Polygon forked to closed source code without warning: https://github.com/maticnetwork/bor/commit/488ea2bcb4d9771e05b1fad12d8b86562558aab5
“We’re making an effort to improve security practices across all Polygon projects,” Bjelic tweeted. “As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a vulnerability in one of the recently verified contracts. We immediately introduced a fix and coordinated the upgrade with validators/full node operators. No funds were lost. The network is stable.”
The network is run by validators and full node operators, and we have no control over any of these groups. We just did our best to communicate and explain the importance of this upgrade, but ultimately it was up to them to decide whether they will do it or not.”
Adidas collab NFT with Bored Apes, PUNKS Comic, and gmoney was capped at 2 NFTs per wallet. Someone wrote a smart contract that creates 65 other smart contracts that each minted 2 NFTs and then sent them to the main account.
They paid 27.3 ETH ~ $104k in gas fees to process this, on top of 66 ETH ~$252k to pay for the items.
This means that they'd need the price of the NFT to raise from Ξ0.2 (mint price) to Ξ0.28 to break even on the gas they spent.
As the time of this writing, the price floor has skyrocketed to Ξ0.8 ETH. Netting them a theoretical profit of ~$600k
Ways to prevent this from happening:
Add a check to make sure that the originator of the transaction is the same as the current caller of the NFT contract mint function require(tx.origin == msg.sender)
Add a check to determine if caller is a contract
Bent discovered a potential exploit Monday 12/21/2021 and disabled claims. The hack transaction was sent from the Bent Finance Deployer. Bent are “working through it” after employing two independent white hat developers. Bent Finance proactively advised investors to withdraw funds and plans to reimburse losses “one way or another.”
Details still haven’t been released about how this hack occurred.
Grim Finance is a fork of “Beefy Finance”, offering auto-compounding LP vaults on Fantom.
The attack exploited a depositFor() function that hadn’t been protected against reentrancy.
This allowed the hacker to loop additional false deposits within the initial call, vastly increasing their share of the vault.
The user is able to choose the deposit token, which is where the attacker inserted their own contract containing the reentrancy deposit loops.
The Grim Finance team has an ongoing investigation tracking the movement of funds across the attacker’s accounts, and have found links to various CEXs.