1627 hack event(s)
Description of the event: UXD Protocol, an algorithmic stablecoin protocol in the Solana ecosystem, had a total of $19,986,134.9037 in funds affected by the Mango attack. UXD Protocol stated: “Our insurance fund is sufficient to cover losses. UXD is fully secured and will be redeemable by users once Mango Markets recovers from the exploit. The total insurance fund is $53,527,304.7757. UXD Protocol has suspended UXD minting for risk minimization. Minting will be re-enabled once we confirm the issue with Mango Markets has been resolved.”
Amount of loss: $ 20,000,000 Attack method: Affected by the Mango attack
Description of the event: The Journey of Awakening (ATK) project suffered a flash loan attack. The attacker used a flash loan against the strategy contract of the ATK project (0x96bF2E6CC029363B57Ffa5984b943f825D333614) and obtained a large amount of ATK tokens from the contract. The attacker has exchanged all of the obtained ATK tokens for approximately $120,000 in BSC-USD, and the stolen funds are currently being exchanged for BNB and transferred in full to Tornado Cash.
Amount of loss: $ 120,000 Attack method: Flash Loan Attack
Description of the event: The Micro Elements (TME) project is an exit scam: it dropped more than 95%, and about $548,600 has been stolen. The BSC address is 0xd631464f596e2ff3b9fe67a0ae10f6b73637f71e.
Amount of loss: $ 548,600 Attack method: Rug Pull
Description of the event: Layer1 blockchain QANplatform (QANX), which is resistant to quantum computing attacks, tweeted that its smart contract cross-chain bridge was attacked and that the attacker managed to extract tokens, and reminded users not to perform any transactions related to QANX tokens. According to the findings, the hackers obtained the private keys to the bridge wallet and withdrew more than 1.4 billion QANX tokens worth more than $1 million in two transactions.
Amount of loss: $ 2,000,000 Attack method: Profanity Vulnerability
Description of the event: According to TokenPocket's official announcement, its official website tokenpocket.pro is currently under attack from abnormal traffic, and the technical team is carrying out emergency maintenance. During the maintenance period, the TokenPocket website will not be accessible normally; the security of user assets will not be affected.
Amount of loss: - Attack method: Abnormal traffic attack
Description of the event: DeBank plug-in wallet Rabby tweeted that its Rabby Swap smart contract has a vulnerability, and that users who have used it should revoke Rabby Swap approvals on all chains as soon as possible. According to the analysis of the SlowMist security team, the Rabby Swap contract was attacked: the token swap function in the contract makes external calls directly through the functionCallWithValue function in the OpenZeppelin Address library, and the parameters passed in by the user are not checked, resulting in an arbitrary external call issue. Attackers exploited this issue to steal funds from users who had granted approvals to this contract.
Amount of loss: $ 190,000 Attack method: Contract Vulnerability
Description of the event: The TempleDAO project was hacked, involving an amount of approximately $2.36 million. According to the analysis of the SlowMist security team, because the migrateStake function did not validate the oldStaking parameter, the attacker could pass in a forged oldStaking contract and increase the balance arbitrarily.
Amount of loss: $ 2,360,000 Attack method: Contract Vulnerability
Description of the event: The Jumpnfinance project carried out a rug pull involving about 1.15 million US dollars. The attacker first calls the 0x6b1d9018() function of the 0xe156 contract to extract the user assets in the contract and store them at the attacker's address (0xd3de02b1af100217a4bc9b45d70ff2a5c1816982).
Amount of loss: $ 1,150,000 Attack method: Rug Pull
Description of the event: The Xave Finance project was hacked, resulting in a 1000x increase in RNBW issuance. The attack transaction is 0xc18ec2eb7d41638d9982281e766945d0428aaeda6211b4ccb6626ea7cff31f4a. The attacker first creates the attack contract 0xe167cdaac8718b90c03cf2cb75dc976e24ee86d3. The attack contract first calls the executeProposalWithIndex() function of the DaoModule contract 0x8f90 to execute the proposal. The content of the proposal is to call the mint() function to mint 100,000,000,000,000 RNBWs and transfer the ownership rights to the attacker. Finally, the hacker exchanged it for xRNBW, which was stored at the attacker's address (0x0f44f3489D17e42ab13A6beb76E57813081fc1E2).
Amount of loss: $ 635 Attack method: Contract Vulnerability
Description of the event: BNBChain was attacked and lost more than 500 million US dollars. According to SlowMist, the hacker’s initial source of funds was ChangeNOW, and the hacker’s address has interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc. Analyst @samczsun published a post explaining how hackers used Binance Bridge to steal BNB. The attackers stole 1 million BNB twice, but both times used the block height 110217401, which is much lower than the normal height. Furthermore, the proof submitted by the attacker is shorter than a legitimate proof, showing that the attacker forged the proof for that particular block. The specific method is to add a new leaf node when the COMPUTEHASH function generates a hash, then create a blank internal node to satisfy the prover, and exit early after finding a hash that matches the internal node. So far, only two fake verifications have been generated in this way.
