Rug Pull Deployers Stole Almost $4 Million in Just One Week

SlowMist detected thirteen incidents of rug pulls last week, but the actual number may be even higher.

One of the exit scams that were deployed last week involved a fake PulseX token.

In its weekly incident report covering exploits between January 14 and January 20, on-chain security firm SlowMist has revealed a disturbing spike in exit scams. The rug pulls identified by SlowMist resulted in a total damage of almost $3.9 million, a significant increase compared to the $700,000 lost between January 7 and January 13.

Earlier, the Web3 cybersecurity team PeckShield reported a series of incidents that led to a total loss of approximately $2.9 million within less than 48 hours. During that period, the tokens involved in exit scams included BorzoiCoin (BORZOI), MOE (MOE), FoxFunnies (FXN), PulseXIncentiveToken (INC), SolDragon (DRAGON), Speero (SPEERO), Audify (AUDI), StarkPepe (SPEPE), BoxyDude (BOX), and MAR3AI (MAR).

[Figure: Rug pulls that happened last week. Source: SlowMist, X]

The rug pull deployments mirrored each other, involving the exchange of large amounts of tokens for BNB, with income from these scams ranging between $270,000 and $318,000, as reported by SlowMist. The latter incident specifically utilized the MOE token.


The SlowMist report also highlights more recent rug pulls exploiting tokens such as Cronus (CRONUS), Poldo (POLDO), and LongNoseDog (LONG), with investors facing losses between $309 and $316.

While SlowMist reports overall losses in Web3 incidents amounting to approximately $5,040,736, the actual figures may be even higher. As mentioned earlier, losses from rug pulls alone have nearly reached $4 million, and there were other exploits during this period.

One of the most notable incidents involved the exploitation of contract vulnerabilities in the interoperability protocol Socket, resulting in a loss of nearly $3.3 million on January 16. The incident was attributed to wallets with unlimited approvals to Socket contracts. Web3 security firm Beosin reported that the vulnerability stemmed from an unsafe call within the performAction function, enabling a malicious actor to execute a call injection attack. This type of exploit, common in smart contracts written in the Solidity programming language, allows criminals to inject code into the call() function, manipulating contract states and draining funds.
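As an added illustration (not taken from the SlowMist or Beosin reports), the Python sketch below shows how a defender could list wallets that still hold an effectively unlimited ERC-20 allowance to a given contract, the condition the Socket losses were attributed to. All addresses and log entries are constructed placeholders, and the log dictionaries assume the `eth_getLogs` result shape with numeric fields already decoded.

```python
# Added example: all addresses and log entries below are constructed placeholders.
# topic0 of Approval(address,address,uint256), shared by ERC-20 and ERC-721.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # allowances this large are effectively unlimited

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_unlimited_approvals(logs, watched_spender):
    """Return sorted (token, owner) pairs whose latest allowance to
    watched_spender is still effectively unlimited."""
    watched = watched_spender.lower()
    latest = {}
    # Replay in chain order so a later revoke (approve 0) overrides an earlier grant.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # other event, or ERC-721 Approval (tokenId is a 4th topic)
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        if spender == watched:
            latest[(log["address"].lower(), owner)] = int(log["data"], 16)
    return sorted(k for k, v in latest.items() if v >= UNLIMITED_FLOOR)

def _pad(addr):
    return "0x" + "00" * 12 + addr[2:]

def _approval(token, owner, spender, value, block, index):
    """Build a constructed log in eth_getLogs shape (numeric fields already decoded)."""
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": "0x" + format(value, "064x")}

ROUTER, OTHER, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "aa" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20
MAX = 2**256 - 1
SAMPLE_LOGS = [
    _approval(TOKEN, BOB, ROUTER, 0, 105, 0),      # Bob revokes (listed out of order)
    _approval(TOKEN, ALICE, ROUTER, MAX, 100, 3),  # Alice: unlimited, never revoked
    _approval(TOKEN, BOB, ROUTER, MAX, 101, 1),    # Bob: unlimited, revoked later
    _approval(TOKEN, CAROL, ROUTER, 500, 102, 0),  # Carol: bounded allowance
    _approval(TOKEN, CAROL, OTHER, MAX, 103, 0),   # unlimited, but other spender
]

if __name__ == "__main__":
    for token, owner in open_unlimited_approvals(SAMPLE_LOGS, ROUTER):
        print(f"revoke: owner {owner} -> spender {ROUTER} on token {token}")
```

Only Alice is reported: Bob's later revoke cancels his earlier grant even though the logs arrive out of order, and Carol's allowances are either bounded or granted to a different spender.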

SlowMist also identified two Distributed Denial-of-Service (DDoS) attacks on major platforms.

One targeted Justin Sun’s cryptocurrency exchange HTX (formerly Huobi), which suffered a loss of nearly $13.6 million in November. The DDoS disrupted the HTX platform for approximately 15 minutes.

Another victim of a DDoS attack last week was Manta Pacific, a modular L2 protocol for ZK dApps. This attack, occurring on January 18, was of the RPC type, targeting remote procedure call services. While the network continued running, users faced difficulties accessing applications and completing transactions due to RPC congestion created by the attack. This incident led to elevated gas fees, driven by massive user interaction during the DDoS attack.

To address this issue, Manta’s team plans to reimburse the gas fees caused by the incident.

"Any gas fee payments above 0.001 ETH made on Manta Pacific from 9:30 AM UTC on January 18, 2024 (the time of TGE) to 4:30 AM UTC on January 20, 2024, will be reimbursed to users," Manta promised in its incident report.

Unfortunately, low resilience to DDoS attacks and other cybersecurity threats, not necessarily connected to the smart contract functionality of Web3 projects, is a common issue. It was discussed in depth by SlowMist last December when the team published its Top DeFi security research.

"From the comprehensive statistical information gathered, it’s clear that the basic security risks in current DeFi projects are severe, with many DeFi projects having unsafe configurations and being at risk of attacks," SlowMist concluded then, emphasizing common problems such as source IP exposure, CDN and traffic protection security issues, as well as problems with domain registrars. Many of these vulnerabilities significantly increase the chances of a platform falling prey to DDoS attacks.

In addition to all these incidents, SlowMist also reports two large third-party and social media platform breaches. One of them was Rosa Finance, an Arbitrum-based non-custodial liquidity market protocol, which lost almost $45,000 on January 18. The team urged all users to refrain from interacting with the dApp as a precautionary measure and took down the website to prevent any further interactions. While actively addressing the vulnerabilities in their smart contracts in collaboration with Omniscia, Rosa Finance shared its plans to remove the liquidity pool to preserve as much of the background as possible.


In the meantime, Trezor, a leading manufacturer of hardware cryptocurrency wallets, suffered from unauthorized access to a third-party support portal. According to SlowMist, digital assets belonging to users were not involved, although reportedly, the incident affected nearly 66,000 customers.

An internal audit revealed that the compromised data was limited to email addresses as well as name and nickname details. The unauthorized actor contacted 41 customers directly, attempting to obtain sensitive recovery seed information. Additionally, eight trial account users on Trezor's discussion platform may be affected by the breach.