1458 hack event(s)
Description of the event: Pinecone launched the pledge pool of protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 AM UTC. When the Pinecone PCT pledge pool went online, the front-end was processed to limit illegal operations, but the hacker bypassed the front-end page during the attack and directly called the smart contract through the ordinary account, depositing PCT tokens greater than the amount of the account balance, and the PCT pool was wrong. Records the number of user deposits. When withdrawing, you can extract more PCT tokens. After discovering that the currency price had plunged, the project party immediately terminated the call of the smart contract. The current loss of the number of PCTs: about 3.53 million.
Amount of loss: 3,530,000 PCT Attack method: Compatibility Issue
Description of the event: Solana Ecological Lending Agreement Solend tweeted that the agreement was hacked at 20:40 on August 19th, Beijing time. The attacker cracked the insecure identity check in the UpdateReserveConfig function, allowing it to liquidate all accounts. In addition, the hacker also set the APY of borrowed funds to 250%. During this period, the funds of 5 users were mistakenly liquidated, and the liquidator is currently refunding the losses of these 5 users totaling USD 16,000. Solend said that this attack did not result in the theft of funds, and that the scale of the bug bounty will be increased and a better monitoring and alarm system will be established.
Amount of loss: $ 16,000 Attack method: Contract Vulnerability
Description of the event: On August 17, the DeFi project XSURGE on BSC suffered a lightning loan attack. On August 16, local time, XSURGE officially issued a statement about the SurgeBNB vulnerability before the attack. Since the SurgeBNB contract cannot be changed and has been abandoned, the vulnerability cannot be patched. XSURGE said that it did not disclose any specific details about the nature of this vulnerability, but strongly recommends that users migrate out of SurgereBnb as soon as possible. The vulnerability may be triggered by an attacker at any time. After the announcement, XSURGE was subsequently attacked, and the attacker stole $5 million from SurgeBNB.
Amount of loss: $ 5,000,000 Attack method: Flash loan attack
Description of the event: The NEAR ecological decentralized exchange Ref.Finance team tweeted that at around 2 pm UTC on August 14th, the Ref team noticed the abnormal behavior of the REF-NEAR trading pair, and then discovered that the patch of the recently deployed contract An error, which has been exploited by multiple users, affected approximately 1 million REFs and 580,000 NEARs.
Amount of loss: $ 3,202,539 Attack method: Fix bug
Description of the event: According to Reuters, a High Court judge in London granted artificial intelligence firm Fetch.ai’s request, ordering Binance to track down the hackers who stole $2.6 million in assets from Fetch.ai’s Binance account and freeze the stolen assets. Fetch.ai, founded in the U.K. and Singapore to develop artificial intelligence projects for blockchain databases, claims fraudsters hacked into their cryptocurrency accounts on the Binance exchange on June 6. A Binance spokesperson said that to protect users’ property, Binance regularly freezes accounts identified as having suspicious activity.
Amount of loss: $ 2,600,000 Attack method: Hacked account
Description of the event: The Neko Network, a lending protocol on the Binance Smart Chain (BSC), was attacked. The attacker used vulnerabilities in the protocol to mortgage assets in the name of the user and sent the borrowed funds directly to the attacker’s own address. All asset pools on the Neko Network have been frozen to avoid changes. Multiple attacks occur. Due to the setting of the time lock, it takes 24 hours to develop the fund pool and allow users to raise funds in the pool. Neko Network is a product developed by the Zero Coupon Money Market Protocol Maze Protocol team.
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
Description of the event: DAO Maker issued an announcement stating that at around 1:00 UTC on August 12th, hackers maliciously used a DAO Maker wallet and obtained administrator rights. After initially testing this vulnerability and successfully stealing 10,000 USDC, the cybercriminal made another 15 transactions quietly. In this way, hackers embezzled approximately $7 million before the security team was able to track, control, and prevent the outflow of funds. A total of 5,251 users were affected, and each user lost an average of $1250. Fortunately, users who hold up to $900 in funds are not affected at all.
Amount of loss: $ 7,000,000 Attack method: Private Key Leaked
Description of the event: Punk Protocol, the decentralized annuity protocol, stated that it encountered an attack during the fair launch process, causing a loss of 8.9 million US dollars. Later, the team recovered another 4.95 million US dollars and transferred it to a secure wallet. The Punk Protocol team stated that the attacker found a critical loophole in the investment strategy and extracted more than 8.9 million U.S. dollars of three stable currency assets (USDC, USDT, DAI) from the Forge-CompoundModel module, but a white hat hacker noticed The attacker's intent was reached, so a transaction was executed, which was able to recover $4.95 million. The lost funds have been transferred to the Ethereum currency mixing platform Tornado.cash, so it is difficult to keep track of them.
