1513 hack event(s)
Description of the event: There is a vulnerability in the Crypto Burger project, an NFT project on the BSC chain. "The attacker discovered a vulnerability related to the $BURG token contract, which managed to burn most of the tokens in the liquidity pool, while immediately liquidating the tokens it had previously acquired, from liquidity," the project said in a statement. $770,000 was stolen from the pool.”
Amount of loss: $ 770,000 Attack method: Contract Vulnerability
Description of the event: White hat hackers at @immunefi discovered a critical vulnerability in the wxBTRFLY Token contract. The transferFrom function in the contract did not update the recipient's authorization correctly, and would incorrectly update the msg.sender's authorization. Although the vulnerability itself is serious, the cause is not complicated (more like a clerical error produced by the developer). What is more interesting is the official repair method. Since the contract itself does not support upgrade, the contract code cannot be updated directly; the contract does not support suspension, so it is not possible to transfer user assets by means of snapshot + migration. The final official measure was to launch an attack transaction by itself, transferring the assets of all users affected by the vulnerability to a multi-signature wallet.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: CityDAO, an Ethereum-based community blockchain city project, has posted that the CityDAO Discord administrator account has been hacked. 29.67 ETH ($95,000) funds were stolen by hackers using stolen admin accounts to post fake land airdrop messages. The attacked administrator, "Lyons800," tweeted that the attack was a "ridiculous security breach from Discord."
Amount of loss: 29.67 ETH Attack method: Discord was hacked
Description of the event: The attackers withdrew approximately 350 ETH (equivalent to $1.1 million) from Float Protocol’s Rari Capital pool. The reason is that Uniswap V3 FLOAT/USDC oracles lack liquidity, which allows attackers to manipulate the price in the pool and then deposit at a higher interest rate. The hackers returned about $250,000 for some reason.
Amount of loss: 350 ETH Attack method: Price Manipulation
Description of the event: The creator of the NFT project Frosties absconded with the money, causing investors to lose more than $1 million. According to available information, there are 8,888 NFTs in the series with a floor price of 0.04 ETH, roughly over $120. Within an hour, all NFTs were sold, but instead of getting their assets, investors found out that the project developers closed all communication with community members. Etherscan data shows that developers have moved most of the funds from the OpenSea account to another wallet.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: 7 IDO projects on BSC are suspected to be running, namely $GOTEM (gotEM), $ONEP (HarmonyPad), $HBARP (HbarPad), $MPLAY (MetaPlay), $ELIT (Electrinity) and $PEE (MicroPee) $QDrop (QuizDrop), swept away more than 5,744 WBNB, and the funds were transferred out through Tornado.Cash.
Amount of loss: 5744 BNB Attack method: Rug Pull
Description of the event: NFT marketplace LooksRare suffered a DDoS attack hours after its launch, resulting in a brief offline. Some users reported that they could not connect their wallets and list their NFTs. The LooksRare team quickly restored the site.
Amount of loss: - Attack method: DDoS Attack
Description of the event: Sports NFT platform Lympo suffered a hot wallet security breach, losing 165.2 million LMT tokens worth $18.7 million in the hack. Ten different project wallets were compromised in the attack. Quotes show that the LMT price plummeted 92% to $0.0093 after hackers moved and sold the loot in the project’s hot wallet.
Amount of loss: $ 18,700,000 Attack method: Wallet Stolen
Description of the event: The LCX exchange tweeted that LCX's technical team detected an unauthorized access on the LCX platform, nearly $8 million in encrypted assets were stolen, and about 60% were frozen.
Amount of loss: $ 8,000,000 Attack method: Wallet Stolen
Description of the event: According to the block explorer, the last block of the Arbitrum One network was generated at 18:29 Beijing time, and no new blocks and new transactions have been generated for more than 2 hours. At the same time, the Matemask wallet cannot connect to the Arbitrum One network.
Amount of loss: - Attack method: Downtime
Description of the event: The digital asset service provider StoboxCompany was attacked by hackers, and its official statement that the private key had been leaked, affected by this, the token fell by 96.93%. StoboxCompany officially stated that the address of the deployer of Stobox tokens was hacked. Since the address of the deployer of ETH and BSC is the same, all reserve funds have been stolen or liquidated. Remind users to stop buying/selling, and the official will restore the STBU snapshot to the last transaction before the hacker attack.
