1513 hack event(s)
Description of the event: Celer said that cBridge's front-end interface suffered from DNS cache poisoning attacks. This attack targeted third-party DNS providers. Celer's own contract was not affected, and users who suffered losses in this incident, Celer, will be fully compensated.
Amount of loss: 128.4 ETH Attack method: BGP Hijacking
Description of the event: The Bribe Protocol promised a DAO infrastructure tool where "token holders get paid to govern", and raised $5.5 million in funding in January to work on their extensive roadmap. However, the project leaders have effectively disappeared. There are no posts on the project's Twitter account since May, their Medium page has been untouched since March.
Amount of loss: $ 5,500,000 Attack method: Scam
Description of the event: The Polkadot ecological project Acala caused an additional issuance of aUSD due to an error on the chain, allowing attackers to mint aUSD. The vulnerability caused aUSD to lose its peg to the US dollar, initially falling to $0.60 and hovering around $0.90. Acala suspended the protocol shortly after the attack and disabled the transfer of the stolen aUSD and the attackers exchanging Acala tokens for some of the aUSD.
Amount of loss: $ 52,000,000 Attack method: On-chain setup error
Description of the event: Yield aggregator Blur Finance withdrew more than $600,000 in assets from BNB Chain and Polygon before deleting websites and social media accounts. The project, which has only been active for about a month, has amassed about 750 users on its initial BNB Chain implementation, which was announced on Polygon on August 5.
Amount of loss: $ 600,000 Attack method: Rug Pull
Description of the event: The Curve Finance frontend was attacked, prompting users to grant token approvals to malicious smart contracts. The attackers moved the stolen funds to FixedFloat and Tornado Cash, with at least 362 ETH (~$620,000) stolen. FixedFloat tweeted that they had frozen 112 stolen ETH (~$192,000).
Amount of loss: $ 428,000 Attack method: Malicious Code Injection Attack
Description of the event: According to SlowMist, the EGD Finance project on BSC was attacked by hackers, resulting in the unexpected withdrawal of funds from its pool. The SlowMist security team analyzed this and said that this incident was because the price-feeding mechanism for calculating rewards when EGD Finance's contracts obtained rewards was too simple, resulting in the token price being manipulated by flash loans for profit.
Amount of loss: 36,000 BUSD Attack method: Price Manipulation
Description of the event: Saxon James Musk has Rug Pull. Project developers suddenly sold their token share for around 1355 WBNB (~$442,000), causing the token price to plummet by over 68%.
Amount of loss: 1,355 WBNB Attack method: Rug Pull
Description of the event: A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).
Amount of loss: $ 231,000 Attack method: Apple ID was hacked
Description of the event: According to SlowMist, the GenomesDAO project on MATIC was attacked by hackers, resulting in the unexpected withdrawal of funds in its LPSTAKING contract. This incident is because the LPSTAKING contract of GenomesDAO can be arbitrarily repeatedly initialized and set key parameters, resulting in the malicious exhaustion of the collateral in the contract.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: On August 4, Team at Velodrome, an AMM project built on Optimism, noticed that $350,000 had been taken from a team-operated wallet that was normally used for operational funds. They announced they were beginning an investigation into the theft, which they initially believed was due to a compromised wallet. Their team member Gabagool tweeted more details, underscoring that no user funds were lost. On August 13, Gabagool posted a long confession to his Twitter account, writing that he had stolen the $350,000, and had previously taken $56,000 over the course of two months, to try to "revenge trade" the money he had lost in the crypto crash. Explaining why he took the $350,000, he wrote, "I thought I could make the 56k back and return all of the funds, which was delusional". He also wrote that "the majority of the funds have been returned to the Velodrome team. The rest will be." Velodrome later confirmed they had recovered all of the stolen money.
Amount of loss: - Attack method: Internal evil
Description of the event: A large-scale incident of currency theft occurred on the Solana public chain, and a large number of users were transferred SOL and SPL tokens without their knowledge. According to SlowMist MistTrack statistics, more than 8,000 Solana wallets have been stolen so far. Assets are valued at approximately $4.5 million.
