Crypto Projects Record Over $8M Worth Of Exploits In One Week

The past week witnessed a series of significant thefts within the NFT sector, impacting users of both Flooring Protocol and NFT Trader, resulting in total losses exceeding $8 million across various cryptocurrency and NFT projects.

These losses included the Stoic DAO rug pull, one of the biggest exit frauds, although other analysts think it was a hacking attempt. The overall losses incurred by Bitcoin and NFT projects between December 10 and December 16, per data from Web3 security firm SlowMist, was $8.43M.

Flooring Protocol’s Significant Loss

SlowMist’s weekly incident report highlighted the loss of NFTs from Flooring Protocol. This NFT platform facilitates the fractionalization of NFTs in return for fungible µTokens.

Numerous reports state that Flooring Protocol lost 14 bored apes and 36 puffy penguins, worth between $1.60 million and $1.68 million. A software engineer at Flooring Lab, with the pseudo-name FreeLunchCapital, said the vulnerability was affecting a multi-call or peripheral contract.

However, sources familiar with the matter state that the main contract remains secure in vaults. FreeLunchCapital expressed their readiness on X to work with the exploiter and devise a plan to return the stolen funds, encouraging the exploiter to start a conversation with them.

Accordingly, the Flooring Protocol team has reached out to the exploiter in an attempt to resolve the situation.

Measures For Enhancing Security

The day before the Flooring Protocol was taken down by the malicious actor, NFT Trader, a provider of trading infrastructure and solutions, reported a network breach. The team disclosed that in their previous two smart contracts, a third party managed to run a harmful code.

The NFT Trader team recommended users enhance security by utilizing the “revoke(.)cash code or similar tools after finalizing a transaction on any platform” and use a cold wallet as intended, without engaging with any smart contract. In a statement it released on X, the team confirmed that it has put in place all the required safeguards to avoid such incidents in the future.

Users with outdated permissions were vulnerable to the exploit, even though some claim that rescinding consent for the NFT Trader contract may have stopped the theft.

Other Notable Attacks

The Ledger Connect Kit Supply Chain Attack was another noteworthy attack that impacted the community last week. SlowMist claims that the infamous scam seller Angel Drainer was behind it.

The December 14 compromise was carried out via a social engineering attack on the NPMJS account of a former employee of Ledger. As a result, the hacker exploited the Ledger Connect Kit versions 1.1.5, 1.1.6, and 1.1.7.

The exploit resulted in the theft of at least $600,000. It impacted the functionality of other dApps linked to Ledger, including SushiSwap, Balancer, and Zapper.

Meanwhile, PeckShield, another cybersecurity firm, reports that OKX DEX lost $2.76 million. Security reports about the exploit indicate that the update that included a new implementation contract and permitted direct execution of the DEX contract’s claimTokens function was the main source of the issue.

SlowMist also mentioned the Peapods Finance hack in its weekly security report. However, the project team later deemed the attack to be white hat because 90% of the lost money was purportedly recovered.

Furthermore, the security report highlighted the Venus Protocol oracle attack, which affected a small independent pool, showcasing how decentralized protocols can be vulnerable to problems related to oracles.