321 hack event(s)
Description of the event: Safemoon, a DeFi protocol based on the BNB chain, was attacked, and its liquidity pool lost nearly $8.9 million. Safemoon CEO John Karony said on Twitter: "This security incident affected the SFM:BNB LP pool and other LP pools on DEX were not affected. We have located the suspected vulnerability and fixed it. " According to analysis, the recent update may have introduced a "public destruction vulnerability", which facilitated hacker attacks. The hacker was able to use code functionality to artificially inflate the price of SFM tokens, then sell enough tokens back to the liquidity pool in the same transaction, effectively draining WBNB from the contract. On April 20, the SafeMoon attacker returned 80% of the stolen funds, that is, transferred 21,804 BNB (approximately $7.2 million) to the SafeMoon vault wallet, leaving the remaining 20% as a bounty.
Amount of loss: $ 8,900,000 Attack method: Contract Vulnerability
Description of the event: The FASTSWAP (FAST) project on BNB Chain was attacked by a flash loan and lost 26.77 BNB
Amount of loss: 26.77 BNB Attack method: Flash Loan Attack
Description of the event: According to news, the Harvest_Keeper project maliciously transferred user funds, involving an amount of about 933,000 US dollars. Through the data on the chain, it was found that the attacker used the owner authority to transfer the USDT pledged by the user in the HarvestKeeper contract by calling the getAmount function, and then the attacker used the user's token authorization to the EOA account to transfer the user's funds through the EOA multiple times.
Amount of loss: $ 933,000 Attack method: Insider Manipulation
Description of the event: 80% of the funds in the liquidity pool of the DeFi project LaunchZone were suddenly drained, the price of LZ tokens fell by more than 80% from the previous value of around US$0.15 to US$0.026, and the stolen funds were about US$700,000.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: The DeFi project DND Token (DungeonSwap Token) on BSC has been utilized. The initial funds came from TornadoCash, and the attackers stole over 2,400 BNB (approximately $728,000) from Dungeonswap.
Amount of loss: $ 728,000 Attack method: Contract Vulnerability
Description of the event: The Baby Doll (BABYDOLL) project was hit by a flash loan attack, losing 25 BNB (~$7,900). BSC contract address is 0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2
Amount of loss: $ 7,900 Attack method: Flash Loan Attack
Description of the event: The project fcdep (EPMAX) on BSC was attacked by flash loan, and the loss was about 350,000 US dollars.
Amount of loss: $ 350,000 Attack method: Flash Loan Attack
Description of the event: The LianGoPay project announced on February 7 that its assets in the LGTPool pledge contract on the BNB Chain were stolen, 6,148,859 LGT reward coins were stolen, and the loss was about 1.6 million US dollars. According to analysis, the reason for the theft was that the owner administrator of LGTPool created a fake LP token pledge pool (Pool No. 3), and then the thief put a large amount of LP tokens into the pool for pledge, and obtained 6.14 million pieces LGT reward token.
Amount of loss: $ 1,600,000 Attack method: Leveraging fake LP staking pools
Description of the event: Orion Protocol, an exchange aggregation platform, suffered a reentrancy attack and lost about $3 million in assets. The attackers have transferred some of the cryptocurrency to Tornado Cash. Orion Protocol CEO Alexey Koloskov tweeted that no users suffered any losses in the incident and all users’ funds are safe, including staking, Orion Pool, bridges, and liquidity providers. Assets at risk are held in in-house brokerage accounts run by the Orion team. This problem is not caused by a flaw in the core protocol code, but may be caused by a bug in a mix of third-party libraries in its experimental and smart contracts used by private brokers.
Amount of loss: $ 3,000,000 Attack method: Reentrancy Attack
Description of the event: The BEVO NFT Art Token (BEVO) on BSC was exploited with a total loss of approximately $45,000. The root cause is that BEVO is a deflationary token, and the attacker calls the function deliver(), the value of _rTotal will decrease, which will further affect the return value of getRate() used to calculate the balance. After the attacker manipulates the token balance, he calls the function skim to transfer the increased PancakePair balance to his own account. Finally, the attacker calls the function deliver() again and exchanges the increased BEVO back to WBNB.
Amount of loss: $ 45,000 Attack method: Reward Mechanism Flaw
Description of the event: It is reported that the FFF token deployed on the BSC has an abnormal additional issue event. This event is that the administrator of the original project party purchased the additional issue through the pre-set additional issue contract, and then sold the additional issued tokens and transferred the acquired assets in part. More than US $1.03 million of FFF tokens were sold in this issue.
