401 hack event(s)
Description of the event: According to the SlowMist MistEye security monitoring system, Aventa, which specializes in creating intuitive Web3 utilities for the crypto community, appears to have been attacked, resulting in a loss of approximately 3.9 ETH.
Amount of loss: $ 7,000 Attack method: Flash Loan Attack
Description of the event: A member of the crypto community previously revealed that "a smart contract of a certain Web3 project was suspected to have been implanted with malicious code by an employee," leading to losses of several hundred thousand dollars. Thomson, a developer of the DeFi trading and asset management project QuantMaster, stated that he was the primary victim of this theft. According to Thomson, the suspect has been largely identified. The GitHub submission records clearly point to a specific employee, and the device used to submit the code is also unique. Cursor retains a complete local AI activity log, which has been reviewed, ruling out the possibility that the malicious code was generated or modified by AI.
Amount of loss: - Attack method: Insider Manipulation
Description of the event: R0AR has been exploited, with total losses amounting to approximately $780K. According to analysis by the SlowMist security team, the root cause of the exploit was the presence of a backdoor in the contract. During deployment, the R0ARStaking contract altered the balance (user.amount) of a specified address by directly modifying storage slots. Subsequently, the attacker extracted all funds from the contract through an emergency withdrawal function. R0AR stated in a tweet: “At this stage, we do not believe this to be an external exploit. One nefarious developer, external to the R0AR core team, is seemingly behind the drain. They have been removed from the project with all accesses revoked.”
Amount of loss: $ 780,000 Attack method: Insider Manipulation
Description of the event: According to the SlowMist MistEye security monitoring system, a MEV bot (address: 0x49e27d11379f5208cbb2a4963b903fd65c95de09) has lost approximately 116.7 ETH due to a lack of access control.
Amount of loss: $ 210,000 Attack method: Lack of Strict Access Control
Description of the event: According to the SlowMist MistEye security monitoring system, the leveraged trading project SIR.trading (@leveragesir) on the Ethereum chain has been attacked, resulting in a loss of over $300,000 in assets. The root cause of this hack is that the transiently stored value set using tstore in the function was not cleared after the function call ended. This allowed the attacker to exploit this characteristic by constructing specific malicious addresses to bypass permission checks and transfer tokens.
Amount of loss: $ 355,000 Attack method: Contract Vulnerability
Description of the event: An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra Money project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
Amount of loss: $ 13,000,000 Attack method: Contract Vulnerability
Description of the event: Moonray's Discord was Compromised, and the attackers posted fraudulent airdrop messages. Users are advised to stay cautious and aware of potential risks.
Amount of loss: - Attack method: Account Compromise
Description of the event: On January 13, 2025, the SlowMist MistEye security monitoring system detected an attack on UniLend, resulting in a loss of ~$197K.
Amount of loss: $ 197,600 Attack method: Contract Vulnerability
Description of the event: The SuperVerse X account was compromised and used to post a fraudulent airdrop claim containing a phishing link.
Amount of loss: - Attack method: Account Compromise
Description of the event: Sorra was suspected to have been attacked on ETH, resulting in an approximate loss of $43K.
Amount of loss: $ 43,000 Attack method: Contract Vulnerability
Description of the event: LAURA was suspected to have been attacked on ETH, resulting in an approximate loss of $48.2K.
Amount of loss: $ 48,200 Attack method: Contract Vulnerability
Description of the event: The FEG project suffered an attack resulting in a loss of approximately $1 million. Analysis suggests that the root cause of the incident appears to be a composability issue arising from the integration with the underlying Wormhole cross-chain bridge, which facilitates cross-chain message and token transfers.
Amount of loss: $ 1,000,000 Attack method: Security Vulnerability
Description of the event: A series of exploiting transactions on Ethereum targeting the liquidity pool of the HarryPotterObamaSonic10Inu 2.0 token. The attacker profited approximately $243K and deposited the funds into Tornado.
Amount of loss: $ 243,000 Attack method: Price Manipulation
Description of the event: Arata tweeted that the Arata ecosystem and CEX wallet have been exploited. The hacker managed to sell a significant portion of the tokens.
Amount of loss: - Attack method: Unknown
Description of the event: Vestra DAO tweeted that a hacker exploited a vulnerability in the locked staking contract, manipulating the reward mechanism to claim rewards exceeding their entitlement. As a result, a total of 73,720,000 VSTR tokens were stolen. The stolen tokens were gradually sold on Uniswap, causing approximately $500,000 in ETH liquidity losses.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability
Description of the event: DeBox officially announced that due to the leakage of the private key of an operational account's personal EOA wallet, 31.03 ETH and 4.879 million BOX tokens were stolen.
Amount of loss: $ 275,000 Attack method: Private Key Leakage
Description of the event: Spectral tweeted that they received an alert about a vulnerability affecting certain tokens on the bonding curve contracts on Syntax, which was used to remove approximately $200K in liquidity.
Amount of loss: $ 250,000 Attack method: Contract Vulnerability
Description of the event: The Sweepr Token (SWEEPR) on ETH was suspected to have been attacked, resulting in a loss of approximately $14K.
Amount of loss: $ 14,000 Attack method: Contract Vulnerability
Description of the event: The vETH token suffered an attack, resulting in approximately $450K in losses.
Amount of loss: $ 450,000 Attack method: Price Manipulation
Description of the event: On November 8, a hacker breached the CoinPoker’s hot wallet, resulting in the unauthorized draining of approximately $2M USD. The attack spanned across multiple blockchain networks, including BNB Chain, Ethereum, and Polygon networks. Later, it funneled through Tornado Cash to obscure the trail and to launder the funds.
Amount of loss: $ 2,000,000 Attack method: Third-party Vulnerability