1513 hack event(s)
Description of the event: The official wallet of NFT platform LiveArtX was stolen, and several reserved NFTs were sold. According to MistTrack analysis, the LiveArtX attacker (0x5f78...A920) has transferred 7.3 ETH and 22.39 WETH to Bitkeep, then exchanged it for USDT and transferred it to a new address (0x871e...A575).
Amount of loss: $ 39,000 Attack method: Private Key Leakage
Description of the event: The unopened contract 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 of the MTDAO project party was attacked by a flash loan, and the affected tokens were MT and ULM, with a total profit of 487,042.615 BUSD. The attacker used the functions 0xd672c6ce and 0x70d68294 in the unopened contract to call the sendtransfer function in the MT and ULM token contracts to profit (because they are both deployed by the project party, the unopened contract 0xFaC06484 has minter permission).
Amount of loss: 487,042.615 BUSD Attack method: Flash Loan Attack
Description of the event: The EFLeverVault contract of Earning.Farm was attacked twice by flash loans. The first attack was intercepted by MEV bot, causing the contract to lose 480 ETH; the second hacker completed the attack, and the hacker made a profit of 268 ETH. After analysis, the vulnerability is caused by the contract’s flash loan callback function not verifying the flash loan initiator. The attacker can trigger the contract’s flash loan callback logic by itself: repay the Aave stETH debt in the contract and withdraw cash, and then exchange stETH for ETH. Then the attacker can call the withdraw function to withdraw the ETH balance in all contracts.
Amount of loss: 268 ETH Attack method: Flash Loan Attack
Description of the event: According to the X-explore blog, the hacker address starting with 0x1d37 is stealing GAS by exploiting the FTX vulnerability, minting XEN tokens 17,000 times at zero cost. The reason for this attack is that FTX does not limit the gas limit of the withdrawal transaction while the withdrawal fee is free. Instead, the estimateGas method is used to evaluate the handling fee. This method causes the GAS LIMIT to be mostly 500,000, which exceeds the default value of 21,000 by 24%. times.
Amount of loss: 81 ETH Attack method: Contract Vulnerability
Description of the event: Mango, the Solana ecological decentralized financial platform, tweeted: “A hacker is currently investigating an incident in which a hacker extracted funds from Mango through price manipulation through oracle machines.” According to a detailed report, the protocol was encountered at approximately 6:00 on October 12, Beijing time. Attack, 2 accounts funded by USDC held excessive positions in MNGO-ERP, the underlying price of MNGO/USD on various exchanges (FTX, Ascendex) saw a 5-10 times price increase within a few minutes, Caused Switchboard and Pyth oracles to update their MNGO benchmark prices above $0.15, further causing unrealized profits to increase account value to market long MNGO-ERP, allowing accounts to borrow and withdraw BTC from the Mango protocol (sollet) , USDT, SOL, mSOL, USDC, which made the loan amount of the equivalent deposit of USD 190 million on the platform reached the maximum value, and the net value withdrawn from the account at that time was about USD 100 million.
Amount of loss: $ 100,000,000 Attack method: Flash Loan Attack
Description of the event: Tulip Protocol, a Solana ecological income aggregator and leveraged income farming platform, stated that its exposure to the Mango attack was limited to a portion of the USDC/RAY strategic treasury, namely 2,465,841.497167 USDC and 66,721.925355 RAY, and the funds affected by the Mango attack were about $2.5 million.
Amount of loss: $ 2,500,000 Attack method: Affected by the Mango attack
Description of the event: The total amount of funds affected by the Solana ecological algorithm stablecoin protocol UXD Protocol in the Mango attack is $19,986,134.9037. UXD Protocol stated: “Our insurance fund is sufficient to cover losses. UXD is fully secured and will be redeemable by users once Mango Markets recovers from the exploit. The total insurance fund is $53,527,304.7757. UXD Protocol has suspended UXD minting for Risk minimization. Minting will be re-enabled once we confirm the issue with Mango Markets has been resolved.”
Amount of loss: $ 20,000,000 Attack method: Affected by the Mango attack
Description of the event: The Journey of Awakening (ATK) project suffered a flash loan attack. The attacker attacked the strategy contract of the ATK project (0x96bF2E6CC029363B57Ffa5984b943f825D333614) through a flash loan attack, and obtained a large amount of ATK tokens from the contract. The attackers have exchanged all of the obtained ATK tokens for approximately $120,000 in BSC-USD, and the stolen funds are currently being exchanged for BNB and all transferred to Tornado Cash.
Amount of loss: $ 120,000 Attack method: Flash Loan Attack
Description of the event: The Micro Elements (TME) project is an exit scam, with a drop of more than 95%, and about $548,600 has been stolen. BSC address 0xd631464f596e2ff3b9fe67a0ae10f6b73637f71e.
Amount of loss: $ 548,600 Attack method: Rug Pull
Description of the event: Layer1 blockchain QANplatform (QANX), which is resistant to quantum computing attacks, tweeted that its smart contract cross-chain bridge was attacked, and the attacker managed to extract tokens, reminding users not to perform any transactions related to QANX tokens. According to the findings, the hackers obtained the private keys to the bridge wallet and withdrew more than 1.4 billion QANX tokens worth more than $1 million in two transactions.
