1910 hack event(s)
Description of the event: The metaverse financial project Paraluni on the BSC chain was hacked, and the hackers made more than $1.7 million in profits. The problem lies in the depositByAddLiquidity method of the MasterCheif contract of the project side. This method does not check whether the token array parameter address[2] memory _tokens matches the LP pointed to by the pid parameter, and does not add lock when the LP amount changes.
Amount of loss: $ 1,700,000 Attack method: Reentrancy Attack
Description of the event: Fantom’s on-chain synthetic asset protocol, Fantasm Finance, posted on social media that its FTM collateral reserves had been exploited, and called on users to exchange their XFTM immediately. After exploiting the vulnerability, the hacker exchanged all the profits for ETH, and used Tornado.cash to mix coins across the chain to the Ethereum main network. According to statistics, the hacker made a profit of 1,007 ETH (about 2.73 million US dollars).
Amount of loss: 1,007 ETH Attack method: Contract Vulnerability
Description of the event: ActiveCampaign (AC), an external email marketing provider used by Unchained, was hacked last week, according to Joe Kelly, CEO of Bitcoin financial services firm Unchained Capital. Information shared with AC, including customer email addresses, usernames, account status, whether customers have active multi-signature vaults or loans using Unchained Capital, and possibly IP addresses may have flowed out without authorization. Kelly said no systems on Unchained were affected, meaning customer profile information that was never shared with AC was not leaked. Kelly added that while customer Bitcoin custody is protected by multi-signature cold storage, customers should still be aware of what's going on and be wary of phishing attacks.
Amount of loss: - Attack method: Information Leakage
Description of the event: The pledge contract (0x6912B19401913F1bd5020b3f59EE986c5792DA54) of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back. The attackers put these tokens on the market and made a profit of about 212 BNB.
Amount of loss: 212 BNB Attack method: Private Key Leakage
Description of the event: The Arbitrum-based TreasureDAO NFT trading market was exposed and discovered a vulnerability. According to SlowMist analysis, the core of this vulnerability lies in the lack of judgment that the incoming _quantity parameter is not 0 before the ERC-721 standard NFT transfer, resulting in ERC -721 Standard NFT can be transferred directly and the cost of purchasing NFT is calculated as 0 when calculating the price. Hours after it was stolen, developers confirmed that hackers had begun returning stolen “Smol Brains” and other NFTs.
Amount of loss: - Attack method: Unchecked Input Data
Description of the event: Flurry Finance’s Vault contract was hit by a flash loan attack, resulting in the theft of approximately $293,000 worth of assets in the Vault contract.
Amount of loss: $293,000 Attack method: Flash Loan Attack
Description of the event: According to OpenSea's official tweet, hackers sent phishing emails to all users' mailboxes at the same time as the OpenSea contract was upgraded. Many users mistakenly thought it was an official email and authorized the wallet, which resulted in the wallet being stolen. OpenSea co-founder and CEO Devin Finzer confirmed the phishing attack in a tweet.
Amount of loss: $ 3,400,000 Attack method: Phishing Attack
Description of the event: MOX was hacked because transferFrom Function did not check the authorization limit.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Rugdoc.io tweeted that the Fantom ecological project Gold Mine Finance has rug pull.
Amount of loss: $ 800,000 Attack method: Rug Pull
Description of the event: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, Whitehat, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward.
Amount of loss: 160.86 ETH Attack method: Contract Vulnerability
Description of the event: Hot wallets operated by TopGoal were attacked and compromised. In this hack, only the hot wallet operated by TopGoal, which manages the distribution of TopPrize rewards, was affected. All user assets including NFTs and TMTs are safe. The hackers transferred a total of 4,809,984 TMT from the TopGoal-operated hot wallet to the address 0x7F0D082D08874A57110c73a8853967e7C19D1a6e. The hackers then exchanged all those TMTs from PancakeSwap for over 2,600 BNB and used Tornado to transfer the BNB out of the address.
