1861 hack event(s)
Description of the event: NFT project Bored Bunny is suspected of being a Rug Pull project. Some netizens said that 2,000 ETH raised have been transferred out, and some of them have been transferred to Binan. In addition, this address had similar behavior 1-2 months ago, associated with 2 NFT items that almost went to zero. Currently Bored Bunny's Discord has turned off all people all channels to speak.
Amount of loss: 2,000 ETH Attack method: Rug Pull
Description of the event: Arbix Finance ran away, taking away more than 10 million US dollars. Arbix Finance bills itself as an arbitrage project on BSC, where users can deposit funds in a single asset vault in order to "get the best return with low risk". Starting at around 3 am on January 4, the project siphoned users’ funds from the treasury and deleted their websites, Twitter and Telegram accounts.
Amount of loss: $ 10,000,000 Attack method: Rug Pull
Description of the event: Solana was down for 4 hours on January 4th, however, Solana.Status showed no problems with the network. The Solana blockchain suffered its third incident in just a few months, resulting in network congestion and failed transactions, with users debating whether it was caused by another DDos attack or just a network issue. Anatoly Yakovenko, co-founder of Solana Labs, denied there was a DDoS attack this time around.
Amount of loss: - Attack method: DDoS Attack
Description of the event: An attack occurred at Tinyman Pools on January 1 /2, algorand-based automated market maker (AMM) Tinyman tweeted. The attack exploits a previously unknown hole in the contract and allows the attacker to extract assets from a pool to which he has no access. So far, attacks have been executed on multiple pools, but not all of them have been attacked.
Amount of loss: $ 2,000,000 Attack method: Contract Vulnerability
Description of the event: Vesper Finance tweeted that its No. 23 lending pool Vesper Lend beta launched on the interest rate agreement Fuse has been attacked again. The attacker manipulated an oracle and depleted the beta test borrowing pool of DAI, ETH, WBTC, and USDC of approximately $1 million. This is not an attack on the Vesper contract, no VSP or VVSP is threatened. Vesper has banned the lending of all tokens in Beta Vesper Lend Rari Pool #23, and also switched the oracle from VUSD/USDC to VUSD/ETH (Uni v3). Prior to this, the Vesper Lend loan pool on Rari Fuse was attacked, and the attacker made a profit of 3 million US dollars.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: SashimiSwap was attacked due to a logic error in the swap function, and the attacker finally made a profit: 6,261.304 uni, 4,466,096 Sashimi and 63,762 usdt, nearly $200,000.
Amount of loss: $ 200,000 Attack method: Contract Vulnerability
Description of the event: On December 28th, according to Twitter user coby.eth, a fake MetaMask governance token was created and launched on the DEXTools platform. The creator of the token used malicious code to make users browse the token information, and a pop-up interface showed that the MASK Token was verified and displayed A forged platform verification mark (blue certification symbol) is displayed. coby.eth stated that after the transaction volume exceeded US$1 million, the token was transformed into a "Pixiu plate", and users could only buy but not sell. According to browser data, the total transaction volume of this "Pixiu Pan" MASK Token is close to 10 million U.S. dollars, with a total of 642 related transactions and close to 400 addresses.
Amount of loss: $ 10,000,000 Attack method: Scam
Description of the event: The assets of MetaSwap, a project on the BSC chain, were transferred. The total amount of stolen funds of 1100 BNB was transferred to the Tornado.cash wallet (BSC version), and the price of MGAS tokens fell by 46.99%. All official accounts related to Metaswap - including Twitter , Instagram and Medium - all deleted.
Amount of loss: 1,100 BNB Attack method: Rug Pull
Description of the event: MetaDAO took a Rug Pull, took away the funds (800 ETH, about 3.2 million US dollars), and has been transferred to Tornado.cash mixed currency. MetaDAO's website is currently unavailable due to suspension.
Amount of loss: 800 ETH Attack method: Rug Pull
Description of the event: The NFT project Monkey Kindom stated that hackers stole $1.3 million in SOL from the community through a security breach in discord. The hacker first attacked Grape, the solution to authenticate users on Solana, and took advantage of the vulnerability to take over an administrative account that posted a phishing link in the announcement channel of Monkey Kindom discord.
