Euler Finance, and Poolz Finance exploit. Sony, Salesforce, and Moxy web3 initiatives.
Euler Finance was exploited in a series of transactions, resulting in a total loss of roughly $200 million. The vulnerability was in the EToken implementation, specifically in the donateToReserves function, where the protocol permitted donations without an account health check. The attacker first took a flash loan of 30 million DAI from AAVE and deposited 20 million DAI on the Euler Protocol to receive 20 million eDAI. The attacker then deposited 10 million DAI via the repay function, repeated the above steps, and invoked donateToReserves to burn $100 million worth of eDAI. As a result, the amount of dDAI was greater than the amount of eDAI held, which effectively skipped the liquidation checks and made the position liquidatable without transferring funds to the protocol. The attacker withdrew approximately 38 million DAI from the contract and repaid the flash loan to AAVE, making a profit of roughly 8.9 million DAI. The attack was repeated on other pools, which resulted in a total profit of approximately $191 million to the attacker. A detailed analysis of the exploit can be found in this blog.
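The missing check can be shown with a small model. This is an added example, not Euler's code: the `Account` and `Market` classes, the rule that collateral must cover debt, and the sample balances are assumptions made for illustration.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class Account:
    def __init__(self, e_tokens, d_tokens):
        self.e_tokens = e_tokens  # collateral claim (eDAI in the report)
        self.d_tokens = d_tokens  # debt (dDAI in the report)

    def is_healthy(self):
        # Simplified rule for this model: collateral must cover debt.
        return self.e_tokens >= self.d_tokens

class Market:
    def __init__(self):
        self.reserves = 0

    def donate_unchecked(self, acct, amount):
        """Behaviour described above: donation with no health check."""
        if amount > acct.e_tokens:
            raise Revert("insufficient balance")
        acct.e_tokens -= amount
        self.reserves += amount

    def donate_checked(self, acct, amount):
        """Same donation, but the account must stay healthy afterwards."""
        before = (acct.e_tokens, self.reserves)
        self.donate_unchecked(acct, amount)
        if not acct.is_healthy():
            acct.e_tokens, self.reserves = before  # roll back, as a revert would
            raise Revert("account unhealthy after donation")

def run_case(checked):
    """Donate 10 from a constructed account holding 20 collateral and 15 debt."""
    acct, market = Account(e_tokens=20, d_tokens=15), Market()
    donate = market.donate_checked if checked else market.donate_unchecked
    reverted = False
    try:
        donate(acct, 10)
    except Revert:
        reverted = True
    return reverted, acct.e_tokens, market.reserves, acct.is_healthy()

if __name__ == "__main__":
    print("unchecked:", run_case(False))
    print("checked:  ", run_case(True))
```

Any operation that lowers an account's collateral belongs behind the same post-condition as withdrawals and transfers.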
Poolz Finance was exploited on Ethereum, Polygon, and BNB Chain, resulting in a total loss of approximately $550,000. The root cause of the exploit is a classic integer overflow vulnerability in its vesting contract. The exploiter initially called the vulnerable CreateMassPools function, which allows users to create pools in bulk, provide initial liquidity, and record pool attributes. That call in turn invoked the getArraySum function, which controls the amount passed to TransferInToken, used to establish liquidity in the pool. The array sum exceeded the maximum value of uint256, triggering the integer overflow. A large number of tokens were stolen and swapped for $BNB, and the attacker-controlled wallet address held assets including BNB, ETH, POOLZ, KMON, ESNC, and MATIC, totaling roughly $550,000. We have highlighted a detailed analysis of the exploit in this blog.
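The effect of an unchecked array sum on the accounting can be reproduced with arithmetic modulo 2^256. This is an added example, not the Poolz contract: the Python function names, the simplified `create_mass_pools` model, and the sample batch are constructed for illustration.

```python
UINT256_MAX = 2**256 - 1

def get_array_sum_wrapping(amounts):
    """Unchecked uint256 addition: the running total wraps modulo 2**256."""
    total = 0
    for amount in amounts:
        total = (total + amount) & UINT256_MAX
    return total

def get_array_sum_checked(amounts):
    """Checked addition: fail instead of wrapping, as a guarded add would revert."""
    total = 0
    for amount in amounts:
        if amount > UINT256_MAX - total:
            raise OverflowError("uint256 overflow while summing pool amounts")
        total += amount
    return total

def create_mass_pools(amounts, array_sum):
    """Simplified model of bulk creation: the caller pays array_sum(amounts),
    while every entry in amounts is recorded as a pool balance."""
    transfer_in = array_sum(amounts)  # what the TransferInToken step would pull
    credited = sum(amounts)           # what the pool records add up to
    return transfer_in, credited

def accounting_gap(amounts, array_sum):
    """Tokens credited to pools minus tokens actually transferred in."""
    transfer_in, credited = create_mass_pools(amounts, array_sum)
    return credited - transfer_in

# Constructed batch: two amounts whose true sum is 2**256 + 1.
SAMPLE_BATCH = [UINT256_MAX, 2]

if __name__ == "__main__":
    print("wrapped sum:", get_array_sum_wrapping(SAMPLE_BATCH))
    print("gap:", accounting_gap(SAMPLE_BATCH, get_array_sum_wrapping))
    try:
        create_mass_pools(SAMPLE_BATCH, get_array_sum_checked)
    except OverflowError as exc:
        print("checked sum rejected the batch:", exc)
```

A non-zero gap means the pool records promise more tokens than were deposited; the checked sum rejects the batch before any pool is recorded.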
Block Chain Games, a project on the BNB chain, was identified to be a rug pull. The owner of the protocol called a privileged function to mint a massive amount of BCGA tokens, before swapping them for approximately 128.45 BNB worth $39,092. According to Beosin reports, the owner also called another privileged function multiple times to burn other users' BCGA tokens to prevent them from selling.
The United States Department of Justice announced that ChipMixer, a darknet cryptocurrency mixing service, has been shut down. ChipMixer was responsible for laundering more than $3 billion worth of cryptocurrency between 2017 and the present in connection with, among other activities, ransomware, darknet markets, fraud, cryptocurrency heists, and other hacking schemes. The operation involved the confiscation by US federal law enforcement of two domains that directed customers to the ChipMixer service and one GitHub account, as well as the seizure of the ChipMixer back-end servers and more than $46 million in digital assets by the German Federal Criminal Police.
BlockSec announced that they had stopped an attack on the ParaSpace NFT project and saved approximately 2900 ETH. The root cause is a flaw in the contract used to compute user collateral. An attacker was able to manipulate the Ape coin number in one of the contract's functions, resulting in very large collateral that could be used to borrow more assets. The hacker initially took a flash loan from Lido Finance for 47,111 WSTETH, created a new contract, and used that contract to supply about 6,000 WSTETH to borrow approximately 1.84 million ParaSpace Compound APE. They transferred all of these tokens to the attack contract to mint 1.84 million cAPE Derivative Tokens. These steps were repeated until cAPE was completely drained, after which the tokens were swapped to ETH for profit. However, due to the gas constraint, the attack failed three times and was effectively caught by the security audit company.
Sony Interactive Entertainment has released the details of a patent, which states that the company has been investigating ways to use NFTs and blockchain technology in video games. The organization is constantly looking for new approaches to enhance their users' gaming experiences. The patent, titled NFT Framework for Transferring and Using Digital Assets Between Game Platforms, was originally filed last year but was revealed earlier this week. According to the summary of the Sony PlayStation NFT patent, current systems do not allow users to use NFTs across numerous games and platforms due to technological limitations. Sony's new architecture intends to provide a streamlined approach for transacting digital assets between game platforms. The filing also expresses support for the sale of NFTs to other players. Sony's plans to rent NFTs to players and stream viewers are detailed in an alternative patent.
Polygon and Salesforce have collaborated to create an NFT management platform. This partnership will allow them to create token-based loyalty schemes, revealing the expansion of their customer services to include NFT loyalty program management. It seeks to provide NFT capabilities to Salesforce’s clients while bolstering Polygon’s standing in the enterprise sector. Following a successful pilot program that witnessed over 250,000 transactions and involvement from well-known companies such as Mattel and Crown Royal, the partnership also seeks to enable Salesforce clients to develop token-based loyalty programs.
Moxy, the eSports gaming marketplace, has launched its beta challenge, dubbed "eSports for All." The challenge allows participants to compete in eSports-style gaming for Moxy tokens, collectibles, and $100,000 in cash. The platform hopes to extensively stress-test its many components while also enrolling eSports fans from around the world. In this challenge, players compete against one another to earn points and advance through four seasons. Those who are at the top of the Moxy leaderboard at the end of the fourth season can expect the coveted prizes, which include USDC incentives, Moxy's native tokens, and Moxy collectibles. The entire prize pool for cash prizes is $100,000; however, the value of each reward level will not be announced until the Moxy platform is officially launched.
Neptune Mutual has announced the launch of their own blockchain hacks database for their community, which includes information on major cryptocurrency hacks, exploits, smart contract vulnerabilities, and much more.
In addition, they hosted their first-ever monthly Townhall call in their Discord server, with Edward Ryall, one of the co-founders of Neptune Mutual, discussing the team's ongoing progress and answering community questions.
Tidal Finance announced that the V2 version of their protocol is now available as a public beta release, and that they are working on security audits ahead of the mainnet launch.