1530 hack event(s)
Description of the event: Browser security plug-in Pocket Universe tweeted that a new vulnerability was discovered in Opensea’s old contracts that could be used to steal users’ NFTs, potentially emptying wallets once the transaction was signed. It can steal any NFT users listed on Opensea before May 2022 (i.e. before Seaport upgrades), mainly involving the Wyvern protocol, which grants proxy contracts the right to withdraw user NFTs, and this new exploit will Trick the user into signing a transaction, giving the attacker ownership of the user's proxy contract. Cosine, the founder of SlowMist, tweeted that it is necessary to be vigilant about the new use of this old problem, which is related to the old OpenSea protocol, but many users of the old protocol have not cancelled the relevant authorization, and this use is invalid for the new OpenSea protocol (Seaport).
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Team Finance tweeted that the protocol’s management funds were hacked during the migration from Uniswap v2 to v3, with an identified loss of approximately $14.5 million worth of tokens. On October 31, the Team Finance white hat hacker address has returned $13.4 million in digital assets, including 548.7 ETH ($860,000) to FEG, 765,000 DAI and 11.8 million TSUKA ($626,000) to Tsuka, about 5 million DAI and 74.6 trillion CAW (~$5.5 million) to CAW, 209 ETH ($328,000) to KNDX, smithbot.eth has returned 263 billion KNDX ($292,000) to KNDX.
Amount of loss: $ 14,500,000 Attack method: Contract Vulnerability
Description of the event: The UvTokenWallet Eco Staking mining pool contract was hacked. The key reason for the vulnerability is that the mining pool contract withdrawal function does not strictly judge the user input, so that the attacker can directly pass in the malicious contract address and use the malicious contract to empty the relevant funds. SlowMist MistTrack conducted a traceability analysis of the funds: so far, hackers have transferred a total of 5,011 BNB of profit to Tornado Cash. In addition, the source of the attack fee is also Tornado Cash.
Amount of loss: 5,011 BNB Attack method: Contract Vulnerability
Description of the event: The project Layer2DAO on Optimism was attacked by hackers. The hackers stole 49.95 million L2DAO tokens and sold some tokens by obtaining the multi-signature permission of Layer2DAO. Layer2DAO said it has repurchased more than 30 million tokens remaining in the hands of hackers through treasury funds. The L2DAO price fell by about 90% at one point.
Amount of loss: 49,950,000 L2DAO Attack method: Permission Stolen
Description of the event: Several FTX users were hacked and stolen coins, which 3Commas said was due to phishing websites. In a collaborative investigation conducted by 3Commas and FTX, it was discovered that some API keys were associated with new 3Commas accounts, but the API keys were not obtained from 3Commas, but from outside the 3Commas platform. At the same time, FTX will provide a total of approximately $6 million in compensation to FTX accounts affected by the phishing incident.
Amount of loss: $ 6,000,000 Attack method: Phishing attack
Description of the event: NFT platform Blur tweeted that it noticed a phishing account with the ID @Blur_DAO and reminded users not to click on fake links. The fake account tweeted that the BLUR token query was now open, and posted a phishing URL.
Amount of loss: - Attack method: Phishing attack
Description of the event: The Discord server of NFT project Vivity was attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: SlowMist founder Cosine tweeted that Gate.io’s official Twitter account may have been hacked. Hackers sent phishing messages to trick users into visiting gąte[.]com. Once you click "Claim", the eth_sign signature phishing will appear, which may lead to the theft of related assets such as Ethereum.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The redeem() function in OlympusDAO’s BondFixedExpiryTeller contract resulted in a loss of approximately $292,000 due to inability to properly validate inputs. The OlympusDAO hacker has returned the stolen funds to the DAO.
Amount of loss: $ 292,000 Attack method: Contract Vulnerability
Description of the event: Aptos ecological wallet Petra tweeted that the Aptos Labs team discovered a vulnerability on Petra on October 20. The mnemonic is related to account creation in existing wallets, and the mnemonic displayed on the page may be inaccurate. To access the exact 12 mnemonic phrases, set up, manage your account, enter your password, and click Show Key Recovery Phrase. Currently, Petra has fixed the vulnerability.
Amount of loss: - Attack method: Mnemonic Vulnerability
Description of the event: The Mango INU (MNGO) project has been confirmed to be an exit scam, and the currency price has dropped by more than 80%. This token project was deployed by attackers at Mango Market and has made a profit of about $48,500.
