ChainCatcher news, Beosin Alert posted on platform X, currently has collected about 2800 DEXX victim addresses, with over 9000 stolen transactions. An analysis of some stolen addresses' funds revealed that the stolen funds are still held in the hacker's address and have not been transferred out. It is likely the work of the same hacker, who is speculated to transfer funds based on the victims' token balances and arranged them in descending order of value.

ChainCatcher news, according to Beosin Alert monitoring and early warning, as of September 25, the total loss in the Web3 sector due to hacker attacks, phishing scams, and project Rug Pulls in Q3 2024 has reached $730 million. Among them, there were 23 major attack incidents, with a total loss of approximately $430 million; 3 project Rug Pull incidents, with a total loss of about $4.24 million; and total losses from phishing scams amounting to approximately $295 million.In terms of the types of attacked projects, the highest losses were incurred by CEX, with 3 attacks on CEX causing approximately $297 million in losses, accounting for about 40.6% of all attack losses.In terms of losses by chain, Ethereum remains the chain with the highest loss amount and the most attack incidents. 21 attacks and phishing incidents on Ethereum caused losses of $348 million, accounting for about 47.6% of the total losses.Regarding attack methods, there were 5 private key leakage incidents in Q3, resulting in losses of $305 million, accounting for about 41.7% of the total attack losses, making it the most prevalent type of attack.In terms of the flow of funds, only about $16.9 million of the stolen funds have been frozen or recovered. The vast majority (approximately 78.9%) of the stolen funds are still stored in the attackers' on-chain addresses.Compared to the same period in 2023, the total losses due to hacker attacks, phishing scams, and project Rug Pulls in Q3 2024 have slightly decreased to $730 million (the figure for Q3 2023 was $889 million). Factors such as the decline in cryptocurrency prices in Q3 2024 have had some impact on the reduction of the total amount, but overall, the situation in the Web3 security sector remains grim. Among the more than twenty attack incidents in Q3, 18 were still due to contract vulnerabilities, suggesting that project parties should seek professional security companies for audits before going live.

ChainCatcher news, according to Beosin Alert monitoring, the Bedrock project contract vulnerability has been attacked, resulting in approximately 1.7 million dollars worth of assets being stolen.Analysis shows that the root cause of this attack is that the mint function in the project mints the same amount of uniBTC for the ETH collateralized by users, without considering the price difference between the two. The attacker has exchanged all tokens for ETH.

ChainCatcher news, according to Beosin Alert monitoring, the Indodax exchange has been hacked, with hackers profiting approximately 17 million dollars in cryptocurrency assets.Hacking method: The attacker gained access to the Indodax exchange's hot wallet through unknown means and used that access to transfer a large amount of assets to multiple addresses on the Ethereum, Polygon, and Optimism chains, with most of the assets exchanged for ETH on the Ethereum chain.Affected blockchains: Ethereum, Polygon, Optimism

ChainCatcher news, according to Beosin Alert monitoring, the DeFi protocol Penpie built on Pendle has been hacked, resulting in the theft of approximately $27 million in crypto assets. Beosin provides the following brief analysis of the incident:The attacker exploited the claimRewards function in the market contract to re-enter the staking contract, increasing the staking contract balance, and then withdrew excess tokens and staked assets from the taking contract for profit.The attacker first created an attack contract and constructed the corresponding market contract through the official factory.Called the batchHarvestMarketRewards function of the staking contract to update rewards for the market.During the reward update, the attack contract's claimRewards function is called back, allowing for re-entry to stake the assets obtained from the flash loan, creating a discrepancy in the asset quantity of the staking contract, and withdrawing the excess.The attacker withdrew the staked assets and repaid the flash loan for profit.

