1486 hack event(s)
Description of the event: Maison Ghost’s Discord was hacked, the hacker posted a fake minting link, and within minutes about 300 NFTs were stolen, including the Sandbox and 3landers NFTs, which were then sold for 128 ETH and eventually sent to Tornado.
Amount of loss: 128 ETH Attack method: Discord was hacked
Description of the event: NFT project MekaVerse tweeted that the official Discord was hacked. In addition, according to other users in the community, the wallets of hundreds of thousands of bots are suspected to have been stolen, and it seems that no users have been affected.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The NFT project VEVE officially tweeted that the system was exploited, resulting in a large number of gems being illegally obtained.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The stablecoin project Cashio on Solana has been hacked. According to the preliminary analysis of the SlowMist security team, hackers illegally issued 2 billion CASH tokens by bypassing an unverified account, and converted CASH tokens into 8,646,022.04 UST, 17,041,006.5 USDC and 26,340,965.68 USDT-USDC through multiple applications. LP, total profit value: 52027994.22 USD (more than 50 million USD). At present, the official announcement has been issued to allow users to suspend the use of the contract, and a temporary patch has been released to fix the vulnerability.
Amount of loss: $ 52,027,994.22 Attack method: Contract Vulnerability
Description of the event: Twitter user cr0ss.eth said Defiance Capital founder Arthur's hot wallet was suspected to have been stolen. OpenSea data shows that in Arthur's wallet address 0x4C53c32980ccE49aaA4bCc53Eef3f143Bc27E0aF, 60 NFTs including 17 azuki and 5 cloneX were transferred on the chain, totaling about 310 ETH.
Amount of loss: 310 ETH Attack method: Private Key Leakage
Description of the event: The NFT project REALSWAK has a Rug Pull, and its official social account (@REALSWAK) has been cancelled. Scammers have transferred 1,300 BNB to the TornadoCash mixer.
Amount of loss: 1330 BNB Attack method: Rug Pull
Description of the event: Fantom ecological Stablecoin revenue optimizer OneRing issued a document saying that hackers stole 1,454,672.244369 USDC through flash loan attacks, and the contract has been configured to self-destruct in a specific block, so it is almost impossible to track which specific functions in the contract are called to steal funds. .
Amount of loss: $ 1,454,672.24 Attack method: Flash loan attack
Description of the event: Crypto lender BlockFi has confirmed a data breach at Hubspot, one of its third-party vendors, Cointelegragh reported. Hubspot stores BlockFi's user data, including names, email addresses, and phone numbers. According to the announcement, hackers stole BlockFi’s customer data on March 18. Hubspot has confirmed that an unauthorized third party obtained certain BlockFi customer data deposited on its platform. BlockFi is currently cooperating with Hubspot's investigation to clarify the overall impact of the data breach. While the exact details of the stolen data have yet to be identified and disclosed, BlockFi emphasized that data such as passwords, government-issued IDs, and Social Security numbers were never stored on Hubspot.
Amount of loss: - Attack method: Information Leakage
Description of the event: According to official reports, attackers exploited Li.finance’s smart contracts and managed to steal around $600,000 (currently worth $587,500 or 205 ETH) from 29 wallets. Attackers took various tokens from users’ wallets, including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. The project team has found the vulnerability and created a fix, compensating most of the affected users in less than 18 hours.
Amount of loss: $ 600,000 Attack method: Contract Vulnerability
Description of the event: DeFi oracle Umbrella Network’s Ethereum and BNB Chain (formerly BSC) reward pools were hacked, resulting in the hackers earning around $700,000. The hacker was able to succeed because of an unchecked vulnerability in withdraw() , so anyone could withdraw any amount of funds without having any balance.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: According to a report by Twitter user Will Sheehan, the arbitrage bot took out more than 6w APE Coins (worth $8 each) through flash loans. After analysis, it was found that this was related to a loophole in the airdrop mechanism of APE Coin. Specifically, whether APE Coin can be airdropped depends on whether a user holds the instantaneous state of BYAC NFT, and this instantaneous state attacker can manipulate by borrowing a flash loan and then redeeming to obtain BYAC NFT. The attacker first borrows BYAC Token through flash loan, and then redeems to obtain BYAC NFT. Then use these NFTs to claim the airdropped APE, and finally use the BYAC NFT mint to obtain BYAC Token to return the flash loan.
