$1M Stolen in Base Blockchain Exploit

Altcoinbuzz, 2024/10/28 21:11
By: Camille Lemmens, Aidan

DeFi smart contracts on Base saw a blockchain exploit to the tune of $993,000. The attacker used a flash loan and exploited smart contracts.

Once more, the crypto sector experienced a hack. This time, the Base blockchain was the target of hackers’ attention.

The attacker managed to get away with an initial $994,500, followed by another $455k. Once more, a DeFi protocol was hacked. Security firm Cyvers Alerts was the first to report this blockchain exploit. So, let’s look closely at this blockchain exploit on Base.

Here’s What Happened During the Blockchain Exploit on Base

At the core of this blockchain exploit on Base was a smart contract vulnerability. The affected contracts were WETH, or Wrapped Ether, smart contracts. The attacker managed to influence the WETH price and drained the funds. That’s how he got his hands on the initial $993,000. The attacker then siphoned another $455k in a few more exploits. In total, the attack lasted a couple of hours.

🚨ALERT🚨Our system detected multiple suspicious transactions involving unverified lending contracts on #Base a few hours ago.

The attacker initially made a suspicious transaction, gaining approximately $993K from these unverified contracts. Most of these tokens were swapped and… pic.twitter.com/FRo5gVhxCc

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) October 25, 2024

The price oracle used for this WETH was also vulnerable. It relied on a single trading pair with only $400k in liquidity, which made it prone to price swings. In other words, the attacker could easily manipulate it. And so he did, with a flash loan attack. A flash loan is a loan where you don’t need collateral. That’s because you pay back the borrowed amount within the same transaction.

Once the initial $993k was in the attacker’s wallet, he transferred it to the Ethereum network. From there, he funneled $202.5k to Tornado Cash. This is a privacy-centered service, aka a tumbler. An easy explanation is that its input comes from various wallets. Once it has tumbled the various assets, the output can no longer be traced back to a specific input.

Since August 2022, Tornado Cash has been illegal to use in the US for US citizens, residents, or companies. Tumblers are great tools to keep your business transactions private. Unfortunately, they’re also often used by money launderers. The picture below shows a part of the apparent attacker’s wallet.

[Image: part of the apparent attacker’s wallet]

Source: Basescan

Calls for Stronger Security Measures in DeFi

There are plenty of calls for stronger security measures in DeFi protocols. Some options are, for instance:

  • Cut single points of failure. Make use of various decentralized oracles from different sources. If one fails, the others will still work and provide correct data.
  • Decentralized oracles are harder for attackers to manipulate than centralized oracles.
  • Make use of cryptographic proofs. These are mathematical algorithms. They can prove whether statements are legit.
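
The single-pair weakness and the multi-oracle mitigation described above can be put into numbers. The sketch below is an added illustration, not code from Altcoin Buzz, Cyvers, or the affected contracts. It assumes constant-product pools without fees; only the $400k liquidity figure comes from the article, while the $2,500 WETH price, the two deep pools, and all function names are constructed for the example.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Pool:
    """Constant-product pool (weth * usdc = k); swap fees ignored."""
    weth: float
    usdc: float

    def spot_price(self) -> float:
        return self.usdc / self.weth  # USDC per WETH

    def after_buying_weth(self, usdc_in: float) -> "Pool":
        k = self.weth * self.usdc
        new_usdc = self.usdc + usdc_in
        return Pool(weth=k / new_usdc, usdc=new_usdc)


def single_pair_oracle(pool: Pool) -> float:
    """The weak design: trust one pool's instantaneous price."""
    return pool.spot_price()


def aggregated_oracle(pools, max_deviation=0.02) -> float:
    """Median of independent sources; fail closed if they disagree."""
    quotes = [p.spot_price() for p in pools]
    mid = median(quotes)
    agreeing = [q for q in quotes if abs(q - mid) / mid <= max_deviation]
    if len(agreeing) * 2 <= len(quotes):
        raise ValueError("price sources disagree; refusing to quote")
    return median(agreeing)


# Constructed sample data: $2,500 per WETH is an assumed price.
THIN = Pool(weth=80, usdc=200_000)            # ~$400k liquidity, as in the article
DEEP_A = Pool(weth=40_000, usdc=100_000_000)  # hypothetical deep pool
DEEP_B = Pool(weth=20_000, usdc=50_040_000)   # hypothetical deep pool

if __name__ == "__main__":
    skewed = THIN.after_buying_weth(1_000_000)  # one large borrowed-capital swap
    print("single pair before:", single_pair_oracle(THIN))
    print("single pair after: ", round(single_pair_oracle(skewed)))
    print("aggregated after:  ", aggregated_oracle([skewed, DEEP_A, DEEP_B]))
```

With only two sources, one of them skewed, no majority agrees and `aggregated_oracle` raises instead of returning a price, which is the behaviour a lending contract wants from its price feed.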

Conclusion

DeFi smart contracts on Base saw a blockchain exploit to the tune of $993,000. The attacker used a flash loan to exploit smart contract vulnerabilities. There was also a single point of failure in play, with a weak oracle. As a result, there are calls to make DeFi more secure.

Disclaimer

The information discussed by Altcoin Buzz is not financial advice. This is for educational, entertainment and informational purposes only. Any information or strategies are thoughts and opinions relevant to accepted levels of risk tolerance of the writer/reviewers, and their risk tolerance may be different from yours.

We are not responsible for any losses that you may incur as a result of any investments directly or indirectly related to the information provided. Bitcoin and other cryptocurrencies are high-risk investments, so please do your due diligence.

Copyright Altcoin Buzz Pte Ltd.
