1486 hack event(s)
Description of the event: Qubit, the lending product of QBridge, a BSC ecological decentralized lending project, is suspected to have been hacked. The hackers minted a large amount of xETH collateral and consumed about $80 million in assets in the capital pool. According to SlowMist's analysis, the main reason for this attack is that when the recharge of ordinary tokens and native tokens are implemented separately, when transferring the tokens in the whitelist, it is not checked again whether they are 0 addresses, resulting in The operation that should be recharged through the native recharge function can successfully go through the recharge logic of ordinary tokens.
Amount of loss: $ 80,000,000 Attack method: Contract Vulnerability
Description of the event: The project Wegrocoin (WEGRO) on BSC suffered a Rug Pull and lost more than 1000 BNB.
Amount of loss: 1,000 BNB Attack method: Rug Pull
Description of the event: Rug Pull occurred in the BSC ecological InfinityToken (INF), which lost more than 1390 WBNB.
Amount of loss: 1390 WBNB Attack method: Rug Pull
Description of the event: The social media accounts of NFT project Mercenary have been deleted. Deployers spent over $760,000.
Amount of loss: $ 760,000 Attack method: Rug Pull
Description of the event: An OpenSea user exploited a vulnerability in the non-fungible token (NFT) market to steal hundreds of ether (ETH) from the owners of well-known collectibles such as the Bored Ape Yacht Club (BAYC) and Cyber Kongs of several items. The vulnerability appears to be related to the listing mechanism exploited by the platform and allows users to earn around 347 ETH by purchasing some NFTs at the previous listing price on different markets.
Amount of loss: 347 ETH Attack method: Listing mechanism loopholes
Description of the event: Blockverse is a Minecraft-based NFT game. Through OpenSea, investors can buy Blockverse characters and a cryptocurrency called $Diamond. Unfortunately, investors withdrew all real money invested in Blockverse, shutting down and deleting the project’s official website, Discord, and Twitter. After three days of silence, the Blockverse founders resurfaced on Twitter, apologizing and explaining their actions. More than three weeks later, the Blockverse team's promise to "get back on track" has not materialized. The Blockverse Twitter account has not been updated further, its website remains offline, and the Medium account hosting the Blockverse white paper has disappeared.
Amount of loss: 1,294 ETH Attack method: Rug Pull
Description of the event: The SolFire Finance project owner stole all investor funds and moved them to the ETH chain via a cross-chain bridge. The project's GitHub account and Twitter account have been deleted and the site is no longer accessible.
Amount of loss: $ 10,000,000 Attack method: Rug Pull
Description of the event: Kingfund Finance had a Rug Pull and lost over 300 WBNB. Upon inquiry, the official Twitter of the project has been cancelled.
Amount of loss: 300 WBNB Attack method: Rug Pull
Description of the event: @alxlpsc disclosed on medium that MetaMask has serious privacy leaks. The vulnerability mainly uses MetaMask to automatically load NFT image URLs. Basic attack idea: the attacker can set the URI of the NFT to a server URL that he can control, and transfer the NFT to the target account; when the user logs in to MetaMask, MetaMask will automatically scan the NFT owned by the account, and initiate a pointer to The HTTP request to the attacker's server; the attacker can obtain the victim's IP information from the access log.
Amount of loss: - Attack method: Information Leakage
Description of the event: According to Rugdoc, AFKSystem rug all of their vaults for a combined profit of around $12 million. Although AFKSystem has severely cut their governance authority. But they still retain an important privilege - changing the routers that sell the harvested tokens.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: According to the Crypto.com investigation report, “On January 17, 2022, Crypto.com learned that a small number of users had made unauthorized withdrawals of cryptocurrencies on their accounts. Crypto.com immediately suspended all token withdrawals to initiate the investigation and remained open 24/7 Work to resolve the issue. No clients suffered loss of funds. In most cases we blocked unauthorized withdrawals and in all other cases clients were fully reimbursed. The incident affected 483 Crypto. com users. Unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC and approximately $66,200 in other currencies.”
