26 October 2022

Cyrex Hacking Roundup: October

Spooky season is well and truly on us as we enter the last week of October. From frightful DeFi hacks, to ghastly DDoS strikes against Overwatch 2, we bring you the biggest and latest hacking stories in the gaming industry.

DeFi Industry rocked by 4 hacks in 24 hours

October 11th proved to be a tumultuous day for the DeFi sector as it was rocked by four major hacks in just 24 hours.   The largest came from the Solana-based trading platform Mango Market as it experienced a hack resulting in the loss of $112 million in digital assets. The malicious actors used a method known as Oracle price manipulation, which has been used in the past to attack other DeFi protocols, to syphon off this enormous sum. Oracle price manipulation is a frequent DeFi sector exploit in which attackers alter an Oracle smart contract, leading to system failure, theft, and other damages.   On the same day, a $2.3 million hack targeted TempleDAO and STAX Finance. The perpetrator exploited the system by forging a smart contract to call a function and withdraw. TempleDAO tells its users that its core contracts are safe and have not been affected.   Elsewhere, a feature of the Rabby cryptocurrency wallet called "Rabby Swap" was targeted. Smart Contracts for Rabby Swap were exploited, resulting in a loss of about $2.34M. And finally, funds from numerous chains were stolen as a result of a breach in the DeFi aggregator ParaSwap. The exploit is believed to be caused by a profanity flaw.   The common thread in all of these stories is smart contract exploit and manipulation. We have been lucky to help clients such as Mythical Games, Immutable, Syscoin, Pollum, and Jigstack to secure, develop and scale their Web3 solutions to the highest of standards. Find out more here.  

Overwatch 2 launch suffers from DDoS attacks

October 4th saw the release of the highly anticipated first-person shooter Overwatch 2, by Blizzard Entertainment, across console and PC. However, launch day was anything but smooth due to not one but two DDoS attacks within the opening hours. As reported by IGN, enthused players were met with disappointment on the opening day as Blizzard shared via social media that the game was under a mass distributed denial of service (DDoS) attack, preventing successful player matchmaking. Less than a week later, an additional DDoS attack prevented thousands of fans from logging into the game server once more. Three weeks later and the game appears to be stable once more as we approach it’s Halloween Terror event - fingers crossed it all goes off without any further attacks.  

PS5 Jailbreak

Earlier this month, reports began to emerge that hackers have finally found a way to jailbreak the PlayStation 5 hardware with an experimental IPV6 kernel exploit first discovered in the previous generation hardware of the PlayStation 4. It is based on a previously reported vulnerability in Webkit, the PS5's built-in web browser, and it is exploitable on PS5’s running firmware version 4.03 and earlier. It reportedly works about 30% of the time, granting users access to the console's debug mode and enabling them to run software other than what was originally intended by Sony.   “This exploit gives us read/write access, but no execute,” reports console hacking blog Wololo.net. “This means no possibility to load and run binaries at the moment, everything is constrained within the scope of the ROP chain. The current implementation does however enable debug settings.”    That said, modder Lance MacDonald caught headlines by using the reported jailbreak to install the famous lost game P.T on his PS5 console - however, due to the limitations of the exploit, there is no way to execute or run the installed game. The revelation of this exploit will be closely followed by the hacking community (both ethical and malicious) as they may use it as an entry point for further testing.  

Conclusion

To discover more about Cyrex, check out our blog and portfolio page. We also offer comprehensive manual penetration testing for games and non-gaming applications. For any other questions, please get in touch.