Taiko bridge exploited
The Taiko bridge, which allows assets to be transferred between the Ethereum mainnet and the Taiko Ethereum layer-2 chain, was exploited for at least $1.7 million before the network was halted, limiting losses. An attacker was able to forge withdrawal requests to appear as though they matched real deposits. Crypto security firm BlockSec said that the attacker may have gained access to a signing key that had been exposed on GitHub.
Highly active MEV bot known as jaredfromsubway.eth drained for $7.7 million
On blockchains like Ethereum, a strategy known as "MEV" (short for "maximal extractable value") allows intermediaries to profit from manipulating the structure of blocks added to the chain — often reordering or "sandwiching" transactions in ways that extract profits. Automated software known as MEV bots make a business out of this strategy, and one of the most active is a bot called jaredfromsubway.eth — likely so named after one-time Subway spokesman and convicted sex offender Jared Fogle because of its strategy of "sandwiching" transactions by placing trades on both sides, causing the original trader to pay more.
On June 20, an attacker used a series of contracts to cause the bot to grant token approvals that were later used to drain 4,427 ETH ($7.7 million). Some of the funds were then laundered through Tornado Cash.
Main Street USD (msUSD) loses its dollar peg
Main Street USD, also known as msUSD, lost its dollar peg and crashed to around $0.25. At points, the token dipped as low as around $0.06. The asset, issued by Main Street Finance, is supposed to be redeemable 1:1 with Circle's USDC stablecoin. It's used as part of a yield strategy that is marketed as "democratizing the options box spread strategy through a stablecoin". Prior to the depeg, there was about $80 million msUSD in circulation.
On June 20, the verification provider Accountable announced that they had "terminated its service agreement with MainStreet, effective immediately. MainStreet was unable to meet our verification standards." The sudden loss of confidence in the token caused the price to plummet as holders rushed to withdraw funds.
Main Street issued a statement, claiming that "Mainstreet remains fully backed" and that "this is an infrastructure and reporting issue, not a solvency issue." However, they noted that "while our portfolio remains fully backed, converting positions into immediate liquidity depends on prevailing market depth and market-maker appetite."
Aztec Connect hacked for a second time in less than a week
Three days after Aztec Labs' deprecated Aztec Connect blockchain bridge was exploited for $2.1 million, the project has been hacked again for the same amount. Aztec Labs confirmed the second exploit, again trying to emphasize that the code was deprecated four years ago.
The hacks are part of a spate of exploits targeting legacy smart contracts belonging to projects including Raydium and DxSale. Although some projects have developed techniques to circumvent the immutable nature of blockchains and allow smart contracts to be upgraded or retired, many legacy contracts cannot be changed or shut down, leaving them vulnerable to attack indefinitely.