1535 hack event(s)
Description of the event: GMETA on BSC has been Rug Pulled, with a price drop of 96%, taking about $3.6 million. The contract creator is 0x9f02c29ad35fd20a51cd48250512a7b7feeb8ed1.
Amount of loss: $ 3,600,000 Attack method: Rug Pull
Description of the event: APEDAO on the BNB chain was attacked and the loss was approximately $7,000. The attacker transferred APEDAO to the pair contract. The APEDAO contract mistook the attacker's behavior as a selling operation and gradually accumulated a value named "amountToDead". The attacker repeatedly transferred APEDAO and then used the skim function to withdraw excess tokens. Eventually, the attacker calls the godead function to destroy APEDAO held in the pairing contract, causing the token price to rise.
Amount of loss: $ 7,000 Attack method: Contract Vulnerability
Description of the event: Ethscriptions.com was hacked, and about 123 individual addresses lost a total of about 202 Ethscriptions. In terms of value, it is unclear how much the attack caused. Based on the current lowest price of $14, the loss is at least $2,828. Ethscriptions creator Tom Lehman stated that this is not a vulnerability in the Ethscriptions protocol. This is a vulnerability in a specific smart contract (0x3ca843b98a2fe8ef69bb0f169afad3812c275f5e). The protocol itself and other applications running on it are not affected in any way. Meanwhile, Lehman claimed responsibility for the attack, explaining that the vulnerability can be traced back to a smart contract he and Indelible Labs co-founder Michael Hirsch created. It is reported that a small piece of code included in it allows people to withdraw Ethscriptions that do not belong to them from the market. Lehman also said that the Ethscriptions.com marketplace will be relaunched and that he has been in touch with many users affected by the bug.
Amount of loss: $ 2,828 Attack method: Contract Vulnerability
Description of the event: On July 12th, WGPT Token suffered from a flash loan attack, resulting in losses of ~$82.5k. Address (BSC): 0x1f415255f7E2a8546559a553E962dE7BC60d7942.
Amount of loss: $ 82,500 Attack method: Flash Loan Attack
Description of the event: The Avalanche project Platypus has been attacked again. According to the analysis of SlowMist, since the price difference between the two pools was not taken into account during the token exchange via CoverageRatio, it resulted in users being able to arbitrage by depositing USDC and then withdrawing more USDT. Arbitrageurs have arbitraged around 50,000 USDC in this way.
Amount of loss: $ 50,000 Attack method: Arbitrage attack
Description of the event: Klever published a report on an external security incident on July 12. All wallets affected by the suspicious activity on July 12 were reported to be affected by a known vulnerability caused by low-entropy mnemonics. It's important to underscore that this issue is not exclusive to Klever. Reports indicate that users of multiple wallet providers are affected. All the wallets involved were imported into Klever Wallet K5. These wallets had not been originally created using Klever Wallet K5, instead all the wallets were created using an old and weak pseudorandom number generator (PRNG) algorithm as their entropy source. This algorithm was commonly used in early versions of various cryptocurrency wallet providers, which relied on the Javascript platform. The use of such a weak PRNG algorithm can significantly compromise the security and unpredictability of the generated keys, potentially making them more vulnerable to attacks or unauthorized access. Klever strongly recommends immediately migrating old wallets to new wallets created on Klever Wallet K5 or Klever Safe.
Amount of loss: - Attack method: Low Entropy Mnemonic Vulnerability
Description of the event: The LibertiVault contract was attacked, losing about 123 ETH and 56,234 USDT on Polygon, worth about $290,000; 35 ETH and 96,223 USDT on Ethereum, worth about $160,000. Total damages exceeded $450,000. Attackers exploited a reentrancy vulnerability in the LibertiVault contract to repeatedly call the deposit function, manipulate the contract balance, and mint tokens based on incorrect balance calculations.
Amount of loss: $ 450,000 Attack method: Reentrancy Attack
Description of the event: The Arbitrum ecological leverage income agreement Rodeo Finance caused hackers to steal about $1.7 million due to price oracle manipulation, and currently about $816,000 has been recovered in the form of unshETH.
Amount of loss: $ 1,700,000 Attack method: Price Manipulation
Description of the event: Arcadia Finance has been attacked on Ethereum and Optimism, with total profits of $400K. The root cause is that in function vaultManagementAction, the attacker can first transfer all the asset to his own controlled contract and re-entry the function liquidateVault to liquidiate the vault. In this case, the global variable "isTrustedCreditorSet" will be set as false and the Collateral check can be bypassed.
Amount of loss: $ 455,000 Attack method: Contract Vulnerability
Description of the event: CivFund's ETH contract was attacked and lost $180,000. The attacker calls uniswapV3MintCallback to transfer funds approved by other users. Please revoke approval for the contract under attack as soon as possible.
