This Week's Security News: Metawin Casino’s $4M Exploit, ScamSniffer Reports $20.2M Stolen by Phishing Scam
Metawin Casino’s $4M Exploit Sparks Security Concerns Over "Frictionless Withdrawal" Method by The Block
Metawin casino recently suffered a $4 million exploit when hackers breached its "frictionless withdrawal system," draining tokens from hot wallets on Ethereum and Solana. This system, intended to provide seamless user transactions, became an entry point for attackers, who used it to bypass standard security checks and withdraw large sums undetected.
Metawin CEO Richard "Skel" Skelhorn stated that the stolen funds have since been backfilled, and law enforcement has been contacted. Blockchain investigator ZachXBT linked the stolen assets to 115 addresses, with portions of the funds transferred to KuCoin and HitBTC, suggesting a well-coordinated, technically skilled attack.
Metawin temporarily disabled withdrawals but has now restored access, assuring users of enhanced security measures to prevent future breaches. To further mitigate risks in similar environments, platforms can implement several key precautions around automated withdrawal systems.
Rate limiting and withdrawal caps could restrict large, rapid transactions, while two-step authentication for high-value withdrawals would add an essential verification layer. Additionally, limiting hot wallet balances and using dedicated wallets for specific operations would minimize exposure to substantial losses. Enhanced monitoring and anomaly alerts would allow operators to detect and respond to unusual activity swiftly.
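The controls listed above can be combined into a single policy gate that sits in front of an automated payout path. The following is an added example, not Metawin's code; the thresholds, account names, hot-wallet balance and the sample withdrawal requests are constructed for illustration.

```python
"""Policy gate for an automated hot-wallet payout path: per-transaction cap,
rolling-window rate limit, hot-wallet reserve floor, anomaly alert and step-up
verification for high-value withdrawals.

Added example, not Metawin's code. The thresholds, account names and sample
requests below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class WithdrawalPolicy:
    per_tx_cap: float          # largest single payout the automated path may approve
    window_seconds: int        # rolling window used for rate limiting
    window_cap: float          # total payouts per account inside one window
    step_up_threshold: float   # above this a second verification factor is required
    hot_wallet_floor: float    # never let the hot wallet drop below this reserve
    anomaly_multiplier: float  # flag a request this many times the account's usual size


@dataclass
class WithdrawalGate:
    policy: WithdrawalPolicy
    hot_wallet_balance: float
    history: dict = field(default_factory=lambda: defaultdict(deque))  # account -> (ts, amount)
    alerts: list = field(default_factory=list)                          # (kind, account, amount)

    def _window_total(self, account, now):
        q = self.history[account]
        while q and q[0][0] <= now - self.policy.window_seconds:
            q.popleft()                       # drop entries that fell out of the window
        return sum(amount for _, amount in q)

    def _typical_size(self, account):
        q = self.history[account]
        return sum(amount for _, amount in q) / len(q) if q else None

    def evaluate(self, account, amount, now, second_factor_ok=False):
        """Return 'approve', 'hold' (manual review) or 'deny' for one request."""
        p = self.policy
        if amount <= 0:
            return "deny"
        if amount > p.per_tx_cap:
            return "hold"                     # too large for the automated path at all
        if self._window_total(account, now) + amount > p.window_cap:
            return "hold"                     # rate limit: many quick withdrawals
        if self.hot_wallet_balance - amount < p.hot_wallet_floor:
            self.alerts.append(("hot_wallet_floor", account, amount))
            return "hold"                     # top-up from cold storage is a separate, human step
        typical = self._typical_size(account)
        if typical and amount > typical * p.anomaly_multiplier:
            self.alerts.append(("anomalous_size", account, amount))
            return "hold"
        if amount > p.step_up_threshold and not second_factor_ok:
            return "hold"                     # high value: second factor required first
        self.history[account].append((now, amount))
        self.hot_wallet_balance -= amount
        return "approve"


# Constructed policy and request stream (account, amount, timestamp, second_factor_ok).
SAMPLE_POLICY = WithdrawalPolicy(per_tx_cap=10_000, window_seconds=3_600, window_cap=25_000,
                                 step_up_threshold=5_000, hot_wallet_floor=60_000,
                                 anomaly_multiplier=5.0)
SAMPLE_REQUESTS = [
    ("alice", 1_000, 0, False),
    ("alice", 1_200, 60, False),
    ("alice", 8_000, 120, True),      # ~7x alice's usual size -> anomaly alert, hold
    ("alice", 4_000, 180, False),     # under the step-up threshold -> approve
    ("mallory", 9_000, 200, True),
    ("mallory", 9_000, 260, True),
    ("mallory", 9_000, 300, True),    # third 9k inside one window -> over window cap
    ("eve", 20_000, 400, True),       # over the per-transaction cap
    ("eve", 9_000, 400, True),
    ("eve", 9_000, 460, True),        # would push the hot wallet under its floor
]


def run_sample():
    """Run the constructed stream; returns (decisions, alert kinds, remaining balance)."""
    gate = WithdrawalGate(SAMPLE_POLICY, hot_wallet_balance=100_000)
    decisions = [gate.evaluate(*req) for req in SAMPLE_REQUESTS]
    return decisions, [kind for kind, _, _ in gate.alerts], gate.hot_wallet_balance


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_sample()[0]):
        print(req, "->", decision)
```

The gate only ever returns "hold" for a suspicious request rather than silently paying; anything held goes to a human reviewer, and the hot-wallet floor alert is what tells operators it is time to move funds from cold storage through a separately approved process.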
This exploit highlights the tension between seamless user experience and robust security in crypto services, emphasizing the need for comprehensive protections to balance convenience and security. Metawin’s experience serves as a cautionary reminder of the importance of building resilient systems that can withstand sophisticated attacks.
October Phishing Report: $20.2M Lost to Crypto Scams Despite Fewer Losses per Incident by ScamSniffer
According to ScamSniffer's October report, approximately 12,000 victims lost $20.2 million to phishing scams, a 56% drop in stolen funds from September but a 20% increase in victim count. The largest single loss was a victim losing $5.87 million in fwDETH re-staking tokens on the Blast chain, which de-pegged DETH’s price because of limited liquidity.
Other notable cases include $2.3M in sDAI lost on Aave via Permit signature, $1.6M on Arbitrum through a malicious Permit, and $1M taken via Uniswap Permit2. Additionally, $800K was lost after EigenLayer’s X account was compromised, and a $723K supply chain attack was traced back to a compromised Lottie Player website.
The Inferno Drainer phishing service announced its shutdown, with its operations reportedly taken over by Angel Drainer. ScamSniffer recommends crypto platforms enhance user security by issuing clear warnings for high-risk signatures, improving readability of Permit approvals, and integrating ScamSniffer’s blocklist for flagged domains and addresses.
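The three recommendations map naturally onto a check a wallet can run before showing a signing prompt: normalise the EIP-712 message (EIP-2612 Permit, Permit2 PermitSingle or PermitBatch), turn it into plain language, and escalate the warning level for unlimited amounts, far-off expiries, unknown spenders and blocklisted addresses. The code below is an added example, not ScamSniffer's software; its blocklist, known-spender list, token metadata, fixed clock and sample requests are all constructed.

```python
"""Pre-signing risk check for EIP-712 token-approval requests (EIP-2612 Permit and
Uniswap Permit2), producing a plain-language summary plus warnings.

Added example, not ScamSniffer's code. The blocklist, known-spender list, token
metadata, the fixed clock and the sample requests are constructed.
"""
MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1            # Permit2 amounts are uint160, so this means "unlimited"
THIRTY_DAYS = 30 * 24 * 3600
FIXED_NOW = 1_730_000_000           # constructed clock so the example is deterministic

# Constructed lists; a wallet would load the published ScamSniffer blocklist instead.
BLOCKLIST = {"0x" + "b" * 40}
KNOWN_SPENDERS = {"0x" + "c" * 40}            # e.g. a DEX router the wallet already trusts
TOKEN_META = {"0x" + "a" * 40: (18, "DAI")}   # constructed token address -> (decimals, symbol)

_RANK = {"low": 0, "high": 1, "block": 2}


def _escalate(current, new):
    return new if _RANK[new] > _RANK[current] else current


def _short(addr):
    return addr[:6] + "..." + addr[-4:]


def _approvals(typed_data):
    """Normalise the three approval message shapes into (spender, [(token, amount, expiry)])."""
    ptype, msg = typed_data["primaryType"], typed_data["message"]
    if ptype == "Permit":                         # EIP-2612: the token is the verifying contract
        token = typed_data["domain"]["verifyingContract"]
        return msg["spender"], [(token, int(msg["value"]), int(msg["deadline"]))]
    if ptype == "PermitSingle":                   # Permit2 single-token approval
        d = msg["details"]
        return msg["spender"], [(d["token"], int(d["amount"]), int(d["expiration"]))]
    if ptype == "PermitBatch":                    # Permit2 batch approval
        return msg["spender"], [(d["token"], int(d["amount"]), int(d["expiration"]))
                                for d in msg["details"]]
    return None, []


def assess_signature_request(typed_data, now=FIXED_NOW):
    """Return (risk_level, warnings, summary_lines); risk_level is 'low', 'high' or 'block'."""
    spender, approvals = _approvals(typed_data)
    if spender is None:
        return "low", [], [f"{typed_data['primaryType']} signature (not a token approval)"]
    spender = spender.lower()
    level, warnings, lines = "low", [], []

    if spender in BLOCKLIST or any(t.lower() in BLOCKLIST for t, _, _ in approvals):
        warnings.append("spender or token appears on the phishing blocklist")
        level = "block"
    elif spender not in KNOWN_SPENDERS:
        warnings.append(f"spender {_short(spender)} is not a contract this wallet recognises")
        level = _escalate(level, "high")

    for token, amount, expiry in approvals:
        decimals, symbol = TOKEN_META.get(token.lower(), (18, _short(token)))
        if amount >= MAX_UINT160:
            amount_text = f"UNLIMITED {symbol}"
            warnings.append(f"unlimited {symbol} allowance requested")
            level = _escalate(level, "high")
        else:
            amount_text = f"{amount / 10**decimals:,.4f} {symbol}"
        if expiry >= now + THIRTY_DAYS:
            warnings.append(f"{symbol} allowance would stay valid for more than 30 days")
            level = _escalate(level, "high")
        if expiry >= now + 100 * 365 * 86400:
            valid_text = "with no practical expiry"
        else:
            valid_text = f"for the next {(expiry - now) / 86400:.1f} days"
        lines.append(f"Allow {_short(spender)} to spend {amount_text} {valid_text}")
    return level, warnings, lines


_DAI_DOMAIN = {"name": "Dai Stablecoin", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "a" * 40}
SAMPLE_REQUESTS = {   # constructed signing requests
    "drainer_permit": {   # unlimited, never-expiring approval to an unknown spender
        "primaryType": "Permit", "domain": _DAI_DOMAIN,
        "message": {"owner": "0x" + "1" * 40, "spender": "0x" + "d" * 40,
                    "value": str(MAX_UINT256), "nonce": 0, "deadline": str(MAX_UINT256)}},
    "blocklisted_permit2": {   # Permit2 approval whose spender is on the blocklist
        "primaryType": "PermitSingle", "domain": {"name": "Permit2", "chainId": 1},
        "message": {"details": {"token": "0x" + "a" * 40, "amount": str(MAX_UINT160),
                                "expiration": FIXED_NOW + 86400, "nonce": 0},
                    "spender": "0x" + "b" * 40, "sigDeadline": FIXED_NOW + 1800}},
    "legit_permit": {   # 1,000 DAI to a known router, valid for 20 minutes
        "primaryType": "Permit", "domain": _DAI_DOMAIN,
        "message": {"owner": "0x" + "1" * 40, "spender": "0x" + "c" * 40,
                    "value": str(1_000 * 10**18), "nonce": 0, "deadline": FIXED_NOW + 1200}},
}


def assess_samples():
    return {name: assess_signature_request(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        level, warnings, lines = assess_signature_request(req)
        print(name, level, warnings, lines)
```

A "block" result should stop the prompt outright; a "high" result should show the plain-language summary and the warnings before the user can sign, since the Permit format itself never reveals that the value field means "everything you hold".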
CryptoBottle $527K Exploit Analysis by CertiK
In October 2024, CryptoBottle on Polygon was exploited three times, leading to combined losses of approximately $527K. The largest incident on October 24 involved an attacker bypassing a balance check in the swap() function to acquire a significant amount of NAS tokens, resulting in a $490K USDT drain. Following this breach, CryptoBottle temporarily suspended operations to improve security.
Breakdown of October Exploits:
- October 1: A $6K loss occurred due to missing access control in the withdrawUserLiquidity() function.
- October 22: An exploit on the CryptoCuvee contract enabled an attacker to buy and instantly extract all CryptoBottles, resulting in a $31K loss.
- October 24: The attacker set fixedPriceEnabled to True in the Navigator’s Advantage contract, allowing arbitrary swaps (e.g., 1 USDT for millions of NAS tokens) and draining $490K from the contract.
The attacker exploited two weaknesses: missing access control on fixedPriceEnabled, and a missing post-callback balance check of the kind flash swaps rely on. After switching on the fixed-price path, the attacker called mint() and performed arbitrary swaps; with no balance check enforcing payment, USDT could be drained from the contract.
Key Transactions:
- Attack contract creation: 0x1216c94053fb5c78e5a72ec49d594efb1a5f7380821ccb570bd7b588f09f5a54.
- Exploit transactions: Multiple transactions executed to swap and dump NAS tokens.
In October 2024, 21 incidents due to code vulnerabilities were reported, totaling $2.4M in losses—the second-highest cause of losses after phishing attacks. For comparison, October 2023 recorded 12 incidents and $1.5M in losses.
Projects can mitigate similar risks by enforcing rigorous access controls, performing regular smart contract audits, and ensuring balance checks in swap functions.
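The two missing checks, and how each one stops the pattern described above, can be shown with a small model. This is an added example written in Python, not CryptoBottle's Solidity; the reserve sizes, the fixed price, and the assumption that the fixed-price path mints fresh NAS to the buyer are all constructed for illustration.

```python
"""Swap with a flash-swap callback, modelled with the two checks the write-up
says CryptoBottle lacked: owner-only access to the fixed-price switch and a
post-callback balance check that enforces payment.

Added example in Python, not CryptoBottle's Solidity. Reserve sizes, the fixed
price, and minting NAS on the fixed-price path are constructed assumptions.
"""


class Unauthorized(Exception):
    pass


class InsufficientInput(Exception):
    pass


class FixedPricePool:
    def __init__(self, owner, usdt_reserve, nas_reserve, fixed_price,
                 guard_setter=True, check_balance=True):
        self.owner = owner
        self.usdt = float(usdt_reserve)          # USDT held by the pool
        self.nas = float(nas_reserve)            # NAS held by the pool
        self.fixed_price = fixed_price           # NAS per USDT on the fixed-price path (constructed)
        self.fixed_price_enabled = False
        self.guard_setter = guard_setter         # False reproduces the missing access control
        self.check_balance = check_balance       # False reproduces the missing post-callback check
        self.nas_balances = {}                   # account -> NAS held outside the pool

    def set_fixed_price_enabled(self, caller, enabled):
        # Hardened form: only the owner may flip the switch.
        if self.guard_setter and caller != self.owner:
            raise Unauthorized("fixedPriceEnabled may only be changed by the owner")
        self.fixed_price_enabled = enabled

    def receive_usdt(self, amount):
        self.usdt += amount

    def buy_nas(self, caller, nas_out, callback):
        """Flash-swap style purchase: hand out NAS first, let the caller's callback
        pay, then verify the USDT actually arrived, reverting if it did not."""
        snapshot = (self.usdt, self.nas, dict(self.nas_balances))
        usdt_before = self.usdt
        if self.fixed_price_enabled:
            required = nas_out / self.fixed_price                 # fixed-price path mints fresh NAS
        else:
            required = self.usdt * self.nas / (self.nas - nas_out) - self.usdt  # constant product
            self.nas -= nas_out
        self.nas_balances[caller] = self.nas_balances.get(caller, 0.0) + nas_out
        callback(self, required)
        received = self.usdt - usdt_before
        if self.check_balance and received < required:
            self.usdt, self.nas, self.nas_balances = snapshot      # revert the whole swap
            raise InsufficientInput(f"expected {required:.4f} USDT, received {received:.4f}")
        return required

    def sell_nas(self, caller, nas_in):
        held = self.nas_balances.get(caller, 0.0)
        if held < nas_in:
            raise ValueError("caller does not hold that much NAS")
        usdt_out = self.usdt - self.usdt * self.nas / (self.nas + nas_in)  # constant product
        self.nas += nas_in
        self.usdt -= usdt_out
        self.nas_balances[caller] = held - nas_in
        return usdt_out


def unpaid_swap_attempt(pool, caller="attacker", nas_amount=400_000):
    """Replay the pattern from the write-up against a pool: flip the switch, take
    NAS with a callback that pays nothing, then dump it. Returns (outcome, usdt_gained)."""
    try:
        pool.set_fixed_price_enabled(caller, True)
    except Unauthorized:
        return "blocked_by_access_control", 0.0
    try:
        pool.buy_nas(caller, nas_amount, lambda p, due: None)       # pays nothing
    except InsufficientInput:
        return "blocked_by_balance_check", 0.0
    return "drained", pool.sell_nas(caller, nas_amount)


if __name__ == "__main__":
    for label, kwargs in [("vulnerable", dict(guard_setter=False, check_balance=False)),
                          ("access control only", dict(check_balance=False)),
                          ("balance check only", dict(guard_setter=False))]:
        pool = FixedPricePool("owner", 500_000, 500_000, fixed_price=1_000_000, **kwargs)
        print(label, "->", unpaid_swap_attempt(pool))
```

Either check on its own stops the unpaid swap, but they protect different things: the owner check keeps the fixed-price mode from being switched on by an outsider at all, while the post-callback check keeps a flash swap honest even when that mode is legitimately enabled. The reverted state in the balance-check case (no NAS credited, reserves untouched) is the behaviour an audit should confirm for every swap path, not just the default one.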