123 hack event(s)
Description of the event: The SheepFarm project on the BNB chain was attacked by a vulnerability. After analysis, it was found that because the register function of the SheepFarm contract could be called multiple times, the attacker 0x2131c67ed7b6aa01b7aa308c71991ef5baedd049 used the register function multiple times to increase his own gems, and then used the upgradeVillage function to accumulate yield while consuming gems properties, and finally call the sellVillage method to convert yield to money before withdrawing money. The attack caused the project to lose about 262 BNB, about $72,000.
Amount of loss: 262 BNB Attack method: Contract vulnerabilities
Description of the event: The Ranger project on the BSC chain was an exit scam, and the Ranger token fell by 95%. The contract deployer sent the tokens to an external account, which was then sold for a profit of about $77,000. Do not confuse this project with similarly named tokens and symbols, refer to the contract address: bsc: 0xc9efd09c8170e5ce43219967a0564a9b610e5ea2.
Amount of loss: $ 77,000 Attack method: Scam
Description of the event: Rug pull occurred in the DeFiAI project, and the contract deployer made a profit of about 40 million US dollars. According to SlowMist MistTrack analysis, funds have been transferred to Fixedfloat and MEXC.
Amount of loss: $ 40,000,000 Attack method: Scam
Description of the event: The price of the Flare project has dropped by more than 95%, which is suspected to be a Rug Pull scam project. Flare token deployers and associated addresses received approximately 4 billion Flare tokens. The scam has so far made around $18.5 million.
Amount of loss: $ 18,500,000 Attack method: Scam
Description of the event: The MooCakeCTX project suffered a flash loan attack, and the attackers made a profit of $143,921. According to Fairyproof’s analysis, the suspected reason is that the contract reinvested (the earn function was not called) before the user pledged (depositAll function) without settlement of the reward, that is, when the user pledged, the contract did not settle the previous reward and conduct new investment. This will cause users to get the previous pledge dividends immediately after the pledge. After the attacker borrows 50,000 cake tokens using a flash loan in the same block, he pledges it twice in a row, and then withdraws the pledged cake tokens and returns them to make a profit.
Amount of loss: $ 143,921 Attack method: Flash loan attack
Description of the event: An address on the BNB Chain minted more than $1 billion of pGALA tokens out of thin air, and sold them through PancakeSwap to make a profit. The pGALA contract hacker has made a profit of $4.3 million. One Smart Money address arbitraged nearly $6.5 million in this attack, even more than the attacker's profit. Multi-link is tweeted by the protocol pNetwork, and the pGALA contract on the BNB Chain needs to be redeployed due to the misconfiguration of the cross-chain bridge. Huobi Global announced that it would re-list GALA after proposing that the GALA purchased after the abnormal event would be renamed pGALA, and the project party agreed to pay full compensation to the holders of the currency before the accident.
Amount of loss: $ 10,800,000 Attack method: Cross-chain bridge configuration error
Description of the event: The FITE (FTE) project is suspected of Rug pull, its website fit[.]app has been shut down, and social media has been deleted. Scammers have transferred 1900 BNB to Tornado Cash.
Amount of loss: 1900 BNB Attack method: Scam
Description of the event: The UvTokenWallet Eco Staking mining pool contract was hacked. The key reason for the vulnerability is that the mining pool contract withdrawal function does not strictly judge the user input, so that the attacker can directly pass in the malicious contract address and use the malicious contract to empty the relevant funds. SlowMist MistTrack conducted a traceability analysis of the funds: so far, hackers have transferred a total of 5,011 BNB of profit to Tornado Cash. In addition, the source of the attack fee is also Tornado Cash.
Amount of loss: 5,011 BNB Attack method: Function vulnerability
Description of the event: The PLTD project was attacked by hackers, all BUSD in its trading pool was sold out, and the attackers gained a total of 24,497 BUSD. This attack mainly exploits the code loopholes in the PLTD contract, reduces the PLTD token balance in Cake-LP (0x4397c7) to 1 through a flash loan attack, and then uses the PLTD in hand to exchange all BUSD into the attack contract .