Amount of loss: 4,809,984 TMT Attack method: Wallet Stolen
Description of the event: The venture capital DAO organization Build Finance tweeted that the project suffered a malicious governance takeover. The malicious actors successfully controlled the Build token contract by getting enough votes, minting 1,107,600 BUILD tokens in three transactions, and spent With most of the funds in Balancer and Uniswap liquidity pools exhausted, attackers continue to take control of the balancer pools via governance contracts and drain the remaining funds including 130,000 METRIC tokens, METRIC liquidity on Uniswap and Fantom Both pools subsequently came under intense selling pressure. As it stands, attackers have full control over governance contracts, minting keys, and treasuries, and the DAO no longer controls any part of critical infrastructure.
Amount of loss: 168 ETH Attack method: Governance Attack
Description of the event: On February 14, the Titano Finance project on the BSC chain was attacked. The attackers made a total of 4,828.7 BNB, or about $190w. According to the official Titano Finance investigation, “The problem arose when we trusted a contractor to deploy the PLAY contract. Although ownership was transferred back to us after deployment, it was the same deployer wallet that allowed two days ago from our PLAY Hacking that steals all Titano in the protocol.”
Amount of loss: 4,828.7 BNB Attack method: Insider Manipulation
Description of the event: IRA Financial Trust, South Dakota’s self-directed retirement account provider, has filed a lawsuit against crypto trading platform Gemini Trust Company (Gemini), alleging huge losses to the IRA as a result of Gemini’s security glitch. In February 2022, $36 million in crypto assets held by Gemini and belonging to customer retirement accounts was stolen. The lawsuit also claims that Gemini did not have adequate safeguards to protect customers’ crypto assets, failed to freeze accounts immediately after the incident, and instead allowed criminals to continue to transfer funds from customer accounts on Gemini’s trading platform after the IRA notified Gemini Middle-to-outward transfer.
Amount of loss: $ 36,000,000 Attack method: Wallet Stolen
Description of the event: Decentralized derivatives trading platform FutureSwap tweeted that an account with around 300,000 FST reward reserves (0.3% of supply) was compromised yesterday. The credentials for this account were compromised by human error, and the attacker was able to gain access on Arbitrum and transfer the available reward FST to himself.
Amount of loss: 300,000 FST Attack method: Private Key Leakage
Description of the event: BabyMuskCoin plummeted 99%, 1,571 BNB (~$660,000) was dumped, and funds were moved to Tornado. The project team claimed to have been scammed through Telegram, but Twitter and the website were down, suspected of Rugpull.
Amount of loss: 1,571 BNB Attack method: Rug Pull
Description of the event: Dego Finance, an NFT and DeFi aggregator, announced that it was hacked, and now the DEGO liquidity on UniSwap and PancakeSwap has been exhausted.
Amount of loss: $ 10,000,000 Attack method: Private Key Leakage
Description of the event: On February 8, the LockBit ransomware group claimed to have stolen substantial customer data from cryptocurrency exchange PayBito. PayBito is a cryptocurrency exchange operated by HashCash, a global blockchain, and IT services company. Some of the stolen data is published on the group's Tor leak site. In this cyberattack, the ransomware group successfully stole a database containing personal data information from more than 100,000 customers worldwide. In addition, the group also stole some email data and password hashes, some of which can easily be decrypted. To make matters worse, the gang also managed to steal the administrator's personal data, claiming that the stolen data would be released on February 21, 2022, if the ransom is not paid.
Amount of loss: - Attack method: Ransomware
Description of the event: The QI Vesting contract on the streaming digital asset protocol Superfluid has been exploited by an attacker by passing in incorrect call data. This vulnerability allows the attacker to transfer funds from Superfluid user wallets to Polygon and exchange them for ETH.
Amount of loss: $ 13,000,000 Attack method: Contract Vulnerability
Description of the event: Meter.io's cross-chain bridge was hacked, resulting in a loss of around $4.3 million ( 1391.24945169 ETH and 2.74068396 BTC). The hacker was able to exploit a vulnerability in the deposit function, which allowed them to fake BNB or ETH transfers. Meter.io announced that Meter Passport (a cross-chain bridge extension) automatically wraps and unwraps Gas Tokens (such as ETH and BNB) for user convenience. However, the contract did not prohibit the wrapped ERC20 Token from interacting directly with the native Gas Token, nor did it properly transfer and verify the correct amount of WETH transferred from the caller address.
Amount of loss: $ 4,300,000 Attack method: Contract Vulnerability