345 hack event(s)
Description of the event: The liquidity restaking protocol Renzo tweeted that the Renzo Discord server has been compromised by malicious attackers. Please do not click on any links posted in the server.
Amount of loss: - Attack method: Account was Compromised
Description of the event: A misconfiguration in the Rho Markets lending protocol allowed an MEV bot operator to take $7.6 million from the project's users across multiple chains. The MEV bot operator sent an on-chain message indicating their willingness to return all the funds. Subsequently, the MEV bot operator returned the funds as planned.
Amount of loss: $ 7,600,000 Attack method: Oracle Misconfiguration
Description of the event: According to on-chain sleuth ZachXBT, the Ethena Discord server has been hacked. Do not click on any links for the time being.
Amount of loss: - Attack method: Account was Compromised
Description of the event: According to monitoring by the SlowMist security team, Dough Finance was attacked due to a contract vulnerability. Some unauthorized funds were extracted by hackers, resulting in a loss of approximately $1.81 million.
Amount of loss: $ 1,810,000 Attack method: Contract Vulnerability
Description of the event: Compound DAO security advisor Michael Lewellen tweeted that the Compound Finance official website (http://compound.finance) has been compromised and is currently hosting a phishing site. Do not interact with the site until further notice.
Amount of loss: - Attack method: DNS Hijacking Attack
Description of the event: According to Cyber's official Twitter, the Discord server @BuildOnCyber of the decentralized social L2 Cyber (formerly CyberConnect) was compromised. A phishing link was posted in the announcements channel and all permissions have been stripped. Do not interact with the attached announcement. Do not click any links.
Amount of loss: - Attack method: Account was compromised
Description of the event: APEMAGA on Ethereum is suspected to have been attacked, resulting in a loss of approximately $32,000.
Amount of loss: $ 32,000 Attack method: Unknown
Description of the event: According to the latest official blog post by the Ethereum Foundation, their email account was hacked, and phishing emails were sent to 35,794 recipients. The email falsely claimed that the Foundation was partnering with LidoDAO to offer a 6.8% Ethereum staking yield. If users clicked the link in the email and approved the transaction, their wallets would be drained. The Foundation quickly halted the malicious emails, closed the attack vector, and ensured that the hackers could no longer access the email account. The investigation revealed that the hackers obtained 81 new email addresses during the attack, but no victims lost any funds.
Amount of loss: - Attack method: Account was compromised
Description of the event: The meme coin WIFCOIN_ETH was suspected to be attacked, with a loss of ~$16K.
Amount of loss: $ 16,000 Attack method: Unknown
Description of the event: After the attack on June 10, UwU Lend was exploited again by the same attacker, resulting in a loss of $3.72 million. The attacker held a significant amount of USDE tokens obtained from the first attack, which allowed them to leverage the remaining USDE funds and drain other UwU lending pools.
Amount of loss: $ 3,720,000 Attack method: Contract Vulnerability
Description of the event: On June 10, 2024, according to the security monitoring system MistEye by SlowMist, the digital asset lending platform UwU Lend on the EVM chain was attacked, resulting in a loss of approximately $19.3 million. The attacker manipulated the price oracle by making large exchanges in the CurveFinance pool, affecting the price of the sUSDE token, and used the manipulated price to arbitrage other assets from the pool.
Amount of loss: $ 19,300,000 Attack method: Contract Vulnerability
Description of the event: MEV Bot JokInTheBoxETH was attacked and lost ~$34K. The root cause of the exploit was a poorly implemented unstake function of the staking contract. Since the unstake function does not check the state of the variable "unstake", the exploiter could unstake multiple times and drain the assets.
Amount of loss: $ 34,000 Attack method: Contract Vulnerability
Description of the event: Ethereum Layer 2 protocol Loopring posted on Twitter that some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process, falsely posing as the wallet owner to reset ownership and withdraw assets. The attack succeeded by compromising Loopring's 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian. Subsequently, the attacker transferred assets out of the affected wallets.
Amount of loss: $ 5,000,000 Attack method: Security Vulnerability
Description of the event: Renzo's co-founder, Lucas Kozinski, posted a warning on Twitter stating that the @RenzoProtocol Twitter account has been compromised. He advised not to click any links and mentioned that the team is working with Twitter to resolve the issue.
Amount of loss: - Attack method: Account was compromised
Description of the event: On May 20, 2024, the Web3 gaming platform Gala Games was attacked, resulting in a loss of approximately $21.8 million. The attacker minted 5 billion GALA tokens, worth over $200 million, and quickly sold 592 million GALA, receiving 5,952 ETH. On May 22, according to on-chain records and a statement from Gala Games on Discord, the digital wallet associated with the Gala Games hacker transferred 5,913.2 ETH, which was the hacker returning the stolen funds.
Amount of loss: $ 21,800,000 Attack method: Private Key Leakage
Description of the event: Fake Notcoin on ETH is suspected of a rug pull, and the current token price has dropped by 100%.
Amount of loss: $ 281,300 Attack method: Rug Pull
Description of the event: Patton on ETH appears to have exit scammed, resulting in a 100% price drop and causing losses exceeding $260,000.
Amount of loss: $ 266,000 Attack method: Rug Pull
Description of the event: Fake Lifeform (LFT) on Ethereum is suspected of an exit scam. The deployer called the removeLimits() backdoor to mint additional tokens and dump them on the DEX pair to drain 81 ETH (~$243K).
Amount of loss: $ 243,000 Attack method: Rug Pull
Description of the event: The Social Fi project Perpy Finance was attacked. A hacker was able to update the contract and illicitly withdrew 58,489,594 PRY tokens. These were then transferred and exchanged for 41.895 ETH. According to Perpy Finance's incident analysis report, "this breach was made possible by an error in initializing the proxy contract for the staking liquid module, which was a fork of the staking vested model previously audited and used by Camelot. We overconfidently chose not to audit this fork, incorrectly considering it risk-free, a decision that led to this exploit."
Amount of loss: $ 132,000 Attack method: Contract Vulnerability
Description of the event: NOVAMIND_ (NMD) on ETH is suspected of a rug pull. ~41 ETH (~$123k) was transferred to a multisig and the token price has dropped ~97%.
Amount of loss: $ 123,000 Attack method: Rug Pull