1708 hack event(s)
Description of the event: The DeFi project helios on Polygon carried out a rug pull. (0x8eb6ead701b7d378cf62c898a0a7b72639a89201)
Amount of loss: $ 1,446,704 Attack method: Rug Pull
Description of the event: The cross-chain bridge ChainSwap announced the details of the theft on its official blog. Assets of 20 projects were stolen, with a total value of approximately US$4 million. At present, the ChainSwap team has reached a consensus with the affected projects and has initially formulated and implemented a compensation plan. According to the project's investigation, the cause was an error in the token cross-chain quota code: the on-chain swap bridge quota is automatically increased by the signature node, which was intended to make the bridge more decentralized, without manual control. However, a logical flaw in the code led to a vulnerability that automatically increases the number of invalid addresses that are not whitelisted.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: The cross-chain bridge project Multichain issued an announcement stating that its newly launched V3 cross-chain liquidity pool was hacked in the early hours of yesterday, with a total loss of 2.39 million USDC and 5.5 million MIM. According to Etherscan, the hacker has sold all of the MIM and obtained 548 Million DAI, which means that Multichain's total loss is more than 7.87 million U.S. dollars. According to the explanation of the theft in the Multichain announcement, two v3 router transactions were detected under the V3 router MPC account on BSC. These two transactions had signatures with the same R value, and the hacker reverse-engineered the private key of this MPC account. At present, the team has fixed the code to avoid reusing the same R value in signatures. Multi-chain router V3 will restart in about 48 hours. There is no security risk for v1 and v2. Multichain stated that it has taken remedial measures to provide full compensation. Multichain will refill the stolen liquidity within 48 hours, and liquidity providers will be able to withdraw assets from the pool again without any loss.
Amount of loss: $ 7,870,000 Attack method: Contract Vulnerability
Description of the event: According to official news, OptionRoom, an oracle and prediction protocol in the Polkadot ecosystem, stated that it was among the many projects affected by the "cross-chain asset bridge ChainSwap attack". Hackers were able to obtain 2.3 million ROOM tokens on Ethereum and 10 million ROOM tokens on BSC. OptionRoom noticed the hack before the hackers sold any tokens and decided to remove liquidity from Uniswap and Pancakeswap to protect token holders and liquidity providers from the hackers selling into the liquidity pools. By selling the deployer's tokens to the Uniswap pool, OptionRoom was able to recover $342,117. In this way, OptionRoom successfully extracted liquidity on behalf of the project's liquidity providers. The recovered amount will be allocated according to each liquidity provider's share.
Amount of loss: 12,300,000 ROOM Attack method: Contract Vulnerability
Description of the event: According to official sources, DAFI Protocol, an on-chain incentive protocol, stated that DAFI worth 200,000 US dollars was sold due to the “cross-chain asset bridge ChainSwap attack”. DAFI Protocol requests the community to withdraw liquidity from Uniswap and LP plans until further notice. DAFI Protocol added that the DAFI token contract and Super Staking are safe.
Amount of loss: $ 200,000 Attack method: Contract Vulnerability
Description of the event: According to official sources, the DeFi asset management platform DAOventures had 300,000 DVG tokens stolen due to a vulnerability in the contract of the cross-chain asset bridge ChainSwap. DAOventures stated that it took snapshots of DVG holders and LPs before the attack and that it will compensate the affected token holders. The DAOventures team stated that users' assets in DAOventures are safe. Until the compensation plan is announced, DAOventures reminds users not to purchase DVG for the time being and to follow the team's latest updates.
Amount of loss: 300,000 DVG Attack method: Contract Vulnerability
Description of the event: According to official sources, the DeFi oracle Umbrella Network had over 3 million UMB tokens stolen due to a vulnerability in the contract of the cross-chain asset bridge ChainSwap.
Amount of loss: 3,000,000 UMB Attack method: Contract Vulnerability
Description of the event: According to official sources, Dora Factory, a multi-chain service infrastructure based on Polkadot, was affected by a contract vulnerability in the cross-chain asset bridge ChainSwap. The 7,872 DORA locked in the ChainSwap cross-chain bridge contract were taken out by hackers and sold through Uniswap.
Amount of loss: $ 42,373 Attack method: Contract Vulnerability
Description of the event: Circle Internet Financial, the issuer of the US dollar stablecoin USDC, reported in a regulatory filing with the US Securities and Exchange Commission (SEC) that it lost US$2 million to email fraud last month. Circle stated that the email fraud incident did not affect customer funds and accounts, that Circle's information systems remain secure, and that the US$2 million was the company's own funds.
Amount of loss: $ 2,000,000 Attack method: Scam
Description of the event: Lookout Threat Lab security researchers exposed more than 170 Android applications, and the number of deceived users exceeded 93,000. Among them, 25 applications managed to evade Google Play Store detection and were successfully published, mainly because they do not perform any malicious operations and may exist purely to fool users. Lookout security researchers pointed out that these counterfeit applications belong to the BitScam and CloudScam families, which claim to provide cloud-based cryptocurrency mining services that aggregate the computing power of users' mobile devices and share the mining revenue. These apps are not free, and they charge additional fees under pretexts such as subscriptions and upgrades. Prices range from 12.99 to 259.99 US dollars, and cryptocurrencies such as BTC or ETH are accepted as payment methods. Lookout Threat Lab estimates that these malware creators defrauded users of 300,000 U.S. dollars through illegal sales and 50,000 U.S. dollars in cryptocurrency through fake payments and upgrade services.
