1843 hack event(s)
Description of the event: According to official sources, the loan agreement Vee.Finance officially released an explanation about the attack. The content is as follows: On September 20, the Vee.Finance team noticed multiple abnormal transfers. After further monitoring, a total of 8804.7 ETH and 213.93 BTC were stolen (total Worth more than 35 million U.S. dollars). The attacker's address is: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA. After investigation, the suspected attacker launched the attack through the above address and has obtained the stolen assets from this address. In order to ensure the safety of more users' assets, the team has suspended the platform contract and suspended the deposit and withdrawal functions. The stablecoin part is not affected by this attack.
Amount of loss: $ 35,000,000 Attack method: Contract Vulnerability
Description of the event: The DONA token auction of the Jay Pegs Auto Mart project on the SushiSwap Launchpad platform MISO was attacked. The attacker inserted malicious code into the MISO front end and changed the auction wallet address to his own wallet address. The loss has now reached 865 ETH (approximately 3.07 million). Dollar). Joseph Delong, CTO of SushiSwap, said on Twitter that the vulnerability has been fixed and that FTX and Binance have been asked to provide the attacker's KYC information, but both exchanges refused to cooperate. In addition, Joseph Delong also stated that he has reported the case to the FBI through his lawyer and reminded the project party to check whether there are similar front-end vulnerabilities. According to the Ethereum block explorer Etherscan, the attacker returned all ETH to SushiSwap. The operation was divided into two transactions, the first return 100 ETH, the second return 700 ETH, and the third return 65 ETH.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Defibox discovered an abnormal exchange situation of the EOS-EMOON trading pair at 22:00 on September 16th. After an emergency investigation, the swap contract was suspended at 0:00 on September 17th, and it was reopened on the morning of September 17th after auditing and multiple signings were completed. Swap contract. This exchange abnormality is caused by the incompatibility between the Defibox Swap contract and the EMOON contract. Before the event, the number of pots was 482636464535179.88 EMOON/4866.1494 EOS. When the contract was suspended, the EMOON pot was 5790970803030.11 EMOON/3.4553EOS, resulting in about 4863 EOS. loss. At present, the Defibox team has eliminated this type of risk caused by other burning tokens, and has upgraded the Swap contract to further improve the security of the contract. The Defibox Foundation will activate the risk reserve and pay 4863 EOS to the EMOON community.
Amount of loss: 4,863 EOS Attack method: Compatibility Issue
Description of the event: The private public chain Secret Network stated on Twitter that the main network has undergone an unplanned upgrade, from secret-2 to secret-3, to prevent major network security issues from causing financial losses. The team stated that neither the native token SCRT nor the cross-chain bridge contract were affected. Only a single smart contract was affected. The contract came from SecretSwap. A vulnerability was exploited, allowing the attacker to take away the pledged SEFI contract. funds. At present, the cross-chain bridge is still closed, and the deposit function of the exchange is also closed.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Nowswap, a decentralized exchange on Ethereum, was attacked by a flash loan. The attacker emptied Nowswap’s liquidity pool. The liquidity pool was reduced from US$1,069,197 to US$24.15. The attacker made a profit of 536,000 USDT and 158 WETH. A total of more than 1 million US dollars. The attacker used the K value verification vulnerability in the Nowswap USDT/WETH transaction pair contract to perform multiple exchanges, and each exchange obtained multiple times the normal due assets, until the assets in the trading pair pool were exhausted.
