Polter hit by flash loan attack, man gets 24 years for scam: Crypto-Sec

As a seasoned analyst with a background in both cryptocurrency and cybersecurity, I’ve seen my fair share of incidents that leave investors scratching their heads and wallets empty. The recent Polter Finance flash loan attack is yet another example of how vulnerabilities in decentralized finance platforms can lead to significant financial losses for unsuspecting users.


Crypto-Sec is CryptoMoon’s bi-weekly round-up of crypto and cybersecurity stories and tips.

Polter Finance drained in “classic” flash loan attack

As a crypto investor, I recently learned that the Fantom-based DeFi protocol, Polter Finance, suffered a significant loss of approximately $7 million due to a classic flash loan attack on November 18, as reported by blockchain analyst Nick Franklin.

The attacker manipulated the price of the SpookySwap governance token, BOO, by borrowing nearly all BOO tokens from the liquidity pool. After inflating the price to a desirable level, the attacker deposited just one BOO token, which allowed them to empty all the pools.


Data from BlockSec Phalcon shows that, prior to the incident, the liquidity pool contained approximately 269,042.22851562786 tokens.

As a crypto investor, I found myself in a precarious situation when an attacker swiftly obtained nearly all my BOO tokens (equivalent to around $1.3 million at the time) through a flash loan, leaving me with an almost insignificant fraction of those tokens.

Because the price of a token on a decentralized exchange is derived from its ratio to another token, this likely led to an enormous increase in the price of BOO.

After depositing a single BOO token, the attacker borrowed approximately $9.1 million worth of wrapped Fantom (FTM) tokens, ultimately earning a profit of around $7.8 million.

The attacker then repeated the attack to obtain additional assets such as Magic Internet Money (MIM), sFTMX, Axelar USDC (axlUSDC), Bitcoin (BTC), Ether (ETH), and USD Coin (USDC). Some analysts reportedly suggest that a total of $12 million was drained during the attack.

Franklin did not speculate on how the attacker managed to repay the flash loan with sufficient BOO. However, it is plausible that they obtained it from another liquidity pool at a substantially lower price.
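The pricing flaw described above, as an added example that is not part of the original article or Polter Finance's code: a simplified model of a lender that values collateral from a pool's instantaneous reserve ratio, beside one that checks the spot price against a reference price first. The USD-side reserve, the loan-to-value ratio, the deviation threshold and all function names are assumptions.

```python
from decimal import Decimal as D

# Constructed figures: the BOO reserve is the pool balance quoted above; the
# USD-side reserve, LTV and deviation threshold are assumptions.
BOO_RESERVE = D("269042.22851562786")
USD_RESERVE = D("1300000")      # ~$1.3M, so the normal spot is about $4.83 per BOO
LTV = D("0.5")                  # hypothetical loan-to-value ratio
MAX_DEVIATION = D("0.10")       # guard: reject spot more than 10% off reference


def spot_price(boo_reserve, usd_reserve):
    """Price seen by a lender that trusts the pool's current reserve ratio."""
    return usd_reserve / boo_reserve


def borrow_limit_naive(collateral_boo, boo_reserve, usd_reserve):
    """Unsafe: collateral value comes straight from the current reserves."""
    return collateral_boo * spot_price(boo_reserve, usd_reserve) * LTV


def borrow_limit_guarded(collateral_boo, boo_reserve, usd_reserve, reference):
    """Safer: compare spot with a reference price (e.g. a time-weighted average
    or an independent feed) and refuse to lend while the two disagree."""
    spot = spot_price(boo_reserve, usd_reserve)
    if abs(spot - reference) / reference > MAX_DEVIATION:
        raise ValueError("spot price too far from reference; borrows paused")
    return collateral_boo * min(spot, reference) * LTV


def simulate(boo_left_in_pool):
    """Borrow limits for 1 BOO of collateral while only `boo_left_in_pool`
    BOO remains in the pool (the rest is out on a flash loan)."""
    reference = spot_price(BOO_RESERVE, USD_RESERVE)  # price before the loan
    naive = borrow_limit_naive(D(1), boo_left_in_pool, USD_RESERVE)
    try:
        guarded = borrow_limit_guarded(D(1), boo_left_in_pool, USD_RESERVE, reference)
    except ValueError:
        guarded = D(0)
    return naive, guarded


if __name__ == "__main__":
    for left in (BOO_RESERVE, D("1000"), D("1")):
        naive, guarded = simulate(left)
        print(f"BOO left in pool: {left:>20}  naive: ${naive:,.2f}  guarded: ${guarded:,.2f}")
```
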

As a diligent analyst, I would advise all DeFi users to weigh the potential risks before depositing funds into platforms that hold low-liquidity tokens. These tokens, due to their limited market presence, are susceptible to price manipulation by a small group of traders. This could lead to significant volatility and potential losses for unsuspecting investors. Always do your own research and prioritize investing in tokens with a robust liquidity structure for optimal protection against such risks.

The anonymous creator of Polter Finance, known as Whichghost, has filed a police complaint about the incident and is currently trying to communicate with the perpetrator.

CoinPoker hit with hot wallet hack

The crypto poker platform CoinPoker suffered a breach of its private key, according to a November 18 report from blockchain analysis provider Cyvers. The perpetrator executed transactions across various networks, such as BNB Smart Chain, Ethereum, and Polygon.

On November 16th, the poker platform attempted to open negotiations with the attacker by broadcasting a message on the Ethereum network.

The statement mentioned that there’s an issue concerning money missing from wallet address 0x3c17. We aim to set up a secure channel to handle this situation productively. […] We are open to negotiating conditions, even offering a reward, for the safe recovery of the funds.

The data from the blockchain indicates that the thief has mostly transferred the stolen assets into the confidential transaction service known as Tornado Cash, making it challenging to track these funds. This could potentially weaken the platform’s bargaining power during any future negotiations.


Users of Web3 platforms need to understand that their funds could be at risk if a centralized gaming platform experiences a hack and cannot return customers’ deposits. However, it seems that CoinPoker has shown resilience in such situations, since there are no reports of any issues with withdrawals currently.

Man gets 24 years for bank-crashing crypto scam

A resident of Elkhart, Kansas (United States) was sentenced to 24 years in prison for his involvement in a cryptocurrency fraud scheme that ultimately led to the collapse of Heartland Tri-State Bank, as reported on November 5th by The Register, a technology news site based in the United Kingdom. However, the mastermind behind this scam remains at large, yet to be captured by authorities.

In 2023, it was reported that Shan Hanes, who was then the CEO of Heartland Tri-State Bank, encountered a cryptocurrency scammer through WhatsApp.

It is said that the scam artist tricked Hanes into participating in a fraudulent digital currency investment plan. However, Hanes didn’t merely contribute his personal funds. Instead, he illegally diverted funds from the Elkhart Church of Christ and the Santa Fe Investment Club, organizations where he was responsible for managing their finances.

Furthermore, Hanes eventually started siphoning funds directly from Heartland Tri-State Bank. Over $47 million was taken out of the bank’s deposits and funneled into a cryptocurrency scam. However, this scam never generated any genuine earnings, and the money was ultimately pocketed by its anonymous creator.

Ultimately, the bank’s top finance official disclosed Hanes’ fraudulent activities to the relevant authorities. However, the damage had already been done, with the illicit gains exceeding the bank’s total assets, leading it to file for bankruptcy.

Based on a CNN report from July 2023, the struggling bank initially received bailout support from the U.S. Federal Deposit Insurance Corporation. Subsequently, it was acquired by Dream First Bank of Syracuse and reopened for business.

The report states that officials were able to retrieve $8 million from Hanes’ wallets; however, the additional $39 million is now irretrievable.

Crypto investors may want to be skeptical of crypto investments that cannot be tracked on a blockchain through a public block explorer. These types of “projects” often turn out to be fictional.


2024-11-19 00:09