834 hack event(s)
Description of the event: The Bribe Protocol promised a DAO infrastructure tool where "token holders get paid to govern", and raised $5.5 million in funding in January to work on their extensive roadmap. However, the project leaders have effectively disappeared. There have been no posts on the project's Twitter account since May, and their Medium page has been untouched since March.
Amount of loss: $ 5,500,000 Attack method: Scam
Description of the event: The Polkadot ecosystem project Acala caused an additional issuance of aUSD due to an error on the chain, allowing attackers to mint aUSD. The vulnerability caused aUSD to lose its peg to the US dollar, initially falling to $0.60 and then hovering around $0.90. Acala suspended the protocol shortly after the attack, disabling the transfer of the stolen aUSD and the attackers' exchange of Acala tokens for some of the aUSD.
Amount of loss: $ 52,000,000 Attack method: On-chain setup error
Description of the event: Yield aggregator Blur Finance withdrew more than $600,000 in assets from BNB Chain and Polygon before deleting websites and social media accounts. The project, which has only been active for about a month, has amassed about 750 users on its initial BNB Chain implementation, which was announced on Polygon on August 5.
Amount of loss: $ 600,000 Attack method: Scam
Description of the event: The Curve Finance frontend was attacked, prompting users to grant token approvals to malicious smart contracts. The attackers moved the stolen funds to FixedFloat and Tornado Cash, with at least 362 ETH (~$620,000) stolen. FixedFloat tweeted that they had frozen 112 stolen ETH (~$192,000).
Amount of loss: $ 428,000 Attack method: Front-end malicious attack
Description of the event: According to SlowMist, the EGD Finance project on BSC was attacked by hackers, resulting in the unexpected withdrawal of funds from its pool. The SlowMist security team analyzed the incident and said it occurred because the price-feed mechanism that EGD Finance's contracts used to calculate rewards was too simple, allowing the token price to be manipulated with flash loans for profit.
Amount of loss: 36,000 BUSD Attack method: Price manipulation
Description of the event: The Saxon James Musk project carried out a rug pull. Project developers suddenly sold their token share for around 1,355 WBNB (~$442,000), causing the token price to plummet by over 68%.
Amount of loss: 1,355 WBNB Attack method: Scam
Description of the event: A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).
Amount of loss: $ 231,000 Attack method: Apple ID hacked
Description of the event: According to SlowMist, the GenomesDAO project on MATIC was attacked by hackers, resulting in the unexpected withdrawal of funds from its LPSTAKING contract. The incident occurred because GenomesDAO's LPSTAKING contract could be initialized arbitrarily and repeatedly, letting a caller set key parameters and maliciously drain the collateral in the contract.
Amount of loss: - Attack method: Contract vulnerabilities
Description of the event: On August 4, the team behind the Velodrome exchange and liquidity marketplace noticed that $350,000 had been taken from a team-operated wallet that was normally used for operational funds. They announced they were beginning an investigation into the theft, which they initially believed was due to a compromised wallet. Their team member Gabagool tweeted more details, underscoring that no user funds were lost. On August 13, Gabagool posted a long confession to his Twitter account, writing that he had stolen the $350,000, and had previously taken $56,000 over the course of two months, to try to "revenge trade" the money he had lost in the crypto crash. Explaining why he took the $350,000, he wrote, "I thought I could make the 56k back and return all of the funds, which was delusional". He also wrote that "the majority of the funds have been returned to the Velodrome team. The rest will be." Velodrome later confirmed they had recovered all of the stolen money.
Amount of loss: - Attack method: Internal evil
Description of the event: A large-scale theft incident occurred on the Solana public chain, in which a large number of users had SOL and SPL tokens transferred out of their wallets without their knowledge. According to SlowMist MistTrack statistics, more than 8,000 Solana wallets have been stolen from so far. The assets are valued at approximately $4.5 million.
Amount of loss: $ 4,500,000 Attack method: Unknown
Description of the event: The cross-chain interoperability protocol Nomad bridge was attacked by hackers. The attack was possible because the trusted root of the Nomad bridge Replica contract was set to 0x0 during initialization, and the old root was not invalidated when the trusted root was modified. As a result, an attacker could construct an arbitrary message to steal funds from the bridge. White hat hackers have returned $25.4 million to date.
Amount of loss: $ 164,000,000 Attack method: Contract vulnerabilities
Description of the event: Reaper Farm's ReaperVaultV2 contract was maliciously exploited, resulting in more than $1.6 million worth of damage. Attackers exploited a vulnerability in the ReaperVaultV2 contract that could destroy other users' vault shares and withdraw tokens, thereby withdrawing large amounts of tokens from multiple vaults.
