1208 hack event(s)
Description of the event: Atomic Loans issued a decision on vulnerability disclosure and suspension of new loan requests. The decision shows that the security researcher samczsun privately disclosed two vulnerabilities in the currently deployed contracts and lender agents. Both vulnerabilities would have allowed a malicious borrower to unlock part or all of their BTC collateral without repaying their loan in specific circumstances. Up to now, neither of these vulnerabilities has been exploited by any user, and no funds on the platform were impacted. Additionally, the platform has disabled the ability for any borrower or lender to participate in new loans until it launches v2.
Amount of loss: - Attack method: Unknown
Description of the event: The official Twitter account of the DeFi money market protocol DMM said that during the $DMG public sale today, its Telegram was unfortunately brigaded by malicious actors who impersonated the DMM Foundation with the sole intent of stealing funds. After digging through the on-chain transactions to find those affected, DMM sent a total of $40k worth of DMG to those affected at an exchange rate of $0.40 per DMG, hoping to make sure everyone who lost funds was made whole.
Amount of loss: $ 40,000 Attack method: Malicious hijacking
Description of the event: About $2.13 billion worth of cash is missing from one of Wirecard's trust accounts, and the crypto debit card provider cannot as yet account for the money. In a statement, the crypto debit card provider blamed "spurious" cash balances provided by a third party with the aim of deceiving the auditor, which discovered the scandal during a routine audit. Wirecard said it is investigating the matter in close cooperation with the auditor. The amount missing equals 25% of the funds on the company's balance sheet.
Amount of loss: $ 2,130,000,000 Attack method: Scam
Description of the event: Due to the unverified safeTransferFrom() function in the new Bancor Network contract, user funds were at risk of being drained. The Bancor team stated: 1. A security vulnerability was discovered in the new Bancor Network v0.6 contract released two days ago; 2. After the vulnerability was discovered, the team conducted a white hat attack to transfer funds to a secure address; 3. The audit of the smart contract has been completed. However, $135,229 was still front-run by two unknown arbitrage bots.
Amount of loss: $ 135,229 Attack method: Unknown
Description of the event: The new version of DeversiFi encountered a vulnerability less than a week after it was launched. The team said that it would be fixed as soon as possible. The vulnerability was triggered when a trader tried to submit an order larger than the limit; the order limit exists to guard against user error. The system then kept resubmitting the order, which was rejected each time, and this affected the processing of other orders.
Amount of loss: - Attack method: System design defect
Description of the event: 6Block technical staff found a serious vulnerability in the Filecoin code that allows unlimited issuance of Filecoin. 6Block stated that, to prove the vulnerability was real, its three miner accounts t01043, t027999, and t0234783 had used it to issue an additional 1.6 billion Filecoin, taking the top three places in the Filecoin rich list. The 6Block team independently discovered the vulnerability and reported it to the Filecoin team, and is currently actively assisting Filecoin in fixing it.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The LMEX Stock Exchange's community issued a notice on the adjustment of exchange operations, stating that the platform was hacked and lost 150,000 USDT, which caused the platform to have a low debt. Deposits and withdrawals have been closed.
Amount of loss: 150,000 USDT Attack method: Unknown
Description of the event: After about 48 hours of testing on both the Ethereum and Bitcoin mainnets, the Keep team decided to trigger the 10-day emergency deposit moratorium allowed by the TBTCSystem contract. The team found that deposits were being blocked when certain types of Bitcoin addresses were used for redemption. The decision to trigger the moratorium came after a major issue with the redemption flow of the contract that put open deposit signer deposits at risk of liquidation. The team summarizes as follows: 1. First, the Keep team failed to conduct more tests after the new commit was proposed. As a result, the team missed the opportunity to catch this issue during development. 2. During the dApp-based manual QA process, the Keep team did not verify whether a successful exchange in the UI resulted in a closed deposit on-chain. As a result, the team missed the opportunity to find issues during the manual QA process. 3. The Keep team did not adequately consider input validation at the entry point of redemption. This is one of the relatively few pieces of data in the system that is completely user-controlled, and should therefore be a top consideration for input validation. 4. The Keep team did not spend enough time generating Bitcoin test vectors for unit tests.
Amount of loss: - Attack method: Insufficient testing
Description of the event: Loopring had a serious front-end error: the private key material was restricted to the range of a 32-bit integer. Because each user's EdDSA key pair was effectively limited to a 32-bit space, an attacker could recover the EdDSA key pairs of all users by brute force. As a result, Loopring Exchange shut down for half a day for maintenance and upgrade.
Amount of loss: - Attack method: System design defect
Description of the event: According to the official news from Youbi Exchange, Youbi has encountered heavy network-traffic DDoS attacks for three consecutive days since the platform coin subscription was launched on May 06, which caused the server to be inaccessible for a short time.
Amount of loss: - Attack method: DDoS Attack
Description of the event: The official announcement of BitSG Exchange stated that its bitsg website and app suffered continuous DDoS attacks, resulting in the inability to log in normally during certain periods.
Amount of loss: - Attack method: DDoS Attack
Description of the event: An EOS gambling DApp suffered a fake EOS attack.
Amount of loss: 25,329.291 EOS Attack method: Fake EOS Vulnerability Attack
Description of the event: Hegic: There are 152.2 ETH (about 28,537 USD) permanently locked in the contract pool of unexercised put / call options. Out of the 19 contracts, 16 are put options (DAI is locked) and 3 are call options (ETH is locked). Hegic said it will process a 100% refund for all involved users.
Amount of loss: $28,537 Attack method: Unknown
Description of the event: DeFi lending protocol Lendf.Me was hacked.
Amount of loss: $24,696,616 Attack method: ERC777 Reentrancy Attack
Description of the event: The attacker used a reentrancy attack to steal funds (containing approximately 1,278 ETH) from Uniswap's ETH-imBTC liquidity pool.
Amount of loss: 1,278 ETH Attack method: ERC777 Reentrancy Attack
Description of the event: Hacker Exploits Flaw in Decentralized Bitcoin Exchange Bisq to Steal $250K.
Amount of loss: $ 250,000 Attack method: Defects in the transaction agreement
Description of the event: Cocos-BCX has verified with the exchange, conducted internal investigations and concluded that asset loss and malicious selling that occurred are due to the malicious theft of the mapping wallet information. After verifying and confirming with the exchange, the total amount of stolen tokens this time was 1,087,522,819.2 COCOS, and the exchange confirmed that this total amount has been sold.
Amount of loss: 1,087,522,819.2 COCOS Attack method: Wallet Stolen
Description of the event: An attacker created malicious Ledger Chrome extensions and tricked users into downloading them through Google search ads and other methods in order to steal users' cryptocurrency. So far, at least 1.4 million XRP are known to have been stolen.
Amount of loss: 1,400,000 XRP Attack method: Phishing attack
Description of the event: Due to congestion on Ethereum, gas prices soared, and liquidated ETH was sold at a price of 0 US dollars through a loophole in the MakerDAO auction.
Amount of loss: $ 7,900,000 Attack method: Liquidation Mechanism Flaw
Description of the event: The crypto fund Trident Crypto Fund was hacked and the data of 266,000 users was leaked. The database containing email addresses, mobile numbers, encrypted passwords and IP addresses was uploaded to various file-sharing sites on February 20.
Amount of loss: - Attack method: Information Leakage