1350 hack event(s)
Description of the event: According to Etherscan data, the OHM imitation project AnubisDAO, which was launched at Copper Launch, withdrew its liquidity pool one day after it went online. It is suspected that the team ran off with the funds. A total of more than 13,556 ETH was transferred to the address @0x9fc, worth about 58.3 million U.S. dollars. Jayson, the founding partner of PFR Capital, pointed out that AnubisDAO is just a Twitter account that was registered only a few days ago. There is no website, white paper, Medium page, or product.
Amount of loss: 13,556 ETH Attack method: Rug Pull
Description of the event: Cream Finance, the DeFi lending protocol, was attacked and lost approximately US$130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens. It is reported that this is the third largest DeFi hack in history (although in the two larger incidents the funds were returned). In addition, Cream Finance has suffered multiple flash loan attacks before, losing 37.5 million US dollars in February and another $19 million.
Amount of loss: $ 130,000,000 Attack method: Flash loan attack
Description of the event: According to Cointelegraph reports, some YouTube channels were hacked and taken over. The original content and information of these channels were destroyed by the hackers, who pretended to be large technology companies or cryptocurrency exchanges to commit fraud. The hackers also sold these channels at prices varying from $3 to $4,000. The Google Threat Analysis Group (TAG) stated that the hackers who attacked the YouTube channels came from a Russian-speaking forum. In addition, Google has shared the findings with the FBI for further investigation.
Amount of loss: - Attack method: YouTube was hacked
Description of the event: SaturnBeam, an IDO project on MoonSwap, a decentralized exchange on the Moonriver chain, absconded with funds, and MoonSwap tweeted a warning that SaturnBeam would refund the money within 24 hours.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: Email addresses belonging to 3.1 million CoinMarketCap users were leaked last week, according to Have I Been Pwned. Have I Been Pwned says that the website’s database was breached on Oct. 12, 2021. Exactly 3,117,548 email addresses, not including passwords, were stolen in the security breach.
Amount of loss: - Attack method: Information Leakage
Description of the event: These implicit assumptions on Uniswap V2 resulted in 20 addresses on Alpha Homora V2 being impacted and losing a total of 40.93 ETH to miners who extracted this value. We have plans to compensate these 20 addresses. However, what’s more important is to share this with our community, especially other builders in the space to be aware of these implicit assumptions that are not stated, how you can detect this as a builder, and how to prevent/mitigate this.
Amount of loss: 40.93 ETH Attack method: Sandwich attack
Description of the event: Avaterra Finance, a stable-income aggregation protocol in the Avalanche ecosystem, was attacked by hackers. The security company Rugdoc found that the protocol's contract is a fork of Goose, but its token contains custom elements, and anyone can call its minting function. In the end, the hacker called the contract, then minted and dumped thousands of tokens.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Bug bounty platform Immunefi says white hat hacker Gerhard Wagner submitted a critical vulnerability affecting the Polygon Plasma Bridge on October 5, 2021, that allows attackers to withdraw their burn transactions from the bridge up to 223 times. About $850 million was at risk, and an attack with just $100,000 would result in a loss of $22.3 million. Polygon confirmed the bug and immediately began fixing the underlying issue, which was resolved within a week. Polygon agreed to pay up to $2 million for the submission.
Amount of loss: $ 2,000,000 Attack method: Double Spend Attack
Description of the event: Pancake Hunny, the DeFi protocol on BSC, suffered a flash loan attack, and HUNNY tokens fell by about 70% in a short time. The attack transactions included 513 transfers, and gas consumption reached 19 million; a large number of the transfers were related to Alpaca tokens.
Amount of loss: - Attack method: Flash loan attack
Description of the event: Glide Finance, a DeFi protocol built on the Elastos ecosystem, tweeted that a contract vulnerability was exploited to siphon money out of the matching contract, for a loss of approximately $300,000. The cause was that the team changed the fee parameters after an audit but did not update the number on the contract from 1,000 to 10,000. The team is now contacting the exchange to block the transfer of funds and reminding users who have money in Glide's liquidity pool to withdraw funds.
