176 hack event(s)
Description of the event: The Baby Doll (BABYDOLL) project was hit by a flash loan attack, losing 25 BNB (~$7,900). The BSC contract address is 0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2
Amount of loss: $ 7,900 Attack method: Flash Loan Attack
Description of the event: The project fcdep (EPMAX) on BSC was hit by a flash loan attack, with a loss of about 350,000 US dollars.
Amount of loss: $ 350,000 Attack method: Flash Loan Attack
Description of the event: The LianGoPay project announced on February 7 that its assets in the LGTPool pledge contract on the BNB Chain were stolen: 6,148,859 LGT reward tokens were taken, a loss of about 1.6 million US dollars. According to analysis, the owner (administrator) of LGTPool created a fake LP token pledge pool (Pool No. 3), after which the thief pledged a large amount of LP tokens into that pool and obtained 6.14 million LGT reward tokens.
Amount of loss: $ 1,600,000 Attack method: Leveraging fake LP staking pools
Description of the event: Orion Protocol, an exchange aggregation platform, suffered a reentrancy attack and lost about $3 million in assets. The attackers have transferred some of the cryptocurrency to Tornado Cash. Orion Protocol CEO Alexey Koloskov tweeted that no users suffered any losses in the incident and all users’ funds are safe, including staking, Orion Pool, bridges, and liquidity providers. The assets at risk were held in in-house brokerage accounts run by the Orion team. The problem was not caused by a flaw in the core protocol code, but may have been caused by a bug in a mix of third-party libraries in its experimental and smart contracts used by private brokers.
Amount of loss: $ 3,000,000 Attack method: Reentrancy Attack
Description of the event: The BEVO NFT Art Token (BEVO) on BSC was exploited with a total loss of approximately $45,000. The root cause is that BEVO is a deflationary token: when the attacker calls the function deliver(), the value of _rTotal decreases, which in turn affects the return value of getRate() used to calculate balances. After manipulating the token balance, the attacker calls the function skim to transfer the increased PancakePair balance to his own account. Finally, the attacker calls the function deliver() again and exchanges the increased BEVO back to WBNB.
Amount of loss: $ 45,000 Attack method: Reward Mechanism Flaw
Description of the event: It is reported that the FFF token deployed on BSC had an abnormal additional issuance event. The administrator of the original project team purchased the additional issuance through a pre-set additional issuance contract, then sold the additionally issued tokens and transferred part of the acquired assets. More than US $1.03 million of FFF tokens were sold in this issuance.
Amount of loss: $ 1,030,000 Attack method: Insider Manipulation
Description of the event: Thoreum Finance was hacked. According to analysis, the transfer function of the non-open-source contract 0x79fe created by the Thoreum Finance project team is suspected to have a vulnerability: when the from and to addresses of the transfer function are the same, the balance doubles on a transfer to yourself because temporary variables are used to store the balance. The attacker repeated the operation many times and finally made a profit of 2,000 BNB, an amount of about 580,000 US dollars.
Amount of loss: $ 580,000 Attack method: Contract Vulnerability
Description of the event: The OMNI Real Estate Token (ORT) project on BSC was attacked. The cause of the attack is suspected to be a loophole in the contract code. The attacker’s address is: 0x9BbD94506398a1459F0Cd3B2638512627390255e, one of the attack contracts is 0x0eFfECA3dBCBcda4d5e4515829b0d42181700606, the initial gas source of the attack is FixedFloat, and the attacker made more than 236 BNB, worth about $57.
Amount of loss: $ 70,705 Attack method: Contract Vulnerability
Description of the event: RoeFinance was attacked. The victim pool (0x574f) has just been emptied, with a total loss of about $80,000. This is a typical price manipulation attack.
Amount of loss: $ 80,000 Attack method: Price Manipulation
Description of the event: The price of the BRA token on BNB Chain is zero. According to the analysis, the token is taxed during each transaction, the tax collected is sent directly to the trading pair, and the tax is added twice. Under this mechanism, after many such transactions, the number of tokens in the trading pair keeps increasing. At the same time, any user can call the skim function to retrieve the extra tokens in the trading pair, which results in the actual number of tokens exceeding the issuance limit. This BRA token attack has caused a loss of 820 WBNB. The attacker's address is 0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B.
