Over $8.4 Million Stolen in Crypto Exploits Within a Single Week

The past week witnessed two significant thefts of NFTs, impacting users of Flooring Protocol and NFT Trader.

Thief in an art gallery
One of the most massive exit scams, the Stoic DAO rug pull, allegedly took place last week, however, some experts claim it was a hacking attack.

Web3 security firm SlowMist estimates that the total losses experienced by cryptocurrency and NFT projects between December 10 and December 16 amount to $8,428,033.

One of the largest security incidents mentioned by SlowMist in its weekly incident report is the theft of NFTs from Flooring Protocol, an NFT platform known for supporting the fractionalization of NFTs in exchange for fungible µTokens. According to various reports, Flooring Protocol lost 36 Pudgy Penguins and 14 Bored Apes, with an estimated value between $1.60 million and $1.68 million.

FreeLunchCapital, a pseudonymous software engineer at Flooring Lab, reported that the exploit affected a peripheral or multi-call contract. However, the main contract, as well as assets in vaults and safeboxes, are reportedly safe.

"The hacker who stole from Flooring Protocol dumped $815k worth of Bored Apes into Blur bids and $867k worth of Pudgy Penguins (including 3 gold skin) into bids," noted crypto community influencer NFTstats.eth, who traced the movement of the stolen assets.

The Flooring Protocol’s team has attempted to contact the exploiter. "We are willing to negotiate a deal to return the assets to people who trusted FP and granted permissions to FP. You can keep the assets from my personal wallets. They are the bounty for your hunt. But please, talk to us," posted FreeLunchCapital on X yesterday.

Read also: Zapper, SushiSwap, and Balancer Affected by Attack on Ledger Connect Kit

Unfortunately, last week did not witness a lone NFT exploit. The trading infrastructure and solution provider NFT Trader announced being hacked a day before Flooring Protocol fell victim to the malicious actor.

Dumped Bored Apes stolen from Flooring Protocol
Source: WickdNFT, X

Regarding the NFT Trader exploit, the root cause of the issue has already been identified.

"There was a malicious code execution from a third party on our two older smart contracts. However, we have implemented all necessary measures to prevent any such incidents in the future," the team behind NFT Trader posted on X, recommending users of its solutions to "use revoke(.)cash or similar tools after completing a deal on any platform for added security and use a cold wallet as intended, without interaction (or signature) with any smart contract."

X influencer Cygaar has provided more details on the hack, claiming it exploited a vulnerability related to the combination of reentrancy and old approvals in the NFT Trader contract, as mentioned by the NFT Trader team. While revoking approval to the NFT Trader contract reportedly could have prevented the theft, users with old approvals were susceptible to the exploit.

While the NFTs stolen from Flooring Protocol are reported to have been dumped, it seems that users of NFT Trader managed to receive some of their assets back due to on-chain experts, including 0xQuit, who recovered 5 OCM, 11 Hashmasks, and 1 Game Disease.

Read also: Inferno Drainer Is Dead, but Angel Drainer Thrives

Another notable exploit that struck the community last week was the Ledger Connect Kit Supply Chain Attack, orchestrated, according to SlowMist, by the notorious scam vendor Angel Drainer.

The breach, which occurred on December 14, was executed through a social engineering attack on a former Ledger employee's NPMJS account. This allowed the hacker to compromise versions 1.1.5, 1.1.6, and 1.1.7 of the Ledger Connect Kit. The exploit affected the performance of several dApps connected to Ledger, including Balancer, SushiSwap, and Zapper, resulting in the theft of at least $600,000.

Meanwhile, OKX DEX suffered a loss of $2.76 million, according to another cybersecurity team, PeckShield. The root cause of the problem appears to be the upgrade introducing a new implementation contract, allowing direct invocation of the claimTokens function of the DEX contract.

In its weekly security report, SlowMist also cites the attack on Peapods Finance, subsequently considered a white hat hack by the project’s team as 90% of lost funds were reportedly returned. However, on-chain sleuth ZachXBT detected that the white hat had dumped some of the stolen funds first.

Furthermore, SlowMist mentions in its report the attack on the Venus Protocol oracle, which "impacted a small independent pool, demonstrating the vulnerability of decentralized protocols to oracle issues."

Among the rug pulls occurring last week, SlowMist names the Stoic DAO exit scam as one of the largest exploits of this type, resulting in the loss of a staggering $1.2 million. However, according to the wallet security suite FailSafe, the incident was a hack rather than a rug pull, performed by a malicious actor who drained the zetastaking.eth address, "leading the team to officially shut down the project."