1716 hack event(s)
Description of the event: The margin trading lending platform bZx tweeted that the private keys controlling Polygon and Binance Smart Chain (BSC) deployment appeared to have been leaked, resulting in a loss of funds. The bZx smart contract itself was not compromised, and the deployment, governance and DAO vault of Ethereum were not affected by this incident.
Amount of loss: $ 55,040,167 Attack method: Private Key Leakage
Description of the event: According to official sources, the No. 23 loan pool VesperLendbeta on the DeFi protocol RariFuse was attacked. The attacker consumed a large amount of VUSD liquidity in Uniswapv3, and created a VUSD/USDC liquidity pool to manipulate the oracle VUSD price feed function and raise the VUSD price. After lending a large amount of assets on VesperLend, the final profit was 3 million US dollars. At present, Vesper has officially suspended the borrowing of the functions of VUSD and vVSP on the RariFuse platform, and is working closely with Rari, Year and Uniswap to investigate the full impact of the attack. The investigation results and response measures will be updated in the future.
Amount of loss: $ 3,000,000 Attack method: Oracle Attack
Description of the event: Chivo Wallet is a national digital wallet issued by the government of El Salvador on September 7 for the implementation of the Bitcoin Act. To this end, El Salvador promised that users who download and authenticate the Chivo Wallet will receive a $30 bitcoin reward. This move allowed the official wallet of El Salvador to exceed 2 million users in one month. Between October 9th and October 14th, Cristosal, a human rights organization in El Salvador, received 755 notices about Salvadorans reporting that their Chivo wallet identity was stolen.
Amount of loss: $ 22,650 Attack method: Wallet Stolen
Description of the event: According to reports, the BSC project SQUID, which has the same name as the popular Korean drama "Squid Game", is suspected of running off or being attacked, with an estimated loss of 12 million USDT. According to the data, the official website of the project party cannot be opened at present; all the tokens in the current Pancake pledge pool have been transferred to the address: 0x71D934Aa2119CA3995F702f075d540f7A6b0f728 through two transactions. The hash value of one of the transactions on the BSC is: 0xf7c9d0e5a81999f9e06fe78df7ce41da112d8bd4f2da7b16cfdbbe46c92cb6af. The address for initiating the token withdrawal transaction is 0x614826D885FF973324a5C3f43369d7C413a88aea. In addition, traders from the address 0x1f5eabba9c56bca4a7828969b79bc87051125b31 sold SQUID tokens to transfer the BNB in the trading pair in Pancake to: 0x71D934Aa2119CA3995F702f075d540f7A6b0f728. The source of the initial gas required for the above transactions comes from the currency mixing application Tornado.Cash.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: The decentralized transaction protocol BXH tweeted that the assets of the protocol on the Binance Smart Chain (BSC) chain were hacked.
Amount of loss: $ 139,195,315 Attack method: Private Key Leakage
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain was attacked by hackers in a series of transactions, and the hackers made a profit of US$2 million (the protocol loss may be even greater). Previously, AutoShark was attacked by a flash loan in May, and the currency price crashed. AutoShark responded that it would issue a new token, JAWS, to compensate damaged users. Since then, AutoShark was attacked by lightning loan again in early October, and hackers made a profit of approximately US$580,000.
Amount of loss: $ 2,000,000 Attack method: Flash loan attack
Description of the event: According to Etherscan data, the OHM imitation project AnubisDAO, which was launched at Copper Launch, withdrew its liquidity pool one day after it went online. It is suspected that the volume of money went off the road. A total of more than 13,556 ETH were transferred to the address @0x9fc, worth about 58.3 million U.S. dollars. Jayson, the founding partner of PFR Capital, pointed out that AnubisDAO is just a Twitter account that was only registered a few days ago. There is no website, white paper, medium, and no products.
Amount of loss: 13,556 ETH Attack method: Rug Pull
Description of the event: Cream Finance, the DeFi lending agreement, was attacked and lost approximately US$130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens. It is reported that this is the third largest DeFi hacking in history (although the two larger hacking incidents have funds returned), in addition, Cream Finance has suffered multiple lightning loan attacks before, and lost 37.5 million US dollars in February. Another $19 million was lost.
Amount of loss: $ 130,000,000 Attack method: Flash loan attack
Description of the event: According to Cointelegraph reports, some Youtube channels were hacked and seized control. The original content and information of these channels were destroyed by hackers. Hackers pretended to be large technology companies or cryptocurrency exchanges to commit fraud. These channels were also used by hackers for $3 to $4,000. Sold at varying prices. The Google Threat Analysis Team (TAG) stated that the hackers who attacked the Youtube channel came from a Russian-speaking forum. In addition, Google has shared the findings with the FBI for further investigation.
