Recent Exploits in DeFi: Bankroll Network Loses $230,000
On September 22, a significant security breach occurred in the decentralized finance (DeFi) protocol known as Bankroll Network, resulting in a loss of approximately $230,000, as reported by the blockchain security firm TenArmor on their X account.
Transactions related to the attack were detailed in an image shared by TenArmor, showcasing a series of transfers involving BNB from a contract associated with Bankroll Network. The largest transfers were valued at $9,679,645.51.
In addition to these self-transfers, two notable transactions were executed: one moved around $9,435,877.94 from a PancakeSwap exchange pool to an account ending in “47D7”, and this account then funneled funds back into the BankrollNetworkStack contract.
The sum of the self-transfers and the transaction to the external account was calculated to be $243,767.57, closely mirroring the reported loss of $235,000.
This suggests that the hacker may have exploited a vulnerability, enabling them to withdraw more funds than they deposited, potentially utilizing flash loans for their initial input.
Details from blockchain transaction services confirm the transfers took place at 4:50 PM UTC on September 22. Attempts to reach out to the Bankroll Network team for comments went unanswered as of the report’s timing.
Exploits of this nature are becoming increasingly common within the Web3 space. Users are urged to perform thorough research into a protocol’s security measures prior to engagement, with a preference for protocols that have been audited by trusted smart contract security firms, although such audits cannot guarantee complete safety against vulnerabilities.
Phishing Attack: $250,000 Laundered via CoW Protocol
On August 28, an attacker behind a phishing attack that previously drained a substantial wallet of $55.4 million began laundering some of the stolen assets through the CoW decentralized finance protocol, as outlined by security firm PeckShield.
The attacker converted the stolen DAI stablecoins into ETH. The laundering activity was detected on September 14, when they executed a transaction transferring the ETH to a new address.
On Etherscan, the laundering actions appeared as a compilation of 33 individual trades executed under a specific function call titled “MoooZ1089603480”. A wallet identified as “Fake_Phishing442897” sent DAI worth $260,000 to CoW in exchange for roughly 106.29 ETH.
It appears that a third-party paymaster account or relayer executed the function call, possibly aiming to mislead analytic tools and obscure tracing efforts, though this strategy ultimately failed.
The attacker had received $3,000 worth of DAI the previous day by swapping ETH on CoW, and had also received a substantial amount of ETH on August 20, valued at around $10 million at the time, also through CoW.
PeckShield reports indicate that these funds can be traced back to the aforementioned $55.4 million phishing attack on a significant account, or “whale.” Phishing scams, particularly in the crypto realm, often involve deceiving users into granting token approvals, subsequently facilitating the draining of their wallets.
Crypto users are advised to carefully verify the addresses they interact with. An accidental approval of a malicious contract can lead to significant financial loss. The funds stolen from this particular victim are being distributed among various wallets and exchanged for different tokens, in what appears to be a continuous effort to evade analytics tools. If successful, the attacker may transfer the assets to a centralized exchange where they could permanently disappear.
Fortunately, security firms have made progress in tracking these funds, providing some hope that authorities may eventually recover them.
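The approval-based phishing described above depends on the victim signing a call that hands a spender control of their tokens. As an added example (not from PeckShield or any wallet vendor), the following decodes pending calldata and flags approvals to unknown spenders or with unlimited allowance; the addresses, allowlist and sample calldata are constructed for illustration.

```python
# Added example: inspect calldata for token approvals before signing.
# Addresses, allowlist and sample calldata are constructed values.
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of the standard approval-granting functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def decode_approval(calldata_hex):
    """Return (function, spender, value), or None if not an approval call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    sig = SELECTORS.get(data[:8])
    if sig is None:
        return None
    args = data[8:]
    if len(args) < 128:
        raise ValueError("truncated approval calldata")
    # Arguments are 32-byte words; an address is the low 20 bytes of its word.
    spender = "0x" + args[24:64]
    value = int(args[64:128], 16)
    return sig, spender, value

def review(calldata_hex, trusted_spenders):
    """Return the reasons to stop before signing (empty list if none)."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return []
    sig, spender, value = decoded
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender " + spender + " is not on the allowlist")
    if sig.startswith("setApprovalForAll"):
        if value == 1:
            warnings.append("grants control of every token in the collection")
    elif value == MAX_UINT256:
        warnings.append("unlimited allowance")
    return warnings

TRUSTED = {"0x" + "11" * 20}    # constructed allowlist of known spenders
UNKNOWN = "0x" + "ab" * 20      # constructed address not on the allowlist
# Constructed calldata: approve(UNKNOWN, 2**256 - 1)
SAMPLE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
```
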
Security Alert: D-Link Reveals Vulnerabilities in Routers
On September 16, D-Link, a major manufacturer of networking devices, announced the identification of five vulnerabilities within several router models, as reported by CyberRisk Alliance. These vulnerabilities pose risks that could allow malicious actors to infiltrate a user’s home network and access devices containing cryptocurrency wallets.
The first two vulnerabilities, labeled CVE-2024-45695 and CVE-2024-45694, enable attackers to exploit a “stack-based overflow” to seize control of a router, potentially allowing them to execute arbitrary code on the device. The first vulnerability impacts DIR-X4860 and DIR-X5460 models, while the second affects only the DIR-X5460.
The remaining vulnerabilities involve the DIR-X4860 and the discontinued COVR-X1870 models, which permit the use of hardcoded credentials for logging in, provided Telnet is enabled.
Under typical circumstances, activating Telnet on these devices should not be feasible. However, CVE-2024-45697 causes the Telnet service to be enabled whenever the modem’s internet or WAN port is connected, giving the attacker access to execute operating system commands.
CVE-2024-45696 and CVE-2024-45698 also allow login through Telnet to execute OS commands. CVE-2024-45696 requires the attacker to send specific packets to force Telnet activation, but can only be exploited by someone already connected to the device’s WiFi network. In contrast, CVE-2024-45698 enables an attacker to bypass user input validation in the Telnet service, allowing OS command injection.
D-Link has recommended that users update their devices with the latest firmware to defend against potential exploitation of these vulnerabilities.
For crypto wallet holders, ensuring the security of their home network is paramount. Cybercriminals can leverage network vulnerabilities to monitor online behavior, which can lead to subsequent attacks that may result in significant losses of cryptocurrency funds.