1525 hack event(s)
Description of the event: On May 18, QANX Bridge was attacked between 15:01:40 and 18:20:25 UTC. Developers can withdraw 100,450,000 QANX from QANX Bridge and sell it on Uniswap for 325 ETH, then transfer it to Tornado Cash. By May 26, the hackers had sold all the stolen QANX tokens.
Amount of loss: 100,450,000 QANX Attack method: Private Key Leakage
Description of the event: The Discord server for NFT series Lazy Lions was hacked. Notably, this attack appears to have infiltrated many other large NFT projects throughout the day, seemingly because MEE6 staff were able to use MEE6 remotely to give themselves roles in any server.
Amount of loss: - Attack method: Discord was hacked
Description of the event: NFT project Alien Frens tweeted that Discord had been attacked. Users are asked not to click on any MINT links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The multi-chain DeFi protocol FEG was attacked again. The flash loan attack on the BNB chain caused a loss of about $1.3 million in assets, and the subsequent flash loan attack on Ethereum caused a loss of about $590,000, for a total loss of about $1.9 million in assets. This attack is similar to yesterday's attack and is caused by a vulnerability in the "swapToSwap()" function. This function treats the "path" entered by the user as a trusted party without screening or validating the incoming parameters. Additionally, the function allows an unverified "path" parameter (an address) to use the current contract's assets. Therefore, by calling "depositInternal()" and "swapToSwap()", the attacker can obtain permission to use the assets of the current contract, thereby stealing the assets within the contract.
Amount of loss: $ 1,900,000 Attack method: Flash Loan Attack
Description of the event: There was an abnormality on the Tianqiong Digital Collection platform. The price of its collections on the secondary market skyrocketed thousands of times, and collections with a price of nearly 10 million yuan were sold in seconds. The Tianqiongshuzang announcement stated that the platform was maliciously attacked by hackers, who used false balances to purchase and steal player collections.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: The multi-chain DeFi protocol FEG was suspected of being attacked, and a total of 143 Ethereum and 32,747 BNB were lost, about $1.3 million.
Amount of loss: $ 1,300,000 Attack method: Flash Loan Attack
Description of the event: Fantom-based DeFi lending protocol Scream caused $35 million in bad debt after failing to adjust the price of two de-pegged USD stablecoins. The two stablecoins are Fantom USD (FUSD) and Dei (DEI). Both stablecoins are still quoted at $1, according to data from the Scream dashboard. However, their trading prices have been severely de-pegged. Among them, FUSD fell to $0.69, and DEI fell to a low of $0.52. Whale players took advantage of this situation to deposit large amounts of FUSD and DEI at a discount, and siphoned all other stablecoins from the Scream platform. Stablecoins such as Fantom USDT, FRAX, DAI, MIM, and USDC have all been withdrawn from the platform. As a result, users who originally had deposits in these stablecoins would not be able to withdraw from Scream.
Amount of loss: $ 35,000,000 Attack method: Stablecoin prices de-anchor
Description of the event: SpiritSwap tweeted that its front-end server hosted on AWS was compromised by hackers, the website's parameters were tampered with, and $18,000 had been stolen so far. According to the official postmortem analysis, the attackers contacted GoDaddy and began a social engineering attack on one of its employees. After gaining access to the account, the attackers modified DNS settings and changed all credentials, effectively hijacking access and taking ownership for themselves. After securing access to the SpiritSwap domain, the attackers deployed a phishing site made to look like SpiritSwap. The attackers then used the "send to" function in the exchange contract to reroute any funds exchanged by users to the attacker's address.
Amount of loss: $ 18,000 Attack method: Malicious Code Injection Attack
Description of the event: Decentralized exchange QuickSwap came under attack through a vulnerability at its hosting provider GoDaddy. The hijackers gained access to QuickSwap's DNS through a vulnerability in GoDaddy, where QuickSwap domains were hosted. Some DEX users lost around $107,600 through platform swaps before QuickSwap was able to regain control of its domain.
Amount of loss: $ 107,600 Attack method: DNS Hijacking Attack
Description of the event: Popular cryptocurrency websites including Etherscan, CoinGecko, and DeFi Pulse have reported incidents of malicious pop-ups prompting users to connect their MetaMask wallets. CoinGecko founder Bobby Ong said he believes the culprit is a malicious ad script from a crypto ad network called Coinzilla. The ad appears to be from a website parodying the popular Bored Apes Yacht Club NFT project, which was taken down after the scam was discovered.
