1909 hack event(s)
Description of the event: BurgerSwap, an automatic market maker on the BSC chain, suffered a lightning loan attack and lost nearly 7 million U.S. dollars. This attack is a problem in the BurgerSwap architecture. Since the Pair layer completely trusts the data of the PaltForm layer, it did not perform another check on its own, which led to the attack.
Amount of loss: $ 7,000,000 Attack method: Flash loan attack
Description of the event: The JulSwap of the DEX protocol and the automated liquidity protocol on the BSC chain was attacked by lightning loans, and $JULB fell more than 95% in a short time.
Amount of loss: 1,500,000 Attack method: Flash loan attack
Description of the event: MerlinLabs, the DeFi revenue aggregator, was attacked. The attack method was similar to that of PancakeBunny, which was attacked by lightning loan 5 days ago, and lost US$6.8 million.
Amount of loss: $ 6,800,000 Attack method: Flash loan attack
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain (BSC) was attacked by a lightning loan, and the currency price suffered a flash crash, with a drop of more than 99% at one time, loss of 750,000 USD.
Amount of loss: $ 750,000 Attack method: Flash loan attack
Description of the event: The official website of the DeFi protocol DeFi100 on Binance Smart Chain (BSC) is no longer accessible. Previously, Twitter user "Mr. Whale" pointed out that the project may be a scam. "About 32 million US dollars of user funds were swept away by the team. road". About 10 hours ago, the words "We lied to you, you can't do anything with us" appeared on the DeFi100 official website, and the page was subsequently deleted. The DeFi100 project website was no longer accessible. It is not yet certain whether the website was hacked or the project team itself Close the website. DeFi100 is a decentralized flexible synthetic asset index product on the Binance Smart Chain, developed by an anonymous team.
Amount of loss: $ 32,000,000 Attack method: Rug Pull
Description of the event: The DeFi protocol Bogged Finance officially stated that hackers carried out a lightning loan attack on the staking function vulnerability of BOG token contracts and withdrew 3 million US dollars from the liquidity pool. The hackers used the Pancake Pair Swap code to withdraw the pledge before the contract verification was completed. income. The official team stated that the remaining 8 million US dollars in the current liquidity pool is safe. The vulnerabilities used by hackers have been "blocked" and cannot be reused. The tools provided by Bogged Finance are still safe to use, and the team is repairing the front end. Display the problem.
Amount of loss: $ 3,000,000 Attack method: Flash loan attack
Description of the event: PancakeBunny, the DeFi revenue aggregator on Binance Smart Chain (BSC), suffered a lightning loan attack and lost 114,631.5421 WBNB and 697,245.5699 BUNNY, totaling approximately US$45 million. The price of the token BUNNY crashed from 240 US dollars at around 6:35, and once fell below 2 US dollars, with the highest drop of more than 99% at one time. The official response stated that the hacker used PancakeSwap to borrow a large amount of BNB from a flash loan attack from an external developer, and then continued to manipulate the USDT/BNB and BUNNY/BNB prices to obtain a large amount of BUNNY and sell it, resulting in a flash crash of the BUNNY price. Hackers exchanged back to BNB through PancakeSwap.
Amount of loss: $ 45,000,000 Attack method: Flash loan attack
Description of the event: On the evening of May 18, the BSC-based DeFi lending platform Venus token XVS was doubled by the giant whale. After that, XVS was used as collateral to borrow and transfer BTC and ETH worth hundreds of millions of dollars. Since then, the price of collateral XVS is large. It fell and faced liquidation, but due to insufficient liquidity in the XVS market, the system failed to liquidate in time, resulting in a huge shortfall of hundreds of millions of dollars in Venus. On the 30th, Venus officially released an article that disclosed the process and results of the incident. The survey showed that the liquidator made a profit of about 20 million U.S. dollars, and the seller made a profit of about 55 million U.S. dollars; the "scalper" made a profit of about 2 million U.S. dollars; the 0xef044 address account had a net loss of about 66 million U.S. dollars. Secondly, its address attribution is based on the Swipe escrow address used on Binance, so there is no insider trading. The agreement lost approximately $77 million due to market fluctuations. VGP will recover approximately US$77 million from the distribution fund, and formulate a community recovery plan for XVS holders and others in the form of airdrops from the distribution fund and agreement income.
Amount of loss: $ 145,000,000 Attack method: Lack of Liquidity
Description of the event: According to an official statement from on-chain options protocol FinNexus, part of FinNexus’ hardware has been attacked by malware, and an unknown hacker infiltrated the FinNexus system and managed to recover the private key of the ownership of the FNX token contract. FNX was minted, transferred or sold in large numbers in a short period of time, involving more than 300 million FNX tokens (about 7 million US dollars) in BSC and Ethereum.
Amount of loss: $ 7,000,000 Attack method: Private Key Leakage
Description of the event: The DeFi protocol bEarnFi stated that on May 16, its bVaults BUSD-Alpaca strategy was attacked, and nearly 10.86 million BUSD in the pool was exhausted. However, the remaining bvault and other pools of the platform are not at risk. At the same time, bEarnFi released a rough compensation plan, which will create a compensation fund, which will consist of the remaining savings funds, development funds, DAO funds, and part of the expenses incurred by the agreement. After that, a snapshot of the balance will be taken to deploy compensation contracts. Affected users will receive an additional 5% of their deposit amount.
