23 hack event(s)
Description of the event: The Base ecological project RocketSwap was attacked. The attacker cross-chained the stolen assets to Ethereum, resulting in a loss of 471 ETH (approximately $868,000). RocketSwap said: "The team needs to use offline signatures and put the private key on the server when deploying Launchpad. It is currently detected that the server has been brute-forced, and because the farm contract uses a proxy contract, there are multiple high-risk permissions that lead to the transfer of farm assets."
Amount of loss: 471 ETH Attack method: Private Key Leakage
Description of the event: The axlUSD/WETH pool in LeetSwap, the largest DEX on the Base chain, suffered a price manipulation attack and has suspended trading for investigation. It appears that 342.5 ETH (~$624,000) was exploited. On August 3, LeetSwap stated that it had withdrawn about 400 ETH from the risky liquidity pool. According to the analysis of SlowMist, the main cause of this attack was that the _transferFeesSupportingTaxTokens function in the Pair contract was externally callable. This function allowed the transfer of any specified tokens in the contract to the address that collects fees. The attacker initiated a normal small-swap operation first to acquire the necessary tokens for the next swap. Then, the attacker called the _transferFeesSupportingTaxTokens function to transfer almost all of the tokens of one of the Pair to the address collecting fees, causing an imbalance in the Pair's liquidity. Finally, the attacker called the sync function to balance the pool and performed a reverse swap to take more ETH than expected.
Amount of loss: $ 624,000 Attack method: Price Manipulation
Description of the event: A MEME coin called BALD, built on the Coinbase Base test network, appears to have pulled in at least $25.6 million. Although the Base network was intended to be used for developer testing, an anonymous cryptocurrency user named "Bald" announced that they would be selling BALD tokens on the Base network, and the token's price skyrocketed. However, token deployers emptied liquidity pools of around $25.6 million worth of tokens just two days after launch, clearly pulling the market. The token price quickly plummeted by around 90%.
Amount of loss: $ 25,600,000 Attack method: Rug Pull