Yesterday, CertiK shared its weekly incident statistics with its Twitter followers. The company counted twelve security breaches between August 10 and August 18, resulting in nearly $11.5 million in losses.
The company also detected five Discord hacks, three Twitter hacks, and five phishing attacks. Although CertiK reported more incidents the previous week, malicious actors managed to steal less money between August 4 and August 11. At that time, the loot amounted to $7.4 million.
One of the largest exploits this week was the hack of Zunami Protocol, a yield aggregator for stablecoin staking. On August 13, the protocol lost over $2 million to a price manipulation attack.
Among the social media hacks recorded by CertiK were compromised Discord channels of the Arbitrum-based yield protocol Rodeo Finance, the NFT maker ElmonX, and Ceramic Network. Attackers used the projects' official accounts to post phishing links.
The on-chain analytics firm also reported fake airdrops of STG, the token of the liquidity transport protocol Stargate Finance, the memecoin PepeCoin, and ORAI, the token of Oraichain, an AI Layer 1 blockchain for oracle services.
In addition, CertiK warned crypto users about a new tactic adopted by cybercriminals. More and more exploiters are using malicious beta apps that mimic cryptocurrency investment software and can steal personal information, access financial accounts, or give attackers remote control over devices.
Meanwhile, another blockchain security firm, Beosin, reported a major exploit of the Optimism-based Exactly Protocol. According to Beosin, at least $7 million was stolen from the protocol.
Exactly Protocol, "a non-custodial, open-source protocol providing an autonomous fixed and variable interest rate market," was temporarily halted to secure the funds, but the project's team still allowed users to withdraw their assets.
To address the consequences of the exploit, Exactly Protocol contacted the hacker.
"We are ready to start a conversation about potential next steps. If you agree, let’s talk in private on Blockscan via the Exactly Deployer address and one of your EOAs, via signed messages over email at firstname.lastname@example.org or any channel of your choice," the protocol’s team tried to start a discussion with the exploiter.
Additionally, the team scheduled an upgrade to address the issue in one of the protocol's periphery contracts. It warned users that the upgrade is subject to a 24-hour timelock, after which the protocol will resume operation.
Exactly Protocol did not explicitly name the vulnerability, but, according to Beosin, the DebtManager periphery contract was susceptible to manipulation.
Beosin's team believes the hacker bypassed the permit check by supplying a "malicious market contract address." This allowed the attacker to steal users' USDC deposits by executing a malicious function; the funds were then liquidated for profit.
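The bug class Beosin describes, a periphery contract that lets the caller choose which market contract vouches for a permit, is shown below in a deliberately simplified Solidity illustration written for this article. It is not Exactly Protocol's code, the article does not give the real exploit path, and every name in it (PeripheryVulnerable, PeripheryHardened, permitSession, redeemFor, IAuditor.isListed, FakeMarket) is hypothetical. The vulnerable contract and its hardened counterpart sit side by side:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only. Pattern: a helper contract authenticates the
// user it acts for by calling permit() on a market address the caller supplies.
// If that address is not checked against the protocol's registry, an attacker
// deploys a fake market whose permit() accepts anything and so "logs in" as a victim.

interface IMarket {
    // ERC-4626 style vault whose share token supports EIP-2612 permit
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function deposit(uint256 assets, address receiver) external returns (uint256);
    function redeem(uint256 shares, address receiver, address owner) external returns (uint256);
}

interface IAuditor {
    function isListed(IMarket market) external view returns (bool);
}

struct Permit { address account; uint256 deadline; uint8 v; bytes32 r; bytes32 s; }

// VULNERABLE: `market` is trusted to validate the permit and is never checked.
contract PeripheryVulnerable {
    address internal _msgSender; // user being acted for during a permit session

    modifier permitSession(IMarket market, uint256 value, Permit calldata p) {
        // A fake market's permit() is a no-op, so this "succeeds" for any p.account.
        market.permit(p.account, address(this), value, p.deadline, p.v, p.r, p.s);
        _msgSender = p.account;
        _;
        delete _msgSender;
    }

    // Legitimate users approved this helper on the real markets, so it can
    // redeem their shares. During a session it acts for `_msgSender`.
    function redeemFor(IMarket market, uint256 shares, address receiver) external returns (uint256) {
        address owner = _msgSender != address(0) ? _msgSender : msg.sender;
        return market.redeem(shares, receiver, owner);
    }

    function leverage(IMarket market, uint256 shares, Permit calldata p)
        external permitSession(market, shares, p)
    {
        // With a fake market, deposit() is attacker code that re-enters redeemFor()
        // while _msgSender still equals the victim.
        market.deposit(shares, _msgSender);
    }
}

// Attacker-controlled market: permit() accepts anything, deposit() drains the
// victim from the real market inside the hijacked session.
contract FakeMarket is IMarket {
    PeripheryVulnerable immutable target;
    IMarket immutable realMarket;
    address immutable attacker;

    constructor(PeripheryVulnerable t, IMarket real) { target = t; realMarket = real; attacker = msg.sender; }

    function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external override {}

    function deposit(uint256 shares, address) external override returns (uint256) {
        return target.redeemFor(realMarket, shares, attacker);
    }

    function redeem(uint256, address, address) external pure override returns (uint256) { return 0; }
}

// HARDENED: only registry-listed markets may vouch for a permit or be operated on.
contract PeripheryHardened {
    IAuditor public immutable auditor;
    address internal _msgSender;

    error MarketNotListed(address market);

    constructor(IAuditor a) { auditor = a; }

    modifier checkMarket(IMarket market) {
        if (!auditor.isListed(market)) revert MarketNotListed(address(market));
        _;
    }

    modifier permitSession(IMarket market, uint256 value, Permit calldata p) {
        market.permit(p.account, address(this), value, p.deadline, p.v, p.r, p.s);
        _msgSender = p.account;
        _;
        delete _msgSender;
    }

    function redeemFor(IMarket market, uint256 shares, address receiver)
        external checkMarket(market) returns (uint256)
    {
        address owner = _msgSender != address(0) ? _msgSender : msg.sender;
        return market.redeem(shares, receiver, owner);
    }

    function leverage(IMarket market, uint256 shares, Permit calldata p)
        external checkMarket(market) permitSession(market, shares, p)
    {
        market.deposit(shares, _msgSender);
    }
}
```

The fix is the registry check, applied to every entry point that takes a market address, not only the one that was abused. In a real review the same question is worth asking of any contract parameter that a helper later calls out to: if the caller can choose the contract, the caller chooses what its return values and callbacks do, so that contract can never be the thing that authenticates the caller.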