1525 hack event(s)
Description of the event: These implicit assumptions on Uniswap V2 resulted in 20 addresses on Alpha Homora V2 being impacted and lost a total of 40.93 ETH to miners who extracted this value. We have plans to compensate these 20 addresses. However, what’s more important is to share this with our community, especially other builders in the space to be aware of these implicit assumptions that are not stated, how you can detect this as a builder, and how to prevent/mitigate this.
Amount of loss: 40.93 ETH Attack method: Sandwich attack
Description of the event: Avalanche ecological stability income aggregation agreement Avaterra Finance was attacked by hackers. The security company Rugdoc analyzed that the contract of the agreement is a fork of Goose, but their token contains custom elements, and anyone can call its minting function. In the end, the hacker called the contract and minted and dumped thousands of tokens.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Bug bounty platform Immunefi says white hat hacker Gerhard Wagner submitted a critical vulnerability affecting the Polygon Plasma Bridge on October 5, 2021 that allows attackers to withdraw their burn transactions from the bridge multiple times for up to 223 times. About $850 million is at risk, and an attack with just $100,000 would result in a loss of $22.3 million. Polygon confirmed the bug and immediately began fixing the underlying issue, which was resolved within a week. Polygon agreed to pay up to $2 million for the submission.
Amount of loss: $ 2,000,000 Attack method: Double Spend Attack
Description of the event: Pancake Hunny, the DeFi protocol on BSC, was attacked by lightning loans, and HUNNY tokens fell by about 70% in a short time. The hacked transactions included 513 transfers, and Gas consumption reached 19 million, of which a large number of transfers were related to Alpaca tokens.
Amount of loss: - Attack method: Flash loan attack
Description of the event: Glide Finance, a DeFi protocol built on the Elastos ecosystem, tweeted that a contract loophole was exploited to siphon money out of the matching contract for a loss of approximately $300,000 because the team changed the fee parameters after an audit but did not update the number on the contract from 1,000 to 10,000. The team is now contacting the exchange to block the transfer of funds and reminding users who have money in Glide's liquidity pool to withdraw funds.
Amount of loss: $300,000 Attack method: Contract Vulnerability
Description of the event: Indexed Finance, a passive income agreement, was attacked, and the affected fund pools included DEFI5 and CC10. After the vulnerability was discovered, it triggered protection measures including DEGEN, NFTP, and FFF (including DEFI5 and CC10) fund pools, and was frozen. About half an hour ago, Indexed Finance officially stated that the root cause of the attack has been determined. The two index token fund pools, DEGEN and NFTP, have resumed normal operation, while the FFF pool is still in a frozen state. Officials stated in Discord that the damage caused by this attack was about 16 million U.S. dollars.
Amount of loss: $16,000,000 Attack method: Pricing mechanism issues
Description of the event: The report released by Sophos stated that the crypto fraud application CryptoRom stole 1.4 million U.S. dollars through the use of "super signature service" and Apple's developer enterprise plan. It is reported that fraudsters gain the trust of victims through Facebook and dating platforms (such as Tinder, Grindr, Bumble, etc.), and then lure them to install a fake cryptocurrency application CryptoRom and invest. The victim installs apps, invests, makes a profit, and is allowed to withdraw funds. After being encouraged, they were forced to invest more, but once they deposited a larger amount, they could no longer withdraw cash. To date, Bitcoin addresses related to the scam have sent more than 1.39 million U.S. dollars, and there may be more addresses related to the scam. According to the report, most of the victims are iPhone users. The report stated that CryptoRom bypassed all security checks in the App Store and remained active every day. The report also stated that Apple “should warn users about installing apps through temporary distribution or through the enterprise configuration system that these apps have not been reviewed by Apple.”
Amount of loss: $ 1,400,000 Attack method: Scam
Description of the event: According to news, the security research company discovered that there is a serious security vulnerability in OpenSea in the NFT market, which may cause hackers to steal the user's entire encrypted wallet. Then OpenSea responded that a repair was implemented within one hour of discovering the problem, and other measures will be taken to strengthen community safety education.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Quantitative trading company mgnr stated on Twitter that StarkWare has an urgent security issue, but did not disclose the specific details. Louis Guthmann, the head of ecology of the StarkWare team, confirmed that there is indeed a problem. “This is not a security vulnerability on dYdX. ) Is only related to a specific user." mgnr said he has contacted the StarkWare and Solana teams.
Amount of loss: - Attack method: Unknown
Description of the event: The official Twitter account and website of the NFT project Evolved Apes, the project developer "Evil Ape" disappeared last week, and took away 798 ETH worth US$2.7 million.
Amount of loss: 798 ETH Attack method: Rug Pull
Description of the event: My Farm Pet was suspected of being attacked by lightning loans, and today fell 79.86%.