Amount of loss: $ 48,500 Attack method: Scam
Description of the event: According to Cointelegraph, a vulnerability in the Ethereum Alarm Clock service (Ethereum Alarm Clock) has been exploited, and the hacker has so far made about $260,000 in profit. According to the analysis, hackers managed to exploit a loophole in the scheduled transaction process to profit from the refund of gas fees for canceled transactions. According to Etherscan transaction history, the hackers have obtained 204 ETH, worth about $259,800. It is reported that the Ethereum alarm clock service is to allow users to schedule future transactions by pre-determining the recipient address, sending amount and transaction time.
Amount of loss: $ 260,000 Attack method: Contract Vulnerability
Description of the event: On October 19, the Moola protocol on Celo was attacked, and the hackers made a profit of about $9 million. This attack is a price manipulation attack. The attackers returned about 93.1% of the proceeds to the Moola Market project, donating 500,000 CELO to the impact market. Left a total of 650,000 CELO as a bounty.
Amount of loss: $ 9,000,000 Attack method: Price Manipulation
Description of the event: Metaverse data platform Dataverse tweeted that it has detected hackers attacking the GEO BSC contract, and reminded users not to buy GEO in BSC, any code purchased on BNB Chian from October 19th to 22nd UTC Coins are invalid. It may be caused by the "allow unlimited minting" vulnerability in the minting function of BGEO (Binance GeoDB Coin).
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: As reported by Cointelegraph, the BitBTC team has now fixed the bug after Twitter user @PlasmaPower0 disclosed a “fake minting” bug that existed in the cross-chain bridge between BitBTC and Optimism. It is reported that the vulnerability allows an attacker to fake tokens on one side of the bridge and exchange them for real tokens on the other side. Attackers have tried to extract 200 billion BitBTC tokens from Optimism through this vulnerability, but it is only a test.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The PLTD project was attacked by hackers, all BUSD in its trading pool was sold out, and the attackers gained a total of 24,497 BUSD. This attack mainly exploits the code loopholes in the PLTD contract, reduces the PLTD token balance in Cake-LP (0x4397c7) to 1 through a flash loan attack, and then uses the PLTD in hand to exchange all BUSD into the attack contract .
Amount of loss: 24,497 BUSD Attack method: Flash Loan Attack
Description of the event: According to the official news of the wallet BitKeep, BitKeep Swap was attacked by hackers, and the development team has carried out urgent processing. The hacker's attack has been stopped. The attack was concentrated on the BNB Chain, resulting in a loss of about 1 million US dollars. According to SlowMist MistTrack monitoring, Bitkeep Swap attackers have transferred 4,300 BNB (about $1.18 million) stolen funds to Tornado Cash in the form of 100 BNB each.
Amount of loss: $ 1,180,000 Attack method: Contract Vulnerability
Description of the event: The official wallet of NFT platform LiveArtX was stolen, and several reserved NFTs were sold. According to MistTrack analysis, the LiveArtX attacker (0x5f78...A920) has transferred 7.3 ETH and 22.39 WETH to Bitkeep, then exchanged it for USDT and transferred it to a new address (0x871e...A575).
Amount of loss: $ 39,000 Attack method: Private Key Leakage
Description of the event: The unopened contract 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 of the MTDAO project party was attacked by a flash loan, and the affected tokens were MT and ULM, with a total profit of 487,042.615 BUSD. The attacker used the functions 0xd672c6ce and 0x70d68294 in the unopened contract to call the sendtransfer function in the MT and ULM token contracts to profit (because they are both deployed by the project party, the unopened contract 0xFaC06484 has minter permission).
Amount of loss: 487,042.615 BUSD Attack method: Flash Loan Attack
Description of the event: The EFLeverVault contract of Earning.Farm was attacked twice by flash loans. The first attack was intercepted by MEV bot, causing the contract to lose 480 ETH; the second hacker completed the attack, and the hacker made a profit of 268 ETH. After analysis, the vulnerability is caused by the contract’s flash loan callback function not verifying the flash loan initiator. The attacker can trigger the contract’s flash loan callback logic by itself: repay the Aave stETH debt in the contract and withdraw cash, and then exchange stETH for ETH. Then the attacker can call the withdraw function to withdraw the ETH balance in all contracts.
Amount of loss: 268 ETH Attack method: Flash Loan Attack