December Starts Small with Minor Web3 Exploits

Following a series of large attacks on Web3 projects and numerous rug pulls, the industry experienced a week of relatively modest losses caused by security incidents.

According to SlowMist, exploiters stole slightly over $220,000 from Web3 projects and investors last week.

After the massive losses the Web3 community experienced in November, estimated by cybersecurity firm CertiK at nearly $363 million, the new month opened with relatively small damage. In its weekly security report, another security firm, SlowMist, put total losses experienced by Web3 projects and investors between November 26 and December 2 at only $225,826.


Velodrome and Aerodrome exploits

The exploit of the Optimism-based trading and liquidity marketplace Velodrome and a similar project on Base, Aerodrome, was cited by SlowMist as the largest security incident that took place last week.

Today, the team behind Velodrome and Aerodrome shared its comprehensive incident report on the DNS attack on November 29, which resulted in an estimated loss of up to $250,000.

The malicious actor carried out a social engineering maneuver targeting the domain registrar, acquiring control over the account responsible for managing domain names. This granted the attacker the ability to modify the domains' nameservers, rerouting genuine traffic to deceitful replicas of the Velodrome and Aerodrome websites.

On these fraudulent sites, users were encouraged to link their wallets and validate transactions, unwittingly approving the transfer of assets to designated wallets across multiple blockchain networks.

"First social engineering attempt directed at registrar support. The owner of the domain names is not notified," the report says of the start of the attack, explaining that "Ongoing attempts continue for multiple days, including multiple failed fake identity verifications associated with Velodrome and Aerodrome, using names that are both on and not on the registrar account."

The team took several steps to revoke the attacker's control, including freezing the account, removing the nameservers, and completing the KYC process. However, even after losing control of the domains on November 30, the hacker managed to carry out a similar attack the next day.

"The root cause of the attack was multiple carefully orchestrated socially engineered attempts to take over the access to the velodrome.finance and aerodrome.finance domain names," the projects’ team claims.

The registrar's prolonged response times and the lack of control over nameserver restrictions extended the window in which the exploiter could carry out the attack.
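The takeover described above becomes visible the moment a domain's delegated nameservers change, so one defensive check a project can run on a schedule is a nameserver-drift monitor. The following is an added example, not code from the incident report or the Velodrome/Aerodrome team; the domain names are the ones in the report, while the nameserver hostnames and the snapshot timeline are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Allowlist of nameservers each domain should delegate to. Domains are the ones
# named in the incident report; the nameserver hostnames are constructed.
EXPECTED_NS: Dict[str, Set[str]] = {
    "velodrome.finance": {"ns1.legit-dns.example", "ns2.legit-dns.example"},
    "aerodrome.finance": {"ns1.legit-dns.example", "ns2.legit-dns.example"},
}

def ns_drift(observed: Dict[str, Set[str]],
             expected: Dict[str, Set[str]] = EXPECTED_NS) -> Dict[str, Dict[str, List[str]]]:
    """Per drifted domain, list nameservers that are unexpected and those missing.

    `observed` maps domain -> live NS set; a real deployment fills it from a DNS
    query against the parent zone, here the caller supplies it.
    """
    findings = {}
    for domain, allowed in expected.items():
        live = observed.get(domain, set())
        unexpected, missing = live - allowed, allowed - live
        if unexpected or missing:
            findings[domain] = {"unexpected": sorted(unexpected), "missing": sorted(missing)}
    return findings

def track(snapshots: List[Tuple[str, Dict[str, Set[str]]]],
          expected: Dict[str, Set[str]] = EXPECTED_NS) -> List[str]:
    """Walk time-ordered NS snapshots and emit one event per state change.

    Drift, restore, drift again yields HIJACKED, RESTORED, HIJACKED: the shape
    of the November 29 / December 1 sequence in the report.
    """
    events, drifted = [], {domain: False for domain in expected}
    for when, observed in snapshots:
        findings = ns_drift(observed, expected)
        for domain in expected:
            now = domain in findings
            if now and not drifted[domain]:
                events.append(f"{when} HIJACKED {domain} unexpected={findings[domain]['unexpected']}")
            elif drifted[domain] and not now:
                events.append(f"{when} RESTORED {domain}")
            drifted[domain] = now
    return events

# Constructed timeline mirroring the reported sequence; all values are invented.
GOOD = {domain: set(ns) for domain, ns in EXPECTED_NS.items()}
BAD = {domain: {"ns1.attacker-dns.example"} for domain in EXPECTED_NS}
SAMPLE_TIMELINE = [("Nov 28", GOOD), ("Nov 29", BAD), ("Nov 30", GOOD), ("Dec 1", BAD)]
```

Calling `track(SAMPLE_TIMELINE)` yields six events: both domains hijacked, restored, then hijacked again, which is why a monitor must keep running after remediation rather than stopping at the first alert.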


Recent rug pulls

SlowMist also reported three rug pulls detected last week, with the most significant impacting investors of the Expando token (EXPSO), resulting in a loss of $87,317. Investors in AssetClub (ACC) experienced a comparable loss of $84,423, while the exit scam involving the Symbiogenesis token (SYSIS) led to damage amounting to $54,086.

[Chart: SlowMist distribution of total losses by attack method. Source: SlowMist, Medium]

Damage caused to Web3 projects in November

Meanwhile, SlowMist also released its monthly incident report. The cybersecurity team put losses from detected incidents at $349 million, which is $14 million less than the figure reported by CertiK.

"In November, the combined losses from the Poloniex, HTX, and Heco Bridge incidents reached $243 million, accounting for approximately 69% of the total losses from security events this month," SlowMist reports.

In its statistics, the team presented the incident timeline covering the largest exploits, starting from the compromise of the Onyx protocol on November 1 caused by the manipulation of interest rates to borrow more funds than expected. Onyx suffered a loss of over $2 million.

Next, the cross-chain financing platform TrustPad experienced a theft of $155,000 resulting from the exploitation of a staking contract vulnerability allowing manipulation of newlockstartTime and withdrawal of rewards.

The following day, the decentralized over-collateralized stablecoin protocol TheStandard.io lost $290,000 after low liquidity in the PAXG pool was exploited. An MEV bot was attacked on the same day, resulting in the loss of nearly 1,000 ETH. This incident was possible because the contract's arbitrage function lacked authentication, so anyone could call it.

On November 8, the Australian crypto exchange CoinSpot experienced a private key leak from the hot wallet, enabling malicious actors to steal almost $2.5 million.

This incident was followed by a prolific attack on Poloniex on November 10, when the crypto exchange lost $130 million.

After a three-day break, another protocol fell prey to hackers. On November 11, a flash loan and precision calculation issue during the minting of share tokens allowed attackers to gain $3.3 million.

The next day, Exzo Network’s admin wallet, used to transfer ownership and mint XZO, the project’s token, was compromised. The losses from this exploit were not specified.

Nearly $9 million was lost by dYdX on November 18 when the insurance fund experienced a targeted attack.

Next, the investment firm Kronos Research suffered from unauthorized access to API keys, costing the company nearly $26 million.

November 22 turned out to be the day of the second-largest November exploit, which affected HTX and Heco Bridge, causing the theft of $113.3 million.

Finally, KyberSwap Elastic lost nearly $54.7 million due to an unexpected liquidity increase caused by a calculation issue in the token exchange.

SlowMist adds that "There were 24 rug pull incidents, making up 51% of the total number of security events." SlowMist emphasizes that the Binance Smart Chain and Ethereum ecosystems saw the greatest number of rug pulls last month.