Amount of loss: 2,000,000 BNB Attack method: Pseudo-authentication
Description of the event: The Web3 social platform Sex DAO is suspected of a rug pull. The original white paper has been deleted. Over 220,000 USDT and 4.17 billion SED (SEXDAO Token) have been transferred on-chain. Currently, the Sex DAO official website and official Twitter account are inaccessible.
Amount of loss: 220,000 USDT Attack method: Rug Pull
Description of the event: Bitcoin DeFi application Sovryn tweeted that it found a vulnerability affecting the lending pool and was attacked. The attacker used the abandoned lending protocol to withdraw 44.93 RBTC and 211,045 USDT. After the developer detected the attack, the system entered maintenance mode. Half of the funds will be recovered, and any additional losses will be fully compensated by the treasury. A plan to restore system functions and provide post-mortem analysis will also be formulated in the future.
Amount of loss: 44.93 RBTC + 211,045 USDT Attack method: Price Manipulation
Description of the event: According to official news, Transit Swap, a cross-chain trading platform aggregator supported by TokenPocket, was hacked. According to the analysis of SlowMist MistTrack, the stolen assets exceeded 28.9 million US dollars. The hacker's account address is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46. The largest attacker had returned 6,500 BNB (about $1.95 million) on October 10, and on October 13, the attackers returned 3,485 BNB (about $950,000).
Amount of loss: $ 28,900,000 Attack method: Unchecked Input Data
Description of the event: The TokenStakingPoolDelegate contract, which BXH updated after the last attack, suffered another flash loan attack. The contract lost 40,085 USDT, and the attacker made a profit of 31,794 USDT after paying off the flash loan fee. Analysis shows that the attack was caused by the contract's getITokenBonusAmount function using getReserves() to obtain an instantaneous price quote, which allowed the attacker to profit by manipulating the quote.
Amount of loss: 40,085 USDT Attack method: Flash Loan Attack
Description of the event: A bot named 0xbadc0de made a windfall when traders tried to sell 1.8 million cUSDC (USDC on the Compound protocol) ($1.85 million in nominal value), but only got $500 of the asset in return due to low liquidity. The MEV bot, however, made a profit of 800 ETH (~$1 million) from the sold carry trade. An hour later, a hacker exploited a bug in 0xbadc0de's badc code to withdraw all 1,101 ETH (~$1.5 million) in the contract.
Amount of loss: $ 1,500,000 Attack method: Contract Vulnerability
Description of the event: The SlowMist security team reports that, according to the BXH Stupid Kids team’s announcement on September 23, a total of $2.5 million worth of assets and 38 million BXH tokens were stolen the night before yesterday (September 21). According to the analysis and evaluation of SlowMist MistTrack, the private key of the original owner of the BXH VaultPool contract is suspected to have been stolen, and the inCaseTokensGetStuck function was called to transfer the funds in the contract to the hacker's address. The hacker's address is 0x158f...e345. Up to now, the hacker has bridged the stolen funds to the ETH chain and further transferred all of them to Tornado Cash, with a total transfer amount of 1865 ETH.
Amount of loss: $ 2,500,000 Attack method: Private Key Leakage
Description of the event: @EvgenyGaevoy, founder and CEO of crypto market maker Wintermute, tweeted that Wintermute lost $160 million in DeFi hacking attacks. Wintermute used Profanity to create a wallet in order to optimize fees. Funds from the old address were transferred, but due to an internal (human) error, the wrong function was called and it was attacked.
Amount of loss: $ 160,000,000 Attack method: Operational Mistake
Description of the event: In a tweet, @0xCrumbs disclosed that Dogechain was hacked yesterday, and the attackers exploited the vulnerability to mint 9.7 million $Doge (about $600,000) and transfer $316,000 through a cross-chain bridge. Currently 3 million remain in the starting wallet, in addition to $100,000 worth of USDC/ETH. Therefore, @0xCrumbs believes that yesterday's Dogechain maintenance was caused by the attack. SlowMist also tweeted that the attackers used Anyswap to bridge funds to the BSC and ETH chains, which were then transferred to Binance. But Dogechain officials tweeted that no funds were lost during the maintenance period.
Amount of loss: $ 600,000 Attack method: Contract Vulnerability
Description of the event: The New Free Dao project on the BSC chain suffered a flash loan attack. According to SlowMist analysis, the main cause of the attack is that the contract's reward calculation is too simple: it depends only on the balance of the caller, which allows arbitrage through flash loans.
Amount of loss: 4,481 WBNB Attack method: Contract Vulnerability
Description of the event: The security of the GERA token was compromised due to private key leakage. Hackers transferred the ownership of the smart contract deployer of GERA tokens to another address 0x510E4d61663bE6a24D600AaF90F892dd8c8C61dC.
Amount of loss: $ 1,480,000 Attack method: Private Key Leakage