9 hack event(s)
Description of the event: Pike Finance, a cross-chain lending protocol on Base, is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $52,600
Attack method: Rug Pull
Description of the event: Aerodrome tweeted that its frontend is currently compromised and asked users not to interact with Aerodrome for the time being while the team investigates.
Amount of loss: -
Attack method: DNS Hijacking Attack
Description of the event: On October 5th, blockchain detective ZachXBT posted on social media, stating that a hacker had made a profit of 234 ETH (~$385,000) in the past 24 hours by conducting SIM card swap attacks on four different friend.tech users.
Amount of loss: $385,000
Attack method: SIM Card Attack
Description of the event: According to official sources, Base had previously experienced a block failure. The Base team investigated immediately, a fix was subsequently deployed, and block production began to resume. The team has confirmed that network operation and the RPC API have returned to normal and said it will continue to monitor. Base later tweeted that the glitch had been fixed and no funds were at risk.
Amount of loss: -
Attack method: Block Failure
Description of the event: Magnate Finance, an on-chain exit scam on Base, has seen its TVL drop by ~$6.4M after the deployer modified the price oracle provider and removed all assets. On-chain sleuth ZachXBT says the Magnate Finance deployer address is linked to the exit scams Solfire and Kokomo Finance. Magnate Finance's website and social platforms are currently down and its Telegram group has been deleted. According to MistTrack monitoring, funds have been bridged from Base to ETH, Arbitrum, and Optimism.
Amount of loss: $6,400,000
Attack method: Rug Pull
Description of the event: The lending protocol SwirlLend team stole about $2.9 million in cryptocurrency from Base and $1.7 million worth of cryptocurrency from Linea, all of which were cross-chained to Ethereum. As of now, the deployer has transferred 254.2 ETH to Tornado Cash. SwirlLend's official Twitter and Telegram accounts have been logged out, and its official website is also inaccessible.
Amount of loss: $460,000
Attack method: Rug Pull
Description of the event: The Base ecosystem project RocketSwap was attacked. The attacker bridged the stolen assets to Ethereum, resulting in a loss of 471 ETH (approximately $868,000). RocketSwap said: "The team needs to use offline signatures and put the private key on the server when deploying Launchpad. It is currently detected that the server has been brute-forced, and because the farm contract uses a proxy contract, there are multiple high-risk permissions that lead to the transfer of farm assets."
Amount of loss: 471 ETH
Attack method: Private Key Leakage
Description of the event: The axlUSD/WETH pool in LeetSwap, the largest DEX on the Base chain, suffered a price manipulation attack, and LeetSwap has suspended trading for investigation. It appears that 342.5 ETH (~$624,000) was lost in the exploit. On August 3, LeetSwap stated that it had withdrawn about 400 ETH from the risky liquidity pool. According to SlowMist's analysis, the main cause of this attack was that the _transferFeesSupportingTaxTokens function in the Pair contract was externally callable. This function allowed any specified tokens held by the contract to be transferred to the fee-collecting address. The attacker first performed a normal small swap to acquire the tokens needed for the next swap. Then, the attacker called the _transferFeesSupportingTaxTokens function to transfer almost all of one of the Pair's tokens to the fee-collecting address, causing an imbalance in the Pair's liquidity. Finally, the attacker called the sync function to balance the pool and performed a reverse swap to take more ETH than expected.
Amount of loss: $624,000
Attack method: Price Manipulation
Description of the event: A meme coin called BALD, built on the Coinbase Base test network, appears to have pulled in at least $25.6 million. Although the Base network was intended to be used for developer testing, an anonymous cryptocurrency user named "Bald" announced that they would be selling BALD tokens on the Base network, and the token's price skyrocketed. However, the token deployers emptied liquidity pools of around $25.6 million worth of tokens just two days after launch, a clear rug pull. The token price quickly plummeted by around 90%.
Amount of loss: $25,600,000
Attack method: Rug Pull