1853 hack event(s)
Description of the event: MetaDAO carried out a rug pull, taking the funds (800 ETH, about 3.2 million US dollars), which have been transferred to the Tornado.cash mixer. MetaDAO's website is currently unavailable due to suspension.
Amount of loss: 800 ETH Attack method: Rug Pull
Description of the event: The NFT project Monkey Kingdom stated that hackers stole $1.3 million in SOL from the community through a security breach in Discord. The hacker first attacked Grape, a solution for authenticating users on Solana, and exploited the vulnerability to take over an administrative account, which then posted a phishing link in the announcement channel of the Monkey Kingdom Discord.
Amount of loss: $ 1,300,000 Attack method: Account Compromise
Description of the event: Uniswap V3 liquidity management protocol Visor Finance was hacked again. Hackers exploited the vulnerability to withdraw more than 8.8 million VISR and sold them on Uniswap, causing the VISR token to plummet by nearly 95%, and laundered the profit of over 120 ETH through Tornado Cash. According to SlowMist analysis, the attack was due to a flaw in how the RewardsHypervisor contract checked permissions on user deposits, which allowed the attacker to construct a malicious contract and arbitrarily mint staking credentials. Previously, in June, Visor Finance was also hacked and lost more than US$500,000.
Amount of loss: 120 ETH Attack method: Contract Vulnerability
Description of the event: The staking and yield farming platform Bent Finance tweeted that the Bent Deployer wallet upgraded the curve pool contract from November 30, 2021 to 2021 01:09:27 PM +UTC, and the exploiter added a malicious contract that allowed the cvxcrv and mim pools to hardcode user balances, then deployed another contract to mask it. The attackers stole a total of 513,000 cvxcrv LP tokens. Bent Finance later updated the incident report, saying that with the help of two white hat hackers, the team analyzed the incident and concluded: "This was actually the work of an 'inside member'. After several days of hacking, the attackers finally agreed to return the funds to the following multisig address: 0xaBb8B277F49de499b902A1E09A2aCA727595b544. The attackers sold off (now bounced back) and sent us ETH and DAI, there was a slight shortfall in returning funds, but we've fixed that. So far, we have raised another 200,000 cvxcrv (~$1 million) from the community to help fill the gap." The team said that the vulnerability has been fixed to ensure that such incidents do not occur again.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The Discord server run by Fractal, a recently launched gaming NFT marketplace, was hacked. The hacker defrauded 373 members of 800 SOL (Solana) worth US$150,000. The startup said in its announcement that it will compensate the victims in full.
Amount of loss: $ 150,000 Attack method: Account Compromise
Description of the event: The Discord server run by Fractal, a gaming NFT marketplace, was hacked. A fake Discord bot disguised as an official one posted a fake minting link in Fractal's "#announcements" channel, and nearly 3,500 people fell victim to it, losing nearly 600,000 dollars. In its announcement, the company said it would fully compensate victims of the hack.
Amount of loss: $ 600,000 Attack method: Account Compromise
Description of the event: According to official sources, GrimFinance, a yield-compounding platform on the Fantom chain, suffered a flash loan attack, and the current loss has exceeded 30 million U.S. dollars. The attacker used the function named "beforeDeposit()" in GrimFinance's vault strategy to carry out the attack, supplying a malicious token contract.
Amount of loss: $ 30,000,000 Attack method: Flash Loan Attack
Description of the event: A data bug appeared on CoinMarketCap's website, and the quotes for multiple cryptocurrencies were wrong.
Amount of loss: - Attack method: Data error
Description of the event: At 5:21 (UTC+8) on December 15, 2021, the CHE oracle of the WePiggy-OEC protocol briefly malfunctioned, which caused the price of CHE in WePiggy to be much higher than the market price, resulting in abnormal liquidations for users who had borrowed CHE assets. Calculated at the price at the time of the incident, the total loss of user assets is approximately US$400,000.
Amount of loss: $ 400,000 Attack method: Abnormal liquidation
Description of the event: Blockchain game project Vulcan Forged officially tweeted that 148 wallets holding PYR were hacked and more than 4.5 million PYR had been stolen. It then stated that most of the PYR has been returned from the treasury to the affected wallets.
Amount of loss: $ 102,820,974 Attack method: Private Key Leakage
Description of the event: On December 13, the oracle of the DeFi platform Definer was attacked. The incident was caused by a problem in Definer’s implementation of the oracle on OEC: it used the token balance of a single liquidity pool at a single point in time as the price source. The Ethereum implementation uses Chainlink’s oracle and does not have this problem.
