1914 hack event(s)
Description of the event: Trader Joe, the largest native DEX on Avalanche, tweeted that the team's preliminary analysis identified a potential exploit in a 3rd party analytics plugin hacked JavaScript code used by the frontend.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: DEX SpookySwap on Fantom tweeted that the team is investigating a frontend vulnerability on their domain. Please do not execute any transactions on the DEX. On November 19, Spooky updated that a 3rd party JavaScript plugin enabled code injection from npm packages. This enabled replacing the spooky router contract on the Spooky Fi frontend with a malicious contract which sent funds that users attempted to swap to the exploiter.
Amount of loss: $ 5,000 Attack method: Malicious Code Injection Attack
Description of the event: About $9m from the dYdX v3 insurance fund were used to fill gaps on liquidations processed in the YFI market, and the CEO said this was pretty clearly a targeted attack against dYdX, including market manipulation of the entire $YFI market.
Amount of loss: $ 9,000,000 Attack method: Price Manipulation
Description of the event: PIPI (PIPI) on BSC is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 99.92% price decline.
Amount of loss: $ 121,373 Attack method: Rug Pull
Description of the event: Lendora Protocol on Scroll is suspected of an exit scam. The website is now offline and the contracts were paused.
Amount of loss: - Attack method: Rug Pull
Description of the event: BABYFIDO (BABYFIDO) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 81,400 Attack method: Rug Pull
Description of the event: Builders NFT (BuiLDerS) on BSC is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 89,296 Attack method: Rug Pull
Description of the event: Exzo Network tweeted that a recent security breach targeted Exzo ($XZO), resulting from a compromised owner/admin account. The malicious group utilized the compromised admin wallet to transfer the 'ownership' role of Exzo ($XZO) to their wallet, enabling them to mint a substantial amount of $XZO and drain 169 ETH from the XZO/ETH liquidity pool on Uniswap. The attackers also transferred a total of 69 ETH and the remaining XZO in the admin wallet to their own wallet(s).
Amount of loss: $ 470,498 Attack method: Wallet Stolen
Description of the event: The stablecoin protocol Raft protocol on Ethereum was attacked and lost about $3.3 million in ETH.
Amount of loss: $ 3,300,000 Attack method: Flash Loan Attack
Description of the event: The multisignature wallet addresses of the DAO project Samudai and the wallet of its founder appear to have been compromised, resulting in a loss of approximately $1.25 million.
Amount of loss: $ 1,250,000 Attack method: Wallet Stolen
Description of the event: On November 10, the Poloniex exchange was hacked. According to the analysis of the SlowMist, the Poloniex hack currently affects about $130M.
Amount of loss: $ 130,000,000 Attack method: Unknown
Description of the event: God Of Wealth (GOW39) is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 206,251 Attack method: Rug Pull
Description of the event: On November 8, 2023, CoinSpot was exploited across two of its hot wallets, resulting in a loss of over 1,283 ETH, worth approximately $2.472 million.
Amount of loss: $ 2,472,000 Attack method: Private Key Leakage
Description of the event: Mirage Finance has been exploited for ~$12K, $MRG has dropped 54%.
Amount of loss: $ 12,000 Attack method: Unknown
Description of the event: The MEV Bot (0x05f016765c6c601fd05a10dba1abe21a04f924a5) was exploited and lost about 1k ETH! The core reason is that the 0xf6ebebbb function used to trigger arbitrage in the contract lacks authentication. The attacker calls this function to exchange the tokens in the contract into the pool on curve, and then uses funds of the flash loan to reverse exchange and obtain profit.
Amount of loss: $ 2,152,392 Attack method: Flash Loan Attack
Description of the event: On November 7, TheStandard.io was exploited for ~$290k. The key vulnerability here was the low liquidity in the PAXG pool, which the attacker exploited to manipulate the market. On November 9, 243k $EUROs has been returned to the protocol from the attacker which will be burned in due process.
Amount of loss: $ 290,000 Attack method: Liquidity Exploit
Description of the event: Multi-chain launchpad platform TrustPad tweeted that one of the staking contracts was attacked. According to SlowMist's analysis, the lock time was manipulated due to obtaining an incorrect LockStartTime.
Amount of loss: $ 155,000 Attack method: Contract Vulnerability
Description of the event: A fake Ledger Live app on the official Microsoft App Store which was resulted in 16.8+ BTC ($588K) stolen.
Amount of loss: $ 588,000 Attack method: Fake Application
Description of the event: Tellor's Twitter account was compromised, and the hacker posted a phishing link related to the $TRB airdrop.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to @fraxfinance, Frax Finance's DNS has been attacked. Please don’t use http://frax[.]finance and http://frax[.]com domains until further notice.
Amount of loss: - Attack method: DNS Hijacking Attack