In a matter of 24 hours, a DeFi platform lost millions of dollars in a hack, developers of a play-to-earn (P2E) GameFi project apparently rug-pulled their investors, and a Solana (SOL)-powered exchange mistakenly shut itself down – all reminding us of risks in the crypto space.
According to blockchain security firm PeckShield, DeFi lending protocol Cream Finance was exploited by hackers on Tuesday thanks to a “bug introduced by [the] AMP” token.
“The hacker makes a flash loan of [ETH 500 (USD 79,000)] and deposits the funds as collateral. Then the hacker borrows [$AMP 19m] and makes use of the reentrancy bug to re-borrow [ETH 355] inside $AMP token transfer. Then the hacker self-liquidates the borrow,” PeckShield added.
The security firm noted that the hacker repeated this process a total of 17 times to gain ETH 5,980 (USD 9.5m).
4/4 The hacker repeats the above process in 17 different txs and gains in total 5.98K ETHs (with ~$18.8M). The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement.
— PeckShield Inc. (@peckshield) August 30, 2021
Cream Finance confirmed the hack, claiming that they have stopped the attack by “pausing supply and borrow on AMP.”
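The ordering problem behind the re-borrow that PeckShield describes can be shown with a toy model. This is an added illustration, not code from the article, Cream Finance or AMP; the class, the single-asset market, the 1:1 collateral rule and the recipient callback are all assumptions made for the example.

```python
class ToyMarket:
    """Constructed lending model (hypothetical); not Cream Finance's contract code."""

    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = hardened ordering
        self.collateral = {}
        self.debt = {}
        self.paid_out = 0

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount, on_receive=None):
        # Check: total debt must stay within posted collateral (assumed 1:1 rule).
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self._record(user, amount)          # effect: book the debt first
            self._transfer(amount, on_receive)  # interaction: then move tokens
        else:
            self._transfer(amount, on_receive)  # interaction while debt is still stale
            self._record(user, amount)

    def _record(self, user, amount):
        self.debt[user] = self.debt.get(user, 0) + amount

    def _transfer(self, amount, on_receive):
        self.paid_out += amount
        if on_receive:  # a hook-enabled token notifies the recipient mid-transfer
            on_receive()


def run(effects_first):
    """Borrow against 100 collateral; the recipient hook attempts a nested borrow."""
    market = ToyMarket(effects_first)
    market.deposit("borrower", 100)
    blocked = []

    def hook():
        try:
            market.borrow("borrower", 100)  # nested call during the transfer
        except ValueError:
            blocked.append(True)

    market.borrow("borrower", 100, on_receive=hook)
    return market.paid_out, market.debt["borrower"], bool(blocked)
```

With the debt booked after the transfer, the nested call passes the collateral check and the market pays out twice what the collateral supports; with the debt booked first, the same nested call is rejected.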
Meanwhile, GameFi (P2E blockchain-powered games) project HeroCat appears to have rug-pulled its investors. The game’s token, HeroCat Token (HCT), has lost more than 99.9% over the past week, according to data by CoinGecko.
PeckShield said that HCT, which is developed on the Binance Chain, “made a big sale and transferred” around USD 151,000 worth of the Binance USD (BUSD) stablecoin. HeroCat has yet to release any updates about the current situation.
Moreover, a Solana-based DeFi project has accidentally closed itself due to a developer mistake. “Decentralized options exchange” OptiFi said they closed down the project during a routine upgrade yesterday.
“We accidentally closed the OptiFi mainnet program and it’s not recoverable,” the project’s official Twitter account said, adding that the mistake resulted in the loss of USD 661,000 in funds, most of which was from team members.
OptiFi's program has been closed by mistakes we made.
TL;DR
1. We accidentally closed the OptiFi mainnet program and it's not recoverable
2. 661k USDC is locked in the PDAs, luckily 95% of the fund is from our team member
3. We will compensate for all users’ funds
— OptiFi (@OptifiLabs) August 29, 2022
In a post-mortem, the team said they wanted to upgrade the protocol on August 29 but canceled the operation when the deployment took longer than expected due to network congestion. They then noticed that a new “buffer” account had been created and that OptiFi had already transferred a little more than SOL 17.2 (USD 558) to it.
The team attempted to shut down the OptiFi program to recover those assets. The attempt worked, but instead of being closed temporarily, the program was shut down permanently.
“We will return all users’ deposits and settle all user positions manually according to PythNetwork oracle at 8 AM UTC on Sep 2nd,” the team said.
Source: Cryptonews