Amount of loss: $ 3,950,000 Attack method: Contract Vulnerability
Description of the event: Poly Network, a cross-chain interoperability protocol, said it was attacked, and a total of more than 610 million US dollars were transferred to 3 addresses. Among them, the funds transferred to Binance smart chain addresses starting with 0x0D6e2 exceeded 250 million US dollars, and they were transferred to the ether starting with 0xC8a65. There are over 270 million U.S. dollars in workshop addresses, and over 85 million U.S. dollars in transfers to Polygon addresses. Affected by this, the large amount of assets in the O3 Swap cross-chain pool was transferred out, and the official is investigating.With the efforts of many parties, the hackers have now returned tokens worth 342 million U.S. dollars.
Amount of loss: $ 613,062,100.7 Attack method: Permission Stolen
Description of the event: BachOnChain, a core member of Duet Protocol, a multi-chain synthetic asset protocol, tweeted that the Duet Protocol pioneer network Zerogoki experienced an oracle attack a few hours ago, and the wrong price led to unrecognized transactions. BachOnChain said that the oracle has been suspended, zUSD has experienced certain fluctuations, and it is expected that the price will resume in market trading and arbitrage after a period of time.
Amount of loss: $ 670,000 Attack method: Oracle attack
Description of the event: Wault Finance on the BSC chain was attacked, and the attacker made a profit of 930,000 US dollars. Attackers due to design flaws in the economic model can carry out arbitrage attacks on the pool of WaultSwapPair (BSC_USDT-WEX).
Amount of loss: $ 930,000 Attack method: Flash loan attack
Description of the event: Some Twitter users reported receiving a token airdrop named VERA (The Vera) project, but the tokens in the wallet were stolen after the official website was authorized. After inquiry, it was found that the project was suspected to be an airdrop trap. The specific method was to airdrop 80,000 tokens (worth approximately US$9,600) through a single address to attract user attention, and set up a mechanism to allow users to fail transactions on Pancakeswap, which in turn led users to the official website to cheat. Authorize the implementation of theft.
Amount of loss: - Attack method: Scam
Description of the event: Popsicle Finance, a multi-chain revenue optimization platform, was attacked. The core of this vulnerability is that the same PLP certificate can bring benefits to multiple holders at the same time node due to the defect in the reward update record.
Amount of loss: $ 20,000,000 Attack method: Reward Mechanism Flaw
Description of the event: Starting at around 23:45 on August 3, Beijing time, BSV suffered a “large-scale” 51% attack, resulting in the simultaneous mining of three versions of the chain.
Amount of loss: - Attack method: 51% attack
Description of the event: A crook named "cryptopunksbot" was published on CryptoPunk's Discord server, providing NFT investors with the opportunity to win ten elusive NFT avatars. Stazie, the co-founder of the NFT game project Hedgie, accepted the false offer poster, but this move eventually cost him 16 CryptoPunks, which may be worth at least $1 million. Stazie inadvertently sent the wallet seed phrase to the scammer, resulting in the loss of some ETH. The scammer sold 5 CryptoPunks for 149 ETH ($385,000).
Amount of loss: $ 1,000,000 Attack method: Phishing attack
Description of the event: Levyathan, the encryption index protocol on the BSC chain, was attacked. According to the official event update, the hacker minted 100,000,000,000,000,000,0 billion LEV tokens, which caused the price of LEV to return to zero. The loss of this attack was approximately USD 1.5 million. The official attributed the accident to the leak of the developer's private key.
Amount of loss: $ 1,500,000 Attack method: Private Key Leakage
Description of the event: The profit farming agreement PolyYeld Finance was attacked. The project contract was used to mint 4.9 trillion YELD tokens and dump them in the secondary market.
Amount of loss: 4,900,000,000,000 YELD Attack method: Compatibility Issue
Description of the event: THORChain (RUNE), a decentralized cross-chain transaction protocol, claims that hackers airdrop UniH tokens to Ethereum addresses as bait to steal RUNE tokens in users' wallets. Hackers have airdropped UniH tokens with malicious contracts to at least 76,000 Ethereum addresses. Once receiving users sell their newly received UniH tokens (or even just approve the sale) on decentralized trading platforms such as Uniswap, the hackers will They can steal any RUNE tokens they have in their wallets. This is because the RUNE token uses a non-standard token contract called "tx.origin". According to Thorchain’s RUNE token contract code “Beware of phishing contracts that may steal tokens by intercepting tx.origin”, it knows that this type of attack may occur. In just a few hours, hackers have stolen USD 76,000 worth of tokens. currency.
Amount of loss: $ 76,000 Attack method: Phishing attack
Description of the event: THORChain (RUNE), a decentralized cross-chain transaction protocol, said it was attacked again, and many ERC20 tokens including XRUNE were affected. This attack targeted ETH routing and lost 8 million U.S. dollars. The attacker "intentionally limited the impact of the attack, which seems to be done by a white hat."
Amount of loss: $ 8,000,000 Attack method: Logic Vulnerability
Description of the event: Using the mechanism of deflation token KEANU to attack the reward vulnerabilities in the Memestake contract deployed by Sanshu Inu, the attacker finally made a profit of about 56 ETH.
Amount of loss: 56 ETH Attack method: Reward Mechanism Flaw