This Week's Security News: Tapioca DAO Suffers $4.7M Theft, Eigenlayer Twitter hacked
Security 👾
- Dedaub launches "Security Suite", providing Ethereum-compatible decompilation, monitoring, verification, and transaction simulation for contract analysis and secure testing.
- Web3Builder news is supported in part by Dedaub
Tapioca DAO Suffers $4.7M Theft
Tapioca DAO suffered a $4.4 million loss on Arbitrum due to a private key compromise, leading to exploits of the TAP token vesting and the USDO stablecoin contracts. The attacker used the Emergency Rescue function to withdraw 30 million TAP tokens, swapping them for 591 ETH and causing TAP’s value to plummet by 97%. Additionally, the attacker minted quintillions of $USDO, draining funds through multiple exploit transactions.
Blockchain sleuths tracked the stolen assets as they moved to the BNB Chain. Tapioca initially offered a bounty, but soon after, with help from Seal911 and EnigmaDarkLabs, they managed to counter-hack the attacker and reclaim 1000 ETH into their DAO treasury. The incident highlights the evolving security risks in DeFi, with rumors linking the attack to North Korean state-sponsored hackers who delivered malware through fake job listings, a disturbing trend seen in recent hacks of other DeFi projects.
This latest incident underscores the critical need for robust key management and vigilant defense as DeFi remains an attractive target for sophisticated, organized cybercriminals.
SlowMist Alert on Eigenlayer Account Compromise
SlowMist has issued an alert regarding a security breach on Eigenlayer's official X account, warning users to avoid interacting with compromised sites. The affected domains include:
- claimed-eigenfoundation[.]org
- eligible-eigenfoundation[.]org
Users are advised to exercise caution and refrain from connecting wallets or sharing sensitive information on these sites. Fortunately, the account has now been restored, but vigilance remains crucial for user safety.
SlowMist: Compound Finance V2 Security Audit Manual
With the rapid growth of DeFi, Compound Finance V2 has emerged as a leading decentralized lending platform, but it faces significant security risks. This security audit guide delves into the architecture and potential vulnerabilities of Compound V2 and its forked projects. Key components, such as the Comptroller, cToken, InterestRateModel, and PriceOracle, are analyzed for flaws, including rounding loopholes, reentrancy vulnerabilities, price manipulation risks, and compatibility issues with ERC tokens.
The guide also emphasizes the importance of adapting to multi-chain deployments, ensuring compatibility across contract versions, and following secure practices like the Checks-Effects-Interactions (CEI) pattern. As Compound forks evolve, continuous audits are crucial to maintaining security and preventing exploits, such as the infamous Hundred Finance and Lodestar Finance hacks.
For developers, security researchers, and DeFi enthusiasts, this guide offers critical insights to identify and mitigate risks, ensuring safer lending platforms in the decentralized finance ecosystem.
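To make the Checks-Effects-Interactions point concrete, here is an added example (not code from the SlowMist guide or from Compound) of a hypothetical share vault whose redeem logic is written twice, first in the order that lets a hooked token re-enter, then in CEI order; the contract, its names and the minimal IERC20 interface are all constructed for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed teaching example, not Compound or SlowMist code: the same share
// redemption written twice in one vault, first violating Checks-Effects-
// Interactions (CEI), then following it. Only the ERC20 calls needed are declared.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
contract ShareVault {
    IERC20 public immutable underlying;
    mapping(address => uint256) public shares;
    uint256 public totalShares;      // outstanding shares
    uint256 public totalUnderlying;  // underlying tokens backing them

    constructor(IERC20 token) { underlying = token; }

    // 1:1 on the first deposit, pro rata afterwards; effects before the pull.
    function deposit(uint256 amount) external {
        uint256 minted = totalShares == 0 ? amount : amount * totalShares / totalUnderlying;
        shares[msg.sender] += minted;
        totalShares += minted;
        totalUnderlying += amount;
        require(underlying.transferFrom(msg.sender, address(this), amount), "pull failed");
    }

    // BAD: the Interaction runs before the Effects. With a token that calls the
    // recipient during transfer (ERC777-style hooks), the recipient can re-enter
    // while shares[msg.sender] still shows the pre-redeem balance.
    function redeemViolatingCEI(uint256 shareAmount) external {
        require(shareAmount > 0 && shares[msg.sender] >= shareAmount, "insufficient shares"); // Checks
        uint256 amount = shareAmount * totalUnderlying / totalShares;
        require(underlying.transfer(msg.sender, amount), "transfer failed"); // Interaction
        shares[msg.sender] -= shareAmount;                                   // Effects, too late
        totalShares -= shareAmount;
        totalUnderlying -= amount;
    }

    // GOOD: Checks, then every state Effect, then the single Interaction last.
    // A re-entrant call now sees the already-reduced balance and fails the check.
    function redeemFollowingCEI(uint256 shareAmount) external {
        require(shareAmount > 0 && shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 amount = shareAmount * totalUnderlying / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        totalUnderlying -= amount;
        require(underlying.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When auditing a Compound-style fork, the question to ask of every function that moves tokens is the one this pair makes visible: does any storage write happen after the external call?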
Click and Beware by Rekt News
The crypto space in 2024 is a minefield of scams, with phishing attacks rampant across platforms like Twitter (X). Recent incidents, including a whale losing $35 million to a phishing scam and Symbiotic’s hacked Twitter account directing users to malicious sites, highlight the risks. Attackers hijack trusted accounts and lure victims with false offers, leading to financial loss.
Moreover, scammers are evolving with tactics like using SVG file malware to infiltrate devices. Protect yourself by using hardware wallets, enabling multi-factor authentication, and regularly reviewing your wallet's token approvals. In the Web3 world, skepticism and security measures are your best defense against digital disasters.