Amount of loss: - Attack method: YouTube was hacked
Description of the event: The IDO project SaturnBeam of MoonSwap, a decentralized exchange on the Moonriver chain, ran away, and MoonSwap tweeted a warning that SaturnBeam would refund the money within 24 hours.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: Email addresses belonging to 3.1 million CoinMarketCap users were leaked last week, according to Have I Been Pwned.Have I Been Pwned says that the website’s database was breached on Oct. 12, 2021. Exactly 3,117,548 email addresses, not including passwords, were stolen in the security breach.
Amount of loss: - Attack method: Information Leakage
Description of the event: These implicit assumptions on Uniswap V2 resulted in 20 addresses on Alpha Homora V2 being impacted and lost a total of 40.93 ETH to miners who extracted this value. We have plans to compensate these 20 addresses. However, what’s more important is to share this with our community, especially other builders in the space to be aware of these implicit assumptions that are not stated, how you can detect this as a builder, and how to prevent/mitigate this.
Amount of loss: 40.93 ETH Attack method: Sandwich attack
Description of the event: Avalanche ecological stability income aggregation agreement Avaterra Finance was attacked by hackers. The security company Rugdoc analyzed that the contract of the agreement is a fork of Goose, but their token contains custom elements, and anyone can call its minting function. In the end, the hacker called the contract and minted and dumped thousands of tokens.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Bug bounty platform Immunefi says white hat hacker Gerhard Wagner submitted a critical vulnerability affecting the Polygon Plasma Bridge on October 5, 2021 that allows attackers to withdraw their burn transactions from the bridge multiple times for up to 223 times. About $850 million is at risk, and an attack with just $100,000 would result in a loss of $22.3 million. Polygon confirmed the bug and immediately began fixing the underlying issue, which was resolved within a week. Polygon agreed to pay up to $2 million for the submission.
Amount of loss: $ 2,000,000 Attack method: Double Spend Attack
Description of the event: Pancake Hunny, the DeFi protocol on BSC, was attacked by lightning loans, and HUNNY tokens fell by about 70% in a short time. The hacked transactions included 513 transfers, and Gas consumption reached 19 million, of which a large number of transfers were related to Alpaca tokens.
Amount of loss: - Attack method: Flash loan attack
Description of the event: Glide Finance, a DeFi protocol built on the Elastos ecosystem, tweeted that a contract loophole was exploited to siphon money out of the matching contract for a loss of approximately $300,000 because the team changed the fee parameters after an audit but did not update the number on the contract from 1,000 to 10,000. The team is now contacting the exchange to block the transfer of funds and reminding users who have money in Glide's liquidity pool to withdraw funds.
Amount of loss: $300,000 Attack method: Contract Vulnerability
Description of the event: Indexed Finance, a passive income agreement, was attacked, and the affected fund pools included DEFI5 and CC10. After the vulnerability was discovered, it triggered protection measures including DEGEN, NFTP, and FFF (including DEFI5 and CC10) fund pools, and was frozen. About half an hour ago, Indexed Finance officially stated that the root cause of the attack has been determined. The two index token fund pools, DEGEN and NFTP, have resumed normal operation, while the FFF pool is still in a frozen state. Officials stated in Discord that the damage caused by this attack was about 16 million U.S. dollars.
Amount of loss: $16,000,000 Attack method: Pricing mechanism issues
Description of the event: The report released by Sophos stated that the crypto fraud application CryptoRom stole 1.4 million U.S. dollars through the use of "super signature service" and Apple's developer enterprise plan. It is reported that fraudsters gain the trust of victims through Facebook and dating platforms (such as Tinder, Grindr, Bumble, etc.), and then lure them to install a fake cryptocurrency application CryptoRom and invest. The victim installs apps, invests, makes a profit, and is allowed to withdraw funds. After being encouraged, they were forced to invest more, but once they deposited a larger amount, they could no longer withdraw cash. To date, Bitcoin addresses related to the scam have sent more than 1.39 million U.S. dollars, and there may be more addresses related to the scam. According to the report, most of the victims are iPhone users. The report stated that CryptoRom bypassed all security checks in the App Store and remained active every day. The report also stated that Apple “should warn users about installing apps through temporary distribution or through the enterprise configuration system that these apps have not been reviewed by Apple.”
Amount of loss: $ 1,400,000 Attack method: Scam
Description of the event: According to news, the security research company discovered that there is a serious security vulnerability in OpenSea in the NFT market, which may cause hackers to steal the user's entire encrypted wallet. Then OpenSea responded that a repair was implemented within one hour of discovering the problem, and other measures will be taken to strengthen community safety education.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Quantitative trading company mgnr stated on Twitter that StarkWare has an urgent security issue, but did not disclose the specific details. Louis Guthmann, the head of ecology of the StarkWare team, confirmed that there is indeed a problem. “This is not a security vulnerability on dYdX. ) Is only related to a specific user." mgnr said he has contacted the StarkWare and Solana teams.
Amount of loss: - Attack method: Unknown