1914 hack event(s)
Description of the event: Kannagi Finance has rug pulled, making away with up to $2.13 million in investor funds. The platform runs on zkSync Era, which is in the race for the best Ethereum Layer 2 network. The network has deleted its official website, including social media and communication accounts.
Amount of loss: $ 2,130,000 Attack method: Rug Pull
Description of the event: DeFiLabs on the BNB chain has run away, taking about $1.6 million. The privileged address 0xee08 drained user funds by exploiting the backdoor function withdrawFunds() in the vPoolv6 contract. DeFiLabs claimed on Twitter that the platform had “experienced unexpected issues” while it was “going through maintenance and updates.”
Amount of loss: $ 1,600,000 Attack method: Rug Pull
Description of the event: A serious flaw in Pond0x, the Pepe the Frog-branded MEME coin launched by Pauly0x, caused traders to lose at least $2.2 million after it was discovered that anyone could transfer tokens belonging to someone else. People quickly started scrambling to steal money from each other. Pauly0x responded by blaming traders who were buying and selling tokens; in various Twitter posts the next day he said he was teaching people a lesson and that it wasn’t his fault that people lost money. He wrote to angry traders who accused him of rug pulling. He added a message to the website: "GREED KILLS".
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
Description of the event: Carson, a project in the BSC ecosystem, was attacked and lost about $145,000. At present, the price of Carson tokens has dropped by 96%, and the attacker has exchanged the stolen assets for 600 BNB and transferred them to Tornado Cash. Using flash loans, the attacker repeatedly called the swapExactTokensForTokensSupportingFeeOnTransferTokens function in the 0x2bdf...341a contract (not open-source), swapped for BUSD and burned Carson in the pair, then repeatedly inflated the price of Carson for profit.
Amount of loss: $ 145,000 Attack method: Flash Loan Attack
Description of the event: According to SlowMist, IEGT tokens were created on BSC on July 13. Its creators "secretly minted a large number of tokens in preparation for pulling the rug". Although the project’s token supply is only 5 million tokens, this enabled the team to sell 1 billion tokens, cashing out approximately $1.14 million in USDT stablecoins. According to SlowMist, the project team modified the balance of a specified address through inline assembly when the contract was initialized, secretly issuing a large number of tokens that other users did not know about, so that users were rug pulled when participating in the project.
Amount of loss: $ 1,140,000 Attack method: Rug Pull
Description of the event: The Palmswap project on the BSC chain was attacked, and the attacker made a profit of more than 900,000 US dollars. According to SlowMist's analysis, the attack occurred because permission control on a core function was not enabled, and the price calculation model of the liquidity token was too simple, depending only on the number of USDT tokens in the treasury and the total supply. This allowed the attacker to use flash loans to maliciously manipulate prices and obtain unexpected profits. On July 28, Palmswap tweeted that 80% of the stolen funds had been returned, and the remaining 20% was used as a bug bounty for hackers.
Amount of loss: $ 900,000 Attack method: Flash Loan Attack
Description of the event: MetaLabz tweeted: "In order to ensure the supply we hold, we deployed an unaudited contract (token locker), but the contract has been exploited. The situation was then exacerbated by the liquidity attack, resulting in a total loss of slightly more than 400 BNB." According to analysis, the reason is that the authorization check was bypassed.
Amount of loss: 400 BNB Attack method: Contract Vulnerability
Description of the event: On July 25th, according to reports from several users, EraLend, the lending protocol on zkSync, was hit by a flash loan attack, and it is currently unable to borrow, but it can be proposed temporarily. On July 26, EraLend released an update on the attack. EraLend stated that the attacker manipulated the oracle price, resulting in the USDC mining pool being exploited for about 2.76 million US dollars. All other pools remain safe and unaffected. The attackers used multiple bridges to spread the exploited funds across multiple wallets on various chains.
Amount of loss: $ 2,760,000 Attack method: Flash Loan Attack
Description of the event: The hot wallet of cryptocurrency payment service provider Alphapo was stolen, with $23 million lost. Alphapo client HypeDrop has disabled withdrawals. The stolen funds were first exchanged for ETH on Ethereum and then cross-chained to the Avalanche and BTC networks. Alphapo processes payments for many gaming services such as HypeDrop, Bovada, and Ignition. It is unclear how many bitcoins were stolen from Alphapo. On July 25, on-chain analyst ZachXBT tweeted that an additional $37 million stolen on TRON and BTC in the Alphapo hot wallet theft had been found. The total stolen from Alphapo has now increased to $60 million. The hack was likely carried out by Lazarus.
Amount of loss: $ 60,000,000 Attack method: Wallet Stolen
Description of the event: On July 23, the CoinList Twitter account was hacked. The CoinList account first tweeted that it would launch native tokens, and then Neon EVM tweeted that the CoinList account had been stolen and reminded users not to click on any links. On July 25, CoinList shut down the malicious website for the scam token sale, and the security team is actively investigating and working with all relevant parties, including Twitter's support staff, to regain control of the CoinList Twitter account. CoinList will notify the community as soon as the fix process is complete. Currently, CoinList still controls all other official social media channels.
