35 hack event(s)
Description of the event: The Cellframe Network, a blockchain network based on sharding architecture, is suspected of being attacked by a flash loan. The attacker made a profit of 245 BNB (approximately 74,000 US dollars), and the token CELL has fallen by more than 65%. According to MistTrack analysis, the attacker's address (0x252...079) on Ethereum had withdrawn 1.37 ETH from Binance.
Amount of loss: $ 74,000 Attack method: Flash Loan Attack
Description of the event: Multichain tweeted that although most of the cross-chain routes of the Multichain protocol are operating normally, due to force majeure, some cross-chain routes cannot be used, and the time to restore services is unknown. After service is restored, pending transactions will be credited automatically. Multichain will compensate users affected during this process, and the compensation plan will be announced later. According to previous reports from multiple community users, there is an abnormal delay in the arrival of Multichain cross-chain funds. Markets show that the Multichain token MULTI has fallen 24.1% in the past 24 hours and is currently trading at $5.36.
Amount of loss: - Attack method: Unknown
Description of the event: Cross-chain interoperability protocol Celer Network reported Wednesday that it has patched a code vulnerability first discovered by Jump Crypto, The Block reported. In a blog post published by Celer and Jump Crypto, a vulnerability in the State Guardian Network (SGN), Celer's proof-of-stake (PoS) blockchain, was disclosed. If implemented, the vulnerability could allow a malicious validator to submit a large number of fraudulent "votes", resulting in a change in the state of the network. Celer emphasized that the breach did not result in any financial loss. The vulnerability was not publicly accessible and no funds were directly at risk when it was discovered. Celer said it would propose a bug bounty for Jump Crypto as a result of the discovery.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The Discord server of the cross-chain trading platform zkLink has been hacked, and some hackers posted phishing links. Do not click on any links until the team confirms that they have regained control of the server.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The cross-chain bridge Allbridge was hacked and lost about $570,000 (including about 280,000 BUSD and about 290,000 USDT). The root cause appears to be manipulation of the Swap price of the pool. The hacker played the dual role of liquidity provider and trader, draining the funds in the pool. On April 4, Allbridge tweeted: "The owner of address 0xC578 contacted us and refunded 1,500 BNB (approximately $463,600), and the remaining funds will be considered a white hat bounty for this individual.
Amount of loss: $ 570,000 Attack method: Price Manipulation
Description of the event: Multichain's AnyswapV4Router contract suffered a rush attack, and the attacker made a profit of about 87 Ethereum, about $130,000. After analysis, the attacker used the MEV contract (0xd050) to pre-emptively call the anySwapOutUnderlyingWithPermit function of the AnyswapV4Router contract before the normal transaction was executed (the user authorized WETH but has not yet performed the transfer), although the function uses the permit signature of the token verification, but the stolen WETH this time does not have a relevant signature verification function, and only triggers a deposit function in a fallback. In subsequent function calls, the attacker can directly use the safeTransferFrom function to transfer the WETH authorized by the _underlying address to the attacked contract to the attack contract without signature verification.
Amount of loss: $ 130,000 Attack method: Rush Attack
Description of the event: The multi-chain exchange protocol Rubic was hacked and lost more than $1.4 million. The attacker has transferred 1,100 ETH to the Tornado Cash mixing protocol. According to the analysis of the SlowMist security team, the root cause of the attack is that the Rubic protocol wrongly added USDC tokens to the Router whitelist, resulting in the theft of USDC tokens of users authorized to the RubicProxy contract.
Amount of loss: $ 1,400,000 Attack method: Data incoming error
Description of the event: An address on the BNB Chain minted more than $1 billion of pGALA tokens out of thin air, and sold them through PancakeSwap to make a profit. The pGALA contract hacker has made a profit of $4.3 million. One Smart Money address arbitraged nearly $6.5 million in this attack, even more than the attacker's profit. Multi-link is tweeted by the protocol pNetwork, and the pGALA contract on the BNB Chain needs to be redeployed due to the misconfiguration of the cross-chain bridge. Huobi Global announced that it would re-list GALA after proposing that the GALA purchased after the abnormal event would be renamed pGALA, and the project party agreed to pay full compensation to the holders of the currency before the accident.
Amount of loss: $ 10,800,000 Attack method: Configuration Error
Description of the event: The multi-chain exchange protocol Rubic tweeted that an administrator’s wallet address, which manages the RBC/BRBC cross-chain bridge and staking rewards, was stolen, and the team suspected that malware stole the private key. The attacker sold about 34 million RBC/BRBC on Uniswap and PancakeSwap, the user's staking funds are safe and the smart contract is not exploited.