Amount of loss: $ 11,000,000 Attack method: Contract Vulnerability
Description of the event: Ishii, an employee of Tokyo Sony Life Insurance Company ("Sony Life"), allegedly misappropriated US$154 million when attempting to transfer funds between the company’s financial accounts. According to court documents, Ishii changed the transfer address of a Sony Life transaction to Silvergate bank account that you control. Ishii later converted funds into more than 3879 bitcoins through Coinbase. The Coinbase set up to automatically transfer all added funds to an offline cryptocurrency cold wallet with the bitcoin address bc1q7rhc02dvhmlfu8smywr9mayhdph85jlpf6paqu. However, on December 1, after cooperating with Japanese law enforcement agencies, the FBI seized 3789.16242937 BTC in Ishii's wallet after obtaining the private key. The Tokyo Metropolitan Police Department arrested the 32-year-old Ishii on the same day and alleged In mid-May, he was charged with a fraudulent remittance of 154 million U.S. dollars.
Amount of loss: - Attack method: Insider Manipulation
Description of the event: According to previous news, starting from 11:28 UTC on May 14th, the flash.sx flash loan smart contract suffered a reentry attack vulnerability, and approximately 1.2 million EOS and 462,000 USDT were stolen. According to official sources, after EOS Nation's Lightning Loan was hacked, the project party initiated a proposal to directly change the hacker's EOS account permissions and return the assets. It is reported that the proposal initiated by the project party changed the hacker address authority to BP, which will be executed after approval.
Amount of loss: $ 11,742,000 Attack method: Reentrancy Attack
Description of the event: The DeFi pledge and liquidity strategy platform xToken was attacked, and the xBNTaBancor pool and the xSNXaBalancer pool were immediately exhausted, causing nearly $25 million in losses. The SlowMist security team analyzed that the two modules that were hacked this time were the xBNTa contract and the xSNXa contract in xToken. The two contracts were subjected to a "counterfeit currency" attack and an oracle manipulation attack.
Amount of loss: $ 25,000,000 Attack method: Oracle Attack
Description of the event: DeFi robo-advisor agreement Rari Capital stated on Twitter that its ETH fund pool had a vulnerability caused by the integration of the Alpha Finance Lab protocol, which was attacked. The rebalancer has now removed all funds from Alpha. The team stated that it is still investigating and evaluating, and a full report will be released in the future. Data shows that about 14 million U.S. dollars of funds were transferred by the attackers. The Alpha Finance team stated that the funds on Alpha Homora are safe. In this attack, the address of Rari Capital had previously attacked Value DeFi on the Binance Smart Chain.
Amount of loss: $ 14,000,000 Attack method: Contract Vulnerability
Description of the event: DeFi protocol ValueDeFi is suspected of being hacked again after being hacked on the 5th. ValueDeFi reminds users in the community, "All non-50/50 transaction pools of the project have been used. Please stop purchasing gvVALUE and vBSWAP until the project team provides a solution." It was subsequently confirmed that more than 3,000 ETH (approximately 10 million U.S. dollars) were lost.
Amount of loss: $ 10,000,000 Attack method: Contract Vulnerability
Description of the event: On May 7, 2021, Colonial Pipeline, the largest oil and gas pipeline operator in the United States, was targeted by a ransomware attack. The ransomware attack involved national critical infrastructure, which caused global shock and widespread concern. Was blackmailed to pay 5 million U.S. dollars worth of Bitcoin. Court documents show that the government recovered 63.7 bitcoins ($2.3 million).
Amount of loss: $ 2,700,000 Attack method: Ransomware
Description of the event: In response to users reporting that the official website of Hpool could not be opened, Hpool officially responded that the front end of the official website was attacked by DDOS.
Amount of loss: - Attack method: DDoS Attack
Description of the event: Value DeFi stated that at 11:22 on May 5th, the attacker reinitialized the fund pool and set the operator role to himself, and _stakeToken was set to HACKEDMONEY. The attacker controlled the pool and called governmentRecoverUnsupported (), which was exhausted. The original pledge token (vBWAP/BUSD LP). Then, the attacker removes 10839.16 vBWAP/BUSD LP and liquidity, and obtains 7342.75 vBSWAP and 205659.22 BUSD. Subsequently, the attacker sells all 7342.75 vBSWAP at 1inch to obtain 8790.77 BNB, and buys BNB and BUSD renBTC through renBridge. Converted to BTC. The attacker made a total of 205,659.22 BUSD and 8,790.77 BNB. The 2802.75 vBSWAP currently in the reserve fund and the 205,659.22 BUSD of the ValueDeFi deployer will be used to compensate all users in the pool. The remaining 4540 vBSWAP can be compensated in the following two ways. The first option is to cast 4540 vBSWAP to immediately compensate all affected users, and the other option is to cast 2270 vBSWAP to immediately compensate, and the rest will be returned to the contract within 3 months. Value DeFi emphasized that only the vStake profit sharing pool of vBSWAP in bsc.valuedefi.io has received the impression, and other fund pools and funds are in a safe state.
Amount of loss: $ 5,817,780 Attack method: Contract Vulnerability
Description of the event: The Mask Network official stated that the contract address of the second round of ITO was attacked by robots, and the address has been officially blacklisted.
Amount of loss: - Attack method: Robot attack
Description of the event: According to the SlowMist Intelligence, the Binance smart chain project Spartan Protocol was hacked and the loss amounted to about 30 million U.S. dollars. The event was due to a flaw in the calculation of liquidity shares in the protocol.
Amount of loss: $ 30,000,000 Attack method: Contract Vulnerability