Amount of loss: $ 1,300,000 Attack method: Account Compromise
Description of the event: Uniswap V3 liquidity management protocol Visor Finance was hacked again. Hackers took advantage of the loopholes to withdraw more than 8.8 million VISRs and sold them on Uniswap, causing the VISR tokens to plummet by nearly 95% and profit over 120 ETH through Tornado Cash. Money laundering. According to SlowMist analysis, this attack is due to a flaw in the RewardsHypervisor contract when checking the permissions of the user's recharge, causing the attacker to construct a malicious contract to arbitrarily cast mortgage credentials. Prior to this June, Visor Finance was also hacked and lost more than US$500,000.
Amount of loss: 120 ETH Attack method: Contract Vulnerability
Description of the event: The staking and yield farming platform Bent Finance tweeted that the Bent Deployer wallet upgraded the curve pool contract from November 30, 2021 to 2021 01:09:27 PM +UTC, and the exploiter added a malicious contract that made cvxcrv and cvxcrv and The mim pool is able to hardcode user balances and then deploy another contract to mask it. The attackers stole a total of 513,000 cvxcrv LP tokens. Bent Finance later updated the incident report saying that with the help of two white hat hackers, the team analyzed the incident and concluded: "This was actually the work of an 'inside member'. After several days of hacking, the attackers finally agreed to return the funds to the following multisig address: 0xaBb8B277F49de499b902A1E09A2aCA727595b544. The attackers sold off (now bounced back) and sent us ETH and DAI, there was a slight shortfall in returning funds, but we've fixed that. So far, we have raised another 200,000 cvxcrv (~$1 million) from the community to help fill the gap. "The official said that the vulnerability has been fixed to ensure that such incidents do not occur again.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A Discord server run by Fractal in the recently launched game NFT market was hacked. The hacker defrauded 373 members of 800 Solana cryptocurrencies worth US$150,000. The startup said in its announcement that it will compensate the victims in full.
Amount of loss: $ 150,000 Attack method: Account Compromise
Description of the event: The Discord server run by Fractal, a gaming NFT marketplace, was hacked, a fake Discord bot disguised as an official posted a fake minting link in Fractal's "#announcements" channel, and nearly 3,500 people fell victim to it, losing nearly 600,000 Dollar. In its announcement, the company said it would fully compensate victims of the hack.
Amount of loss: $ 600,000 Attack method: Account Compromise
Description of the event: According to official sources, GrimFinance, a compound income platform on the Fantom chain, suffered a lightning loan attack, and the current loss has exceeded 30 million U.S. dollars. The attacker uses the function named "beforeDeposit()" in GrimFinance's vault strategy to attack and enter the malicious Token contract.
Amount of loss: $ 30,000,000 Attack method: Flash Loan Attack
Description of the event: The data on CoinMarketCap's website flashed bugs, and the quotes of multiple cryptocurrencies were wrong.
Amount of loss: - Attack method: Data error
Description of the event: At 5:21 (UTC+8) on December 15, 2021, the WePiggy-OEC agreement made a short-term error in the CHE oracle, which caused the price of CHE in WePiggy to be much higher than the market price, resulting in abnormal liquidation for users who borrowed CHE assets. Calculated at the price at the time of the incident, the total loss of user assets is approximately US$400,000.
Amount of loss: $ 400,000 Attack method: Abnormal liquidation
Description of the event: Chain game project Vulcan Forged officially tweeted that 148 wallets holding PYR were hacked, and more than 4.5 million PYR had been stolen. It then stated: Most of the PYR has been returned from the treasury to the affected wallets.
Amount of loss: $ 102,820,974 Attack method: Private Key Leakage
Description of the event: On December 13, the DeFi platform Definer oracle was attacked. This incident was caused by the problem of Definer’s implementation of the oracle in OEC. It used the token balance of a single liquidity pool at a point in time as the price source, which led to the accident. The implementation of Ethereum used ChainLink’s The oracle does not have this problem.
Amount of loss: 30,765 CHE Attack method: Oracle Attack
Description of the event: Dharma Wallet officially tweeted that there was a downtime. After Dharma updated Twitter, it said that it has returned to normal and all funds are safe.
Amount of loss: - Attack method: Downtime