Amount of loss: 30,765 CHE Attack method: Oracle Attack
Description of the event: Dharma Wallet officially tweeted that it was experiencing downtime. In a later update on Twitter, Dharma said that it has returned to normal and all funds are safe.
Amount of loss: - Attack method: Downtime
Description of the event: According to the official announcement, some ERC-20, BSC and Polygon tokens of AscendEX were abnormally transferred out of the hot wallet of the exchange, and the cold wallet of AscendEX was not affected by this incident. It is estimated that Pinnacle AscendEX’s losses totaled US$77.7 million (of which US$60 million was on Ethereum, US$9.2 million was on BSC, and US$8.5 million was on Polygon).
Amount of loss: $ 77,700,000 Attack method: Wallet Stolen
Description of the event: Smart contract automation tool Gelato Network tweeted: "We have been alerted to a critical vulnerability in Sorbet Finance's G-UNI router contract. This vulnerability only affects users interacting with the Sorbet UI." Gelato Network released a security incident investigation report, saying that white hat hackers transferred a total of $27 million in assets to ensure the safety of user assets, but $744,000 of funds was still lost to a malicious MEV attack. The project stated that the vulnerability is similar to the previous dYdX vulnerability: the smart contract at risk can make arbitrary low-level calls, intended for executing transactions on 1inch, which makes exploits possible.
Amount of loss: $ 744,000 Attack method: Contract Vulnerability
Description of the event: The payment system of ONUS, the largest cryptocurrency trading platform in Vietnam, was running a vulnerable version of Log4j and suffered a cyber attack. Cyclos notified ONUS to repair the system on December 13, but it was too late. Although ONUS fixed the vulnerability in its Cyclos instance, the window of exposure allowed attackers to steal data from sensitive databases. The stolen database contained nearly 2 million user records, including KYC (Know Your Customer) data, hashed passwords, etc. Subsequently, the attacker demanded that ONUS pay a ransom of 5 million, otherwise the stolen data would be made public. On December 25, because ONUS did not pay the full ransom, the attackers put the customer data up for sale on a dark web data marketplace.
Amount of loss: - Attack method: Ransomware
Description of the event: At 8 pm on December 8, the hacker account itsspiderman used an overflow vulnerability to issue additional tripool market-making certificates in eCurve out of thin air, pledged them in PIZZA, and borrowed out most of the tokens in the protocol. Afterwards, the hacker created more than 1.3 million accounts and dispersed the stolen assets. The loss of the PIZZA protocol in this attack is equivalent to about 5 million U.S. dollars. After negotiations, the hackers agreed to a ransom of $500,000.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability
Description of the event: 8ight Finance on the Harmony chain was hacked, and $1.75 million was stolen after the private key leaked through a Google doc. The platform tweeted about the loss yesterday, and in its Discord server provided an explanation for the loss of funds: "Two developers on the team have the keys and they were sent via Facebook group chat and Google Drive. This is our first project, so we have to admit that our opsec is low."
Amount of loss: $ 1,750,000 Attack method: Private Key Leakage
Description of the event: BitMart founder and CEO Sheldon Xia tweeted to admit that a large-scale security breach occurred on the platform, and hackers were able to extract assets worth about US$150 million. The affected ETH hot wallet and BSC hot wallet hold only a small portion of the assets on BitMart, and the other wallets are safe and unaffected.
Amount of loss: $ 150,000,000 Attack method: Wallet Stolen
Description of the event: On December 3, a group of white hat hackers notified Immunefi, Polygon's bug bounty platform, of a vulnerability in the Polygon PoS genesis contract. The Polygon core team contacted the group and Immunefi's expert team and immediately began working on a fix. Validators and the full-node community were notified, and 80% of the network was upgraded without interruption within 24 hours. The upgrade was performed on December 5th at block #22156660 and did not affect the activity and performance of the network. The vulnerability has been fixed and the damage has been mitigated, with no substantial damage to the protocol and its end users. All Polygon contracts and node implementations remain fully open source. Polygon paid a total of approximately $3.46 million in bounty to the two white hats who helped discover the vulnerability. Despite our best efforts, malicious hackers were able to use this vulnerability to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.
Amount of loss: 801,601 MATIC Attack method: Contract Vulnerability
Description of the event: The decentralized organization Badger DAO was attacked by hackers, and user assets were transferred without authorization. According to the developer's initial inventory of damaged assets, 136,000 bcvxCRV, 64,000 bveCVX, 38 ibBTC/sBTC, 13 bibBTC/sBTC, and 19 DIGG have been lost in this incident.
Amount of loss: $ 120,000,000 Attack method: Malicious Code Injection Attack