43 hack event(s)
Description of the event: The liquidity management protocol Gamma has been attacked, and its post-mortem indicates that there was a flaw in the deposit agent configuration. This flaw allowed the attacker to manipulate the price up to the price change threshold and mint a disproportionately high number of LP tokens.
Amount of loss: $ 6,180,000 Attack method: Price Manipulation
Description of the event: The multi-chain lending protocol Radiant Capital is suspected to have been targeted in a hacker attack, with total losses on Arbitrum ~4.5 million USD.
Amount of loss: $ 4,500,000 Attack method: Flash Loan Attack
Description of the event: The inscription project Libra Protocol on Arbitrum is suspected to have exit scammed. Currently, the project team has transferred the received mint fees to the address 0x0c12acc8e53c6ff7ab3fad5eaa97056ae950288f.
Amount of loss: $ 550,107 Attack method: Rug Pull
Description of the event: Xai, a Layer 3 solution for AAA gaming, has issued an alert about phishing that impersonates Xai, in which attackers have fraudulently obtained approximately 374 ETH, valued at approximately $845.8K.
Amount of loss: $ 845,800 Attack method: Phishing Attack
Description of the event: On November 7, TheStandard.io was exploited for ~$290k. The key vulnerability here was the low liquidity in the PAXG pool, which the attacker exploited to manipulate the market. On November 9, 243k $EUROs were returned to the protocol from the attacker, which will be burned in due course.
Amount of loss: $ 290,000 Attack method: Liquidity Exploit
Description of the event: The Beluga Protocol on Arbitrum fell victim to a flash loan attack. The attacker made a profit of approximately $175,000 by manipulating the USDT-USDC.e balance, allowing for the withdrawal of extra tokens.
Amount of loss: $ 175,000 Attack method: Flash Loan Attack
Description of the event: GMBL COMPUTER was attacked, and the attacker withdrew GMBL worth approximately US$815,000 from the contract. GMBL said: “We believe that the vulnerability is caused by a flaw in the platform’s recommendation system, which allows people to place bets without depositing any funds and use them to generate referral bonuses. We have identified the exploiter and are working to recover all funds lost due to this exploit.” The GMBL team stated that they provided a "Bug Bounty" to the attackers to return 90% of the stolen funds in exchange for a promise not to take legal action. On September 6, the attackers returned 235 ETH (approximately $382,000), which is 50% of the stolen funds.
Amount of loss: $ 815,000 Attack method: Contract Vulnerability
Description of the event: The official Twitter account of the DeFi platform Shell Protocol on Arbitrum is suspected of being stolen. It posted false news about the application of SHELL tokens and closed the comment area. Please do not interact with it. According to news, this attack seems to be due to the hacking of its founder’s SIM card, resulting in both personal Twitter and Shell Protocol’s Twitter being hacked, and the attacker is the PinkDrainer phishing gang.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Rodeo Finance, a leveraged yield protocol in the Arbitrum ecosystem, lost about $1.7 million to hackers through price oracle manipulation. About $816,000 has currently been recovered in the form of unshETH.
Amount of loss: $ 1,700,000 Attack method: Price Manipulation
Description of the event: A suspected Rug Pull occurred on the Chibi Finance project on Arbitrum, and $1 million worth of cryptocurrency was drained. The stolen funds have been converted into approximately 555 ETH and transferred to Tornado Cash after bridging from Arbitrum to Ethereum.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: The Arbitrum ecosystem project Jimbos Protocol was attacked, and about 4,090 ETH (about $7.5 million) were stolen. The attack was possible because the liquidity transfer operation lacked slippage control, so the protocol-owned liquidity was invested in a skewed/imbalanced price range, which was then used in reverse swaps for profit.
Amount of loss: $ 7,500,000 Attack method: Contract Vulnerability
Description of the event: The Arbitrum ecosystem project Swaprum carried out a Rug Pull. The price of SAPR has dropped by 100%, Swaprum has deleted its social account, and the scammer bridged 1628 ETH (about 2.94 million US dollars) to Ethereum and transferred it to Tornado Cash.