Amount of loss: - Attack method: Phishing attack
Description of the event: Venus Protocol issued a statement saying that Chainlink's suspension of LUNA price updates, following extreme volatility in LUNA prices, caused the price of LUNA on the Venus lending market to remain at $0.107, while the market price of LUNA had dropped to $0.01 at that time. After the price update was suspended, two addresses borrowed about $13.5 million in assets by staking 230 million LUNA (worth about $2.3 million at the time), resulting in a loss of about $11.2 million to the protocol. At present, the LUNA lending market has been suspended, and this loss will be made up by the risk fund.
Amount of loss: $ 11,200,000 Attack method: Oracle Attack
Description of the event: Avalanche lending protocol Blizz Finance tweeted that Chainlink suspended its LUNA oracles, allowing several attackers to deposit millions of LUNA and borrow all collateral at the $0.1 price reported by the Chainlink oracle. Due to the timelock mechanism, the protocol's assets were exhausted before the team could suspend it. According to DeFi Llama data, the protocol's TVL was $8.28 million yesterday, and it is now 0.
Amount of loss: $ 8,300,000 Attack method: Oracle Attack
Description of the event: Sentinel founder Serpent tweeted that the first Google search result for the NFT trading platform X2Y2 was a scam website. It used loopholes in Google Ads to make the real website's URL and the scam URL look exactly the same, and about 100 ETH had been stolen. At present, the fake website has been removed after being reported by community members and exposed by the media. Users can enter x2y2.io directly to reach the official website.
Amount of loss: 100 ETH Attack method: Phishing Attack
Description of the event: The ownlyio project's NFTStaking contract was attacked, with a total of 115 BNB stolen and a loss of about $36,418. The cause of this attack is that the unstake function of the ownlyio project's staking contract does not check the user's claim status, so the attacker could call the unstake function repeatedly to receive the own tokens in the contract without limit, thereby extracting all the own tokens in the staking contract. Finally, the attacker exchanged the acquired own tokens for 115 BNB through the trading pair.
Amount of loss: 115 BNB Attack method: Contract Vulnerability
Description of the event: The GOAT project claimed to be "the new standard in cryptocurrencies," but one of the project's developers abruptly sold their assets, taking $260,000 with them, and the token price fell to nearly $0.
Amount of loss: $ 260,000 Attack method: Rug Pull
Description of the event: Fortress Protocol, a lending protocol on BNB Chain, was suspected of being attacked. Token FTS fell by 42% in a short time. Currently, 1,048 Ethereum and 400,000 DAI have been transferred to Tornado.cash.
Amount of loss: $ 3,050,000 Attack method: Flash Loan Attack
Description of the event: Cashera is a project that claims to offer a "banking revolution" through its CSR crypto token. The project does a number of things to try to appear legitimate, including linking to government records showing a company named after it is registered in the UK and conducting a smart contract audit courtesy of AuditRateTech. Their website boasts "partners" including VISA, PayPal, Netflix and Spotify. Still, project deployers suddenly minted 23 million CSR tokens, which they exchanged for nearly $90,000 in other assets, plummeting the token value by about 70% in the process. The development team also took the project website offline.
Amount of loss: $ 90,000 Attack method: Scam
Description of the event: The DeFi project Hunter has been rug pulled, and currently its Telegram, Discord, and website cannot be opened.
Amount of loss: $ 1,200,000 Attack method: Rug Pull
Description of the event: The Fury of the Fur NFT project was a collection of 3D models that sort of resembled bears. However, the NFT rollout has not been smooth - out of a total supply of 9,671 NFTs, less than 2,800 NFTs have been minted. The project attempted to relaunch but failed to generate more interest, so the creators decided to pull it out — while preserving funding, of course. The project founders have left a long message to the community that they will close the project.
Amount of loss: $ 300,000 Attack method: Rug Pull
Description of the event: Day of Defeat has been rug pulled: its value suddenly dropped by over 96%, and over $1.35 million in assets has been moved from BSC-based projects to external wallets. After the funds ran out, the project claimed they had been hacked by outside actors and had “reported to Binance and local authorities.”
Amount of loss: $ 1,350,000 Attack method: Rug Pull