130 hack event(s)
Description of the event: BNBChain was attacked and lost more than 500 million US dollars. According to SlowMist, the hacker’s initial source of funds was ChangeNOW, and the hacker’s address has interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc. Analyst @samczsun posted a post explaining how hackers used Binance Bridge to steal BNB. The attackers stole 1 million BNB twice, but both used the height of 110217401, which is much lower than the normal height. Furthermore, the proof submitted by the attacker is shorter than the legitimate proof, showing that the attacker forged the proof for that particular block. The specific method is to add a new leaf node when the COMPUTEHASH function generates a hash, and then create a blank internal node to satisfy the prover, and exit early after finding a matching hash with the internal node. So far, only two fake verifications have been generated in this way.
Amount of loss: 2,000,000 BNB Attack method: Pseudo-authentication
Description of the event: According to official news, Transit Swap, a cross-chain trading platform aggregator supported by TokenPocket, was hacked. According to the analysis of SlowMist MistTrack, the stolen assets exceeded 28.9 million US dollars. The hacker's account address is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46. The largest attacker had returned 6,500 BNB (about $1.95 million) on October 10, and on October 13, the attackers returned 3,485 BNB (about $950,000).
Amount of loss: $ 28,900,000 Attack method: Incoming data not validated
Description of the event: The New Free Dao project on the BSC chain suffered a flash loan attack. According to SlowMist analysis, the main reason for this attack is that the way of calculating rewards in the contract is too simple, and it only depends on the balance of the caller, which leads to arbitrage by flash loans.
Amount of loss: 4,481 WBNB Attack method: Contract Vulnerability
Description of the event: On September 5th, DaoSwap lost 580,000 USDT in an attack that allowed users to set the inviter’s address as themselves due to mining rewards that were larger than the fees charged during the swap process and lack of verification.
Amount of loss: $ 580,000 Attack method: Lack of validation
Description of the event: Privacy project ShadowFi suffered a hack, and its official TokenSDF fell 98.5%. The attacker exploited the vulnerability of SDF to allow anyone to burn the Token, making a profit of about 1078 BNB (about $300,000), and the stolen funds have been transferred to TornadoCash.
Amount of loss: 1,078 BNB Attack method: Contract vulnerabilities
Description of the event: The attacker made a profit of $78,622 through a flash loan on BNB Chain, causing the token CUPID to plummet by more than 90%, and the token VENUS to rise by more than 300% and then fall back.
Amount of loss: 78,623 USDT Attack method: Flash loan attack
Description of the event: DDC was exploited and lost $104,600. The cause of the event is the problem of arbitrarily deducting pool fees.
Amount of loss: $ 104,600 Attack method: Deduct pool fees arbitrarily
Description of the event: Kaoyaswap on BSC appears to have been attacked, with hackers making 37,294 BUSD and 271.2 WBNB, caused by faulty logic in the Swap function.
Amount of loss: $ 118,000 Attack method: Contract Vulnerability
Description of the event: BSC DEX protocol Kaoyaswap was attacked, losing 37,294 BUSD and 271.2 WBNB. The reason for this attack is the Swap value flaw.
Amount of loss: 37,294 BUSD + 271.2 WBNB Attack method: Contract Vulnerability
Description of the event: Yield aggregator Blur Finance withdrew more than $600,000 in assets from BNB Chain and Polygon before deleting websites and social media accounts. The project, which has only been active for about a month, has amassed about 750 users on its initial BNB Chain implementation, which was announced on Polygon on August 5.
Amount of loss: $ 600,000 Attack method: Rug Pull
Description of the event: According to SlowMist, the EGD Finance project on BSC was attacked by hackers, resulting in the unexpected withdrawal of funds from its pool. The SlowMist security team analyzed this and said that this incident was because the price-feeding mechanism for calculating rewards when EGD Finance's contracts obtained rewards was too simple, resulting in the token price being manipulated by flash loans for profit.
Amount of loss: 36,000 BUSD Attack method: Price manipulation
Description of the event: Saxon James Musk has Rug Pull. Project developers suddenly sold their token share for around 1355 WBNB (~$442,000), causing the token price to plummet by over 68%.
Amount of loss: 1,355 WBNB Attack method: Rug Pull
Description of the event: DeFi project DRAC Network appeared Rug Pull, with the price of the token $TEDDY dropping 99.4%. 10,000 $BNB and 2 million $BUSD have been slowly transferred to Binance. It is said that the deployer deployed the contract and transferred a large quantity of $TEDDY to 0xdbe8ef79a1a7b57fbb73048192edf6427e8a5552, then pump and dump the price of $TEDDY.
Amount of loss: $ 4,500,000 Attack method: Rug Pull
Description of the event: Raccoon Network and Freedom Protocol are scam projects, scammers have transferred 20 million BUSD (IDO) to address 0xf800...469336.
Amount of loss: $ 20,000,000 Attack method: Scam
Description of the event: SpaceGodzilla was attacked by price manipulation and lost approximately 25,000 USDT.
Amount of loss: $ 25000 Attack method: Price Manipulation
Description of the event: SpaceGodzilla, a project on the BSC chain, was attacked by hackers with a flash loan. Hackers used flash loans to borrow large amounts of money, manipulated the price of SpaceGodzilla in the trading pool on PancakeSwap, and exploited vulnerabilities in the project for arbitrage. At present, the hacker has exchanged the 25,378.78 BUSD profited from this attack to BNB and transferred it through Tornado.Cash.
Amount of loss: 25,378.78 BUSD Attack method: Flash loan attack
Description of the event: A fake Shade Inu Token project deployer removed approximately $101,000 (424 BNB) of liquidity from the liquidity pool. After investigation, this Shade Inu Token was identified as a scam, the project launched a fake Shade Inu Token, created a WBNB/SadeIT pool with the initial 200 BNB and provided liquidity to it, so the deployer made a total profit of about $53,000 ( 224 BNB).
Amount of loss: 224 BNB Attack method: Scam
Description of the event: The pandorachainDAO project suffered a flash loan attack, resulting in a loss of assets worth about $128,000.
Amount of loss: $ 128,000 Attack method: Flash loan attack
Description of the event: The LV PLUS (Token LVP) project has been identified as a Rug Pull project. So far, the project has resulted in losses of about $1.5 million. LV PLUS claims to be affiliated with the "LV Metaverse", and the main reason for the loss, which is defined as a Rug Pull, is that the LV PLUS contract deployer sent tokens to certain wallets - these wallet addresses subsequently sold the project's tokens, causing the project's market to crash .
Amount of loss: $ 1,500,000 Attack method: Rug Pull
Description of the event: The whaleswap.finance project was attacked, and at least 5946 BUSD and 5964 USDT were lost. The reason may be that there is a problem with the K value verification of the whaleswap.finance Pair contract. Whenever the user exchanges, there is a problem with the parameter magnitude passed in the K value verification, which causes the K value verification to fail. The attacker first borrows a BSC-USD through a flash loan, and then returns the flash loan when the K value verification parameter is on the order of 10000^4. The parameter verification level used in the K value verification is 10000^2, which causes the K verification to fail.
Amount of loss: 5946 BUSD+5964 USDT Attack method: K value verification vulnerability