1513 hack event(s)
Description of the event: Sentinel founder Serpent tweeted that the first Google search result for the NFT trading platform X2Y2 was a scam website. It exploited loopholes in Google Ads to make the scam URL look exactly the same as the real website's, and about 100 ETH had been stolen. The fake website has since been removed after being reported by community members and exposed by the media. Users can reach the official website by entering x2y2.io directly.
Amount of loss: 100 ETH Attack method: Phishing Attack
Description of the event: The ownlyio project's NFTStaking contract was attacked, with a total of 115 BNB stolen and a loss of about $36,418. The attack was possible because the unstake function of the ownlyio project's staking contract does not check the user's claim status, so the attacker could call unstake repeatedly to receive the OWN tokens held by the contract without limit, thereby extracting all the OWN tokens in the staking contract. Finally, the attacker exchanged the acquired OWN tokens for 115 BNB through the pair.
Amount of loss: 115 BNB Attack method: Contract Vulnerability
Description of the event: The GOAT project claimed to be "the new standard in cryptocurrencies," but one of the project's developers abruptly sold their assets, taking $260,000 with them, and the token price fell to nearly $0.
Amount of loss: $ 260,000 Attack method: Rug Pull
Description of the event: Fortress Protocol, a lending protocol on BNB Chain, was suspected of being attacked. Its token FTS fell by 42% in a short time. Currently, 1,048 ETH and 400,000 DAI have been transferred to Tornado.cash.
Amount of loss: $ 3,050,000 Attack method: Flash Loan Attack
Description of the event: Cashera is a project that claims to offer a "banking revolution" through its CSR crypto token. The project does a number of things to try to appear legitimate, including linking to government records showing a company named after it is registered in the UK and conducting a smart contract audit courtesy of AuditRateTech. Their website boasts "partners" including VISA, PayPal, Netflix and Spotify. Still, project deployers suddenly minted 23 million CSR tokens, which they exchanged for nearly $90,000 in other assets, plummeting the token value by about 70% in the process. The development team also took the project website offline.
Amount of loss: $ 90,000 Attack method: Scam
Description of the event: The DeFi project Hunter has rug pulled; its Telegram, Discord, and website currently cannot be opened.
Amount of loss: $ 1,200,000 Attack method: Rug Pull
Description of the event: The Fury of the Fur NFT project was a collection of 3D models that sort of resembled bears. However, the NFT rollout has not been smooth - out of a total supply of 9,671 NFTs, less than 2,800 NFTs have been minted. The project attempted to relaunch but failed to generate more interest, so the creators decided to pull it out — while preserving funding, of course. The project founders have left a long message to the community that they will close the project.
Amount of loss: $ 300,000 Attack method: Rug Pull
Description of the event: Day of Defeat has rug pulled: its value suddenly dropped by over 96%, and over $1.35 million in assets has been moved from BSC-based projects to external wallets. After the funds ran out, the project claimed they had been hacked by outside actors and had “reported to Binance and local authorities.”
Amount of loss: $ 1,350,000 Attack method: Rug Pull
Description of the event: The Justice Department released an indictment on May 5 showing that Mining Capital Coin CEO and founder Luiz Capuci Jr. was charged with orchestrating a $62 million investment fraud. Capuci allegedly misled investors about MCC’s plan, which he said would use investors’ funds to mine new cryptocurrencies with guaranteed returns. Instead, Capuci deposited funds into his own crypto wallet and used them to fund his own Lamborghini lifestyle, real estate and yachts. Capuci also allegedly ran a pyramid scheme of promoters, promising them lavish gifts including iPads and luxury cars.
Amount of loss: $ 62,000,000 Attack method: Scam
Description of the event: DeFi project Pragma Money on Fantom has announced that around $1.5 million in FTM has been drained from their treasury and project wallets. It appears to have been done by a team member.
Amount of loss: $ 1,500,000 Attack method: Rug Pull
Description of the event: Sentinel founder Serpent tweeted that OpenSea's official Discord was attacked. Hackers used bot accounts to post fake links in the channel, claiming that "OpenSea has reached a cooperation with YouTube. Click the link to participate in the mint pass NFT limited to 100 pieces." Users should be aware of the risks and should not click on links provided by hackers.
Amount of loss: - Attack method: Discord was hacked
Description of the event: According to the official release, the MM.finance website was hit by a DNS attack, and the attacker managed to inject malicious contract addresses into the front-end code. The attacker exploited the DNS vulnerability to modify the router contract address in the escrow file, and digital assets worth more than $2,000,000 were stolen, bridged to the Ethereum network through multi-chain, and then laundered through Tornado Cash.
Amount of loss: $ 2,000,000 Attack method: DNS Attack
Description of the event: Rainbow Bridge was attacked with forged blocks. However, the attack was blocked by an automatic watchdog mechanism, and the attacker lost 2.5 ETH.
Amount of loss: - Attack method: Fake NEAR blocks
Description of the event: Solana-based NFT team at Metaplex, a web application and deployment platform, discontinued the program section today, Solana shows the program deployment of its program section, when further stabilized, the Solana team will be used to deploy a bot to use it for Deploy a bot. When attempting to complete a test transaction, 0.01 SOL will be charged for labor. The collected penalty funds will be provided to the configuration account of the Candy Machine instance.
Amount of loss: - Attack method: Downtime
Description of the event: In April, attackers exploited a vulnerability to steal $80 million from Rari Capital, and the asset management project Babylon Finance, Rari's main lending pool, lost $3.4 million as a result. On Aug. 31, Babylon Finance founder Ramon Recuero published a blog post announcing that Babylon would be shutting down and pledging to distribute remaining project funds to holders.
Amount of loss: $ 3,400,000 Attack method: Affected by the Rari Capital vulnerability
Description of the event: Fei Protocol officially tweeted that it has noticed multiple exploits of Rari Capital’s Fuse pool, has identified the root cause and suspended all lending to mitigate further losses. It also announced that the hackers will receive a bounty of 10 million US dollars if they return user funds. According to previous news, Fei Protocol was attacked, and the loss exceeded 28,380 ETH, about 80.34 million US dollars. The attacker's address was 0x6162759eDAd730152F0dF8115c698a42E666157F. The Rari Capital pool was attacked due to a classic reentrancy vulnerability: its function exitMarket has no reentrancy protection.
Amount of loss: $ 80,000,000 Attack method: Reentrancy Attack
Description of the event: DeFi protocol Saddle Finance was attacked, causing the protocol to lose more than $10 million.
Amount of loss: $ 10,000,000 Attack method: Flash Loan Attack
Description of the event: Fantom-based decentralized derivatives protocol DEUS Finance was attacked, and the hackers made about $13.4 million in profit. The hack utilized a flash loan-assisted manipulation of price oracles read from the StableV1 AMM-USDC/DEI pair, and then used the manipulated collateral DEI price to borrow and drain the pool.
Amount of loss: $ 13,400,000 Attack method: Flash Loan Attack
Description of the event: The official Instagram of the NFT project Bored Ape Yacht Club (BAYC) was hacked, and the attackers have stolen 91 NFTs including 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, etc.
Amount of loss: - Attack method: Instagram was hacked
Description of the event: The Wiener DOGE project was exploited maliciously, causing $30,000 in damages. Attackers exploited the inconsistency between WDOGE's fee mechanism and swap pools to launch the attack. The root cause of the incident is that the deflationary token contract does not exclude the LP pair, when it is the sender, from the transfer fee. As a result, the attacker is able to drain the deflationary tokens in the LP pair, which in turn causes the pair price to become unbalanced.
Amount of loss: $ 30,000 Attack method: Flash Loan Attack