1508 hack event(s)
Description of the event: Iconics, an NFT project on Solana, was accused of being a rug pull. The 17-year-old artist behind Iconics made about $140,000 before disappearing, and the project's developers deleted the Iconics Twitter account and disabled chat in its Discord server.
Amount of loss: $ 140,000 Attack method: Rug Pull
Description of the event: Compound, a decentralized lending protocol, confirmed on Twitter that after Proposal 062 was executed, the protocol's liquidity mining began distributing COMP tokens abnormally. Compound Labs and community members are investigating. Compound said that no supplied or borrowed funds were found to be at risk. Compound founder Robert Leshner said the problem appeared to be an error in how Proposal 062 initially set the COMP distribution rate, which caused too much COMP to be distributed; however, any change to the affected code must go through governance, which takes at least 7 days.
Amount of loss: $ 80,000,000 Attack method: Contract Vulnerability
Description of the event: The non-custodial exchange DeversiFi released a post-mortem on the earlier transaction that paid 7,676.62 ETH in gas. It attributed the fee to a potential problem in the EthereumJS library which, in some cases, combined with the gas-fee changes introduced by the EIP-1559 upgrade and with a possible display issue in the Ledger hardware wallet to produce an extremely high transaction fee. When this happens, only wallets holding very large balances are affected; for other users the transaction simply fails. After Bitfinex negotiated with the miners, 7,626 ETH was returned and the remaining 50 ETH was left to the miners as a fee. It had previously been reported that a large Bitfinex wallet made a $100,000 USDT transfer while paying 7,676.62 ETH (about US$23.54 million) in gas; the recipient was DeversiFi, a non-custodial exchange spun off from Bitfinex in 2019.
Amount of loss: 50.62 ETH Attack method: Library defect in handling fixed-precision and extended-range values
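The DeversiFi entry says the runaway fee only hits wallets with a very large balance, because a node checks that the sender can cover value plus gas limit times max fee, and nothing else stops a mis-scaled fee field from being mined. The following is an added example, not DeversiFi's, Bitfinex's or EthereumJS's code: it computes the EIP-1559 worst-case and effective fees and runs the client-side sanity check a wallet should apply before signing. The transaction is constructed to reproduce the entry's figures (a token transfer, so value is 0, with a 7,676.62 ETH worst-case fee); the gas limit, fee fields, base fee, fee cap and wallet balances are assumptions.

```python
"""Pre-signing sanity check for EIP-1559 fee fields.

Added example for the DeversiFi entry; not DeversiFi's, Bitfinex's or
EthereumJS's code.  All amounts are in wei.  RUNAWAY_TX is constructed to
match the entry's numbers; gas limit, fee fields, base fee, fee cap and wallet
balances are assumptions chosen for illustration.
"""
from dataclasses import dataclass

GWEI = 10**9
ETH = 10**18


@dataclass(frozen=True)
class Tx1559:
    value: int                     # wei sent to the recipient (0 for a token transfer)
    gas_limit: int
    max_fee_per_gas: int           # wei per gas, absolute cap the sender accepts
    max_priority_fee_per_gas: int  # wei per gas offered to the block producer


def worst_case_fee(tx: Tx1559) -> int:
    """The most the sender can be charged; a node requires the balance to cover it."""
    return tx.gas_limit * tx.max_fee_per_gas


def required_balance(tx: Tx1559) -> int:
    return tx.value + worst_case_fee(tx)


def effective_gas_price(tx: Tx1559, base_fee: int) -> int:
    """EIP-1559 pricing: base fee plus tip, but never above max_fee_per_gas."""
    if tx.max_fee_per_gas < base_fee:
        raise ValueError("max_fee_per_gas below current base fee")
    return min(tx.max_fee_per_gas, base_fee + tx.max_priority_fee_per_gas)


def actual_fee(tx: Tx1559, base_fee: int) -> int:
    return tx.gas_limit * effective_gas_price(tx, base_fee)


def precheck(tx: Tx1559, balance: int, fee_cap: int = 1 * ETH) -> list:
    """Problems a wallet should raise before asking the user (or a hardware
    wallet) to sign.  A node only enforces the balance rule; the fee cap is a
    client-side guard so a mis-scaled fee field is caught instead of mined."""
    problems = []
    fee = worst_case_fee(tx)
    if required_balance(tx) > balance:
        problems.append("insufficient balance: node would reject the tx")
    if fee > fee_cap:
        problems.append(f"worst-case fee {fee / ETH:.2f} ETH exceeds cap {fee_cap / ETH:.2f} ETH")
    if tx.max_priority_fee_per_gas > tx.max_fee_per_gas:
        problems.append("priority fee exceeds max fee")
    return problems


# Constructed transaction matching the entry's figures: 100_000 gas (assumed)
# at 76,766,200 gwei per gas gives a 7,676.62 ETH worst-case fee.  The tip is
# set equal to the max fee so the whole cap is actually paid.
RUNAWAY_TX = Tx1559(
    value=0,
    gas_limit=100_000,
    max_fee_per_gas=76_766_200 * GWEI,
    max_priority_fee_per_gas=76_766_200 * GWEI,
)

if __name__ == "__main__":
    print("worst case:", worst_case_fee(RUNAWAY_TX) / ETH, "ETH")
    print("small wallet:", precheck(RUNAWAY_TX, balance=10 * ETH))
    print("large wallet:", precheck(RUNAWAY_TX, balance=30_000 * ETH))
```

With a 10 ETH balance the node itself rejects the transaction (the entry's "other users will see the transaction fail"); with a 30,000 ETH balance only the client-side fee cap stands between the user and the miner, which is why the check belongs in the signing path and not only in the node.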
Description of the event: The Bitcoin.org website displayed a fake "giveaway to the community" message and is suspected to have been hacked. The homepage showed a Bitcoin address and claimed that the first 10,000 users to pay to it would receive double the amount back. Cobra, co-owner of Bitcoin.org, tweeted that the site had been hacked and that they were investigating how the attackers had placed the scam on the site; operations were expected to be suspended for a few days. According to reports, the attackers took more than US$17,000.
Amount of loss: $ 17,000 Attack method: Malicious Code Injection Attack
Description of the event: The cross-chain protocol pNetwork released an analysis of the earlier attack in which 277 BTC were stolen. At 17:20 UTC on September 19, 2021, the pNetwork system was attacked by hackers who targeted multiple pToken bridges, including pBTC-on-BSC, TLOS-on-BSC, PNT-on-BSC, pBTC-on-ETH, TLOS-on-ETH and pSAFEMOON-on-ETH. The attack succeeded only against the pBTC-on-BSC bridge, from whose collateral 277 BTC were stolen. The other pToken bridges were not affected and their funds are safe.
Amount of loss: 277 BTC Attack method: Contract Vulnerability
Description of the event: The lending protocol Vee.Finance officially released an explanation of the attack, as follows: On September 20, the Vee.Finance team noticed multiple abnormal transfers. Further monitoring showed that a total of 8,804.7 ETH and 213.93 BTC had been stolen (worth more than US$35 million in total). The attacker's address is 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA. The investigation indicates that the attacker launched the attack from this address and holds the stolen assets there. To protect other users' assets, the team has paused the platform contracts and suspended deposits and withdrawals. The stablecoin part of the platform was not affected by this attack.
Amount of loss: $ 35,000,000 Attack method: Contract Vulnerability
Description of the event: The DONA token auction run by the Jay Pegs Auto Mart project on MISO, SushiSwap's launchpad platform, was attacked. The attacker injected malicious code into the MISO front end and replaced the auction wallet address with his own, diverting 865 ETH (about US$3.07 million). Joseph Delong, CTO of SushiSwap, said on Twitter that the vulnerability had been fixed and that FTX and Binance had been asked to provide the attacker's KYC information, but both exchanges declined to cooperate. Delong also said he had reported the case to the FBI through his lawyer and urged other projects to check for similar front-end vulnerabilities. According to the Ethereum block explorer Etherscan, the attacker returned all of the ETH to SushiSwap in three transactions: 100 ETH, then 700 ETH, then 65 ETH.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Defibox discovered abnormal swaps in the EOS-EMOON trading pair at 22:00 on September 16. After an emergency investigation, the Swap contract was paused at 0:00 on September 17 and reopened on the morning of September 17 once an audit and the required multi-signature approvals had been completed. The abnormal swaps were caused by an incompatibility between the Defibox Swap contract and the EMOON token contract. Before the incident the pool held 482,636,464,535,179.88 EMOON / 4,866.1494 EOS; when the contract was paused it held 5,790,970,803,030.11 EMOON / 3.4553 EOS, a loss of about 4,863 EOS. The Defibox team has since eliminated this class of risk from other tokens with a burn mechanism and upgraded the Swap contract to further improve its security. The Defibox Foundation will activate its risk reserve and pay 4,863 EOS to the EMOON community.
Amount of loss: 4,863 EOS Attack method: Compatibility Issue
Description of the event: The privacy-focused public chain Secret Network said on Twitter that its mainnet had undergone an unplanned upgrade from secret-2 to secret-3 to prevent a serious network security issue from causing financial losses. The team said that neither the native token SCRT nor the cross-chain bridge contract was affected; only a single smart contract, belonging to SecretSwap, was affected. A vulnerability in it was exploited, allowing the attacker to take the funds staked in the SEFI contract. At present the cross-chain bridge remains closed, and deposits to the exchange are also closed.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Nowswap, a decentralized exchange on Ethereum, suffered a flash-loan attack in which the attacker emptied its liquidity pool, reducing it from US$1,069,197 to US$24.15. The attacker profited 536,000 USDT and 158 WETH, more than US$1 million in total. The attacker exploited a K-value verification vulnerability in the Nowswap USDT/WETH pair contract: because the pair's check of the constant-product invariant K after a swap was flawed, each of a series of swaps returned many times the assets actually due, until the pool was exhausted.
Amount of loss: $ 1,000,000 Attack method: K value verification vulnerability
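The Nowswap entry describes the core AMM failure mode: if the pair contract does not verify after each swap that the fee-adjusted product of reserves has not decreased, a caller can ask for more output than the input is worth and repeat until the pool is empty. The following is an added example, not Nowswap's code, modelling a constant-product pool with the check missing and with it present, and an attacker loop that requests a multiple of the fair output each round. The reserves, fee and attacker parameters are hypothetical.

```python
"""Constant-product pool: why the post-swap K check matters.

Added example for the Nowswap entry; not Nowswap's code.  Reserves, fee and
attacker parameters are hypothetical.  It shows the bug class only: a swap
that skips the fee-adjusted x*y >= k check after the trade lets the caller
take out more token1 than the input is worth, round after round.
"""
from dataclasses import dataclass

BPS = 10_000
FEE_BPS = 30            # assumed 0.3 % swap fee


@dataclass
class Pool:
    reserve0: int       # token0 units (think USDT)
    reserve1: int       # token1 units (think WETH)


def fair_out(pool: Pool, amount0_in: int) -> int:
    """Largest token1 output for amount0_in that keeps the invariant
    (the Uniswap-v2 getAmountOut formula, integer arithmetic)."""
    in_fee = amount0_in * (BPS - FEE_BPS)
    return in_fee * pool.reserve1 // (pool.reserve0 * BPS + in_fee)


def swap_unchecked(pool: Pool, amount0_in: int, amount1_out: int) -> int:
    """Vulnerable: pays out whatever the caller asks for as long as the pool
    physically has it.  Nothing ties amount1_out to amount0_in."""
    if amount1_out >= pool.reserve1:
        raise ValueError("insufficient liquidity")
    pool.reserve0 += amount0_in
    pool.reserve1 -= amount1_out
    return amount1_out


def swap_checked(pool: Pool, amount0_in: int, amount1_out: int) -> int:
    """Hardened: same interface, but reverts unless the fee-adjusted product of
    the new reserves is at least the product before the swap."""
    if amount1_out >= pool.reserve1:
        raise ValueError("insufficient liquidity")
    k_before = pool.reserve0 * pool.reserve1
    new0 = pool.reserve0 + amount0_in
    new1 = pool.reserve1 - amount1_out
    adj0 = new0 * BPS - amount0_in * FEE_BPS   # charge the fee on the input side
    adj1 = new1 * BPS
    if adj0 * adj1 < k_before * BPS * BPS:
        raise ValueError("K invariant violated")
    pool.reserve0, pool.reserve1 = new0, new1
    return amount1_out


def drain(pool: Pool, swap, amount0_in: int, greed: int, max_rounds: int) -> int:
    """Attacker loop: every round asks for `greed` times the fair output.
    Returns total token1 extracted; stops at the first revert."""
    total = 0
    for _ in range(max_rounds):
        want = min(fair_out(pool, amount0_in) * greed, pool.reserve1 - 1)
        try:
            total += swap(pool, amount0_in, want)
        except ValueError:
            break
    return total


if __name__ == "__main__":
    print("unchecked pool lost", drain(Pool(1_000_000, 500), swap_unchecked, 10_000, 5, 100), "token1")
    print("checked pool lost", drain(Pool(1_000_000, 500), swap_checked, 10_000, 5, 100), "token1")
```

The attacker loop never needs a flash loan to demonstrate the bug; the loan only scales the per-round input. Note that the hardened check is a pure function of the reserves before and after the trade, which is why it is robust regardless of how the output amount was computed by the caller.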
Description of the event: Arbitrum One, an Ethereum scaling network, released a report on a network outage. Beginning at 10:14 EST on September 14, Arbitrum One was out of service for 45 minutes, during which the Arbitrum Sequencer was offline; funds were never at risk. The root cause was a bug that caused the Sequencer to get stuck when it received a large number of transactions in a short period. The Arbitrum team located the problem and deployed a fix. The team also noted that a Sequencer failure does not stop the network itself: users can bypass the Sequencer and submit transactions directly to Ethereum.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: Solana's Mainnet Beta had been unstable since 19:52 Beijing time the previous evening, and applications on the chain had been unable to operate normally for 12 hours. According to Solana Status, the Solana validator community chose to coordinate a restart of the network from a snapshot at slot 96542804, and validators were advised to update to Mainnet Beta v1.6.24. On September 21, Solana published a preliminary overview of the September 14 outage: the network was offline for about 17 hours, there was no loss of funds, and full functionality was restored within 24 hours. The cause was a denial-of-service condition. At 12:00 UTC, Grape Protocol launched an IDO on Raydium, and bot-generated transactions flooded the network. These transactions caused memory to overflow, crashing many validators and forcing the network to slow down and eventually halt. Once the validators could no longer agree on the current state of the chain, the network went offline and stopped confirming new blocks.
Amount of loss: - Attack method: DDoS Attack
Description of the event: Klondike Finance was attacked by hackers, with a total loss of approximately 35,281.71 KXUSD (6.5629 WETH).
Amount of loss: 35,281.71 KXUSD Attack method: Flash loan attack
Description of the event: The Zabu Finance project on the Avalanche chain suffered a flash-loan attack. According to the project, the attacker withdrew 4.5 billion ZABU tokens from the Zabu Farm contract, bringing the supply to 5 billion, and dumped all of them into ZABU's Pangolin and Trader Joe liquidity pools. DeFi analytics provider DeFiprime estimated the total value of the exploit at $3.2 million.
Amount of loss: $ 3,200,000 Attack method: Contract Vulnerability
Description of the event: A vulnerability in the NFT marketplace OpenSea caused at least 42 NFTs, worth at least $100,000, to be sent to a burn address. The issue was first raised by Nick Johnson, lead developer of the Ethereum Name Service (ENS), who noticed that when he transferred an ENS domain name (held as an NFT), it went to a burn address, that is, it was accidentally sent to an address nobody controls and can no longer be moved. Johnson said the destroyed name was the first ENS domain ever registered, rilxxlir.eth, which had been held by an ENS account since he registered it with personal funds. He used OpenSea to transfer it to his own account, only to find it had been sent to a burn address instead. Since Johnson still controls the name, he can still change its records; he just cannot move it. Johnson then received reports from others who were affected in the same way and compiled a list of 32 affected transactions involving 42 NFTs. Most of the NFTs use the ERC-721 standard, a few ERC-1155. Summing the floor price of each NFT gave a total of about $100,000. Johnson says OpenSea has now fixed the vulnerability.
Amount of loss: $ 100,000 Attack method: Contract Vulnerability
Description of the event: Twitter user "mhonkasalo" reported a bug in the dYdX staking contract: users received 0 stkDYDX when they staked, the front end was disabled, and 64 addresses were affected. dYdX later published a "Staking Contract Bug" incident report. During deployment of the upgradeable smart contract, an error in the dYdX Safety Module caused the DYDX to stkDYDX exchange rate to change from 1 to 0, so users who staked DYDX received no stkDYDX. dYdX stated that the error arose in the deployment process rather than in the code itself: the Safety Module had been audited, the design it shares with the Liquidity Module had also been audited, and the module was thoroughly tested before deployment. At present user funds are safely locked in the Safety Module until the end of the 28-day epoch, during which no Safety Module rewards are distributed and no withdrawals are possible. Restoring the contract requires an upgrade; the proposed fix restores the Safety Module's function, lets stakers withdraw their funds, and compensates them for the rewards they missed by participating in the Safety Module.
Amount of loss: - Attack method: Contract deployment error
Description of the event: Ethereum Classic (ETC) tweeted that the ETC mainnet had forked because of a previously disclosed vulnerability in the Ethereum client Geth. At present most of the hash power is on the main chain. Core-geth node operators should update to v1.12.1 or later as soon as possible.
Amount of loss: - Attack method: Ethereum client Geth vulnerability
Description of the event: The vesting contract of DAO Maker was attacked. DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS) and Showcase Token (SHO) all use DAO Maker's distribution system, and the DAO Maker contract was attacked while tokens were being issued to SHO holders. The distribution contract for SHO participants had an unprotected init function: the attacker called init to set its key parameters, changing the owner in the process, then drained the target tokens through emergencyExit and swapped them to DAI, for a final profit of nearly US$4 million.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
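The DAO Maker entry describes a chain of three steps: an initializer with no "already initialized" guard and no caller check, a re-initialization that installs the attacker as owner, and an owner-only rescue function (emergencyExit) that then serves as the drain. The following is an added example, not DAO Maker's code, modelling that chain against a vulnerable and a hardened contract. The class, address and token names and the balance are hypothetical; only the function names init and emergencyExit come from the entry.

```python
"""Unprotected initializer -> ownership takeover -> emergencyExit drain.

Added example modelling the bug class in the DAO Maker entry; not DAO Maker's
code.  Class, address and token names and the balance are hypothetical; only
the function names init and emergencyExit come from the entry.
"""


class VestingVulnerable:
    """Distribution contract whose init() has no 'already initialized' guard
    and no caller check, so anyone can call it again and become owner."""

    def __init__(self, token_balance: int):
        self.owner = None
        self.token = None
        self.balance = token_balance      # tokens held for vesting participants

    def init(self, caller: str, owner: str, token: str) -> None:
        # Bug: nothing stops a second call, and `caller` is never checked.
        self.owner = owner
        self.token = token

    def emergency_exit(self, caller: str, to: str) -> int:
        """Owner-only rescue: moves the whole balance to `to`.  Correct on its
        own; it becomes a drain primitive once owner is attacker-controlled."""
        if caller != self.owner:
            raise PermissionError("not owner")
        amount, self.balance = self.balance, 0
        return amount


class VestingSafe(VestingVulnerable):
    """Same contract with the two missing checks: one-shot initialization and
    a deployer-only initializer (the proxy admin in an upgradeable setup)."""

    def __init__(self, token_balance: int, deployer: str):
        super().__init__(token_balance)
        self._deployer = deployer
        self._initialized = False

    def init(self, caller: str, owner: str, token: str) -> None:
        if self._initialized:
            raise RuntimeError("already initialized")
        if caller != self._deployer:
            raise PermissionError("only deployer may initialize")
        self._initialized = True
        super().init(caller, owner, token)


def run_attack(contract, attacker: str = "0xATTACKER") -> int:
    """Re-initialize with the attacker as owner, then call emergencyExit.
    Returns the amount stolen (0 when the contract refuses)."""
    try:
        contract.init(attacker, owner=attacker, token="TOKEN")
        return contract.emergency_exit(attacker, to=attacker)
    except (RuntimeError, PermissionError):
        return 0


def deploy_and_attack(safe: bool, balance: int = 4_000_000) -> tuple:
    """Deployer initializes the contract legitimately, then the attacker
    strikes.  Returns (stolen, remaining_balance)."""
    deployer, legit_owner = "0xDEPLOYER", "0xDAOMAKER"
    c = VestingSafe(balance, deployer) if safe else VestingVulnerable(balance)
    c.init(deployer, owner=legit_owner, token="SHO")
    stolen = run_attack(c)
    return stolen, c.balance


if __name__ == "__main__":
    print("vulnerable:", deploy_and_attack(safe=False))
    print("hardened:  ", deploy_and_attack(safe=True))
```

The audit check this suggests is mechanical: for every function that sets an owner or admin, confirm it can run at most once and only from the deployer or proxy admin, and list every privileged function reachable once that owner is controlled.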
Description of the event: A user claimed on Twitter that he had fallen for an NFT auction scam and lost Ethereum worth US$336,000 to a fake sale on an artist's website. Unexpectedly, the other party then returned the full 100 ETH. The victim said he heard about the NFT auction from someone on Discord on Monday, believed he had been lucky enough to win the bid for the site's first NFT, and paid 100 ETH (about US$336,000) for it. According to a BBC report on Tuesday, a hacker had exploited a security hole in the artist Banksy's website and set up a page (banksy.co.uk/NFT) selling a purported non-fungible token (NFT). Although the hacker returned the money, the user still lost about $5,000 in transaction fees.
Amount of loss: $ 5,000 Attack method: Phishing attack
Description of the event: TOMB, the token of Tomb Finance, an algorithmic stablecoin project in the Fantom ecosystem pegged to FTM, fell as much as 77% yesterday, and the community suspected an attack. Tomb Finance responded that its Gatekeeper mechanism, which collects a fee when TOMB is sold, had been used by a third party in a way that triggered panic selling, but that the project was not attacked and no funds were stolen.
Amount of loss: - Attack method: Fee Collection Mechanism Flaw