1509 hack event(s)
Description of the event: DeFi Derivatives Agreement dYdX released an investigation report on the deposit contract accident on November 27, stating that there has been a serious loophole in the agent smart contract that has been handling deposits to the dYdX exchange since November 24. At around 12:00 UTC on the 27th, dYdX The team performed a white hat hacking operation to save vulnerable user funds, totaling approximately US$2 million. These funds are sent to a non-custodial escrow contract, and only the original owner of these funds can retrieve them. However, when the dYdX team performed the white hat hacking operation, an estimated $211,000 of funds was used by the MEV robot, and the user has now been fully compensated.
Amount of loss: $ 211,000 Attack method: Contract Vulnerability
Description of the event: SnowdogDAO, an Avalanche-based decentralized reserve memecoin, suffered a severe failure yesterday after only 8 days of operation. Snowdog created its own AMM based on Uniswap V2 to move all SDOG liquidity from DEX Avalanche Trader Joe. However, the redemption failed miserably within seconds of launch, with hundreds of users losing most of their funds.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: Optics Bridge was attacked and ownership of the multi-signature wallet was transferred. cLabs engineer Tim Moreton said that the multi-signature permission of Optics, a cross-chain communication protocol on Celo, was replaced because someone activated the Optics recovery mode (recovery mode) on the Ethereum GovernanceRouter contract, which caused the recovery account to take over the Optics protocol and overwrite it. The original multi-signature permissions. Tim Moreton said that he believes that the funds on the current cross-chain bridge are not risky. Tim Moreton also said that the situation occurred within 15 minutes after cLabs expelled James Prestwich. The team is currently contacting James Prestwich to find a solution. The team is currently working to exit the recovery mode and restore the community's multi-signature governance. James Prestwich responded on Twitter that he had never had the right to activate the recovery mode and expressed regret for cLabs and Celo's damage to his reputation.
Amount of loss: - Attack method: Multi-signature permission vulnerability
Description of the event: Ploutoz Finance, the BSC loan agreement, was attacked. Hackers made a profit of 365,000 US dollars, and the agreement suffered even greater losses. The hacker manipulated the oracle price of DOP tokens and used DOP as collateral to lend assets such as CAKE, ETH, BTCB, etc. After that, the hackers used ParaSwap and PancakeSwap to trade for BNB and then transferred to Tornado.Cash.
Amount of loss: $ 365,000 Attack method: Price Manipulation
Description of the event: The administrator of OlympusDAO, a new algorithmic stablecoin protocol based on Ethereum, said on Discord, the administrator of Discord said that yesterday, someone bonds OHM/DAI bonds that are considered to be closed so that they can get a large discount and receive 1,697 OHM (over 1.4 million U.S. dollars) instead of 59 OHM (approximately US$50,000). After OlympusDAO discovered this incident, it immediately closed the bond contract.
Amount of loss: 1,697 OHM Attack method: Contract Vulnerability
Description of the event: DeFi protocol Formation.Fi was attacked by flash loans. The main reason for this incident is that the project party underestimated the impact of fee on totalTokens when designing the function swapIn, and ignored the impact of decimal point accuracy between different tokens.
Amount of loss: $ 100,000 Attack method: Flash Loan Attack
Description of the event: According to blockchain game developer Animoca Brands, on November 19, hackers successfully accessed the Discord account of the science fiction NFT game Phantom Galaxies and took over its server. The hacker subsequently issued a fraudulent statement claiming that the game was launching an NFT minting activity. The hacker directs the user to a website, charges the user 0.1 ETH, and then sends the funds to the hacker's Ethereum address. A total of 265 sent ETH, about 1.1 million US dollars. Animoca Brands pointed out that there is no evidence that smart contracts have been breached, and no funds have been stolen from the game or its developers or publishers.
Amount of loss: 265 ETH Attack method: Discord was hacked
Description of the event: The Nerve cross-chain bridge MetaPool was attacked. This attack was an exploit of the logical vulnerabilities of fUSDT and UST MetaPool on the Nerve cross-chain bridge BSC, causing the fUSDT and UST liquidity in the Nerve staking pool to be exhausted, and the attacker made a profit of about 900 BNB . The attacked contract code Fork is from Saddle.Finance.
Amount of loss: 900 BNB Attack method: Logic Vulnerability
Description of the event: The stablecoin transaction protocol Curve caused losses to users who provided USDM liquidity due to the "governance attack" of the USDM stablecoin protocol Mochi. At present, Curve has dealt with urgently to avoid a wider range of losses. Previously, the Mochi project party purchased Convex's CVX tokens, voted to increase the USDM pool rewards to increase the liquidity of USDM and other assets, and then converted a large amount of USDM tokens owned by the project party into DAI after the liquidity increased. The team A total of 46 million USDM was exchanged for DAI. Based on the USDM to DAI exchange rate, the user loss that provides USDM liquidity to other stablecoins may be close to 30-40 million U.S. dollars.
Amount of loss: $ 30,000,000 Attack method: Governance Attack
Description of the event: According to a report from BleepingComputer on November 10, the electronic retail giant MediaMarkt suffered a ransomware attack. This attack affected many MediaMarkt retail stores throughout Europe, especially those in the Netherlands. The attacker initially asked for a ransom of 240 million US dollars. It was dropped to 50 million U.S. dollars and demanded to be paid in Bitcoin. According to the company later, customer data is "completely secure." The company's stores are now also reopening for exchanges, returns, and repair orders.
