This Week In Crypto Security Incidents: Scam, DeFi Exploits, And A Multi-token Vulnerability

0
CryptoMode Security Incidents

Security issues continue to run rampant in the cryptocurrency world. Over the past week, several hacks, exploits, and vulnerabilities have been identified. The following four incidents all confirm users need to tread with caution at all times when exploring new projects, primarily in decentralized finance and NFTs. 

LiyepLimal (Scam)

As the CertiK team points out, there are still plenty of outright scams in the cryptocurrency industry today. One such project is Lyeplimal, a venture claiming to provide a legitimate cryptocurrency MLM scheme. Although a multi-level matrix is an honest marketing approach, the cryptocurrency versions almost always turn into a scam at some point. 

It would appear Liyeplimal is going the OneCoin route. More specifically, it is not only a scam, but the project is also in the crosshairs of financial regulators worldwide. No action has been taken yet, yet the LimocoinSwap and SimbCoin tokens are best avoided for the time being. Neither of these projects will make it to Binance despite vehement claims by the CEO of Liyeplimal. 

MekaMiners (Smart Contract Exploit)

There was much excitement regarding Mekaminers, an NFT game on the BNB chain combining art and gaming. The game launched on February 23rd and was forced to shut down within the day. An issue affecting the smart contracts deployed for MekaMiners has become apparent, crashing the native token’s price to near zero. Moreover, over 127,000 $MEKA tokens were sold for 641 WBNB, raising many questions.

The MekaMiners team claims they had its code audited by Solidity Finance. A loss of $254,000 is a significant setback, although it remains unclear what made the exploit possible in the first place. Moreover, it raises questions regarding Solidity Finance’s process of performing security audits. Even so, an audit does not mean there is a 0% chance of exploiting code, as there is no foolproof solution where smart contracts are concerned. 

Flurry Finance (Malicious Token Contract)

Decentralized finance projects remain a keen target for hackers and other criminals. Flurry Finance, an automatic yield generating protocol, suffered from a Vault contract attack. The culprits stole roughly $293,000 in various crypto assets by deploying a malicious token contract. Moreover, they opened a Pancakeswap trading pair for the fake token and BUSD, allowing them to acquire a flash loan and execute a strategy/liquidate method. 

Interestingly, this flash loan attack is not the result of an issue with the Flurry Finance code or its overall security. Instead, the culprit took advantage of external dependencies to manipulate the multiplier for Rho Tokens after a Vault rebase. The multiplier determines the Rho Token balance, allowing the attacker to withdraw more tokens from the Vault than they were entitled to. Unfortunately, the culprit was able to repeat this process multiple times. 

SGirl, Moon, And STiger (Shared Vulnerability)

One of the worst-case scenarios is seeing multiple tokens share a crucial security vulnerability. That is the downside of letting everyone create tokens and introduce them to decentralized exchanges through trading pairs right away. Three tokens, named SGirl, Moon, and STiger, all trade on Pancakeswap. It seems fair to assume they share the same developer, as the security vulnerability is found in all three projects.

The attacked took out a flash loan and swapped it to vulnerable tokens to call the “transferFrom” function. Due to a bug, the attacked could transfer tokens from the LPO n Pancakeswap to the token contract, inflating the price of these tokens. Selling the vulnerable tokens at a higher price yielded a good profit, allowing the attacker to acquire over 37 BNB (over $11,000).  


CryptoMode produces high quality content for cryptocurrency companies. We have provided brand exposure for dozens of companies to date, and you can be one of them. All of our clients appreciate our value/pricing ratio. Contact us if you have any questions: conta[email protected] None of the information on this website is investment or financial advice. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website by its authors or clients. No reviews should be taken at face value, always conduct your research before making financial commitments.