While the cryptocurrency community was celebrating Valentine's Day, criminals were busy robbing Web3 projects.
On the night before February 14th, a hacker attacked the Duelbits casino. According to the security firm CertiK, Duelbits likely fell victim to a private key compromise, which enabled the perpetrator to steal approximately $4.6 million. The attacker then swapped all of the seized assets for ETH.
Miner, a Web3 project offering a collection of 100,000 avatars and their token counterparts built on the experimental ERC-X token standard, also fell victim to an exploit over the holiday. Yesterday, the project's team warned its community against buying its newly released MINER token, which had been trading for just three days before the attack. The project lost about 168.8 ETH, worth over $463,000 at the time of the incident.
"We have saved approximately 130 ETH from liquidity and will either redeploy if needed or continue with the current contract if this can be fixed without redeploying," Miner stated on X, emphasizing that some of its contracts, including DN404, were still under attack.
According to Miner's team, the attack abused the "_update" function of the token contract: because the function cached both the sender's and the recipient's balances before writing them back, a transfer of tokens to oneself credited the full amount on top of the original balance, doubling it.
CertiK also described the mechanics of the exploit, explaining that the funds were drained through a series of malicious transactions.
"_balances[from] calculates the attacker's balance minus the tokens sent, but is then immediately overwritten by _balances[to], which adds the sent value to the attacker's balance, effectively doubling their tokens," the security team added.
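The read-both-then-write-both pattern CertiK describes is easy to reproduce. Below is an added example, written for this article and not taken from the Miner or DN404 code: a small Python model of a token whose "_update" caches both balances before writing, beside a corrected version that re-reads the credit side after the debit has been stored. Class names, addresses and starting balances are constructed for illustration.

```python
# Added illustration of the cached-balance self-transfer bug (hypothetical
# model, NOT the Miner/DN404 contract code). Names and balances are made up.


class InsufficientBalance(Exception):
    pass


class VulnerableToken:
    """Reads both balances up front, then writes both back.

    When from == to, the cached 'to' balance still holds the pre-debit value,
    so the second write overwrites the debit and credits the full amount.
    """

    def __init__(self, balances: dict[str, int]):
        self.balances = dict(balances)

    def _update(self, from_addr: str, to_addr: str, amount: int) -> None:
        from_balance = self.balances.get(from_addr, 0)
        to_balance = self.balances.get(to_addr, 0)  # cached BEFORE the debit
        if from_balance < amount:
            raise InsufficientBalance(from_addr)
        self.balances[from_addr] = from_balance - amount
        self.balances[to_addr] = to_balance + amount  # clobbers the debit if to == from


class FixedToken(VulnerableToken):
    """Same storage layout, but the credit side is read only after the debit
    has been written, so a self-transfer nets to zero."""

    def _update(self, from_addr: str, to_addr: str, amount: int) -> None:
        from_balance = self.balances.get(from_addr, 0)
        if from_balance < amount:
            raise InsufficientBalance(from_addr)
        self.balances[from_addr] = from_balance - amount
        # Re-read after the write: for to == from this now sees the debited value.
        self.balances[to_addr] = self.balances.get(to_addr, 0) + amount


def total_supply(token: VulnerableToken) -> int:
    """Sum of all balances; a correct transfer must keep this constant."""
    return sum(token.balances.values())


def self_transfer_attack(token: VulnerableToken, attacker: str, rounds: int) -> int:
    """Send the attacker's whole balance to themselves `rounds` times and return
    the final balance. On the vulnerable token each round doubles it."""
    for _ in range(rounds):
        token._update(attacker, attacker, token.balances.get(attacker, 0))
    return token.balances.get(attacker, 0)


if __name__ == "__main__":
    for cls in (VulnerableToken, FixedToken):
        t = cls({"attacker": 100, "liquidity_pool": 900})
        before = total_supply(t)
        final = self_transfer_attack(t, "attacker", 3)
        print(f"{cls.__name__}: attacker balance {final}, "
              f"supply {before} -> {total_supply(t)}")
```

The total-supply check is the invariant an audit or a fuzzing harness should assert on: with the vulnerable ordering, three self-transfers turn 100 tokens into 800 and the supply grows out of thin air, while the corrected ordering leaves both unchanged. Rejecting from == to outright is a reasonable extra guard, but the ordering fix is what actually closes the bug.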
"This issue will be fixed, and the contract will be audited before being redeployed," Miner promised the community, adding that "The saved liquidity (nearly 130 ETH) is currently equal to ASTX LP and will be used for LP purposes for redeployment."
In the aftermath of the exploit, Miner reached out to the hacker. In an on-chain message, the team asked the attacker to return the stolen assets in exchange for a $120,000 reward, equivalent to 30% of the stolen funds.
Amid these incidents, at least one cryptocurrency user also fell victim to phishing on Valentine's Day. According to the Scam Sniffer team, "a victim lost $96,164 worth of Uniswap liquidity NFT after signing malicious approval transactions"; the scammer obtained approval for the liquidity NFT by exploiting a Safe wallet.
In this case, the criminal hid a "setApprovalForAll" call inside what appeared to be a harmless "multicall" transaction. A multicall bundles several calls into one transaction, so the signer sees only the outer call, while the approval nested inside hands the operator control over every NFT the victim holds in that contract.
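The defence is to decode what is being signed rather than trusting the outer function name. The following is an added example, not Scam Sniffer's tooling or any wallet's code: a Python pre-signature check that ABI-decodes a multicall(bytes[]) batch, descends into nested batches, and flags any embedded setApprovalForAll(address,bool). The two selectors are the standard ones for those signatures; the "benign" inner call and the operator address are constructed placeholders.

```python
# Added example of a calldata pre-sign check (illustrative code, not from the
# original article or from Scam Sniffer). Addresses and the placeholder inner
# call are constructed.

# 4-byte selectors are the first 4 bytes of keccak256(signature).
SEL_MULTICALL = bytes.fromhex("ac9650d8")              # multicall(bytes[])
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")   # setApprovalForAll(address,bool)

DANGEROUS = {SEL_SET_APPROVAL_FOR_ALL: "setApprovalForAll(address,bool)"}


def _word(data: bytes, off: int) -> int:
    """Read one 32-byte big-endian ABI word."""
    return int.from_bytes(data[off:off + 32], "big")


def encode_set_approval_for_all(operator: str, approved: bool) -> bytes:
    """ABI-encode setApprovalForAll(operator, approved)."""
    op = bytes.fromhex(operator.removeprefix("0x")).rjust(32, b"\x00")
    return SEL_SET_APPROVAL_FOR_ALL + op + int(approved).to_bytes(32, "big")


def encode_multicall(calls: list[bytes]) -> bytes:
    """ABI-encode multicall(bytes[] data): head offset, length, element offsets, elements."""
    n = len(calls)
    offsets, tail = b"", b""
    for c in calls:
        offsets += (32 * n + len(tail)).to_bytes(32, "big")  # relative to first offset word
        tail += len(c).to_bytes(32, "big") + c + b"\x00" * (-len(c) % 32)
    return SEL_MULTICALL + (32).to_bytes(32, "big") + n.to_bytes(32, "big") + offsets + tail


def decode_bytes_array(args: bytes) -> list[bytes]:
    """Decode a single bytes[] argument from calldata with the selector stripped."""
    arr = _word(args, 0)          # offset of the array
    n = _word(args, arr)          # element count
    base = arr + 32               # element offsets are relative to here
    out = []
    for i in range(n):
        start = base + _word(args, base + 32 * i)
        length = _word(args, start)
        out.append(args[start + 32:start + 32 + length])
    return out


def find_dangerous_calls(calldata: bytes, depth: int = 0) -> list[dict]:
    """Walk a calldata blob, recursing into multicall batches, and report every
    call whose selector is in DANGEROUS with its decoded operator and flag."""
    hits = []
    selector, args = calldata[:4], calldata[4:]
    if selector == SEL_MULTICALL:
        for inner in decode_bytes_array(args):
            hits.extend(find_dangerous_calls(inner, depth + 1))
    elif selector in DANGEROUS:
        hits.append({
            "depth": depth,
            "function": DANGEROUS[selector],
            "operator": "0x" + args[12:32].hex(),   # address is right-aligned in its word
            "approved": bool(_word(args, 32)),
        })
    return hits


if __name__ == "__main__":
    attacker = "0x" + "42" * 20                      # constructed placeholder
    batch = encode_multicall([
        b"\xde\xad\xbe\xef" + b"\x00" * 32,          # placeholder harmless inner call
        encode_set_approval_for_all(attacker, True),
    ])
    for hit in find_dangerous_calls(batch):
        print("REFUSE TO SIGN:", hit)
```

A wallet or a transaction-simulation hook would run this over the raw calldata before presenting the signing prompt; the point is that the selector of the outer call says nothing about what the batch does, so the check must decode every nested element. The same walk can be extended with approve(address,uint256), permit-style signatures or any other grant of spending rights.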
Meanwhile, CertiK published a detailed analysis of one of the recent large rug pulls, XKingdom_Tech. The incident, which occurred on January 6th and caused investor losses of up to $1.2 million, was described by CertiK as "one of the largest exit scams we have seen over the past few months."
XKingdom positioned itself as a project combining SocialFi and GameFi on the Arbitrum network. Its premise was building virtual kingdoms on the X platform by interacting with posts and completing quests such as treasure hunts, activities that were supposed to earn users project tokens. According to CertiK, XKingdom had an NFT contract and three ERC-20 tokens.
From on-chain interactions, CertiK inferred that to participate, users obtained XKING tokens in exchange for ETH, which could then be swapped for XCOIN and used to claim XCROWN. "The documentation that explains how all of these tokens interacted with each other has been deleted, however, it is assumed that XCOIN and XCROWN tokens could be traded for XKING, which is the token backed by users' funds," CertiK explains.
These user deposits allowed the project to amass over 500 ETH. Unfortunately, the xKingdom contracts contained functionality that granted the deployer sweeping control over the ecosystem, leaving the project highly centralized.
According to CertiK, on January 4th the deployer upgraded key project contracts to new implementations, most likely to fabricate technical issues that would divert attention from the movement of funds. The deployer ultimately transferred 558.3 ETH to an externally owned account (EOA). After a series of transactions, including swapping the stolen ETH for stablecoins and back to ETH, the funds were laundered through Tornado Cash.