15 hack event(s)
Description of the event: According to an official tweet from Avalanche, their Discord server has been compromised. The official team advises users not to click on any links until the situation is fully resolved.
Amount of loss: - Attack method: Account Compromise
Description of the event: On July 23, an attacker exploited a misconfiguration to gain access to $1 million from 13 different Prime accounts. This misconfiguration allowed the attacker to illegitimately transfer ownership of the Prime accounts to their own address, enabling them to repay loans and withdraw collateral. On July 24, the attacker returned $900,000.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: On February 23rd, the Avalanche mainnet experienced block production interruptions. Addressing this issue, Ava Labs co-founder Kevin Sekniqi stated on Twitter that the problem appears to be a gossip-related mempool management error, which is purely a code-related issue, not a performance handling problem. It seems that inscriptions have reached an edge case, but they did not affect performance. The mainnet downtime issue appears to be related to an edge-case bug in mempool processing, and bug fix testing is currently underway on the Avalanche testnet. On February 24th, Ava Labs engineering lead Patrick O'Grady tweeted that nodes need to be upgraded to AvalancheGo version 1.11.1, which disables the logic added in v1.10.18 that caused validators to send excessive amounts of gossip to each other. Avalanche Validators provision a stake-weighted bandwidth allocation for each peer, and this flawed logic led each node to saturate their allocation with useless transaction gossip. This dynamic prevented pull queries issued by validators from being processed in a timely manner and resulted in consensus stalling.
Amount of loss: - Attack method: Logic Vulnerability
Description of the event: On October 12th, the stablecoin trading project Platypus Finance appeared to have been hit by a suspected hacker attack, with total losses of around $2.2 million. Platypus Finance tweeted, "Due to suspicious activities in our protocol, we have taken the proactive measure of temporarily suspending all pools. Further updates will be communicated to the community in a timely manner." On October 13, Platypus Finance tweeted that it had recovered around 50k sAVAX and 7k AVAX from one of the exploiters successfully. On October 17, Platypus Finance announced that 90% of the stolen funds have been returned and that the net loss has been reduced to approximately 18,000 AVAX.
Amount of loss: $ 2,200,000 Attack method: Unknown
Description of the event: According to SlowMist, Stars Arena appeared to have been stolen due to a major security breach in its smart contract. Currently, the hacker has transferred 266,103 AVAX to the address (0xa2Eb...ad7A). The address (0xa2Eb...ad7A) transferred 50.32 AVAX to FixedFloat on October 6. On October 12, Stars Arena tweeted that they have recovered approximately 90% of the lost funds. An agreement has been reached with the hacker to return the funds, with a 10 percent bounty and 1,000 AVAX lost in the cross-chain bridge. 266,104 AVAX were lost, and the hacker returned 239,493 AVAX in two transactions. 27,610 AVAX were paid as a bounty.
Amount of loss: $ 2,900,000 Attack method: Reentrancy Attack
Description of the event: The Avalanche project Platypus has been attacked again. According to the analysis of SlowMist, since the price difference between the two pools was not taken into account during the token exchange via CoverageRatio, it resulted in users being able to arbitrage by depositing USDC and then withdrawing more USDT. Arbitrageurs have arbitraged around 50,000 USDC in this way.
Amount of loss: $ 50,000 Attack method: Arbitrage attack
Description of the event: The stablecoin trading project Platypus encountered a flash loan attack on AAVE, resulting in a total asset loss of approximately $9 million. According to the analysis, the vulnerability seems to lie in the verification of the MasterPlatypusV4 contract by the emergencyWithdraw function, which will only fail when the borrowed assets exceed the borrowing limit. The function then proceeds to transfer all of the user's deposit assets regardless of the value of the user's borrowed assets. On Feb. 18, The Block reported that at least $2.4 million has been recovered with the help of security firms after the Platypus hack.
Amount of loss: $ 9,000,000 Attack method: Flash Loan Attack
Description of the event: On December 23, Defrost Finance V2, the Avalanche ecological native stablecoin project, was attacked by a flash loan, and the hackers made a profit of $173,000. On December 25th, Defrost Finance V1 went wrong again, hackers managed to steal the owner’s key, the protocol was added with fake collateral tokens, and a malicious price oracle was used to liquidate current users, with losses estimated at more than $12 million. On December 27, the hackers who carried out the attack on Defrost Finance V1 have returned the stolen funds.
Amount of loss: $ 12,173,000 Attack method: Private Key Leakage
Description of the event: The project Nereus Finance on AVAX was attacked. The attacker made a profit of about 371,000 USDC by using the classic flash loan attack mode, namely "flash loan -> skew reserve -> fake LP token pricing -> repay the flash loan".
Amount of loss: 371,000 USDC Attack method: Flash Loan Attack
Description of the event: Avalanche lending protocol Blizz Finance tweeted that Chainlink suspended LUNA oracles, allowing several attackers to deposit millions of LUNA and borrow all collateral at $0.1 per Chainlink oracle. Due to the timelock mechanism, the protocol assets are exhausted before the team is suspended. According to DeFi Llama data, the agreement’s TVL was $8.28 million yesterday, and it is now 0.
Amount of loss: $ 8,300,000 Attack method: Oracle Attack
Description of the event: This weekend, the biggest rug pull in Avalanche history shocked the network and its users. SDOG is the first meme coin launched on Avalanche, with a price of up to 10 million U.S. dollars, and the team admitted that they "smashed it up." On the other hand, however, what they called a "game theory experiment" went wrong. Snowdog DAO is the protocol behind the SDOG token, and as of press time, its value has lost more than 90%. This is a complex plan that involves insiders using a "key" in a smart contract that only they can access.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: SnowdogDAO, an Avalanche-based decentralized reserve memecoin, suffered a severe failure yesterday after only 8 days of operation. Snowdog created its own AMM based on Uniswap V2 to move all SDOG liquidity from DEX Avalanche Trader Joe. However, the redemption failed miserably within seconds of launch, with hundreds of users losing most of their funds.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: Avalanche ecological stability income aggregation agreement Avaterra Finance was attacked by hackers. The security company Rugdoc analyzed that the contract of the agreement is a fork of Goose, but their token contains custom elements, and anyone can call its minting function. In the end, the hacker called the contract and minted and dumped thousands of tokens.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: According to official sources, the loan agreement Vee.Finance officially released an explanation about the attack. The content is as follows: On September 20, the Vee.Finance team noticed multiple abnormal transfers. After further monitoring, a total of 8804.7 ETH and 213.93 BTC were stolen (total Worth more than 35 million U.S. dollars). The attacker's address is: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA. After investigation, the suspected attacker launched the attack through the above address and has obtained the stolen assets from this address. In order to ensure the safety of more users' assets, the team has suspended the platform contract and suspended the deposit and withdrawal functions. The stablecoin part is not affected by this attack.
Amount of loss: $ 35,000,000 Attack method: Contract Vulnerability
Description of the event: The Zabu Finance project on the Avalanche chain suffered a flash loan attack. Officially, the attackers withdrew 4.5 billion ZABU tokens from the Zabu Farm Contract, bringing the supply to 5 billion and dumping all of it to ZABU’s Pangolin LPs and Trader Joe LPs. According to DeFi analytics provider DeFiprime, the total was estimated at $3.2 million in exploits.
Amount of loss: $ 3,200,000 Attack method: Contract Vulnerability