1914 hack event(s)
Description of the event: The decentralized organization Badger DAO was attacked by hackers, and user assets were transferred without authorization. According to the developer's initial inventory of damaged assets, 136,000 bcvxCRV, 64,000 bveCVX, 38 ibBTC/sBTC, 13 bibBTC/sBTC, and 19 DIGG have been lost in this incident.
Amount of loss: $ 120,000,000 Attack method: Malicious Code Injection Attack
Description of the event: The automatic market maker protocol MonoX was hacked. In this attack, approximately US$18.2 million worth of WETH and 10.5 million US dollars of MATIC were stolen. Other stolen tokens included WBTC, LINK, GHST, DUCK, MIM and IMX. The total loss was approximately 31 million U.S. dollars.
Amount of loss: $ 31,000,000 Attack method: Price Update Issue
Description of the event: A malicious contract attacked Visor's OHM-ETH 1% LP management contract. Funds in the targeted pool were recovered by Visor just hours after the attack. The funds deposited by users into Visor are not at risk.
Amount of loss: $ 975,720 Attack method: Flash Loan Attack
Description of the event: This weekend, the biggest rug pull in Avalanche history shocked the network and its users. SDOG is the first meme coin launched on Avalanche, with a price of up to 10 million U.S. dollars, and the team admitted that they "smashed it up." On the other hand, however, what they called a "game theory experiment" went wrong. Snowdog DAO is the protocol behind the SDOG token, and as of press time, its value has lost more than 90%. This is a complex plan that involves insiders using a "key" in a smart contract that only they can access.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: Lever, a decentralized margin trading protocol based on AMM, was hit by a flash loan attack. According to the official statement, Lever Attack Contract A borrowed 2,100 BNB from PancakeSwap and deposited 2,000 BNB into Lever's BNB vault. It then borrowed 1500 BNB from Lever's BNB vault and transferred it to Lever Attack Contract B. Lever Attack Contract B deposited 1500 BNB and used it to consume 32.78 ETH, 1,068.05 BAKE, 167.25 XVS, 1,042.89 DAI, 674,360 USDT. BTC , 1,930.01 CAKE, 463.0078 DOT and 332.9184 WBNB. (Calculated at the current market price, the total loss is equal to US$652,941.949.)
Amount of loss: $ 652941.949 Attack method: Flash Loan Attack
Description of the event: The DeFi derivatives protocol dYdX released an investigation report on the deposit contract incident of November 27, stating that there had been a serious vulnerability in the agent smart contract that had been handling deposits to the dYdX exchange since November 24. At around 12:00 UTC on the 27th, the dYdX team performed a white hat hacking operation to save vulnerable user funds, totaling approximately US$2 million. These funds were sent to a non-custodial escrow contract, and only the original owner of these funds can retrieve them. However, when the dYdX team performed the white hat hacking operation, an estimated $211,000 of funds was taken by an MEV bot, and the user has now been fully compensated.
Amount of loss: $ 211,000 Attack method: Contract Vulnerability
Description of the event: SnowdogDAO, an Avalanche-based decentralized reserve memecoin, suffered a severe failure yesterday after only 8 days of operation. Snowdog created its own AMM based on Uniswap V2 to move all SDOG liquidity from DEX Avalanche Trader Joe. However, the redemption failed miserably within seconds of launch, with hundreds of users losing most of their funds.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: Optics Bridge was attacked and ownership of the multi-signature wallet was transferred. cLabs engineer Tim Moreton said that the multi-signature permission of Optics, a cross-chain communication protocol on Celo, was replaced because someone activated the Optics recovery mode on the Ethereum GovernanceRouter contract, which caused the recovery account to take over the Optics protocol and overwrite the original multi-signature permissions. Tim Moreton said that he believes the funds currently on the cross-chain bridge are not at risk. He also said that the situation occurred within 15 minutes after cLabs expelled James Prestwich. The team is currently contacting James Prestwich to find a solution, and is working to exit the recovery mode and restore the community's multi-signature governance. James Prestwich responded on Twitter that he had never had the right to activate the recovery mode and expressed regret for cLabs and Celo's damage to his reputation.
Amount of loss: - Attack method: Multi-signature permission vulnerability
Description of the event: Ploutoz Finance, a lending protocol on BSC, was attacked. Hackers made a profit of 365,000 US dollars, and the protocol suffered even greater losses. The hacker manipulated the oracle price of DOP tokens and used DOP as collateral to borrow assets such as CAKE, ETH, BTCB, etc. After that, the hackers used ParaSwap and PancakeSwap to swap the assets for BNB and then transferred it to Tornado.Cash.
Amount of loss: $ 365,000 Attack method: Price Manipulation
Description of the event: An administrator of OlympusDAO, a new algorithmic stablecoin protocol based on Ethereum, said on Discord that yesterday someone purchased OHM/DAI bonds that were considered to be closed, which allowed them to get a large discount and receive 1,697 OHM (over 1.4 million U.S. dollars) instead of 59 OHM (approximately US$50,000). After OlympusDAO discovered this incident, it immediately closed the bond contract.
Amount of loss: 1,697 OHM Attack method: Contract Vulnerability
Description of the event: DeFi protocol Formation.Fi was hit by a flash loan attack. The main reason for this incident is that the project team underestimated the impact of the fee on totalTokens when designing the function swapIn, and ignored the differences in decimal precision between different tokens.