Amount of loss: - Attack method: Private Key Leakage
Description of the event: Rug Pull occurred in the DaoMetaland project on BSC, and the current loss exceeds 640 BNB. DaoMetaland's official Twitter has been deleted.
Amount of loss: 640 BNB Attack method: Rug Pull
Description of the event: NFT project Bored Bunny is suspected of being a Rug Pull project. Some netizens said that 2,000 ETH raised have been transferred out, and some of them have been transferred to Binan. In addition, this address had similar behavior 1-2 months ago, associated with 2 NFT items that almost went to zero. Currently Bored Bunny's Discord has turned off all people all channels to speak.
Amount of loss: 2,000 ETH Attack method: Rug Pull
Description of the event: Arbix Finance ran away, taking away more than 10 million US dollars. Arbix Finance bills itself as an arbitrage project on BSC, where users can deposit funds in a single asset vault in order to "get the best return with low risk". Starting at around 3 am on January 4, the project siphoned users’ funds from the treasury and deleted their websites, Twitter and Telegram accounts.
Amount of loss: $ 10,000,000 Attack method: Rug Pull
Description of the event: Solana was down for 4 hours on January 4th, however, Solana.Status showed no problems with the network. The Solana blockchain suffered its third incident in just a few months, resulting in network congestion and failed transactions, with users debating whether it was caused by another DDos attack or just a network issue. Anatoly Yakovenko, co-founder of Solana Labs, denied there was a DDoS attack this time around.
Amount of loss: - Attack method: DDoS Attack
Description of the event: An attack occurred at Tinyman Pools on January 1 /2, algorand-based automated market maker (AMM) Tinyman tweeted. The attack exploits a previously unknown hole in the contract and allows the attacker to extract assets from a pool to which he has no access. So far, attacks have been executed on multiple pools, but not all of them have been attacked.
Amount of loss: $ 2,000,000 Attack method: Contract Vulnerability
Description of the event: Vesper Finance tweeted that its No. 23 lending pool Vesper Lend beta launched on the interest rate agreement Fuse has been attacked again. The attacker manipulated an oracle and depleted the beta test borrowing pool of DAI, ETH, WBTC, and USDC of approximately $1 million. This is not an attack on the Vesper contract, no VSP or VVSP is threatened. Vesper has banned the lending of all tokens in Beta Vesper Lend Rari Pool #23, and also switched the oracle from VUSD/USDC to VUSD/ETH (Uni v3). Prior to this, the Vesper Lend loan pool on Rari Fuse was attacked, and the attacker made a profit of 3 million US dollars.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: SashimiSwap was attacked due to a logic error in the swap function, and the attacker finally made a profit: 6,261.304 uni, 4,466,096 Sashimi and 63,762 usdt, nearly $200,000.
Amount of loss: $ 200,000 Attack method: Contract Vulnerability
Description of the event: On December 28th, according to Twitter user coby.eth, a fake MetaMask governance token was created and launched on the DEXTools platform. The creator of the token used malicious code to make users browse the token information, and a pop-up interface showed that the MASK Token was verified and displayed A forged platform verification mark (blue certification symbol) is displayed. coby.eth stated that after the transaction volume exceeded US$1 million, the token was transformed into a "Pixiu plate", and users could only buy but not sell. According to browser data, the total transaction volume of this "Pixiu Pan" MASK Token is close to 10 million U.S. dollars, with a total of 642 related transactions and close to 400 addresses.
Amount of loss: $ 10,000,000 Attack method: Scam
Description of the event: The assets of MetaSwap, a project on the BSC chain, were transferred. The total amount of stolen funds of 1100 BNB was transferred to the Tornado.cash wallet (BSC version), and the price of MGAS tokens fell by 46.99%. All official accounts related to Metaswap - including Twitter , Instagram and Medium - all deleted.
Amount of loss: 1,100 BNB Attack method: Rug Pull