318 hack event(s)
Description of the event: The MooCakeCTX project suffered a flash loan attack, and the attackers made a profit of $143,921. According to Fairyproof’s analysis, the suspected cause is that the contract did not settle rewards and reinvest (the earn function was not called) before a user pledged (depositAll function); that is, when a user pledged, the contract did not settle the previous reward and make a new investment. As a result, users receive the previous pledge dividends immediately after pledging. After borrowing 50,000 CAKE tokens with a flash loan in the same block, the attacker pledged them twice in a row, then withdrew the pledged CAKE tokens and returned them to make a profit.
Amount of loss: $ 143,921 Attack method: Flash Loan Attack
Description of the event: The FITE (FTE) project is suspected of a rug pull: its website fit[.]app has been shut down and its social media accounts have been deleted. The scammers have transferred 1900 BNB to Tornado Cash.
Amount of loss: 1900 BNB Attack method: Rug Pull
Description of the event: The UvTokenWallet Eco Staking mining pool contract was hacked. The key cause of the vulnerability is that the mining pool contract's withdrawal function does not strictly validate user input, so the attacker can pass in a malicious contract address directly and use the malicious contract to drain the relevant funds. SlowMist MistTrack traced the funds: so far, the hackers have transferred a total of 5,011 BNB of profit to Tornado Cash. In addition, the source of the attack fee is also Tornado Cash.
Amount of loss: 5,011 BNB Attack method: Contract Vulnerability
Description of the event: Metaverse data platform Dataverse tweeted that it had detected hackers attacking the GEO BSC contract and reminded users not to buy GEO on BSC; any coins purchased on BNB Chain from October 19th to 22nd UTC are invalid. The attack may have been caused by the "allow unlimited minting" vulnerability in the minting function of BGEO (Binance GeoDB Coin).
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The PLTD project was attacked by hackers, all BUSD in its trading pool was sold out, and the attackers gained a total of 24,497 BUSD. The attack mainly exploits code flaws in the PLTD contract: it reduces the PLTD token balance in Cake-LP (0x4397c7) to 1 through a flash loan attack, and then uses the PLTD in hand to swap all the BUSD into the attack contract.
Amount of loss: 24,497 BUSD Attack method: Flash Loan Attack
Description of the event: The closed-source contract 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 of the MTDAO project team was hit by a flash loan attack. The affected tokens were MT and ULM, and the attacker's total profit was 487,042.615 BUSD. The attacker used the functions 0xd672c6ce and 0x70d68294 in the closed-source contract to call the sendtransfer function in the MT and ULM token contracts for profit (because all of these contracts were deployed by the project team, the closed-source contract 0xFaC06484 has minter permission).
Amount of loss: 487,042.615 BUSD Attack method: Flash Loan Attack
Description of the event: The Micro Elements (TME) project is an exit scam, with a drop of more than 95%, and about $548,600 has been stolen. BSC address 0xd631464f596e2ff3b9fe67a0ae10f6b73637f71e.
Amount of loss: $ 548,600 Attack method: Rug Pull
Description of the event: The Jumpnfinance project carried out a rug pull involving about 1.15 million US dollars. The attacker first calls the 0x6b1d9018() function of the 0xe156 contract to extract the user assets in the contract and store them at the attacker's address (0xd3de02b1af100217a4bc9b45d70ff2a5c1816982).
Amount of loss: $ 1,150,000 Attack method: Rug Pull
Description of the event: BNBChain was attacked and lost more than 500 million US dollars. According to SlowMist, the hacker’s initial source of funds was ChangeNOW, and the hacker’s address has interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc. Analyst @samczsun published a post explaining how the hackers used Binance Bridge to steal BNB. The attackers stole 1 million BNB twice, but both times used the height of 110217401, which is much lower than the normal height. Furthermore, the proof submitted by the attacker is shorter than the legitimate proof, showing that the attacker forged the proof for that particular block. The specific method is to add a new leaf node when the COMPUTEHASH function generates a hash, then create a blank internal node to satisfy the prover, and exit early after finding a matching hash with the internal node. So far, only two fake verifications have been generated in this way.
Amount of loss: 2,000,000 BNB Attack method: Pseudo-authentication
Description of the event: According to official news, Transit Swap, a cross-chain trading platform aggregator supported by TokenPocket, was hacked. According to the analysis of SlowMist MistTrack, the stolen assets exceeded 28.9 million US dollars. The hacker's account address is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46. The largest attacker had returned 6,500 BNB (about $1.95 million) on October 10, and on October 13, the attackers returned 3,485 BNB (about $950,000).
Amount of loss: $ 28,900,000 Attack method: Unchecked Input Data
Description of the event: The New Free Dao project on the BSC chain suffered a flash loan attack. According to SlowMist analysis, the main reason for this attack is that the way of calculating rewards in the contract is too simple, and it only depends on the balance of the caller, which leads to arbitrage by flash loans.
Amount of loss: 4,481 WBNB Attack method: Contract Vulnerability
Description of the event: On September 5th, DaoSwap lost 580,000 USDT in an attack. Because of a lack of verification, users could set the inviter’s address to themselves, and the mining rewards were larger than the fees charged during the swap process.
Amount of loss: $ 580,000 Attack method: Reward Mechanism Flaw
Description of the event: Privacy project ShadowFi suffered a hack, and its official token SDF fell 98.5%. The attacker exploited a vulnerability in SDF that allowed anyone to burn the token, making a profit of about 1078 BNB (about $300,000), and the stolen funds have been transferred to Tornado Cash.
Amount of loss: 1,078 BNB Attack method: Contract Vulnerability
Description of the event: The attacker made a profit of $78,622 through a flash loan on BNB Chain, causing the token CUPID to plummet by more than 90%, and the token VENUS to rise by more than 300% and then fall back.
Amount of loss: 78,623 USDT Attack method: Flash Loan Attack
Description of the event: DDC was exploited and lost $104,600. The cause of the event is the problem of arbitrarily deducting pool fees.
Amount of loss: $ 104,600 Attack method: Contract Vulnerability
Description of the event: Kaoyaswap on BSC appears to have been attacked, with hackers making 37,294 BUSD and 271.2 WBNB, caused by faulty logic in the Swap function.
Amount of loss: $ 118,000 Attack method: Contract Vulnerability
Description of the event: BSC DEX protocol Kaoyaswap was attacked, losing 37,294 BUSD and 271.2 WBNB. The reason for this attack is the Swap value flaw.
Amount of loss: 37,294 BUSD + 271.2 WBNB Attack method: Contract Vulnerability
Description of the event: Yield aggregator Blur Finance withdrew more than $600,000 in assets from BNB Chain and Polygon before deleting websites and social media accounts. The project, which has only been active for about a month, has amassed about 750 users on its initial BNB Chain implementation, which was announced on Polygon on August 5.
Amount of loss: $ 600,000 Attack method: Rug Pull
Description of the event: According to SlowMist, the EGD Finance project on BSC was attacked by hackers, resulting in the unexpected withdrawal of funds from its pool. The SlowMist security team analyzed the incident and said it occurred because the price-feed mechanism that EGD Finance's contracts used to calculate rewards was too simple, which allowed the token price to be manipulated with flash loans for profit.
Amount of loss: 36,000 BUSD Attack method: Price Manipulation
Description of the event: Saxon James Musk carried out a rug pull. The project developers suddenly sold their token share for around 1355 WBNB (~$442,000), causing the token price to plummet by over 68%.
Amount of loss: 1,355 WBNB Attack method: Rug Pull