1522 hack event(s)
Description of the event: According to the official release, the MM.finance website was hit by a DNS attack, and the attacker managed to inject malicious contract addresses into the front-end code. The attacker exploited the DNS vulnerability to modify the router contract address in the escrow file, and digital assets worth more than $2,000,000 were stolen, bridged to the Ethereum network through multi-chain, and then laundered through Tornado Cash.
Amount of loss: $ 2,000,000 Attack method: DNS Attack
Description of the event: Rainbow Bridge was attacked using forged blocks. However, the attack was blocked by an automatic watchdog mechanism, and the attacker lost 2.5 ETH.
Amount of loss: - Attack method: Fake NEAR blocks
Description of the event: Solana-based NFT team at Metaplex, a web application and deployment platform, discontinued the program section today, Solana shows the program deployment of its program section, when further stabilized, the Solana team will be used to deploy a bot to use it for Deploy a bot. When attempting to complete a test transaction, 0.01 SOL will be charged for labor. The collected penalty funds will be provided to the configuration account of the Candy Machine instance.
Amount of loss: - Attack method: Downtime
Description of the event: In April, attackers exploited a vulnerability to steal $80 million from Rari Capital, and the asset management project Babylon Finance, Rari's main lending pool, lost $3.4 million as a result. On Aug. 31, Babylon Finance founder Ramon Recuero published a blog post announcing that Babylon would be shutting down and pledging to distribute remaining project funds to holders.
Amount of loss: $ 3,400,000 Attack method: Affected by the Rari Capital vulnerability
Description of the event: Fei Protocol officially tweeted that it had noticed multiple exploits of Rari Capital’s Fuse pools, had identified the root cause, and had suspended all lending to mitigate further losses. It also announced that the hackers would receive a bounty of 10 million US dollars if they return user funds. According to previous news, Fei Protocol was attacked, and the loss exceeded 28,380 ETH, about 80.34 million US dollars. The attacker's address was 0x6162759eDAd730152F0dF8115c698a42E666157F. The Rari Capital pool was attacked due to a classic reentrancy vulnerability: its exitMarket function has no reentrancy protection.
Amount of loss: $ 80,000,000 Attack method: Reentrancy Attack
Description of the event: DeFi protocol Saddle Finance was attacked, causing the protocol to lose more than $10 million.
Amount of loss: $ 10,000,000 Attack method: Flash Loan Attack
Description of the event: Fantom-based decentralized derivatives protocol DEUS Finance was attacked, and the hackers made about $13.4 million in profit. The hack utilized a flash loan-assisted manipulation of price oracles read from the StableV1 AMM-USDC/DEI pair, and then used the manipulated collateral DEI price to borrow and drain the pool.
Amount of loss: $ 13,400,000 Attack method: Flash Loan Attack
Description of the event: The official Instagram of the NFT project Bored Ape Yacht Club (BAYC) was hacked, and the attackers have stolen 91 NFTs including 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, etc.
Amount of loss: - Attack method: Instagram was hacked
Description of the event: The Wiener DOGE project was maliciously exploited, causing $30,000 in damages. Attackers exploited the inconsistency between WDOGE's fee mechanism and swap pools to launch the attack. The root cause of the incident is that the deflationary token contract does not exclude the LP pair, when it is the sender, from the transfer fee. As a result, the attacker is able to drain the deflationary tokens in the LP pair, which in turn causes the pair price to become unbalanced.
Amount of loss: $ 30,000 Attack method: Flash loan attack
Description of the event: The Last Kilometer project was exploited in a flash loan attack, resulting in a loss of $26,495.
Amount of loss: $ 26,495 Attack method: Flash loan attack
Description of the event: The Medamon project was exploited in a flash loan attack, resulting in a loss of $3,159.
Amount of loss: $ 3,159 Attack method: Flash Loan Attack
Description of the event: The PI-DAO project was exploited in a flash loan attack, resulting in a loss of $6,445.
Amount of loss: $ 6,445 Attack method: Flash Loan Attack
Description of the event: 11,539.5 ETH became permanently impossible to withdraw from the auction contract of the Akutars (@AkuDreams) project due to multiple code flaws. According to SlowMist analysis, even if the problem of users being unable to get refunds is solved, the inconsistency between the number of bidders and the number of auctions, together with the defects in the project team's withdrawal function, means that the Akutars funds will eventually be permanently locked.
Amount of loss: 11,539.5 ETH Attack method: Contract Vulnerability
Description of the event: The DeFi ecosystem protocol ZEED was attacked and lost about $1 million. At present, all of the attacker's gains remain in the attack contract.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: The SlowMist security team found that funds from about 52 addresses were maliciously transferred to terra1fz57nt6t3nnxel6q77wsmxxdesn7rgy0h27x30 from April 12 to April 21, with a total loss of about $4.31 million. The SlowMist security team stated that this was a batch phishing attack carried out through Google keyword advertisements. When a user searches for the well-known Terra project on Google, the first advertisement link (the domain name may be the same) on the Google search result page is actually a phishing website. When a user visits this phishing website and connects a wallet, the site prompts the user to enter the mnemonic phrase directly. Once the user enters it and clicks submit, the assets are stolen by the attacker.
Amount of loss: $ 4,310,000 Attack method: Phishing Attack
Description of the event: A Rug Pull occurred in MaxAPY Finance, an automatic pledge protocol on BNB Chain, and its official Twitter account and Telegram group have been deleted. MaxAPY contract owners have transferred 1,042 BNB.
Amount of loss: 1042 BNB Attack method: Rug Pull
Description of the event: The Discord of NFT project Ugly People has been hacked, and attackers are spreading fake mint links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The flash loan attack on the Ethereum-based algorithmic stablecoin project Beanstalk Farms caused a protocol loss of about 182 million US dollars. The specific assets include 79238241 BEAN3CRV-f, 1637956 BEANLUSD-f, 36084584 BEAN and 0.54 UNI-V2_WETH_BEAN. The attackers made over $80 million, including about 24,830 ETH and 36 million BEAN. The main reason for this attack is that there is no time interval between the voting on and the execution of a proposal, so the attacker can execute a malicious proposal directly after the vote completes, without community review.
Amount of loss: $ 182,000,000 Attack method: Flash loan attack
Description of the event: According to official sources, a large amount of FACE tokens were dumped on-chain, and the investigation found that one of the FACE tokens held by the team was transferred and sold by an unauthorized account.
Amount of loss: - Attack method: Phishing attack
Description of the event: The developer of the Klaytn-based NFT project Metaconz tweeted that a malicious bot was installed on the administrator account of Metaconz’s overseas Discord team on Saturday, causing 79 users to lose 11.9 ETH (about $36,000). The team promised to compensate all losses, and 53 users have so far been compensated. In addition, the developer warned that any user who executed the setApprovalForAll function in Etherscan should transfer their wallet unconditionally. In this attack, the hacker used this function to deprive the victims of their wallet permissions.
Amount of loss: 11.9 ETH Attack method: Discord was hacked