ChainCatcher news, Slow Mist's Chief Information Security Officer 23pds stated on the X platform that after analysis, it was found that Indodax's hot wallet private keys were not compromised by hackers, but rather other systems were attacked, such as signature machines.Previous news, on September 11 at 7 AM, according to Cyvers Alerts monitoring, Indodax's wallet conducted over 150 suspicious transactions across different networks, with a total loss of approximately 18.2 million USD, and suspicious addresses are exchanging various tokens for Ethereum.

ChainCatcher message, SlowMist founder Yu Xian stated that the DAI L2 Deployer private key leak has led to some recently deployed L2 DAI contract addresses being "honeypot" addresses controlled by attackers.There are no related risks on Optimism and Arbitrum, but the contracts on Base and Polygon networks are unsafe. The mainnet DAI contract is secure.

ChainCatcher news, OKLink released the July 2024 security report, stating that the cumulative losses from on-chain security incidents across the network amount to approximately $290 million. Losses due to private key leaks account for 88.31% of the total losses, phishing incidents account for 3.03%, REKT incidents account for 7.33%, and RugPull incidents account for 1.31%.On July 18, the private key of the WazirX exchange's multi-signature wallet was leaked, resulting in a loss of approximately $235 million, making it the largest security incident in July. On July 16, the LiFi Protocol cross-chain bridge aggregation protocol was attacked, leading to a loss of about $10 million. The attacker exploited a vulnerability that allowed arbitrary calls to steal assets authorized by users of this contract.In addition, there were a total of 14 incidents of scams and phishing on official social media, resulting in losses of approximately $3.89 million, a decrease of 81.34% compared to June. OKLink reminds users not to disclose your private keys or mnemonic phrases to anyone, not to click on unverified links, and to learn how to use Web3 on-chain tools to mitigate risks. This is an important line of defense in protecting yourself in the Web3 world.

ChainCatcher news, according to Beosin Alert monitoring, it was discovered that the Indian exchange WazirX was attacked. The attacker obtained the signature data of the multi-signature wallet administrator of the exchange, modified the logic contract of the wallet, and executed incorrect logic to steal assets.Attacker address: 0x6eedf92fb92dd68a270c3205e96dccc527728066Attacked address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4Based on the attacker's behavior, it is speculated that the reason is the leakage of the multi-signature wallet administrator's private key. Beosin summarizes the cause of the attack as follows:The attacker deployed the attack contract: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. The function of this contract is to extract the token assets specified by this contract.The attacker obtained the signature data of the WazirX multi-signature wallet administrator and modified the wallet's logic contract to the already deployed attack contract. The corresponding transaction is:https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185dThe attacker submitted a token withdrawal transaction to the WazirX multi-signature wallet. Due to the proxy model mechanism, the wallet contract will use delegatecall to invoke the relevant functions of the attack contract, transferring the wallet's tokens.The flowchart of the stolen funds shows that, so far, the hacker has transferred part of the funds to Changenow and Binance exchanges.

ChainCatcher news, MetaBit Capital released a statement on social media that the wallet private keys used by IFCT users for withdrawals have been leaked, and the specific cause of the leak is under ongoing investigation.It is reported that this incident led to the sale of approximately 750,000 MBT, resulting in a significant drop in the coin price. MetaBit has sought assistance from the judicial authorities and will soon release relevant recovery measures.

ChainCatcher message, Slow Mist founder Yu Xian posted on social media regarding the attack on CoinStats, stating: "I used this app quite a while ago; it's convenient for checking the asset status of target wallets. There are quite a few applications like this, so I won't name them. Some have their own wallet functions (which is a risky area), allowing users to create wallets and use them subsequently. I'm quite curious about how CoinStats Wallet, which is supposed to be user self-custodied, had its private keys leaked on such a large scale; the official statement is that it's 1.3%.This kind of large-scale leak, with a limited proportion, can be speculated upon, but I won't discuss it here. Let's wait for the official disclosure of details."

