18 posts tagged with "2023"

· 5 min read
Sebastian Lim

Top 10 incidents in 2023

The following were the top 10 security incidents in terms of financial loss in 2023.

IMG-1

Fintoch - $32 Million Loss

On 24th May 2023, Fintoch, an investment-fraud Ponzi scheme, was found to have exit scammed for ~$32m worth of USDT.

Fintoch advertised a 1% daily APR. Its team page listed a fake person, "Bob Lambert", as CEO, who was in fact a US-based paid actor (Mike Provenzano). The project claimed to be based in Silicon Valley but was not registered there. Furthermore, Fintoch claimed to be owned by Morgan Stanley.

Later on, the Singapore Government issued a warning against this fraud, and Morgan Stanley issued a similar one.

Stake - $18 Million Loss

On 4th September 2023, the Stake platform was exploited, resulting in a loss of almost $18m on BSC. Stake is a betting platform where users gamble their cryptocurrency across multiple chains. The incident was due to a private key compromise of several of its operating wallets, from which funds were stolen directly. The eventual root cause was not shared by the project team, and the platform continued business as usual after switching to new operating wallets.

Ipp - $15 Million Loss

On 26th May 2023, the Ipp project conducted a rugpull worth nearly $15m in USDT. The project has since deleted all its social media accounts.

The root cause of this rugpull was a backdoor function in the project's staking contract. The backdoor function gave the scammers privileged access to remove users' staked funds from the contract.

Safemoon - $9 Million Loss

SafeMoon markets itself as a decentralized cryptocurrency with reflection rewards for holders. On 28th March 2023, the project was exploited for roughly $9m worth of WBNB funds.

The vulnerability behind the attack was a bug introduced in the latest update: the newly added burn() function could be called publicly, and its from address could be externally controlled. This meant that any address could have its $Safemoon tokens burned from its wallet by anyone.

The hacker repeatedly called burn(), passing in the address of the SafeMoon-WBNB pool. Destroying the $Safemoon held in the LP pool artificially inflated the price of $Safemoon, allowing the hacker to swap back into WBNB and profit.

SwapX - $7 Million Loss

On 27th February 2023, SwapX, an AMM project, was exploited, resulting in the loss of ~$7m worth of funds on BSC. The victim smart contract, which was unverified, had a vulnerable function without proper access control that misused the allowances granted by other users.

The attacker exploited this vulnerability to swap other users' funds for other tokens; in other words, users had their funds swapped without their consent. As a result, tokens such as $DND and $LZ spiked in price, which allowed the attacker to swap back and profit from the price gap.
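SafeMoon's publicly callable burn() with an externally controlled from address and SwapX's unchecked use of other users' allowances are the same defect class: a privileged action whose subject is chosen by the caller, with no check that the caller is entitled to act for that subject. The Python model below is an added example, not SafeMoon's, SwapX's or any real contract's code; the token ledger, pool reserves and addresses are constructed, and the hardened variant applies the same owner-or-allowance rule that an ERC20 transferFrom enforces. It also shows, on a constant-product pool, why destroying pool reserves moves the spot price.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class ToyToken:
    """Minimal ERC20-style ledger (constructed model; not the real SafeMoon contract)."""
    balances: Dict[str, int] = field(default_factory=dict)
    allowances: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def burn_unchecked(self, caller: str, frm: str, amount: int) -> None:
        """Vulnerable shape: `frm` is taken at face value and `caller` is never consulted,
        so anyone can destroy tokens held by any address (the SafeMoon bug class)."""
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount

    def burn_checked(self, caller: str, frm: str, amount: int) -> None:
        """Hardened shape: the caller must be `frm` itself, or spend an allowance that
        `frm` granted it, which is the rule transferFrom already enforces."""
        if caller != frm:
            allowed = self.allowances.get((frm, caller), 0)
            if allowed < amount:
                raise PermissionError("caller is neither the owner nor an approved spender")
            self.allowances[(frm, caller)] = allowed - amount
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount


def spot_price(token_reserve: int, wbnb_reserve: int) -> float:
    """Spot price of one token in WBNB for a constant-product (x*y=k) pool."""
    return wbnb_reserve / token_reserve


def third_party_burn_effect(variant: str) -> Tuple[bool, float, float]:
    """Attempt a burn of 90% of the pool's token reserve from an unrelated address and
    report whether it went through, plus the pool spot price before and after.
    Reserve sizes and addresses are constructed sample values."""
    pool, outsider = "0xPOOL", "0xOUTSIDER"
    token = ToyToken(balances={pool: 1_000_000, outsider: 0})
    wbnb_reserve = 1_000
    before = spot_price(token.balances[pool], wbnb_reserve)
    try:
        getattr(token, variant)(outsider, pool, 900_000)
        succeeded = True
    except PermissionError:
        succeeded = False
    after = spot_price(token.balances[pool], wbnb_reserve)
    return succeeded, before, after


if __name__ == "__main__":
    for variant in ("burn_unchecked", "burn_checked"):
        ok, before, after = third_party_burn_effect(variant)
        print(f"{variant}: allowed={ok}, price {before:.4f} -> {after:.4f} WBNB per token")
```

With the unchecked variant the outsider's call succeeds and the pool's spot price rises tenfold; with the checked variant the same call is rejected and the price is unchanged. The audit question this models is simply "who is allowed to pass this from address?", and it applies to any function that takes a subject address as a parameter, not only burn().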

Coinex - $6 Million Loss

On 12th September 2023, Coinex, a CEX, was exploited for roughly $6m on BSC. Similar to the Stake platform case, the incident was due to a private key compromise of several of its operating wallets, from which funds were stolen directly.

This case was found to be linked to North Korea's infamous Lazarus Group, as the funds were laundered through multiple on-chain channels after the attack. The project team eventually pledged a 100% refund for all affected users and restarted services after one week.

Atlantis Loans - $4 Million Loss

On 12th June 2023, Atlantis Loans was exploited for around $4m. In this attack, the hacker executed a malicious governance proposal to take over all the core contracts of the ecosystem. During execution, the hacker obtained the Admin role of those core contracts and injected a malicious implementation to steal the funds of users who had approved those contracts in the past.

Interestingly, the first proposal submitted was caught by the community and voted down. However, due to the lack of eyes on the project, the second malicious proposal passed quorum without sufficient Against votes.

FUT - $3 Million Loss

Early in the year, on 4th January 2023, the FUT token rugpulled for nearly $3m worth of funds. These funds were laundered through multiple exchanges.

The loophole was in the MasterChef contract, which contained a backdoor function that allowed the scammer to steal users' staked funds.

$GMETA - $2 Million Loss

On 18th July 2023, $GMETA token conducted an exit scam of ~$2m, resulting in a 96% price drop.

Back in February, the scam project party had minted a large amount of $GMETA tokens to a dormant address under their control. Once the token's price had been pumped substantially, the scammers sold them all for a profit.

Circulate - $2 Million Loss

On 12th January 2023, Circulate executed a rugpull for roughly $2m worth of BUSD. The scam project party hid malicious code in the unverified contract to steal funds that were staked in it. The funds have since been bridged to ETH and laundered through Tornado Cash.

· 4 min read
Sebastian Lim

Disclaimer

The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

Contract names are there for reference only; there may be legitimate contracts which share the same name. Always double check the contract address, which is the unique identifier of any smart contract.

Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap stands tall as the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem, however, risks exist in every DEX and blockchain ecosystem. HashDit diligently checks projects every week to identify potential threats within the PancakeSwap landscape, ensuring your trading experience is protected. Consider HashDit as a trusted guide that helps you navigate in DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

High Risk TVL protocol on PCS

In this week's report, there were 11 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x1633b7157e7638c4d6593436111bf125ee74703f | Splintershards (SPS) | 395
0x7bd6fabd64813c48545c9c0e312a0099d9be2540 | Dogelon Mars (ELON) | 263
0xb1f2d9678d14a74a9654ad73a43e7e60c59dc911 | TDY (TDY) | 98
0x4799c398bf0c202a985149796524c34043d62df9 | Meta Game (MTG) | 47
0x47f41a2b6e3cb035bb051f187f1908f51b7e5958 | JingTu (JT) | 20
0x2f4e9c97aaffd67d98a640062d90e355b4a1c539 | Afrostar (AFRO) | 18
0x83a86adf1a7c56e77d36d585b808052e0a2aad0e | SaveYourAssets (SYA) | 17
0x13e1070e3a388e53ec35480ff494538f9ffc5b8d | BRICKS (BRICKS) | 9
0xdf0816cc717216c8b0863af8d4f0fc20bc65d643 | SHIBA BSC (SHIBSC) | 9
0x88888888faedeb25b94a015af705f18666079038 | AGAME (AG) | 7

Key themes on high risks:

  1. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that use fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (45%).

  2. Roughly 36% of the newly identified risky addresses came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean some centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 18% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.

Integrations with PancakeSwap

HashDit has partnered with PancakeSwap to integrate DappBay's Red Alarm. The risk score level reflects how risky the interacted token is, helping users make better informed decisions.

Example: Fake Circle Token - 0x84ef2e2e977062da3cfc12c038fa3ce2d42d01b1 IMG-1

The RedAlarm keyword will link to the risk scanner as seen in the image below. IMG-2

Please take note that the risk level shown on PancakeSwap and in the Risk Scanner might differ, because HashDit uses more conservative strategies for PancakeSwap than for the DappBay risk scanner.

IMG-3

Stay Safe!

HashDit advises you to act with caution in general, but asks that you take particular care when dealing with the projects we highlight as risky in our weekly update. Continue enjoying the BNB Chain ecosystem and, most importantly, stay SAFU!

About HashDit?

HashDit is building a safe blockchain ecosystem on BNB Chain by providing threat intelligence, code auditing and instant analysis for smart contracts. In the vast and ever-evolving world of DeFi investing, HashDit stands as a beacon of trust and knowledge for everyday investors. HashDit is a member of AvengerDAO, a community-driven initiative created to protect users and projects on BNB Chain from malicious actors and activity.

· 4 min read
Sebastian Lim

High Risk TVL protocol on PCS

In this week's report, there were 23 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x037b202ca88d2028d82936d5615ee5088cb9fd78 | Distributed Autonomous Organization (DAO) | 2182
0xbededdf2ef49e87037c4fb2ca34d1ff3d3992a11 | FEG Token (FEG) | 985
0x61b83edf87ea662c695439a807c386455c9e797c | Ignore Fud (4TOKEN) | 402
0xe4fae3faa8300810c835970b9187c268f55d998f | CateCoin (CATE) | 390
0x6e3fd1dea627226998da6e9e0c7ef95f417d6c35 | AEXN GLOBAL COIN (AGC) | 374
0x185674a45c57ebb884c609c2619740f2994767e9 | Helena Financial V2 (HELENA2) | 29
0x64abc441f2d011c64f0118f44debbe3e56958ffe | Hasee (Hasee) | 24
0xf606bd19b1e61574ed625d9ea96c841d4e247a32 | Guardian (GUARD) | 23
0x746760ecf1d8088c1014ef3d43dc45d5af8febf3 | Pi Network DeFi (Pi Networ...) | 16
0x674aa28ac436834051fff3fc7b6e59d6f9c57a1c | Optimus Inu (OPINU) | 12

Key themes on high risks:

  1. Roughly 34% of the newly identified risky addresses came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  2. Another theme for these contracts is that they showed scam features, meaning the contract could be a Ponzi, honeypot or fake token. This portion represents 26% of the total newly identified risky addresses.

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean some centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 21% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 4 min read
Sebastian Lim

High Risk TVL protocol on PCS

In this week's report, there were 26 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x3374bdb800708d1b3173eac918c58d766c7ddd28 | XYZ finance (XYZ) | 598
0x28ce223853d123b52c74439b10b43366d73fd3b5 | FAME MMA (FAME) | 353
0xe9c803f48dffe50180bd5b01dc04da939e3445fc | Velas (VLX) | 269
0xf87940f78f2f4d99a0c5c22e3fcc21795cd53245 | Kamaleont (KLT) | 225
0x1236a887ef31b4d32e1f0a2b5e4531f52cec7e75 | GamiWorld.io (GAMI) | 117
0x69c2fcae7e30b429166bd616a322e32bec036bcf | MuratiAI (MURATIAI) | 91
0xd024ac1195762f6f13f8cfdf3cdd2c97b33b248b | MiniFootball (MiniFootball) | 85
0x24086eab82dbdaa4771d0a5d66b0d810458b0e86 | Pepe AI (PEPEAI) | 82
0x631c2f0edabac799f07550aee4ff0bf7fd35212b | Poollotto.finance (PLT) | 68
0xb56554296bc11afc98847914254a2beb82ba2bed | TKING (TKING) | 48

Key themes on high risks:

  1. Almost half of the newly identified risky addresses (46%) came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that use fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (23%).

  3. Another theme for these contracts is that they showed scam features, meaning the contract could be a Ponzi, honeypot or fake token. This portion represents 23% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 4 min read
Sebastian Lim

High Risk TVL protocol on PCS

In this week's report, there were 29 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x71c20e781c623c022134713ef7f78aacf0109849 | META WORLD (MGC) | 734
0xfaf18e53f52122085a8743e2bfb324c0577b98b5 | UBKX (UBKX) | 635
0x4ffa143ce16a24215e8df96c0cef5677a7b91ee4 | REGENT COIN (REGENT) | 505
0xf99f2aec50adfde23cc67ab6240168b0a59f1d30 | IVY (IVY) | 327
0x641ec142e67ab213539815f67e4276975c2f8d50 | DogeKing (DogeKing) | 87
0x317c8971d88e749504cef345fbc69c65258501db | Eternal World (ETL) | 72
0x92dd5b17bdacbbe3868a09be5a3df93032c29ddb | Kubic (KUBIC) | 51
0x7d18f3fe6e638fad0adacc5db1a47f871a2c2cc4 | dollarmoon (Dmoon) | 34
0x42269ac712372ac89a158ad5a32806c6b6782d66 | Vip Panda Community (VPC) | 28
0x0ebc30459551858e81306d583025d12c7d795fa2 | Amazing doge (Adoge) | 19

Key themes on high risks:

  1. One theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean some centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 31% of the total newly identified risky addresses.

  2. About one-quarter of the newly identified risky addresses (24%) came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  3. Another theme for these contracts is that they showed scam features, meaning the contract could be a Ponzi, honeypot or fake token. This portion represents 13% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 4 min read
Sebastian Lim

High Risk TVL protocol on PCS

In this week's report, there were 17 newly identified risky addresses. Trending newly identified risky addresses:

Address | Contract Name | Weekly Active Transactions
0x71cce0035d82c21cf4b908bcd8f1117fff0fa623 | bitcoin (bitcoin) | 427
0x2b3559c3dbdb294cbb71f2b30a693f4c6be6132d | Lucky star Currency (LSC) | 350
0x872a34ebb2d54af86827810eebc7b9dc6b2144aa | RocketVaultRocketX (RVF) | 215
0x0a92285241b0ea93eff4195db4530af1a4bcfe0c | CRYPTO_STREET (CST) | 179
0x16e79e09b3b56bcbba83667aff88dc6ca727af2e | BART SIMPSON COIN ($BART) | 162
0x4673f018cc6d401aad0402bdbf2abcbf43dd69f3 | French connection finance (FCF) | 100
0x3c1748d647e6a56b37b66fcd2b5626d0461d3aa0 | DinoX Coin (DNXC) | 23
0x123458c167a371250d325bd8b1fff12c8af692a7 | DRAC Token (DRAC) | 17
0xb6b91269413b6b99242b1c0bc611031529999999 | CALO (CALO) | 15
0x8424b4c691473c873067b65d5f40f3ff0bf7463e | SHIBKING INU (Shibking) | 9

Key themes on high risks:

  1. Almost three-quarters of the newly identified risky addresses (70%) came through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens with a high risk of rugging.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that use fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (11%).

  3. Another theme for these contracts is that they showed scam features, meaning the contract could be a Ponzi, honeypot or fake token. This portion represents 11% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 5 min read
Sebastian Lim

Introduction

Gas Mint Scams are not new on BSC. They have been documented relatively well in Web3 newsletters and by security companies in the space. However, we noticed that scammers have recently changed some of their techniques, hence we decided to write this blog to offer a better understanding of this scam.

Recap

This is how the scam typically works:

  1. A user notices an unknown airdropped token in his wallet, usually it mimics a valuable or well known token like USDT. In other cases, it might be the latest trends like Friend.Tech.
  2. He then proceeds to “approve” it to a DEX router such as PancakeSwap, in hopes of selling it for a profit. Subsequently, he tries to swap it on the DEX but to no avail as the transaction reverts. But didn’t he already grant approval for the DEX?
  3. At the same time, he notices that the token is still in his wallet and he lost some BNB as well. He was scammed!

What actually happens is that when the user interacts with the unknown token at step 2, the token contract uses the gas he provided in the transaction to mint gas tokens. Furthermore, the gas requested by the transaction is unusually high.

One popular instance of gas tokens on BSC is the CHI gas token; you can refer to this link for more information. Essentially, these are tokens that utilize the EVM's "gas refund" feature, which refunds gas when storage is cleared. This allows users to mint gas tokens when fees are low and burn them when fees are high, effectively "locking in" the lower fee.

In other words, the victim is minting CHI gas tokens for the scammer, who can then use them to reduce their gas costs in future transactions.

New variations of the scam:

  1. Other common ERC20 methods trigger the same scam. For example, trying to move the token using the "transfer" method will also lead to the user invoking the minting.
  2. Recently, we noticed that scammers now prefer to mint XEN tokens with the victim’s gas during the transaction.

For context, XEN is a social mining project based on a Proof of Participation mechanism. XEN tokens are also minted using gas, and can only be claimed after a waiting period. XEN tokens do have value on the secondary market, so scammers can profit by obtaining these XEN tokens from you and dumping them later.

  3. Creating fake approvals. This is not exactly new, but we would like to elaborate on how it works.

Revoke platforms like BscScan or DeBank naively log all approval events related to your wallet and display them in a dashboard for you to see. The issue is that approval events can be faked by scammers.

Let's look at this example from the BscScan approval checker:

IMG-1

At first glance, it looks like this user has multiple unlimited allowances on their tokens. However, these are all fake (both the token and the approval). Here is one instance of a fake approval transaction: https://bscscan.com/tx/0x3c3f16b418e6dcc39f03628f288d9aaba1a3cbb2e1843d92d651b61625329a95#eventlog

There are 1000 falsified approvals in just 1 transaction!

Looking into each of them, we can see that the token address is fake!

IMG-2 IMG-3

The fake token here mimics the INJ token and might appear to be a verified contract. However, it is actually a proxy contract pointing to an unverified logic contract at 0x54d1527668bd83f719b5414141a912cbbda55382 (this is where the scam logic lives). The real INJ token address is 0xa2b726b1145a4773f68593cf171187d8ebe4d495. *Notice that the token address prefix and suffix are scarily similar, to trick victims.

Current landscape of scammers’ methodologies

Understanding when and how scammers create these scam opportunities will help us recognise and avoid them.

  1. Cast a wide net

    • By airdropping fake notable tokens like USDT or USDC to victims’ wallets

    • Then by creating fake approval transactions for fake notable tokens like USDT or USDC, which are displayed on revoke pages like Bscscan.

  2. Wait for specific events

    • After a hack event, scammers airdrop or create fake approval transactions for the hacked project's token / spender, so that users will "revoke" them. For example, if a project named "A" has been hacked, the scammers mint a fake token "A" and create fake approvals for the real "A" holders. As users are taught to revoke access for their "A" tokens, they see an approval for the fake token "A" as well, and are promptly scammed of their gas.

In all cases, scammers ensure that the gas provided is enough to mint their desired amount of CHI gas tokens or XEN tokens, i.e. if the gas is too low, the scam transaction will likely revert.

Security Recommendations from HashDit

  1. Do not touch any new unknown tokens. These tokens might appear to have value based on a liquidity pool the scammer created. Do not fall for it!
  2. Always check the token address for legitimacy. You can cross reference this with platforms like CoinMarketCap.
  3. The underlying scam technique requires an unusually high gas cost, so this is a major red flag if seen on the transaction page.
  4. Use revoke.cash. The platform uses heuristics to filter out fake approvals. Keep in mind this is not 100% so you should still pay attention.
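The two checks a wallet or revoke page can run before a user signs, following recommendations 2 and 3 above (a lookalike check against a known-good token list, and a high-gas red flag), as an added example that is not HashDit's code. The real INJ address is the one quoted in the post; the lookalike address, the approval events, the gas figures and the threshold multiplier are constructed for illustration.

```python
"""Pre-signing checks for the gas-mint fake-approval scam (added example, not
HashDit's code). Real INJ address from the post; everything else constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Known-good token addresses (lowercase); extend from a trusted source such
# as CoinMarketCap, as the post recommends.
KNOWN_TOKENS = {"inj": "0xa2b726b1145a4773f68593cf171187d8ebe4d495"}

# A plain ERC-20 approve()/revoke costs tens of thousands of gas. A "revoke"
# that secretly mints CHI/XEN needs far more; the multiplier is an assumed threshold.
TYPICAL_APPROVE_GAS = 50_000
HIGH_GAS_MULTIPLIER = 5


@dataclass
class ApprovalEvent:
    token: str      # contract that emitted the Approval event
    owner: str
    spender: str
    value: int


def lookalike_of(address: str, prefix_len: int = 4, suffix_len: int = 4) -> Optional[str]:
    """Symbol of a known token whose address shares the displayed prefix and
    suffix with `address` without being that address. Explorers and wallets
    often show only those characters, which is what the scam relies on."""
    addr = address.lower()
    for symbol, real in KNOWN_TOKENS.items():
        if addr == real:
            return None   # genuine token
        if addr[2:2 + prefix_len] == real[2:2 + prefix_len] and addr[-suffix_len:] == real[-suffix_len:]:
            return symbol
    return None


def assess_revoke(event: ApprovalEvent, gas_estimate: int) -> List[str]:
    """Red flags to surface before the user signs a revoke for this approval."""
    flags = []
    addr = event.token.lower()
    if addr not in KNOWN_TOKENS.values():
        flags.append("unknown-token")
        sym = lookalike_of(addr)
        if sym:
            flags.append(f"lookalike-of-{sym}")
    if gas_estimate >= HIGH_GAS_MULTIPLIER * TYPICAL_APPROVE_GAS:
        flags.append("high-gas")
    return flags


# Constructed sample: one genuine unlimited approval, and one fake approval whose
# token address copies the first and last four hex digits of the real INJ token.
VICTIM = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20
FAKE_INJ = "0xa2b7" + "0" * 32 + "d495"
SAMPLE = [
    (ApprovalEvent(KNOWN_TOKENS["inj"], VICTIM, SPENDER, 2**256 - 1), 46_000),
    (ApprovalEvent(FAKE_INJ, VICTIM, SPENDER, 2**256 - 1), 1_200_000),
]

if __name__ == "__main__":
    for event, gas in SAMPLE:
        print(event.token, assess_revoke(event, gas) or "looks ok")
```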

HashDit is actively tracing and blacklisting these scam addresses in our HashDit API. Download the HashDit Chrome extension to safeguard yourself in the future!

We hope that this blog helps educate you on this Gas Mint scam so that you can stay safe in this space. Final security takeaway: do not sign any transactions if you do not know what it does.

Feel free to consult us at our email support@hashdit.io if you have any other queries.

· 4 min read
Sebastian Lim

Disclaimer

The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

Contract names are there for reference only; there may be legitimate contracts which share the same name. Always double check the contract address, which is the unique identifier of any smart contract.

Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap stands tall as the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem, however, risks exist in every DEX and blockchain ecosystem. HashDit diligently checks projects every week to identify potential threats within the PancakeSwap landscape, ensuring your trading experience is protected. Consider HashDit as a trusted guide that helps you navigate in DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

High Risk TVL protocol on PCS

This week, there were 16 newly identified risky addresses. Trending newly identified risky addresses:

Address                                     Contract Name              Weekly Active Transactions
0xbcb24afb019be7e93ea9c43b7e22bb55d5b7f45d  BSCSToken                  237
0x7b86f5ca09dc00502e342b0fef5117e1c32222ce  SOLCash                    32
0x94db03752342bc9b5bbf89e3bf0132494f0cb2b3  Dogai (DOGAI)              27
0x4ee98216499b81a9942e7aa77970b68c792ff679  SCT                        20
0x638deed975af106d7d721f92047b369f82241020  JiangNanYi                 14
0xacb8f52dc63bb752a51186d1c55868adbffee9c1  BunnyPark                  13
0x4634d58982138e93c951c1485d25bc619cbd1f75  AiONE: AiONE Token         8
0xab8c98491816fede394582f7758a5effeb4368d7  TrumpCoin (DTC)            7
0x2fd6c9b869dea106730269e13113361b684f843a  Chihuahua                  6
0x1b391f9d0fffa86a6088a73ac4ac28d12c9ccfbd  Sustainable Energy Token   5

Key themes on high risks:

  1. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that use fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (31%).

  2. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean centralization risk: the owner can mint or toggle honeypot mode at will, so there could be rugpull risk. This portion represents 31% of the total newly identified risky addresses.

  3. A quarter of the newly identified risky addresses (25%) were found through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens that have a high risk of rugs.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.

Integrations with PancakeSwap

Hashdit has partnered with PancakeSwap to integrate the DappBay’s Red Alarm. The risk score level reflects how risky the interacted token is, helping users make better informed decisions.

Example: Fake Circle Token - 0x84ef2e2e977062da3cfc12c038fa3ce2d42d01b1 IMG-1

The RedAlarm keyword will link to the risk scanner as seen in the image below. IMG-2

Please take note that the risk level shown in PancakeSwap and in the Risk Scanner might differ, because HashDit uses more conservative strategies for PancakeSwap than for the DappBay risk scanner.

IMG-3

Stay Safe!

HashDit advises you to act with caution in general, but asks that you take particular care when dealing with the projects we highlight as risky in our weekly update. Continue enjoying the BNBChain ecosystem and, most importantly, stay SAFU!

About HashDit?

HashDit is building a safe blockchain ecosystem on BNB Chain by providing threat intelligence, code auditing and instant analysis for smart contracts. In the vast and ever-evolving world of Defi investing, HashDit stands as a beacon of trust and knowledge for everyday investors. HashDit is a member of AvengerDAO, which is a community-driven initiative created to protect users and projects on BNB Chain from malicious actors and activity.

· 6 min read
Ayden Duan


Overview

In September, a number of projects suffered attacks due to the leakage of their hot wallet private keys, leading to substantial financial losses for both the projects and their users. In this article, we will analyze these types of attack incidents using several examples and finally provide some practical suggestions from a security perspective to help project teams avoid such breaches in the future.

Stake's Unanticipated $41 Million Withdrawals

Stake.com, a crypto gambling protocol, offers a variety of casino games such as dice, blackjack, Lingo, and more. Additionally, they provide sports betting options for basketball, tennis, volleyball, and others. On September 4th, Stake.com encountered an abnormal outflow of funds, totaling approximately $41 million.

The attack transpired across multiple chains, incurring losses of around $15.7 million on ETH, $7.8 million on Polygon, and $17.8 million on BSC. This brought the cumulative losses to over $41 million.

One of the fraudulent transactions can be traced back to: transaction.
From the transaction details, it's evident that the funds were transferred directly from Stake.com's hot wallet: transaction to the attacker's address. Subsequently, the funds were dispersed among numerous accounts.

Stake confirmed this security breach via social media, stating, "Three hours ago, unauthorized transactions were initiated from Stake's ETH/BSC hot wallets." As a result of this security incident, Stake's operations were temporarily put on hold.

The CoinEx Fund's 6.2 Million Dollar Loss

Stake.com isn't the only entity that has fallen prey to a breach of hot wallet private keys. On September 12, 2023, CoinEx detected irregular withdrawals from several of its hot wallet addresses, which were utilized to store user assets. The unauthorized transactions affected 19 chains, including $ETH, $TRON, and $MATIC, bringing the total loss to an estimated $55 million.

One particular unauthorized transaction can be seen here: transaction. One can observe that the assets were directly transferred from CoinEx's hot wallet, transaction, to the hacker's address. This indicates that the culprits may have managed to seize control of CoinEx's hot wallet private key.

Following the hacking event, CoinEx temporarily suspended crypto deposits/withdrawals, relocated assets to more secure addresses, overhauled and redeployed the wallet system, and engaged in efforts with other exchanges to freeze the attacker's assets.

Unauthorized Transactions Drain Over $2.7M from Remitano Exchange

A mere week after CoinEx fell victim to a cyber intrusion, another exchange, Remitano, succumbed to unauthorized transactions that led to over $2.7 million being pilfered from its wallet across various chains, including #Ethereum and #TRON.

To illustrate the scenario, consider one of the unauthorized transactions on the ETH chain: transaction.

We can observe that approximately 1.3M USDT was directly shifted from Remitano's hot wallet wallet to the assailant's address wallet. Consequently, the perceived Remitano hack also appears to be a consequence of their hot wallet's private key leakage. This presumably allowed the hacker to gain direct control over the hot wallet and transfer all assets.

Thankfully, Tether responded promptly and froze two addresses allegedly used by the assailant on both the #Ethereum and #TRON chains, potentially preserving 2.7M $USDT.

Security Recommendations from HashDit

Since last September, numerous instances of hot wallet private key leaks have rattled various projects. Though Stake and CoinEx have stated that the affected funds comprise only a minor share of total assets, and users' funds are safeguarded, Twitter responses reveal growing public suspicion of insider activities at these projects, dramatically undermining user trust. These incidents underscore the significance of proactive risk management concerning project wallets and funds. HashDit, consistently carrying out related security tasks, offers the following recommendations based on our experience in averting hacking incidents:

  1. Adopt Comprehensive Address Planning and Isolation Design: For high balance addresses, refrain from frequent participation in DeFi contract operations. Replenish hot wallet balances regularly in batches to minimize balance fluctuations and risk exposure.
  2. Enforce Distributed Access Rights: Avoid allotting comprehensive access rights to the hot wallet to a single entity. Utilize a multisig wallet or MPC solution to necessitate multiple approvals for transactions, bolstering security measures.
  3. Monitor Key Management: Treat the access key to hot wallets as a critical asset and protect it with a suite of physical and digital measures. Avoid storing key duplicates on vulnerable networks, like emails or cloud storage.
  4. Initiate Regular Security Audits: Conduct periodic security audits on hot wallets to identify prospective threats or vulnerabilities. Regularly reinforce and upgrade security measures, including ensuring the appropriateness of hot wallet approvals.
  5. Institute Transfer Limits: Establish a cap for single or daily transactions to mitigate potential losses.
  6. Implement Ongoing Education and Training: Provide continuous security education for team members engaged in asset management, arming them with the ability to recognize and counteract potential threats.
  7. Craft Backup and Recovery Plans: Devise a robust plan to ensure swift recovery during unanticipated incidents.
  8. Maintain Secure Operations: Avoid transacting over unencrypted networks and processing in vulnerable settings, like public WiFi environments.
  9. Activate Two-Step Verification: Implement two-step verification for all accounts and services associated with the hot wallet.
  10. Leverage Audit Logs: Preserve and periodically review all hot wallet operation logs to detect and trace any suspicious activities.

These are broad suggestions for hot wallet management, yet specific strategies may need tailoring based on individual projects. Don't hesitate to reach out to HashDit for any security consultation. Our mission is to secure your WEB3 journey.
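Recommendations 5 and 10 above, as an added example that is not HashDit's code: a monitor that reads a hot wallet's outbound transfer log and raises an alert when a transfer breaks a per-transfer cap, pushes the rolling 24-hour total over a daily cap, or sends a large amount to a never-before-seen address (the pattern in the incidents above). The caps, addresses and the transfer log are constructed for illustration.

```python
"""Hot wallet outflow monitor (added example, not HashDit's code).
Caps, addresses and the transfer log below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

PER_TRANSFER_CAP = 500_000      # USDT, assumed policy value
DAILY_CAP = 2_000_000           # USDT over any rolling 24h window, assumed
NEW_DEST_THRESHOLD = 250_000    # large transfer to a first-seen address, assumed


@dataclass
class Transfer:
    ts: datetime
    to: str
    amount: int   # USDT, whole units


def monitor(transfers: List[Transfer],
            per_tx_cap: int = PER_TRANSFER_CAP,
            daily_cap: int = DAILY_CAP,
            new_dest_threshold: int = NEW_DEST_THRESHOLD) -> List[Tuple[datetime, str, str, int]]:
    """Replay the log in time order; return (time, rule, destination, amount) alerts."""
    alerts = []
    window: List[Transfer] = []   # transfers inside the trailing 24h
    total = 0                     # sum of `window`
    seen = set()                  # destinations paid before
    for t in sorted(transfers, key=lambda x: x.ts):
        while window and t.ts - window[0].ts > timedelta(hours=24):
            total -= window.pop(0).amount
        if t.amount > per_tx_cap:
            alerts.append((t.ts, "per-transfer-cap", t.to, t.amount))
        if total + t.amount > daily_cap:
            alerts.append((t.ts, "daily-cap", t.to, total + t.amount))
        if t.to not in seen and t.amount >= new_dest_threshold:
            alerts.append((t.ts, "new-destination", t.to, t.amount))
        seen.add(t.to)
        window.append(t)
        total += t.amount
    return alerts


# Constructed log: three routine withdrawals, then two large transfers to fresh
# addresses a few minutes apart, the shape of a drained hot wallet.
SAMPLE_LOG = [
    Transfer(datetime(2023, 9, 11, 9, 0), "0x" + "aa" * 20, 50_000),
    Transfer(datetime(2023, 9, 11, 12, 0), "0x" + "bb" * 20, 80_000),
    Transfer(datetime(2023, 9, 11, 15, 0), "0x" + "aa" * 20, 120_000),
    Transfer(datetime(2023, 9, 12, 3, 10), "0x" + "ee" * 20, 1_300_000),
    Transfer(datetime(2023, 9, 12, 3, 12), "0x" + "ff" * 20, 900_000),
]

if __name__ == "__main__":
    for ts, rule, to, amount in monitor(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:18} {to} {amount:,}")
```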

https://hashdit.github.io/hashdit/blog/smart-wallet-migration-guide


· 4 min read
Sebastian Lim


Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap stands tall as the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem, however, risks exist in every DEX and blockchain ecosystem. HashDit diligently checks projects every week to identify potential threats within the PancakeSwap landscape, ensuring your trading experience is protected. Consider HashDit as a trusted guide that helps you navigate in DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

High Risk TVL protocol on PCS

This week, there were 42 newly identified risky addresses. Trending newly identified risky addresses:

Address                                     Contract Name              Weekly Active Transactions
0x0e9c0f8fcc8e60f8daeb569448a41514eb321471  BakaCasino                 9855
0x60322971a672b81bcce5947706d22c19daecf6fb  MarsDAO                    907
0x89eb16377f3d10d39b23df7c02ae94ac3a81d389  XQJ (XQJ)                  871
0xe1cace0527aa2e5962221d2db962c04498a8308b  Unknown                    455
0x8076c74c5e3f5852037f31ff0093eeb8c8add8d3  OLD safemoon               290
0xebe7c1395e43465ae7a041a686e957d9aa184b0d  Token                      148
0xbcb3f0ee92c65c0ec86755b36197a5d7e60dd8e6  Trump Inu (TRUMPINU)       128
0x2fa6ee42bacf983f050210a1ca42f88686327fc9  W3C                        69
0x29c55f1b02a95f0b30e61976835a3eee2359ad92  EShareV2                   66
0xdcd103bc6d14829c39afc9c10c9c373ce385d2c5  FROG                       64

Key themes on high risks:

  1. Exactly half of the newly identified risky addresses (46%) were found through threat intelligence. These addresses are either confirmed rugpulls (the project has already rugged) or scam tokens that have a high risk of rugs.

  2. Red Alarm projects are manually identified by our security team as potential scams. These are identified at the project level, for example projects that use fake social media marketing or create scam meme projects. They are labeled under the DApps section of this page (36%).

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA, which could mean centralization risk: the owner can mint or toggle honeypot mode at will, so there could be rugpull risk. This portion represents 10% of the total newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.

Integrations with PancakeSwap

Hashdit has partnered with PancakeSwap to integrate the DappBay’s Red Alarm. The risk score level reflects how risky the interacted token is, helping users make better informed decisions.

Example: Fake Circle Token - 0x84ef2e2e977062da3cfc12c038fa3ce2d42d01b1 IMG-1

The RedAlarm keyword will link to the risk scanner as seen in the image below. IMG-2

Please take note that the risk level shown in PancakeSwap and in the Risk Scanner might differ, because HashDit uses more conservative strategies for PancakeSwap than for the DappBay risk scanner.

IMG-3

Stay Safe!

HashDit advises you to act with caution in general, but asks that you take particular care when dealing with the projects we highlight as risky in our weekly update. Continue enjoying the BNBChain ecosystem and, most importantly, stay SAFU!
