1513 hack event(s)
Description of the event: 80% of the funds in the liquidity pool of the DeFi project LaunchZone were suddenly drained. The price of LZ tokens fell by more than 80%, from the previous value of around US$0.15 to US$0.026, and the stolen funds were about US$700,000.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: The DeFi project DND Token (DungeonSwap Token) on BSC has been exploited. The initial funds came from TornadoCash, and the attackers stole over 2,400 BNB (approximately $728,000) from Dungeonswap.
Amount of loss: $ 728,000 Attack method: Contract Vulnerability
Description of the event: @HideYoApes previously owned several expensive NFTs from Yuga Labs, including a Bored Ape, Mutant Ape, three Bored Ape Kennel Club NFTs, a SewerPass, and two Otherdeeds. The attacker sold all the NFTs for a profit of 127.3 wETH (~$208,000). HideYoApes explained on Twitter that he had downloaded and installed the MetaMask wallet extension from MetaMask’s official website.
Amount of loss: $ 208,000 Attack method: Phishing Attack
Description of the event: According to the official blog, The Sandbox issued a security incident notice on February 26 stating that an unauthorized third party gained access to the computer of a team employee and used its permissions to send a false email claiming to be from The Sandbox. Titled "The Sandbox Game (PURELAND) Access," the email contained hyperlinks to malware that could be remotely installed on a user's computer, granting it control of the computer and access to the user's personal information. The Sandbox said that after the unauthorized access was discovered, the recipient was notified and the employee's account and access to The Sandbox were disabled, and no further impact has been identified.
Amount of loss: - Attack method: Phishing Attack
Description of the event: As Coindesk reported, the Solana network experienced a fork event that limited users' ability to execute transactions. According to Solana Explorer, the network was processing about 93 transactions per second at around 2AM ET today, well below the network rate of nearly 5000 TPS about 15 minutes earlier. Such low throughput has prevented users from performing activities such as on-chain transactions and transfers on Solana.
Amount of loss: - Attack method: Fork
Description of the event: On February 24, 2023, Earning.farm’s USDC vault was exploited and lost about 5.15 million USDC.
Amount of loss: $ 5,150,000 Attack method: Flash Loan Attack
Description of the event: The AMM liquidity management protocol Revert Finance disclosed on Twitter that its v3utils contract was attacked, and 90% of the funds were stolen from a single account. The stolen assets included: 22983.235188 USDC, 4106.316699 USDT, 485.5786287699002 OP, 0.18217977664322793 WETH, 36.59093198260223 DAI, 211.21463945524238 WMATIC and 22 Premia. At current prices, that's about $29,000.
Amount of loss: $ 29,000 Attack method: Contract Vulnerability
Description of the event: The Baby Doll (BABYDOLL) project was hit by a flash loan attack, losing 25 BNB (~$7,900). BSC contract address is 0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2
Amount of loss: $ 7,900 Attack method: Flash Loan Attack
Description of the event: Hackers exploited a vulnerability in the Dexible smart contract code to withdraw funds from crypto wallets that had approved the contract to spend them. The team added that "a small number of whales" lost 85% of the funds stolen in the attack. On-chain data shows that Block Tower Capital, a digital asset investment company, was one of the victims. The address labeled Block Tower Capital had $1.5 million worth of TRU tokens stolen in this incident. The attackers transferred TRU tokens to SushiSwap for ether (ETH) and then to TornadoCash.
Amount of loss: $ 1,500,000 Attack method: Affected by Dexible events
Description of the event: The stablecoin trading project Platypus encountered a flash loan attack on AAVE, resulting in a total asset loss of approximately $9 million. According to the analysis, the vulnerability seems to lie in the check performed by the emergencyWithdraw function of the MasterPlatypusV4 contract, which only fails when the borrowed assets exceed the borrowing limit. The function then proceeds to transfer all of the user's deposit assets regardless of the value of the user's borrowed assets. On Feb. 18, The Block reported that at least $2.4 million has been recovered with the help of security firms after the Platypus hack.
Amount of loss: $ 9,000,000 Attack method: Flash Loan Attack
Description of the event: The DEX tool Dexible was suspected of being attacked and lost about $2 million. According to the analysis, there is a logic flaw in the selfSwap function of the Dexible contract, which calls the fill function. The fill function makes a call using attacker-supplied custom data. The attacker constructs a transferFrom call in this data, passing in another user's address (0x58f5f0684c381fcfc203d77b2bba468ebb29b098) and its own attack address (0x684083f312ac50f538cc4b634d85a2feafaab77a), so that the tokens the user had authorized to the contract are transferred by the attacker.