Amount of loss: $300,000 Attack method: Contract Vulnerability
Description of the event: Indexed Finance, a passive income protocol, was attacked, and the affected fund pools included DEFI5 and CC10. After the vulnerability was discovered, protection measures were triggered for fund pools including DEGEN, NFTP, and FFF (including DEFI5 and CC10), which were frozen. About half an hour ago, Indexed Finance officially stated that the root cause of the attack has been determined. The two index token fund pools, DEGEN and NFTP, have resumed normal operation, while the FFF pool is still frozen. Officials stated in Discord that the damage caused by this attack was about 16 million U.S. dollars.
Amount of loss: $16,000,000 Attack method: Pricing mechanism issues
Description of the event: A report released by Sophos stated that the crypto fraud application CryptoRom stole 1.4 million U.S. dollars through the use of a "super signature service" and Apple's developer enterprise plan. It is reported that fraudsters gain the trust of victims through Facebook and dating platforms (such as Tinder, Grindr, Bumble, etc.), and then lure them to install the fake cryptocurrency application CryptoRom and invest. The victim installs the app, invests, makes a profit, and is allowed to withdraw funds. After being encouraged, they are forced to invest more, but once they deposit a larger amount, they can no longer withdraw cash. To date, Bitcoin addresses related to the scam have sent more than 1.39 million U.S. dollars, and there may be more addresses related to the scam. According to the report, most of the victims are iPhone users. The report stated that CryptoRom bypassed all security checks in the App Store and remained active every day. The report also stated that Apple “should warn users about installing apps through temporary distribution or through the enterprise configuration system that these apps have not been reviewed by Apple.”
Amount of loss: $ 1,400,000 Attack method: Scam
Description of the event: According to news reports, a security research company discovered a serious security vulnerability in the NFT marketplace OpenSea that could allow hackers to steal a user's entire crypto wallet. OpenSea responded that a fix was implemented within one hour of discovering the problem, and that other measures will be taken to strengthen community safety education.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Quantitative trading company mgnr stated on Twitter that StarkWare has an urgent security issue, but did not disclose the specific details. Louis Guthmann, the head of ecosystem of the StarkWare team, confirmed that there is indeed a problem. “This is not a security vulnerability on dYdX. ) Is only related to a specific user." mgnr said it has contacted the StarkWare and Solana teams.
Amount of loss: - Attack method: Unknown
Description of the event: The official Twitter account and website of the NFT project Evolved Apes, along with the project developer "Evil Ape", disappeared last week, and the developer took away 798 ETH worth US$2.7 million.
Amount of loss: 798 ETH Attack method: Rug Pull
Description of the event: My Farm Pet is suspected of having suffered a flash loan attack, and fell 79.86% today.
Amount of loss: $ 31,424 Attack method: Flash loan attack
Description of the event: The Bitcoin sidechain Liquid Network launched by Blockstream encountered block signature-related issues after the recent upgrade, resulting in no block generation for more than 7 hours. According to Liquid Network's block explorer, the last block is 1517039, and it was generated 7 hours ago. Liquid Network said on Twitter, "It is investigating a block signature issue related to a recent feature upgrade, but user funds are safe and will not be affected."
Amount of loss: - Attack method: Block signature problem
Description of the event: Staking liquidity solution Lido Finance discovered a vulnerability through the Lido vulnerability bounty program that could be used by whitelisted node operators to steal a small portion of user funds. Approximately 20,000 ETH was exposed to risk at the time of the vulnerability report. At present, the team has taken short-term remedial measures. The white hat who reported the vulnerability is Dmitri Tsumak, the founder of StakeWise, who is expected to receive the highest reward of the vulnerability bounty program, $100,000.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: While the decentralized lending protocol Compound was trying to fix the vulnerability in its liquidity mining token distribution contract through community proposal No. 63 or No. 64, another US$68.8 million worth of COMP tokens (a total of 202,472 COMP) entered the still-vulnerable liquidity mining token distribution contract because the drip() function was called.
Amount of loss: $ 68,800,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain suffered a flash loan attack. The main reason was that the exchange mining function was abused by hackers in a series of transactions. The hackers could use flash loans to occupy most of the mining pool (to make up for exchange losses/fees) while at the same time collecting the exchange fee reward, for a total profit of 3.18 million FINS. Afterwards, the hacker exchanged the FINS for 1,388 BNB (approximately US$580,000).
Amount of loss: 3,180,000 FINS Attack method: Flash loan attack