1860 hack event(s)
Description of the event: According to official news, Marvin Inu's cross-chain bridge was hacked, and tokens worth 110 ETH were stolen and sold, causing a sharp drop in price. The project team has closed the cross-chain bridge and fixed the vulnerabilities. It has also adjusted the purchase tax to 0% and promised to repurchase and burn tokens to make up for the loss once the price stabilizes.
Amount of loss: 110 ETH Attack method: Contract Vulnerability
Description of the event: There is a fundamental vulnerability in the CF token contract that allows anyone to transfer someone else's CF balance. The losses so far are around $1.9 million, and the CF/USDT trading pair on PancakeSwap has been affected.
Amount of loss: $ 1,900,000 Attack method: Contract Vulnerability
Description of the event: The Education Grants Council (UGC) of India was hacked. The hackers used its Twitter account to post a fake Azuki NFT airdrop link, changed the profile to that of the Azuki NFT co-creator, and replaced the avatar with an Azuki-related image. The agency recovered the account after it was held hostage for six hours.
Amount of loss: - Attack method: Account Compromise
Description of the event: The Starstream Finance and Agora DeFi projects were attacked. Attackers exploited a vulnerability in Starstream to siphon tokens from the protocol, then used the tokens as collateral to obtain large loans from Agora. The Starstream hack was carried out through an unprotected execute function in its DistributorTreasury contract, which is marked as an external function and can be used to call external functions. In total, the attackers borrowed about $8.2 million worth of tokens from Agora.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: According to official news from each project, the NFT projects whose Discord servers are currently under attack include BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz. In addition, the source code of the verification bot Captcha has been leaked, and the private message tool Ticket Tool has been attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Ola Finance on the Fuse chain published a blog post on the hacking incident, stating that approximately $4.67 million was lost in the attack, including 216,964.18 USDC, 507,216.68 BUSD, 200,000 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE. The attack exploited a reentrancy vulnerability in the ERC677 token standard.
Amount of loss: $ 4,670,000 Attack method: Reentrancy Attack
Description of the event: According to BasketDAOOrg's official Twitter, there is a vulnerability in BMIZapper, which caused users to lose about 1.2 million US dollars.
Amount of loss: $ 1,200,000 Attack method: Contract Vulnerability
Description of the event: Castle Finance developer Charlie You discovered a critical vulnerability in Jet Protocol, a lending protocol in the Solana ecosystem, that could allow attackers to withdraw tokens from arbitrary accounts. It is reported that Charlie You discovered the vulnerability in January this year, but it had existed since the code update on December 15, 2021. Charlie You said that the vulnerability could have caused up to 20 million US dollars in financial losses. The Jet Protocol team has now fixed it.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A Rug Pull occurred in BNB DEFI, and the DEFI token fell by 68% in a short time. At present, the project has closed the community, and DEFI tokens have been exchanged for about 255 BNB.
Amount of loss: 255 BNB Attack method: Rug Pull
Description of the event: Axie Infinity sidechain Ronin Network issued a community alert today reporting a security breach. 173,600 ETH and 25.5M USDC were stolen from the Ronin bridge, a loss of more than 610 million US dollars. As stated by the Ronin developers, the attacker used the hacked private key to forge fake withdrawals, pulling funds out of the Ronin bridge in just two transactions. It is reported that this incident is suspected to be related to the North Korean hacker group Lazarus Group.
Amount of loss: $ 610,000,000 Attack method: Private Key Leakage
Description of the event: According to reports, someone impersonating a Cryptovoxels official conducted a phishing attack, induced users to grant authorization, stole multiple NFTs (including Cryptovoxels Parcel Token, Art Blocks: BLOCKS Token, Mutant Ape Yacht Club: MAYC Token, etc.), and then sold them on OpenSea. It is reported that anonymous attackers exploited a vulnerability in the Discord bot to direct community users to phishing sites from the official Cryptovoxels Discord channel. The attacker's address is 0x794ca38bc1e15e528a7991ce25707a25ad71b675.
Amount of loss: 50 ETH Attack method: Phishing Attack
Description of the event: A Rug Pull occurred in the project BuccaneerFi on the BNB Chain. At present, the project's social media account and community have been deleted, and about 841 BNB have been transferred to Tornado Cash.
Amount of loss: 841 BNB Attack method: Rug Pull
Description of the event: DeFi protocol Revest Finance has been hacked. Hackers stole nearly 7.7 million ECO, 579 LYXe, nearly 715 million BLOCKS, and over 350,000 RENA. According to SlowMist analysis, the attack was possible because the handleMultipleDeposits function in the tokenVault contract does not check whether the newly minted NFT already exists, so the attacker could directly modify the information of an NFT that had already been minted. In addition, the key functions in the Revest contract are not protected by reentrancy locks, which allowed them to be exploited through callbacks.
Amount of loss: $ 120,000 Attack method: Reentrancy Attack
Description of the event: InuSaitama is suspected to have suffered an arbitrage attack. The attacker (0xAd0C834315Abfa7A800bBBB5d776A0B07b672614) Saitamask (0x00480b0abBd14F2d61Aa2E801d483132e917C18B) exchanged almost 10 times the value of SAITAMA Token through swap, then exchanged it back to ETH through Uniswap and transferred it to 0x63493e679155c2f0aAd5Bf96d65725AD6427faC4, with a total profit of about 4.
Amount of loss: 430 ETH Attack method: Arbitrage attack
Description of the event: Maison Ghost's Discord was hacked. The hacker posted a fake minting link, and within minutes about 300 NFTs were stolen, including the Sandbox and 3landers NFTs, which were then sold for 128 ETH and eventually sent to Tornado.
Amount of loss: 128 ETH Attack method: Account Compromise
Description of the event: NFT project MekaVerse tweeted that the official Discord was hacked. In addition, according to other users in the community, the wallets of hundreds of thousands of bots are suspected to have been stolen, and it seems that no users have been affected.
Amount of loss: - Attack method: Account Compromise
Description of the event: The NFT project VEVE officially tweeted that the system was exploited, resulting in a large number of gems being illegally obtained.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The stablecoin project Cashio on Solana has been hacked. According to the preliminary analysis of the SlowMist security team, hackers illegally issued 2 billion CASH tokens by bypassing an unverified account, and converted the CASH tokens into 8,646,022.04 UST, 17,041,006.5 USDC and 26,340,965.68 USDT-USDC LP through multiple applications, for a total profit of 52,027,994.22 USD (more than 50 million USD). At present, the team has issued an official announcement asking users to suspend use of the contract, and a temporary patch has been released to fix the vulnerability.
Amount of loss: $ 52,027,994.22 Attack method: Contract Vulnerability
Description of the event: Twitter user cr0ss.eth said the hot wallet of Defiance Capital founder Arthur was suspected to have been stolen. OpenSea data shows that 60 NFTs, including 17 Azuki and 5 CloneX, were transferred on-chain out of Arthur's wallet address 0x4C53c32980ccE49aaA4bCc53Eef3f143Bc27E0aF, totaling about 310 ETH.
Amount of loss: 310 ETH Attack method: Private Key Leakage
Description of the event: A Rug Pull occurred in the NFT project REALSWAK, and its official social account (@REALSWAK) has been cancelled. Scammers have transferred 1,300 BNB to the Tornado Cash mixer.
Amount of loss: 1330 BNB Attack method: Rug Pull