1519 hack event(s)
Description of the event: A Rug Pull occurred at Kingfund Finance, with losses of over 300 WBNB. Upon inquiry, the project's official Twitter account has been cancelled.
Amount of loss: 300 WBNB Attack method: Rug Pull
Description of the event: @alxlpsc disclosed on Medium that MetaMask has a serious privacy leak. The vulnerability mainly relies on MetaMask automatically loading NFT image URLs. Basic attack idea: the attacker can set the URI of an NFT to a server URL that he controls and transfer the NFT to the target account; when the user logs in to MetaMask, MetaMask automatically scans the NFTs owned by the account and initiates an HTTP request to the attacker's server; the attacker can then obtain the victim's IP information from the access log.
Amount of loss: - Attack method: Information Leakage
Description of the event: According to Rugdoc, AFKSystem rugged all of their vaults for a combined profit of around $12 million. Although AFKSystem had severely cut back its governance authority, it still retained an important privilege: changing the routers that sell the harvested tokens.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: According to the Crypto.com investigation report, “On January 17, 2022, Crypto.com learned that a small number of users had made unauthorized withdrawals of cryptocurrencies on their accounts. Crypto.com immediately suspended all token withdrawals to initiate the investigation and worked 24/7 to resolve the issue. No clients suffered loss of funds. In most cases we blocked unauthorized withdrawals and in all other cases clients were fully reimbursed. The incident affected 483 Crypto.com users. Unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC and approximately $66,200 in other currencies.”
Amount of loss: $ 34,000,000 Attack method: Permission Stolen
Description of the event: The cross-chain bridge Multichain said that an important vulnerability affecting six tokens (WETH, PERI, OMT, WBNB, MATIC, and AVAX) was officially discovered. The vulnerability has now been successfully repaired, all users' assets are safe, and cross-chain transactions will not be affected. However, users who have authorized any of these six assets need to log in as soon as possible to revoke the authorization; otherwise the assets may be at risk. According to the official announcement on the 19th, because some users did not cancel the authorization in time, the stolen funds were about 445 WETH, worth about 1.43 million US dollars.
Amount of loss: 455 ETH Attack method: The validity of the parameter is not checked
Description of the event: Decentralized trading platform Crosswise was attacked in nearly an hour, losing about $879,000. The hacker exploited a publicly exposed privileged function, which was then used to set trustedForwarder and further hijack Crosswise's owner privileges. The stolen funds have now been transferred to Tornado Cash for mixing.
Amount of loss: $ 879,000 Attack method: Contract Vulnerability
Description of the event: There is a vulnerability in the Crypto Burger project, an NFT project on the BSC chain. "The attacker discovered a vulnerability related to the $BURG token contract, which managed to burn most of the tokens in the liquidity pool, while immediately liquidating the tokens it had previously acquired, from liquidity," the project said in a statement. $770,000 was stolen from the pool.
Amount of loss: $ 770,000 Attack method: Contract Vulnerability
Description of the event: White hat hackers at @immunefi discovered a critical vulnerability in the wxBTRFLY Token contract. The transferFrom function in the contract did not update the recipient's authorization correctly, and would incorrectly update the msg.sender's authorization. Although the vulnerability itself is serious, the cause is not complicated (more like a clerical error by the developer). What is more interesting is the official repair method. Since the contract does not support upgrades, the contract code could not be updated directly; and since the contract does not support suspension, it was not possible to transfer user assets by means of snapshot + migration. The final official measure was for the team itself to launch an attack transaction, transferring the assets of all users affected by the vulnerability to a multi-signature wallet.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: CityDAO, an Ethereum-based community blockchain city project, has posted that the CityDAO Discord administrator account has been hacked. Hackers used the stolen admin account to post fake land airdrop messages and stole 29.67 ETH ($95,000) in funds. The attacked administrator, "Lyons800," tweeted that the attack was a "ridiculous security breach from Discord."
