Major Incidents from Last Week: Wise Lending Exploit and XAI Token Rug Pull

While the total losses experienced by the Web3 community last week were relatively modest, some of the exploits involved surprisingly sophisticated tactics.

An owl with crypto coins
Cybersecurity experts have identified a complex method employed by the hacker of the Wise Lending protocol.

Blockchain cybersecurity firm SlowMist has shared its weekly incident report with the crypto community on X. According to the on-chain security experts, total damage amounted to $684,000 during the period between January 7 and January 13.

Attack on Wise Lending

The most significant theft identified by SlowMist last week targeted the decentralized lending and borrowing protocol Wise Lending on January 12, resulting in an estimated $464,000 in damages. While this loss may not be on the scale of massive heists that regularly impact the crypto industry, cybersecurity professionals, including Daniel Von Fange, noted that the case is worthy of close examination.

Von Fange suggests that the hack is "far more complex than reported." A deeper investigation into the incident has revealed that "the protocol had added explicit defenses against this style of attack, which the attacker either bypassed or used against the protocol."

Read also: Solana Army Won't Help - Rainbow and Node Drainers on the Rampage

According to Von Fange, the sophisticated attack on the protocol involved modern vaults, which, instead of relying solely on shares and assets, stored the shares-to-assets ratio. To prevent rapid inflation, the deployer of the Wise Lending protocol ensured that this ratio was calculated and changes to it were restricted, while it was also decoupled from user actions.

Daniel Von Fange's analysis of the Wise Lending exploit
Source: Daniel Von Fange, X

"Wise Lending had additional code to defend against donation attacks, run before each action. It checked if funds had been gained since the previous action ended and limited any gains to an amount over time," Von Fange explains in the X thread. The blockchain security expert adds that "Wise was careful to ensure that the protocol always rounded against the user interacting and in favor of the protocol."

When a user deposited money to the Wise protocol, the number of shares given was rounded down. On the other hand, when a user initiated a withdrawal from the Wise protocol, the number of shares to be burned was rounded up.

However, despite these measures, the attacker managed to bypass the defenses put in place to prevent donation attacks. The attack involved manipulating two different parts of the system that were rounded differently, ultimately leading to the passing of a validation check that should have failed.

As per Von Fange, the criminal targeted the newly deployed Wise PLP Pool, designed to hold Pendle LP tokens.

The attacks started with a relatively small deposit and donation to pass the validation "even though the percentage donation was 5,000,000 times larger than the deposit."

Read also: Turbulent Start of 2024: Gamma Strategies, Radiant Capital Hacks and Solana Drainers

Next, the attacker intentionally incurred losses to the protocol by executing a series of deposits and withdrawals with ever-increasing values. This "stealth donation," performed through systematic manipulation of rounding mechanisms, gave the hacker rounding gains which "were immediately incorporated into the core protocol numbers."

Then, "the stage was set" by making a final large deposit, and the criminal cleverly used six additional helper contracts to deposit a substantial amount of funds into the PLP pool. Each deposit was large enough to obtain one share in the pool, and these shares were used as collateral for subsequent borrowing.

Through the withdrawals of a very small amount of funds and transferring the collateral that was apparently "lost" in the process, the master account, controlled by the attacker, gained all six existing shares of the PLP pool. Finally, the attacker withdrew the loot.

Other notable exploits

In its weekly report, SlowMist also cites a significant exit scam affecting the XAI token on the BNB chain. The deployer executed a substantial sell-off by dumping 20.779 billion XAI tokens onto the market. As a result of the token dump, the exploiter managed to net a profit of approximately $220,000.

Note that the token may share its name with tokens issued by legitimate projects.

Additionally, last week, several social media accounts of Web3 projects were hacked. One of these exploits affected two Twitter accounts belonging to the popular cryptocurrency data aggregator CoinGecko: GeckoTerminal and CoinGecko. The attack was empowered by a popular scam technique involving the event-scheduling application Calendly.

"Despite having 2FA enabled and implementing robust security measures, one of our team members clicked on a fraudulent Calendly link by accident, granting the unauthorized app access to a hacker who then posted on our behalf," the CoinGecko team shared with its X followers on January 11.

While CoinGecko promptly secured both of its accounts, SlowMist strongly recommended cryptocurrency users exercise extra vigilance when dealing with Calendly links, as this application is frequently abused by malicious actors.

Earlier, SlowMist warned against the exploitation of the "Add Custom Link" feature offered by Calendly, which makes it possible to insert a malicious link triggering a phishing attack directly into the event details.

In the new iteration of the Calendly scam, criminals use malicious links disguised to appear as legitimate Calendly links. Upon clicking, these links transform their name into "Calendly." with an extra dot at the end. Subsequently, victims, thinking they are interacting with a genuine Calendly link, unwittingly grant access to their X account, which is then used for phishing campaigns.