挂机的kaii

【202311】Analysis and Summary of DeFi Hacks - Updating

| Project | Vulnerability cause | Stage where it occurred | DefiLlama listing (👌 = listed) | Attacker's profit | Gas source | Fund destination |
|---|---|---|---|---|---|---|
| unibot | ❗️ sink: unrestricted access; closed-source code, requires reverse engineering | Trading | 👌 | 640k USD | FixedFloat | tornado.cash |
| Astrid | sink: withdraw parameter not strictly validated | Withdrawal | 👌 | 40k USD (20% bounty) | EXch | Unchanged |
| Maestro | sink: fallback (unrestricted access) | Invocation | 👌, contract not found | 280 ETH | railgun | railgun |
| OpenLeverage | sink: initialize (unrestricted access; closed-source code) | Initialization | 👌 | 8k USD | tornado.cash | tornado.cash |
| OpenDAO-kTAF | ❗️ sink: price depends on current state | Lending | 👌, contract not found | 8k USD | kucoin | Unchanged |
| MicDao | ❗️ sink: price manipulation | Exchange | Cannot | 13k USD | FixedFloat | Wallet |
| Beluga | ❗️ sink: price manipulation | Exchange | 👌 | 175k USD | Cross-chain bridge | Wallet |
| WiseLending | ❗️ sink: rate manipulation; precision difference based on the current total of donated funds | Donation | 👌 | 260k USD | tornado.cash | Unchanged |
| Platypus | ❗️ price manipulation | Exchange | 👌 | 2m USD | Cross-chain bridge | Multisig address, possibly an exchange |
| BH | sink: upgrade (unrestricted access) | Update | Cannot | 1.2m USD | tornado.cash | tornado.cash |
| pSeudoEth | ❗️ price manipulation | Exchange | Cannot | 3k USD | Orbiter Finance | Wallet |
| StarsArena | ❗️ sink: reentrancy in the SellShares function | Exchange | 👌 | 3m USD | Cross-chain bridge | Multiple wallets |
| DePayRouter | sink: route function, unauthorized access | Route configuration | Cannot | 827 USD | Wallet | Wallet |
| FireBirdPair | 🤔 sink: incorrect slippage protection | Exchange | 👌 | 8k USD | Wallet | Wallet |
| DexRouter | ❗️ sink: update (unrestricted access) | Update | Cannot | 20 BNB | tornado.cash | tornado.cash |
| babydoge2 | 🤔 deflation? slippage? | Exchange | 👌 | 441 BNB | tornado.cash | tornado.cash |
| babydoge | 🤔 sink: deflationary token + 0-fee privilege; market manipulation? | Exchange | 👌 | 237 BNB | FixedFloat | FixedFloat |
| XSDWETHpool | reentrancy in the swapXSDForETH function; impact analysis of deflation | Exchange | Cannot | 56 BNB | Wallet | tornado.cash |
| Kub_Split | setPair parameter not validated; fake trades earn excessive rewards | Trading | Cannot | 22k BUSD | Wallet | Wallet |
| CEXISWAP | ❗️ sink: unrestricted access to init; requires reverse engineering | Initialization | Cannot | 30k USDT | railgun | railgun |
| uniclyNFT | Deposit function triggers onERC1155Received, then reentrancy | Withdrawal | 👌 | 0.4 ETH | FixedFloat | Wallet |

Note:

[1] "❗️" marks a commonly seen attack method. The core methods are: (1) an unauthorized privileged function found by reverse engineering a closed-source contract; (2) profiting from the slippage loss of deflationary tokens; (3) flashloan-based price manipulation.

[2] "🤔" marks a summary that is based on speculation and has not been confirmed.
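To make method (3) concrete, the following is an added example written for this page (it is not code from the original post or from any of the projects in the table). It models, in pure Python rather than Solidity, a lender that prices TOKEN collateral from a constant-product pool's spot reserves, the single-transaction attack that pumps that price with a flashloan, and the same attack against a lender that reads a price observed in an earlier block instead. The pool sizes, fees, loan-to-value ratio and flashloan amount are constructed numbers, and the class and function names (ConstantProductPool, LaggedPriceOracle, Lender, simulate_attack) are hypothetical.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Callable

# Exact rational arithmetic so the numbers below are reproducible.
# All reserves, fees and loan sizes are constructed for this example.
F = Fraction


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style TOKEN/ETH pool with a 0.3% swap fee (hypothetical)."""
    token_reserve: Fraction
    eth_reserve: Fraction
    fee: Fraction = F(3, 1000)

    def spot_price(self) -> Fraction:
        """ETH per TOKEN derived from current reserves: every swap moves it,
        which is exactly what a manipulator exploits."""
        return self.eth_reserve / self.token_reserve

    def swap_eth_for_token(self, eth_in: Fraction) -> Fraction:
        """x*y=k swap: ETH in, TOKEN out; raises the spot price of TOKEN."""
        eth_eff = eth_in * (1 - self.fee)
        token_out = self.token_reserve * eth_eff / (self.eth_reserve + eth_eff)
        self.eth_reserve += eth_in
        self.token_reserve -= token_out
        return token_out


@dataclass
class LaggedPriceOracle:
    """Averages prices observed in earlier blocks only (a crude TWAP stand-in),
    so a swap made inside the attacker's own transaction cannot move it."""
    pool: ConstantProductPool
    observations: list = field(default_factory=list)  # (block, price)

    def observe(self, block: int) -> None:
        self.observations.append((block, self.pool.spot_price()))

    def consult(self, current_block: int) -> Fraction:
        past = [p for b, p in self.observations if b < current_block]
        if not past:
            raise RuntimeError("no prior-block observation available")
        return sum(past, F(0)) / len(past)


@dataclass
class Lender:
    """Lends ETH against TOKEN collateral at a loan-to-value ratio, valuing
    the collateral with whichever price function it was configured with."""
    eth_liquidity: Fraction
    price_of_token: Callable[[], Fraction]
    ltv: Fraction = F(4, 5)
    stranded_collateral: Fraction = F(0)

    def borrow(self, token_collateral: Fraction) -> Fraction:
        value_eth = token_collateral * self.price_of_token()
        eth_out = min(value_eth * self.ltv, self.eth_liquidity)
        self.eth_liquidity -= eth_out
        self.stranded_collateral += token_collateral  # attacker never repays
        return eth_out


def simulate_attack(use_lagged_oracle: bool,
                    flashloan_eth: Fraction = F(1000),
                    flash_fee: Fraction = F(9, 10000)) -> Fraction:
    """One atomic transaction: flashloan ETH, pump TOKEN in the pool, post the
    bought TOKEN as collateral, borrow ETH, repay the flashloan, keep the rest.
    Returns the attacker's profit in ETH; negative means the attack does not
    pay (a real attacker contract would revert at that point)."""
    pool = ConstantProductPool(token_reserve=F(1_000_000), eth_reserve=F(1000))
    oracle = LaggedPriceOracle(pool)
    oracle.observe(block=99)  # honest price seen last block: 0.001 ETH/TOKEN
    price_fn = (lambda: oracle.consult(current_block=100)) if use_lagged_oracle \
        else pool.spot_price
    lender = Lender(eth_liquidity=F(2000), price_of_token=price_fn)

    tokens = pool.swap_eth_for_token(flashloan_eth)  # spot price jumps ~4x
    borrowed = lender.borrow(tokens)                  # valued at the pumped price
    repay = flashloan_eth * (1 + flash_fee)
    return borrowed - repay


if __name__ == "__main__":
    print("spot-price lender, attacker profit (ETH):", float(simulate_attack(False)))
    print("lagged-oracle lender, attacker profit (ETH):", float(simulate_attack(True)))
```

With these constructed numbers the spot-price lender hands the attacker 1595.2 ETH against collateral that cost 1000 ETH, leaving 594.3 ETH of profit after the flashloan fee and a bad-debt position the lender can never liquidate at a sane price; the lender reading a prior-block price values the same collateral at about 499 ETH, so the attacker would lose roughly 600 ETH and simply would not execute. The pool itself is not at fault; the defect is reading `getReserves`-style spot data as if it were an oracle inside a single transaction.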
