Weekly Report (Oct-31)


Team Finance, a security toolkit, was exploited for approximately $14.5 million worth of tokens.


  • Team Finance was exploited for approximately $14.5 million worth of tokens.
  • Visa has filed multiple metaverse-related trademarks.
  • DC has introduced collectible comics on the Palm Network.
  • Twitter is testing features to allow users to trade NFTs via tweets.
  • Gucci has opened its land in the Sandbox to the public.

Blockchain hacks and smart contract vulnerabilities are likely to remain a consistent and common risk in the blockchain industry. As a result, the need for fast, reliable, and scalable solutions from the decentralized insurance industry is likely to grow.

Blockchain Hacks

ULME, a token on Binance Smart Chain (BNB Chain), was attacked by a hacker who allegedly gained approximately 50,646 BUSD. The underlying cause is an indirect price manipulation, carried out with flash loans and made possible by unrestricted access control. The attacker first used flash loans to borrow 1,000,000 BUSD and swapped the borrowed BUSD for $ULME tokens on PancakeSwap. They then called the buyMiner function of the $ULME token contract, passing in a list of users and their corresponding amounts. This call triggered a price increase, after which the attacker swapped the $ULME tokens back to BUSD, repaid the flash loan, and kept the remaining profit of 50,646 BUSD. In our blog post, we provide a detailed analysis of the exploit.

Melody, a play-to-earn web3 entertainment and social media application, was hacked, resulting in the loss of approximately 2225 $BNB tokens. The root cause of the attack is that the application's token address was compromised, which allowed the hacker to bypass the access control. The hacker initially invoked the coinWithdraw function of the SGS contract, which is used to redeem the user's assets from the contract. The attacker then withdrew the tokens from the contract to an address and sent a total of 990,000 tokens to the attacker's address. The hacker most likely obtained the signer address to generate the signature for the malicious action, transferring $SGS tokens to themselves. We've decoded a detailed analysis of the exploit here.

Team Finance, a security toolkit for founders who want to create a token and raise funds from investors, was exploited for approximately $14.5 million worth of tokens. The vulnerability was a lack of proper validation in the migrate function of the LockToken contract, which did not properly validate the _id and other parameters. This allowed a fake token to be added to the contract and then used as a parameter to migrate tokens from the pool: the attacker locked a fake token and then arbitrarily specified the token pair to migrate, using the liquidity amount of the locked fake token. The perpetrator used this to illegally migrate $WTH, $CAW, $USDC, and $TSUKA tokens from the V2 to the V3 liquidity pool.
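One way to express the missing checks, as an added example rather than code from Team Finance or the original post: a simplified Python model of a liquidity locker whose `migrate` binds the lock id, caller, pair and amount to the stored lock record. The `Locker` class, the allowlist of V2 pairs and the token labels are assumptions made for illustration.

```python
# Simplified model of a liquidity locker; NOT the LockToken contract's code.
# Class names, the V2-pair allowlist and token labels are constructed.
from dataclasses import dataclass

class MigrationRejected(Exception):
    """Raised when a migrate request does not match the lock it cites."""

@dataclass
class Lock:
    owner: str
    token: str   # token that was actually deposited for this lock id
    amount: int

class Locker:
    def __init__(self, v2_pairs):
        self.v2_pairs = set(v2_pairs)  # genuine V2 LP tokens the locker accepts
        self.locks = {}
        self.next_id = 1

    def lock(self, owner, token, amount):
        lock_id, self.next_id = self.next_id, self.next_id + 1
        self.locks[lock_id] = Lock(owner, token, amount)
        return lock_id

    def migrate(self, caller, lock_id, pair, amount):
        """Release (pair, amount) for V3 migration only when every
        parameter is bound to the stored lock record."""
        lock = self.locks.get(lock_id)
        if lock is None:
            raise MigrationRejected("unknown lock id")
        if caller != lock.owner:
            raise MigrationRejected("caller does not own this lock")
        if lock.token not in self.v2_pairs:
            raise MigrationRejected("locked token is not a recognised V2 pair")
        if pair != lock.token:
            raise MigrationRejected("pair differs from the locked token")
        if not 0 < amount <= lock.amount:
            raise MigrationRejected("amount outside the locked balance")
        lock.amount -= amount
        return pair, amount

def try_migrate(locker, caller, lock_id, pair, amount):
    """Return the migration result, or the rejection reason as a string."""
    try:
        return locker.migrate(caller, lock_id, pair, amount)
    except MigrationRejected as exc:
        return str(exc)
```

A lock created with an unrecognised token is rejected before any pair is touched, and a genuine lock can only release the pair and amount it actually holds.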

Metaverse and NFTs

DC Comics, the American comic book publisher, is entering a new phase in its web3 expansion with the announcement of DC Collectible Comics. The NFT comics will feature weekly releases and can be purchased, sold, and traded via the fan NFT marketplace at nft.dcuniverse.com. To kickstart the new venture, DC Collectible Comics has released Superman #1. Notably, the NFTs will be divided into Legacy and Modern categories. Legacy comics are releases of classic comics that have been out of print for years, such as the legendary Superman #1. Modern comics, by contrast, will include more recent releases from the extensive collection of DC comics. The rarity and grading of the NFT comics are intriguing features of the digital artifacts. There are five different rarity categories: common, uncommon, epic, and legendary.

Twitter, in cooperation with four marketplaces, said that users would be able to purchase, trade, and display NFTs directly through tweets. The integration, which is still in testing, works with marketplaces from four particular partners: the Solana-centric marketplace Magic Eden, the multi-platform NFT marketplace protocol Rarible, Flow blockchain creator Dapper Labs, and the sports-centric platform Jump.trade. Collectively, these marketplaces cover multiple blockchain networks, such as Ethereum, Solana, Flow, Polygon, Tezos, and Immutable X. The integration, branded NFT Tweet Tiles, displays the artwork of an NFT in a dedicated panel within a tweet and includes a link to let users click through to a marketplace listing.

Apple has released guidelines to help developers create and facilitate in-app purchases of NFTs in their iOS apps. Apple users will be able to trade NFTs directly from the app, using an in-app purchase feature that will allow them to mint, list, and transfer NFTs. Apple stated in the updated App Store review guidelines that developers will be able to issue NFTs on their apps; however, they are not permitted to include features that direct users to purchase NFTs from other platforms. Furthermore, apps are not permitted to unlock additional functionality involving cryptocurrencies and cryptocurrency wallets.

Visa becomes yet another organization planning for a future metaverse in which individuals spend a great deal of time in virtual worlds, exchanging virtual currency for virtual commodities, and collecting digital items. According to Mike Kondoudis of the United States Patent and Trademark Office, the company submitted two applications. The filings include software for auditing digital, virtual, and cryptocurrencies, software for managing digital assets via a digital wallet, including verifying digital transactions and storing NFTs, and software to establish virtual environments where users can connect for entertainment or recreation in a virtual world.

Gucci's Gucci Vault Land store in The Sandbox is now open for business. The Gucci space will now be open to the public for free until November 9. Users will be able to have fun, learn, and unwind in a stylish Gucci metaverse environment while taking part in this fun and immersive experience. This space celebrates the rare vintage Gucci pieces that were carefully chosen and the conversations between contemporary artists and the Gucci brand. The immersive experience starts when players walk into a beautiful garden surrounded by ancient ruins. Walk through the Grand Entrance hall and stop by the glorious room, with each offering an insight into Gucci Vault’s core pillars.

OnChain Insurance Industry News

InsurAce Protocol has joined hands with Hubble Protocol to provide borrowers with coverage for any smart contract exploits on the protocol.

Tidal Finance has deployed the user purchase portal for Synthetix smart contract protection coverage. The amount of coverage can be adjusted weekly, and Synthetix users can purchase protection at a cost of 0.05% per week.