{"id":97689,"date":"2024-10-25T09:38:52","date_gmt":"2024-10-25T13:38:52","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=97689"},"modified":"2024-10-25T09:40:08","modified_gmt":"2024-10-25T13:40:08","slug":"base-blockchain-exploit-leads-to-1m-theft","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/base-blockchain-exploit-leads-to-1m-theft\/","title":{"rendered":"Base Blockchain Exploit Leads to $1M Theft, Cyvers Alerts"},"content":{"rendered":"\n

An exploit on the Base blockchain revealed major vulnerabilities, resulting in $1 million in stolen funds <\/a>and creating security concerns in DeFi.<\/p>\n\n\n\n

\"Base<\/figure>\n\n\n\n

An exploit involving unverified lending contracts on the Base blockchain led to approximately $1 million in losses.<\/p>\n\n\n\n

The incident unfolded over several hours and was flagged by blockchain security firm Cyvers Alerts in an X post\r\n \r\n \r\n \r\n <\/g>\r\n \r\n \r\n \r\n <\/clipPath>\r\n <\/defs><\/svg><\/span><\/a> on October 25.<\/p>\n\n\n\n

The attacker exploited a vulnerability in smart contracts linked to Wrapped Ether (WETH), manipulating the price and then draining funds.<\/p>\n\n\n\n

\n

\ud83d\udea8ALERT\ud83d\udea8Our system detected multiple suspicious transactions involving unverified lending contracts on #Base<\/use><\/svg><\/span><\/a> a few hours ago.

The attacker initially made a suspicious transaction, gaining approximately $993K from these unverified contracts. Most of these tokens were swapped and\u2026 pic.twitter.com\/FRo5gVhxCc<\/use><\/svg><\/span><\/a><\/p>— \ud83d\udea8 Cyvers Alerts \ud83d\udea8 (@CyversAlerts) October 25, 2024<\/use><\/svg><\/span><\/a><\/blockquote>

Price Manipulation Exploit<\/h2>\n\n\n\n

The first suspicious transaction enabled the attacker to withdraw $993,534 from Base\u2019s unverified lending contracts.<\/p>\n\n\n\n

Most of the stolen funds were then moved to the Ethereum network<\/a>, with $202,549 deposited into the privacy service Tornado Cash. The attacker proceeded to take an additional $455,127 using the same exploit.<\/p>\n\n\n\n

In a Q&A, Cyvers Alerts\u2019 senior SOC lead Hakan Unal explained the vulnerability:<\/p>\n\n\n\n

\n

\u201cThe oracle used by these contracts was not robust, relying only on a single pair with a limited liquidity of ~$400K, making it susceptible to price swings that could be manipulated.\u201d<\/p>\n<\/blockquote>\n\n\n\n

Security Implications and Prevention<\/h2>\n\n\n\n

The use of unverified lending contracts highlights significant risks within decentralized finance (DeFi) platforms that lack robust security measures.<\/p>\n\n\n\n

Unal noted that \u201ca more reliable, diversified oracle with higher liquidity to avoid price manipulation\u201d could prevent similar attacks, especially \u201cfor assets like WETH.\u201d<\/p>\n\n\n\n

\n

\u201cEnhanced due diligence for lending contract verification, particularly on oracles used, can mitigate these risks.\u201d<\/p>\n<\/blockquote>\n\n\n\n

Who\u2019s To Blame?<\/h2>\n\n\n\n

Unal told Cointelegraph that \u201cthe attacker managed to escape\u201d with the funds after exploiting \u201cthe price manipulation vulnerability.\u201d<\/p>\n\n\n\n

\n

\u201cResponsibility likely falls on the entity managing the unverified lending contracts, as well as those responsible for choosing an insufficiently secure oracle for price verification.\u201d<\/p>\n<\/blockquote>\n\n\n\n

The attacker remains unidentified and has successfully made off with the stolen assets.<\/p>\n\n\n\n

This exploit underscores the need for DeFi platforms<\/a> to strengthen security protocols to protect user funds and enforce contract verification, helping prevent similar incidents in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"

An exploit on the Base blockchain revealed major vulnerabilities, resulting in $1 million in stolen funds and creating security concerns in DeFi. An exploit involving unverified lending contracts on the Base blockchain led to approximately $1 million in losses. The incident unfolded over several hours and was flagged by blockchain security firm Cyvers Alerts in […]<\/p>\n","protected":false},"author":56,"featured_media":97705,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[21],"tags":[202,197,128,937,12002],"class_list":["post-97689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-blockchain","tag-defi","tag-ethereum","tag-hackers","tag-hacks"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2024\/10\/Base-Blockchain-Exploit-Leads-to-1M-Theft-Cyvers-Alerts.webp","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/97689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/56"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=97689"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/97689\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/97705"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=97689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=97689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=97689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}