1914 hack event(s)
Description of the event: Polyhedra was exploited due to the compromise of the private keys, which resulted in a loss of 1,400,323 THENA tokens worth approximately $760,000. The contract was maliciously upgraded following the leakage of the private key of the administrator account. The exploiter swapped all of the stolen assets for 1,299 BNB tokens. According to the team, the incident resulted from intentional theft rather than a vulnerability in the contract itself.
Amount of loss: $ 760,000 Attack method: Private Key Leakage
Description of the event: The Blast ecosystem's LaunchPad and yield aggregator BLASTOFF announced that its Future Yield Minter Vault has been hacked, resulting in the theft of approximately 150 ETH (approximately $600,000). The official team has disabled staking in the affected pool and is currently conducting a thorough investigation.
Amount of loss: $ 600,000 Attack method: Unknown
Description of the event: The Unizen defi platform lost around $2.1 million in the Tether stablecoin in an attack that took advantage of a vulnerability an external call from the project smart contract. On March 12th, Unizen's CTO Martin Granström tweeted that they had recovered $185,000 worth of stolen funds from four hackers.
Amount of loss: $ 2,100,000 Attack method: Contract Vulnerability
Description of the event: HumanizedAi (HMZ) is suspected to have exited scam, with the project team profiting 173 ETH (approximately $665,000). The project's Twitter account and website have been shut down.
Amount of loss: $ 665,000 Attack method: Rug Pull
Description of the event: FLOKIAI (FLOKIAI) on the BNB Chain appears to have exit scammed. The address starting with 0xFe54 has exchanged 268,561,795,727,990.23 FLOKIAI tokens for approximately 316.4 BNB, valued at around $148,000.
Amount of loss: $ 148,000 Attack method: Rug Pull
Description of the event: ClosedAI (ClosedAI) appears to have exit scammed on the BNB Chain. The address starting with 0xFe54 has exchanged 277,635,327,881,198.25 ClosedAI tokens for approximately 307.3 BNB, valued at around $13,100.
Amount of loss: $ 131,000 Attack method: Rug Pull
Description of the event: On March 6, TGBS (TGBS) was exploited through a flash loan attack, resulting in a loss of approximately $151k.
Amount of loss: $ 151,000 Attack method: Flash Loan Attack
Description of the event: The Twitter account of the security company @sherlockdefi was hacked, with the attackers using the account to post a tweet containing phishing links.
Amount of loss: - Attack method: Account Compromise
Description of the event: The sPMM algorithm controlling the pricing of WOOFi trades on DEX WOOFi was exploited on Arbitrum. The exploit consisted of a sequence of flash loans that took advantage of low liquidity to manipulate the price of WOO in order to repay the flash loans at a cheaper price. The exploiter repeated this attack 3 times within a very short period of time, which netted about $8.75m in profits after returning the flash loans.
Amount of loss: $ 8,750,000 Attack method: Flash Loan Attack
Description of the event: OrdiZK advertized themselves as a privacy bridge between the Ethereum network and Bitcoin, has exited, resulting in approximately $1.4 million in losses.
Amount of loss: $ 1,400,000 Attack method: Rug Pull
Description of the event: The decentralized cross-chain protocol Shido Network on the Ethereum blockchain appears to be a rug pull. The owner of the SHIDO token staking contract first upgraded the staking contract, then withdrew a large amount of SHIDO tokens, and finally dumped a significant amount of SHIDO tokens at a price of 692 ETH (worth $2.1 million).
Amount of loss: $ 2,100,000 Attack method: Rug Pull
Description of the event: Capital Killer, an anti-capitalist hacker group, revealed on twitter that they have attacked the Grayscale official website, claiming it as a gift to the AVAV community in support of fairness and anti-capitalism. Currently, the Grayscale official website is inaccessible, but the page for Grayscale's Bitcoin ETF GBTC remains accessible.
Amount of loss: - Attack method: Unknown
Description of the event: On February 28th, a vulnerability was discovered in the contract of Seneca, an omnichain CDP protocol on the Ethereum network. Hackers exploited constructed calldata parameters to call transferfrom, transferring tokens authorized to the project contract to their address, ultimately exchanging them for ETH. Seneca was exploited by hackers for over 1900 ETH, valued at approximately $6.5 million. On February 29th, the hacker address of SenecaUSD returned 1537 ETH (approximately $5.3 million) to the deployer address of Seneca.
Amount of loss: $ 6,500,000 Attack method: Contract Vulnerability
Description of the event: Blockchain data storage protocol Serenity Shield tweeted that the MetaMask wallet associated with the project has been compromised. According to blockchain detective ZachXBT, Serenity Shield was robbed of 6.9 million SERSH tokens, valued at approximately $5,600,000.
Amount of loss: $ 5,600,000 Attack method: Unknown
Description of the event: The Twitter account of MicroStrategy, the largest public holder of BTC, appears to have been compromised, with phishing airdrop links being posted. According to on-chain detective ZachXBT, the incident has resulted in the theft of assets worth $440,000.
Amount of loss: $ 440,000 Attack method: Account Compromise
Description of the event: Aleo, a blockchain project that advertises it's a place for "fully private applications" with "built-in privacy" has just emailed private identification documents — including selfies and photographs of government identification cards — to the wrong users. Aleo acknowledged their screw-up on social media, claiming that only ten individuals were impacted, and that it had happened thanks to a "copy/paste error in email metadata".
Amount of loss: - Attack method: Information Leakage
Description of the event: SlowMist founder Cos tweeted that there is a backdoor code in the Tornado Cash IPFS version frontend that hijacks deposit certificates. A governance attack led to malicious proposals being passed, and the malicious code has been present for about two months.
Amount of loss: - Attack method: Governance Attack
Description of the event: RiskOnBlast, a gambling and trading platform on the new ethereum layer-2 Blast blockchain, appears to be a rug pull. On February 25, the platform drained more than 420 ETH (~$1.3 million) from more than 750 user wallets on their platform.
Amount of loss: $ 1,300,000 Attack method: Rug Pull
Description of the event: ZoomerCoin on Ethereum suffered a flash loan attack, resulting in a loss of 14.06 ETH (~ $41k).
Amount of loss: $ 41,000 Attack method: Flash Loan Attack
Description of the event: Axie Infinity co-founder Jihoz tweeted that his personal two addresses have been compromised. The attack is limited to his personal accounts and is unrelated to the validation or operation of the Ronin chain. Additionally, the leaked keys are unrelated to the operations of Sky Mavis. He reassured everyone that strict security measures have been taken for all related activities.
Amount of loss: $ 10,000,000 Attack method: Private Key Leakage