Amount of loss: - Attack method: Ransomware
Description of the event: Robinhood, a stock and cryptocurrency trading platform, stated that on the evening of November 3, an intruder entered the company’s system and stole the personal information of millions of users. The full names of the users, the names of about 310 users, the date of birth and postal code were leaked, and the more detailed account information of about 10 users was leaked. The intruder demanded blackmail for payment. The company notified law enforcement and continued to investigate the incident with the help of the external security company Mandiant. Robinhood stated that the attack had been contained. Robinhood believed that it did not expose social security numbers, bank account numbers or debit card numbers, and did not cause any economic losses to customers due to the incident.
Amount of loss: - Attack method: Information Leakage
Description of the event: According to reports, a currency stolen event occurred in Farmers World, a farm-type game on the WAX chain, and the amount may exceed 100 million yuan. Some players have found that the game shows "Insufficient RAM" prompts, which cannot be solved even after adding WAXP. According to the official Discord discussion information: Neither the project smart contract nor the WAX wallet has vulnerabilities, but the address where the user pledged WAXP is not the official address of the game. It may be that the game "plug-in" script changed the user pledge address, causing the user to be unable to obtain RAM resources.
Amount of loss: $ 15,700,000 Attack method: Malicious Code Injection Attack
Description of the event: The asset cross-chain bridge launched by the cross-chain protocol Synapse Protocol is suspected to have loopholes, and the attacker manipulated the virtual price of nUSD Metapool, reducing it by about 12.5%. Ultimately, although the funds were withdrawn from the metapool itself, the funds were not lost. When the validator is offline, the address that took the funds from the LP tries to move the funds through the bridge, so the transaction has not yet been processed. However, the validators unanimously decided not to process this transaction because it was malicious to the LP and the entire network: as a result, ~$8.2 million in nUSD was not minted to the attacker's address on the target chain. The nUSD will be returned to the affected Avalanche LPs instead.
Amount of loss: - Attack method: Price Manipulation
Description of the event: The margin trading lending platform bZx tweeted that the private keys controlling Polygon and Binance Smart Chain (BSC) deployment appeared to have been leaked, resulting in a loss of funds. The bZx smart contract itself was not compromised, and the deployment, governance and DAO vault of Ethereum were not affected by this incident.
Amount of loss: $ 55,040,167 Attack method: Private Key Leakage
Description of the event: According to official sources, the No. 23 loan pool VesperLendbeta on the DeFi protocol RariFuse was attacked. The attacker consumed a large amount of VUSD liquidity in Uniswapv3, and created a VUSD/USDC liquidity pool to manipulate the oracle VUSD price feed function and raise the VUSD price. After lending a large amount of assets on VesperLend, the final profit was 3 million US dollars. At present, Vesper has officially suspended the borrowing of the functions of VUSD and vVSP on the RariFuse platform, and is working closely with Rari, Year and Uniswap to investigate the full impact of the attack. The investigation results and response measures will be updated in the future.
Amount of loss: $ 3,000,000 Attack method: Oracle Attack
Description of the event: Chivo Wallet is a national digital wallet issued by the government of El Salvador on September 7 for the implementation of the Bitcoin Act. To this end, El Salvador promised that users who download and authenticate the Chivo Wallet will receive a $30 bitcoin reward. This move allowed the official wallet of El Salvador to exceed 2 million users in one month. Between October 9th and October 14th, Cristosal, a human rights organization in El Salvador, received 755 notices about Salvadorans reporting that their Chivo wallet identity was stolen.
Amount of loss: $ 22,650 Attack method: Wallet Stolen
Description of the event: According to reports, the BSC project SQUID, which has the same name as the popular Korean drama "Squid Game", is suspected of running off or being attacked, with an estimated loss of 12 million USDT. According to the data, the official website of the project party cannot be opened at present; all the tokens in the current Pancake pledge pool have been transferred to the address: 0x71D934Aa2119CA3995F702f075d540f7A6b0f728 through two transactions. The hash value of one of the transactions on the BSC is: 0xf7c9d0e5a81999f9e06fe78df7ce41da112d8bd4f2da7b16cfdbbe46c92cb6af. The address for initiating the token withdrawal transaction is 0x614826D885FF973324a5C3f43369d7C413a88aea. In addition, traders from the address 0x1f5eabba9c56bca4a7828969b79bc87051125b31 sold SQUID tokens to transfer the BNB in the trading pair in Pancake to: 0x71D934Aa2119CA3995F702f075d540f7A6b0f728. The source of the initial gas required for the above transactions comes from the currency mixing application Tornado.Cash.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: The decentralized transaction protocol BXH tweeted that the assets of the protocol on the Binance Smart Chain (BSC) chain were hacked.
Amount of loss: $ 139,195,315 Attack method: Private Key Leakage
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain was attacked by hackers in a series of transactions, and the hackers made a profit of US$2 million (the protocol loss may be even greater). Previously, AutoShark was attacked by a flash loan in May, and the currency price crashed. AutoShark responded that it would issue a new token, JAWS, to compensate damaged users. Since then, AutoShark was attacked by lightning loan again in early October, and hackers made a profit of approximately US$580,000.
Amount of loss: $ 2,000,000 Attack method: Flash loan attack
Description of the event: According to Etherscan data, the OHM imitation project AnubisDAO, which was launched at Copper Launch, withdrew its liquidity pool one day after it went online. It is suspected that the volume of money went off the road. A total of more than 13,556 ETH were transferred to the address @0x9fc, worth about 58.3 million U.S. dollars. Jayson, the founding partner of PFR Capital, pointed out that AnubisDAO is just a Twitter account that was only registered a few days ago. There is no website, white paper, medium, and no products.
Amount of loss: 13,556 ETH Attack method: Rug Pull