Amount of loss: $ 350,000 Attack method: Scam
Description of the event: Cobra, the anonymous creator and principal of Bitcoin.org, tweeted that the Bitcoin.org website is being subjected to an "absolutely large-scale" distributed denial of service (DDoS) attack, as well as a Bitcoin ransom demand. Currently Bitcoin.org is accessible.
Amount of loss: - Attack method: DDoS Attack
Description of the event: RAI Finance, a cross-chain transaction protocol based on the Polkadot blockchain, issued a post stating that, due to the vulnerability in the ChainSwap smart contract, the RAI access and payment permission addresses connected to it were also hacked and their funds stolen. The total amount of RAI stolen from the account reached 2.9 million. On July 5, Rai Finance tweeted that, following the team's investigation, the hackers had returned 2.2 million RAI to the ChainSwap Deployer. The total loss caused by this incident was reduced to 670,000 RAI.
Amount of loss: $ 414,013 Attack method: Affected by ChainSwap Attack
Description of the event: A blackmailer using the ID ZeroX is suspected of exploiting a 0day vulnerability to steal 1TB of Saudi Aramco's corporate data. According to the ID's post on a dark web forum, the leaked data includes sensitive information such as the complete information of 14,254 employees, internal analysis reports, pricing tables, refinery locations, specifications of enterprise-related system projects and, most importantly, customer data. The earliest data dates back to 1993, spanning 28 years. The blackmailer gave Saudi Aramco a deadline of 662 hours (approximately 28 days) and demanded payment of 50 million U.S. dollars in Monero, or the data would be sold for 5 million U.S. dollars. This is another large-scale data breach following the 2012 hack of Saudi Aramco, in which 35,000 computers were affected and 75% of the company’s computer data was deleted.
Amount of loss: - Attack method: Information Leakage
Description of the event: Haven Protocol (XHV), a privacy-centric DeFi protocol based on Monero, released analysis reports and remediation measures for three serious attacks against it in late June. A chain rollback plan will be initiated and a hard fork will be implemented to fix the known vulnerabilities in protocol minting. Regarding the specific attacks: on June 24, 203,000 xUSD and 13.5 xBTC were minted in two attacks; on June 27, an unknown amount of XHV was minted due to a vulnerability in the conversion verification of xAsset; on June 29, the attacker exploited a vulnerability that allowed the minting of 9 million xUSD.
Amount of loss: $ 8,186,549 Attack method: Minting Attack
Description of the event: The DEX trading tool DEXTools (DEXT) tweeted that it was recently hacked and affected some DEXT holders.
Amount of loss: - Attack method: Unknown
Description of the event: The XDX Swap (DDEX) on the Heco chain's cross-chain decentralized exchange DDEX was attacked. The attacker made a profit of 85.17 ETH (approximately $176,000) and bridged it to Ethereum. The DDEX code appears to have a backdoor. With the support and cooperation of DDEX, Star Labs, and the HECO White Hat Security Alliance, XDX Swap has progressively recovered most of the funds involved in this attack, with a total value of more than 5 million US dollars.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The cross-chain asset bridge ChainSwap announced the details of the hacking incident today, saying that at 04:30 AM UTC on July 2nd it noticed abnormal activity on the cross-chain bridge. Some users reported that their tokens had been removed from wallets that interacted with ChainSwap. After the tokens were taken, the ChainSwap team immediately froze the cross-chain bridge, shut down all nodes, and deployed a fix within 30 minutes. The teams of the affected projects were alerted. According to the announcement, the stolen assets include 32237576.17 TSHP, 80052.82027 CORRA, 643405.7157 BLANK, 2922720 RAI, 19392.27712 ROOM, 4820309.98 DEXT, 210,108.22 UMB, 55476328.8 FAIR. ChainSwap stated that, after negotiating with the hackers, it has recovered some of the CORRA and RAI tokens, and the total loss is estimated to be 800,000 US dollars. At present, a small amount of the affected tokens has been repurchased from the market and returned to the contract wallet. The rest will be fully paid by Chainswap Vault Compensation. In addition, ChainSwap will also issue compensation to affected users.
Amount of loss: $ 800,000 Attack method: Contract Vulnerability
Description of the event: THORChain, a decentralized cross-chain transaction protocol, tweeted that a malicious attack against THORChain was discovered. THORChain nodes responded with isolation defenses. The capital loss caused by this attack was US$140,000, but THORChain stated that user funds will not be affected. The fund pool will be used to make up for the lost funds. The team stated that the attack path was a logical error in EthBifrost's handling of the same symbol as ETH. THORChain claimed that it repaired Bifrost within 30 minutes and used node defenses to stop Bifrost and THORNode. The team said it will also invest funds in ongoing code reviews and monitoring.
Amount of loss: $ 140,000 Attack method: False top-up
Description of the event: The algorithmic stablecoin project SafeDollar on Polygon is suspected of being hacked, and an unconfirmed contract seems to have taken away 250,000 USD in USDC and USDT.
Amount of loss: $ 250,000 Attack method: Flash loan attack
Description of the event: The hack of the yield aggregator Merlin Lab stems from a logic flaw in MerlinStrategyAlpacaBNB. The contract mistakenly treats the BNB transferred by the beneficiary as mining revenue, which causes the contract to issue more MERL as a reward. By repeating the operation, the attacker made a profit of 300,000 US dollars.
Amount of loss: $ 300,000 Attack method: Logic Vulnerability