Discover and read the best of Twitter Threads about #beosinalert

Most recents (4)

#BeosinAlert #Flashloan
$PLTD suffers a price manipulation attack with a profit of 24,497 $BUSD for the hacker.
(Tx provided by @bbbb)

TX: 0x8385625e9d8011f4ad5d023d64dc7985f0315b6a4be37424c7212fe4c10dafe0

Attacker’s address: 0x6ded5927f2408a8d115da389b3fe538990e93c5b
The attacker mainly exploits the vulnerability in the PLTD contract to reduce the balance of PLTDs in Case-LP (0x4397c7) to 1 via flashloan, and then uses the $PLTD to swap all the $BUSD into the attack contract.
Step 1: The attacker initiates 2 flashloans through DODO and borrows $666,000 BUSD.
Read 12 tweets
#BeosinAlert
Beosin EagleEye reported an exploit on @XaveFinance, allowing an attacker to mint 100,000,000,000,000 $RNBW.
Attack tx:
etherscan.io/tx/0xc18ec2eb7…
2/ The attacker first created the attack contract 0xe167cdaac8718b90c03cf2cb75dc976e24ee86d3 to call the DaoModule 0x8f90 contract's executeProposalWithIndex() function to execute a proposal.
3/ The proposal is to call the mint() function to mint 100,000,000,000,000 $RNBW and transfer ownership to the attacker.
Finally the hacker swapped them to $xRNBW, which sit at the attacker's address 0x0f44f3489D17e42ab13A6beb76E57813081fc1E2.
Read 3 tweets
#BeosinAlert
$DPC was hacked for ~$103,755. The attacker first used the tokenAirdop function in the DPC token contract to prepare for claiming the rewards, then swapped $USDT for $DPC, added liquidity to obtain LP tokens, and then staked LP tokens in the token contract.
2/ The attacker then repeatedly called the claimStakeLp function to repeatedly claim the rewards. The rewards can keep accumulating because of the "ClaimQuota = ClaimQuota.add(oldClaimQuota[addr]);" in the getClaimQuota function.
3/ Finally, the attacker called the claimDpcAirdrop function in the $DPC contract to claim the rewards and swapped them for $USDT. The stolen funds are still at the attacker's address 0xf211Fa86CBc60d693D687075B03dFF3c225b25C9.
Read 3 tweets
#BeosinAlert
@Reaper_Farm Reaper Farm was hacked for ~$1.7M earlier today. The attacker (0x2c177d20B1b1d68Cc85D3215904A7BB6629Ca954) has deposited all stolen funds to Tornado.cash.
The addresses that suffered losses: [image]
2/ As the owner address in _withdraw is controllable and without any access control, an attacker can withdraw any user’s assets by calling withdraw or redeem functions.
3/ The attacker (0x5636e55e4a72299a0f194c001841e2ce75bb527a) was able to use the attack contract (0x8162a5e187128565ace634e76fdd083cb04d0145) to withdraw arbitrary users’ assets via the vulnerable contract (0xcda5dea176f2df95082f4dadb96255bdb2bc7c7d).
Read 3 tweets
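
The missing check described in the Reaper Farm thread above, as an added example that is not from the thread or from Reaper Farm's contract: a constructed Python model of a share vault whose `withdraw` takes a caller-supplied `owner`, run with and without a caller check. The `Vault` class, the allowance rule used as the check, and all account names are assumptions made for illustration.

```python
class Unauthorized(Exception):
    """Raised when the caller may not spend the owner's shares."""


class Vault:
    """Constructed toy model of a share-based vault (1 share == 1 asset)."""

    def __init__(self, check_caller):
        self.check_caller = check_caller  # False models the flaw in the thread
        self.shares = {}      # owner -> share balance
        self.allowance = {}   # (owner, spender) -> shares spender may burn
        self.paid_out = {}    # receiver -> assets received

    def deposit(self, caller, amount):
        self.shares[caller] = self.shares.get(caller, 0) + amount

    def approve(self, caller, spender, amount):
        self.allowance[(caller, spender)] = amount

    def withdraw(self, caller, amount, receiver, owner):
        # `owner` is a caller-supplied argument, as in the thread's _withdraw.
        if self.check_caller and caller != owner:
            # Assumed fix: a third party needs an allowance from the owner.
            allowed = self.allowance.get((owner, caller), 0)
            if allowed < amount:
                raise Unauthorized(f"{caller} may not spend {owner}'s shares")
            self.allowance[(owner, caller)] = allowed - amount
        if self.shares.get(owner, 0) < amount:
            raise ValueError("insufficient shares")
        self.shares[owner] -= amount
        self.paid_out[receiver] = self.paid_out.get(receiver, 0) + amount
        return amount


def third_party_withdraw(check_caller):
    """alice deposits 100; mallory, with no approval, names alice as owner."""
    vault = Vault(check_caller)
    vault.deposit("alice", 100)
    try:
        vault.withdraw("mallory", 100, receiver="mallory", owner="alice")
    except Unauthorized:
        return "rejected", vault.shares["alice"]
    return "paid", vault.shares["alice"]


if __name__ == "__main__":
    print("no caller check:  ", third_party_withdraw(False))
    print("with caller check:", third_party_withdraw(True))
```

The same scenario makes a useful regression test for any vault whose withdraw or redeem path accepts an `owner` parameter: a call from an unapproved account must fail and leave the owner's balance unchanged.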
