1513 hack event(s)
Description of the event: SperaxUSD, a stablecoin protocol in the Arbitrum ecosystem, tweeted that an attacker increased the token balance of his address to 9.7 billion without providing the corresponding collateral. Approximately $300,000 was liquidated before the Sperax team and Arbitrum ecosystem partners jointly stopped the attack.
Amount of loss: $ 300,000 Attack method: Contract Vulnerability
Description of the event: Orion Protocol, an exchange aggregation platform, suffered a reentrancy attack and lost about $3 million in assets. The attackers have transferred some of the cryptocurrency to Tornado Cash. Orion Protocol CEO Alexey Koloskov tweeted that no users suffered any losses in the incident and that all users' funds are safe, including staking, Orion Pool, bridges, and liquidity providers. The assets at risk were held in in-house brokerage accounts run by the Orion team. The problem was not caused by a flaw in the core protocol code, but may have been caused by a bug in a mix of third-party libraries in its experimental and smart contracts used by private brokers.
Amount of loss: $ 3,000,000 Attack method: Reentrancy Attack
Description of the event: Non-custodial lending platform BonqDAO and crypto infrastructure platform AllianceBlock were hacked due to a bug in BonqDAO's smart contracts, resulting in losses of approximately $120 million. The hackers removed approximately 114 million WALBT ($11 million), AllianceBlock's wrapped native token, and 98 million BEUR tokens ($108 million) from a BonqDAO vault. According to SlowMist's analysis, the root cause of the attack is that the collateral required to submit a quote to the oracle is much lower than the profit obtained by the attack, so the attacker could manipulate the market and liquidate other users by maliciously submitting wrong prices. In addition, AllianceBlock stated that the incident has nothing to do with the BonqDAO vault, that no smart contracts were breached, and that both teams are working on removing liquidity to limit the hackers' ability to convert the stolen tokens into other assets.
Amount of loss: $ 120,000,000 Attack method: Price Manipulation
Description of the event: The BEVO NFT Art Token (BEVO) on BSC was exploited, with a total loss of approximately $45,000. The root cause is that BEVO is a deflationary token: when the attacker calls the function deliver(), the value of _rTotal decreases, which in turn affects the return value of getRate(), which is used to calculate the balance. After manipulating the token balance, the attacker calls the function skim to transfer the increased PancakePair balance to his own account. Finally, the attacker calls the function deliver() again and exchanges the increased BEVO back to WBNB.
Amount of loss: $ 45,000 Attack method: Reward Mechanism Flaw
Description of the event: According to official news, the NFT project Azuki confirmed that its Twitter account was hacked and that the team has regained control of the account. The hackers posted two tweets on Azuki's Twitter account prompting users to claim virtual land, one of which was pinned to the top. Azuki officials remind users to be alert to this scam and not to click on any links.
Amount of loss: 618 ETH Attack method: Twitter was hacked
Description of the event: Kevin Rose, the founder of the NFT project Moonbirds, tweeted that his personal wallet was hacked and that 25 Chromie Squiggles and other NFTs were lost, with an estimated loss of more than $1 million. Arran Schlosberg, vice president of engineering at Proof Collective, said that Proof's NFTs are safe after Kevin Rose was hacked and lost $1 million. Schlosberg said the phishing attack tricked Rose into signing a malicious signature, and the hackers then transferred his valuable NFTs.
Amount of loss: $ 1,000,000 Attack method: Phishing Attack
Description of the event: The Robinhood Twitter account was hacked and used to promote a fraudulent crypto project. The hackers announced the launch of a new token called $RBH, which they said would be priced at $0.0005 on Binance Smart Chain. About 25 people purchased the fraudulent tokens for a total of just under $8,000 before the link was removed. Robinhood said in a blog post that the unauthorized content posted on Robinhood's Twitter, Instagram and Facebook accounts was removed within minutes, and that the team believes the source of the incident was a third-party vendor.
Amount of loss: $ 8,000 Attack method: Twitter was hacked
Description of the event: Doglands, a multi-purpose GameFi and DeFi protocol in the Dogechain ecosystem, may have carried out an exit scam. The project's on-chain contract addresses, 0x106E6a2D5433247441c1Cdf4E3e24a0696a46d0, 0x12b17 and 0x0e815, drained all the reserves in the LP tokens, worth about $204,000. The funds have since been moved to Ethereum through a cross-chain bridge and transferred to multiple addresses. Doglands has deleted its official Twitter account and website.
Amount of loss: $ 204,000 Attack method: Rug Pull
Description of the event: It is reported that the FFF token deployed on BSC had an abnormal additional issuance event. An administrator of the original project team purchased the additional issue through a pre-set additional issuance contract, then sold the additionally issued tokens and transferred part of the acquired assets. More than US $1.03 million of FFF tokens were sold in this incident.
