Security Team: EGD_Finance was attacked by hackers, and token prices were manipulated by flash loans

[Security Team: EGD_Finance was attacked by hackers, token prices were manipulated by flash loans] On August 8th, according to news from SlowMist, the EGD_Finance project on BSC was attacked by hackers, resulting in unexpected withdrawal of funds from its pool. The analysis conducted by the SlowMist security team is as follows:

1. The claimAllReward function in the EGD_Finance contract will call the getEGD Price function to calculate the price of EGD when calculating the reward, and the getEGD Price function only calculates the price of EGD by dividing the balance of EGD and USDT in the pair

2. The attacker uses this point to loan a large amount of USDT in the pool first, so that the price of EGD tokens becomes very small after calculation. Therefore, when the claimAllReward function is called to obtain rewards, more rewards will be calculated. As a result, the EGD tokens in the pool were withdrawn unexpectedly

The reason for this incident is that the price feeding mechanism for calculating the rewards when the EGD_Finance contract obtains the rewards is too simple, resulting in the token price being manipulated by the flash loan to make a profit.

Other news:

Security Team: BGEO Token may have an "unlimited minting" vulnerability: According to news on October 20, according to Dataverse's disclosure on social media, hackers have detected attacks on the GEO BSC contract, and remind users not to purchase GEO in BSC because of related operations. May not be valid. Subsequent GeoCash will maintain related issues, and will also conduct airdrops based on snapshots on the ETH/Polygon chain.

According to PeckShield's analysis on social media, this problem may be caused by the "allowing unlimited minting" vulnerability in the minting function of BGEO (Binance GeoDB Coin). [2022/10/20 16:31:20]

Security team: Oapital address withdrew 5 million USDC from Aave V2 and transferred 4 million to FTX: Jinse Finance reported that according to PeckShield monitoring, the address marked as Oapital starting with 0x66B8 withdrew 5 million USDC flow from Aave V2 sex, and transferred 4 million USDC to FTX. [2022/10/11 10:30:42]

Dynamics | It is reported that "Fomo 3D was hacked" and the SlowMist security team judged it as a DDoS attack: According to the Internet rumor "Fomo 3D was hacked", the SlowMist security team judged that the Fomo 3D website suffered a DDoS attack, but the smart contract on Ethereum Not affected, because the Ethereum network Gas value is still within the normal range. At present, Cloudflare, the security management website used by the Fomo 3D website, has turned on anti-virus verification, and users need to wait for 5 seconds to access the website. It is reported that the waiting time of 5 seconds is almost the most advanced DDoS defense strategy of Cloudflare. [2018/7/31]