Amount of loss: - Attack method: Account Compromise
Description of the event: This second attack was unrelated to the ETH Omnipool's re-entrancy exploit. The attacker was able to realize a profit of approximately $300k by exploiting the crvUSD Omnipool. We will share more updates as we continue to investigate.
Amount of loss: $ 300,000 Attack method: Flash Loan Attack
Description of the event: Recently, Estonian crypto payment service provider CoinsPaid said it suffered a cyber attack and $37.3 million worth of cryptocurrency was stolen. Although the attack caused significant financial losses to the company and had many adverse effects on the usability of the payment platform, the company stated that customer funds are still safe and the incident will not have a significant impact on the company's business. CoinsPaid said the attack was initiated by the Lazarus hacking group, and their goal was to obtain higher cash. On July 26, SlowMist tweeted that the CoinsPaid, Atomic and Alphapo attackers may all be the North Korean hacker organization Lazarus Group.
Amount of loss: $ 37,300,000 Attack method: Unknown
Description of the event: The Twitter account of Uniswap founder Hayden Adams was hacked, and the account sent multiple tweets containing links to scam websites. "Hayden's account has been hacked," the Uniswap Foundation said in a tweet. "Do not click on this link, or one that may appear in similar tweets."
Amount of loss: - Attack method: Account Compromise
Description of the event: On July 21, Conic Finance's ETH omnipool was hit by a series of small hacks that cost around $3.2 million. Conic Finance issued an update on the attack, saying, “The root cause of the attack is due to an incorrect assumption about the address returned by the ETH’s Curve meta-registry in the Curve V2 pool, which enables reentrancy attacks and is deploying fixes for the affected contracts.”
Amount of loss: $ 3,200,000 Attack method: Reentrancy Attack
Description of the event: The official Twitter account of the DeFi platform Shell Protocol on Arbitrum is suspected of being stolen. It posted false news about the application of SHELL tokens and closed the comment area. Please do not interact with it. According to news, this attack seems to be due to the hacking of its founder’s SIM card, resulting in both personal Twitter and Shell Protocol’s Twitter being hacked, and the attacker is the PinkDrainer phishing gang.
Amount of loss: - Attack method: Account Compromise
Description of the event: Nansen CEO Alex Svanevik tweeted that the Twitter account of PleasrDAO, a decentralized autonomous organization composed of DeFi leaders, early NFT collectors, and digital artists, has been stolen, reminding users not to interact with it. PleasrDAO’s official Twitter account tweeted about the claim of the fake token PLEASR.
Amount of loss: - Attack method: Account Compromise
Description of the event: BNO suffered a flash loan attack on BNBChain, resulting in a loss of about $500,000 due to business logic problems. The root cause of the attack is a problem with the reward calculation mechanism in the pool that supports NFT and ERC20 token rights. The pool has an "emergencyWithdraw" function that allows users to withdraw their ERC20 token stake immediately. Crucially, however, this feature does not process or interpret NFT stake records. Attackers exploited this flaw by depositing NFTs and ERC20 tokens into a pool and then executing the "emergencyWithdraw" function specifically for their ERC20 tokens. By doing so, an attacker can bypass the reward calculation check, effectively manipulating the system to his advantage. Through this manipulation, an attacker is able to clear a user's "reward debt," earn undeserved rewards, and cause significant financial damage to the mining pool and its users.
Amount of loss: $ 500,000 Attack method: Flash Loan Attack
Description of the event: GMETA on BSC has been rug pulled, with a price drop of 96% and about $3.6 million taken. The contract creator is 0x9f02c29ad35fd20a51cd48250512a7b7feeb8ed1.
Amount of loss: $ 3,600,000 Attack method: Rug Pull
Description of the event: APEDAO on the BNB chain was attacked and the loss was approximately $7,000. The attacker transferred APEDAO to the pair contract. The APEDAO contract mistook the attacker's behavior for a selling operation and gradually accumulated a value named "amountToDead". The attacker repeatedly transferred APEDAO and then used the skim function to withdraw excess tokens. Eventually, the attacker called the godead function to destroy APEDAO held in the pair contract, causing the token price to rise.
Amount of loss: $ 7,000 Attack method: Contract Vulnerability
Description of the event: Ethscriptions.com was hacked, and about 123 individual addresses lost a total of about 202 Ethscriptions. In terms of value, it is unclear how much loss the attack caused. Based on the current lowest price of $14, the loss is at least $2,828. Ethscriptions creator Tom Lehman stated that this is not a vulnerability in the Ethscriptions protocol but a vulnerability in a specific smart contract (0x3ca843b98a2fe8ef69bb0f169afad3812c275f5e). The protocol itself and other applications running on it are not affected in any way. Meanwhile, Lehman claimed responsibility for the attack, explaining that the vulnerability can be traced back to a smart contract he and Indelible Labs co-founder Michael Hirsch created. It is reported that a small piece of code included in it allows people to withdraw Ethscriptions that do not belong to them from the market. Lehman also said that the Ethscriptions.com marketplace will be relaunched and that he has been in touch with many users affected by the bug.
Amount of loss: $ 2,828 Attack method: Contract Vulnerability