Amount of loss: 820 WBNB Attack method: Taxation Mechanism Flaw
Description of the event: Mycelium, a perpetual protocol, tweeted that due to an oracle price feed problem with the ETH-USD trading pair, MLP suffered a loss of 4~6% to arbitrage bots (the current pool size is about $6.6 million, and the estimated loss is about $300,000), but the team has fixed the issue and resumed trading. The cause was that, because Binance began blocking US IPs in late December, one of Mycelium's three oracle data vendors went offline, and another vendor also seemed to have gone wrong overnight, leaving prices relying only on Coinbase and Bitfinex. At about 4 pm yesterday, Bitfinex's ETH-USD feed price fluctuated significantly and the spread became extremely large; arbitrage bots may have detected the spread and begun arbitraging at higher than usual amounts, resulting in the loss to MLP.
Amount of loss: $ 300,000 Attack method: The oracle price problem
Description of the event: The NimbusPlatform project on the BSC chain was attacked, and the attacker made a profit of about 278 BNB. According to the analysis of SlowMist, the main reason for this attack is that the reward calculation depends only on the number of tokens in the pool, which allows it to be manipulated with flash loans to obtain more rewards than expected.
Amount of loss: 278 BNB Attack method: Contract Vulnerability
Description of the event: Ankr's deployer key is suspected to have been leaked, and hackers minted a total of 60 trillion aBNBc. According to MistTrack analysis, some funds have been transferred cross-chain from BSC to ETH and Polygon. In the process of transferring funds the hacker used Celer Network, PancakeSwap, Multichain, deBridge, 1inch, SushiSwap, and ParaSwap, and 900 BNB has been transferred to Tornado Cash so far. The Ankr team stated, “Our aBNB tokens (the proof tokens for BNB pledges) have been stolen and we are currently working with exchanges to stop trading immediately. Currently all underlying assets on Ankr pledges are safe and all infrastructure services will not be affected.”
Amount of loss: $ 5,000,000 Attack method: Private Key Leakage
Description of the event: After the attack on Ankr’s aBNBc token, an address exchanged 10 BNB for 15.5 million BUSD with the help of the Ankr vulnerability, emptying the Hay liquidity pool. Another user profited through the same method, with an income of about $3.5 million. Helio Protocol tweeted that the BNB pledged by users is safe and that the team is in close communication with the Ankr team to discuss the restart plan for aBNBc.
Amount of loss: $ 19,000,000 Attack method: The impact of the Ankr vulnerability
Description of the event: The SheepFarm project on the BNB chain was attacked through a vulnerability. Analysis found that because the register function of the SheepFarm contract could be called multiple times, the attacker 0x2131c67ed7b6aa01b7aa308c71991ef5baedd049 called the register function repeatedly to increase his own gems, then used the upgradeVillage function to accumulate yield while consuming gems, and finally called the sellVillage method to convert yield to money before withdrawing it. The attack caused the project to lose about 262 BNB, about $72,000.
Amount of loss: 262 BNB Attack method: Contract Vulnerability
Description of the event: The Ranger project on the BSC chain was an exit scam, and the Ranger token fell by 95%. The contract deployer sent the tokens to an external account, which then sold them for a profit of about $77,000. Do not confuse this project with similarly named tokens and symbols; refer to the contract address: bsc: 0xc9efd09c8170e5ce43219967a0564a9b610e5ea2.
Amount of loss: $ 77,000 Attack method: Rug Pull
Description of the event: A rug pull occurred in the DeFiAI project, and the contract deployer made a profit of about 40 million US dollars. According to SlowMist MistTrack analysis, funds have been transferred to Fixedfloat and MEXC.
Amount of loss: $ 40,000,000 Attack method: Rug Pull
Description of the event: The price of the Flare project has dropped by more than 95%, which is suspected to be a Rug Pull scam project. Flare token deployers and associated addresses received approximately 4 billion Flare tokens. The scam has so far made around $18.5 million.
Amount of loss: $ 18,500,000 Attack method: Rug Pull
Description of the event: The MooCakeCTX project suffered a flash loan attack, and the attackers made a profit of $143,921. According to Fairyproof’s analysis, the suspected reason is that the contract did not settle rewards and reinvest (the earn function was not called) before a user's pledge (the depositAll function); that is, when the user pledged, the contract did not settle the previous rewards and make a new investment. As a result, users receive the previous pledge dividends immediately after pledging. After borrowing 50,000 CAKE tokens with a flash loan, the attacker, in the same block, pledged twice in a row, then withdrew the pledged CAKE tokens and returned them to make a profit.
Amount of loss: $ 143,921 Attack method: Flash Loan Attack
Description of the event: The FITE (FTE) project is suspected of a rug pull: its website fit[.]app has been shut down, and its social media accounts have been deleted. The scammers have transferred 1900 BNB to Tornado Cash.
Amount of loss: 1900 BNB Attack method: Rug Pull