Amount of loss: $ 1,200,000 Attack method: Private Key Leaked
Description of the event: The THORChain network of the cross-chain DeFi protocol was interrupted. The official said that the consensus problem has been identified and a patch will be released. The code pushes cosmos.Uint (instead of uint64) into the string, which causes the string to get an arbitrarily large integer instead of the actual value, causing the memo string to be on a different node. On October 28th, THORChain was back online and produced blocks. The network is signing block transactions, so pending transactions should start going through. Once the queue is cleared, the transaction will be re-enabled. Expect 2-3 hours. During the network outage, investors did not lose any funds. However, the exchange deposits and withdrawals of Thorchain's native currency RUNE have been suspended on centralized exchanges such as Kucoin.
Amount of loss: - Attack method: Network interruption
Description of the event: Layer1 blockchain QANplatform (QANX), which is resistant to quantum computing attacks, tweeted that its smart contract cross-chain bridge was attacked, and the attacker managed to extract tokens, reminding users not to perform any transactions related to QANX tokens. According to the findings, the hackers obtained the private keys to the bridge wallet and withdrew more than 1.4 billion QANX tokens worth more than $1 million in two transactions.
Amount of loss: $ 2,000,000 Attack method: Profanity Vulnerability
Description of the event: Aurora Labs CEO Alex Shevchenko revealed that an attacker trying to steal funds from Rainbow Bridge was stopped in 31 seconds, losing 5 ETH in the process.
Amount of loss: - Attack method: Fake NEAR blocks
Description of the event: Celer said that cBridge's front-end interface suffered from DNS cache poisoning attacks. This attack targeted third-party DNS providers. Celer's own contract was not affected, and users who suffered losses in this incident, Celer, will be fully compensated.
Amount of loss: 128.4 ETH Attack method: BGP Hijacking
Description of the event: The Nomad Bridge, a cross-chain interoperability protocol, was attacked by hackers. This attack was due to the fact that the trusted root of the Nomad Bridge Replica contract was set to 0x0 during initialization, and the old root was not invalidated when the trusted root was modified. Constructing arbitrary messages to steal funds from the bridge, the attacker was able to extract over $190 million in value from the attack. So far, more than 40 addresses have returned over $36 million to Nomad.
Amount of loss: $ 154,000,000 Attack method: Contract Vulnerability
Description of the event: Harmony Horizon bridge was hacked. According to the analysis of SlowMist MistTrack, the attackers made more than 100 million US dollars, including 11 ERC20 tokens, 13,100 ETH, 5,000 BNB and 640,000 BUSD. On the 26th, Harmony founder Stephen Tse said on Twitter that Horizon was attacked not because of a smart contract vulnerability, but because of a private key leak. Although Harmony stored the private keys encrypted, the attacker decrypted some of them and signed some unauthorized transactions. At present, Harmony has migrated Horizon's verification authority on the Ethereum side to 4/5 multi-signature.
Amount of loss: $ 100,000,000 Attack method: Private Key Leaked
Description of the event: On May 18, QANX Bridge was attacked between 15:01:40 and 18:20:25 UTC. Developers can withdraw 100,450,000 QANX from QANX Bridge and sell it on Uniswap for 325 ETH, then transfer it to Tornado Cash. By May 26, the hackers had sold all the stolen QANX tokens.
Amount of loss: 100,450,000 QANX Attack method: Private Key Leaked
Description of the event: Rainbow Bridge was attacked by forged blocks. However, it was blocked by an automatic watchdog mechanism, depriving the attacker of 2.5 ETH.
Amount of loss: - Attack method: Fake NEAR blocks
Description of the event: According to official news, Marvin Inu’s cross-chain bridge was hacked, and tokens worth 110 ETH were stolen and sold, causing a sharp drop in price. The project party has closed the cross-chain bridge and fixed the loopholes. At the same time, it has adjusted the purchase tax to 0%, and promised to repurchase and destroy the tokens to make up for this loss after the price fluctuations stabilize.
Amount of loss: 110 ETH Attack method: Contract Vulnerability
Description of the event: Axie Infinity sidechain Ronin Network issued a community alert today. Ronin Network experienced a security breach. Ronin bridge 17.36w ETH and 25.5M USDC were stolen, with a loss of more than 610 million US dollars. As stated by the Ronin developers, the attacker used the hacked private key to forge fake withdrawals, pulling funds out of the Ronin bridge in just two transactions.
Amount of loss: $ 610,000,000 Attack method: Private Key Leaked
Description of the event: Meter.io's cross-chain bridge was hacked, resulting in a loss of around $4.3 million ( 1391.24945169 ETH and 2.74068396 BTC). The hacker was able to exploit a vulnerability in the deposit function, which allowed them to fake BNB or ETH transfers. Meter.io announced that Meter Passport (a cross-chain bridge extension) automatically wraps and unwraps Gas Tokens (such as ETH and BNB) for user convenience. However, the contract did not prohibit the wrapped ERC20 Token from interacting directly with the native Gas Token, nor did it properly transfer and verify the correct amount of WETH transferred from the caller address.
Amount of loss: $ 4,300,000 Attack method: Contract Vulnerability