323 hack event(s)
Description of the event: Lever, an AMM-based decentralized margin trading protocol, was hit by a flash loan attack. According to the official statement, Lever Attack Contract A borrowed 2,100 BNB from PancakeSwap and deposited 2,000 BNB into Lever’s BNB vault. It then borrowed 1,500 BNB from Lever’s BNB vault and transferred it to Lever Attack Contract B. Lever Attack Contract B deposited the 1,500 BNB and used it to consume 32.78 ETH, 1,068.05 BAKE, 167.25 XVS, 1,042.89 DAI, 674,360 USDT. BTC , 1,930.01 CAKE, 463.0078 DOT and 332.9184 WBNB. (Calculated at the current market price, the total loss is equal to US$652,941.949.)
Amount of loss: $ 652941.949 Attack method: Flash Loan Attack
Description of the event: Ploutoz Finance, a lending protocol on BSC, was attacked. The hacker made a profit of 365,000 US dollars, and the protocol suffered even greater losses. The hacker manipulated the oracle price of the DOP token and used DOP as collateral to borrow assets such as CAKE, ETH and BTCB. The hacker then swapped them for BNB through ParaSwap and PancakeSwap and transferred the BNB to Tornado.Cash.
Amount of loss: $ 365,000 Attack method: Price Manipulation
Description of the event: The margin trading and lending platform bZx tweeted that the private keys controlling its Polygon and Binance Smart Chain (BSC) deployments appeared to have been leaked, resulting in a loss of funds. The bZx smart contracts themselves were not compromised, and the deployment, governance and DAO vault on Ethereum were not affected by this incident.
Amount of loss: $ 55,040,167 Attack method: Private Key Leakage
Description of the event: According to reports, the BSC project SQUID, which shares its name with the popular Korean drama "Squid Game", is suspected of having carried out an exit scam or of having been attacked, with an estimated loss of 12 million USDT. According to the data, the project's official website cannot currently be opened, and all the tokens in the Pancake staking pool have been transferred to the address 0x71D934Aa2119CA3995F702f075d540f7A6b0f728 through two transactions. The hash of one of these transactions on BSC is 0xf7c9d0e5a81999f9e06fe78df7ce41da112d8bd4f2da7b16cfdbbe46c92cb6af. The address that initiated the token withdrawal transaction is 0x614826D885FF973324a5C3f43369d7C413a88aea. In addition, a trader at the address 0x1f5eabba9c56bca4a7828969b79bc87051125b31 sold SQUID tokens, moving the BNB in the Pancake trading pair to 0x71D934Aa2119CA3995F702f075d540f7A6b0f728. The initial gas for the above transactions came from the mixing service Tornado.Cash.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: The decentralized trading protocol BXH tweeted that the protocol's assets on Binance Smart Chain (BSC) had been hacked.
Amount of loss: $ 139,195,315 Attack method: Private Key Leakage
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain was attacked by hackers in a series of transactions, and the hackers made a profit of US$2 million (the protocol's loss may be even greater). Previously, AutoShark was hit by a flash loan attack in May, and the token price crashed. AutoShark responded that it would issue a new token, JAWS, to compensate affected users. After that, AutoShark was hit by a flash loan attack again in early October, and hackers made a profit of approximately US$580,000.
Amount of loss: $ 2,000,000 Attack method: Flash loan attack
Description of the event: Pancake Hunny, a DeFi protocol on BSC, was hit by a flash loan attack, and HUNNY tokens fell by about 70% in a short time. The attack transactions included 513 transfers, and gas consumption reached 19 million; a large number of the transfers were related to Alpaca tokens.
Amount of loss: - Attack method: Flash loan attack
Description of the event: My Farm Pet is suspected of having been hit by a flash loan attack, and fell 79.86% today.
Amount of loss: $ 31,424 Attack method: Flash loan attack
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain was hit by a flash loan attack. The main cause was that hackers abused the swap mining function in a series of transactions. The hackers could use flash loans to occupy most of the mining pool (to make up for swap losses/fees) while also collecting the swap fee rewards, for a total profit of 3.18 million FINS. Afterwards, the hacker exchanged the FINS for 1,388 BNB (approximately US$580,000).
Amount of loss: 3,180,000 FINS Attack method: Flash loan attack
Description of the event: Pinecone launched the staking pool for its protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 AM UTC. When the Pinecone PCT staking pool went online, the front end was built to block illegal operations, but the hacker bypassed the front-end page during the attack and called the smart contract directly from an ordinary account, depositing more PCT tokens than the account's balance, and the PCT pool incorrectly recorded the amount deposited by the user. On withdrawal, the attacker could then take out more PCT tokens. After discovering that the token price had plunged, the project team immediately suspended calls to the smart contract. The current loss is about 3.53 million PCT.
