Aavegotchi(GHST)

Crypto security and auditing firm CertiK has stated that crypto scams, exploits, exit scams, and flash loan attacks have resulted in a loss of $103 million during the month of April. The figures were published during CertiK’s April roundup of crypto scams and exploits, bringing the total loss during the current year to $429 million. No Let Up From Major Exploits According to CertiK, April saw a barrage of major crypto exploits that hit the ecosystem. “Combining all the incidents in April, we’ve confirmed ~$103.6M lost to exploits, hacks, and scams. Exit scams were ~$9.3M. Flash loans were ~$19.8M.” The security and auditing firm listed out some of the major exploits, such as the $25 million lost thanks to an exploit of several MEV bots. This exploit occurred during the first week of the month, the 3rd of April to be precise. It also listed out an exploit where $22 million were stolen thanks to a hot wallet exploit that occurred at the Bitrue exchange and the hack of South Korea-based GDAC Exchange, which resulted in a loss of $13 million. According to CertiK, April saw a total of around $74.5 million lost to crypto and DeFi exploits. This figure is close to half of the $145 million lost during the first four months of the ongoing year, according to CertiK. $20 Million Lost To Flash Loan Attacks CertiK also stated that April saw $20 million lost to flash loan attacks. The biggest contributor to this figure was Yearn Finance, which saw a hacker exploit a bug in an old smart contract on the 13th of April. CertiK also highlighted that $9.4 million were lost to exit scams in April. The most significant exit scam to occur during April was that of the Merlin DEX, which ended up losing $2.7 million. CertiK has reported that it was investigating a “potential private key management issue” at the exchange on the 26th of April. This exit scam occurred after the Merlin DEX was audited by CertiK, which had warned the protocol about key centralization issues. Following the exploit, CertiK outlined a compensation plan and urged the rogue developer to return 80% of the stolen funds while offering a 20% white hat bounty. According to data from De.Fi Rekt, April saw over 50 scams, hacks, crypto exploits, and rug pulls, with a significant chunk of these being meme coin rug pulls. Major Exploits And Scams In April There were several other prominent scams to hit crypto in April. On the 9th of April, decentralized finance (DeFi) protocol SushiSwap lost over $3 million thanks to a bug in one of its smart contracts. According to PeckShield, the approval function in SushiSwap’s Router Processor 2 contract was at the center of the unusual activity on the protocol. Ethereum Layer-2 blockchain Optimism also reported a significant security breach that involved Hundred Finance on the 17th of April. According to CertiK, Hundred Finance lost $7.4 million thanks to the exploit. While the protocol did not disclose the attack’s methodology, CertiK described it as a flash loan attack. The most recent exploit to occur during April was that of Polygon lending protocol 0VIX. The protocol announced that it was temporarily suspending its Proof-of-Stake (PoS) and zkEVM operations thanks to an exploit that resulted in a loss of $2 million to the protocol. An investigation revealed that the exploit was possible thanks to the attacker using the vGHST token. “0VIX is working with its security partners to look into the current situation that seems to be related to vGHST. As a result, POS and zkEVM markets have been paused. This includes pausing oToken transfers, minting, and liquidations.” Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Polygon lending protocol 0VIX has announced a temporary halt to its POS and zkEVM operations because of an exploit costing the protocol at least $2 million. 0VIX is working with its security partners to look into the current situation that seems to be related to vGHST.As a result, POS and zkEVM markets have been paused this includes pausing oToken transfers, minting, and liquidations.Only POS has been currently affected but zkEVM… — 0VIX | live on zkEVM (@0vixProtocol) April 28, 2023 A joint investigation with blockchain security firm PeckShield revealed that the attacker had managed to exploit the protocol using the vGHST token. vGHST is the staking token of the blockchain gaming project Aavegotchi. It is also the share token for $GHST, Aavegotchi’s native token. Blocksec, another security and audit firm, confirmed that vGHST was artificially inflated and its price oracle manipulated. The attacker had initially borrowed stablecoins which they used to open up lending on 0VIX and enabled them access to the vGHST lending pool. They then borrowed large amounts of vGHST. This caused the value of the native token $GHST to shoot up by as much as 24.7% in less than half an hour, as blockchain data from CoinMarketCap reveals. The attacker then ran off with the collateral and subsequently exchanged their loot for other tokens. Attacks like these are commonly called oracle manipulation hacks. The crypto space has seen its fair share of these attacks, most recently with the Mango Markets hack last October 2022 where the attacker had made off with a whopping $117 million. As for 0VIX’s response, the protocol is not giving up as their joint investigation with PeckShield and Chainalysis has yielded significant results by managing to identify the attacker. An ultimatum was then switfly issued to the attacker via an on-chain message which 0VIX subsequently publicized in a tweet. It states that the protocol is willing to give the attacker $125,000 as bug bounty in return for the rest. Should the attacker not respond, 0VIX has warned that it will share information with law enforcement agencies. The protocol has since issued the following statement, embedding the warning for the threat actor that law enforcement will be involved if no response is received: Official message to the attacker:At 8am UTC 1 May 2023 the law enforcement process is scheduled to begin in the absence of any funds being returned.We will take the leads we've gotten so far (thank you to the public for these), combine it with our tracing we've already done on… — 0VIX | live on zkEVM (@0vixProtocol) April 29, 2023 Hacks and exploits are a real problem, and not just in the crypto space, especially when safeguards are still not properly placed. Attacks like these raise important questions not simply on the security measures that individual exchanges and crypto projects deploy but more importantly, the path Ethereum itself is taking, or has taken, specifically its move from Proof of Work to Proof of Stake. Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.