June 18, 2024

$45M Exploited: UwU Lend, Gala Games, and TCH Breached via Price Oracles, Wallets, and Signature Reuse

UwU Lend bled $23M after its sUSDE price oracle, which read from thin Curve pools, was gamed with flash loans. Gala Games lost $21.8M to a wallet key compromise and unauthorized GALA minting. TCH Token dropped $19K to a signature replay that slipped past a used-signature check. Same theme, new month: broken assumptions cost millions.

In Brief

  • UwU Lend lost $23M due to price manipulation.
  • Gala Games was exploited for $21.8M.
  • TCH Token was targeted in a $19K attack.

Hacks Analysis

UwU Lend | Amount Lost: $23M

On June 10th, UwU Lend on the Ethereum Mainnet was exploited for $23M. The root cause was a sUSDE price oracle that derived its value from the current state of several low-liquidity Curve pools (USDecrvUSD, FRAXUSDe, USDeUSDC, GHOUSDe, and USDeDAI), which a single large swap could move. The attacker took flash loans of around $3.796 billion from various platforms, used the funds to build a leveraged position through recursive borrowing, and swapped through those thin pools to inflate the sUSDE price the oracle reported, borrowing against the inflated collateral value for a profit. The UwU Lend team acknowledged the exploit and paused the protocol.


Exploit Contract: 0xd252953818bdf8507643c237877020398fa4b2e8

Transaction Hash: 0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3
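The mechanism above, modelled offline as an added example (this is not UwU Lend or Curve code): constant-product pools stand in for Curve's StableSwap, all balances and the oracle history are constructed, and the hardened oracle anchors the spot price to a TWAP of earlier observations, a design assumed here rather than taken from the incident.

```python
"""Flash-loan oracle manipulation of the kind described for UwU Lend, modelled
offline. Added example, not UwU Lend or Curve code: constant-product pools stand in
for Curve's StableSwap, and every balance below is constructed."""
from statistics import median


class Pool:
    """Constant-product USDe/stablecoin pool (stand-in for a thin Curve pool)."""

    def __init__(self, usde, stable):
        self.usde, self.stable = float(usde), float(stable)

    def spot_price(self):
        """Stablecoins per USDe, read straight from reserves (what a spot oracle sees)."""
        return self.stable / self.usde

    def buy_usde(self, stable_in):
        """Swap stablecoin in for USDe out, keeping x*y = k."""
        k = self.usde * self.stable
        self.stable += stable_in
        out = self.usde - k / self.stable
        self.usde -= out
        return out


class SpotOracle:
    """Vulnerable: median of the pools' current spot prices, nothing else."""

    def __init__(self, pools):
        self.pools = pools

    def price(self):
        return median(p.spot_price() for p in self.pools)


class AnchoredOracle:
    """Hardened: collateral is never marked above a TWAP anchor when spot deviates.

    `history` is a constructed list of earlier observations (assumed honest)."""

    def __init__(self, pools, history, max_deviation=0.05):
        self.pools, self.history, self.max_deviation = pools, list(history), max_deviation

    def price(self):
        spot = median(p.spot_price() for p in self.pools)
        twap = sum(self.history) / len(self.history)
        if abs(spot - twap) / twap > self.max_deviation:
            return min(spot, twap)      # conservative for collateral valuation
        return spot


class LendingMarket:
    def __init__(self, oracle, liquidity, ltv=0.8):
        self.oracle, self.liquidity, self.ltv = oracle, float(liquidity), ltv

    def max_borrow(self, collateral_usde):
        """Stablecoins lendable against the collateral at the oracle's price."""
        return min(self.ltv * collateral_usde * self.oracle.price(), self.liquidity)


def run_attack(make_oracle, flash_loan=20_000_000, lend_liquidity=30_000_000):
    """Flash-loan stablecoins, pump USDe across all pools, borrow against it.

    Returns (oracle price after the pump, amount borrowed, attacker profit)."""
    pools = [Pool(1_000_000, 1_000_000) for _ in range(5)]   # five thin pools at $1.00
    market = LendingMarket(make_oracle(pools), lend_liquidity)
    per_pool = flash_loan / len(pools)
    collateral = sum(p.buy_usde(per_pool) for p in pools)      # USDe bought with the loan
    borrowed = market.max_borrow(collateral)                   # deposit it, borrow the max
    profit = borrowed - flash_loan                             # repay loan, abandon position
    return market.oracle.price(), borrowed, profit


if __name__ == "__main__":
    print("spot oracle    :", run_attack(SpotOracle))
    print("anchored oracle:", run_attack(lambda pools: AnchoredOracle(pools, [1.0] * 24)))
```

With the spot oracle, $20M of flash-loaned stablecoins pushes each pool from $1.00 to $25.00, and the lender hands out its entire $30M against USDe that is worth $4M once the swaps unwind. The anchored oracle sees the 2400% deviation from the TWAP, values the same collateral at $1.00, and the attacker can borrow only $3.2M against $20M spent. A deviation check that reverts instead of clamping is the other common choice; either way the oracle must not be a pure function of reserves an attacker can rent for one transaction.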

Gala Games | Amount Lost: $21.8M

On May 21st, Gala Games on the Ethereum Mainnet lost $21.8M. The root cause was the compromise of a Gala Games wallet that was permitted to mint GALA, which allowed the attacker to mint 5B GALA tokens. Before the attacker could swap all of the minted tokens, the Gala Games team recovered 4.4B of them; by then the attacker had already swapped 599M GALA for 5,913 ETH.


Exploit Contract: 0xd1d2eb1b1e90b638588728b4130137d262c87cae

Transaction Hash: 0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe

TCH Token | Amount Lost: $19K

On May 16th, the TCH Token exploit on the BNB Chain resulted in a $19K loss. The root cause was a vulnerability in the burnToken() function of the TCH contract. The function verifies an ECDSA signature for authorization and records each used signature in a mapping so it cannot be replayed, but the mapping is keyed on the raw signature bytes while the recovery step accepts more than one encoding of the recovery id. The attacker resubmitted the same (r, s) with the v byte changed from 0x01 to 0x1c (28): a different byte string, the same recovered signer, and a replay the mapping did not catch. With the replayed authorization the attacker burned TCH tokens and manipulated the token price.


Exploit Contract (on BNB Chain): 0x5d78CFc8732fd328015C9B73699dE9556EF06E8E

Transaction Hash: 0xa94338d8aa312ed4b97b2a4dcb27f632b1ade6f3abec667e3bf9f002a75dabe0
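The replay described above, reproduced as an added example (this is not the TCH contract): a minimal pure-Python secp256k1 makes the (r, s, v) arithmetic real, sha256 stands in for keccak256, the signer is identified by public-key point rather than address, the message format and nonce-based fix are assumptions, and the private key is a constructed value.

```python
"""Replay of a burnToken()-style check that records used signatures by their raw
bytes while the recover step tolerates more than one encoding of the same signature.
Added example, not the TCH contract: minimal pure-Python secp256k1, sha256 in place
of keccak256, signer identified by public-key point, constructed private key."""
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def sign(priv, digest):
    """ECDSA over digest; returns canonical (r, low s, v in {27, 28}).
    The nonce is derived from key and digest (simplified RFC 6979 stand-in)."""
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % N
    rx, ry = _mul(k, G)
    r, v = rx % N, 27 + (ry & 1)
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:                # low-s form; flipping s flips the recovery parity
        s, v = N - s, 55 - v
    return r, s, v

def recover(digest, r, s, v):
    """ecrecover: the public key (x, y) that signed digest as (r, s, v)."""
    z = int.from_bytes(digest, "big")
    y = pow((r ** 3 + 7) % P, (P + 1) // 4, P)    # P = 3 mod 4, so this is a square root
    if (y & 1) != v - 27:
        y = P - y
    r_inv = pow(r, -1, N)
    return _add(_mul(s * r_inv, (r, y)), _mul((N - z) * r_inv, G))

def encode(r, s, v_byte):
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v_byte])

def decode(sig):
    return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64]

def burn_digest(amount, nonce=0):
    """Assumed message layout; sha256 stands in for keccak256 (hashlib has no keccak)."""
    return hashlib.sha256(b"burn" + amount.to_bytes(32, "big") + nonce.to_bytes(32, "big")).digest()

class BurnVulnerable:
    """burnToken() as described: used-signature set keyed on raw bytes, v taken as 0/1 or 27/28."""
    def __init__(self, signer):
        self.signer, self.used, self.burned = signer, set(), 0

    def burn(self, amount, sig):
        if sig in self.used:
            return False
        r, s, v = decode(sig)
        if v < 27:                # lenient normalisation: 0x01 and 0x1c name the same signature
            v += 27
        if v not in (27, 28) or recover(burn_digest(amount), r, s, v) != self.signer:
            return False
        self.used.add(sig)
        self.burned += amount
        return True

class BurnFixed:
    """Replay guard keyed on the signed message (with nonce); only canonical encodings accepted."""
    def __init__(self, signer):
        self.signer, self.used, self.burned = signer, set(), 0

    def burn(self, amount, nonce, sig):
        r, s, v = decode(sig)
        if v not in (27, 28) or not 0 < r < N or not 0 < s <= N // 2:
            return False          # every other encoding of a valid signature is rejected outright
        digest = burn_digest(amount, nonce)
        if digest in self.used or recover(digest, r, s, v) != self.signer:
            return False
        self.used.add(digest)
        self.burned += amount
        return True

def demo():
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    signer, amount = _mul(priv, G), 1_000
    r, s, v = sign(priv, burn_digest(amount))
    legit = encode(r, s, v - 27)          # issued with v = 0x00/0x01, as in the incident
    alt_v = encode(r, s, v)               # attacker: same r, s with v = 0x1b/0x1c
    high_s = encode(r, N - s, 55 - v)     # attacker: classic (r, n - s) malleability
    vuln = BurnVulnerable(signer)
    vuln_results = (vuln.burn(amount, legit), vuln.burn(amount, legit),
                    vuln.burn(amount, alt_v), vuln.burn(amount, high_s))
    r2, s2, v2 = sign(priv, burn_digest(amount, nonce=1))
    fixed = BurnFixed(signer)
    fixed_results = (fixed.burn(amount, 1, encode(r2, N - s2, 55 - v2)),
                     fixed.burn(amount, 1, encode(r2, s2, v2 - 27)),
                     fixed.burn(amount, 1, encode(r2, s2, v2)),
                     fixed.burn(amount, 1, encode(r2, s2, v2)))
    return vuln_results, fixed_results, vuln.burned, fixed.burned

if __name__ == "__main__":
    print(demo())
```

Against the vulnerable contract one authorization burns three times: once as issued, once with v re-encoded, and once with s replaced by n - s. The fix has two parts, and both matter: the replay key is the message (amount plus nonce) the signer actually authorized, never the signature bytes, and any non-canonical encoding (v outside 27/28, high s, r or s out of range) is rejected before recovery, which is what OpenZeppelin's ECDSA library enforces for the same reason.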

