176 hack event(s)
Description of the event: On September 21st, the Linear stablecoin $LUSD appeared to be under an exploit attack. While the team investigates, do not buy LUSD, do not trade $LUSD. Liquidations are paused and user accounts are not at risk.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: On September 21st, a large amount of BNBpay liquidity was removed. The deployer profited ~$114k from this liquidity removal.
Amount of loss: $ 114,000 Attack method: Rug Pull
Description of the event: A fake "LayerZero" token on the BSC chain has had a lot of liquidity removed. The deployer removed 4,827.99 WBNB worth about $1 million. The contract address of the fake token is 0x2266362f414Bf2476C5465dc2eA953Fe2A99AE1c.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: Derivatives marketplace Thales issued an announcement that a core contributor’s PC/Metamask had been hacked and that some hot wallets acting as casual deployers ($25k) or admin bots ($10k) had been compromised. Do not interact with any Thalesmarket contracts on the BNB Chain and revoke any contracts that are pending approval. All funds are safe on Optimism, Arbitrum, Polygon and Base. Thales said that due to the attack, support for the BSC will be officially dropped.
Amount of loss: $ 35,000 Attack method: Information Leakage
Description of the event: A rug pull occurred on the Apache NFT SalesRoom (ASN) on the BNB Chain, and the deployer made a profit of about $680,000. The deployer transferred a large number of tokens to the address starting with 0xdc8, which has now dumped 1 million ASN for about $680,000 in BSC-USD.
Amount of loss: $ 680,000 Attack method: Rug Pull
Description of the event: DefiLabs on the BNB chain has exit-scammed, taking about $1.6 million. The privileged address 0xee08 drained user funds through the backdoor function withdrawFunds() in the vPoolv6 contract. DeFiLabs claimed on Twitter that the platform had “experienced unexpected issues” while it was “going through maintenance and updates.”
Amount of loss: $ 1,600,000 Attack method: Rug Pull
Description of the event: Carson, a project in the BSC ecosystem, was attacked and lost about $145,000. At present, the price of Carson tokens has dropped by 96%, and the attacker has exchanged the stolen assets for 600 BNB and transferred them to Tornado Cash. Using flash loans, the attacker repeatedly called the swapExactTokensForTokensSupportingFeeOnTransferTokens function in the 0x2bdf...341a contract (not open-source), swapped for BUSD and burned Carson in the pair, thereby repeatedly inflating the price of Carson for profit.
Amount of loss: $ 145,000 Attack method: Flash Loan Attack
Description of the event: According to SlowMist, IEGT tokens were created on BSC on July 13. Its creators "secretly minted a large number of tokens in preparation for pulling the rug". Although the project’s token supply is only 5 million tokens, this enabled the team to sell 1 billion tokens, cashing out approximately $1.14 million in USDT stablecoins. According to SlowMist, the project team used inline assembly to modify the balance of a specified address when the contract was initialized, secretly issuing a large number of tokens that other users did not know about, so that users who participated in the project were rug-pulled.
Amount of loss: $ 1,140,000 Attack method: Rug Pull
Description of the event: The Palmswap project on the BSC chain was attacked, and the attacker made a profit of more than 900,000 US dollars. According to SlowMist's analysis, the attack was possible because access control on a core function was not enabled and because the price calculation model of the liquidity token was too simple, depending only on the number of USDT tokens in the treasury and the total supply. This allowed the attacker to use flash loans to manipulate prices and obtain unexpected profits. On July 28, Palmswap tweeted that 80% of the stolen funds had been returned, and the remaining 20% was used as a bug bounty for the hackers.
Amount of loss: $ 900,000 Attack method: Flash Loan Attack
Description of the event: MetaLabz tweeted: "In order to ensure the supply we hold, we deployed an unaudited contract (token locker), but the contract has been exploited. The situation was then exacerbated by the liquidity attack, resulting in a total loss of slightly more than 400 BNB." According to analysis, the reason is that the authorization check was bypassed.
