1914 hack event(s)
Description of the event: The Arbitrum ecological project Jimbos Protocol was attacked, and about 4,090 ETH were stolen (about $7.5 million). This attack was due to the lack of slippage control on the liquidity transfer operation, which resulted in the protocol owned liquidity being invested in a skewed/imbalanced price range, which was used in reverse swaps for profit.
Amount of loss: $ 7,500,000 Attack method: Contract Vulnerability
Description of the event: The Sandbox tweeted that the Twitter account of its CEO and co-founder Arthur Madrid was hacked, and the hackers posted a scam/phishing link for a fake SAND token airdrop. The Sandbox reminds users not to click on the link, but to report the post so it can be blocked.
Amount of loss: - Attack method: Account Compromise
Description of the event: Nigerian gift card and cryptocurrency trading platform Patricia revealed on May 26 that hackers compromised its retail trading app, resulting in an undisclosed amount of BTC and naira assets being compromised, News.bitcoin reported. Other cryptocurrency balances were not affected and assets belonging to their customers and merchants remained safe. Patricia said it had stopped processing withdrawals and was "undergoing internal restructuring".
Amount of loss: $ 2,000,000 Attack method: Retail transaction app is compromised
Description of the event: According to The Block, cybersecurity firm Unciphered claims it was able to hack into hardware-encrypted wallets powered by Trezor T models. In a YouTube demo, Unciphered showed exploiting the wallet vulnerability to extract the mnemonic private key from the wallet, saying the attack is only feasible if the attacker has physical access to the hardware wallet. Trezor CTO Tomáš Sušánka responded: "This appears to be a vulnerability called an RDP downgrade attack, which requires extremely sophisticated technical knowledge and advanced equipment. Even with the above conditions, Trezor can pass a powerful passphrase, making RDP downgrade attacks ineffective.” Trezor added that they have taken the important step of developing a new secure element for hardware wallets with their sister company Tropic Square to solve future problems.
Amount of loss: - Attack method: RDP downgrade attack
Description of the event: Multichain tweeted that although most of the cross-chain routes of the Multichain protocol are operating normally, due to force majeure, some cross-chain routes cannot be used, and the time to restore services is unknown. After service is restored, pending transactions will be credited automatically. Multichain will compensate users affected during this process, and the compensation plan will be announced later. According to previous reports from multiple community users, there is an abnormal delay in the arrival of Multichain cross-chain funds. Markets show that the Multichain token MULTI has fallen 24.1% in the past 24 hours and is currently trading at $5.36.
Amount of loss: - Attack method: Unknown
Description of the event: CS Token was hacked and a total of 714,000 USDT was stolen. The hacker initially transferred 1 BNB from Tornado Cash, and then transferred 383 ETH to Tornado Cash.
Amount of loss: $ 714,000 Attack method: Contract Vulnerability
Description of the event: The team behind Fintoch, a blockchain financial platform, is suspected of being a Ponzi scheme. It defrauded users of 31.6 million USDT on BNB Chain, and the funds were bridged to multiple addresses on Tron and Ethereum. Users reported that they could not withdraw funds. Fintoch advertises that it is a blockchain financial platform built by Morgan Stanley, and users can get 1% return on investment every day. The team page on the Fintoch website refers to "Bobby Lambert" as its CEO, when in fact he doesn't exist and is a paid actor. Earlier, the Singapore government and Morgan Stanley both issued warnings about the investment plan.
Amount of loss: $ 31,600,000 Attack method: Scam
Description of the event: Cross-chain interoperability protocol Celer Network reported Wednesday that it has patched a code vulnerability first discovered by Jump Crypto, The Block reported. In a blog post published by Celer and Jump Crypto, a vulnerability in the State Guardian Network (SGN), Celer's proof-of-stake (PoS) blockchain, was disclosed. If implemented, the vulnerability could allow a malicious validator to submit a large number of fraudulent "votes", resulting in a change in the state of the network. Celer emphasized that the breach did not result in any financial loss. The vulnerability was not publicly accessible and no funds were directly at risk when it was discovered. Celer said it would propose a bug bounty for Jump Crypto as a result of the discovery.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Polygon ecological project LunaFi was attacked. The attacker obtained initial funds from TornadoCash on BSC, the root cause was a flaw in reward calculation, and many other issues in the contract.
