This article analyzes four recent smart contract exploit incidents involving CIVNFT, Themis Protocol, Shido, and DEPUSDT/LEVUSDT.
These vulnerabilities read like a checklist of preventable failures:
- CIVNFT deployed a fund-transfer function without any access control.
- Themis allowed its oracle to be skewed by imbalanced Balancer pools.
- Shido failed to update unlock timestamps in its token swap mechanism.
- DEPUSDT/LEVUSDT transferred token ownership via unprotected approvals.
Total losses: Over $890,000.
Root cause: No one asked, "What if an attacker calls this?" before deployment.
Key Takeaways
- CIVNFT: Exploited via missing access controls.
- Themis Protocol: Lost $370K due to oracle manipulation.
- Shido: Configuration error led to $238K theft.
- DEPUSDT/LEVUSDT: Lacked critical function modifiers, losing $105K.
Detailed Vulnerability Analysis
1. CIVNFT | Loss: $180K
Exploit Date: July 8
Chain: Ethereum
Root Cause:
The function 7ca06d68() lacked access restrictions, enabling attackers to trigger callbacks and drain CIV/USDT funds to Uniswap for liquidation.
Solution:
Implement onlyOwner modifiers for sensitive functions.
Exploit Contract: 0xf169bd68ed72b2fdc3c9234833197171aa000580
Transaction Hash: 0x93a033917fcdbd5fe8ae24e9fe22f002949cba2f621a1c43a54f6519479caceb
2. Themis Protocol | Loss: $370K
Exploit Date: June 27
Chain: Arbitrum
Attack Flow:
- Flash-loaned 40K ETH from Aave/Uniswap.
- Used ETH as collateral to borrow DAI, USDT, ARB, and WBTC.
- Injected 55 ETH into a Balancer pool, receiving BLP tokens.
- Swapped 39,725 WETH for Themis, artificially inflating pool balance.
- Sold BLP tokens at manipulated prices.
Vulnerability:
Oracle relied on easily skewed Balancer pool ratios.
Exploit Contract: 0x75f805e2fb248462e7817f0230b36e9fae0280fc
Transaction Hash: 0xff368294ccb3cd6e7e263526b5c820b22dea2b2fd8617119ba5c3ab8417403d8
3. Shido | Loss: $238K
Exploit Date: June 23
Chain: BNB Smart Chain
Flaw:
The ShidoLock contract’s unlock timestamp was fixed at June 23, 2023, allowing premature claims of V2 SHIDO tokens.
Attack Steps:
- Flash-loaned 40 WBNB → swapped for 1B V1 SHIDO.
- Used lockTokens() and claimTokens() to mint 1B V2 SHIDO.
Exploit Contract: 0x7b190a928aa76eece5cb3e0f6b3bdb24fcdd9b4f
Transaction Hash: 0xaF0CA21363219C8f3D8050E7B61Bb5f04e02F8D4
4. DEPUSDT & LEVUSDT | Loss: $105K
Exploit Date: June 14
Vulnerability:
The approveToken() function in CurveSwap lacked owner-validation modifiers, letting attackers hijack approvals.
Exploit Contracts:
- DEPUSDT: 0x7b190a928aa76eece5cb3e0f6b3bdb24fcdd9b4f
- LEVUSDT: 0x2a2b195558cf89aa617979ce28880bbf7e17bc45
Transaction Hashes:
- DEPUSDT: 0xf0a13b445674094c455de9e947a25bade75cac9f5176695fca418898ea25742f
- LEVUSDT: 0x800a5b3178f680feebb81af69bd3dff791b886d4ce31615e601f2bb1f543bb2e
FAQ
Q1: How can developers prevent access control exploits?
A: Use onlyOwner or role-based modifiers (e.g., OpenZeppelin’s AccessControl).
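The missing-modifier pattern behind incident 1 (CIVNFT's unprotected fund-transfer function), incident 4 (the unguarded approveToken() in CurveSwap) and this answer, shown as an added example that is not code from any of the affected projects. The contract and function names are hypothetical; the owner check is inlined so the file compiles without external imports, and in production you would use OpenZeppelin's Ownable or AccessControl instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumption: any standard token).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// BEFORE: the shape of incidents 1 and 4. Both functions are external and
// unguarded, so any caller can move the contract's tokens or grant approvals
// on its behalf.
contract UnprotectedVault {
    function sweep(IERC20 token, address to, uint256 amount) external {
        require(token.transfer(to, amount), "transfer failed");
    }

    function approveToken(IERC20 token, address spender, uint256 amount) external {
        require(token.approve(spender, amount), "approve failed");
    }
}

// AFTER: identical functions behind an onlyOwner check, plus a two-step
// ownership transfer so a mistyped address cannot lock the owner out.
contract OwnedVault {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    error NotOwner(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1: current owner nominates a successor.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: the successor must actively accept, proving the address is live.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    // Privileged operations: a non-owner call reverts with NotOwner before any
    // token movement happens.
    function sweep(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(token.transfer(to, amount), "transfer failed");
    }

    function approveToken(IERC20 token, address spender, uint256 amount) external onlyOwner {
        require(token.approve(spender, amount), "approve failed");
    }
}
```

The review question for every external or public function is the one in the introduction: who is allowed to call this, and what happens if anyone else does? A custom error such as NotOwner also makes failed privilege checks easy to spot in traces and monitoring.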
Q2: What’s the best practice for oracle security?
A: Aggregate multiple price feeds (e.g., Chainlink) and implement circuit breakers for outliers.
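The Themis weakness (incident 2: a price read from a single pool's live reserve ratio) beside the aggregated, circuit-broken oracle this answer recommends, as an added example that is not code from Themis or from any oracle vendor. The AggregatorV3Interface signature is Chainlink's real one, reproduced inline; IPool, the contract names and the 5 % tolerance are hypothetical choices for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink's AggregatorV3Interface (real signature, copied inline).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical two-token pool, standing in for a Balancer-style pool.
interface IPool {
    function getBalances() external view returns (uint256 reserveBase, uint256 reserveQuote);
}

// WEAK: the price is whatever the pool's reserves say right now. A large
// deposit or swap in the same transaction moves it arbitrarily, which is the
// Themis failure mode.
contract SpotPriceOracle {
    IPool public immutable pool;

    constructor(IPool p) { pool = p; }

    function price() external view returns (uint256) {
        (uint256 base, uint256 quote) = pool.getBalances();
        return quote * 1e18 / base;
    }
}

// HARDENED: median of three independent feeds, each rejected if stale, and a
// circuit breaker that reverts when the feeds disagree beyond a tolerance.
contract GuardedOracle {
    AggregatorV3Interface[3] public feeds;
    uint256 public constant MAX_AGE = 1 hours;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5 % spread allowed (example value)

    error StaleFeed(uint256 index);
    error FeedsDisagree(uint256 lowest, uint256 highest);

    constructor(AggregatorV3Interface[3] memory f) { feeds = f; }

    // Reads one feed, enforces freshness and normalises to 18 decimals.
    function _read(uint256 i) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feeds[i].latestRoundData();
        if (answer <= 0 || block.timestamp - updatedAt > MAX_AGE) revert StaleFeed(i);
        uint8 d = feeds[i].decimals();
        require(d <= 18, "unsupported decimals");
        return uint256(answer) * (10 ** (18 - d));
    }

    function price() external view returns (uint256) {
        uint256 a = _read(0);
        uint256 b = _read(1);
        uint256 c = _read(2);
        // Sort the three readings so a <= b <= c.
        if (a > b) (a, b) = (b, a);
        if (b > c) (b, c) = (c, b);
        if (a > b) (a, b) = (b, a);
        // Circuit breaker: the spread between the extremes must stay within
        // MAX_DEVIATION_BPS of the median, otherwise refuse to quote a price.
        if ((c - a) * 10_000 > b * MAX_DEVIATION_BPS) revert FeedsDisagree(a, c);
        return b; // the median is the quoted price
    }
}
```

Reverting on disagreement is deliberate: a lending or swap contract that cannot get a trustworthy price should pause rather than settle against a number one pool participant can set. Pair the on-chain check with off-chain alerting on FeedsDisagree and StaleFeed reverts so an operator sees the halt.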
Q3: Why are configuration errors common?
A: Manual timestamp/decimal inputs are error-prone. Automate checks via unit tests.
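The Shido configuration flaw (incident 3: a single hard-coded unlock time that every lock shared) beside a version that computes the unlock time per lock, as an added example that is not Shido's ShidoLock code. All contract, interface and function names other than lockTokens() and claimTokens() are hypothetical, and the deploy-time require in the constructor is the kind of automated sanity check this answer calls for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed token surfaces: V1 is a standard ERC-20, V2 exposes a mint hook
// that only this contract may call (that authorisation is out of scope here).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMintable {
    function mint(address to, uint256 amount) external;
}

// BEFORE: one unlock instant for the whole contract, chosen by hand at
// deployment. Once that instant is in the past, lockTokens() followed by
// claimTokens() in the same transaction succeeds immediately.
contract FixedUnlockSwap {
    IERC20 public immutable v1;
    IMintable public immutable v2;
    uint256 public immutable unlockAt; // manual input, never re-derived
    mapping(address => uint256) public locked;

    constructor(IERC20 _v1, IMintable _v2, uint256 _unlockAt) {
        v1 = _v1;
        v2 = _v2;
        unlockAt = _unlockAt;
    }

    function lockTokens(uint256 amount) external {
        require(v1.transferFrom(msg.sender, address(this), amount), "transfer failed");
        locked[msg.sender] += amount;
    }

    function claimTokens() external {
        require(block.timestamp >= unlockAt, "locked"); // true for everyone after one date
        uint256 amount = locked[msg.sender];
        locked[msg.sender] = 0;
        v2.mint(msg.sender, amount);
    }
}

// AFTER: each lock records its own unlock time relative to when it was made,
// so a fresh lock can never be claimed in the same block.
contract PerLockSwap {
    struct Lock {
        uint256 amount;
        uint256 unlockAt;
    }

    IERC20 public immutable v1;
    IMintable public immutable v2;
    uint256 public immutable lockDuration;
    mapping(address => Lock[]) public locks;

    event Locked(address indexed user, uint256 amount, uint256 unlockAt);
    event Claimed(address indexed user, uint256 amount);

    constructor(IERC20 _v1, IMintable _v2, uint256 _lockDuration) {
        // Deploy-time check: a zero or trivially short duration is a
        // configuration error, so refuse to deploy rather than discover it later.
        require(_lockDuration >= 1 days, "lock duration too short");
        v1 = _v1;
        v2 = _v2;
        lockDuration = _lockDuration;
    }

    function lockTokens(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(v1.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 unlockAt = block.timestamp + lockDuration;
        locks[msg.sender].push(Lock(amount, unlockAt));
        emit Locked(msg.sender, amount, unlockAt);
    }

    // Mints V2 only for locks whose own unlock time has passed; each lock is
    // zeroed before the external mint call.
    function claimTokens() external returns (uint256 claimed) {
        Lock[] storage ls = locks[msg.sender];
        for (uint256 i = 0; i < ls.length; i++) {
            if (ls[i].amount > 0 && block.timestamp >= ls[i].unlockAt) {
                claimed += ls[i].amount;
                ls[i].amount = 0;
            }
        }
        require(claimed > 0, "nothing unlocked");
        v2.mint(msg.sender, claimed);
        emit Claimed(msg.sender, claimed);
    }
}
```

The unit test this answer asks for is short: lock tokens, call claimTokens() in the same block and assert it reverts with "nothing unlocked", then warp time past lockDuration and assert the claim succeeds. For production the per-user Lock array should be bounded or claimed by index so gas does not grow without limit.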
Strengthen Your Contracts with Olympix
Olympix provides advanced Solidity analysis tools to preemptively flag vulnerabilities.
Original source: BlockMagnates