Hackers Steal over $11.5 Million from Web3 Protocols since August 10

The hack of Zunami Protocol on August 13 was one of the twelve exploits reported by blockchain security firm CertiK this week.

After the release of CertiK’s weekly statistics, Beosin reported a $7 million attack on Exactly Protocol.

Yesterday, CertiK shared its weekly incident statistics with its Twitter followers. The company discovered twelve security breaches between August 10 and August 18, resulting in nearly $11.5 million in damage.

The company also detected five Discord hacks, three Twitter hacks, and five phishing attacks. Although CertiK reported more incidents the previous week, malicious actors managed to steal less money between August 4 and August 11. At that time, the loot amounted to $7.4 million.

One of the largest exploits that happened this week was the hack of the yield aggregator for stablecoin staking Zunami Protocol. On August 13, the protocol lost over $2 million due to a price manipulation attack.

Among the social media hacks discovered by CertiK were compromised Discord channels of Arbitrum-based yield protocol Rodeo Finance, NFT maker ElmonX, and Ceramic Network. Attackers used their business accounts to post phishing links.

The on-chain analytics firm also reported fake airdrops of STG, the token of the liquidity transport protocol Stargate Finance, the memecoin PepeCoin, and ORAI, the token of Oraichain, an AI Layer 1 blockchain for oracle services.

In addition, CertiK warned crypto users about a new tactic adopted by cybercriminals. More and more exploiters are using malicious beta apps that mimic cryptocurrency investment software and can steal personal information, access financial accounts, or give attackers remote control over devices.

Meanwhile, another blockchain security firm, Beosin, reported a major exploit of the Optimism-based Exactly Protocol. According to Beosin, at least $7 million was stolen from the protocol.

Exactly Protocol, "a non-custodial, open-source protocol providing an autonomous fixed and variable interest rate market," was temporarily halted to secure the funds, but the project's team still allowed users to withdraw their assets.

To address the consequences of the exploit, Exactly Protocol contacted the hacker.

"We are ready to start a conversation about potential next steps. If you agree, let’s talk in private on Blockscan via the Exactly Deployer address and one of your EOAs, via signed messages over email at hello@exact.ly or any channel of your choice," the protocol’s team wrote in an attempt to start a discussion with the exploiter.

Additionally, the company scheduled an upgrade to address the technical issues that were present in one of the protocol’s periphery contracts. The team warns users that a 24-hour timelock is required to perform the upgrade, after which the protocol will continue its operation.

Exactly Protocol did not explicitly mention the vulnerability in the contract, but, according to Beosin, the DebtManager contract was susceptible to manipulation.

Beosin’s team believes that the hacker was able to bypass the permit check with the help of a "malicious market contract address." This, in turn, allowed the attacker to steal users’ USDC deposits by executing a malicious function. The funds were then liquidated for profit.