Amount of loss: $ 3,000,000 Attack method: Rug Pull
Description of the event: The stablecoin DEI launched by the DeFi protocol DEUS has been hacked, and the loss has exceeded $6.3 million. Over $5 million was lost on Arbitrum and $1.3 million on the BSC chain. This appears to be a public destroy bug. On May 7, one of the DEI hacker addresses (starting with 0xdf610228) returned about 1.07 million DAI. On May 8, DEUS tweeted to confirm that the DEI attackers had returned 2,023 ETH.
Amount of loss: $ 6,300,000 Attack method: Contract Vulnerability
Description of the event: XIRTAM, a project built on the Arbitrum ecosystem, is a reputation building platform that does not require KYC. It advocates building digital reputation step by step through the XIRTAM system in an anonymous and decentralized manner. At the same time, users can get rewards for participating in activities on XIRTAM. The project team is on the 3rd Rug Pull. However, unlike the usual practice of Rug Pull projects, the runaway XIRTAM project team did not transfer the raised 1909 ETH to a mixing service to hide its identity and the direction of the funds, but deposited all the funds in Binance. In this regard, Binance stated that the funds involved in the XIRTAM project have been frozen and that it will cooperate with law enforcement agencies to investigate.
Amount of loss: 1,909 ETH Attack method: Rug Pull
Description of the event: The Arbitrum ecosystem project Arbtomb is suspected of a Rug Pull. The scammer has bridged 54 ETH (approximately $110,000) to Ethereum, then transferred 52 ETH to Tornado Cash, and transferred 2.4 ETH to Binance.
Amount of loss: $ 110,000 Attack method: Rug Pull
Description of the event: The DeFi lending protocol Sentiment stated that the team discovered abnormal lending activities. This malicious use led to the theft of about $966,000 from Sentiment on the Arbitrum network. The root cause is the read-only reentrancy of Balancer. On April 7, Sentiment announced that it had successfully recovered more than $900,000 of the stolen funds, leaving the remaining $95,000 as a reward for the attackers.
Amount of loss: $ 966,000 Attack method: Contract Vulnerability
Description of the event: Tender.fi is suspected of being attacked by white hat hackers and lost $1.59 million. Hackers used Tender.fi’s misconfigured oracles to borrow $1.59 million worth of crypto assets with just $70 worth of GMX tokens as collateral. On March 8, on-chain data showed that the hackers who attacked the Arbitrum ecosystem lending protocol Tender.fi had returned their funds, and the Tender.fi team agreed to pay the hackers 62 ETH ($96,500) as a bounty.
Amount of loss: $ 1,590,000 Attack method: Oracle Attack
Description of the event: The Arbitrum ecosystem DEX ArbiSwap is suspected of a Rug Pull. ArbiSwap deployers minted 1 trillion ARBI before the Rug Pull, and then converted ARBI into USDC, which caused a sharp drop in ARBI in the USDC/ARBI trading pair. In the next block, a bot swapped USDC to ARBI and then traded for ETH as spatial arbitrage, making a profit of 68.47 ETH. ArbiSwap has transferred 84 ETH to the Ethereum mainnet and sent it to TornadoCash.
Amount of loss: 84 ETH Attack method: Rug Pull
Description of the event: The DeFi aggregation platform dForce was attacked on Arbitrum and Optimism, and the attackers made a profit of about 3.65 million US dollars. According to the analysis of SlowMist, the root cause of this attack is that, when removing liquidity in the wstETH/ETH pool, native tokens are transferred first and the LP tokens are burned afterwards; the attacker used the callback triggered on receiving native tokens to re-enter, manipulate the virtual price, and liquidate other users for profit. On February 13, dForce tweeted that the attackers had returned all stolen funds to the project multi-signature addresses on Arbitrum and Optimism, and all affected users would be compensated.
Amount of loss: $ 3,650,000 Attack method: Price Manipulation
Description of the event: Umami Finance, a DeFi protocol on Arbitrum, offers yield products to institutional clients. On January 31, they announced they were suspending yields, saying they were concerned about regulatory tactics. Soon after, the project CEO started dumping tokens on the market, cashing out 44,000 UMAMI tokens. These were ostensibly priced at $800,000, and although the sell-off sent UMAMI prices crashing by more than 60%, the CEO still netted around $380,000 in USDC.
Amount of loss: $ 380,000 Attack method: Rug Pull