Amount of loss: 24,497 BUSD Attack method: Flash loan attack
Description of the event: The unopened contract 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 of the MTDAO project party was attacked by a flash loan, and the affected tokens were MT and ULM, with a total profit of 487,042.615 BUSD. The attacker used the functions 0xd672c6ce and 0x70d68294 in the unopened contract to call the sendtransfer function in the MT and ULM token contracts to profit (because they are both deployed by the project party, the unopened contract 0xFaC06484 has minter permission).
Amount of loss: 487,042.615 BUSD Attack method: Flash loan attack
Description of the event: The Micro Elements (TME) project is an exit scam, with a drop of more than 95%, and about $548,600 has been stolen. BSC address 0xd631464f596e2ff3b9fe67a0ae10f6b73637f71e.
Amount of loss: $ 548,600 Attack method: Scam
Description of the event: Jumpnfinance project Rugpull, involving an amount of about 1.15 million US dollars. The attacker first calls the 0x6b1d9018() function of the 0xe156 contract to extract the user assets in the contract and store them at the attacker's address (0xd3de02b1af100217a4bc9b45d70ff2a5c1816982).
Amount of loss: $ 1,150,000 Attack method: Scam
Description of the event: BNBChain was attacked and lost more than 500 million US dollars. According to SlowMist, the hacker’s initial source of funds was ChangeNOW, and the hacker’s address has interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc. Analyst @samczsun posted a post explaining how hackers used Binance Bridge to steal BNB. The attackers stole 1 million BNB twice, but both used the height of 110217401, which is much lower than the normal height. Furthermore, the proof submitted by the attacker is shorter than the legitimate proof, showing that the attacker forged the proof for that particular block. The specific method is to add a new leaf node when the COMPUTEHASH function generates a hash, and then create a blank internal node to satisfy the prover, and exit early after finding a matching hash with the internal node. So far, only two fake verifications have been generated in this way.
Amount of loss: 2,000,000 BNB Attack method: Pseudo-authentication
Description of the event: According to official news, Transit Swap, a cross-chain trading platform aggregator supported by TokenPocket, was hacked. According to the analysis of SlowMist MistTrack, the stolen assets exceeded 28.9 million US dollars. The hacker's account address is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46. The largest attacker had returned 6,500 BNB (about $1.95 million) on October 10, and on October 13, the attackers returned 3,485 BNB (about $950,000).
Amount of loss: $ 28,900,000 Attack method: Incoming data not validated
Description of the event: The New Free Dao project on the BSC chain suffered a flash loan attack. According to SlowMist analysis, the main reason for this attack is that the way of calculating rewards in the contract is too simple, and it only depends on the balance of the caller, which leads to arbitrage by flash loans.
Amount of loss: 4,481 WBNB Attack method: Flash loan attack
Description of the event: On September 5th, DaoSwap lost 580,000 USDT in an attack that allowed users to set the inviter’s address as themselves due to mining rewards that were larger than the fees charged during the swap process and lack of verification.
Amount of loss: $ 580,000 Attack method: Lack of validation
Description of the event: Privacy project ShadowFi suffered a hack, and its official TokenSDF fell 98.5%. The attacker exploited the vulnerability of SDF to allow anyone to burn the Token, making a profit of about 1078 BNB (about $300,000), and the stolen funds have been transferred to TornadoCash.
Amount of loss: 1,078 BNB Attack method: Contract vulnerabilities
Description of the event: The attacker made a profit of $78,622 through a flash loan on BNB Chain, causing the token CUPID to plummet by more than 90%, and the token VENUS to rise by more than 300% and then fall back.
Amount of loss: 78,623 USDT Attack method: Flash loan attack
Description of the event: DDC was exploited and lost $104,600. The cause of the event is the problem of arbitrarily deducting pool fees.
Amount of loss: $ 104,600 Attack method: Deduct pool fees arbitrarily
Description of the event: Kaoyaswap on BSC appears to have been attacked, with hackers making 37,294 BUSD and 271.2 WBNB, caused by faulty logic in the Swap function.
Amount of loss: $ 118,000 Attack method: Function logic error