Amount of loss: $ 1,698,423 Attack method: Lack of access control
Description of the event: The ZB exchange was hacked with a total loss of around $4.3 million. ZB notified the community on August 2 that deposits and withdrawals would be suspended due to a "sudden failure", giving the reason as "Sudden failure of the core application". It's worth noting that the attack actually happened on August 1, but it was overshadowed by the overwhelming news of the Nomad exploit.
Amount of loss: $ 4,300,000 Attack method: Stolen hot wallet
Description of the event: According to SlowMist Intelligence, Nirvana, a stablecoin project on the Solana chain, suffered a flash loan attack. By deploying a malicious contract, the attacker used a flash loan to borrow 10,250,000 USDC from Solend and then called the Nirvana contract's buy3 method to buy a large amount of ANA tokens. The attacker then called the Nirvana contract's swap method to sell part of the ANA for USDT and USDC. After repaying the flash loan, the attacker's total profit was 3,490,563.69 USDT, 21,902.48 USDC and 393,230.32 ANA tokens. The hacker then sold the ANA tokens and moved all of the proceeds through a cross-chain bridge.
Amount of loss: $ 3,500,000 Attack method: Flash loan attack
Description of the event: CEO Michael Stollery of Titanium Blockchain Infrastructure Services (TBIS) pled guilty to securities fraud in connection to a $21 million cryptocurrency scam. The company promoted its BAR token during 2017–2018, and did not register with the SEC for its ICO. TBIS made false claims including that they had ties to companies including Apple, Boeing, and IBM, and offered various services that did not actually exist. At least 75 people participated in the ICO, giving TBIS a combined $21 million, some of which went directly to Stollery's bank account and personal expenses like a condo in Hawaii.
Amount of loss: $ 21,000,000 Attack method: Scam
Description of the event: A rug pull occurred at DeFi project DRAC Network, with the price of the token $TEDDY dropping 99.4%. 10,000 $BNB and 2 million $BUSD have been slowly transferred to Binance. It is said that the deployer deployed the contract and transferred a large quantity of $TEDDY to 0xdbe8ef79a1a7b57fbb73048192edf6427e8a5552, then pumped and dumped the price of $TEDDY.
Amount of loss: $ 4,500,000 Attack method: Scam
Description of the event: The community treasury of Web3 music streaming platform Audius was hacked, losing 18.5 million AUDIO tokens. The hackers exchanged the funds for about 705 ETH on Uniswap. Audius officially stated that the problem has been found and is currently being fixed. All Audius smart contracts on Ethereum, including the token, must be stopped. The team believes that there is no further risk to funds. Until the fix is complete, token balances, transfers, etc. will be temporarily unavailable.
Amount of loss: $ 1,100,000 Attack method: Contract vulnerabilities
Description of the event: The online game Neopets said it was hacked and is currently investigating a customer data breach. The Neopets hack may affect 69 million users, and a hacker named TarTarX sold the source code and database of the Neopets website for 4 bitcoins. Neopets recently launched NFTs for its online virtual world games.
Amount of loss: - Attack method: Data leak
Description of the event: The Tableland Discord server was compromised by malicious actors, who successfully impersonated moderators on the channel and led community members to a fake Tableland domain that funneled targeted assets from member ETH wallets. The perpetrators used a fake mint scheme, which lured community members under the pretense of an exclusive, limited mint. Instead, targeted victims were taken to a malicious website that tricked some of them into granting specific wallet permissions. Once these were granted, the perpetrators were able to siphon away Tableland Rigs and other NFTs.
Amount of loss: $ 45,819 Attack method: Discord server hacked
Description of the event: My Big Coin founder Crater has been found guilty of a cryptocurrency fraud scheme. Crater founded My Big Coin in 2013 to provide virtual payment services through the fraudulent digital currency "My Big Coins," which he marketed to investors between 2014 and 2017 by misrepresenting the nature and value of Coins. Crater and his colleagues falsely claimed that Coins was a fully functional cryptocurrency backed by $300 million in gold, oil and other valuable assets. In reality, the coins are not backed by gold or other valuable assets, have no partnership with Mastercard, and are not easily transferable. Over the course of the scheme, Crater misappropriated more than $6 million in investor funds for personal gain and merchandise spending, including spending on antiques, art and jewelry worth hundreds of thousands of dollars.
Amount of loss: $ 6,000,000 Attack method: Scam