According to cybersecurity firm CertiK, forty-two Web3-related exploits were discovered in a single week between August 4 and August 11. During that time, there were twenty-two security incidents, seventeen Discord hacks, four Twitter hacks, and three phishing attacks.
One of these exploits was the attack on the Infinity token contract of the design company VisualizeValue. The incident was reported on August 10 by the contract developer with the Twitter username Jalil.eth.
"A bug was found in the Infinity contract I built and it was abused to drain all the funds. I'm taking full responsibility for this. I took down the website just now. Investigating exactly what happened," the programmer tweeted, promising to "find a way to refund every single deposit."
According to CertiK, "The VisualizeValue's Infinity token's contract was exploited using the regenerateMany() function, leading to a loss of 40 ETH." Jalil.eth explained in a tweet that this function was implemented "to save the extra 'degenerate' transaction in case one wants to reroll the visuals of the token."
Jalil.eth ensured "the total numbers of tokens destroyed and generated are the same," but the programmer did not check "whether the token counts matched for each submitted pair." Furthermore, the developer did not verify if "the number of token IDs passed is the same as the number of the number of the amounts to burn or mint."
Additionally, CertiK reported the weak wallet entropy seeding mechanism in Libbitcoin Explorer, which is designed to prevent guessing or cracking a wallet’s private key "through sheer computing brute force" according to The Bitcoin Manual. Libbitcoin Explorer is a Bitcoin command line tool. CertiK claims its versions from 3.0.0 to 3.6.0 have the vulnerability, which "allows remote attackers to recover any private keys generated from bx seed."
Today, CertiK reported several recent incidents. One of them was an attack on the Ethereum-based digital platform Safe Global, formerly Gnosis Safe, which has lost nearly $97,600.
CertiK has also reported an EOA ( externally owned account) linked to the August 7 attack on yield aggregator Steadefi for moving $185,000 to popular cryptocurrency mixer TornadoCash. As per CertiK, that account still holds 524 ETH worth nearly $969,000. Earlier, on August 8, another leading blockchain analytics firm Beosin reported that the project had been hacked for $1,140,000.
CertiK also warns its Twitter followers against fake airdrops from POND, Web3 caching system Marlin. Previously CertiK reported that several phishing websites, including the subdomain jllyrancherxd[.]online, were connected to POND and WDC, the Worldcoin project token.
Yesterday, CertiK also tweeted about a possible exit scam conducted by the deployer of a GGBOND token. According to the cybersecurity firm, nearly $151,000 was withdrawn. Yet, the coin’s price still remains relatively unaffected by a large liquidity transfer. CoinMarketCap recorded only a slight drop from $0.00024 to $0.0002375. At the time of publication, the token was trading for $0.0002385.