
· 5 min read
Sebastian Lim

Introduction

Gas Mint Scams are not new on BSC. They have been documented relatively well in Web3 newsletters and by security companies in the space. However, we noticed that scammers have recently been changing some of their techniques, so we decided to write this blog to explain the scam in more detail.

Recap

This is how the scam typically works:

  1. A user notices an unknown airdropped token in his wallet, usually it mimics a valuable or well known token like USDT. In other cases, it might be the latest trends like Friend.Tech.
  2. He then proceeds to “approve” it to a DEX router such as PancakeSwap, in hopes of selling it for a profit. Subsequently, he tries to swap it on the DEX but to no avail as the transaction reverts. But didn’t he already grant approval for the DEX?
  3. At the same time, he notices that the token is still in his wallet and he lost some BNB as well. He was scammed!

What actually happens is that when the user interacts with the unknown token at step 2, the token contract uses the gas provided in the transaction to mint gas tokens. Furthermore, the gas requested in the transaction is unusually high.

One popular gas token on BSC is the CHI Gas token (refer to the linked page for more information). Essentially, gas tokens utilize the “gas refund” feature of the EVM, which grants refunds when clearing storage. This allows users to mint gas tokens when fees are low and burn them when fees are high, effectively "locking in" the lower fee.

In other words, the victim is minting CHI Gas tokens for the scammer so they can reduce their gas costs in future transactions.

New variations of the scam:

  1. Other common ERC20 methods trigger the same scam. For example, trying to move the token using the “transfer” method will also lead to the user invoking the minting.
  2. Recently, we noticed that scammers now prefer to mint XEN tokens with the victim’s gas during the transaction.

For context, XEN is a social mining project based on a Proof of Participation mechanism. XEN tokens are minted using gas as well, and the tokens can only be claimed after a waiting period. XEN tokens do have value in the secondary market. Therefore, scammers can profit by gaining these XEN tokens from you and dumping them later.

  3. Creating fake approvals. This is not exactly new, but we would like to elaborate more on how it works.

Approval-revoke platforms like BscScan or DeBank naively log all Approval events related to your wallet and display them nicely in a dashboard for you to see. The issue is that any contract can emit an Approval event, so these events can be faked by scammers.

Let’s look at this example: BscScan approver check:

IMG-1

At first glance, it looks like this user has multiple unlimited allowances for their tokens. However, none of these are real (neither the token nor the approval). Here is one instance of a fake approval transaction: https://bscscan.com/tx/0x3c3f16b418e6dcc39f03628f288d9aaba1a3cbb2e1843d92d651b61625329a95#eventlog

There are 1000 falsified approvals in just 1 transaction!

Looking into each of them, we can see that the token address is fake!

IMG-2 IMG-3

The fake token here mimics the INJ token and might appear to be a verified contract. However, it is actually a proxy contract, which points to an unverified logic contract here: 0x54d1527668bd83f719b5414141a912cbbda55382 (this is where the scam logic is). The real INJ token address is 0xa2b726b1145a4773f68593cf171187d8ebe4d495. *Notice that the token address prefix and suffix are scarily similar, to trick victims.

Current landscape of scammers’ methodologies

Understanding when and how scammers create these scam opportunities will help us become more familiar with them and better avoid them.

  1. Cast a wide net

    • By airdropping fake notable tokens like USDT or USDC to victims’ wallets

    • Then by creating fake approval transactions for fake notable tokens like USDT or USDC, which are displayed on revoke pages like Bscscan.

  2. Wait for specific events

    • When a hack event happens, airdrop / create fake approval transactions for the hacked project's token / spender, so that users will ‘revoke’ them. For example, if a particular project named "A" has been hacked, the scammers will mint and create a fake approval with a fake token "A" to the real "A" holders. As users are taught to revoke access for their "A" tokens, they see that there is an approval for the fake token "A" as well, and promptly get scammed of their gas.

For all cases, scammers ensure that the gas provided is enough to mint the scammers’ desired amount of CHI gas tokens or XEN tokens, i.e. if the gas is too low, the scam transaction will likely revert.

Security Recommendations from HashDit

  1. Do not touch any new unknown tokens. These tokens might appear to have value based on a liquidity pool the scammer created. Do not fall for it!
  2. Always check the token address for legitimacy. You can cross reference this with platforms like CoinMarketCap.
  3. The underlying scam technique requires an unusually high gas cost, hence this is a major red flag if seen on the transaction page.
  4. Use revoke.cash. The platform uses heuristics to filter out fake approvals. Keep in mind this is not 100% so you should still pay attention.
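As an added illustration (not HashDit's code), the following Python checks implement recommendations 2 and 3 against a transaction and its receipt logs: they judge an Approval event by the contract that emitted it rather than the displayed symbol (flagging prefix/suffix lookalikes, as with the INJ impersonation above), count Approval events per transaction (a genuine approve() emits exactly one), and flag gas limits far above what approve()/transfer() needs. The INJ address is the one quoted above; the lookalike address, the victim and router addresses, the gas thresholds and the "scam" sample (which merges the high-gas and 1000-approval patterns into one transaction) are constructed assumptions.

```python
"""Heuristics for the gas-mint / fake-approval scam described above.

Added example, not HashDit's code. Input is a transaction dict shaped like
an eth_getTransactionByHash result plus the receipt's logs, so it runs
offline on the constructed samples at the bottom.
"""
from typing import Dict, List

# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Function selectors the post names as scam entry points
ERC20_SELECTORS = {"0x095ea7b3": "approve", "0xa9059cbb": "transfer"}

APPROVE_GAS_TYPICAL = 60_000   # assumption: rough upper bound for a genuine approve()/transfer()
GAS_RATIO_RED_FLAG = 10        # assumption: flag limits above 10x that (the surplus is what mints CHI/XEN)

REAL_INJ = "0xa2b726b1145a4773f68593cf171187d8ebe4d495"   # real INJ address quoted in the post
TRUSTED_TOKENS = {"INJ": REAL_INJ}


def is_lookalike(addr: str, real: str, n: int = 4) -> bool:
    """True when addr is not real but shares its first and last n hex digits."""
    a, r = addr.lower(), real.lower()
    return a != r and a[2:2 + n] == r[2:2 + n] and a[-n:] == r[-n:]


def analyze(tx: Dict, logs: List[Dict], trusted: Dict[str, str] = TRUSTED_TOKENS) -> List[str]:
    """Return red flags for one transaction; an empty list means nothing looked off."""
    findings: List[str] = []
    trusted_lower = {v.lower() for v in trusted.values()}

    # 1. Gas limit: a genuine approve()/transfer() needs little gas; the scam needs a lot.
    gas = int(tx["gas"], 16)
    fn = ERC20_SELECTORS.get(tx["input"][:10].lower())
    if fn and gas > GAS_RATIO_RED_FLAG * APPROVE_GAS_TYPICAL:
        findings.append(f"{fn}() sent with gas limit {gas}, over {GAS_RATIO_RED_FLAG}x the usual {APPROVE_GAS_TYPICAL}")

    # 2. Event count: one approve() call emits exactly one Approval event.
    approvals = [lg for lg in logs if lg["topics"] and lg["topics"][0].lower() == APPROVAL_TOPIC]
    if len(approvals) > 1:
        findings.append(f"{len(approvals)} Approval events in a single transaction")

    # 3. Emitter: the log's `address` is the contract that emitted it, so judge that, not the symbol shown.
    for emitter in sorted({lg["address"].lower() for lg in approvals}):
        if emitter in trusted_lower:
            continue
        for symbol, real in trusted.items():
            if is_lookalike(emitter, real):
                findings.append(f"Approval emitted by {emitter}, which resembles {symbol} ({real}) but is not it")
    return findings


# --- constructed samples (no real transactions) ---------------------------------------------
FAKE_INJ = "0xa2b7deadbeefdeadbeefdeadbeefdeadbeefd495"   # constructed lookalike: same prefix/suffix as REAL_INJ
VICTIM = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20                                  # stands in for the DEX router being approved


def _approval_log(token: str, owner: str, spender: str) -> Dict:
    return {"address": token,
            "topics": [APPROVAL_TOPIC, "0x" + owner[2:].rjust(64, "0"), "0x" + spender[2:].rjust(64, "0")],
            "data": "0x" + "f" * 64}                        # unlimited allowance


APPROVE_INPUT = "0x095ea7b3" + ROUTER[2:].rjust(64, "0") + "f" * 64

SCAM_TX = {"to": FAKE_INJ, "gas": hex(2_000_000), "input": APPROVE_INPUT}
SCAM_LOGS = [_approval_log(FAKE_INJ, VICTIM, ROUTER) for _ in range(1000)]   # the 1000-approval pattern above

LEGIT_TX = {"to": REAL_INJ, "gas": hex(48_000), "input": APPROVE_INPUT}
LEGIT_LOGS = [_approval_log(REAL_INJ, VICTIM, ROUTER)]

if __name__ == "__main__":
    for name, tx, logs in (("scam", SCAM_TX, SCAM_LOGS), ("legit", LEGIT_TX, LEGIT_LOGS)):
        print(name, analyze(tx, logs) or ["no red flags"])
```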

HashDit is actively tracing and blacklisting these scam addresses on our HashDit API. Do download the HashDit chrome extension to safeguard yourself in the future!

We hope that this blog helps educate you on this Gas Mint scam so that you can stay safe in this space. Final security takeaway: do not sign any transactions if you do not know what it does.

Feel free to consult us at our email support@hashdit.io if you have any other queries.

· 4 min read
Sebastian Lim

Disclaimer

The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

Contract names are there for reference only; there may be legitimate contracts which share the same name. Always double-check the contract address, which is the unique identifier of any smart contract.

Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap stands tall as the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem; however, risks exist in every DEX and blockchain ecosystem. HashDit diligently checks projects every week to identify potential threats within the PancakeSwap landscape, ensuring your trading experience is protected. Consider HashDit a trusted guide that helps you navigate DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

High Risk TVL protocol on PCS

This week, there were 16 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0xbcb24afb019be7e93ea9c43b7e22bb55d5b7f45d | BSCSToken | 237
0x7b86f5ca09dc00502e342b0fef5117e1c32222ce | SOLCash | 32
0x94db03752342bc9b5bbf89e3bf0132494f0cb2b3 | Dogai (DOGAI) | 27
0x4ee98216499b81a9942e7aa77970b68c792ff679 | SCT | 20
0x638deed975af106d7d721f92047b369f82241020 | JiangNanYi | 14
0xacb8f52dc63bb752a51186d1c55868adbffee9c1 | BunnyPark | 13
0x4634d58982138e93c951c1485d25bc619cbd1f75 | AiONE: AiONE Token | 8
0xab8c98491816fede394582f7758a5effeb4368d7 | TrumpCoin (DTC) | 7
0x2fd6c9b869dea106730269e13113361b684f843a | Chihuahua | 6
0x1b391f9d0fffa86a6088a73ac4ac28d12c9ccfbd | Sustainable Energy Token | 5

Key themes on high risks:

  1. Red Alarm projects are manually identified by our security team as potential scams. These are identified at a project level, for example projects that utilize fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (31% of the newly identified risky addresses).

  2. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean some centralization risk: the owner can mint or toggle honeypot mode at will, so there could be rugpull risk. This portion represents 31% of the total newly identified risky addresses.

  3. A quarter of the newly identified risky addresses (25%) came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rug pulled) or scam tokens that have a high risk of rugs.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.

Integrations with PancakeSwap

HashDit has partnered with PancakeSwap to integrate DappBay’s Red Alarm. The risk score level reflects how risky the token being interacted with is, helping users make better informed decisions.

Example: Fake Circle Token - 0x84ef2e2e977062da3cfc12c038fa3ce2d42d01b1 IMG-1

The RedAlarm keyword will link to the risk scanner as seen in the image below. IMG-2

Please take note that the risk level in PancakeSwap and the Risk Scanner might differ, because HashDit uses more conservative strategies for PancakeSwap than for the DappBay risk scanner.

IMG-3

Stay Safe!

HashDit advises you to act with caution in general, but asks that you take particular care when dealing with the projects we highlight as risky in our weekly update. Continue enjoying the BNBChain ecosystem and, most importantly, stay SAFU!

About HashDit?

HashDit is building a safe blockchain ecosystem on BNB Chain by providing threat intelligence, code auditing and instant analysis for smart contracts. In the vast and ever-evolving world of DeFi investing, HashDit stands as a beacon of trust and knowledge for everyday investors. HashDit is a member of AvengerDAO, a community-driven initiative created to protect users and projects on BNB Chain from malicious actors and activity.

· 6 min read
Ayden Duan

Overview

In September, a number of projects suffered attacks due to the leakage of their hot wallet private keys, leading to substantial financial losses for both the projects and their users. In this article, we will analyze these types of attack incidents using several examples and finally provide some practical suggestions from a security perspective to help project teams avoid such breaches in the future.

Stake's Unanticipated $41 Million Withdrawals

stake.com, a crypto gambling protocol, offers a variety of casino games such as dice, blackjack, Lingo, and more. Additionally, they provide sports betting options for basketball, tennis, volleyball, and others. On September 4th, Stake.com encountered an abnormal outflow of funds, totaling approximately $41 million.

The attack transpired across multiple chains, incurring losses of around $15.7 million on ETH, $7.8 million on Polygon, and $17.8 million on BSC. This brought the cumulative losses to over $41 million.

One of the fraudulent transactions can be traced back to: transaction.
From the transaction details, it's evident that the funds were transferred directly from Stake.com's hot wallet: transaction to the attacker's address. Subsequently, the funds were dispersed among numerous accounts.

Stake confirmed this security breach via social media, stating, "Three hours ago, unauthorized transactions were initiated from Stake's ETH/BSC hot wallets." As a result of this security incident, Stake's operations were temporarily put on hold.

The CoinEx Fund's 6.2 Million Dollar Loss

Stake.com isn't the only entity that has fallen prey to a breach of hot wallet private keys. On September 12, 2023, CoinEx detected irregular withdrawals from several of its hot wallet addresses, which were utilized to store user assets. The unauthorized transactions affected 19 chains, including $ETH, $TRON, and $MATIC, bringing the total loss to an estimated $55 million.

One particular unauthorized transaction can be seen here: transaction. One can observe that the assets were directly transferred from CoinEx's hot wallet, transaction, to the hacker's address. This indicates that the culprits may have managed to seize control of CoinEx's hot wallet private key.

Following the hacking event, CoinEx temporarily suspended crypto deposits/withdrawals, relocated assets to more secure addresses, overhauled and redeployed the wallet system, and engaged in efforts with other exchanges to freeze the attacker's assets.

Unauthorized Transactions Drain Over $2.7M from Remitano Exchange

A mere week after CoinEx fell victim to a cyber intrusion, another exchange, Remitano, succumbed to unauthorized transactions that led to over $2.7 million being pilfered from its wallet across various chains, including #Ethereum and #TRON.

To illustrate the scenario, consider one of the unauthorized transactions on the ETH chain: transaction.

We can observe that approximately 1.3M USDT was directly shifted from Remitano's hot wallet to the assailant's address. Consequently, the perceived Remitano hack also appears to be a consequence of their hot wallet's private key leakage. This presumably allowed the hacker to gain direct control over the hot wallet and transfer all assets.

Fortunately, Tether responded promptly and froze two addresses allegedly utilized by the assailant on both the #Ethereum and #TRON chains, potentially preserving 2.7M $USDT.

Security Recommendations from HashDit

Since last September, numerous instances of hot wallet private key leaks have rattled various projects. Though Stake and CoinEx have stated that the affected funds comprise only a minor share of total assets, and users' funds are safeguarded, Twitter responses reveal growing public suspicion of insider activities at these projects, dramatically undermining user trust. These incidents underscore the significance of proactive risk management concerning project wallets and funds. HashDit, consistently carrying out related security tasks, offers the following recommendations based on our experience in averting hacking incidents:

  1. Adopt Comprehensive Address Planning and Isolation Design: For high balance addresses, refrain from frequent participation in DeFi contract operations. Replenish hot wallet balances regularly in batches to minimize balance fluctuations and risk exposure.
  2. Enforce Distributed Access Rights: Avoid allotting comprehensive access rights to the hot wallet to a single entity. Utilize a multisig wallet or MPC solution to necessitate multiple approvals for transactions, bolstering security measures.
  3. Monitor Key Management: Treat the access key to hot wallets as a critical asset and protect it with a suite of physical and digital measures. Avoid storing key duplicates on vulnerable networks, like emails or cloud storage.
  4. Initiate Regular Security Audits: Conduct periodic security audits on hot wallets to identify prospective threats or vulnerabilities. Regularly reinforce and upgrade security measures, including ensuring the appropriateness of hot wallet approvals.
  5. Institute Transfer Limits: Establish a cap for single or daily transactions to mitigate potential losses.
  6. Implement Ongoing Education and Training: Provide continuous security education for team members engaged in asset management, arming them with the ability to recognize and counteract potential threats.
  7. Craft Backup and Recovery Plans: Devise a robust plan to ensure swift recovery during unanticipated incidents.
  8. Maintain Secure Operations: Avoid transacting over unencrypted networks and processing in vulnerable settings, like public WiFi environments.
  9. Activate Two-Step Verification: Implement two-step verification for all accounts and services associated with the hot wallet.
  10. Leverage Audit Logs: Preserve and periodically review all hot wallet operation logs to detect and trace any suspicious activities.

These are broad suggestions for hot wallet management, yet specific strategies may need tailoring based on individual projects. Don't hesitate to reach out to HashDit for any security consultation. Our mission is to secure your WEB3 journey.
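As an added example (not HashDit's or any exchange's code) of recommendations 5 and 10 working together, the Python below replays a constructed hot-wallet outflow log in time order and enforces a destination allowlist, a per-transaction cap and a rolling 24-hour cap, so that the pattern seen in the incidents above (large direct transfers from the hot wallet to a never-before-seen address, minutes apart) is surfaced immediately. All addresses, caps, amounts and timestamps are assumptions.

```python
"""Transfer-limit and audit-log review for a hot wallet (recommendations 5 and 10 above).

Added example, not HashDit's or any exchange's code. It replays a constructed
outflow log in time order and enforces a destination allowlist, a per-transaction
cap and a rolling 24h cap; all addresses, caps and amounts are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HOT_WALLET = "0x" + "aa" * 20                 # constructed
COLD_WALLET = "0x" + "cc" * 20                # constructed: the only pre-approved destination
UNKNOWN = "0x" + "ee" * 20                    # constructed: an address never seen before
ALLOWED_DESTINATIONS = {COLD_WALLET}

PER_TX_CAP = 500_000      # assumption: USD-equivalent cap for one withdrawal
DAILY_CAP = 2_000_000     # assumption: USD-equivalent cap per rolling 24 hours


def review_outflows(transfers: List[Dict], hot_wallet: str = HOT_WALLET,
                    allowed=ALLOWED_DESTINATIONS, per_tx_cap: int = PER_TX_CAP,
                    daily_cap: int = DAILY_CAP) -> List[Tuple[str, List[str]]]:
    """Return (tx id, reasons) for every outflow that breaks a policy rule."""
    alerts: List[Tuple[str, List[str]]] = []
    recent: List[Tuple[datetime, int]] = []   # outflows inside the rolling 24h window
    allowed_lower = {a.lower() for a in allowed}
    for t in sorted(transfers, key=lambda x: x["time"]):
        if t["from"].lower() != hot_wallet.lower():
            continue                          # inbound replenishments are not outflows
        recent = [(ts, usd) for ts, usd in recent if t["time"] - ts < timedelta(hours=24)]
        recent.append((t["time"], t["usd"]))
        reasons = []
        if t["to"].lower() not in allowed_lower:
            reasons.append("destination not on allowlist")
        if t["usd"] > per_tx_cap:
            reasons.append(f"exceeds per-tx cap {per_tx_cap}")
        if sum(usd for _, usd in recent) > daily_cap:
            reasons.append(f"rolling 24h total exceeds {daily_cap}")
        if reasons:
            alerts.append((t["tx"], reasons))
    return alerts


# Constructed log: routine sweep to cold storage, batch replenishment, then the incident
# pattern (large direct transfers from the hot wallet to an unseen address, minutes apart).
T0 = datetime(2023, 9, 4, 0, 0)
SAMPLE_TRANSFERS = [
    {"tx": "tx-1", "time": T0, "from": HOT_WALLET, "to": COLD_WALLET, "usd": 300_000},
    {"tx": "tx-2", "time": T0 + timedelta(hours=1), "from": COLD_WALLET, "to": HOT_WALLET, "usd": 1_000_000},
    {"tx": "tx-3", "time": T0 + timedelta(hours=3), "from": HOT_WALLET, "to": UNKNOWN, "usd": 1_500_000},
    {"tx": "tx-4", "time": T0 + timedelta(hours=3, minutes=5), "from": HOT_WALLET, "to": UNKNOWN, "usd": 400_000},
]

if __name__ == "__main__":
    for tx_id, reasons in review_outflows(SAMPLE_TRANSFERS):
        print(tx_id, "; ".join(reasons))
```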

https://hashdit.github.io/hashdit/blog/smart-wallet-migration-guide

· 4 min read
Sebastian Lim

High Risk TVL protocol on PCS

This week, there were 42 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x0e9c0f8fcc8e60f8daeb569448a41514eb321471 | BakaCasino | 9855
0x60322971a672b81bcce5947706d22c19daecf6fb | MarsDAO | 907
0x89eb16377f3d10d39b23df7c02ae94ac3a81d389 | XQJ (XQJ) | 871
0xe1cace0527aa2e5962221d2db962c04498a8308b | Unknown | 455
0x8076c74c5e3f5852037f31ff0093eeb8c8add8d3 | OLD safemoon | 290
0xebe7c1395e43465ae7a041a686e957d9aa184b0d | Token | 148
0xbcb3f0ee92c65c0ec86755b36197a5d7e60dd8e6 | Trump Inu (TRUMPINU) | 128
0x2fa6ee42bacf983f050210a1ca42f88686327fc9 | W3C | 69
0x29c55f1b02a95f0b30e61976835a3eee2359ad92 | EShareV2 | 66
0xdcd103bc6d14829c39afc9c10c9c373ce385d2c5 | FROG | 64

Key themes on high risks:

  1. Nearly half of the newly identified risky addresses (46%) came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rug pulled) or scam tokens that have a high risk of rugs.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at a project level, for example projects that utilize fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (36% of the newly identified risky addresses).

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean some centralization risk: the owner can mint or toggle honeypot mode at will, so there could be rugpull risk. This portion represents 10% of the total newly identified risky addresses.

Refer to this link for the full list.

· 4 min read
Sebastian Lim

High Risk TVL protocol on PCS

This week, there were 30 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x1bec5734b1e4559979158052dfa5c6f0156282f2 | Portaldot (POT) | 546
0x4fc75a68c38a700aac53a34784d6d9917932ea0e | VCH | 66
0x9d173e6c594f479b4d47001f8e6a95a7adda42bc | CryptoZoon | 41
0x902d9367a4de541926e1ed55287fac8eed959d6d | ASB | 35
0xa77346760341460b42c230ca6d21d4c8e743fa9c | MicroPets | 33
0xadcfc6bf853a0a8ad7f9ff4244140d10cf01363c | TrustPad | 25
0x767b04d1f1dde2a056cec1ab3bd51d1c286366db | AAToken | 20
0x00000065cbadead116136940b302f938284f2bdc | Poop | 10
0xea51801b8f5b88543ddad3d1727400c15b209d8f | INUKO | 10
0x2fb6212111dad926902febcfd8daa3eb44f1ca56 | YATANCAKE | 10

Key themes on high risks:

  1. Nearly half of the newly identified risky addresses (46%) came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rug pulled) or scam tokens that have a high risk of rugs.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at a project level, for example projects that utilize fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (36% of the newly identified risky addresses).

  3. Another theme for these contracts is that they are unverified. This means that the source code is unavailable, which presents a risk, as scammers might hide malicious code in their contracts. This portion represents 6% of the total newly identified risky addresses.

Refer to this link for the full list.

· 9 min read
Sebastian Lim

TL;DR

This incident report aims to aggregate all the incidents that have happened on Layer 2. For context, the Layer 2 chains considered in this report are those built on top of the Ethereum Layer 1 blockchain:

  • Optimism
  • Arbitrum
  • Avalanche
  • BASE

In total, there were 57 cases: 52 incidents in 2023 and 5 incidents in 2022.

An examination of the yearly breakdown highlights that the total loss in 2022 and 2023 amounts to $149,278,400, of which 13.07% was in 2022 and 86.93% in 2023.

IMG-1

Type of projects

When comparing the types of project with the observed financial loss, a whopping 99.8% of financial loss was attributed to DeFi projects. The second-largest share was a GameFi project at 0.18% (TalesofElleria – signature compromised), followed by MEV at 0.01% (an unknown MEV contract had a lack-of-validation bug).

IMG-2

With a large proportion of fiat loss associated with DeFi projects, this shows that DeFi projects are still the most common type of crypto project on L2 chains.

Chain comparison

According to our data, 38.82% of financial loss was from the Arbitrum chain (~$57.95m). BASE being a new chain, accounted for 22.84% (~$34m). This is followed by Optimism and lastly Avalanche.

IMG-3

On Optimism, there were 7 hacks and 1 scam case. On Arbitrum, there were 23 hacks (including a white-hat) and 9 scam cases. On Avalanche, there were 9 hacks (including a white-hat) and 2 scam cases. On BASE, there were 2 hacks and 4 scam cases.

Attack Type analysis

The next chart shows the attack type analysis for all the security incidents on L2 chains. 58.53% was because of Hacks, 40.31% was due to Scams, while 1.17% was rescued by a White hat.

IMG-4

The next chart shows the specific attack vector analysis.

IMG-5

As seen in the chart above, the highest financial loss was attributed to rugpulls with $56.75m, $28.6m was due to MPC compromise (the Multichain incident), and $9m was due to internal accounting.

Further analyzing the top 3 attack vectors: Rugpulls, 13 cases (most notably the $BALD case); MPC compromise, 3 cases (the 1 Multichain incident across 3 chains); Internal accounting, 2 cases (mostly due to the Platypus case).

Top 10 incidents on L2 thus far

The following were the top 10 security incidents on L2, 3 of them were scams while the other 7 were exploit cases.

IMG-6

BALD - $25.6 Million Scam

On 1-Aug-2023, BALD, a meme token on BASE, was reported to have rug pulled $25.6 million USD from investors.

Method: The liquidity of the BASE tokens was held by an EOA account, hence the account could remove liquidity at any time. Although the Base network is meant to be used for developer testing, some people have tried to trade on the network before its official launch (https://decrypt.co/150647/bald-coin-based-ethereum-base-layer-2-coinbase). Since removing liquidity, he appears to still be adding/removing small chunks of liquidity (probably still trying to garner traffic): https://basescan.org/token/0x4200000000000000000000000000000000000006?a=0xfcd3842f85ed87ba2889b4d35893403796e67ff1

Multichain - $28.6 Million Exploit

On 10-July-2023, a Bridge project, Multichain had its MPC account compromised by an unknown entity. The MPC account had authority over the bridged funds of users, and transferred all the funds to his own wallet, on 3 chains: Arbitrum, Optimism and Avalanche. Since the MPC account appears as a normal EOA on-chain, it is unclear how the MPC account was compromised on the backend.

Defrost - $12 Million Scam

The Defrost project was rugged for a total of $12 million USD on 23-Dec-2022. The incident happened on Avalanche.

Method: The privileged owner was an EOA which could change the address of the oracle in a market contract. He changed the address maliciously to one that returns fake prices, to liquidate their users and seize their funds. At that point in time, it looked pretty obvious that it was a rugpull. However, the project party claimed 4 days later that they were hacked and stated that the exploiter had returned 100% of funds to them (https://medium.com/@Defrost_Finance/hacked-funds-returned-to-defrost-71b9d2d1b458). In this case, it appears that they were caught, so they returned the funds.

Platypus - $8.75 Million Exploit

On 17-Feb-2023, Platypus, a Lending/Borrowing project, was exploited, resulting in users losing more than $8.75 million USD. The incident happened on Avalanche.

Root cause: The project party overlooked the EmergencyWithdraw() method and forgot to include a check for borrowed funds (https://twitter.com/danielvf/status/1626340324103663617?s=61&t=gr5sMl7K7qjCB7l3zmh53w).

Method: The hacker deposited funds, borrowed funds and then exited his position with EmergencyWithdraw(), allowing him to keep the borrowed funds.
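As an added, simplified model (not Platypus's contract code) of the root cause just described: a single-asset lending market whose emergency-withdraw path returns collateral without checking outstanding debt, beside the hardened version that refuses while debt remains. The 100% loan-to-value rule, the account names and all amounts are assumptions.

```python
"""Simplified lending-market model of the Platypus root cause described above.

Added example, not Platypus's code. check_debt=False reproduces the missing
check; check_debt=True is the hardened path. Amounts are plain integers in a
constructed single-asset market.
"""
from typing import Dict


class DebtOutstanding(Exception):
    """Raised by the hardened path when a position still has borrowed funds."""


class LendingMarket:
    def __init__(self, check_debt: bool):
        self.check_debt = check_debt
        self.collateral: Dict[str, int] = {}   # user -> deposited collateral
        self.debt: Dict[str, int] = {}         # user -> borrowed amount
        self.pool = 0                          # liquidity currently held by the market

    def deposit(self, user: str, amount: int) -> None:
        self.collateral[user] = self.collateral.get(user, 0) + amount
        self.pool += amount

    def borrow(self, user: str, amount: int) -> None:
        # Assumption: 100% loan-to-value, i.e. a user may borrow up to their free collateral.
        if amount > self.collateral.get(user, 0) - self.debt.get(user, 0):
            raise ValueError("insufficient collateral")
        if amount > self.pool:
            raise ValueError("insufficient liquidity")
        self.debt[user] = self.debt.get(user, 0) + amount
        self.pool -= amount

    def emergency_withdraw(self, user: str) -> int:
        """Return the user's collateral. Hardened version: refuse while debt remains."""
        if self.check_debt and self.debt.get(user, 0) > 0:
            raise DebtOutstanding("repay outstanding debt before an emergency withdrawal")
        amount = self.collateral.pop(user, 0)
        self.pool -= amount
        return amount

    def bad_debt(self) -> int:
        """Borrowed funds that are no longer backed by any collateral."""
        return sum(d for u, d in self.debt.items() if self.collateral.get(u, 0) == 0)


def replay(check_debt: bool) -> Dict[str, int]:
    """Replay the deposit -> borrow -> emergency withdraw sequence from the report."""
    market = LendingMarket(check_debt)
    market.deposit("lp", 1_000)          # honest liquidity provider
    market.deposit("attacker", 100)
    market.borrow("attacker", 100)       # borrow against the deposit
    try:
        withdrawn = market.emergency_withdraw("attacker")   # exit without repaying
    except DebtOutstanding:
        withdrawn = 0
    return {"withdrawn": withdrawn,
            "kept_borrow": market.debt.get("attacker", 0),
            "bad_debt": market.bad_debt()}


if __name__ == "__main__":
    print("missing check:", replay(check_debt=False))
    print("hardened:     ", replay(check_debt=True))
```

With the check missing, the position walks away with both its collateral and the borrowed funds, and the market is left holding unbacked debt; with the check in place, the withdrawal is refused and the position stays collateralized.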

Jimbos - $7.5 Million Exploit

On 2023-05-28, Jimbos Protocol on Arbitrum was exploited, which resulted in ~$7.5m of funds lost.

Root cause: The protocol did not have proper measures to manage price changes during operations that shift liquidity. This oversight allows the protocol's own liquidity to be put into a distorted price range, which allows attackers to make "profit" via a reverse swap.

Method:
  1. The hacker initially flash loaned 10,000 WETH.
  2. Subsequently swapped them for $JIMBO, inflating its price.
  3. Called the shift() method in JimboController to manipulate reserves and imbalance the pool.
  4. Following the manipulation, the attacker converted the acquired Jimbo tokens back into ETH.

Exactly - $7.32 Million Exploit

Exactly Protocol, a Lending/Borrowing platform, was hacked on Optimism for $7.32m. Root cause: Lack of validation, which allowed the attacker to steal users’ collateral assets.

IMG-7

The attacker was able to bypass the permit check in the leverage function of the DebtManager contract by directly passing a fake market address without validation.

Because an untrusted external call was made to the fake market address, the attacker re-entered the crossDeleverage function in the DebtManager contract and stole the collateral of the _msgSender.


Secondly, the Permit calldata p could be externally controlled as well, allowing the _msgSender to be changed to the victim's address (a user EOA).

Hundred Finance - $7 Million Exploit

Hundred Finance, a Lending/Borrowing platform, was hacked on Optimism for $7m. The hack was due to a known bug in the Compound V2 code.

Root cause: The exchange rate can be manipulated because of a rounding issue in redeemFresh of the CToken pool contract. The attacker strictly controls the input quantity every time they call the redeemUnderlying function, so that the calculated result becomes 1.99999999999... but is rounded down to 1 by default.

Lodestar Finance - $6.9 Million Exploit

Lodestar Finance, a Lending/Borrowing project, was hacked on Arbitrum for $6.9m. This attack vector is one variation of the donation-bug vulnerability.

The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, "an exploit that by itself would be unprofitable", said the company.

Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanism prevented a full liquidation of the plvGLP."

Following the hack, "several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP." The hacker was able to burn a little over 3 million in GLP, making a profit on the "stolen funds on Lodestar - minus the GLP they burned", noted the DeFi platform.

Magnate Finance - $6.4 Million Scam

Magnate Finance, a scam project, rug pulled for $6.4m. The incident was on the BASE blockchain. Moments before the rug, it was found that its deployer address was directly linked to the Solfire $4.8M exit scam.

The project team manipulated the price oracle value so that they could drain all the locked funds in the market contract.

Deus DAO (DEI) - $5 Million Exploit

On 6-May-2023, the DeusDAO (DEI) project was hacked for slightly more than $5 million USD due to a wrong contract upgrade. The project was hacked on Arbitrum. The upgrade bug introduced a public burn vulnerability, which allowed attackers to steal funds from other wallets holding DEI tokens.

The issue was specifically in the burnFrom method, which wrongly swapped the two parameters, msg.sender and the account to be granted approval. The hacker first approved DEI tokens to a whale account holding a large amount of DEI, and then invoked the wrongly implemented burnFrom method with 0 tokens. This approved all the DEI tokens to the caller instead, who could then simply call transferFrom and steal all of the whale's tokens.
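The parameter swap described above, reconstructed as an added illustration (this is example code written for this post, not the DEI contract's actual source): a burnFrom whose allowance read and allowance write disagree on which address is the owner and which is the spender, next to the correct form. The MiniToken contract and its function names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20-style allowance bookkeeping, written for this example only
// (not DEI's code). Only the pieces needed to show the burnFrom bug are kept.
contract MiniToken {
    mapping(address => uint256) public balanceOf;
    // allowance[owner][spender]
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address whale, uint256 supply) {
        balanceOf[whale] = supply;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transferFrom(address from, address to, uint256 amount) external {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        allowance[from][msg.sender] = allowed - amount;
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }

    function _burn(address account, uint256 amount) internal {
        require(balanceOf[account] >= amount, "burn exceeds balance");
        balanceOf[account] -= amount;
    }

    // BUGGY (modelled on the swap described in the post): the allowance is read
    // with msg.sender as owner and `account` as spender, then written back with
    // the roles reversed. After approve(whale, X), calling burnFromBuggy(whale, 0)
    // sets allowance[whale][msg.sender] = X without the whale ever consenting.
    function burnFromBuggy(address account, uint256 amount) external {
        uint256 currentAllowance = allowance[msg.sender][account]; // swapped
        require(currentAllowance >= amount, "burn exceeds allowance");
        allowance[account][msg.sender] = currentAllowance - amount;
        _burn(account, amount);
    }

    // CORRECT: `account` is the owner and msg.sender the spender in both the
    // read and the write, so only an allowance the owner granted can be spent.
    // Review check: every *From function must use one (owner, spender) order.
    function burnFrom(address account, uint256 amount) external {
        uint256 currentAllowance = allowance[account][msg.sender];
        require(currentAllowance >= amount, "burn exceeds allowance");
        allowance[account][msg.sender] = currentAllowance - amount;
        _burn(account, amount);
    }
}
```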

Conclusion

L2 blockchains offer several advantages over traditional L1 chains, such as increased scalability, lower fees and faster transaction times. However, the issues that plague L1 chains persist on L2 chains as well.

Therefore, we advise the opBNB community to pay closer attention to the following areas.

  1. Developers' concerns
  2. Users' concerns

Developers should

  1. Pay special attention to over-centralization. Privileged roles should be transferred to a multisig or timelock.
  2. Pay attention to oracle / price manipulation attacks. Ensure the oracle is a trusted source, and use a backup oracle to check discrepancy so that prices will not deviate too much.
  3. For lending/borrowing projects, pay close attention to exchange rates to ensure the rate cannot be manipulated by forceful donation or by breaking any invariants.
  4. Ensure all state-changing functions have proper checks for all parameters, so that unexpected inputs are never left unvalidated.
  5. Ensure all token standards are followed.
  6. Ensure contract upgrades are done only after review by a trusted auditor.
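Points 1 and 2 above, shown as an added example (not code from any of the projects discussed): the oracle address can only be changed by a governance contract such as a timelock or multisig rather than an EOA, and every price read is cross-checked against a backup oracle so that a swapped or manipulated primary oracle (the Defrost and Magnate pattern) causes a revert instead of driving liquidations. The IPriceOracle interface, the GuardedPriceFeed name and the 5% deviation bound are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal oracle interface for this example.
interface IPriceOracle {
    function getPrice(address asset) external view returns (uint256);
}

contract GuardedPriceFeed {
    // Expected to be a timelock or multisig contract, never a single EOA.
    address public immutable governance;
    IPriceOracle public primary;
    IPriceOracle public backup;
    // Maximum allowed deviation between the two feeds, in basis points (assumed 5%).
    uint256 public constant MAX_DEVIATION_BPS = 500;

    event OracleChanged(address indexed oldOracle, address indexed newOracle);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address _governance, IPriceOracle _primary, IPriceOracle _backup) {
        // Reject EOAs: an EOA has no code, a deployed timelock/multisig does.
        require(_governance.code.length > 0, "governance must be a contract");
        governance = _governance;
        primary = _primary;
        backup = _backup;
    }

    // Oracle swaps go through governance; a timelock delay gives users time to react
    // and the event makes the change visible to monitoring.
    function setPrimaryOracle(IPriceOracle newOracle) external onlyGovernance {
        require(address(newOracle).code.length > 0, "oracle must be a contract");
        emit OracleChanged(address(primary), address(newOracle));
        primary = newOracle;
    }

    // Returns the primary price, but reverts if the backup disagrees by more than
    // MAX_DEVIATION_BPS. A market that reads prices through this function halts
    // liquidations instead of acting on a fake price from a swapped or manipulated oracle.
    function getPrice(address asset) external view returns (uint256 price) {
        price = primary.getPrice(asset);
        uint256 reference = backup.getPrice(asset);
        require(price > 0 && reference > 0, "zero price");
        uint256 diff = price > reference ? price - reference : reference - price;
        require(diff * 10_000 <= reference * MAX_DEVIATION_BPS, "oracle deviation too large");
    }
}
```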

Users should

  1. Invest in trusted tokens rather than over-centralized or hype-driven meme coins, as such projects are high risk and may turn out to be scams.
  2. Invest in projects that have partnered with 3rd party security companies.

For further inquiries or clarifications, do drop us an email at support@hashdit.io! Stay safe!

· 4 min read
Sebastian Lim

Disclaimer

The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

Contract names are there for reference only; there may be legitimate contracts which share the same name. Always double-check the contract address, which is the unique identifier of any smart contract.

Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap stands tall as the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem; however, risks exist in every DEX and blockchain ecosystem. HashDit diligently checks projects every week to identify potential threats within the PancakeSwap landscape, ensuring your trading experience is protected. Consider HashDit a trusted guide that helps you navigate DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

High Risk TVL protocol on PCS

This week, there were 41 newly identified risky addresses. Trending newly identified risky addresses:


Key themes on high risks:

  1. Slightly more than half of the newly identified risky addresses (56%) were identified through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that utilize fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (29%).

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which implies some centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 5% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.

Integrations with PancakeSwap

HashDit has partnered with PancakeSwap to integrate DappBay's Red Alarm. The risk score level reflects how risky the token being interacted with is, helping users make better informed decisions.

Example: Fake Circle Token - 0x84ef2e2e977062da3cfc12c038fa3ce2d42d01b1

The RedAlarm keyword links to the risk scanner.

Please note that the risk level shown in PancakeSwap and in the Risk Scanner might differ, because HashDit uses more conservative strategies for PancakeSwap than for the DappBay risk scanner.


Stay Safe!

HashDit advises you to act with caution in general, but asks that you take particular care when dealing with the projects we highlight as risky in our weekly update. Continue enjoying the BNBChain ecosystem and, most importantly, stay SAFU!

About HashDit

HashDit is building a safe blockchain ecosystem on BNB Chain by providing threat intelligence, code auditing and instant analysis for smart contracts. In the vast and ever-evolving world of DeFi investing, HashDit stands as a beacon of trust and knowledge for everyday investors. HashDit is a member of AvengerDAO, a community-driven initiative created to protect users and projects on BNB Chain from malicious actors and activity.

· 4 min read
Sebastian Lim


High Risk TVL protocol on PCS

This week, there were 55 newly identified risky addresses. Trending newly identified risky addresses:


Key themes on high risks:

  1. Slightly more than half of the newly identified risky addresses (56%) were identified through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that utilize fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (25%).

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which implies some centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 7% of the total newly identified risky addresses.


· 3 min read
Sebastian Lim

Introduction

According to HashDit, losses on BNB Smart Chain (BSC) in August 2023 greatly decreased compared to July.

In August, there were over 27 typical security incidents, with a total loss of approximately $4.5 million, a decrease of about 60% compared to July.

In general, the data has trended downwards from July to August, which is a good sign.

The total amount involved in Hack incidents dropped to $507k from $4.7 million, a decrease of about 89% compared to July. The total amount involved in Scam incidents dropped to $4 million from $6.8 million, a decrease of about 40% compared to July.

The number of Hacks decreased to 4 from 19, a 78% decrease from July. The only metric that trended upwards was the number of Scams, which increased from 13 to 23, a 76% increase from July.


Figure 1: Comparisons between July (Blue) and August (Red) in terms of Amount Loss ($$) and Number of Incidents

The largest security incident this month occurred with a fake LayerZero token, resulting in a loss of approximately $1 million. There has been an increase in exit scam incidents this month, with notable cases including a $680k rugpull by the NFT_SalesRoom (ASN) team. Additionally, there has been an increase in fake tokens that conducted a rugpull such as 2 Fake $CIRCLE tokens, 1 Fake $Zksync token and 1 Fake $X token.

Security Control Improvements in the BSC Ecosystem

  1. HashDit has integrated its security API with prominent and leading brands on BSC such as PancakeSwap, TrustWallet and BscScan to improve security controls across the ecosystem.
  • @PancakeSwap: Auto-scans tokens & displays risk scores
  • @TrustWallet: Notifies users of high risks before transactions
  • @bscscan: Displays risk warnings in the explorer
  2. New risks flagged in RedAlarm

A total of 319 dApps and 64 addresses were added to Hashdit's RedAlarm in August alone. This amounts to a total of 1679 smart contracts on RedAlarm currently.

Word of Advice

With the current trends in the BSC security landscape, HashDit advises the community to:

  1. Do Your Own Research (DYOR) before participating in any trending projects to mitigate the risk of financial losses, especially when the token name and symbol is an impersonation of the real token.
  2. Place greater emphasis on security, adopt a Zero-Trust security mentality and be careful of phishing scams.

Meanwhile, HashDit promises to continue to keep the BSC community and its users safe!

· 4 min read
Sebastian Lim


High Risk TVL protocol on PCS

This week, there were 252 newly identified risky addresses. Trending newly identified risky addresses:


Key themes on high risks:

  1. Exactly half of the newly identified risky addresses (50%) were identified through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that utilize fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (17%).

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which implies some centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 15% of the total newly identified risky addresses.