ChainCatcher message, according to monitoring by the blockchain security audit company Beosin Alert, the Ronin Bridge project has exhibited abnormal behavior in extracting cross-chain assets. According to the Beosin security team analysis, the root cause of this abnormal behavior lies in the project team's failure to properly initialize the operator weights required for cross-chain transaction confirmation when upgrading the contract, resulting in the minimumVoteWeight parameter in the contract being zero, allowing any signature to pass cross-chain verification.Currently, the Ronin bridge has lost 3,996 ETH, with funds stored at an address starting with 0xc6a (this address is an MEV bot, so it is speculated that it may be a white hat action). Beosin is currently collaborating with the project team to address this incident.

ChainCatcher news, according to monitoring by blockchain security audit company Beosin Alert, shows that in July 2024, the loss amount from various security incidents significantly increased compared to June. In July 2024, there were over 20 typical security incidents, with total losses from hacker attacks, phishing scams, and Rug Pulls reaching $286 million, an increase of approximately 56.3% compared to June.Among these, attack incidents accounted for about $271 million, an increase of approximately 92.2%; phishing scam incidents accounted for about $12.1 million, a decrease of approximately 67.6%; and Rug Pull incidents accounted for about $3.58 million, a decrease of approximately 13.1%.The largest hacking incident in July came from the Indian exchange WazirX, with losses of about $230 million, accounting for 85% of the total amount from attack incidents that month. The second largest attack incident was LI.FI, which lost about $11.6 million due to a contract vulnerability. This month also saw multiple phishing scams and rug pull incidents exceeding one million dollars, and users need to remain vigilant.

ChainCatcher news, according to Beosin Alert monitoring, the Terra chain has been suspended due to an emergency upgrade. It seems that someone has exploited an IBC vulnerability to mint multiple tokens on the Terra chain, including ASTRO.The Beosin security team analyzed and found that after the attacker instantiated the contract on Terra, they exploited a reentrancy vulnerability in the timeout callback of ibc-hooks, transferring approximately 60 million ASTRO, 3.5 million USDC, 500,000 USDT, and 2.7 BTC, totaling about 5.28 million USD in value.This vulnerability was disclosed in April this year and belongs to a vulnerability in the cosmos base library, but Terra has not fixed it.

ChainCatcher news, according to Beosin Alert monitoring, it was discovered that the Indian exchange WazirX was attacked. The attacker obtained the signature data of the multi-signature wallet administrator of the exchange, modified the logic contract of the wallet, and executed incorrect logic to steal assets.Attacker address: 0x6eedf92fb92dd68a270c3205e96dccc527728066Attacked address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4Based on the attacker's behavior, it is speculated that the reason is the leakage of the multi-signature wallet administrator's private key. Beosin summarizes the cause of the attack as follows:The attacker deployed the attack contract: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. The function of this contract is to extract the token assets specified by this contract.The attacker obtained the signature data of the WazirX multi-signature wallet administrator and modified the wallet's logic contract to the already deployed attack contract. The corresponding transaction is:https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185dThe attacker submitted a token withdrawal transaction to the WazirX multi-signature wallet. Due to the proxy model mechanism, the wallet contract will use delegatecall to invoke the relevant functions of the attack contract, transferring the wallet's tokens.The flowchart of the stolen funds shows that, so far, the hacker has transferred part of the funds to Changenow and Binance exchanges.

ChainCatcher news, according to Beosin Alert monitoring, the cross-chain protocol LI.FI has been attacked. The attacker primarily exploited the project contract's call injection to transfer user assets authorized to the contract. Beosin Trace tracked the stolen funds and found that the loss amounts include 6.3359 million USDT, 3.1919 million USDC, and 169,500 DAI, totaling approximately 10 million USD.The attack occurred on both the ETH and Arbitrum chains. Currently, most of the funds have been converted to ETH with no new developments. Beosin has added the hacker-related addresses to the KYT blacklist and will continue to monitor and track the situation.

