1508 hack event(s)
Description of the event: The security of the GERA token was compromised due to private key leakage. Hackers transferred the ownership of the smart contract deployer of GERA tokens to another address 0x510E4d61663bE6a24D600AaF90F892dd8c8C61dC.
Amount of loss: $ 1,480,000 Attack method: Private Key Leakage
Description of the event: The project Nereus Finance on AVAX was attacked. The attacker made a profit of about 371,000 USDC by using the classic flash loan attack mode, namely "flash loan -> skew reserve -> fake LP token pricing -> repay the flash loan".
Amount of loss: 371,000 USDC Attack method: Flash Loan Attack
Description of the event: On September 5th, DaoSwap lost 580,000 USDT in an attack. Due to a lack of verification, users could set the inviter’s address to themselves, and the mining rewards were larger than the fees charged during the swap process.
Amount of loss: $ 580,000 Attack method: Reward Mechanism Flaw
Description of the event: Decentralized liquidity protocol Kyber Network disclosed on Twitter that its users lost $265,000 in funds due to a front-end exploit. The vulnerability stems from malicious Google Tag Manager code in the KyberSwap website, where attackers target whale wallets and gain permission to transfer user funds by inserting fake approvals.
Amount of loss: $ 265,000 Attack method: Malicious Code Injection Attack
Description of the event: Privacy project ShadowFi suffered a hack, and its official token SDF fell 98.5%. The attacker exploited a vulnerability in SDF that allowed anyone to burn the token, making a profit of about 1078 BNB (about $300,000). The stolen funds have been transferred to Tornado Cash.
Amount of loss: 1,078 BNB Attack method: Contract Vulnerability
Description of the event: The attacker made a profit of $78,622 through a flash loan on BNB Chain, causing the token CUPID to plummet by more than 90%, and the token VENUS to rise by more than 300% and then fall back.
Amount of loss: 78,623 USDT Attack method: Flash Loan Attack
Description of the event: OptiFi, a derivatives project in the Solana ecosystem, tweeted that at around 6:00 UTC on August 29th, team members tried to perform an update and upgrade on Solana, but the OptiFi mainnet program was shut down due to an operation error and could not be recovered, leaving 661,000 USDC locked (95% of the funds are owned by team members). All user funds will be compensated.
Amount of loss: 661,000 USDC Attack method: Operation error
Description of the event: DDC was exploited and lost $104,600. The cause was a flaw that allowed pool fees to be deducted arbitrarily.
Amount of loss: $ 104,600 Attack method: Contract Vulnerability
Description of the event: Actor and comedian Bill Murray's personal wallet was compromised, resulting in the loss of funds raised by the actor's charity NFT. Hackers stole about 112.05 wETH (worth about $174,000), which was then converted into ETH and sent to 5 EOAs. Eventually it was transferred to Binance. The transfer of the stolen assets did not indicate any malicious behavior, suggesting that a mnemonic phrase was most likely compromised.
Amount of loss: $ 174,000 Attack method: Mnemonic Leakage
Description of the event: Public chain project Sui tweeted that its Discord server had been hacked, and asked users not to click on any links posted on the Discord server in the past 8 hours. According to some replies to the tweet, some users have already lost money by clicking on links posted by the hackers on the Sui Discord.
Amount of loss: - Attack method: Discord was hacked
Description of the event: PokémonFi, a Pokémon piracy project, carried out a rug pull. The project and token first launched in April. The project recently deleted its Twitter account, but its website still exists.
Amount of loss: $ 708,000 Attack method: Rug Pull
Description of the event: Kaoyaswap on BSC appears to have been attacked, with hackers making 37,294 BUSD and 271.2 WBNB. The attack was caused by faulty logic in the Swap function.
Amount of loss: $ 118,000 Attack method: Contract Vulnerability
Description of the event: BSC DEX protocol Kaoyaswap was attacked, losing 37,294 BUSD and 271.2 WBNB. The cause of this attack was a flaw in the Swap value.
Amount of loss: 37,294 BUSD + 271.2 WBNB Attack method: Contract Vulnerability
Description of the event: Sudorare, a Sudoswap imitation project, is suspected of a rug pull. The LOOKS, WETH and XMON tokens in the contract address were transferred to the address starting with 0xbb42 (0xbb42f789b39af41b796f6C28D4c4aa5aCE389d8A) and then sold for ETH on Uniswap, with a total profit of about 519.5 ETH (about 800,000 US dollars). The Sudorare website and Twitter account are now inaccessible. According to the analysis, the initial deployment funds came from the exchange Kraken.
Amount of loss: 519.5 ETH Attack method: Rug Pull
Description of the event: Aurora Labs CEO Alex Shevchenko revealed that an attacker trying to steal funds from Rainbow Bridge was stopped in 31 seconds, losing 5 ETH in the process.
Amount of loss: - Attack method: Fake NEAR blocks
Description of the event: Celer said that cBridge's front-end interface suffered a DNS cache poisoning attack. This attack targeted third-party DNS providers. Celer's own contract was not affected, and Celer will fully compensate users who suffered losses in this incident.
Amount of loss: 128.4 ETH Attack method: BGP Hijacking
Description of the event: The Bribe Protocol promised a DAO infrastructure tool where "token holders get paid to govern", and raised $5.5 million in funding in January to work on their extensive roadmap. However, the project leaders have effectively disappeared. There have been no posts on the project's Twitter account since May, and their Medium page has been untouched since March.
Amount of loss: $ 5,500,000 Attack method: Scam
Description of the event: Acala, a Polkadot ecosystem project, suffered an additional issuance of aUSD due to an error on the chain, which allowed attackers to mint aUSD. The vulnerability caused aUSD to lose its peg to the US dollar, initially falling to $0.60 and then hovering around $0.90. Acala suspended the protocol shortly after the attack and disabled the transfer of the stolen aUSD and the attackers exchanging Acala tokens for some of the aUSD.
Amount of loss: $ 52,000,000 Attack method: On-chain setup error
Description of the event: Yield aggregator Blur Finance withdrew more than $600,000 in assets from BNB Chain and Polygon before deleting websites and social media accounts. The project, which has only been active for about a month, has amassed about 750 users on its initial BNB Chain implementation, which was announced on Polygon on August 5.
Amount of loss: $ 600,000 Attack method: Rug Pull
Description of the event: The Curve Finance frontend was attacked, prompting users to grant token approvals to malicious smart contracts. The attackers moved the stolen funds to FixedFloat and Tornado Cash, with at least 362 ETH (~$620,000) stolen. FixedFloat tweeted that they had frozen 112 stolen ETH (~$192,000).
Amount of loss: $ 428,000 Attack method: Malicious Code Injection Attack