Amount of loss: $ 31,424 Attack method: Flash loan attack
Description of the event: The Bitcoin sidechain Liquid Network launched by Blockstream encountered block signature-related issues after the recent upgrade, resulting in no block generation for more than 7 hours. According to Liquid Network's block explorer, the last block is 1517039, and it was generated 7 hours ago. Liquid Network said on Twitter, "It is investigating a block signature issue related to a recent feature upgrade, but user funds are safe and will not be affected."
Amount of loss: - Attack method: Block signature problem
Description of the event: Staking liquidity solution Lido Finance discovered a loophole through the Lido vulnerability bounty program, which can be used by whitelisted node operators to steal a small portion of user funds. Approximately 20,000 ETH were exposed to risk at the time of the vulnerability report. At present, the team has taken short-term remedial measures. The white hat for reporting the vulnerability is Dmitri Tsumak, the founder of StakeWise, who is expected to receive the highest reward of the vulnerability bounty program of $100,000.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: While the decentralized lending agreement Compound tried to fix the loopholes in the liquidity mining token distribution contract through the No. 63 or No. 64 community proposal, another COMP token worth US$68.8 million (a total of 202,472 COMP) was due to The call of the drip() function was entered into the liquidity mining token distribution contract that has existing loopholes.
Amount of loss: $ 68,800,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain was attacked by lightning loans. The main reason was that the exchange mining function was used by hackers in a series of transactions. Hackers could use lightning loans to occupy most of the mining pool (to make up for exchange losses/fees) ), at the same time, the exchange fee reward was obtained, and a total profit of 3.18 million FINS was obtained. Afterwards, the hacker exchanged FINS for 1,388 BNB (approximately US$580,000).
Amount of loss: 3,180,000 FINS Attack method: Flash loan attack
Description of the event: According to a notification letter submitted by Coinbase to the California Attorney General’s Office to affected customers, a vulnerability that allows hackers to bypass Coinbase’s multi-factor authentication SMS option has affected at least 6,000 Coinbase users between March and May 2021. During the 20th day, hackers took advantage of this omission to access the accounts of affected users and transfer user funds from Coinbase. After Coinbase learned of this issue, it immediately updated its SMS account recovery agreement to prevent hackers from further bypassing the authentication process. In addition, Coinbase will deposit funds of the same value into the accounts of affected users. Coinbase has also been working closely with law enforcement agencies and is conducting an internal investigation into the incident.
Amount of loss: - Attack method: Security Mechanism Issue
Description of the event: POAP, the proof of attendance badge protocol, stated that its minting system was hacked on September 29, and several POAPs of XCOPY and Polygonal Mind were fraudulently issued and sold. At the request of the artist, POAP has burned down the relevant NFT.
Amount of loss: - Attack method: Minting Attack
Description of the event: Iconics, an NFT project on Solana, was accused of being a “Rug pull.” The 17-year-old artist behind Iconics made about $140,000 before disappearing. The project developers also deleted Iconics’ Twitter account and disabled Discord channel chat.
Amount of loss: $ 140,000 Attack method: Rug Pull
Description of the event: Compound, a decentralized lending protocol, confirmed through Twitter that after the implementation of Proposal 062, the liquidity mining of the protocol has an abnormal distribution of COMP tokens. Compound Labs and community members are investigating. Compound said that deposits and borrowed funds have not been found to be at risk. Compound founder Robert Leshner stated that the problem appeared to be an error in the initial setting of the distribution rate of COMP tokens based on Proposal 062, resulting in too much COMP tokens being distributed; however, modification of the corresponding code must go through governance , It takes at least 7 days.
Amount of loss: $ 80,000,000 Attack method: Contract Vulnerability
Description of the event: The non-custodial exchange DeversiFi released a post-mortem analysis report for the previous gas transaction that included 7676.62 ETH, saying that the potential problems in the EthereumJS library are combined with the gas fee changes related to the EIP-1559 upgrade in some cases, and the Ledger hardware wallet may exist The display problem of, may lead to extremely high transaction fees. When this happens, only wallets with very large funds will be affected, and other users will display transaction failures during transactions. In addition, after Bitfinex negotiated with the miners, the miners had returned 7,626 ETH, and the remaining 50 ETH was provided to the miners as a refund fee. It was previously reported that a major wallet on the Bitfinex exchange made a $100,000 USDT transfer with a total of 7676.62 ETH (approximately US$23.54 million) in Gas fees. The final recipient was a non-custodial spin-off from Bitfinex in 2019. Exchange DeversiFi.
Amount of loss: 50.62 ETH Attack method: Handle inventory defects with fixed precision and extended value range