ChainCatcher message, according to Beosin Alert monitoring and early warning, the cross-chain protocol LI.FI has been attacked. The Beosin security team found that the vulnerability was caused by the attacker using a call injection in the project contract to transfer the assets of users authorized to the contract. The LI.FI project contract has a function called depositToGasZipERC20, which can exchange specified tokens for platform tokens and deposit them into the GasZip contract. However, the code in the exchange logic does not restrict the data of the call, allowing the attacker to exploit this function for a call injection attack, extracting the assets of users authorized to the contract.Attacker address: 0x8B3Cb6Bf982798fba233Bca56749e22EEc42DcF3Attacked contract: 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaEAs of now, the total loss includes 6.3359 million USDT, 3.1919 million USDC, and 169,500 DAI, approximately 10 million USD.Beosin Trace is currently tracking the stolen funds.

According to ChainCatcher news, monitoring and early warning from Beosin Alert shows that in the first half of 2024, the total losses in the Web3 field due to hacker attacks, phishing scams, and project rug pulls reached 1.54 billion USD. Among them, there were 78 major attack incidents, with 43 stemming from contract vulnerabilities, resulting in total losses of approximately 1.193 billion USD; there were 64 project rug pull incidents, with total losses of about 119 million USD; and phishing scams accounted for total losses of approximately 232 million USD.In the first half of 2024, there were 3 security incidents with losses exceeding 100 million USD. The total loss in May reached 450 million USD, making it the month with the highest losses in the first half of 2024.In terms of the types of attacked projects, the highest losses were from CEX, with 4 attacks on CEX causing approximately 392 million USD in losses, accounting for 32.8% of all attack losses.Regarding losses by chain, Ethereum remains the chain with the highest losses and the most attack incidents. 32 attack incidents on Ethereum resulted in losses of 470 million USD, accounting for 39.4% of the total losses.In terms of attack methods, there were a total of 22 private key leakage incidents in the first half of the year, causing losses of 894 million USD, which accounted for about 75% of the total attack losses, making it the most prevalent attack type.In terms of fund flow, approximately 470 million USD (39.3%) of the stolen funds were frozen or recovered. This proportion has significantly increased compared to 2023.

ChainCatcher news, according to Beosin Alert monitoring, the DMM Bitcoin hacker transferred 500 BTC (approximately 34 million USD) to two new addresses on June 12: 300 BTC was sent to an address starting with bc1qc6, and 200 BTC was sent to an address starting with bc1qln.

According to ChainCatcher news and Beosin Alert monitoring, 4502.9 BTC (approximately $305.9 million) stolen from the Japanese cryptocurrency exchange DMM Bitcoin has been transferred to the address 1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P and is currently distributed to 10 addresses.

ChainCatcher news, according to monitoring by blockchain security audit company Beosin Alert, the total loss from various security incidents in May 2024 increased compared to April. In May 2024, there were over 27 typical security incidents, with a total loss of 154 million USD due to hacker attacks, phishing scams, and Rug Pulls, an increase of about 52.5% compared to April. Among them, attack incidents accounted for about 54.51 million USD, an increase of about 3.7%; phishing scam incidents accounted for about 97.4 million USD, an increase of about 754%; and Rug Pull incidents accounted for about 2.04 million USD, a decrease of about 94.5%.This month, there were 2 hacker attack incidents with losses exceeding 10 million USD: the gaming platform Gala Games lost 22.5 million USD due to private key leakage, and Sonne Finance lost 20 million USD due to a contract vulnerability. This month saw a significant increase in phishing scams, with multiple phishing incidents resulting in losses exceeding 1 million USD, including one address poisoning scam with a loss of 72 million USD. The number of crypto crime cases continued to rise this month, with several cases involving amounts exceeding 100 million USD.

According to ChainCatcher news, Beosin Alert monitoring has discovered that the Sonne Finance protocol on the OP chain has been attacked by hackers using a flash loan attack, resulting in approximately $20 million in losses due to multiple attacks.The Beosin security team analyzed that the attackers borrowed VELO Tokens through flash loans and sent them to the soVELO contract via transfer, repeatedly creating new contracts to borrow various tokens from the Sonne Finance protocol and redeem VELO Token tokens. This operation was repeated until all funds were drained.Currently, the attackers are mainly holding the funds at the following addresses:0x02FA2625825917E9b1F8346a465dE1bBC150C5B90x5D0D99e9886581ff8fCB01F35804317f5eD80BBb0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43Beosin Trace will continue to monitor the movements of the stolen funds.

