January 10, 2023
Security

Jaypeggers Exploit

On December 29, 2022, Jaypeggers, a tax-loss harvesting app for NFTs, suffered a reentrancy attack that resulted in the theft of 15.32 ETH, worth approximately $18,000. Hypernative was able to detect the attack and notify the Jaypeggers team in real-time, providing assistance in the investigation.

Meitar Yavneh

TL;DR

On December 29, 2022, Jaypeggers, a tax-loss harvesting app for NFTs, suffered a reentrancy attack that resulted in the theft of 15.32 ETH, worth approximately $18,000. The stolen funds were cashed out through Tornado Cash and Aztec. The Hypernative system was able to detect the attack and notify the Jaypeggers team in real-time, providing assistance in the investigation.

Tweet by @jaypeggerz - Dec 29, 2022
Tweet by @hypernativeLabs - Dec 29, 2022

Attack Analysis

Timeline of the Jaypeggers Exploit

First, the attacker’s address received anonymous funds through Tornado Cash, avoiding KYC’d funding sources. The Hypernative platform detected this transaction and raised an alert on the address for receiving funds from a mixer.

Next, the attacker prepared the tools for the attack and deployed a contract. Using a contract allows more complex logic, such as multiple actions, to be executed in a single transaction, which is difficult to do from an address that is not a contract (an EOA).

About 3 minutes later, the attack was executed through the contract as follows:

  • The attacker began the attack transaction with a flash loan, borrowing 72.5 WETH.
  • The attacker then bought 13,584 JAY with 22 WETH.
  • The remaining borrowed WETH (50.5 WETH) was used to call the buyJay function, which, due to a lack of validation, allowed the attacker to insert their own malicious contract as if it were an ERC-721 token. The buyJay function then called the transferFrom function of the provided token, which was actually the attacker's malicious contract. This enabled the attacker to reenter the contract by calling the sell function of the JAY contract, allowing them to sell JAY tokens using a miscalculated price, and thus profit.
  • The attacker returned the flash loan and ended up with a profit of 15.32 WETH.
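
The reentrancy described in the steps above, as an added Python model that is not the JAY contract's code or Hypernative's: it assumes a vault that prices its token as ETH balance divided by total supply and counts the incoming payment before calling the caller-supplied token. The class names, the amounts and the `guarded` flag are constructed for illustration; the mitigation shown is a standard non-reentrancy lock, and token validation is not modelled.

```python
class Reentered(Exception):
    """Raised by the guarded vault when it is called while already executing."""

class Vault:
    def __init__(self, eth, supply, guarded):
        self.eth, self.supply, self.guarded = eth, supply, guarded
        self.locked = False
        self.tokens = {}                       # holder -> token balance

    def _enter(self):
        if self.guarded and self.locked:
            raise Reentered("call while another call is in progress")
        self.locked = True

    def sell(self, who, amount):
        self._enter()
        payout = amount * self.eth // self.supply   # assumed price model: eth / supply
        self.tokens[who] -= amount
        self.supply -= amount
        self.eth -= payout
        self.locked = False
        return payout

    def buy(self, who, eth_in, nft):
        self._enter()
        self.eth += eth_in                     # payment already counted in the balance
        nft.transfer_from(who, self)           # external call into caller-chosen code
        minted = eth_in * self.supply // (self.eth - eth_in)
        self.tokens[who] = self.tokens.get(who, 0) + minted
        self.supply += minted
        self.locked = False
        return minted

class PlainNFT:
    def transfer_from(self, sender, vault):
        pass                                   # a well-behaved token does not call back

class CallbackNFT:
    """Constructed stand-in for a contract passed in as if it were an ERC-721."""
    def __init__(self, amount):
        self.amount, self.payout = amount, None
    def transfer_from(self, sender, vault):
        self.payout = vault.sell(sender, self.amount)   # re-enters during buy()

def sell_during_buy(guarded):
    vault = Vault(eth=100, supply=1000, guarded=guarded)   # constructed amounts
    vault.tokens["holder"] = 200
    fair = 200 * vault.eth // vault.supply     # payout at the pre-buy price
    nft = CallbackNFT(200)
    vault.buy("holder", 50, nft)
    return fair, nft.payout
```

With `guarded=False` the sale made during the callback is paid 30 instead of the pre-buy value of 20, because the balance already includes the incoming 50 while the supply has not yet grown. With `guarded=True` the nested call raises `Reentered`, which on-chain corresponds to the whole transaction reverting.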

The stolen funds were cashed out through Tornado Cash and Aztec. Hypernative detected the deployment of a malicious contract and the exploit in real-time. Our team immediately contacted the protocol and worked with them to help prevent further loss.

The Hypernative Platform continuously monitors all blockchain activity, as well as other sources, providing operational and security monitoring capabilities to protocol teams, with out-of-the-box detections to proactively warn against hacks and exploits even before they are launched, allowing timely response and mitigation. The detected risks cover multiple aspects of protocol activities, including Governance, Financial, Security, Technical and other risks.

For more information about the Hypernative Platform, get in touch here.