ChainCatcher news, Wintermute research director Lgor Lamberdiev stated that pump.fun was likely attacked due to a private key leak, resulting in the theft of 2000 SOL and a large amount of MEME coins.Lamberdiev also mentioned that the service account address 5PXxuZ somehow signed the txs, transferring funds to the attacker and random addresses, instead of deploying the Raydium pool, which strongly suggests that the attack was likely caused by the leak from pump.fun.

ChainCatcher news, according to the Beosin KYT anti-money laundering analysis platform, the address 0x121ad060686848b196df8ca5c5e24722efe57115 on the Ronin chain, jihoz.ron (0xa09a9b6f90ab23fcdcd6c3d087c1dfb65dddfb05), is suspected of private key leakage. Multiple tokens were transferred to the address 0x39f817976c51a91b60145febad81067e69713105, exchanged for ETH, and then cross-chain to Ethereum, subsequently flowing directly into Tornado.cash.

ChainCatcher news, according to SlowMist, there seems to be an issue with the OKX DEX contract. After analysis, SlowMist found that: when users perform exchanges, they authorize the TokenApprove contract, and the DEX contract transfers user tokens by calling the TokenApprove contract. The DEX contract has a claimTokens function that allows a trusted DEX Proxy to be called, which functions to call the claimTokens function of the TokenApprove contract to transfer the tokens authorized by the user. The trusted DEX Proxy is managed by the Proxy Admin, and the Proxy Admin Owner can upgrade the DEX Proxy contract through the Proxy Admin.On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract via the Proxy Admin. The new implementation contract's function is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, the attacker began calling the DEX Proxy to steal tokens. On December 12, 2023, at 23:53:59, the Proxy Admin Owner upgraded the contract again, with functionality similar to the previous one, and continued to steal tokens after the upgrade. As of now, the profit is approximately 430,000 U.This attack may be due to the leakage of the Proxy Admin Owner's private key, and the current DEX Proxy has been removed from the trusted list.

ChainCatcher message, Bit Jungle analyzed the reasons behind the theft of a certain cryptocurrency wallet related to Binance deployers yesterday. It is reported that a certain cryptocurrency wallet related to Binance deployers was stolen yesterday, with hackers stealing 27.07 million USDT and 11 ETH from the wallet. Subsequently, the hackers cross-chained most of the funds and further transferred assets through ChangeNow, FixedFloat, SideShift, and others. However, a small portion of the funds has been converted to ETH and has not yet been transferred.

ChainCatcher news, the on-chain analysis agency X-explore posted on social media stating that it believes the reason for the attack on Poloniex is the leakage of private keys, and the attackers are the Lazarus Group.It is reported that this attack is similar to the attack on Stake.com on September 4, 2023, where hackers stored different tokens in different addresses, with each address handling only one type of token.

ChainCatcher message, Slow Mist founder Yu Xian stated on social media that this morning he received two forms of stolen submission information, both related to the stolen private keys of friend.tech users. It is currently reported that the FriendSniper Telegram Bot was used. Previously, the stolen cases we successfully intercepted were also suspected to have leaked private keys from this Bot.In addition, it was mentioned that if users encounter similar thefts, they are welcome to submit information to Slow Mist.

ChainCatcher message, Slow Mist founder Yu Xian posted on social media that through the analysis of Slow Mist's on-chain behavior (across multiple networks including Base/ETH/BSC), it was determined that the account private key of friend.tech user Pangchy is at risk of being leaked. As for the leakage channel, it can be referenced in the owner's investigation, but it cannot be confirmed at this time.Yu Xian stated that users are using third-party bots that run on Telegram, which are all centralized. Once the private key is given away, the risk is hard to assess.

ChainCatcher message, Slow Mist Yu Xian posted on social media that there has been a user private key leak incident on Bit Browser, resulting in at least $410,000 in losses.

