48 hack event(s)
Description of the event: According to Yonhap News Agency, Kim Seok-hwan, a representative of Wemix Foundation, a blockchain subsidiary of Wemade, admitted at an emergency meeting that they lost approximately 8.65 million WEMIX tokens (worth about $6.22 million) due to a hack. On February 28, the hacker stole the authentication key of the NFT platform "Nile" and attacked the Play Bridge Vault system.
Amount of loss: $ 6,220,000 Attack method: Security Vulnerability
Description of the event: The Ronin Bridge project experienced unusual cross-chain asset withdrawals, suggesting a potential attack. According to the SlowMist security team, the vulnerability was caused by the modification of weight to an unexpected value, allowing funds to be withdrawn without passing any multi-signature threshold checks. The attacker extracted approximately 4,000 ETH and 2 million USDC from the bridge, amounting to a value of around $12 million. As of August 7th, white hats have returned $12 million worth of assets and received a $500,000 bug bounty.
Amount of loss: $ 12,000,000 Attack method: Contract Vulnerability
Description of the event: Bitcoin DeFi application ALEX Lab was drained of over $4.3 million in various tokens after a suspected private key compromise attacked its bridging service. Hackers transferred over $300,000 USD worth of BTC, $3.3 million USD worth of stablecoins, and $75,000 USD worth of Sugar Kingdom (SKO) tokens.
Amount of loss: $ 4,300,000 Attack method: Private Key Leakage
Description of the event: The cross-chain bridge project XBridge was exploited due to a smart contract vulnerability on the Ethereum Mainnet and the BNB chain, resulting in a loss of approximately $1.44 million.
Amount of loss: $ 1,440,000 Attack method: Contract Vulnerability
Description of the event: The cross-chain bridge X Bridge has experienced multiple suspicious transactions, which are still ongoing. A suspicious address was recently funded by Tornado Cash on BNBChain, then bridged to ETH, and subsequently deposited 0.15 ETH into 'OwnedUpgradeabilityProxy.' Shortly after, a withdrawal of 482M STC totaling $824K was made from your 'OwnedUpgradeabilityProxy' contract.
Amount of loss: $ 824,000 Attack method: Unknown
Description of the event: The Twitter account of the cross-chain bridge Meson Finance posted a tweet containing a phishing link. Meson Finance tweeted that the relevant content has been deleted and confirmed that the issue originated from a third-party API rather than a direct attack on the account.
Amount of loss: - Attack method: Account Compromise
Description of the event: The @GoDaddy account for the L2 cross-chain bridge LayerSwap's domain http://layerswap[.]io was compromised. The compromise of the domain led to a phishing site being displayed, resulting in approximately 50 users losing ~$100K worth assets. To address this, Layerswap is refunding the affected users in full plus and an additional 10% as a compensation for the caused inconvenience.
Amount of loss: $ 100,000 Attack method: DNS Attack
Description of the event: OrdiZK advertized themselves as a privacy bridge between the Ethereum network and Bitcoin, has exited, resulting in approximately $1.4 million in losses.
Amount of loss: $ 1,400,000 Attack method: Rug Pull
Description of the event: Cross-chain bridge protocol Orbit Chain has suffered an attack, resulting in a loss of $81.6 million. Orbit Chain has tweeted that the team has requested major cryptocurrency exchanges worldwide to freeze the stolen assets.
Amount of loss: $ 81,600,000 Attack method: Unknown
Description of the event: A Discord Mod on LayerZero has reported that a scammer who introduced a phishing link within a proposal vote on the Stargate Snapshot platform, enticing users to stake $STG tokens. Over 1K users took part in the vote, resulting in a loss of ~$43K
Amount of loss: $ 43,000 Attack method: Phishing Attack
Description of the event: OmniBTC's Discord was hacked and the attackers posted a phishing link in the announcement channel.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to a number of community users, there seems to be a problem in the Layer2 interoperability protocol Connext airdrop claim process. The NEXT tokens of some accounts were claimed to unexpected addresses. The data on the chain shows that the address starting with 0x44Af received a large number of Connext token NEXT airdrops through 230 accounts in the past 1 hour, and sold them all for ETH, USDT and USDC, earning nearly 39,000 US dollars. According to SlowMist analysis, users can claim NEXT tokens through the claimBySignature function of the NEXT Distributor contract. There are recipient and beneficiary roles, the recipient role is used to receive the NEXT tokens of the claim, and the beneficiary role is the address that is eligible to receive NEXT tokens, which has been determined when the Connext protocol announces the air investment qualifications. When the user makes a NEXT token claim, the contract will perform two checks: one is to check the signature of the beneficiary role, and the other is to check whether the beneficiary role is eligible to receive the airdrop. During the first check, it will check whether the recipient passed in by the user is signed by the beneficiary role, so the random incoming recipient address cannot pass the check if it is not signed by the beneficiary. If you specify a beneficiary address to construct a signature, even if it can pass the signature check, it cannot pass the second check on the eligibility for airdrops. Airdrop claim eligibility checks are checked through Merkle proofs, which should be officially generated by the Connext protocol. Therefore, users who are not eligible to receive airdrops cannot bypass the check to receive other people's airdrops. On September 7, Connext released a post-mortem analysis, stating that the attacker performed DOS operations on Tokensoft’s API, causing the claim database and UI to crash. During this process, 274,956 NEXT from 253 wallets (not related to Connext) were claimed (0.26% of the total airdrop) and sold for approximately 40,000 USDT before ordinary users were able to claim it. But Connext was not compromised in any way. After the DOS attack ended, airdrop claims returned to normal.