Amount of loss: $ 500,000 Attack method: Airdrop Mechanism Vulnerability
Description of the event: Hundred Finance, the Compound fork project on the Gnosis chain, tweeted that it suffered a hacker attack and lost more than $6 million.
Amount of loss: $ 6,000,000 Attack method: Flash loan attack
Description of the event: DeFi protocol Deus Finance was attacked by a flash loan, and hackers manipulated the price of the oracle machine and stole about $3 million, including 200,000 DAI and 1101.8 ETH through Tornado mixing.
Amount of loss: $ 3,000,000 Attack method: Flash loan attack
Description of the event: The Agave contract on Gnosis Chain was attacked due to an untrusted external call. The attacker calls the liquidateCall function to liquidate himself without any debt. During the liquidation process, the liquidation contract called the attacker contract. During the process, the attack contract deposited 2728 WETH obtained through the flash loan and minted 2728 aWETH. And use this as collateral to lend out all available assets in the Agave project. After the external call ends, the liquidateCall function directly liquidates the 2728 aWETH previously deposited by the attacker and transfers it to the liquidator.
Amount of loss: $ 5,400,000 Attack method: Flash loan attack
Description of the event: According to RugDoc on Twitter, PulseDAO Finance has rugpulled. Social and website are closed. 4342 FTM was removed by contract developer.
Amount of loss: 4342 FTM Attack method: Rug Pull
Description of the event: Several NFT players posted on social media that a project called "NFTflow" had a Rug Pull, ran away without completing the pre-sale, and transferred the 92 ETHs from the sale to the Tornado mixer. According to the official website, NFTflow calls itself "a platform for creating liquid markets for illiquid NFTs on StarkNet".
Amount of loss: 92 ETH Attack method: Rug Pull
Description of the event: The metaverse financial project Paraluni on the BSC chain was hacked, and the hackers made more than $1.7 million in profits. The problem lies in the depositByAddLiquidity method of the MasterCheif contract of the project side. This method does not check whether the token array parameter address[2] memory _tokens matches the LP pointed to by the pid parameter, and does not add lock when the LP amount changes.
Amount of loss: $ 1,700,000 Attack method: Reentrancy Attack
Description of the event: Fantom’s on-chain synthetic asset protocol, Fantasm Finance, posted on social media that its FTM collateral reserves had been exploited, and called on users to exchange their XFTM immediately. After exploiting the vulnerability, the hacker exchanged all the profits for ETH, and used Tornado.cash to mix coins across the chain to the Ethereum main network. According to statistics, the hacker made a profit of 1,007 ETH (about 2.73 million US dollars).
Amount of loss: 1,007 ETH Attack method: Contract Vulnerability
Description of the event: ActiveCampaign (AC), an external email marketing provider used by Unchained, was hacked last week, according to Joe Kelly, CEO of Bitcoin financial services firm Unchained Capital. Information shared with AC, including customer email addresses, usernames, account status, whether customers have active multi-signature vaults or loans using Unchained Capital, and possibly IP addresses may have flowed out without authorization. Kelly said no systems on Unchained were affected, meaning customer profile information that was never shared with AC was not leaked. Kelly added that while customer Bitcoin custody is protected by multi-signature cold storage, customers should still be aware of what's going on and be wary of phishing attacks.
Amount of loss: - Attack method: Information Leakage
Description of the event: The pledge contract (0x6912B19401913F1bd5020b3f59EE986c5792DA54) of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back. The attackers put these tokens on the market and made a profit of about 212 BNB.
Amount of loss: 212 BNB Attack method: Private Key Leakage