Amount of loss: $ 2,000,000 Attack method: Contract Vulnerability
Description of the event: Multichain's AnyswapV4Router contract suffered a rush attack, and the attacker made a profit of about 87 ETH, about $130,000. According to the analysis, the attacker used the MEV contract (0xd050) to pre-emptively call the anySwapOutUnderlyingWithPermit function of the AnyswapV4Router contract before the normal transaction was executed (the user had authorized WETH but had not yet performed the transfer). Although the function verifies the token's permit signature, the WETH stolen this time has no corresponding signature verification function and only triggers a deposit function in its fallback. In subsequent function calls, the attacker can directly use the safeTransferFrom function to transfer the WETH that the _underlying address had authorized to the attacked contract over to the attack contract, without signature verification.
Amount of loss: $ 130,000 Attack method: Rush Attack
Description of the event: The email account of domain name registrar Namecheap has been hacked and hackers are using the account to send phishing emails. According to a report by BleepingComputer, the phishing campaign originated from SendGrid, an email platform used by Namecheap to send marketing emails and renewal notifications. The phishing emails pretended to be from logistics provider DHL and cryptocurrency wallet MetaMask. The email posing as MetaMask stated that the recipient's account had been suspended and would need to complete a KYC verification process before it could be reactivated. The email also contained a Namecheap marketing link that redirected users to a fake MetaMask page that asked users to enter their seed phrase or private key, seeking to steal the recipient's personal information and cryptocurrency wallet assets. The official MetaMask response stated that MetaMask will not collect KYC information, nor will it send emails to users about their accounts.
Amount of loss: - Attack method: Phishing Attack
Description of the event: Cybersecurity startup Unciphered has carried out an attack on encrypted hardware wallets made by OneKey. In a video on YouTube, Unciphered demonstrates a so-called "man-in-the-middle" wallet attack method that exploits a vulnerability to extract a mnemonic seed phrase, or private key, from a OneKey Mini hardware wallet. OneKey acknowledged the vulnerability in a statement and said that no one was affected as it had updated the security patch. OneKey said it has paid a bounty to Unciphered.
Amount of loss: - Attack method: "Man-in-the-middle" attack
Description of the event: The project fcdep (EPMAX) on BSC was hit by a flash loan attack, and the loss was about 350,000 US dollars.
Amount of loss: $ 350,000 Attack method: Flash Loan Attack
Description of the event: The DeFi aggregation platform dForce was attacked on Arbitrum and Optimism, and the attackers made a profit of about 3.65 million US dollars. According to the analysis of SlowMist, the root cause of this attack is that, when removing liquidity from the wstETH/ETH pool, native tokens are transferred first and the LP tokens are burned afterwards. The attacker used the callback triggered on receiving native tokens to re-enter, manipulate the virtual price and liquidate other users for profit. On February 13, dForce tweeted that the attackers had returned all stolen funds to the project multi-signature addresses on Arbitrum and Optimism, and all affected users would be compensated.
Amount of loss: $ 3,650,000 Attack method: Price Manipulation
Description of the event: SushiSwap's BentoBoxv1 contract was attacked, and the hacker made a profit of about $26,000. According to analysis, the attack was possible because the Kashi Medium Risk ChainLink price was updated later than the collateral deposit and borrow. In the two attack transactions, the attacker flash-loaned 574,275 and 785,560 xSUSHI respectively. After the collateral deposit and borrow, the price of kmxSUSHI/USDT in the LINK Oracle dropped by 16.9%. By exploiting this price gap, the attacker was able to call the liquidate() function to liquidate and obtain 15,429 and 11,333 USDT.
Amount of loss: $ 26,000 Attack method: Price Manipulation
Description of the event: Umami Finance, a DeFi protocol on Arbitrum, offers yield products to institutional clients. On January 31, they announced they were suspending yields, saying they were concerned about regulatory tactics. Soon after, the project CEO started dumping tokens on the market, cashing out 44,000 UMAMI tokens. These were ostensibly priced at $800,000, and although the sell-off sent UMAMI prices crashing by more than 60%, the CEO still netted around $380,000 in USDC.
Amount of loss: $ 380,000 Attack method: Rug Pull
Description of the event: A fake token project named "Nostr" on the Ethereum chain has carried out a rug pull, and its funds have been transferred to a new EOA address 0xeeB8EB5CC144eDddDB204c3ABA499de6b6081696. In the end, the fraudsters made a profit of 232.1 ETH, worth about $370,000. The token contract is 0xA2be922174605BAd450775C76CEb632369480336.
Amount of loss: 232.1 ETH Attack method: Rug Pull
Description of the event: The LianGoPay project announced on February 7 that its assets in the LGTPool staking contract on the BNB Chain were stolen: 6,148,859 LGT reward tokens were taken, a loss of about 1.6 million US dollars. According to analysis, the reason for the theft was that the owner administrator of LGTPool created a fake LP token staking pool (Pool No. 3), and then the thief staked a large amount of LP tokens in the pool and obtained 6.14 million LGT reward tokens.
Amount of loss: $ 1,600,000 Attack method: Leveraging fake LP staking pools