collectibles in the AO Shop section, all of which are compatible with their Roblox avatars.

AR Rahman, a renowned Indian musician, has announced the launch of his upcoming music-focused metaverse, dubbed Katraar. In Tamil, the word Katraar means a group of learned people who change the world. The project aims to transform how people make music and how they interact with it. AR Rahman will release original works in the metaverse, and the platform will also carry soundtracks from artists around the world. The platform is being developed in association with the HBAR Foundation, so the initiative is likely to launch on the Hedera network. The project will also include an unreleased work based on digital creatures, and aims to fuse NFT technology with music, art and storytelling.

OnChain Insurance Industry News#

Neptune Mutual released a detailed annual report covering its multiple funding rounds, partnerships, updates to its protocol and platform, thorough code audits, and other progress over the year.