ChainCatcher news, Kuan Sun, the founder of the encrypted derivatives trading company Eureka Trading, stated: "Last June, I lost 15 million USD due to a private key leak and was hacked. Currently, I have some preliminary IP and other information, but I have not yet been able to identify the hacker. I hope that individuals or organizations capable of providing valuable clues can assist in recovering the funds, and I can offer a reward."He added, "Hacker address: 0xa1ac23be458e14ac0a0003dc1343d2ac575ea3b6. At least 20% of the funds will be used as a reward, with the specific proportion depending on the level of contribution. So at least 3 million USD in rewards is available for those who are capable." (source link)

ChainCatcher news, Bitcoin core developer Luke Dashjr tweeted that almost all of his Bitcoin was stolen due to the leak of his PGP (Pretty Good Privacy) private key. According to on-chain data, Luke Dashjr's wallet address conducted four transactions on December 31, transferring 216.93 BTC, worth approximately 3.5 million dollars at current prices.It is reported that PGP is the first widely used encryption software to implement public key cryptography, utilizing a hybrid cryptosystem architecture that employs both symmetric and asymmetric encryption to achieve a high level of security. Binance founder Changpeng Zhao commented that he would cooperate with the investigation and has notified the Binance security team to monitor the situation, while reminding users that "self-custody comes with various risks." (source link)

ChainCatcher news, Raydium officials stated regarding the attack that occurred yesterday, the vulnerability seems to stem from a trojan attack and the leakage of the pool owner's account private key. The attacker accessed the mining pool owner's account and was able to call the withdrawalPNL function, which is used to collect transaction/protocol fees earned from swap trades in the pool. The affected pools include SOL-USDC, SOL-USDT, RAY-USDC, RAY-USDT, etc., with a total loss of approximately $4.395 million.Additionally, as an immediate solution, the permissions of the previous mining pool owner have been revoked, and all accounts have been updated to new hardware wallet accounts, so the attacker no longer has access and cannot exploit these pools for further attacks. If the attacker returns the funds, a 10% reward will be offered to the hacker for the stolen funds, treated as a white hat bounty. (source link)

ChainCatcher news, according to SlowMist intelligence, on November 4th, an address on the BNB Chain minted over $1 billion worth of pGALA tokens out of thin air and sold them for profit through PancakeSwap, causing GALA to briefly drop over 20%. The analysis results from SlowMist are as follows:The pGALA contract uses a Transparent Proxy model, which has three privileged roles: Admin, DEFAULT_ADMIN_ROLE, and MINTER_ROLE.The Admin role is used to manage the upgrade of the proxy contract and change the Admin address of the proxy contract, the DEFAULT_ADMIN_ROLE is used to manage various privileged roles in the logic (e.g., MINTER_ROLE), and the MINTER_ROLE manages the minting permissions of pGALA tokens.In this incident, the Admin role of the pGALA proxy contract was designated as the proxyAdmin contract address at the time of contract deployment, while the DEFAULT_ADMIN_ROLE and MINTER_ROLE were initialized to be controlled by pNetwork. The proxyAdmin contract also has an owner role, which is an EOA address, and the owner can upgrade the pGALA contract through proxyAdmin.However, the SlowMist security team discovered that the private key of the owner address of the proxyAdmin contract was leaked in plain text on GitHub, allowing any user who obtains this private key to control the proxyAdmin contract and upgrade the pGALA contract at any time.The owner address of the proxyAdmin contract was replaced 70 days ago (on August 28, 2022), and another project managed by it, pLOTTO, is suspected to have been attacked.Due to the architectural design of the Transparent Proxy, the change of the Admin role of the pGALA proxy contract can only be initiated by the proxyAdmin contract. Therefore, after the loss of owner privileges of the proxyAdmin contract, the pGALA contract has been at risk of being attacked at any time.In summary, the root cause of the pGALA incident lies in the leakage of the owner private key of the Admin role of the pGALA proxy contract on GitHub, and its owner address was maliciously replaced 70 days ago, resulting in the pGALA contract being at risk of being attacked at any time. (source link)