Amount of loss: $ 1,030,000 Attack method: Insider Manipulation
Description of the event: Thoreum Finance was hacked. According to analysis, because the transfer function of the non-open source contract 0x79fe created by the Thoreum Finance project party is suspected to have a loophole, when the from and to addresses of the transfer function are the same, due to the use of temporary variables to store the balance, the balance will double when you transfer to yourself , the attacker repeated the operation many times, and finally made a profit of 2,000 BNB, involving an amount of about 580,000 US dollars.
Amount of loss: $ 580,000 Attack method: Contract Vulnerability
Description of the event: The OMNI Real Estate Token (ORT) project on BSC was attacked. The cause of the attack is suspected to be a loophole in the contract code. The attacker’s address is: 0x9BbD94506398a1459F0Cd3B2638512627390255e, one of the attack contracts is 0x0eFfECA3dBCBcda4d5e4515829b0d42181700606, the initial gas source of the attack is FixedFloat, and the attacker made more than 236 BNB, worth about $57.
Amount of loss: $ 70,705 Attack method: Contract Vulnerability
Description of the event: RoeFinance was attacked. The victim pool (0x574f) has just been emptied, with a total loss of about $80000. This is a typical price manipulation attack.
Amount of loss: $ 80,000 Attack method: Price Manipulation
Description of the event: The price of BRA token on BNB Chain is zero. According to the analysis, the token will be taxed during the transaction, and the tax collected will be directly sent to the transaction pair, and the tax will be added twice. Under this mechanism, after many such transactions, the number of tokens in the transaction pair continues to increase. At the same time, any user can call the skim function to retrieve the extra tokens in the transaction pair, which results in the actual number of tokens exceeding its issuance limit. This BRA token attack has caused 820 WBNB losses. The address of the attacker (0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B).
Amount of loss: 820 WBNB Attack method: Taxation Mechanism Flaw
Description of the event: Mycelium, a perpetual agreement, tweeted that due to the oracle feeding problem of the ETH-USD trading pair, MLP suffered a loss of 4~6% from robot arbitrage (the current pool size is about $6.6 million, and the estimated loss is about $300,000), but the team has fixed the loophole and resumed trading. The reason for this is that due to the fact that Binance began blocking US IPs in late December, one of Mycelium's three oracle data vendors went offline, and the other vendor also seemed to have gone wrong overnight, resulting in prices relying only on Coinbase and Bitfinex. Coinciding with about 4 pm yesterday, Bitfinex's ETH-USD feed price fluctuated significantly, and the spread was extremely large, perhaps the arbitrage robot detected the spread and began to arbitrage at a higher than usual amount, resulting in a loss of MLP.
Amount of loss: $ 300,000 Attack method: Oracle Attack
Description of the event: The NimbusPlatform project on the BSC chain was attacked, and the attacker made a profit of about 278 BNB. According to the analysis of SlowMist, the main reason for this attack is that the calculation of rewards only depends on the number of tokens in the pool, which leads to being manipulated by flash loans, thereby obtaining more rewards than expected.
Amount of loss: 278 BNB Attack method: Contract Vulnerability
Description of the event: Ankr's deployer key was suspected to be leaked, and hackers minted a total of 60 trillion aBNBc. According to MistTrack analysis, some funds have been cross-chained from BSC to ETH and Polygon. The hacker used Celer Network, PancakeSwap, Multichain, deBridge, 1inch, PancakeSwap, SushiSwap, ParaSwap in the process of transferring funds, and 900 BNB has been transferred to Tornadocash so far. The Ankr team stated, “Our aBNB tokens (the proof tokens for BNB pledges) have been stolen and we are currently working with exchanges to stop trading immediately. Currently all underlying assets on Ankr pledges are safe and all infrastructure Services will not be affected."
Amount of loss: $ 5,000,000 Attack method: Private Key Leakage
Description of the event: After the attack on Ankr’s aBNBc token, an address exchanged 10 BNB for 15.5 million BUSD with the help of the Ankr vulnerability, resulting in the emptying of the Hay liquidity pool. Another user made a profit through the same method, with an income of about $3.5 million. Helio Protocol tweeted that the BNB pledged by users is safe, and the official is in close communication with the Ankr team to discuss the restart plan of aBNBc.
Amount of loss: $ 19,000,000 Attack method: The impact of the Ankr vulnerability
Description of the event: The SheepFarm project on the BNB chain was attacked by a vulnerability. After analysis, it was found that because the register function of the SheepFarm contract could be called multiple times, the attacker 0x2131c67ed7b6aa01b7aa308c71991ef5baedd049 used the register function multiple times to increase his own gems, and then used the upgradeVillage function to accumulate yield while consuming gems properties, and finally call the sellVillage method to convert yield to money before withdrawing money. The attack caused the project to lose about 262 BNB, about $72,000.
Amount of loss: 262 BNB Attack method: Contract Vulnerability