ChainCatcher news, according to Beosin Alert monitoring and early warning, the total loss in the Web3 sector due to hacker attacks, phishing scams, and project Rug Pulls reached 778 million USD in the first quarter of 2024. Among them, there were 39 major attack incidents with a total loss of approximately 617 million USD; 43 project Rug Pull incidents with a total loss of about 75.5 million USD; and phishing scams with a total loss of approximately 86.24 million USD.The total loss in the first quarter of 2024 was about 778 million USD, a year-on-year increase of approximately 126% and a quarter-on-quarter increase of about 72%. The losses from hacker attacks were higher than any quarter in 2023. The total loss in February reached 422 million USD, making it the month with the highest loss in the first quarter of 2024.In terms of the types of attacked projects, gaming platforms have become the project type with the highest loss amount for the first time. Six attacks on Web3 gaming platforms caused a total loss of 365 million USD, accounting for 59% of all attack losses. In terms of loss amounts across chains, Ethereum remains the chain with the highest loss amount and the most attack incidents. Eighteen attack incidents on Ethereum resulted in a loss of 342 million USD, accounting for 55.4% of the total loss.In terms of attack methods, there were 13 private key leakage incidents this quarter, resulting in losses of 458 million USD, which accounted for 74.3% of the total attack losses, making it the highest proportion attack type. According to Beosin KYT anti-money laundering analysis platform monitoring, in terms of fund flow, most of the stolen assets this quarter were frozen and recovered. Approximately 303 million USD (49.2%) of the stolen funds were frozen, and 79.45 million USD (12.9%) of the stolen funds were recovered. In terms of audit status, the proportion of audited project parties among the attacked projects has increased.

ChainCatcher news, according to monitoring by the blockchain security audit company Beosin's KYT anti-money laundering analysis platform, the loss amount from various security incidents significantly increased in February 2024 compared to January. In February 2024, there were more than 19 typical security incidents, with total losses due to hacker attacks, phishing scams, and Rug Pulls reaching $422 million, an increase of about 102% compared to January. Among these, attack incidents accounted for approximately $347 million, an increase of about 110%; phishing scam incidents were about $16.08 million, a decrease of about 52%; and Rug Pull incidents were approximately $59.38 million, an increase of about 440%.The largest attack incident in February was the attack on the crypto gaming platform PlayDapp due to private key leakage, resulting in a loss of $290 million, making it the highest loss security incident of the year so far. Other incidents with losses exceeding ten million dollars include: the centralized exchange FixedFloat being attacked, resulting in a loss of $26.1 million; Axie Infinity co-founder Jihoz.ron’s personal address losing about $10 million due to private key leakage. Additionally, the Hong Kong exchange Bitforex is suspected of experiencing a Rug Pull, with $56.5 million anomalously flowing out of its hot wallet.

ChainCatcher news, according to the Beosin KYT anti-money laundering analysis platform, the address 0x121ad060686848b196df8ca5c5e24722efe57115 on the Ronin chain, jihoz.ron (0xa09a9b6f90ab23fcdcd6c3d087c1dfb65dddfb05), is suspected of private key leakage. Multiple tokens were transferred to the address 0x39f817976c51a91b60145febad81067e69713105, exchanged for ETH, and then cross-chain to Ethereum, subsequently flowing directly into Tornado.cash.

ChainCatcher news, security agency Beosin announced on platform X that it has initiated further ecological cooperation with Sei, supporting smart contract security audits for Sei ecological projects; currently, Beosin has completed the contract audit for Kryptonite, the largest liquidity staking platform in the Sei ecosystem. In the future, Beosin will provide security services for more Sei ecological projects, contributing to the secure development of the Sei ecosystem.