Vestra’s $500K Yield Reuse Flaw, Mosca’s Incomplete State Reset, BYC’s Burn-Based Price Play
Vestra lost $500K after failing to check if staking positions were still active, allowing repeated yield withdrawals. Mosca leaked $19.5K due to a flawed state reset that didn’t clear USDT and USDC balances. BYC was manipulated for $100K when its autoBurnLiquidity() function let attackers burn supply and inflate prices.
In Brief
Mosca lost $19.5K due to improper balance handling.
Vestra’s staking logic flaw resulted in a $500K loss.
BYC Token suffered a $100K price manipulation attack.
Hacks Analysis
Mosca | Amount Lost: $19.5K
On January 8th, the Mosca exploit on BSC resulted in a $19.5K loss. The root cause was an incomplete state reset in the withdrawal path reached through exitProgram(). withdrawAll() computed the payout as the sum of user.balance, user.balanceUSDT and user.balanceUSDC, but only user.balance was zeroed afterwards; user.balanceUSDT and user.balanceUSDC kept their values, so the stablecoin part of the payout remained claimable. The attacker first called buy() to raise their user.balanceUSDC, then called join() to add their address to the rewardQueue, and finally withdrew through exitProgram(), which paid out the balances that were never cleared.
Figure: buy()
Figure: exitProgram()
Figure: withdrawAll()
Exploited Contract (on BNB): 0x1962b3356122d6a56f978e112d14f5e23a25037d
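The bug pattern above, reconstructed as an added example (this is not Mosca's code). The field names balance/balanceUSDT/balanceUSDC and the buy() -> exitProgram() -> withdrawAll() flow follow the write-up; the single payout token and the omitted join()/rewardQueue step are simplifications assumed here. The vulnerable and fixed versions differ only in how _withdrawAll() clears state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the Mosca defect, not the exploited contract's
// code. Field names follow the write-up; the single payout token and the
// skipped join()/rewardQueue step are assumptions made to keep this short.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract ExitProgramBase {
    struct User {
        uint256 balance;      // credited in the program's own unit
        uint256 balanceUSDT;  // credited when the user paid in with USDT
        uint256 balanceUSDC;  // credited when the user paid in with USDC
    }

    mapping(address => User) public users;
    IERC20 public immutable payoutToken;

    constructor(IERC20 token) {
        payoutToken = token;
    }

    /// buy(): pulls `amount` from the caller and credits the USDC column,
    /// the column the attacker inflated before exiting.
    function buy(uint256 amount) external {
        require(payoutToken.transferFrom(msg.sender, address(this), amount), "pull failed");
        users[msg.sender].balanceUSDC += amount;
    }

    /// exitProgram(): settle the caller's position and pay it out.
    function exitProgram() external {
        uint256 amount = _withdrawAll(msg.sender);
        require(payoutToken.transfer(msg.sender, amount), "payout failed");
    }

    function _withdrawAll(address who) internal virtual returns (uint256);
}

contract VulnerableExitProgram is ExitProgramBase {
    constructor(IERC20 token) ExitProgramBase(token) {}

    /// BUG: the payout sums all three columns but only `balance` is cleared.
    /// balanceUSDT and balanceUSDC survive the call, so every later
    /// exitProgram() pays the stablecoin part out again.
    function _withdrawAll(address who) internal override returns (uint256 amount) {
        User storage u = users[who];
        amount = u.balance + u.balanceUSDT + u.balanceUSDC;
        u.balance = 0;
    }
}

contract FixedExitProgram is ExitProgramBase {
    constructor(IERC20 token) ExitProgramBase(token) {}

    /// FIX: every field that feeds the payout is cleared before exitProgram()
    /// performs the transfer (checks-effects-interactions), so a repeat call
    /// reverts because there is nothing left to pay.
    function _withdrawAll(address who) internal override returns (uint256 amount) {
        User storage u = users[who];
        amount = u.balance + u.balanceUSDT + u.balanceUSDC;
        require(amount > 0, "nothing to withdraw");
        delete users[who]; // zeroes all three columns in one statement
    }
}
```

The invariant worth testing in an audit is that after exitProgram() every field that contributed to the payout reads zero; a unit test that calls exitProgram() twice and expects the second call to revert catches this whole class of partial-reset bugs.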
Vestra | Amount Lost: $500K
On December 4th, the Vestra exploit on Ethereum mainnet resulted in a $500K loss. The root cause was the unStake() function, which never checked whether a staking position was still active before paying out yield, so yield could be claimed from a position that had already been unstaked. The setup began a month earlier, when the attacker staked 500,000 VSTR to earn yield after the lock period. Once the lock expired, the attacker called unStake() and received the 500,000 VSTR principal plus 20,000 VSTR in yield. Because of the missing isActive check, the attacker then kept calling unStake() on the same position and received a further 20,000 VSTR (4% of the stake) on every call. To avoid draining the staking pool, the exploiter deployed fresh contracts that each staked another 500,000 VSTR, keeping the pool's total balance intact while the logic flaw was exploited repeatedly.
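The missing-check pattern, reconstructed as an added example (not Vestra's contract). Only the defect itself, that unStake() never checks whether the position is still active, comes from the write-up; the Position struct, the 30-day lock, the 4% fixed yield, the principalPaid bookkeeping used to mirror "principal once, yield on every call", and the reward reserve in the fixed version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the Vestra flaw, not Vestra's code. The struct
// layout, lock period, yield rate and principal bookkeeping are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingVulnerable {
    struct Position {
        uint256 amount;       // staked principal, still used by the yield formula
        uint256 unlockAt;     // end of the lock period
        bool isActive;        // set on stake, meant to be cleared on unstake
        bool principalPaid;   // assumed bookkeeping: principal paid once, yield repeatedly
    }

    IERC20 public immutable vstr;
    uint256 public constant LOCK = 30 days;
    uint256 public constant YIELD_BPS = 400; // 20,000 on 500,000 VSTR = 4% (assumed fixed rate)
    mapping(address => Position) public positions;

    constructor(IERC20 token) {
        vstr = token;
    }

    function stake(uint256 amount) external {
        require(!positions[msg.sender].isActive, "already staked");
        require(vstr.transferFrom(msg.sender, address(this), amount), "pull failed");
        positions[msg.sender] = Position(amount, block.timestamp + LOCK, true, false);
    }

    /// BUG: no `require(p.isActive)` and the position is never invalidated.
    /// The principal goes out once, but `amount` stays in storage, so each
    /// further call pays the 4% yield again.
    function unStake() external {
        Position storage p = positions[msg.sender];
        require(block.timestamp >= p.unlockAt, "locked");
        uint256 yieldAmt = p.amount * YIELD_BPS / 10_000;
        uint256 principal = p.principalPaid ? 0 : p.amount;
        p.principalPaid = true;
        require(vstr.transfer(msg.sender, principal + yieldAmt), "payout failed");
    }
}

contract StakingFixed {
    struct Position {
        uint256 amount;
        uint256 unlockAt;
        bool isActive;
    }

    IERC20 public immutable vstr;
    uint256 public constant LOCK = 30 days;
    uint256 public constant YIELD_BPS = 400;
    uint256 public rewardReserve; // yield is paid from funded rewards, never from other stakers' principal
    mapping(address => Position) public positions;

    constructor(IERC20 token) {
        vstr = token;
    }

    function fundRewards(uint256 amount) external {
        require(vstr.transferFrom(msg.sender, address(this), amount), "pull failed");
        rewardReserve += amount;
    }

    function stake(uint256 amount) external {
        require(!positions[msg.sender].isActive, "already staked");
        require(vstr.transferFrom(msg.sender, address(this), amount), "pull failed");
        positions[msg.sender] = Position(amount, block.timestamp + LOCK, true);
    }

    /// FIX: check the flag, clear the whole position before the transfer
    /// (checks-effects-interactions), and draw yield only from the reserve.
    function unStake() external {
        Position storage p = positions[msg.sender];
        require(p.isActive, "position not active");
        require(block.timestamp >= p.unlockAt, "locked");
        uint256 yieldAmt = p.amount * YIELD_BPS / 10_000;
        require(rewardReserve >= yieldAmt, "rewards exhausted");
        uint256 payout = p.amount + yieldAmt;
        rewardReserve -= yieldAmt;
        delete positions[msg.sender]; // amount, unlockAt and isActive all reset
        require(vstr.transfer(msg.sender, payout), "payout failed");
    }
}
```

The reward reserve is the second line of defence: even if a future change reintroduced a repeat-payout path, yield could only ever be paid from tokens explicitly funded for that purpose, so the principal of other stakers (the pool balance the attacker was careful to keep intact) could not be used to cover it.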
BYC Token | Amount Lost: $100K
On December 3rd, the BYC token exploit on BSC resulted in a $100K loss through price manipulation. The root cause was that the attacker could call autoBurnLiquidity() to burn BYC tokens, reducing the total supply and artificially increasing the token price; the attacker then sold BYC at the inflated price for profit. Any publicly callable function that changes a token's supply or a pool's reserves is a price lever for whoever calls it, and needs access control, a per-call cap and a cooldown so that it cannot be triggered inside an attacker's own trade.
Exploited Contract (on BNB): 0x9a69eb74060e2808344ac35bb5825051b89bbe76
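The buy, burn, sell sequence modelled end to end as an added example (not BYC's code). The write-up only says that a reachable autoBurnLiquidity() let the attacker burn supply and raise the price before selling; the constant-product pair, the "burn a share of the pair's BYC balance, then sync()" mechanics, the reserve sizes and the limits in the hardened variant are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model of the BYC-style price play, not BYC's code. The pair,
// the burn-then-sync mechanics and all limits below are assumptions.

contract BycLike {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public pair;

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    function setPair(address p) external { pair = p; } // demo only, no access control

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    /// BUG: anyone can burn `bps` basis points of the BYC held by the pair and
    /// force a reserve update. reserveByc shrinks while reserveQuote stays the
    /// same, so the spot price jumps for whoever calls this mid-trade.
    function autoBurnLiquidity(uint256 bps) external virtual {
        uint256 amount = balanceOf[pair] * bps / 10_000;
        balanceOf[pair] -= amount;
        totalSupply -= amount;
        MiniPair(pair).sync();
    }
}

/// Hardened variant: owner-only, capped and rate-limited, so no external
/// caller can move the pool's reserves inside their own transaction.
contract BycHardened is BycLike {
    address public immutable owner;
    uint256 public lastBurn;

    constructor(uint256 supply) BycLike(supply) { owner = msg.sender; }

    function autoBurnLiquidity(uint256 bps) external override {
        require(msg.sender == owner, "not owner");
        require(bps <= 100, "max 1% per burn");
        require(block.timestamp >= lastBurn + 1 days, "cooldown");
        lastBurn = block.timestamp;
        uint256 amount = balanceOf[pair] * bps / 10_000;
        balanceOf[pair] -= amount;
        totalSupply -= amount;
        MiniPair(pair).sync();
    }
}

/// Minimal x*y=k pair with no fee; the quote asset is plain accounting units.
contract MiniPair {
    BycLike public immutable byc;
    uint256 public reserveByc;
    uint256 public reserveQuote;

    constructor(BycLike _byc) { byc = _byc; }

    /// Seed liquidity: transfer BYC to this contract first, then call with quote.
    function seed(uint256 quoteIn) external { reserveQuote += quoteIn; sync(); }

    function sync() public { reserveByc = byc.balanceOf(address(this)); }

    /// Spot price in quote units per BYC, scaled by 1e18.
    function price() external view returns (uint256) { return reserveQuote * 1e18 / reserveByc; }

    function buy(uint256 quoteIn, address to) external returns (uint256 out) {
        out = reserveByc - (reserveByc * reserveQuote) / (reserveQuote + quoteIn);
        reserveQuote += quoteIn;
        require(byc.transfer(to, out), "transfer failed");
        sync();
    }

    /// Transfer `bycIn` BYC to the pair first, then call to receive quote.
    function sell(uint256 bycIn) external returns (uint256 out) {
        out = reserveQuote - (reserveByc * reserveQuote) / (reserveByc + bycIn);
        reserveQuote -= out;
        sync();
    }
}

/// Buy, burn the pool's BYC, sell back: quoteOut exceeds quoteIn when the burn is public.
contract Attacker {
    function run(BycLike byc, MiniPair pair, uint256 quoteIn, uint256 burnBps) external returns (uint256 quoteOut) {
        uint256 got = pair.buy(quoteIn, address(this));
        byc.autoBurnLiquidity(burnBps);           // reverts against BycHardened
        require(byc.transfer(address(pair), got), "transfer failed");
        quoteOut = pair.sell(got);
    }
}
```

To run it: deploy BycLike, deploy MiniPair with it, setPair(), transfer part of the supply to the pair and call seed() with a matching quote amount, then call Attacker.run() with a buy size and a burn in basis points. With equal reserves on both sides, a buy followed by a 50% burn and an immediate sell returns more quote than was paid in; the same run against BycHardened reverts at the burn, which is the property an audit should check for every supply- or reserve-changing entry point.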
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on Ethereum mainnet resulted in an $8 million loss due to compromised private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract, then created a second malicious contract and moved 1,001 ETH into it. Huobi has since stated that it has identified the attacker and has offered a 5% white-hat bounty if the funds are returned to the exchange.