34 hack event(s)
Description of the event: Hedgey Finance suffered two exploits, one on Ethereum and another on Arbitrum. The ETH attack resulted in a loss of $1.9 million, while the Arbitrum exploit led to a theft of $42.8 million in ARB tokens.
Amount of loss: $ 44,700,000 Attack method: Flash Loan Attack
Description of the event: The full-chain Web3 ecosystem xBlast, built inside Telegram, disclosed on Twitter that it had been hacked. The attacker transferred XBL tokens from its project's main wallet address and sold them for approximately 22 ETH. xBlast's proposed solution is to deploy a new XBL token and restore liquidity, promising fair compensation for all losses.
Amount of loss: $ 84,500 Attack method: Unknown
Description of the event: Lava suffered a flash loan attack, resulting in approximately $340,000 in losses. All lending markets are reportedly paused as the investigation is ongoing.
Amount of loss: $ 340,000 Attack method: Flash Loan Attack
Description of the event: On March 20th, Dolomite, a decentralized trading protocol in the Arbitrum ecosystem, was attacked due to a vulnerability in its old contracts on the Ethereum mainnet. Approximately 187 victims suffered asset losses totaling $1.8 million, including 1,245,271 USDC, 94,423 DAI, and 165.9 WETH. As of March 24th, Dolomite has recovered 90% of the assets taken by the attacker.
Amount of loss: $ 1,800,000 Attack method: Contract Vulnerability
Description of the event: The sPMM algorithm controlling the pricing of WOOFi trades on DEX WOOFi was exploited on Arbitrum. The exploit consisted of a sequence of flash loans that took advantage of low liquidity to manipulate the price of WOO in order to repay the flash loans at a cheaper price. The exploiter repeated this attack 3 times within a very short period of time, which netted about $8.75m in profits after returning the flash loans.
Amount of loss: $ 8,750,000 Attack method: Flash Loan Attack
Description of the event: The CEO of SocialFi xPET tweeted that SocialFi was attacked due to vulnerabilities related to the newly launched PvP feature, resulting in hackers stealing 91.5 ETH (approximately $25,400).
Amount of loss: $ 254,000 Attack method: Contract Vulnerability
Description of the event: Portfolio management tool Citadel.one has been attacked, resulting in a loss of approximately $93K.
Amount of loss: $ 93,000 Attack method: Unknown
Description of the event: The DeFi protocol Concentric Finance, built on the Camelot v3 protocol, has suffered a severe security breach. In an official post on social media, Concentric.fi stated that the security breach was due to a targeted social engineering attack on one of their team members holding the deployer wallet. The attacker exploited vulnerabilities to upgrade the vaults, mint new LP tokens, and subsequently drain the platform's assets.
Amount of loss: $ 1,700,000 Attack method: Social Engineering
Description of the event: The decentralized, non-custodial liquidity market protocol Rosa Finance on Arbitrum was exploited, resulting in a loss of approximately $45,000.
Amount of loss: $ 44,800 Attack method: Unknown
Description of the event: The SocialFi and GameFi platform XKingdom Tech, built on Arbitrum, has exit-scammed, resulting in approximately $1.2 million in losses. The stolen funds were bridged to Ethereum and transferred to Tornado Cash.
Amount of loss: $ 1,200,000 Attack method: Rug Pull
Description of the event: The liquidity management protocol Gamma has been attacked, and its post-mortem indicates that there was a flaw in the deposit agent configuration. This flaw allowed the attacker to manipulate the price up to the price change threshold and mint a disproportionately high number of LP tokens.
Amount of loss: $ 6,180,000 Attack method: Price Manipulation
Description of the event: Liquidity layer & AMM Chronos tweeted that its concentrated liquidity pools managed by @dyson_money have been exploited in a manner similar to the Gamma exploit. Users are advised to revoke contracts associated with these pools. This vulnerability is specific to concentrated liquidity pools, and all other V2 pools remain safe and unaffected. The rest of the funds are secure.
Amount of loss: $ 148,000 Attack method: Flash Loan Attack
Description of the event: The multi-chain lending protocol Radiant Capital is suspected to have been targeted in a hacker attack, with total losses on Arbitrum of ~4.5 million USD.
Amount of loss: $ 4,500,000 Attack method: Flash Loan Attack
Description of the event: The inscription project Libra Protocol on Arbitrum is suspected to have exit scammed. Currently, the project team has transferred the received mint fees to the address 0x0c12acc8e53c6ff7ab3fad5eaa97056ae950288f.
Amount of loss: $ 550,107 Attack method: Rug Pull
Description of the event: Xai, a Layer 3 solution for AAA gaming, has issued an alert about phishing that impersonates Xai, through which attackers have fraudulently obtained approximately 374 ETH, valued at approximately $845.8K.
Amount of loss: $ 845,800 Attack method: Phishing Attack
Description of the event: On November 7, TheStandard.io was exploited for ~$290k. The key vulnerability here was the low liquidity in the PAXG pool, which the attacker exploited to manipulate the market. On November 9, 243k $EUROs were returned to the protocol by the attacker; they will be burned in due course.
Amount of loss: $ 290,000 Attack method: Liquidity Exploit
Description of the event: The Beluga Protocol on Arbitrum fell victim to a flash loan attack. The attacker made a profit of approximately $175,000 by manipulating the USDT-USDC.e balance, allowing for the withdrawal of extra tokens.
Amount of loss: $ 175,000 Attack method: Flash Loan Attack
Description of the event: GMBL COMPUTER was attacked, and the attacker withdrew GMBL worth approximately US$815,000 from the contract. GMBL said: “We believe that the vulnerability is caused by a flaw in the platform’s recommendation system, which allows people to place bets without depositing any funds and use them to generate referral bonuses. We have identified the exploiter and are working to recover all funds lost due to this exploit.” The GMBL team stated that they provided a "Bug Bounty" to the attackers to return 90% of the stolen funds in exchange for a promise not to take legal action. On September 6, the attackers returned 235 ETH (approximately $382,000), which is 50% of the stolen funds.
Amount of loss: $ 815,000 Attack method: Contract Vulnerability
Description of the event: The official Twitter account of the DeFi platform Shell Protocol on Arbitrum is suspected of being stolen. It posted false news about the application of SHELL tokens and closed the comment area. Please do not interact with it. According to reports, this attack appears to be due to the hacking of its founder’s SIM card, which resulted in both the founder’s personal Twitter account and Shell Protocol’s Twitter account being hacked; the attacker is the PinkDrainer phishing gang.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Rodeo Finance, a leveraged yield protocol in the Arbitrum ecosystem, had about $1.7 million stolen by hackers due to price oracle manipulation; about $816,000 has so far been recovered in the form of unshETH.
Amount of loss: $ 1,700,000 Attack method: Price Manipulation