Web3 Security Monthly Report | Frequent Phishing Incidents in May, How On-Chain Tools Respond

OKLink
2024-05-31 16:55:21
This month's losses caused by security incidents across the internet have increased by 27.27% compared to the previous month, with phishing and fraud incidents accounting for over 60%.

Author: OKLink

This month, the losses caused by security incidents across the network increased by 27.27% compared to last month, with phishing and fraud incidents accounting for over 60%. Security awareness is your first line of defense in protecting digital assets. OKLink provides over 40 leading blockchain explorers and a one-stop query portal, as well as tools for address monitoring, token authorization queries, and address health checks to safeguard your assets.

  1. This month, the total losses across the network amounted to approximately $140 million, an increase of 27.27% compared to April.

  2. There were a total of 27 incidents of fraud and phishing on official social media, accounting for 60.08% of the losses. These incidents were mainly concentrated on X, Discord, and various phishing websites.

  3. The losses from REKT and RugPull incidents accounted for 16.89% and 1.37%, respectively, while other security incident losses accounted for 21.66%.

Case Analysis

On May 15, Sonne Finance was attacked, resulting in a loss of approximately $20 million. The protocol had added a new VELO market through voting, but the project team did not promptly add initial funds to that market. This allowed hackers to exploit a classic rounding issue to manipulate the collateral rate of the VELO market for profit.

OKLink has tagged its address with # Hack:

https://www.oklink.com/zh-hans/optimism/address/0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43

Attack Process

1) The attacker calls the attack contract 0xa78aef to make an initial deposit to the soVELO market to obtain 2 WEI of soVELO;

2) The main attack contract 0x02fa26 preemptively calls the timelock contract to set the collateral coefficient, allowing the assets in the soVELO market to be used as collateral for lending in other markets;

3) A flash loan of approximately 35M VELO is taken and donated to the soVELO market contract to manipulate the exchange rate, so that 2 WEI of soVELO represents a large amount of VELO and therefore a significant collateral value;

4) A sub-attack contract 0xa16388 is created and 2 WEI of soVELO is transferred to it. It then borrows 265 WETH and redeems approximately 35M VELO using 1 WEI of soVELO. This exploits the manipulated exchange rate: the amount of soVELO calculated for the redemption is approximately 1.9999 WEI, which rounds down to 1 WEI;

5) The borrowed amount from the sub-attack contract 0xa16388 is liquidated to retrieve 1 WEI of soVELO, which is returned to the main attack contract 0x02fa26. Since the exchange rate is now lower, a small amount of WETH can be used to obtain 1 WEI of soVELO;

6) 1 WEI of soVELO is re-minted and the exchange rate is manipulated again by donating to the soVELO market, repeating the above steps to borrow more WETH, USDC, and other assets.
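
The rounding in step 4 and the missing initial funds noted in the case analysis, shown as a simplified integer model that is added here and is not Sonne Finance's or OKLink's code. It assumes Compound-v2-style share accounting; the function names, the 10^18 scale, the minimum-share threshold and the sample amounts are constructed for illustration.

```python
# Added example: simplified integer model of a Compound-v2-style market.
# Assumption: the soVELO market uses this share accounting; all names are illustrative.
SCALE = 10**18  # fixed-point scale used for the exchange rate

def exchange_rate(cash, total_supply):
    """Underlying per share, scaled by SCALE, truncated like on-chain integer math."""
    return cash * SCALE // total_supply

def shares_burned_floor(redeem_amount, rate):
    """Vulnerable form: shares burned for a redeem-by-amount call round down."""
    return redeem_amount * SCALE // rate

def shares_burned_ceil(redeem_amount, rate):
    """Hardened form: round up, so a withdrawal never burns fewer shares than it is worth."""
    return -((-redeem_amount * SCALE) // rate)

def redeem(cash, total_supply, redeem_amount, burn):
    """Return (shares burned, cash left, shares left) after one redeem-by-amount call."""
    burned = burn(redeem_amount, exchange_rate(cash, total_supply))
    if burned > total_supply or redeem_amount > cash:
        raise ValueError("redeem exceeds market balance")
    return burned, cash - redeem_amount, total_supply - burned

def can_enable_collateral(total_supply, min_shares=10**6):
    """Listing guard: a market must be seeded before it is given a collateral factor."""
    return total_supply >= min_shares

# Constructed numbers following the steps above: 2 wei of shares, ~35M VELO donated.
CASH = 35_000_000 * 10**18
SUPPLY = 2

if __name__ == "__main__":
    print("rate per share:", exchange_rate(CASH, SUPPLY))
    # Floor: one share is burned for almost all the cash, one share is left over.
    print("floor:", redeem(CASH, SUPPLY, CASH - 1, shares_burned_floor))
    # Ceil: the same withdrawal costs both shares, so nothing is left to reuse.
    print("ceil: ", redeem(CASH, SUPPLY, CASH - 1, shares_burned_ceil))
    print("listing allowed:", can_enable_collateral(SUPPLY))
```

With rounding down, the withdrawal leaves one share behind after nearly all of the underlying has left the market; rounding up, or refusing a collateral factor until the market holds seeded supply, removes that leftover.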

Problematic Code:

Largest Security Incident - RugPull

On May 23, a fake TON token project experienced a RugPull, resulting in losses of approximately $600,000.

Largest Security Incident - Phishing Fraud

On May 3, a whale user suffered a phishing attack, resulting in losses of approximately $70 million (1155 WBTC). However, on May 10, the hacker returned 90% of the funds to the victim.

Largest Security Incident - Private Key Leak

On May 21, Gala Games was attacked, and the private key was suspected to have been leaked, allowing the attacker to mint 5 billion GALA, worth approximately $200 million. By selling GALA tokens, the attacker ultimately profited about $21 million. On May 22, the attacker returned all assets.

OKLink Security Tips

This month, phishing attacks and private key leak attacks accounted for a significant proportion. OKLink reminds everyone to pay attention to protecting personal information, and never disclose your private key or mnemonic phrase to anyone. Also, do not store them simply as screenshots. Furthermore, when transferring funds, be sure to carefully verify the recipient's address, and confirm its accuracy by copying it directly from transaction records or chat logs. Security awareness is your strongest shield in the Web3 world and your first line of defense in protecting digital assets.
