Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct

Published at: April 22, 2022

In a rare comedic bungle among decentralized finance (DeFi) exploits, an attacker has fumbled their heist at the finish line, leaving behind over $1 million in stolen crypto.

Just after 8:00 am UTC on Thursday, blockchain security and analytics firm BlockSec shared it had detected an attack on a little-known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem.”

The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens. These were then sold, crashing the price to zero but netting just over $1 million for the exploiter.

Blockchain analytics firm PeckShield noted the stolen crypto was transferred to an “attack contract,” a smart contract that executes the exploit quickly and automatically.

#PeckShieldAlert It appears that @zeedcommunity suffered an exploit. The exploiter gained ~$1m. The gains currently sit in the attack contract. https://t.co/bSHHGM623Q @peckshield https://t.co/jXVj0oGI8B

— PeckShieldAlert (@PeckShieldAlert) April 21, 2022

However, the attacker was apparently so excited by the successful heist that they forgot to transfer over $1 million worth of stolen crypto out of their attack contract before they set it to self-destruct, which means the funds can never be moved again. The loss is permanent and irreversible.

Interesting. The hacker kills the contract, but forgets to transfer the profit. https://t.co/HbS2fiztuc https://t.co/uApZyK8Uym pic.twitter.com/FwpZweNLHU

— PeckShield Inc. (@peckshield) April 21, 2022

Using a blockchain scanner to view the attack contract address shows that $1,041,237.57 worth of BSC-USD Binance-Peg token is forever stuck in the contract. The successful self-destruction of the contract was confirmed at 7:15 am UTC on Thursday.
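Why the tokens stay stuck can be shown with a small model. This is an added example, not code from the article or from the contracts involved. It assumes the self-destruct semantics in effect at the time (the contract's code is removed and only its native-coin balance is forwarded), and its addresses, amounts and class names are constructed placeholders.

```python
# Simplified model, constructed for illustration (not real chain data).
class Token:
    """BEP-20-style ledger: balances are entries in the token's own storage."""
    def __init__(self):
        self.balances = {}

    def transfer(self, msg_sender, to, amount):
        if self.balances.get(msg_sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[msg_sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Chain:
    def __init__(self):
        self.native = {}  # address -> native coin balance
        self.code = {}    # address -> contract logic; missing key = no code

    def call(self, address, *args):
        """A call to an address without code executes nothing."""
        logic = self.code.get(address)
        return logic(*args) if logic else None

    def selfdestruct(self, address, beneficiary):
        """Assumed semantics: forward the native balance, delete the code.
        Token ledgers are separate contracts and are left untouched."""
        swept = self.native.pop(address, 0)
        self.native[beneficiary] = self.native.get(beneficiary, 0) + swept
        self.code.pop(address, None)

def run_scenario(sweep_tokens_first):
    chain, token = Chain(), Token()
    contract, owner = "0xCONTRACT", "0xOWNER"  # placeholder addresses
    chain.native[contract] = 5
    token.balances[contract] = 1_000_000
    # Only the contract's code can call transfer() with the contract as
    # msg.sender; no private key exists for a contract address.
    chain.code[contract] = lambda to, amt: token.transfer(contract, to, amt)
    if sweep_tokens_first:
        chain.call(contract, owner, 1_000_000)
    chain.selfdestruct(contract, owner)
    chain.call(contract, owner, 1_000_000)  # after destruction: a no-op
    return {
        "owner_native": chain.native.get(owner, 0),
        "owner_tokens": token.balances.get(owner, 0),
        "stranded_tokens": token.balances.get(contract, 0),
        "contract_has_code": contract in chain.code,
    }
```

With `sweep_tokens_first=False` the token ledger still credits the destroyed address, and nothing remains that can authorize a transfer from it. The same applies to any contract with a self-destruct path that holds tokens: token balances have to be swept before the code is removed.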

It’s one of the more bizarre turns of events since the Polygon hacker did an Ask Me Anything using embedded messages on Ether (ETH) transactions after stealing $612 million from the protocol in August 2021. The question and answer session revealed the attacker hacked “for fun” and thought “cross-chain hacking is hot.”

This latest hack is on the smaller end in terms of the amount stolen. Other DeFi protocol hacks have seen hundreds of millions siphoned off, as with the recent Ronin bridge hack, where attackers made off with over $600 million.

Other notable DeFi exploits include the $80 million worth of crypto stolen from Qubit Finance in January, where attackers tricked the protocol into believing they had deposited collateral, allowing them to mint an asset representing bridged crypto.

DeFi marketplace Deus Finance was exploited in March when hackers manipulated the price feed of a pair of stablecoins, resulting in the insolvency of user funds and netting the hackers over $3 million.
