152 hack event(s)
Description of the event: On the evening of May 18, the BSC-based DeFi lending platform Venus token XVS was doubled by the giant whale. After that, XVS was used as collateral to borrow and transfer BTC and ETH worth hundreds of millions of dollars. Since then, the price of collateral XVS is large. It fell and faced liquidation, but due to insufficient liquidity in the XVS market, the system failed to liquidate in time, resulting in a huge shortfall of hundreds of millions of dollars in Venus. On the 30th, Venus officially released an article that disclosed the process and results of the incident. The survey showed that the liquidator made a profit of about 20 million U.S. dollars, and the seller made a profit of about 55 million U.S. dollars; the "scalper" made a profit of about 2 million U.S. dollars; the 0xef044 address account had a net loss of about 66 million U.S. dollars. Secondly, its address attribution is based on the Swipe escrow address used on Binance, so there is no insider trading. The agreement lost approximately $77 million due to market fluctuations. VGP will recover approximately US$77 million from the distribution fund, and formulate a community recovery plan for XVS holders and others in the form of airdrops from the distribution fund and agreement income.
Amount of loss: $ 145,000,000 Attack method: Due to insufficient liquidity in the XVS market, the system failed to liquidate in time
Description of the event: The DeFi protocol bEarnFi stated that on May 16, its bVaults BUSD-Alpaca strategy was attacked, and nearly 10.86 million BUSD in the pool was exhausted. However, the remaining bvault and other pools of the platform are not at risk. At the same time, bEarnFi released a rough compensation plan, which will create a compensation fund, which will consist of the remaining savings funds, development funds, DAO funds, and part of the expenses incurred by the agreement. After that, a snapshot of the balance will be taken to deploy compensation contracts. Affected users will receive an additional 5% of their deposit amount.
Amount of loss: $ 11,000,000 Attack method: Contract Vulnerability
Description of the event: According to the SlowMist Intelligence, the Binance smart chain project Spartan Protocol was hacked and the loss amounted to about 30 million U.S. dollars. The event was due to a flaw in the calculation of liquidity shares in the protocol.
Amount of loss: $ 30,000,000 Attack method: Contract Vulnerability
Description of the event: A loophole in the BSC ecosystem Uranium Finance resulted in the theft of US$50 million in funds. Research analyst Igor Igamberdiev pointed out an error in the Pair contract in Uranium v2. Due to calculation errors, this was used to withdraw almost all tokens. The balance of these Pair contracts has also been overstated. Igamberdiev believes that the project team made a carpet pull.
Amount of loss: $ 50,000,000 Attack method: Contract Vulnerability
Description of the event: According to sources, since April 12, 2021, a person who has access to Binance Smart Chain account 0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1 (PancakeSwap administrator account) has stolen 59,765 Cakes (approximately US$1,800,000) from the PancakeSwap lottery pool. After hackers exploited the vulnerability several times, PancakeSwap banned the account.
Amount of loss: $ 1,800,000 Attack method: Private Key Leaked
Description of the event: Recently, Iron Finance, a stablecoin mortgage platform based on Binance Chain, was attacked. Two vFarm liquidity pools (50% IRON—50% SIL pool; 50% IRON—50% BUSD pool) lost a total of 170,000 US dollars. Later, the official publication of the incident stated that: 1. The cause of the attack was due to the upgrade of the cloud service (FaaS) and the change in the reward rate integer, but the official team was not aware of the problem. Later, an attacker made a profit of 170,000 U.S. dollars by selling all the local token SIL rewards. 2. The Iron Finance smart contract has no loopholes. 3. vFarms will be restarted on March 18th, and SIL tokens will be restarted to sIRON. 4. Users should not sell or exchange IRON tokens for the time being. When the new pool is restarted, the full amount of BUSD can be redeemed. The Iron Finance agreement was launched on the BSC in early March. The IRON stablecoin is pegged to the U.S. dollar, partly backed by collateral such as BUSD and USDT, and partly backed by the SIL algorithm.
Amount of loss: $ 170,000 Attack method: Change the reward rate integer
Description of the event: Many DeFi protocol websites on BSC (Binance Smart Chain) were attacked by DNS, including Cream Finance and BSC header DEX PancakeSwap. The attacker requested users to submit personal private keys or mnemonics through the website. The relevant project team has passed Twitter Remind users not to visit the website and do not submit information such as private keys. Later PancakeSwap and Cream Finance both stated that they had regained access to DNS.
Amount of loss: - Attack method: DNS attack
Description of the event: According to the official community information of Meerkat Finance, its vault contract was hacked, and the hacker used the loophole to steal all the funds in the vault. According to reports, the BSC project Meerkat Finance is suspected of running away and swept away about 31 million US dollars, of which 14 million BUSD and the other 73,000 BNB. MKAT claims to have been hacked to steal all resources.
Amount of loss: $ 31,000,000 Attack method: Rug Pull
Description of the event: The attacker uses Lightning Loan to Alpha Finance for leveraged lending, and uses Alpha Finance’s own Cream IronBank quota to return the Lightning Loan. In this process, the attacker obtains a large amount of cySUSD by adding liquidity to Cream, allowing the attacker to use it. These cySUSD are further borrowed in Cream Finance. Due to problems with Alpha Finance, both agreements suffered losses at the same time.
Amount of loss: $ 37,500,000 Attack method: Flash loan attack
Description of the event: According to feedback from Binance Smartchain investors, on February 1st, the BSC listed project Multi Financial ran away, and it only took about 5000 BNB in one day. The compromised investor stated that it had reported that Binance had blocked the address of the project party and reported to the police. Recently, there have been many running incidents on BSC. The popcornswap project has approached 48,000 BNB. In a few days, three other projects (Zap Finance and Tin Finance, SharkYield) ran away. The current SharkYield ran away is suspected to have taken away 6000 BNB. Binance said that BSC is the same public chain as Ethereum and should not be responsible for the above projects. It hopes that users will manually intervene in investment and select high-quality projects to participate.
Amount of loss: 5,000 BNB Attack method: Rug Pull
Description of the event: Another DeFi project popcornswap on Binance Smart Chain has gone. It is reported that some users said in the community that the project used cake's LP, the contract was open source but there was no audit, and the LP was run in less than two hours. Currently, there are more than 40,000 BNB in the wallet and no action is taken.
Amount of loss: 48,000 BNB Attack method: Rug Pull
Description of the event: The Bantiample team, a project on the Binance Smart Chain, has cashed out 3000 BNB to run away. At present, the main developer of the team has deleted the Telegram account, and the project token BMAP has fallen by more than 90% in a single day. According to the project's description, BMAP is a kind of AMPL-like imitation. Every time a user participates in a transaction, the total amount is reduced by 1%. However, it is actually just a common token, and it does not have the functions described by the project party. It just uses the AMPL project hotspot to commit fraud.
Amount of loss: 3,000 BNB Attack method: Scam