Amount of loss: $ 180,000 Attack method: Contract Vulnerability
Description of the event: Around $126 million worth of tokens have been withdrawn from the Multichain bridge on the Fantom network. 7,200 WETH (approximately $13.7 million) and $4 million in stablecoin DAI (the above four tokens are worth more than $100 million), which also includes other tokens such as Chainlink, YFI, Wootrade Network, and UniDex’s total supply nearly a quarter. Assets also appear to be moving on Multichain’s Moonriver bridge, including 4.8 million USDC and 1 million USDT. Dogechain also experienced abnormal fund flows, and at least 660,000 USDC were sent to the same wallet as Moonriver's fund flows. Multichain tweeted that the “team is unsure of what happened and is currently investigating” and advised users to stop using the service and withdraw contract approval.
Amount of loss: $ 126,000,000 Attack method: Unknown
Description of the event: The Aptos Foundation Twitter account (@Aptos_Network) has been hacked, with hackers directing people to a fraudulent website claiming to participate in a bogus airdrop. Aptos Labs also posted a warning on Twitter, reminding users not to interact with links to fake websites.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: An attacker has successfully compromised the Twitter accounts of popular NFT project Gutter Cat Gang and its co-founders, and used them to post phishing website airdrops claiming to be new NFTs. Instead of receiving the promised tokens, those who authorized contracted their wallets to be emptied. One victim lost 36 NFTs, including a Bored Ape NFT they bought for about $130,000. In total, the attackers managed to steal between $750,000 and $900,000 worth of NFTs, depending on how the resale value was estimated. The next day, the Gutter Cat Gang announced that they had regained control of the Twitter account and deleted the malicious tweet. They said they were cooperating with law enforcement investigating the theft but, to the dismay of some victims, did not describe any plans to compensate those whose assets were lost.
Amount of loss: $ 800,000 Attack method: Twitter was hacked
Description of the event: The cross-chain interoperability protocol LayerZero officially tweeted that its CEO Bryan Pellegrino's Twitter account (@PrimordialAA) was stolen, reminding users not to click on any suspicious links or participate in suspicious activities.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Mike Wazowski Monsters Inc $MIKE and Sid Ice Age $SID on the Ethereum chain have been rugged via a backdoor function that allows unlimited minting of tokens. The scammer has profited 87.9 $ETH, equivalent to about $171,000.
Amount of loss: $ 171,000 Attack method: Contract Vulnerability
Description of the event: After spending nearly $40 million on a new set of Azuki NFTs, the Azuki community was outraged that they were "diluting" a near-replica of the original Azuki collection. To counter what Azuki’s creators called a “blatant scam,” holders who claim to have collectively spent millions of dollars on the Azuki project formed AzukiDAO. The DAO created a governance token, $BEAN, which is distributed to Azuki NFT owners. The DAO then began voting to hire lawyers to sue the creators of Azuki and demand a return of the 20,000 ETH (approximately $38 million) that the Elementals NFTs had spent in total. However, governance tokens were exploited shortly after the DAO was created. Attackers were able to exploit a flaw in the smart contract, and two exploiters stole approximately 35 ETH (approximately $69,000), mainly because the variable signatureClaimed in the contract was not checked properly, resulting in a replay attack. The DAO suspended the contract to prevent further theft.
Amount of loss: $ 69,000 Attack method: Replay Attack
Description of the event: NFT Trader, a P2P digital asset trading protocol, said on Twitter that the website has been attacked, and users are asked to monitor their accounts and beware of phishing attacks. The NFT Trader website will be closed until further notice. Currently, the team is still investigating and the platform has been taken offline to avoid any further issues. NFT Trader stated that this is not a problem with the protocol. It is suspected that someone outside the team inserted a malicious code at the front end. The team will continue to investigate.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Encryption project Encryption AI (0XENCRYPT) crashed 99% as the developers behind it performed a retreat. Losing a total of $2 million, the developer released a message citing his online gambling addiction.
Amount of loss: $ 2,000,000 Attack method: Rug Pull
Description of the event: The Poly Network, a cross-chain interoperability protocol, was attacked again. This attack affected 58 assets on 11 blockchains. According to SlowMist analysis, Poly Network hackers have profited over $10 million worth of mainstream assets. The attackers implanted a Trojan virus into the program compilation environment, allowing them to acquire the consensus keys of Poly Network’s Relay Chain. Subsequently, they utilized these keys to forge cross-chain transactions. The hackers implanted a Trojan horse code block during the program compilation process, obtaining and uploading consensus keys during program startup. They then employed these keys to sign the block header of the forged Poly Network’s Relay Chain, ultimately submitting the forged cross-chain transactions and block header to the target chain to execute the cross-chain exploit.
Amount of loss: $ 10,000,000 Attack method: Trojan horse virus
Description of the event: The Aave fork project on the Pulse chain suffered a governance attack. The hacker first purchased a large number of Aave tokens to obtain the governance authority of the Aave fork project, and then created multiple contracts. The hacker seemed to want to use the governance authority to modify the implementation of the proxy contract Address, using the user's authorization to the contract that has not been canceled, to transfer the user's funds away. Such as WBTC, YFI, BAL, AAVE, UNI and other tokens. Finally, the hacker converted the stolen funds into ETH through the cross-chain bridge protocol, and sent it to the 0xA30190b96FaEe0080144aA0B7645081Fcbf49E6F address of Ethereum. The attacker made a profit of 483 ETH (approximately $930,000).
Amount of loss: $ 930,000 Attack method: Governance Attack