Amount of loss: $ 35,000 Attack method: Reward Mechanism Flaw
Description of the event: At 15:25 on May 20, Tornado Cash encountered a governance attack. The attacker granted himself 1.2 million votes through a malicious proposal, exceeding the number of legal votes (about 700,000), and gained full governance control. An attacker could withdraw all locked votes and drain all tokens in the governance contract, disabling routers, though the attacker would still not be able to drain individual pools. Tornado Cash governance attackers obtained a total of 483,000 TORN from governance vaults.
Amount of loss: $ 2,173,500 Attack method: Governance Attack
Description of the event: The Swap-LP contract on BNB Chain (0xe0c352c56af65772ac7c9ab45b858cb43d22f28f) has been attacked with a loss of approximately $1.1 million. The attacker (0xdead) transferred the stolen funds to Tornado Cash. specifically, the attacker manipulated a low-level call in the Swap-LP factory address to trigger the 0x33604058 function of the SwapLP pair. This causes all WDZD tokens in the pair to be transferred to the factory address. As a result, the attacker is able to use fewer WDZDs to obtain more SWAP LPs from the unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743 and subsequently destroy the LPs for profit.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: A Nevada man has been charged in connection with his alleged involvement in CoinDeal, an investment fraud scheme that defrauded more than 10,000 victims of more than $45 million, the U.S. Department of Justice announced. According to court documents, Lee allegedly conspired with Neil Chandran and others to defraud investors of companies controlled by Chandran. Operating under the name "ViRSE," these companies include Free Vi Lab, Studio Vi Inc., ViDelivery Inc., ViMarket Inc., and Skalex USA Inc., among others. Presumably, these companies are developing virtual world technology, including their own cryptocurrency, for use in virtual worlds. Chandran allegedly misled investors by falsely promising extremely high returns on the premise that his company was about to be acquired by a syndicate of wealthy buyers. As further alleged, Lee was the nominal owner and director of ViMarket and was instructed by Chandran on how to transfer received investor funds into ViMarket's bank accounts.
Amount of loss: $ 45,000,000 Attack method: Scam
Description of the event: About 110 million USD in WETH, USDT, WBTC, WMATIC in Aave V2 on Polygon cannot be withdrawn, nor can it be borrowed and repaid. This is because the interest rate strategy contract is only compatible with Ethereum, not Polygon. At present, Aave has submitted a patch to fix this problem, which will be deployed after voting. Funds are not at risk, but it takes at least a week for funds to be unfrozen.
Amount of loss: - Attack method: Compatibility issues
Description of the event: The Arbitrum ecological Swaprum project has a Rug Pull, the price of SAPR has dropped by 100%, Swaprum has deleted the social account, and the scammer bridged 1628 ETH (about 2.94 million US dollars) to Ethereum and transferred it to Tornado Cash.
Amount of loss: $ 3,000,000 Attack method: Rug Pull
Description of the event: On May 19, Blockworks Research stated on Twitter that the Bitcoin Layer 2 network Stacks has experienced several obstacles in the past few months: 1. There is a serious loophole in the STX "stacking" mechanism; 2. Confused review It becomes common during Stacks mining; 3. Stacks chain block reorganization is more common.
Amount of loss: - Attack method: Block Reorganization
Description of the event: The DeFi protocol WDZD Swap on BSC was exploited and lost about $1.1 million. The attackers made nine malicious transactions that drained 609 Binance-Pegged ETH from contracts related to the WDZD project.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: Alexpf.eth, co-founder and CEO of NFT exchange EZswap, tweeted: "OpenSea is suspected of having a royalty loophole. Recently, OpenSea seems to have changed the owner's identification standard, which means that NFT projects cannot set or change royalties. This error is very serious. Seriously, it's been around for 2 days."
Amount of loss: - Attack method: Royalty Vulnerability
Description of the event: The EOS Network Foundation tweeted that the EOS EVM has released version v0.4.2, which fixes a serious security vulnerability found in the EOS EVM. The EOS EVM contracts, EOS EVM nodes, and EOS EVM RPC components implemented by the EOS mainnet all need to be upgraded.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The Web3 content publishing platform Mirror application is currently experiencing an outage under load.
Amount of loss: - Attack method: Load
Description of the event: The DeFi protocol land was suspected of being attacked and lost about 150,000 US dollars. The reason for the attack was the lack of mint permission control.
Amount of loss: $ 150,000 Attack method: Contract Vulnerability