Amount of loss: $ 39,000 Attack method: DoS Attack
Description of the event: Around $126 million worth of tokens have been withdrawn from the Multichain bridge on the Fantom network. 7,200 WETH (approximately $13.7 million) and $4 million in stablecoin DAI (the above four tokens are worth more than $100 million), which also includes other tokens such as Chainlink, YFI, Wootrade Network, and UniDex’s total supply nearly a quarter. Assets also appear to be moving on Multichain’s Moonriver bridge, including 4.8 million USDC and 1 million USDT. Dogechain also experienced abnormal fund flows, and at least 660,000 USDC were sent to the same wallet as Moonriver's fund flows. Multichain tweeted that the “team is unsure of what happened and is currently investigating” and advised users to stop using the service and withdraw contract approval.
Amount of loss: $ 126,000,000 Attack method: Unknown
Description of the event: The Poly Network, a cross-chain interoperability protocol, was attacked again. This attack affected 58 assets on 11 blockchains. According to SlowMist analysis, Poly Network hackers have profited over $10 million worth of mainstream assets. The attackers implanted a Trojan virus into the program compilation environment, allowing them to acquire the consensus keys of Poly Network’s Relay Chain. Subsequently, they utilized these keys to forge cross-chain transactions. The hackers implanted a Trojan horse code block during the program compilation process, obtaining and uploading consensus keys during program startup. They then employed these keys to sign the block header of the forged Poly Network’s Relay Chain, ultimately submitting the forged cross-chain transactions and block header to the target chain to execute the cross-chain exploit.
Amount of loss: $ 10,000,000 Attack method: Trojan horse virus
Description of the event: The Cellframe Network, a blockchain network based on sharding architecture, is suspected of being attacked by a flash loan. The attacker made a profit of 245 BNB (approximately 74,000 US dollars), and the token CELL has fallen by more than 65%. According to MistTrack analysis, the attacker's address (0x252...079) on Ethereum had withdrawn 1.37 ETH from Binance.
Amount of loss: $ 74,000 Attack method: Flash Loan Attack
Description of the event: Multichain tweeted that although most of the cross-chain routes of the Multichain protocol are operating normally, due to force majeure, some cross-chain routes cannot be used, and the time to restore services is unknown. After service is restored, pending transactions will be credited automatically. Multichain will compensate users affected during this process, and the compensation plan will be announced later. According to previous reports from multiple community users, there is an abnormal delay in the arrival of Multichain cross-chain funds. Markets show that the Multichain token MULTI has fallen 24.1% in the past 24 hours and is currently trading at $5.36.
Amount of loss: - Attack method: Unknown
Description of the event: Cross-chain interoperability protocol Celer Network reported Wednesday that it has patched a code vulnerability first discovered by Jump Crypto, The Block reported. In a blog post published by Celer and Jump Crypto, a vulnerability in the State Guardian Network (SGN), Celer's proof-of-stake (PoS) blockchain, was disclosed. If implemented, the vulnerability could allow a malicious validator to submit a large number of fraudulent "votes", resulting in a change in the state of the network. Celer emphasized that the breach did not result in any financial loss. The vulnerability was not publicly accessible and no funds were directly at risk when it was discovered. Celer said it would propose a bug bounty for Jump Crypto as a result of the discovery.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The Discord server of the cross-chain trading platform zkLink has been hacked, and some hackers posted phishing links. Do not click on any links until the team confirms that they have regained control of the server.
Amount of loss: - Attack method: Account Compromise
Description of the event: The cross-chain bridge Allbridge was hacked and lost about $570,000 (including about 280,000 BUSD and about 290,000 USDT). The root cause appears to be manipulation of the Swap price of the pool. The hacker played the dual role of liquidity provider and trader, draining the funds in the pool. On April 4, Allbridge tweeted: "The owner of address 0xC578 contacted us and refunded 1,500 BNB (approximately $463,600), and the remaining funds will be considered a white hat bounty for this individual.
Amount of loss: $ 570,000 Attack method: Price Manipulation
Description of the event: Multichain's AnyswapV4Router contract suffered a rush attack, and the attacker made a profit of about 87 Ethereum, about $130,000. After analysis, the attacker used the MEV contract (0xd050) to pre-emptively call the anySwapOutUnderlyingWithPermit function of the AnyswapV4Router contract before the normal transaction was executed (the user authorized WETH but has not yet performed the transfer), although the function uses the permit signature of the token verification, but the stolen WETH this time does not have a relevant signature verification function, and only triggers a deposit function in a fallback. In subsequent function calls, the attacker can directly use the safeTransferFrom function to transfer the WETH authorized by the _underlying address to the attacked contract to the attack contract without signature verification.
Amount of loss: $ 130,000 Attack method: Rush Attack