1534 hack event(s)
Description of the event: Metaverse project Quint was hacked and lost $130,000. The root cause of the attack is that when the reStake function re-stakes the reward, the reward amount of the LP token is not updated, so the attacker can claim the issued reward multiple times.
Amount of loss: $ 130,000 Attack method: Contract Vulnerability
Description of the event: $MAD was hacked. The hacker transferred all $MAD out of the contract holding the token by directly calling that contract's transfer function, and finally made a profit of 556 BNB (worth about $115,681), which was then transferred to Tornado.Cash. The reason is that no check was performed on the sensitive function in the contract holding the tokens, so anyone could directly call the 0x9763a894 function to transfer out the tokens held in the contract.
Amount of loss: $ 115,681 Attack method: Contract Vulnerability
Description of the event: The NFT liquidity solver XCarnival was attacked. The hacker made a profit of 3,087 ETH (about 3.8 million US dollars) and returned 1,467 ETH after negotiation. The core of this vulnerability is that, when borrowing, there is no check of whether the NFT in the order has already been withdrawn.
Amount of loss: 1,620 ETH Attack method: Contract Vulnerability
Description of the event: Harmony Horizon bridge was hacked. According to the analysis of SlowMist MistTrack, the attackers made more than 100 million US dollars, including 11 ERC20 tokens, 13,100 ETH, 5,000 BNB and 640,000 BUSD. On the 26th, Harmony founder Stephen Tse said on Twitter that Horizon was attacked not because of a smart contract vulnerability, but because of a private key leak. Although Harmony stored the private keys encrypted, the attacker decrypted some of them and signed some unauthorized transactions. At present, Harmony has migrated Horizon's verification authority on the Ethereum side to a 4/5 multi-signature.
Amount of loss: $ 100,000,000 Attack method: Private Key Leakage
Description of the event: ConvexFinance officially tweeted that a DNS attack caused users to approve malicious contracts on some interactions on the website, and the problem has been fixed.
Amount of loss: 215 ETH Attack method: DNS Attack
Description of the event: Ribbon Finance said in a tweet that the homepage of the URL suffered a DNS attack, causing 2 users to approve a malicious contract for vault deposits. At present, the team has solved the problem, and the funds in all contracts are in a safe state. After analyzing the on-chain data, SlowMist believes that the attacker is the same one as in the Convex incident. It also found that a user of Ribbon Finance lost 16.5 WBTC in the attack.
Amount of loss: 16.5 BTC Attack method: DNS Attack
Description of the event: One-stop asset management solution DeFi Saver tweeted that it experienced an attempted DNS attack and, according to its analysis, no users were affected. DeFi Saver said that what the DNS attack has in common with those on Convex Finance and Ribbon Finance is the domain name registration service Namecheap, and reminded other projects to use it with caution.
Amount of loss: - Attack method: DNS Attack
Description of the event: The pandorachainDAO project suffered a flash loan attack, resulting in a loss of assets worth about $128,000.
Amount of loss: $ 128,000 Attack method: Flash Loan Attack
Description of the event: The LV PLUS (Token LVP) project has been identified as a Rug Pull project. So far, the project has resulted in losses of about $1.5 million. LV PLUS claims to be affiliated with the "LV Metaverse". The main reason for the loss, and the reason it is defined as a Rug Pull, is that the LV PLUS contract deployer sent tokens to certain wallets, and these wallet addresses subsequently sold the project's tokens, causing the project's market to crash.
Amount of loss: $ 1,500,000 Attack method: Rug Pull
Description of the event: The whaleswap.finance project was attacked, and at least 5946 BUSD and 5964 USDT were lost. The reason may be a problem with the K value verification of the whaleswap.finance Pair contract: whenever a user exchanges, the parameters passed into the K value verification have the wrong order of magnitude, which causes the K value verification to fail. The attacker first borrows BSC-USD through a flash loan, and then returns the flash loan when the K value verification parameter is on the order of 10000^4. The parameter magnitude used in the K value verification is 10000^2, which causes the K value verification to fail.
Amount of loss: 5946 BUSD+5964 USDT Attack method: K value verification vulnerability
Description of the event: A Rug Pull occurred in the DHE project, causing the price of DHE tokens to drop by more than 91%. Total losses are currently around $142,000.
Amount of loss: $ 142,000 Attack method: Rug Pull
Description of the event: The SNOOD ERC-777 smart contract was attacked, causing the liquidity of the UniswapV2Pair token to be completely drained (104 ETH).
Amount of loss: 104 ETH Attack method: Reentrancy Attack
Description of the event: Clothing brand LACOSTE's Discord was hacked, and scammers posted phishing links on the announcement channel. Recently, the Discords of several projects have been attacked, including Clyde, Good Skellas, Duppies, Oak Paradise, Tasties, Yuko Clan, Mono Apes, ApeX Club, Anata, GREED, CITADEL, DegenIslands, Sphynx Underground Society, FUD Bois, and Uncanny Club, etc.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Crypto financial services provider Babel Finance suspended customer withdrawals due to crypto market turmoil. In July, documents revealed that Babel Finance lost more than $280 million in bitcoin (BTC) and ether (ETH) due to the failure of its proprietary trading. Specifically, it lost around 8,000 BTC and 56,000 ETH in June after facing liquidation due to a severe market downturn.
Amount of loss: 8,000 BTC + 56,000 ETH Attack method: Proprietary trading failure
Description of the event: Inverse Finance suffered a flash loan attack, resulting in a loss of approximately 1068.215 ETH (approximately $1.26 million). This is the second time that Inverse Finance has suffered a flash loan attack in the past two months. The main reason for this attack is the use of insecure oracles to calculate LP prices.
Amount of loss: $ 1,260,000 Attack method: Flash Loan Attack
Description of the event: KnownOrigin officially tweeted that its Discord had been attacked, and reminded users not to click on any links. Other servers hacked in recent days include those of Curiosity, Meta Hunters, Parallel, Goat Society, RFTP and Gooniez.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Fswap was attacked by a hacker on June 13. Fswap stated that the attack was a vulnerability incident of a non-attacked project and a malicious loan attack. Hackers borrowed money from BISWAP to FSWAP for transaction attacks. The hacker made about 1,751 WBNB worth about $500,000.
Amount of loss: 1,751 WBNB Attack method: Flash Loan Attack
Description of the event: The ElonMVP token suffered a Rug Pull, the token price fell by 99%, and over 622 BNB were transferred to Tornado.Cash, with a loss of about $130,000.
Amount of loss: $ 130,000 Attack method: Rug Pull
Description of the event: On June 12, the price of the HEGE token plummeted by more than 97%. The current loss amount is approximately $429,000.
Amount of loss: $ 429,000 Attack method: Rug Pull
Description of the event: The treasure swap project was attacked. The attacker used only 0.000000000000000001 WETH to exchange all the WETH tokens in the transaction pool. Reverse analysis of the source code found that the swap function of the attacked contract lacked the K value check. At present, the attacker has completed the attack on the two contracts 0xe26e436084348edc0d5c7244903dd2cd2c560f88 and 0x96f6eb307dcb0225474adf7ed3af58d079a65ec9, and accumulated a profit of 3,945 BNB.
Amount of loss: 3,945 BNB Attack method: K-value Verification Vulnerability