834 hack event(s)
Description of the event: Raccoon Network and Freedom Protocol are scam projects, scammers have transferred 20 million BUSD (IDO) to address 0xf800...469336.
Amount of loss: $ 20,000,000 Attack method: Scam
Description of the event: The permissions of the relevant administrators of the Discord of the Tableland project party were stolen. It is understood that after joining an external Discord server, Tableland members clicked the verification steps of a bot named "Dyno" and clicked a bookmark button with malicious javascript, and were then prompted to interact with the bookmark, triggering the malicious script to run. The attacker got hold of the admin account and posted a link on the announcement channel containing a fake website, anyone who clicked on the link and followed the wallet instructions would grant the attacker access to any NFTs held in their account.
Amount of loss: - Attack method: Discord malicious bookmarks
Description of the event: The NFT access list tool PREMINT issued an alert through its official Twitter, because some users reminded that the tool's website was hacked, and the collections of NFT collectors have been stolen. Subsequently, the blockchain security company SlowMist confirmed that the PREMINT website was attacked by hackers. Hackers carried out phishing attacks by implanting malicious JS (JavaScript) files in the website, deceiving users to sign the transaction of "set approvals for all", thereby stealing users. of NFT assets. The attack lost about 280 ETH in total, amounting to $381,818, making it one of the biggest NFT hacks of the year.
Amount of loss: 280 ETH Attack method: Malicious JS Attack
Description of the event: On July 16, hackers compromised the Twitter account of well-known NFT artist DeeKay. The 180,000 followers of DeeKay's hacked Twitter account saw it post a link announcing a limited number of new airdrops, which directed them to a phishing site that mimicked DeeKay's real site. One victim lost 4 Cool Cat NFTs and 3 Azuki NFTs with reserve prices around 4 ETH (~$5,350) and 12 ETH (~$16,200) respectively. The total value of the stolen NFTs was approximately $150,000. DeeKay said he wasn't sure how his Twitter account was stolen, but "guessed that 2FA was shut down at a specific time."
Amount of loss: $ 150,000 Attack method: Twitter account hacked
Description of the event: An official incident report from Impermax Finance stated that a hacker was able to steal approximately 9M IMX from several wallets controlled by the team. The IMX was not sold immediately after the hackers stole the funds. So the official team decided to get a head start by dumping a lot of tokens on the market before the hackers did anything. The Impermax lending protocol is completely immune to this, as the attack is caused by stolen private keys, not a bug in the smart contract.
Amount of loss: 9,000,000 IMX Attack method: Private key stolen
Description of the event: SpaceGodzilla was attacked by price manipulation and lost approximately 25,379 USDT.
Amount of loss: $ 25,379 Attack method: price manipulation
Description of the event: Staking platform Freeway tweeted, “The price of its token FWT fluctuated violently on July 13 and is currently under investigation. Freeway’s blockchain bridging service provider Coffe was attacked, and a large number of FWT tokens were bridged from Coffe’s It was removed from the wallet and subsequently sold. There was no damage to the Freeway platform, nor was the Supercharger affected. However, Freeway temporarily disabled FWT withdrawals, deposits and purchases on the platform.”
Amount of loss: - Attack method: Unknown
Description of the event: SpaceGodzilla, a project on the BSC chain, was attacked by hackers with a flash loan. Hackers used flash loans to borrow large amounts of money, manipulated the price of SpaceGodzilla in the trading pool on PancakeSwap, and exploited vulnerabilities in the project for arbitrage. At present, the hacker has exchanged the 25,378.78 BUSD profited from this attack to BNB and transferred it through Tornado.Cash.
Amount of loss: 25,378.78 BUSD Attack method: Flash loan attack
Description of the event: Multi-chain NFT protocol Citizen Finance claims to have been attacked by an outside party that gained access to the private keys of BNB and the Polygon chain. The attackers used their access to transfer 244 BNB (~$55,000), 57,637 MATIC (~$32,300), and 7,000 USDC, for a total of about $94,300.
Amount of loss: $ 94,300 Attack method: Private key leak
Description of the event: More than 70,000 addresses connected to Uniswap were airdropped tokens that tricked users into approving transactions that would allow attackers to control their wallets. The airdrop links users to a phishing site that resembles the real Uniswap site. Users are tricked into signing contracts, and cryptocurrencies and NFTs are stolen from wallets. One of the wallets lost more than $6.5 million worth of ether and bitcoin, and the other lost about $1.68 million worth of cryptocurrency.
Amount of loss: $ 12,900,000 Attack method: Phishing attack
Description of the event: Decentralized NFT financialization protocol Omni X has been attacked and stolen funds have been transferred to Tornado.cash. The main reason for this attack is that the burn function will call the callback function externally to cause the reentrancy problem, and the liquidation function uses the old vars value for judgment, resulting in the user's status identification even after reentrancy and then borrowing. Being set as unborrowed results in no repayments.
