289 hack event(s)
Description of the event: The Swap-LP contract on BNB Chain (0xe0c352c56af65772ac7c9ab45b858cb43d22f28f) has been attacked with a loss of approximately $1.1 million. The attacker (0xdead) transferred the stolen funds to Tornado Cash. specifically, the attacker manipulated a low-level call in the Swap-LP factory address to trigger the 0x33604058 function of the SwapLP pair. This causes all WDZD tokens in the pair to be transferred to the factory address. As a result, the attacker is able to use fewer WDZDs to obtain more SWAP LPs from the unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743 and subsequently destroy the LPs for profit.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol WDZD Swap on BSC was exploited and lost about $1.1 million. The attackers made nine malicious transactions that drained 609 Binance-Pegged ETH from contracts related to the WDZD project.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol land was suspected of being attacked and lost about 150,000 US dollars. The reason for the attack was the lack of mint permission control.
Amount of loss: $ 150,000 Attack method: Contract Vulnerability
Description of the event: The LW token on BSC was attacked, with a loss of 48,415 USDT, and the price of LW token plummeted by 69%. The attackers have transferred about 150 BNB to Tornado Cash.
Amount of loss: $ 48,415 Attack method: Contract Vulnerability
Description of the event: The SNK project was attacked. The hacker used SNK's invitation reward mechanism to make a profit of 190,000 US dollars.
Amount of loss: $ 190,000 Attack method: Reward Mechanism Flaw
Description of the event: Neverfall protocol Hacked, $75,000 Lost. The attackers have deposited funds into TornadoCash.
Amount of loss: $ 75,000 Attack method: Contract Vulnerability
Description of the event: LEVEL Finance, a project on BNB, was hacked and lost $1 million. The hackers created an unverified contract 7 days before the attack, used a delegate function to extract LVL tokens in 15,000 increments, converted 214,000 LVL tokens into 3,345 BNB and transferred them to Tornado Cash.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: MetaPoint ($POT) on BSC was hacked with a loss of $920K. The root cause is that users will create a new contract to hold their funds each time they deposit $POT, but the contract has a public approve function to transfer all users' assets.
Amount of loss: $ 920,000 Attack method: Contract Vulnerability
Description of the event: Safemoon, a DeFi protocol based on the BNB chain, was attacked, and its liquidity pool lost nearly $8.9 million. Safemoon CEO John Karony said on Twitter: "This security incident affected the SFM:BNB LP pool and other LP pools on DEX were not affected. We have located the suspected vulnerability and fixed it. " According to analysis, the recent update may have introduced a "public destruction vulnerability", which facilitated hacker attacks. The hacker was able to use code functionality to artificially inflate the price of SFM tokens, then sell enough tokens back to the liquidity pool in the same transaction, effectively draining WBNB from the contract. On April 20, the SafeMoon attacker returned 80% of the stolen funds, that is, transferred 21,804 BNB (approximately $7.2 million) to the SafeMoon vault wallet, leaving the remaining 20% as a bounty.
Amount of loss: $ 8,900,000 Attack method: Contract Vulnerability
Description of the event: The FASTSWAP (FAST) project on BNB Chain was attacked by a flash loan and lost 26.77 BNB
Amount of loss: 26.77 BNB Attack method: Flash Loan Attack
Description of the event: According to news, the Harvest_Keeper project maliciously transferred user funds, involving an amount of about 933,000 US dollars. Through the data on the chain, it was found that the attacker used the owner authority to transfer the USDT pledged by the user in the HarvestKeeper contract by calling the getAmount function, and then the attacker used the user's token authorization to the EOA account to transfer the user's funds through the EOA multiple times.
Amount of loss: $ 933,000 Attack method: Insider Manipulation
Description of the event: 80% of the funds in the liquidity pool of the DeFi project LaunchZone were suddenly drained, the price of LZ tokens fell by more than 80% from the previous value of around US$0.15 to US$0.026, and the stolen funds were about US$700,000.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: The DeFi project DND Token (DungeonSwap Token) on BSC has been utilized. The initial funds came from TornadoCash, and the attackers stole over 2,400 BNB (approximately $728,000) from Dungeonswap.
Amount of loss: $ 728,000 Attack method: Contract Vulnerability
Description of the event: The Baby Doll (BABYDOLL) project was hit by a flash loan attack, losing 25 BNB (~$7,900). BSC contract address is 0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2
Amount of loss: $ 7,900 Attack method: Flash Loan Attack
Description of the event: The project fcdep (EPMAX) on BSC was attacked by flash loan, and the loss was about 350,000 US dollars.
Amount of loss: $ 350,000 Attack method: Flash Loan Attack
Description of the event: The LianGoPay project announced on February 7 that its assets in the LGTPool pledge contract on the BNB Chain were stolen, 6,148,859 LGT reward coins were stolen, and the loss was about 1.6 million US dollars. According to analysis, the reason for the theft was that the owner administrator of LGTPool created a fake LP token pledge pool (Pool No. 3), and then the thief put a large amount of LP tokens into the pool for pledge, and obtained 6.14 million pieces LGT reward token.
Amount of loss: $ 1,600,000 Attack method: Leveraging fake LP staking pools
Description of the event: Orion Protocol, an exchange aggregation platform, suffered a reentrancy attack and lost about $3 million in assets. The attackers have transferred some of the cryptocurrency to Tornado Cash. Orion Protocol CEO Alexey Koloskov tweeted that no users suffered any losses in the incident and all users’ funds are safe, including staking, Orion Pool, bridges, and liquidity providers. Assets at risk are held in in-house brokerage accounts run by the Orion team. This problem is not caused by a flaw in the core protocol code, but may be caused by a bug in a mix of third-party libraries in its experimental and smart contracts used by private brokers.
Amount of loss: $ 3,000,000 Attack method: Reentrancy Attack
Description of the event: The BEVO NFT Art Token (BEVO) on BSC was exploited with a total loss of approximately $45,000. The root cause is that BEVO is a deflationary token, and the attacker calls the function deliver(), the value of _rTotal will decrease, which will further affect the return value of getRate() used to calculate the balance. After the attacker manipulates the token balance, he calls the function skim to transfer the increased PancakePair balance to his own account. Finally, the attacker calls the function deliver() again and exchanges the increased BEVO back to WBNB.
Amount of loss: $ 45,000 Attack method: Reward Mechanism Flaw
Description of the event: It is reported that the FFF token deployed on the BSC has an abnormal additional issue event. This event is that the administrator of the original project party purchased the additional issue through the pre-set additional issue contract, and then sold the additional issued tokens and transferred the acquired assets in part. More than US $1.03 million of FFF tokens were sold in this issue.
Amount of loss: $ 1,030,000 Attack method: Insider Manipulation
Description of the event: Thoreum Finance was hacked. According to analysis, because the transfer function of the non-open source contract 0x79fe created by the Thoreum Finance project party is suspected to have a loophole, when the from and to addresses of the transfer function are the same, due to the use of temporary variables to store the balance, the balance will double when you transfer to yourself , the attacker repeated the operation many times, and finally made a profit of 2,000 BNB, involving an amount of about 580,000 US dollars.
Amount of loss: $ 580,000 Attack method: Contract Vulnerability