OKLink: Inventory of security incidents in May 2023

In May 2023, security incidents caused losses of approximately US$18 million, a significant decrease compared to the previous month, but the frequency of security incidents did not decrease.

Written by: Okey Cloud Chain

1. Basic information

In May 2023, security incidents caused approximately USD 18 million in losses, a significant drop from the previous month, but the frequency of security incidents did not decrease. Among them, the attack on Jimbos Protocol caused about $7.5 million in losses, and the rug pull of the Swaprum project on the Arbitrum chain caused approximately $3 million in losses. In addition, social media phishing incidents continue to emerge one after another, and it is common for a project's Discord server to be compromised and used to publish phishing links.

1.1 REKT Inventory

No.1

On May 1st, Level__Finance was attacked and lost about $1.1M. The root cause is a logic problem in the LevelReferralControllerV2 contract. The claimMultiple function in the contract accepts an array of epochs so that users can claim rewards for each epoch. However, if the passed-in array contains duplicate elements, the rewards for those epochs are claimed repeatedly.

Attack ready transaction:

Attack transactions:

Attacker address:
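
The duplicate-epoch pattern behind No.1, shown as an added illustration rather than the Level Finance code: a checks-then-effects claimer that validates the whole array before recording anything, beside a version that records each epoch as claimed in the same iteration that reads it. The contract and variable names and the `updater` role that fills in rewards are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the Level Finance code. Names and the `updater`
// role are assumptions for the example.
abstract contract RewardBook {
    address public immutable updater;
    // epoch => user => reward owed for that epoch
    mapping(uint256 => mapping(address => uint256)) public rewardOf;
    mapping(uint256 => mapping(address => bool)) public claimed;
    mapping(address => uint256) public balanceOf; // stands in for the reward token

    constructor() { updater = msg.sender; }

    function setReward(uint256 epoch, address user, uint256 amount) external {
        require(msg.sender == updater, "not updater");
        rewardOf[epoch][user] = amount;
    }
}

contract ReferralRewardsVulnerable is RewardBook {
    // All checks run over the array before any effect is written, so
    // epochs = [5, 5, 5] passes every check and the epoch-5 reward is
    // added to the total three times.
    function claimMultiple(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            require(!claimed[epochs[i]][msg.sender], "already claimed");
            total += rewardOf[epochs[i]][msg.sender];
        }
        for (uint256 i = 0; i < epochs.length; i++) {
            claimed[epochs[i]][msg.sender] = true;
        }
        balanceOf[msg.sender] += total;
    }
}

contract ReferralRewardsFixed is RewardBook {
    // The claimed flag is written in the same iteration that reads the
    // reward, so a repeated element reverts on its second appearance.
    function claimMultiple(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(!claimed[epoch][msg.sender], "already claimed");
            claimed[epoch][msg.sender] = true;
            total += rewardOf[epoch][msg.sender];
        }
        balanceOf[msg.sender] += total;
    }
}
```

The general rule the fixed version follows is that a batch function must apply the per-item effect before moving to the next item; a unit test that calls `claimMultiple([e, e])` and expects a revert catches this class of bug regardless of the reward logic.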

No.2

On May 3, the Never Fall project was attacked, with a loss of more than $70k. The attacker manipulated the price through a price calculation loophole to make a profit.

Attack transactions:

Attacker address:

No.3

On May 3, the AutoDonateUkraine ($ADU) token suffered a flash loan attack and lost about $7k. The attacker used the deliver function to increase the amount of $ADU in the pair, then used skim to extract the excess $ADU. After repeating this several times, the price in the pair became unbalanced.

Attack transactions:

Attacker address:

No.4

On May 5th, Deus Dao ($DEI) was attacked on both the BSC and Arbitrum chains and lost $1,337,375. The main vulnerability is that the BurnFrom function uses a wrong allowance calculation, which allows users to manipulate the contract's own allowance and thereby transfer the tokens held by the contract away.

Attack transactions:

Attacker address:
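
The allowance-handling bug class behind No.4, as an added illustration and not the DEI source: a `burnFrom` whose allowance lookup has owner and spender swapped, next to the corrected version that reads and writes the same (owner, spender) pair. The minimal token base and all names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration of the bug class, not the DEI code. Names are assumptions.
abstract contract MiniERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) private _allowances;

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        _approve(msg.sender, spender, amount);
        return true;
    }

    function _approve(address owner, address spender, uint256 amount) internal {
        _allowances[owner][spender] = amount;
    }

    function _burn(address account, uint256 amount) internal {
        balanceOf[account] -= amount; // reverts on underflow in 0.8.x
    }
}

contract BurnFromVulnerable is MiniERC20 {
    // BUG: the allowance is read as allowance(msg.sender, account), i.e. the
    // caller's own approval of `account`, and then written back as `account`'s
    // approval of the caller. A holder's allowance (including the contract's
    // own) can thus be set by someone it never approved.
    function burnFrom(address account, uint256 amount) external {
        uint256 current = allowance(msg.sender, account);
        require(current >= amount, "burn exceeds allowance");
        _approve(account, msg.sender, current - amount);
        _burn(account, amount);
    }
}

contract BurnFromFixed is MiniERC20 {
    // The spender (msg.sender) must hold an allowance granted by `account`,
    // and the same (owner, spender) slot is read, checked and decremented.
    function burnFrom(address account, uint256 amount) external {
        uint256 current = allowance(account, msg.sender);
        require(current >= amount, "burn exceeds allowance");
        _approve(account, msg.sender, current - amount);
        _burn(account, amount);
    }
}
```

A cheap invariant test for any token with custom allowance code: after `burnFrom(a, x)` called by `b`, only `allowance(a, b)` may change, and only by exactly `x`.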

No.5

On May 6, the $BFT token appears to have been attacked with a loss of ~275k USD.

Attack transactions:

Attacker address:

No.6

On May 6, $MELO was attacked. The reason is that the mint function has no access control, so anyone can mint additional tokens and transfer them to their own account.

Attack transactions:

Attacker address:

No.7

On May 9, the MultiChainCapital ($MCC) token suffered a flash loan attack. As a reflective deflationary token, MCC did not exclude the pair address, allowing the attacker to call the deliver function to mint tokens and sell them for a profit of 10 ETH.

Attack transactions:

Attacker address:

No.8

On May 10th, the $SNK token was attacked, and the attacker made a profit of about 197k BUSD. The main cause of the vulnerability is that rewards are calculated as the amount of deposited funds multiplied by the deposit time, but the contract does not tie the controlling time value to the amount deposited. An attacker can therefore combine an earlier time parameter with the current amount of funds in the calculation.

Attack transactions:

Attacker address:

No.9

On May 11, the LW token was attacked, and the attacker made a profit of 48,415 USDT. This was a price manipulation attack: while exchanging USDT for LW tokens, the attacker triggered the marketing wallet's repurchase mechanism, which pushed up the token price, and then sold the LW tokens for a profit.

Attack transactions:

Attacker address:

No.10

On May 11th, TrustTheTrident was attacked and lost about $95k. The main reason is that listToken[] in the contract can be set from the addLiquidity() function, although this is an operation that should be restricted to an administrator. Using this vulnerability, an attacker can set a self-created token in listToken and call sell to sell it.

Attack transactions:

Attacker address:

No.11

On May 13, bitpaidio was attacked and lost about $30K. The root cause was that Lock_Token() did not update the lock time correctly. The attacker had made a lock() 6 months earlier, which caused an excessive reward to be calculated during withdraw().

Attack transactions:

Attack ready transaction:

Attacker address:
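
Both No.8 and No.11 come down to a time-weighted reward whose time component is not bound to the amount it multiplies. As an added illustration, not the $SNK or bitpaidio code, the vulnerable contract below lets the caller supply the start time, while the fixed one stores the start time with the deposit and settles and restarts the clock on every lock, so new funds never inherit an old timestamp. The reward rate, struct layout and names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the $SNK or bitpaidio code. RATE and names are assumptions.
contract StakingVulnerable {
    uint256 public constant RATE = 1e12; // reward wei per token-second (assumed)

    mapping(address => uint256) public deposited;

    function lock(uint256 amount) external {
        deposited[msg.sender] += amount; // token transfer omitted
    }

    // BUG: `since` comes from calldata, so an old timestamp can be paired
    // with a balance that was deposited a moment ago.
    function pendingReward(uint256 since) external view returns (uint256) {
        return deposited[msg.sender] * (block.timestamp - since) * RATE / 1e18;
    }
}

contract StakingFixed {
    uint256 public constant RATE = 1e12;

    struct Position { uint256 amount; uint256 since; }
    mapping(address => Position) public positions;
    mapping(address => uint256) public accrued;

    event Withdrawn(address indexed user, uint256 principal, uint256 reward);

    // Every lock first settles what the current (amount, since) pair has
    // earned, then restarts the clock for the new, larger balance.
    function lock(uint256 amount) external {
        Position storage p = positions[msg.sender];
        accrued[msg.sender] += _earned(p);
        p.amount += amount;
        p.since = block.timestamp; // the time value is never caller-supplied
    }

    function _earned(Position storage p) internal view returns (uint256) {
        if (p.amount == 0) return 0;
        return p.amount * (block.timestamp - p.since) * RATE / 1e18;
    }

    function pendingReward(address user) external view returns (uint256) {
        return accrued[user] + _earned(positions[user]);
    }

    function withdraw() external {
        Position storage p = positions[msg.sender];
        uint256 reward = accrued[msg.sender] + _earned(p);
        uint256 principal = p.amount;
        delete positions[msg.sender];
        accrued[msg.sender] = 0;
        emit Withdrawn(msg.sender, principal, reward); // transfers omitted
    }
}
```

The property to test is that depositing a large amount immediately before withdrawing yields (almost) no extra reward; any staking contract where that test fails has the flaw described in No.8 or No.11.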

No.12

On May 13, TrustTheTrident was attacked again and lost about 279 BNB. TrustTheTrident allows users to short tokens, but the price depends on the pair and is easily manipulated.

Attack transactions:

Attacker address:

No.13

On May 14th, TrustTheTrident was attacked again; the amount lost is unknown. The root cause was that the Claim() function of the StakingRewards contract did not correctly verify its input parameters, allowing the attacker to pass a fake token instead of USDT to obtain more rewards.

Attack transactions:

Attacker address:

No.14

On May 14, landNFT was attacked. The main reason was that the project's mint function lacked permission control. The attacker minted 200 LandNFTs for himself, making a profit of about 149,616 BUSD.

Attack transactions:

Attacker address:
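
No.6, No.10 and No.14 share one root cause: a privileged state change (minting, or registering a tradable token) reachable by any caller. As an added illustration, not the code of $MELO, TrustTheTrident or landNFT, the contract below puts both operations behind explicit role checks and keeps the public liquidity function from extending the whitelist. Names and the owner/minter roles are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the projects' code. Names and roles are assumptions.
contract PrivilegedOpsVulnerable {
    mapping(address => uint256) public balanceOf;
    address[] public listToken;

    // Anyone can mint to any address.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    // Whitelisting happens as a side effect of a public liquidity function,
    // so any caller can register a token of their own.
    function addLiquidity(address token, uint256) external {
        listToken.push(token);
        // liquidity accounting omitted
    }
}

contract PrivilegedOpsFixed {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isListed;
    address[] public listToken;

    address public owner;
    mapping(address => bool) public isMinter;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyMinter() { require(isMinter[msg.sender], "not minter"); _; }

    constructor() { owner = msg.sender; }

    function setMinter(address who, bool allowed) external onlyOwner {
        isMinter[who] = allowed;
    }

    function mint(address to, uint256 amount) external onlyMinter {
        balanceOf[to] += amount;
    }

    // Registration is a separate, admin-only step.
    function listTokenAdd(address token) external onlyOwner {
        require(!isListed[token], "already listed");
        isListed[token] = true;
        listToken.push(token);
    }

    // Public functions only consume the whitelist, never extend it.
    function addLiquidity(address token, uint256) external {
        require(isListed[token], "token not listed");
        // liquidity accounting omitted
    }
}
```

A review checklist item that catches all three incidents: for every external function that writes to storage, name the caller who is allowed to do so; if the answer is "anyone", the write must be something anyone should be able to do.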

No.15

On May 20, Tornado Cash was attacked through a malicious governance proposal and lost about $1.1M. After the attacker's proposal was passed, the proposal contract's code was changed by self-destructing the contract and redeploying it. When the Tornado Cash governance contract executed the proposal, additional votes were issued to addresses prepared by the attacker, giving them control of the contract.

Attack transactions:

Attacker address:
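
The defence against the proposal-swap described in No.15 is to bind a vote to bytecode rather than to an address. As an added illustration, not the Tornado Cash governance code, the first contract below delegatecalls whatever sits at the proposal address at execution time; the second records the target's code hash when the proposal is created and refuses to execute if the code has changed since (for example after a self-destruct and redeployment at the same address). Vote accounting is omitted, and the contract and function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the Tornado Cash governance code. Names are assumptions;
// voting and quorum checks are omitted.
contract GovernanceVulnerable {
    struct Proposal { address target; bool executed; }
    Proposal[] public proposals;

    function propose(address target) external returns (uint256 id) {
        require(target.code.length > 0, "no code at target");
        proposals.push(Proposal(target, false));
        return proposals.length - 1;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        p.executed = true;
        // Whatever code is at p.target *now* runs with governance storage and
        // privileges, whether or not it is what voters reviewed.
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal failed");
    }
}

contract GovernancePinned {
    struct Proposal { address target; bytes32 codeHash; bool executed; }
    Proposal[] public proposals;

    function propose(address target) external returns (uint256 id) {
        require(target.code.length > 0, "no code at target");
        // Snapshot the bytecode hash voters are being asked to approve.
        proposals.push(Proposal(target, target.codehash, false));
        return proposals.length - 1;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        // Voters approved a specific bytecode; execute only that bytecode.
        require(p.target.codehash == p.codeHash, "proposal code changed since vote");
        p.executed = true;
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal failed");
    }
}
```

Pinning the code hash does not by itself detect proposals that are malicious from the start; it only guarantees that what executes is what was voted on, which is the gap the Tornado Cash incident exploited.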

No.16

On May 23, LFI tokens were attacked and lost about 36k USD.

Attack transactions:

Attacker address:

No.17

On May 23, the $CS token suffered a flash loan attack, and the attacker made a profit of about 714k USD. The main cause of the vulnerability is that $CS burns part of the tokens in the pair during each transaction (or transfer) in order to raise the price. The burnAmount is calculated from sellAmount, but the value of sellAmount is never updated. This allows an attacker to push up the token price through multiple transactions and then sell tokens at the inflated price for a profit.

Attack transactions:

Attacker address:

No.18

On May 23, LOCALTRADERSCL ($LCT) was attacked and lost about 384BNB.

Attack transactions:

Attacker address:

No.19

On May 25th, GPT was attacked and lost about 42k USD. The main cause of the vulnerability is that the token burn mechanism can be triggered by sending tokens to the pair and then calling skim, thereby pushing up the price.

Attack transactions:

No.20

On May 26, CNN was attacked, and the attacker made a profit of about 5.6k USD.

Attack transactions:

Attacker address:

No.21

On May 28, jimbosprotocol was attacked and lost about $7.5M.

Attack transactions:

Attacker address:

No.22

On May 29th, babydogecoin was attacked and lost about $157,000. The key to the attack was that in the FarmZAP contract, babydoge transactions enjoy a 0 fee rate. The attacker used the babydoge return mechanism to create a price difference between FarmZAP's babydoge router and the babydoge pair on PancakeSwap, and realized arbitrage on it.

Attack transactions:

Attacker address:

No.23

On May 30, the vault of ede_finance was exploited and about $580,000 was lost; the attacker has since returned 90% of the funds.

Attacker address:

No.24

On May 31, ERC20TokenBank was attacked and lost about $119,000.

Attack transactions:

Attacker address:

1.2 RugPull Inventory

No.1

On May 04, zjz.eth rug-pulled wsbcoinofficial ($WSB); $WSB fell by 86%, and zjz.eth dumped most of the WSB for a profit of 334 ETH (about 653k USD).

No.2

On May 05, the YODA token rug-pulled and YODA fell 100%. yodacoineth has deleted its social accounts and groups, and the scammers have transferred 68 ETH ($130K) to FixedFloat.

No.3

On May 08, Hakuna Matata rug-pulled and HAKUNA fell 100%.

No.4

On May 09, Derpman rugged and DMAN fell 100%, for a profit of about 48.55 ETH.

No.5

On May 15th, a rug-pull gang was found to have been creating fake tokens such as #PEPEPE, #LADYS, #BENZ, #GGBOND, #BENEN, #NEWPEPE, #PEN, #TURBOO and #PEPELOL over the preceding 3 days. The scammers have transferred approximately 12 ETH to MEXC.

No.6

On May 19th, Swaprum rugged on Arbitrum for a profit of about $3 million. The Swaprum deployer used the add() backdoor function to steal LP tokens pledged by users and then removed liquidity from the pool for profit.

No.7

On May 26, @SeaSwapSui rug-pulled, deleting its Twitter and other social accounts. The administrators urgently withdrew the SUI from the token sale contract, a total of 32,787 SUI ($32,000).

No.8

On May 30, BlockGPT_BSC rugged for a profit of about 816 BNB (about $256K).

1.3 Social media fraud and phishing inventory

No.1

On May 01, a phishing website was promoted on Twitter, do not interact with hxxps://claimbob.site/.

No.2

On May 02, a fake CertiK phishing website appeared, do not interact with hxxps://claim.certik.app/.

No.3

On May 04, the Syncera_io Discord server was compromised, please do not click on any links until the team is sure they have regained control of the server.

No.4

On May 04, a fake Pepe Coin account appeared on Twitter, do not interact with hxxps://pepegives.xyz/.

No.5

The FeetLabsHQ Discord server was under attack on May 05, please do not click on any links until the team is sure they have regained control of the server.

No.6

On May 06, the STFX_IO Discord server was under attack, please do not click on any links until the team is sure they have regained control of the server.

No.7

On May 07, a fake Pepe claim website appeared, do not interact with hxxps://pepegift.org/

No.8

On May 08, a phishing link was posted on the Evmos Discord server, please do not click on any link until the team confirms regaining control of the server.

No.9

On May 08, a fake MetaMask account appeared on Twitter, do not connect with hxxps://meta-token.net/# website.

No.10

On May 08, a fake Bob claim website appeared, do not interact with hxxps://bob-airdrop.com/.

No.11

On May 09, a fake PeckShield account appeared on Twitter; do not trust anything eye-catching posted from this account.

No.12

On May 09, a fake Ben airdrop website appeared, do not interact with hxxps://bencoineth.net/.

No.13

On May 10, a fake Pepe claim website appeared, do not interact with hxxps://rewardspepe.com/.

No.14

On May 11th, please be aware of fake layerzero claim sites being promoted on Twitter and do not interact with the hxxps://layerzero-network.app/ site.

No.15

On May 14th, the OnchainTrade Discord server has been compromised, please do not click on any links until the team confirms regaining control of the server.

No.16

The opentensor Discord server has been compromised on May 14th, please do not click on any links until the team confirms regaining control of the server.

No.17

Both the BTFDRabbits Twitter and #Discord servers were compromised on May 15th, please do not click on any links on either platform until the team has confirmed control.

No.18

On May 15th, a phishing link was posted in the Tyche Protocol Discord server, please do not click on any link until the team confirms regaining control of the server.

No.19

On May 16th, the taskonxyz Discord server was compromised and a phishing link was posted; do not interact with hxxps://airdrop.taskon.tech/.

No.20

The freshcut #Discord server has been compromised on May 16th, please do not click on any links until the team confirms regaining control of the server.

No.21

The MorphexFTM #Discord server has been compromised on May 16th, please do not click on any links until the team confirms regaining control of the server.

No.22

On May 17th, the NEARProtocol Discord server was compromised, please do not click on any links until the team confirms they have regained control of the server.

No.23

The lifiprotocol Discord server has been compromised on May 17th, please do not click on any links until the team confirms regaining control of the server.

No.24

The auroraisnear Discord server has been compromised on May 17th, please do not click on any links until the team confirms regaining control of the server.

No.25

The Probably0 Discord server has been compromised on May 18th, please do not click on any links until the team confirms regaining control of the server.

No.26

On May 18th, the oDDbOOG Discord server was under attack, please do not click on any links until the team is sure they have regained control of the server.

No.27

TheHoraHub Discord server was compromised on May 19th, please do not click on any links until the team has confirmed they have regained control of the server.

No.28

The ArbitrumNewsDAO Discord server has been compromised on May 19th, please do not click on any links until the team confirms regaining control of the server.

No.29

On May 20, the avianfoundation Twitter account has been hacked and is promoting a phishing site, do not interact with hxxps://avn.finance/.

No.30

On May 20th, be wary of fake yoda coin claim sites being promoted on Twitter and do not interact with hxxps://claim-yoda.com.

No.31

On May 20, be wary of fake Psyop claim sites being promoted on Twitter and do not interact with hxxps://claim-psyop.live/.

No.32

The VenomBridge Discord server has been compromised on May 21st, please do not click on any links until the team confirms they have regained control of the server.

No.33

The asymmetryfin Discord server has been compromised on May 22nd, please do not click on any links until the team confirms they have regained control of the server.

No.34

On May 22, a fake DEXTools Twitter account appeared; do not interact with the hxxps://dextoois.com/ website.

No.35

The Superlotl Discord server was compromised on May 22nd, please do not click on the link until the team confirms they have regained control of the server.

No.36

The zerpmonxrp Discord server was compromised on May 23rd, please do not click on the link until the team confirms they have regained control of the server.

No.37

The mail3dao Discord server was compromised on May 23rd, please do not click on the link until the team confirms that they have regained control of the server.

No.38

On May 23rd, a phishing link was posted in the MetaStars Striker Discord server, please do not click on the link until the team confirms that they have regained control of the server.

2. Security Summary

In May 2023, a number of security incidents occurred in DeFi. Code logic exploits, flash loan price manipulation and similar techniques remain the attack methods most commonly used by hackers, and tokens with more complex economic models, such as reflection and reflow mechanisms, are more likely to become targets. At the same time, some new attack methods have emerged, such as the malicious proposal attack suffered by Tornado Cash. To prevent similar incidents from recurring, developers need to take action to ensure the security of their projects, including fully verifying the code logic and economic model, auditing the project regularly, and launching a bug bounty program after the project goes live. Social media phishing incidents also occurred frequently this month; investors need to remain vigilant and fully verify the authenticity of links before interacting with them, to avoid asset losses.