Amount of loss: 1,300 ETH Attack method: Reentry attack
Description of the event: BIFROST officially released a report saying that the BTC address registration server of the BiFi service was attacked. According to the analysis, the attack was limited to the BTC address registration server, and neither the smart contract nor the BiFi protocol detected the vulnerability. BiFi issues and uses an address for each user who deposits BTC. The deposit addresses are signed and delivered to the address issuing server and the addresses are reflected on BiFi only in the case when the signature is verified. In the attack, the server key of the address issuing server was exposed and the attacker was able to self-sign their own deposit address. Since the attacker could generate a valid signature on the deposit address, BiFi mistakenly recognized the attacker’s BTC transfer as a BTC deposit into BiFi. As a result, the attacker was able to borrow 1,852 ETH with fake deposit.
Amount of loss: 1,852 ETH Attack method: The server key was exposed
Description of the event: A fake Shade Inu Token project deployer removed approximately $101,000 (424 BNB) of liquidity from the liquidity pool. After investigation, this Shade Inu Token was identified as a scam, the project launched a fake Shade Inu Token, created a WBNB/SadeIT pool with the initial 200 BNB and provided liquidity to it, so the deployer made a total profit of about $53,000 ( 224 BNB).
Amount of loss: 224 BNB Attack method: Scam
Description of the event: The centralized liquidity DeFi application Crema Finance on the Solana chain announced its shutdown due to a hacker attack. The official Twitter of the protocol quoted information from the on-chain browser SolanaFM, saying that the value of the lost encrypted assets was $8.782 million. Early this morning, Crema Finance disclosed the attacked thread, saying that hackers bypassed contract checks by creating a fake price change data account (Tickaccount), and then used fake price data and flash loans to steal huge fees from the fund pool. On July 7, Crema Finance said on Twitter that after a long negotiation, Crema Finance attackers agreed to collect 45,455 SOL (about $1.682 million) as a white hat bounty, and had returned 6,064 Ethereum and 23,967.9 SOL (approximately $8.1 million).
Amount of loss: $ 1,682,000 Attack method: Flash loan attack
Description of the event: According to Forbes, the official Twitter and YouTube accounts of the British Army were hacked and posted about cryptocurrencies and NFTs. The Twitter account retweeted posts promoting NFTs, and the YouTube account uploaded a video about Elon Musk and cryptocurrencies. Currently, all NFTs and encrypted content have been removed from both accounts.
Amount of loss: - Attack method: Media account hacked
Description of the event: Quiuixotic, the largest NFT platform in the Optimism ecosystem, has a serious vulnerability, and a large number of user assets have been stolen. Users who have traded on this market should cancel their authorization as soon as possible. According to SlowMist analysis, only the sell order is checked in the fillSellOrder function of the market contract, and the buyer's buy order is not checked. Therefore, the attacker first creates an arbitrary NFT contract, calls the fillSellOrder function to generate a sell order, and passes the buyer parameter as the victim's address and the paymentERC20 parameter as the token address to be stolen, then the user who is authorized to the market contract can be transferred. Tokens are transferred for profit.
Amount of loss: 220,000 OP Attack method: The buyer's purchase order is not checked
Description of the event: Polygon Chief Information Security Officer Mudit Gupta tweeted that two remote procedure call (RPC) interfaces of Polygon and Fantom were affected by a Domain Name System (DNS) hijacking attack on Friday. The reason was that a hacker hijacked Ankr's Domain Name System (DNS) to steal the user's seed stage, and Ankr quickly recovered the error and said no funds were lost.
Amount of loss: - Attack method: DNS Hijacking
Description of the event: Metaverse project Quint was hacked and lost $130,000. The root cause of the attack is that when the reStake function executes the reStake reward reStake, the reward amount of the LP token is not updated, so that the attacker can claim the issued reward multiple times.
Amount of loss: $ 130,000 Attack method: Bonus update bug
Description of the event: $MAD was hacked, and the hacker transferred all $MAD in the contract by directly calling the transfer function of the contract holding the token, and finally made a profit of $556 BNB (worth about $115,681), which was then transferred to Tornado.Cash. The reason is that the sensitive function was not checked in the contract that holding tokens, resulting in anyone can directly call the 0x9763a894 function to transfer out the tokens held in the contract.
Amount of loss: $ 115,681 Attack method: Function vulnerability
Description of the event: The NFT liquidity solver XCarnival was attacked, the hacker made a profit of 3,087 ETH (about 3.8 million US dollars), and the hacker has returned 1,467 ETH after the negotiation. The core of this vulnerability is that when borrowing, there is no judgment on whether the NFT in the order has been withdrawn.
Amount of loss: 1,620 ETH Attack method: Contract vulnerabilities