Amount of loss: $ 2,000,000 Attack method: Profanity Vulnerability
Description of the event: According to the official announcement of TokenPocket, the official website tokenpocket.pro is currently attacked by abnormal traffic, and the technical team is carrying out emergency maintenance. During the technical maintenance period, the TokenPocket website will not be accessible normally, and the security of user assets will not be affected.
Amount of loss: - Attack method: Abnormal traffic attack
Description of the event: DeBank plug-in wallet Rabby tweeted that its Rabby Swap smart contract has a vulnerability, and users who have used it should revoke Rabby Swap approvals on all chains as soon as possible. According to the analysis of the SlowMist security team, the Rabby Swap contract was attacked, and the token exchange function in the contract was directly called externally through the functionCallWithValue function in the OpenZeppelin Address library. The parameters passed in by the user are not checked, resulting in any external call problems. Attackers exploit this issue to steal funds from users authorized by this contract.
Amount of loss: $ 190,000 Attack method: Contract Vulnerability
Description of the event: The TempleDAO project was hacked, involving an amount of approximately $2.36 million. According to the analysis of the SlowMist security team, in this incident, because the migrateStake function did not check the oldStaking, the attacker could forge the oldStaking contract to add the balance arbitrarily.
Amount of loss: $ 2,360,000 Attack method: Contract Vulnerability
Description of the event: Jumpnfinance project Rugpull, involving an amount of about 1.15 million US dollars. The attacker first calls the 0x6b1d9018() function of the 0xe156 contract to extract the user assets in the contract and store them at the attacker's address (0xd3de02b1af100217a4bc9b45d70ff2a5c1816982).
Amount of loss: $ 1,150,000 Attack method: Rug Pull
Description of the event: The Xave Finance project was hacked, resulting in a 1000x increase in RNBW issuance. The attack transaction is 0xc18ec2eb7d41638d9982281e766945d0428aaeda6211b4ccb6626ea7cff31f4a. The attacker first creates the attack contract 0xe167cdaac8718b90c03cf2cb75dc976e24ee86d3. The attack contract first calls the executeProposalWithIndex() function of the DaoModule contract 0x8f90 to execute the proposal. The content of the proposal is to call the mint() function to mint 100,000,000,000,000 RNBWs and transfer the ownership rights to the attacker. Finally, the hacker exchanged it for xRNBW, which was stored at the attacker's address (0x0f44f3489D17e42ab13A6beb76E57813081fc1E2).
Amount of loss: $ 635 Attack method: Contract Vulnerability
Description of the event: BNBChain was attacked and lost more than 500 million US dollars. According to SlowMist, the hacker’s initial source of funds was ChangeNOW, and the hacker’s address has interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc. Analyst @samczsun posted a post explaining how hackers used Binance Bridge to steal BNB. The attackers stole 1 million BNB twice, but both used the height of 110217401, which is much lower than the normal height. Furthermore, the proof submitted by the attacker is shorter than the legitimate proof, showing that the attacker forged the proof for that particular block. The specific method is to add a new leaf node when the COMPUTEHASH function generates a hash, and then create a blank internal node to satisfy the prover, and exit early after finding a matching hash with the internal node. So far, only two fake verifications have been generated in this way.
Amount of loss: 2,000,000 BNB Attack method: Pseudo-authentication
Description of the event: The Web3 social platform Sex DAO is suspected to have been Rug. The original white paper has been deleted. Over 220,000 USDT and 4.17 billion SED (SEXDAO Token) have been transferred on the chain. Currently, the Sex DAO official website and official Twitter account are inaccessible.
Amount of loss: 220,000 USDT Attack method: Rug Pull
Description of the event: Bitcoin DeFi application Sovryn tweeted that it found a vulnerability affecting the lending pool and was attacked. The attacker used the abandoned lending protocol to withdraw 44.93 RBTC and 211,045 USDT. After the developer detected the attack, the system entered maintenance mode. Half of the funds will be recovered, and any additional losses will be fully compensated by the treasury. A plan to restore system functions and provide post-mortem analysis will also be formulated in the future.
Amount of loss: 44.93 RBTC + 211,045 USDT Attack method: Price Manipulation
Description of the event: According to official news, Transit Swap, a cross-chain trading platform aggregator supported by TokenPocket, was hacked. According to the analysis of SlowMist MistTrack, the stolen assets exceeded 28.9 million US dollars. The hacker's account address is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46. The largest attacker had returned 6,500 BNB (about $1.95 million) on October 10, and on October 13, the attackers returned 3,485 BNB (about $950,000).
Amount of loss: $ 28,900,000 Attack method: Unchecked Input Data
Description of the event: The TokenStakingPoolDelegate contract updated by BXH after the last attack suffered another flash loan attack. The contract lost 40,085 USDT, and the attacker made a profit of 31,794 USDT after paying off the flash loan fee. After analysis, this attack is caused by the use of getReserves() in the contract's getITokenBonusAmount function to obtain the instantaneous quotation, so that the attacker can make a profit by manipulating the quotation.
Amount of loss: 40,085 USDT Attack method: Flash Loan Attack