834 hack event(s)
Description of the event: The TokenStakingPoolDelegate contract, which BXH updated after the previous attack, suffered another flash loan attack. The contract lost 40,085 USDT, and the attacker profited 31,794 USDT after paying the flash loan fee. Analysis shows the attack was possible because the contract's getITokenBonusAmount function used getReserves() to obtain an instantaneous price, so the attacker could profit by manipulating that price within a single transaction.
Amount of loss: 40,085 USDT
Attack method: Flash loan attack
Description of the event: A bot named 0xbadc0de made a windfall when traders tried to sell 1.8 million cUSDC (USDC on the Compound protocol, about $1.85 million in nominal value) but received only $500 of the asset in return due to low liquidity. The MEV bot made a profit of 800 ETH (~$1 million) from that trade. An hour later, a hacker exploited a bug in 0xbadc0de's code to withdraw all 1,101 ETH (~$1.5 million) held in the contract.
Amount of loss: $1,500,000
Attack method: Contract vulnerabilities
Description of the event: According to the SlowMist security team, citing the BXH Stupid Kids team's announcement on September 23, a total of $2.5 million worth of assets and 38 million BXH tokens were stolen the night before yesterday (September 21). According to the analysis and evaluation of SlowMist MistTrack, the private key of the original owner of the BXH VaultPool contract is suspected to have been stolen, and the inCaseTokensGetStuck function was called to transfer the funds in the contract to the hacker's address, 0x158f...e345. So far, the hacker has bridged the stolen funds to the ETH chain and further transferred all of them to Tornado Cash, with a total transfer amount of 1865 ETH.
Amount of loss: $2,500,000
Attack method: Private key stolen
Description of the event: @EvgenyGaevoy, founder and CEO of crypto market maker Wintermute, tweeted that Wintermute lost $160 million in a DeFi hacking attack. Wintermute had used Profanity to create a wallet in order to optimize fees. Funds from the old address were transferred, but due to an internal (human) error, the wrong function was called and the funds were attacked.
Amount of loss: $160,000,000
Attack method: Call the wrong function
Description of the event: In a tweet, @0xCrumbs disclosed that Dogechain was hacked yesterday: the attackers exploited a vulnerability to mint 9.7 million $Doge (about $600,000) and transferred $316,000 through a cross-chain bridge. Currently 3 million remain in the starting wallet, in addition to $100,000 worth of USDC/ETH. @0xCrumbs therefore believes that yesterday's Dogechain maintenance was caused by the attack. SlowMist also tweeted that the attackers used Anyswap to bridge funds to the BSC and ETH chains, which were then transferred to Binance. Dogechain officials, however, tweeted that no funds were lost during the maintenance period.
Amount of loss: $600,000
Attack method: Contract vulnerabilities
Description of the event: The New Free Dao project on the BSC chain suffered a flash loan attack. According to SlowMist analysis, the main reason for this attack is that the contract's reward calculation is too simple: it depends only on the caller's balance, which allows arbitrage with a flash loan.
Amount of loss: 4,481 WBNB
Attack method: Flash loan attack
Description of the event: The GERA token was compromised due to a private key leak. Hackers transferred ownership of the GERA token smart contract deployer to another address, 0x510E4d61663bE6a24D600AaF90F892dd8c8C61dC.
Amount of loss: $1,480,000
Attack method: Private key leak
Description of the event: The AVAX/USDC Joe LP of NXUSD was hit by a flash loan attack; the hackers made 371,000 USDC.
Amount of loss: 371,000 USDC
Attack method: Flash loan attack
Description of the event: On September 5th, DaoSwap lost 580,000 USDT in an attack. Due to a lack of verification, users could set the inviter's address to themselves, and because the mining rewards were larger than the fees charged during the swap process, this could be exploited for profit.
Amount of loss: $580,000
Attack method: Lack of validation
Description of the event: Decentralized liquidity protocol Kyber Network disclosed on Twitter that its users lost $265,000 in funds due to a front-end exploit. The vulnerability stemmed from malicious Google Tag Manager code in the KyberSwap website, through which attackers targeted whale wallets and gained permission to transfer user funds by inserting fake approvals.
Amount of loss: $265,000
Attack method: Front-end malicious attack
Description of the event: Privacy project ShadowFi suffered a hack, and its official token SDF fell 98.5%. The attacker exploited a vulnerability in SDF that allowed anyone to burn the token, making a profit of about 1078 BNB (about $300,000); the stolen funds have been transferred to TornadoCash.
Amount of loss: 1,078 BNB
Attack method: Contract vulnerabilities
Description of the event: The attacker made a profit of $78,622 through a flash loan on BNB Chain, causing the token CUPID to plummet by more than 90% and the token VENUS to rise by more than 300% before falling back.
Amount of loss: 78,623 USDT
Attack method: Flash loan attack
Description of the event: Solana-ecosystem derivatives protocol OptiFi tweeted that at around 6:00 UTC on August 29th, team members attempted an update and upgrade on Solana, but due to an operational error the OptiFi mainnet program was shut down and could not be recovered, leaving 661,000 USDC locked (95% of the funds belong to team members). All user funds will be compensated.
Amount of loss: 661,000 USDC
Attack method: Operation error
Description of the event: DDC was exploited and lost $104,600. The cause of the event was that pool fees could be deducted arbitrarily.
Amount of loss: $104,600
Attack method: Deduct pool fees arbitrarily
Description of the event: Public chain project Sui tweeted that its Discord server had been hacked and asked users not to click on any links posted on the Discord server in the past 8 hours. According to some replies to the tweet, some users had already lost money by clicking on links posted by the hackers on the Sui Discord.
Amount of loss: -
Attack method: Discord server hacked
Description of the event: Pokémon imitation project PokémonFi rug pulled. The project and token first launched in April; the project recently deleted its Twitter account, but its website still exists.
Amount of loss: $708,000
Attack method: Scam
Description of the event: Kaoyaswap on BSC appears to have been attacked, with hackers making 37,294 BUSD and 271.2 WBNB; the attack was caused by faulty logic in the Swap function.
Amount of loss: $118,000
Attack method: Function logic error
Description of the event: BSC DEX protocol Kaoyaswap was attacked, losing 37,294 BUSD and 271.2 WBNB. The cause of this attack was a flaw in the Swap value calculation.
Amount of loss: 37,294 BUSD + 271.2 WBNB
Attack method: Swap value flaw
Description of the event: Sudoswap imitation project Sudorare is suspected of a rug pull. The LOOKS, WETH and XMON tokens in the contract address were transferred to the 0xbb42 address (0xbb42f789b39af41b796f6C28D4c4aa5aCE389d8A) and then sold for ETH on Uniswap, for a total profit of about 519.5 ETH (about $800,000). The Sudorare website and Twitter account are now inaccessible. According to the analysis, the initial deployment funds came from the exchange Kraken.
Amount of loss: 519.5 ETH
Attack method: Scam
Description of the event: Celer said that cBridge's front-end interface suffered a DNS cache poisoning attack. The attack targeted third-party DNS providers; Celer's own contracts were not affected. Celer will fully compensate users who suffered losses in this incident.
Amount of loss: 128.4 ETH
Attack method: BGP Hijacking