Amount of loss: 29.67 ETH Attack method: Discord was hacked
Description of the event: The attackers withdrew approximately 350 ETH (equivalent to $1.1 million) from Float Protocol’s Rari Capital pool. The reason is that Uniswap V3 FLOAT/USDC oracles lack liquidity, which allows attackers to manipulate the price in the pool and then deposit at a higher interest rate. The hackers returned about $250,000 for some reason.
Amount of loss: 350 ETH Attack method: Price Manipulation
Description of the event: The creator of the NFT project Frosties absconded with the money, causing investors to lose more than $1 million. According to available information, there are 8,888 NFTs in the series with a floor price of 0.04 ETH, roughly over $120. Within an hour, all NFTs were sold, but instead of getting their assets, investors found that the project developers had cut off all communication with community members. Etherscan data shows that the developers have moved most of the funds from the OpenSea account to another wallet.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: 7 IDO projects on BSC are suspected of running away, namely $GOTEM (gotEM), $ONEP (HarmonyPad), $HBARP (HbarPad), $MPLAY (MetaPlay), $ELIT (Electrinity), $PEE (MicroPee) and $QDrop (QuizDrop). They swept away more than 5,744 WBNB, and the funds were transferred out through Tornado.Cash.
Amount of loss: 5744 BNB Attack method: Rug Pull
Description of the event: NFT marketplace LooksRare suffered a DDoS attack hours after its launch, resulting in a brief outage. Some users reported that they could not connect their wallets or list their NFTs. The LooksRare team quickly restored the site.
Amount of loss: - Attack method: DDoS Attack
Description of the event: Sports NFT platform Lympo suffered a hot wallet security breach, losing 165.2 million LMT tokens worth $18.7 million in the hack. Ten different project wallets were compromised in the attack. Price quotes show that LMT plummeted 92% to $0.0093 after the hackers moved and sold the loot from the project's hot wallet.
Amount of loss: $ 18,700,000 Attack method: Wallet Stolen
Description of the event: The LCX exchange tweeted that its technical team detected unauthorized access to the LCX platform. Nearly $8 million in crypto assets were stolen, and about 60% were frozen.
Amount of loss: $ 8,000,000 Attack method: Wallet Stolen
Description of the event: According to the block explorer, the last block of the Arbitrum One network was generated at 18:29 Beijing time, and no new blocks or transactions have been generated for more than 2 hours. At the same time, the MetaMask wallet cannot connect to the Arbitrum One network.
Amount of loss: - Attack method: Downtime
Description of the event: The digital asset service provider StoboxCompany was attacked by hackers and officially stated that its private key had been leaked; as a result, the token fell by 96.93%. StoboxCompany officially stated that the address of the deployer of Stobox tokens was hacked. Since the deployer address is the same on ETH and BSC, all reserve funds have been stolen or liquidated. Users are reminded to stop buying/selling, and the team will restore the STBU snapshot to the last transaction before the hacker attack.
Amount of loss: - Attack method: Private Key Leakage
Description of the event: A Rug Pull occurred in the DaoMetaland project on BSC, and the current loss exceeds 640 BNB. DaoMetaland's official Twitter has been deleted.
Amount of loss: 640 BNB Attack method: Rug Pull
Description of the event: NFT project Bored Bunny is suspected of being a Rug Pull project. Some netizens said that the 2,000 ETH raised have been transferred out, and some of them have been transferred to Binance. In addition, this address showed similar behavior 1-2 months ago, associated with 2 NFT items that almost went to zero. Currently, Bored Bunny's Discord has muted all members in all channels.
Amount of loss: 2,000 ETH Attack method: Rug Pull
Description of the event: Arbix Finance ran away, taking more than 10 million US dollars. Arbix Finance billed itself as an arbitrage project on BSC, where users can deposit funds in a single asset vault in order to "get the best return with low risk". Starting at around 3 am on January 4, the project siphoned users' funds from the treasury and deleted its websites, Twitter and Telegram accounts.
Amount of loss: $ 10,000,000 Attack method: Rug Pull