CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
unshETH Private Key Slip: $375,000 Loss from a Github Post
1/8/2024
unshETH Private Key Slip: $375,000 Loss from a Github Post

Project name: unshETH

Project type: Staking

Date of exploit: June 1, 2023

Asset loss: $375,000

Vulnerability: Private key leak

Date of audit report publishing: 03/23/2023

Conclusion: Out of audit scope

Details of the Exploit

Background

unshiETH is a staking platform that allows users to stake ETH and earn yield and swap fees. The exploited contract unshiETH Farm contains users’ unshiETH for farming.

Nature of the Vulnerability

The attacker compromised the private key of the unshiETH, which allows the attacker to withdraw the asset from the protocol.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.10.33 AM

Screenshot 2024-01-08 at 5.11.16 AM

Conclusion

On Jun 01, 2023, the staking platform unshETH was attacked, leading to a loss of around $375,000. According to the unshETH team, they mistakenly leaked their private key to Github, which allows users to withdraw unshETH from the contract. It was due to a human error of the private key management, which should be out of the audit scope.

Reference

Other Resources:

Related Stories
March's Major Private Key Compromises
Blogs
Incident Analysis
From 12 March to 16 March we have seen nine private key compromises (PKC) that have led to a combined loss of at least $22.96 million in March, with five of those incidents incurring losses over $1 million. These incidents showcase the continued devastation that private key leakages can have on the Web3 ecosystem which has already seen approximately $239 million lost to this type of attack in 2024.
3/22/2024
Bot-Driven Wash Trading in Exit Scams
Blogs
Security
CertiK has detected multiple exit scams employing bots for wash trading, a deceptive practice designed to attract unsuspecting investors. These scammers employ a subtle yet effective technique, transferring funds across various tokens—a strategy that sometimes slips under the radar of security assessments and exit scam post-mortems.
2/15/2024
Concentric.Fi Incident Analysis
Blogs
Incident Analysis
On 22nd January, Concentric.fi was exploited leading to losses of over $1.85 million. The wallets that conducted the attack have been doxxed as the OKX exploiter. Concentric announced on X that their protocol was attacked due to a targeted social engineering attack leading to the compromise of one of their teams admin wallets. From there the attackers were able to upgrade Concentric vault contracts with a malicious implementation leading to losses in liquidity pools as well as users who had approved Concentric contracts.
1/23/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;