Cryptohack Roundup: Tender.fi, Algodex
Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime
Also: Uranium Finance Hacker Moves Funds; BitKeep Moves to Refund Victims Rashmi Ramesh (rashmiramesh_) • March 9, 2023 Image: Shutterstock
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between March 3 and March 9, Tender.fi joined the growing list of decentralized finance platforms that paid a white hat reward to a thief who stole from it, a Uranium Finance hacker began to launder funds via sanctioned mixer Tornado Cash, Algodex suffered security breaches and urged users to withdraw funds, and BitKeep said it would reimburse hack victims.
See Also: OnDemand | Navigating the Difficulties of Patching OT
A decentralized finance platform on Tuesday rewarded a malicious hacker for stealing funds from its platform. The hacker, who exploited a misconfigured price oracle to steal $1.6 million from Tender.fi, returned the funds in exchange for a $97,000 “bounty,” the company said. The platform has paused the borrowing function and is working on a postmortem report.
A wallet associated with the multimillion-dollar Uranium Finance theft moved funds worth $3.35 million to sanctioned cryptocurrency mixer Tornado Cash. The move comes after more than 21 months of inactivity, Web3 security firm PeckShield said on Tuesday. The hacker on April 28 exploited a coding vulnerability on the Binance Smart Chain-based platform to steal funds worth $50 million at the time, likely forcing the company to cease operations and ask users to withdraw funds from the platform.
A threat actor continues to drain funds from one of DeFi platform Algodex’s wallets, amid a renewed warning from the company. The hacker stole “less than $55,000,” and the incident did not affect the company’s liquidity, it said. MyAlgo, the wallet provider for the network Algodex operates in, urged users to withdraw their assets or rekey their funds to new accounts – that is, maintain a static public wallet address while dynamically rotating the authoritative private spending keys. The warning follows a Feb. 27 announcement from MyAlgo of a $9.2 million exploit resulting from an unknown and unpatched vulnerability.
Crypto wallet BitKeep on Wednesday said it had verified the reimbursement appeals of 2,785 victims that lost $8 million in a December hack, and it is set to reimburse users through two transactions “shortly.” The thieves last year hijacked the APK versions of the BitKeep app to install malicious code into user devices, the company said at the time. Victims must complete their appeal process by March 15 to be eligible for compensation, BitKeep said.