Amount of loss: 400 BNB Attack method: Contract Vulnerability
Description of the event: BNO suffered a flash loan attack on BNBChain, resulting in a loss of about $500,000 due to business logic problems. The root cause of the attack is a problem with the reward calculation mechanism in the pool that supports both NFT and ERC20 token staking. The pool has an "emergencyWithdraw" function that allows users to withdraw their ERC20 token stake immediately. Crucially, however, this function does not process or account for NFT stake records. Attackers exploited this flaw by depositing NFTs and ERC20 tokens into a pool and then executing the "emergencyWithdraw" function specifically for their ERC20 tokens. By doing so, an attacker can bypass the reward calculation check, effectively manipulating the system to their advantage. Through this manipulation, an attacker is able to clear a user's "reward debt," earn undeserved rewards, and cause significant financial damage to the mining pool and its users.
Amount of loss: $ 500,000 Attack method: Flash Loan Attack
Description of the event: GMETA on BSC has been rug-pulled, with a price drop of 96% and about $3.6 million taken. The contract creator is 0x9f02c29ad35fd20a51cd48250512a7b7feeb8ed1.
Amount of loss: $ 3,600,000 Attack method: Rug Pull
Description of the event: APEDAO on the BNB chain was attacked and the loss was approximately $7,000. The attacker transferred APEDAO to the pair contract. The APEDAO contract mistook the attacker's transfers for sell operations and gradually accumulated a value named "amountToDead". The attacker repeatedly transferred APEDAO and then used the skim function to withdraw the excess tokens. Eventually, the attacker called the godead function to destroy the APEDAO held in the pair contract, causing the token price to rise.
Amount of loss: $ 7,000 Attack method: Contract Vulnerability
Description of the event: Crypto project Encryption AI (0XENCRYPT) crashed 99% as the developers behind it exited the project. Losses total $2 million. The developer released a message citing his online gambling addiction.
Amount of loss: $ 2,000,000 Attack method: Rug Pull
Description of the event: BiSwap, a BSC cross-chain trading platform, said: "The team detected and resolved the Migrator contract vulnerability. The assets on the Biswap V2 and V3 AMM protocols are safe. The team prevents access to the migration process through the website, because the Migrator contract has been exploited. Do not try to access this contract directly. If you have not already done so, please withdraw your approval of these contracts. The results of this vulnerability are being reviewed in more detail and a report will be issued later. User funds are safe and the above vulnerability has nothing to do with AMM V2 and V3 funds." The attack has caused approximately $710,000 in damage.
Amount of loss: $ 710,000 Attack method: Contract Vulnerability
Description of the event: Shido has been exploited for ~976 $BNB (~$238.5K). The exploiter transferred 1 $BNB to Tornado Cash and bridged the stolen funds to Ethereum, subsequently transferring 125 $ETH to Tornado Cash.
Amount of loss: $ 238,500 Attack method: Unknown
Description of the event: The Ara project suffered a flash loan attack. The attackers are suspected to have made about $124,000 in BUSD. Attacker address: 0xF84efA8a9F7E68855CF17EAaC9c2f97A9d131366.
Amount of loss: $ 124,000 Attack method: Flash Loan Attack
Description of the event: Seems like @VPandaCommunity rugged for ~265K $BSC-USD. $VPC has dropped -97.4%, and the stolen funds have already been transferred to 0x33d2a4...af65.
Amount of loss: $ 265,000 Attack method: Rug Pull
Description of the event: Cross-chain money market solution Midas Capital has been hacked, causing losses of more than $600,000 after an integer rounding problem in its lending protocol (derived from a fork of the well-known Compound Finance v2 codebase) was exploited. The same issue was also exploited in the previous attack on Hundred Finance. The attacker deposited 400 BNB into Tornado Cash, and some other proceeds were bridged to Ethereum.
Amount of loss: $ 600,000 Attack method: Contract Vulnerability
Description of the event: The BSC ecosystem protocol Atlantis Loans suffered a governance attack in which attackers gained control of the contract and replaced it with a contract containing backdoor functionality to transfer user assets. Losses currently stand at approximately $1 million. The attackers created the malicious governance proposal in the GovernorBravo contract on June 7, 2023.
Amount of loss: $ 1,000,000 Attack method: Governance Attack