Amount of loss: $ 1,000,000 Attack method: K value verification vulnerability
Description of the event: The expansion of the Ethereum network, Arbitrum One, released a report on network failures. Beginning at 10:14 on September 14th, EST, Arbitrum One was out of service for 45 minutes, during which time the Arbitrum Sequencer was offline, and funds were never at risk. The root cause of the downtime was a bug that caused the Sequencer to get stuck when receiving a large number of transactions in a short period of time. The Arbitrum team has located the problem and deployed a fix. The team also stated that even if the Sequencer fails, it will not affect the continuous operation of the network. Users can bypass the Sequencer and submit transactions directly to Ethereum.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: The beta version of the mainnet of the public chain Solana has been unstable since 19:52 Beijing time last night, and it has been 12 hours since the Solana chain application has not been able to operate normally. According to information released by Solana Status, the Solana validator community chose to restart the network cooperatively, and the snapshot height is slot 96542804. Solana Status recommends that the verification node be updated to Mainnet-Beta 1.6.24 version. On September 21, Solana officially released a preliminary overview of the network outage on September 14. It is reported that on September 14, Solana’s network was offline for 17 hours. There was no financial loss, and the network resumed full functionality within 24 hours. The cause of network stagnation is denial of service attacks. At 12:00 UTC time, Grape Protocol launched IDO on Raydium, and transactions generated by robots congested the network. These transactions caused a memory overflow, causing many validating nodes to crash, forcing the network to slow down and eventually stop. When the verification node network cannot agree on the current state of the blockchain, the network will go offline, preventing the network from confirming new blocks.
Amount of loss: - Attack method: DDoS Attack
Description of the event: Klondike Finance was attacked by hackers, with a total loss of approximately 35,281.71 KXUSD (6.5629 WETH).
Amount of loss: 35,281.71 KXUSD Attack method: Flash loan attack
Description of the event: The Zabu Finance project on the Avalanche chain suffered a flash loan attack. Officially, the attackers withdrew 4.5 billion ZABU tokens from the Zabu Farm Contract, bringing the supply to 5 billion and dumping all of it to ZABU’s Pangolin LPs and Trader Joe LPs. According to DeFi analytics provider DeFiprime, the total was estimated at $3.2 million in exploits.
Amount of loss: $ 3,200,000 Attack method: Contract Vulnerability
Description of the event: A vulnerability in NFT marketplace OpenSea resulted in at least 42 NFTs being sent to a burn address, worth at least $100,000. The issue was first raised by Nick Johnson, lead developer of the Ethereum Name Service (ENS), who noted that when he transferred an ENS domain name (in the form of an NFT), it was transferred to a burn address. This means it was accidentally sent to an uncontrolled address and can no longer be moved. Regarding the destroyed ENS domain name, Johnson said it was the first registered ENS domain name, called rilxxlir.eth, which was held by an ENS account when Johnson registered it with personal funds. In order to transfer the ENS domain name to his own account, he went to OpenSea to perform the transfer, only to find that it had been sent to a destruction address by mistake. Since Johnson is still the controller of the ENS domain name, he can still make changes, just cannot move the domain name. Johnson then received further reports from others who were similarly affected and compiled a list of 32 affected transactions involving 42 NFTs. Most NFTs use the ERC-721 standard, but a few use ERC-1155. He looked at the floor price of each NFT, which totaled about $100,000. Johnson claims that OpenSea has now fixed the vulnerability.
Amount of loss: $ 100,000 Attack method: Contract Vulnerability
Description of the event: Twitter netizen "mhonkasalo" stated that there was a bug in the dYdX pledge contract. The user received 0 stkDYDX when pledged, the front end was disabled, and there were 64 affected addresses. Later, dYdX released the "Pledge Contract Bug" incident report. During the deployment of the upgradeable smart contract, the dYdX security module made an error, which caused the ratio of DYDX to stkDYDX to change from 1 to 0, so that users who pledged DYDX did not receive stkDYDX. dYdX stated that the error was caused by an error in the smart contract deployment process. It believed that there was no error in the code itself. The security module was previously audited by the smart contract, and based on the liquidity module design, the design was also audited. The security module is thoroughly tested before deployment. At present, user funds are safely locked in the security module until the end of the 28-day epoch, and no security module rewards are distributed and no withdrawals are possible. In order to restore the contract function, an upgrade is required. The suggested solution is to restore the security module function, allow the pledged user to retrieve the funds, and compensate the user for the wrong reward for participating in the security module.
Amount of loss: - Attack method: Contract deployment error
Description of the event: Ethereum Classic (ETC) tweeted that the ETC mainnet was forked due to previous vulnerabilities in the Ethereum client Geth. At present, most of the computing power is on the mainnet. Core-geth node operators should update to v1.12.1 or higher as soon as possible.