Amount of loss: $ 1,030,000 Attack method: Insider Manipulation
Description of the event: Thoreum Finance was hacked. According to analysis, the transfer function of the closed-source contract 0x79fe created by the Thoreum Finance project team is suspected to contain a vulnerability: when the from and to addresses of the transfer function are the same, the balance doubles on a transfer to oneself because temporary variables are used to store the balance. The attacker repeated the operation many times and finally made a profit of 2,000 BNB, worth about 580,000 US dollars.
Amount of loss: $ 580,000 Attack method: Contract Vulnerability
Description of the event: The OMNI Real Estate Token (ORT) project on BSC was attacked. The cause of the attack is suspected to be a vulnerability in the contract code. The attacker's address is 0x9BbD94506398a1459F0Cd3B2638512627390255e, and one of the attack contracts is 0x0eFfECA3dBCBcda4d5e4515829b0d42181700606. The initial gas for the attack came from FixedFloat, and the attacker made more than 236 BNB, worth about $57.
Amount of loss: $ 70,705 Attack method: Contract Vulnerability
Description of the event: Due to a read-only reentrancy problem when interacting with the Curve liquidity pool, the cross-chain money market solution Midas Capital was attacked and exploited in the Polygon liquidity pool of the stablecoin protocol Jarvis, and has lost $650,000.
Amount of loss: $ 650,000 Attack method: Reentrancy Attack
Description of the event: Crypto KOL NFT God tweeted that hackers broke into their Twitter, Substack, Gmail, Discord and wallets, that they lost all their crypto assets and NFTs, and that the hackers also posted fraudulent links through the stolen accounts. The reason for the hack was that the Ledger was set up as a hot wallet instead of a cold wallet on the new device, and the mnemonic was imported and used in a wallet on the networked computer. Then, when downloading the video streaming software OBS for a game live stream, they clicked a sponsored link on Google, and the site downloaded malware that gave hackers access to their funds. Yu Xian, the founder of SlowMist, said that the core reason is that the computer ran a game program containing a Trojan horse, and the mnemonic for the crypto assets was used on this Internet-connected computer, so it may have been stolen by hackers.
Amount of loss: - Attack method: Malicious software
Description of the event: According to SlowMist, LendHub, a cross-chain lending platform in the HECO ecosystem, was suspected of being attacked and lost nearly 6 million US dollars. The main hacker profit address is 0x9d01..ab03. The reason for this attack is that there are two lBSV cTokens in LendHub, one of which was abandoned in April 2021 but never removed from the market, so both the old and the new lBSV exist in the market. Moreover, the Comptrollers corresponding to the old and new lBSV are not the same, but both have prices in the market, which results in a split in the calculation of liabilities between the old and new markets. The attackers took advantage of this problem to redeem collateral in the old market and carry out lending operations in the new market, maliciously extracting protocol funds from the new market. The source of the hacker's attack fee is the 100 ETH received from Tornado.Cash on January 12. SlowMist said that some traces of the hackers have been obtained through its threat intelligence network.
Amount of loss: $ 6,000,000 Attack method: Contract Vulnerability
Description of the event: RoeFinance was attacked. The victim pool (0x574f) has just been emptied, with a total loss of about $80,000. This is a typical price manipulation attack.
Amount of loss: $ 80,000 Attack method: Price Manipulation
Description of the event: A vulnerability known as CVE-2022-3656 affects more than 2.5 billion users of Google Chrome and Chromium-engine-based browsers. This vulnerability allows the theft of sensitive files such as crypto wallets and cloud provider files. The vulnerability was discovered by examining how the browser interacts with the file system. Specifically, the browser did not properly check whether a symlink pointed to a location that should not be accessible, allowing sensitive files to be stolen. This problem is often referred to as symbolic link following. Attackers may use crypto phishing sites to gain access to users' sensitive files.
Amount of loss: - Attack method: Browser Vulnerability
Description of the event: On January 10, Sui Name Service, an ecosystem domain name service provider, posted on social media that its Discord server had been attacked that day by a former employee, and that the attacker posed as an administrator. Sui Name Service is currently restoring role labels for users.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The price of the BRA token on BNB Chain has gone to zero. According to the analysis, the token is taxed during transactions, the tax collected is sent directly to the trading pair, and the tax is added twice. Under this mechanism, after many such transactions, the number of tokens in the trading pair continues to increase. At the same time, any user can call the skim function to retrieve the extra tokens in the trading pair, which results in the actual number of tokens exceeding the issuance limit. This BRA token attack caused a loss of 820 WBNB. The attacker's address is 0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B.
Amount of loss: 820 WBNB Attack method: Taxation Mechanism Flaw
Description of the event: The official Twitter account of the NFT project Chimpers was hacked and taken over, and multiple links to fake websites were published to lure users into minting NFTs through the links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The Web3 Twitter marketing platform Twity tweeted that there was a security vulnerability in its system: a technician's Telegram account was compromised, and the chat history contained project information and a wallet private key, resulting in the disclosure of administrator account information. The team is currently holding an emergency meeting to work out solutions. A snapshot of all user assets and NFT information will be taken. The specific solution will be published separately once it has been formulated.
Amount of loss: - Attack method: Telegram was hacked