Amount of loss: $ 34,000,000 Attack method: Permission Stolen
Description of the event: The cross-chain bridge Multichain said that an important vulnerability affecting six tokens of WETH, PERI, OMT, WBNB, MATIC, and AVAX was officially discovered. Now the vulnerability has been successfully repaired, and all users' assets are safe and cross-chain. Transactions will not be affected. However, if the user has authorized these six assets, he needs to log in as soon as possible to revoke the authorization, otherwise the assets may be at risk. According to the official announcement on the 19th, because some users did not cancel the authorization in time, the stolen funds were about 445 WETH, worth about 1.43 million US dollars.
Amount of loss: 455 ETH Attack method: The validity of the parameter is not checked
Description of the event: Decentralized trading platform Crosswise was attacked in nearly an hour, losing about $879,000. The hacker exploited a publicly exposed privileged function, which was then used to set trustedForwarder and further hijack Crosswise's owner privileges. The stolen funds have now been transferred to Tornado Cash for mixing.
Amount of loss: 879,000 Attack method: Contract Vulnerability
Description of the event: There is a vulnerability in the Crypto Burger project, an NFT project on the BSC chain. "The attacker discovered a vulnerability related to the $BURG token contract, which managed to burn most of the tokens in the liquidity pool, while immediately liquidating the tokens it had previously acquired, from liquidity," the project said in a statement. $770,000 was stolen from the pool.”
Amount of loss: $ 770,000 Attack method: Contract Vulnerability
Description of the event: White hat hackers at @immunefi discovered a critical vulnerability in the wxBTRFLY Token contract. The transferFrom function in the contract did not update the recipient's authorization correctly, and would incorrectly update the msg.sender's authorization. Although the vulnerability itself is serious, the cause is not complicated (more like a clerical error produced by the developer). What is more interesting is the official repair method. Since the contract itself does not support upgrade, the contract code cannot be updated directly; the contract does not support suspension, so it is not possible to transfer user assets by means of snapshot + migration. The final official measure was to launch an attack transaction by itself, transferring the assets of all users affected by the vulnerability to a multi-signature wallet.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: CityDAO, an Ethereum-based community blockchain city project, has posted that the CityDAO Discord administrator account has been hacked. 29.67 ETH ($95,000) funds were stolen by hackers using stolen admin accounts to post fake land airdrop messages. The attacked administrator, "Lyons800," tweeted that the attack was a "ridiculous security breach from Discord."
Amount of loss: 29.67 ETH Attack method: Discord was hacked
Description of the event: The attackers withdrew approximately 350 ETH (equivalent to $1.1 million) from Float Protocol’s Rari Capital pool. The reason is that Uniswap V3 FLOAT/USDC oracles lack liquidity, which allows attackers to manipulate the price in the pool and then deposit at a higher interest rate. The hackers returned about $250,000 for some reason.
Amount of loss: 350 ETH Attack method: Price Manipulation
Description of the event: The creator of the NFT project Frosties absconded with the money, causing investors to lose more than $1 million. According to available information, there are 8,888 NFTs in the series with a floor price of 0.04 ETH, roughly over $120. Within an hour, all NFTs were sold, but instead of getting their assets, investors found out that the project developers closed all communication with community members. Etherscan data shows that developers have moved most of the funds from the OpenSea account to another wallet.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: 7 IDO projects on BSC are suspected to be running, namely $GOTEM (gotEM), $ONEP (HarmonyPad), $HBARP (HbarPad), $MPLAY (MetaPlay), $ELIT (Electrinity) and $PEE (MicroPee) $QDrop (QuizDrop), swept away more than 5,744 WBNB, and the funds were transferred out through Tornado.Cash.
Amount of loss: 5744 BNB Attack method: Rug Pull
Description of the event: NFT marketplace LooksRare suffered a DDoS attack hours after its launch, resulting in a brief offline. Some users reported that they could not connect their wallets and list their NFTs. The LooksRare team quickly restored the site.
Amount of loss: - Attack method: DDoS Attack