Bitcoin.org Compromised

Bitcoin.org greeted visitors with a pop-up window saying that “the Bitcoin Foundation is giving back to the community” as a gesture to “support our users who have helped us along the years.”

The message included a QR code with a Bitcoin address that users were invited to send coins, after which they would receive twice the amount.

The rest of the website’s functionality at the time was limited so that users couldn’t get past the message.

While the exact way the hackers managed to compromise Bitcoin.org remains unclear, Cøbra suggested that attackers exploited a flaw in the DNS configuration after the website moved to Cloudflare two months ago.

https://t.co/OsFgRFRRZb hasn't been hacked, ever. And then we move to Cloudflare, and two months later we get hacked.

More scams: SpaceX & Apple Event Crypto Scam

Compound Bug Causes Excess Rewards

A community-led (but professionally checked) proposal contained a bug which allowed for the distribution of ~$80M in excess COMP rewards.

Starting from ~22:20 UTC on Sep 29th, certain users could claim rewards that they had not earned.

Like an “infinite mint” bug but not quite as deadly: the damage done was indirect.

The only victims were COMP token holders, who temporarily suffered faster dilution than they expected.

pNetwork $12 Million Hack

An unknown hacker has exploited a bug in pNetwork’s codebase to steal 277 Bitcoin from the protocol's bridge on Binance Smart Chain.

“To the black hat hacker. Although this is a long shot, we're offering a clean $1,500,000 bounty if funds are returned. Finding vulnerabilities is part of the game unfortunately, but we all want DeFi ecosystem to continue growing, returning funds is a step in that direction,” pNetwork tweeted.

The attacker funded their 0x2bf5693dd3a5cea1139c4510fdce120cf042c934 account by withdrawing BNB tokens from Binance ( https://bscscan.com/tx/0x23db0ee27e10517dea0659a743fd6df92d482ad6796851c71127e5049e7bbd88 ) and then used the account to deploy a set of smart contracts specifically crafted to abuse the peg-out instructions the pNetwork nodes look for.

These smart contracts created a series of event logs: one of them a legitimate peg-out request, the others faulty peg-out requests emitted by the attacker’s smart contracts rather than by the pToken contracts.

Due to a bug in the section of the Rust code in charge of extracting these log events, both the legitimate and the faulty logs were extracted and erroneously processed.
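
The extraction flaw described above, as an added illustration that is not pNetwork's actual code: a filter that selects peg-out logs by event signature alone accepts look-alike logs from any contract, while one that also checks the emitting address keeps only the genuine pToken log. The topic hash, addresses and log contents are constructed placeholders.

```rust
// Added example (not pNetwork's code): filtering peg-out event logs by the
// emitting contract as well as by event signature. All addresses, the topic
// hash and the log data below are constructed stand-ins.

#[derive(Debug, Clone, PartialEq)]
pub struct Log {
    pub address: [u8; 20],     // contract that emitted the log
    pub topics: Vec<[u8; 32]>, // topics[0] is the event signature hash
    pub data: Vec<u8>,
}

/// Constructed stand-in for the keccak256 hash of the peg-out event signature.
pub const PEG_OUT_TOPIC: [u8; 32] = [0xAA; 32];
/// Constructed stand-in for the address of the genuine pToken contract.
pub const PTOKEN_ADDRESS: [u8; 20] = [0x11; 20];

/// Flawed pattern: accepts any log carrying the peg-out signature,
/// regardless of which contract emitted it.
pub fn extract_peg_outs_by_topic_only(logs: &[Log]) -> Vec<Log> {
    logs.iter()
        .filter(|l| l.topics.first() == Some(&PEG_OUT_TOPIC))
        .cloned()
        .collect()
}

/// Hardened: the log must be emitted by the trusted pToken contract *and*
/// carry the peg-out signature; logs from other contracts are dropped.
pub fn extract_peg_outs(logs: &[Log], trusted: &[u8; 20]) -> Vec<Log> {
    logs.iter()
        .filter(|l| l.address == *trusted && l.topics.first() == Some(&PEG_OUT_TOPIC))
        .cloned()
        .collect()
}

/// Constructed sample: one genuine peg-out plus two look-alikes emitted by
/// other contracts in the same transaction, all sharing the event signature.
pub fn sample_logs() -> Vec<Log> {
    let mk = |addr: u8, data: u8| Log {
        address: [addr; 20],
        topics: vec![PEG_OUT_TOPIC],
        data: vec![data; 32],
    };
    vec![mk(0x11, 1), mk(0x22, 2), mk(0x33, 3)]
}

fn main() {
    let logs = sample_logs();
    println!("topic-only filter: {} peg-outs", extract_peg_outs_by_topic_only(&logs).len());
    println!("address+topic filter: {} peg-outs", extract_peg_outs(&logs, &PTOKEN_ADDRESS).len());
}
```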

VeeFinance $34 million Hack

As AVAX rises in popularity, its crime rates increase accordingly. This is the second substantial loss on the Avalanche network this month.

The main cause of the incident was that, when an order for leveraged trading was created, the oracle used only the price of the Pangolin pool as its price feed, and it refreshed its price whenever the pool price fluctuated by more than 3%. This let the attacker manipulate the Pangolin pool price and, through it, the price reported by the Vee Finance oracle. In addition, the price retrieved from the oracle was not adjusted for token decimals, so the slippage check expected to run before the swap did not work.

  1. The oracle has a single source of price feed, and its refresh condition depends on the real-time token balances of the Pangolin pool (a 3% fluctuation in the pool price triggers a refresh).
  2. The retrieved price is not adjusted for token decimals.

Safepal Wallet