Amount of loss: 3,530,000 PCT Attack method: Compatibility Issue
Description of the event: On August 17, the DeFi project XSURGE on BSC suffered a flash loan attack. On August 16, local time, before the attack, XSURGE issued an official statement about the SurgeBNB vulnerability. Since the SurgeBNB contract cannot be changed and has been abandoned, the vulnerability cannot be patched. XSURGE said that it was not disclosing any specific details about the nature of this vulnerability, but strongly recommended that users migrate out of SurgeBNB as soon as possible, since the vulnerability could be triggered by an attacker at any time. After the announcement, XSURGE was attacked, and the attacker stole $5 million from SurgeBNB.
Amount of loss: $ 5,000,000 Attack method: Flash loan attack
Description of the event: The Neko Network, a lending protocol on the Binance Smart Chain (BSC), was attacked. The attacker used vulnerabilities in the protocol to collateralize assets in users' names and send the borrowed funds directly to the attacker’s own address. All asset pools on the Neko Network have been frozen to avoid changes and repeated attacks. Because of the time lock setting, it will take 24 hours to reopen the pools and allow users to withdraw their funds. Neko Network is a product developed by the team behind Maze Protocol, a zero-coupon money market protocol.
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
Description of the event: Wault Finance on the BSC chain was attacked, and the attacker made a profit of 930,000 US dollars. Because of design flaws in the economic model, attackers could carry out arbitrage attacks on the WaultSwapPair (BSC_USDT-WEX) pool.
Amount of loss: $ 930,000 Attack method: Flash loan attack
Description of the event: Levyathan, a crypto index protocol on the BSC chain, was attacked. According to the official event update, the hacker minted 100,000,000,000,000,000,0 billion LEV tokens, which caused the price of LEV to fall to zero. The loss from this attack was approximately USD 1.5 million. The team attributed the incident to the leak of a developer's private key.
Amount of loss: $ 1,500,000 Attack method: Private Key Leakage
Description of the event: ApeRocket, a DeFi yield farming aggregator and optimizer, released details of the flash loan attack and its compensation plan. ApeRocket's BSC version and Polygon version suffered flash loan attacks at 4:30 AM and 8:00 AM (UTC), respectively, and lost 260,000 US dollars and 1,000,000.
Amount of loss: $ 1,260,000 Attack method: Flash loan attack
Description of the event: Medium user Anonymous Dev published an article stating that the code of Rabbit Finance, a BSC ecosystem project, contains a large number of vulnerabilities and that the project may be set up for an exit scam. The vulnerabilities include: 1. The total supply of the RABBIT token is not hard-capped at 203,000,000 as the team claims; 2. The owner of Rabbit's FairLaunch can issue unlimited RABBIT tokens at any time; 3. 100% of positions can be liquidated at any time and the funds can be stolen at any time, and there is no maximum limit on the configurable protocol parameters; 4. All funds on the platform may be stolen, because Rabbit’s EOA account can upgrade the contract at any time. The team did not respond to this matter. Although the Rabbit team did not explain why the vulnerabilities existed, or admit fault outright, it was forced to at least add some restrictions on these security risks through a 24-hour Timelock.
Amount of loss: - Attack method: Rug Pull
Description of the event: The hack of the yield aggregator Merlin Lab stemmed from a logic flaw in MerlinStrategyAlpacaBNB. The contract mistakenly treats BNB transferred in by the beneficiary as mining revenue, which makes the contract issue more MERL as a reward. After repeating the operation, the attacker made a profit of 300,000 US dollars.
Amount of loss: $ 300,000 Attack method: Logic Vulnerability
Description of the event: The DeFi protocol xWin Finance, based on Binance Smart Chain, was hit by a flash loan attack. The xWin Finance token XWIN fell by nearly 90% in 24 hours. The attacker abused xWin Finance's "reward mechanism", repeatedly adding and removing liquidity to collect rewards. Under normal circumstances, because users add small amounts, the gains are small, possibly not even enough to cover the handling fees; with very large amounts of funds, however, the rewards become abnormally high.
Amount of loss: $ 281,599 Attack method: Flash Loan Attack
Description of the event: The BSC on-chain project StableMagnet carried out an exit scam, with losses of USD 24 million. On August 12, the Greater Manchester Police announced that it had arrested suspects from the StableMagnet Finance team, who had previously taken $22 million from users on BSC. The police found a large amount of stolen Ethereum on an encrypted USB drive. According to statistics, this money accounted for 90% ($22,250,000) of the stolen cryptocurrency, and it is now starting to be returned to its rightful owners.
Amount of loss: $ 1,750,000 Attack method: Rug Pull
Description of the event: Nerve Finance, a stablecoin trading platform based on the Binance Smart Chain (BSC), tweeted that the Nerve-related vaults in the yield aggregator Eleven Finance had suffered a flash loan attack. According to the analysis, the cause of the exploit is that the emergencyBurn() function does not calculate the balance correctly and does not perform the burn. On September 30th, the hackers returned approximately $4.5 million in stolen funds.
Amount of loss: $ 300,000 Attack method: Flash loan attack