Amount of loss: $ 100,000 Attack method: Flash Loan Attack
Description of the event: According to blockchain game developer Animoca Brands, on November 19, hackers successfully accessed the Discord account of the science fiction NFT game Phantom Galaxies and took over its server. The hacker subsequently issued a fraudulent statement claiming that the game was launching an NFT minting activity. The hacker directed users to a website, charged each user 0.1 ETH, and then sent the funds to the hacker's Ethereum address. A total of 265 ETH was sent, about 1.1 million US dollars. Animoca Brands pointed out that there is no evidence that smart contracts have been breached, and no funds have been stolen from the game or its developers or publishers.
Amount of loss: 265 ETH Attack method: Account Compromise
Description of the event: The Nerve cross-chain bridge MetaPool was attacked. This attack exploited a logic vulnerability in the fUSDT and UST MetaPool on the Nerve cross-chain bridge on BSC, causing the fUSDT and UST liquidity in the Nerve staking pool to be exhausted, and the attacker made a profit of about 900 BNB. The attacked contract code is forked from Saddle.Finance.
Amount of loss: 900 BNB Attack method: Logic Vulnerability
Description of the event: Users who provided USDM liquidity on the stablecoin trading protocol Curve suffered losses due to a "governance attack" by Mochi, the USDM stablecoin protocol. Curve has taken urgent action to avoid a wider range of losses. Previously, the Mochi project team purchased Convex's CVX tokens, voted to increase the USDM pool rewards to increase the liquidity of USDM and other assets, and then converted a large amount of USDM tokens owned by the project team into DAI after the liquidity increased. The team exchanged a total of 46 million USDM for DAI. Based on the USDM to DAI exchange rate, the loss to users who provided liquidity between USDM and other stablecoins may be close to 30-40 million U.S. dollars.
Amount of loss: $ 30,000,000 Attack method: Governance Attack
Description of the event: According to a report from BleepingComputer on November 10, the electronics retail giant MediaMarkt suffered a ransomware attack. This attack affected many MediaMarkt retail stores throughout Europe, especially those in the Netherlands. The attacker initially asked for a ransom of 240 million US dollars, which was later dropped to 50 million U.S. dollars, and demanded to be paid in Bitcoin. According to the company later, customer data is "completely secure." The company's stores are now also reopening for exchanges, returns, and repair orders.
Amount of loss: - Attack method: Ransomware
Description of the event: Robinhood, a stock and cryptocurrency trading platform, stated that on the evening of November 3, an intruder entered the company's system and stole the personal information of millions of users. Users' full names were leaked, as were the names, dates of birth and postal codes of about 310 users, and more detailed account information of about 10 users. The intruder demanded an extortion payment. The company notified law enforcement and continued to investigate the incident with the help of the external security company Mandiant. Robinhood stated that the attack had been contained. Robinhood believed that no social security numbers, bank account numbers or debit card numbers were exposed, and that the incident did not cause any economic losses to customers.
Amount of loss: - Attack method: Information Leakage
Description of the event: According to reports, a theft of funds occurred in Farmers World, a farm-type game on the WAX chain, and the amount may exceed 100 million yuan. Some players found that the game showed "Insufficient RAM" prompts, which could not be resolved even after adding WAXP. According to discussion on the official Discord: neither the project smart contract nor the WAX wallet has vulnerabilities, but the address to which users staked WAXP is not the official address of the game. It may be that a game "plug-in" script changed the users' staking address, causing users to be unable to obtain RAM resources.
Amount of loss: $ 15,700,000 Attack method: Malicious Code Injection Attack
Description of the event: The asset cross-chain bridge launched by the cross-chain protocol Synapse Protocol is suspected to have a vulnerability, and the attacker manipulated the virtual price of the nUSD Metapool, reducing it by about 12.5%. Ultimately, although the funds were withdrawn from the metapool itself, the funds were not lost. The address that took the funds from the LPs tried to move the funds through the bridge while the validators were offline, so the transaction had not yet been processed. The validators then unanimously decided not to process this transaction because it was malicious to the LPs and the entire network: as a result, ~$8.2 million in nUSD was not minted to the attacker's address on the target chain. The nUSD will be returned to the affected Avalanche LPs instead.
Amount of loss: - Attack method: Price Manipulation
Description of the event: The margin trading lending platform bZx tweeted that the private keys controlling Polygon and Binance Smart Chain (BSC) deployment appeared to have been leaked, resulting in a loss of funds. The bZx smart contract itself was not compromised, and the deployment, governance and DAO vault of Ethereum were not affected by this incident.
Amount of loss: $ 55,040,167 Attack method: Private Key Leakage
Description of the event: According to official sources, the No. 23 loan pool VesperLendbeta on the DeFi protocol RariFuse was attacked. The attacker consumed a large amount of VUSD liquidity in Uniswapv3, and created a VUSD/USDC liquidity pool to manipulate the oracle's VUSD price feed and raise the VUSD price. After borrowing a large amount of assets on VesperLend, the attacker's final profit was 3 million US dollars. At present, Vesper has officially suspended borrowing of VUSD and vVSP on the RariFuse platform, and is working closely with Rari, Year and Uniswap to investigate the full impact of the attack. The investigation results and response measures will be updated in the future.
Amount of loss: $ 3,000,000 Attack method: Oracle Attack