Amount of loss: - Attack method: Ethereum client Geth vulnerability
Description of the event: The Vesting contract of DAO Maker was attacked by hackers. DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) all use Dao Maker's distribution system, and the DAO Maker contract is attacked when the holder is issued (SHO) in DAO Maker , That is, there is a loophole in the distribution system of SHO participants: init is not initialized protection, the attacker initializes the key parameters of init, and changes the owner at the same time, and then steals the target token through emergencyExit and exchanges it into DAI, attacking The final profit of nearly 4 million U.S. dollars.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: A user claimed on Twitter that he had mistakenly entered an NFT auction scam and was taken away by an art website worth 336,000 US dollars of Ethereum. However, the development of the story is somewhat unexpected, because the other party returned 100 ETH in full. In this scam, the victim reported that he inquired about the NFT auction on Monday from a certain population on Discord, and then he thought he was lucky enough to win the bid for the first NFT on the website and paid 100 ETH (about 336,000 US dollars) for this. ). However, according to a BBC report on Tuesday, a hacker exploited a security hole in the artist Banksy's website and set up a web page (banksy.co.uk/NFT) to sell so-called non-fungible tokens (NFT). In the end, although the hacker returned the money, the user still lost $5,000 in transaction fees.
Amount of loss: $ 5,000 Attack method: Phishing attack
Description of the event: The Tomb Finance token TOMB, an algorithmic stablecoin project linked to the Fantom ecosystem and FTM, had the biggest drop of 77% yesterday, and was suspected of being attacked by the community. In this regard, Tomb Finance stated that it used to collect service fees when selling TOMB. The mechanism Gatekeeper was used by a third party, which led to panic selling, but the project was not attacked and no funds were stolen.
Amount of loss: - Attack method: Fee Collection Mechanism Flaw
Description of the event: OpenZeppelin released a bug fix analysis. Whitehat Zb3 submitted a serious reentrant vulnerability in OpenZeppelin's TimelockController contract on August 21, 2021, which affected a project hosted on the Immunefi vulnerability bounty platform. The project chose to remain anonymous and has paid an undisclosed amount (including an anonymous bonus) to White Hat. OpenZeppelin paid White Hat a bonus of $25,000 to recognize their contribution to community security and released a patch. As far as it knows, this is the only serious vulnerability that OpenZeppelin has in its open source smart contract library. The vulnerability has been patched in the affected projects, and OpenZeppelin has released an updated contract version to fix the vulnerability. All projects that use TimelockController should be migrated.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The mortgage lending platform Cream Finance had a flash loan attack. In its post-mortem analysis report on the flash loan attack, it stated that a total of 460 million AMP tokens and 2804 ETH (worth approximately US$34 million at the time) were stolen from the vulnerability and promised 20% of all agreed fees will be used for repayment until it is fully repaid. This security incident has a major vulnerability attacker and an imitator. On October 4, according to a Cointelegraph report, DeFi security agency Lossless has assisted in recovering the stolen 5152.6 ETH worth nearly $16.7 million.
Amount of loss: $ 2,300,000 Attack method: Flash loan attack
Description of the event: The Bilaxy exchange tweeted that the hot wallet was hacked and lost approximately 296 tokens (including ETH).
Amount of loss: $ 21,709,378 Attack method: Wallet Stolen
Description of the event: The DeFi pledge and liquidity strategy platform xToken, which suffered a lightning loan attack, released an analysis report on the vulnerability of the xSNX contract. At 4:43 UTC on August 29th, a vulnerability in the xSNX contract was exploited, and the holder's loss was estimated to be 4.5 million U.S. dollars. xToken believes that it is best to stop providing xSNX products at this time. xToken stated that it will no longer use the xSNX contract for SNX pledge.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: Polkadot Eco DeFi revenue aggregator Dot.Finance suffered a lightning loan attack. Dot.Finance's token PINK plummeted 35% in a short time, from 0.77 USD to approximately 0.5 USD. The attacker made a profit of 900.89 BNB (approximately $429,724 in total).
Amount of loss: $429,724 Attack method: Flash loan attack