Amount of loss: $ 8,000,000 Attack method: Unknown
Description of the event: A large-scale coin theft event occurred on the Solana public chain, and a large number of users were transferred SOL and SPL tokens without their knowledge. The SlowMist security team analyzed the Slope wallet application at the invitation of the Slope team. The analysis showed that the version of the Slope wallet released on or after June 24, 2022 has the phenomenon of sending private keys or mnemonic words to third-party application monitoring services. However, from the investigation of the Slope wallet application, there is no temporary way to clearly prove that the root cause of the incident is the problem of the Slope wallet.
Amount of loss: $ 4,000,000 Attack method: Unknown
Description of the event: The Nomad Bridge, a cross-chain interoperability protocol, was attacked by hackers. This attack was due to the fact that the trusted root of the Nomad Bridge Replica contract was set to 0x0 during initialization, and the old root was not invalidated when the trusted root was modified. Constructing arbitrary messages to steal funds from the bridge, the attacker was able to extract over $190 million in value from the attack. So far, more than 40 addresses have returned over $36 million to Nomad.
Amount of loss: $ 154,000,000 Attack method: Contract Vulnerability
Description of the event: Reaper Farm's ReaperVaultV2 contract was maliciously exploited, resulting in more than $1.6 million worth of damage. Attackers exploited a vulnerability in the ReaperVaultV2 contract that could destroy other users' vault shares and withdraw tokens, thereby withdrawing large amounts of tokens from multiple vaults.
Amount of loss: $ 1,698,423 Attack method: Contract Vulnerability
Description of the event: The ZB exchange was hacked with a total loss of around $4.3 million. ZB has notified the community on August 2 that deposits and withdrawals will be suspended due to a "sudden failure". The reason is "Sudden failure of the core application". It's worth noting that the attack actually happened on August 1, but it was overshadowed by the overwhelming news of the Nomad exploit.
Amount of loss: $ 4,300,000 Attack method: Wallet Stolen
Description of the event: According to SlowMist Intelligence, Nirvana, a stablecoin project on the Solana chain, was attacked by a flash loan. The attacker used a flash loan to borrow 10,250,000 USDC from Solend by deploying a malicious contract, and then called the Nirvana contract buy3 method to buy a large amount of ANA tokens. Nirvana contract swap method to sell part of ANA, get USDT and USDC, after repaying the flash loan, a total profit of 3,490,563.69 USDT, 21,902.48 USDC and 393,230.32 ANA tokens, then the hacker sold ANA tokens and passed all the dirty money through the cross-chain bridge transfer.
Amount of loss: $ 3,500,000 Attack method: Flash Loan Attack
Description of the event: CEO Michael Stollery of Titanium Blockchain Infrastructure Services (TBIS) pled guilty to securities fraud in connection to a $21 million cryptocurrency scam. The company promoted its BAR token during 2017–2018, and did not register with the SEC for its ICO. TBIS made false claims including that they had ties to companies including Apple, Boeing, and IBM, and offered various services that did not actually exist. At least 75 people participated in the ICO, giving TBIS a combined $21 million, some of which went directly to Stollery's bank account and personal expenses like a condo in Hawaii.
Amount of loss: $ 21,000,000 Attack method: Scam
Description of the event: DeFi project DRAC Network appeared Rug Pull, with the price of the token $TEDDY dropping 99.4%. 10,000 $BNB and 2 million $BUSD have been slowly transferred to Binance. It is said that the deployer deployed the contract and transferred a large quantity of $TEDDY to 0xdbe8ef79a1a7b57fbb73048192edf6427e8a5552, then pump and dump the price of $TEDDY.
Amount of loss: $ 4,500,000 Attack method: Rug Pull
Description of the event: Web3 music streaming service platform Audius community treasury was hacked, losing 18.5 million AUDIO Tokens. The hackers exchanged the funds for about 705 ETH on Uniswap. Audius officially stated that the problem has been found and is currently being repaired. All Audius smart contracts on Ethereum must be stopped, including tokens. The team believes that there is no further capital risk. Before the repair is completed, token balances, transfers, etc. will be temporarily unavailable. use.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: The online game Neopets said it encountered a hack and is currently investigating a customer data breach. The Neopets hack may affect 69 million users, and a hacker named TarTarX sold the source of the Neopets website for 4 bitcoins code and database. Neopets recently launched NFTs for its online virtual world games.
Amount of loss: - Attack method: Information Leakage