243 hack event(s)
Description of the event: On September 21st, a large amount of YZER liquidity was removed. The deployer profited ~$28.6k from this liquidity removal.
Amount of loss: $ 28,600 Attack method: Rug Pull
Description of the event: On September 10, according to on-chain intelligence from the SlowMist security team, when the LDO token contract processes a transfer operation, if the transfer amount exceeds the amount actually held by the user, the operation does not revert the transaction. Instead, it directly returns `false` as the processing result. This behavior differs from many common ERC20 standard token contracts. Because of this, there is a potential risk of "fake top-up", and malicious attackers may try to use this feature to conduct fraud. On September 11, Lido stated that this behavior was expected and complies with ERC20 token standards. LDO and stETH are still safe. The Lido Token Integration Guide will be updated with LDO details to make this more obvious.
Amount of loss: - Attack method: False top-up
Description of the event: A fake Lybra Finance token executed an exit scam on September 5th. The deployer added 60 WETH to the LP and removed 83 WETH, profiting 23 WETH (~$37k).
Amount of loss: $ 37,000 Attack method: Exit Scam
Description of the event: The CoredeFinance project performed an exit scam and EOA (0x18500) made a profit of 27 ETH (~$43,900).
Amount of loss: $ 43,900 Attack method: Rug Pull
Description of the event: The BabyShia project implemented an exit scam. The deployer (0xCbcd8) has earned 133 ETH (about $226,000).
Amount of loss: $ 226,000 Attack method: Rug Pull
Description of the event: For months, Ethereum layer 2 solution Starkware repeatedly warned users that their funds would be lost if they did not take action before upgrading, but some users apparently did not see these notifications, which resulted in many users being locked out of their StarkWare accounts and losing access to funds, totaling $550,000 in affected accounts. Due to community pressure, Starkware has re-enabled the ability to upgrade wallets.
Amount of loss: $ 550,000 Attack method: Wallet not upgraded
Description of the event: Balancer says it has received reports of a critical vulnerability affecting multiple V2 pools. Emergency mitigation procedures have been implemented to secure the majority of TVL, but some funds remain at risk. Users are advised to immediately withdraw affected LPs. According to news on August 28, Balancer’s losses have exceeded $2.1 million, and multiple fund pools on Ethereum, Fantom, and Optimism have been affected.
Amount of loss: $ 2,100,000 Attack method: Flash Loan Attack
Description of the event: The DeFi lending protocol Exactly Protocol was attacked and lost more than 7,160 ETH (approximately $12.04 million). The two contract attackers attacked by calling the function kick() multiple times, used the developer contract on Ethereum to transfer deposits to Optimism, and eventually transferred the stolen funds back to Ethereum. The root cause of the Exactly Protocol attack is #insufficient_check: the attacker bypasses the permission check in the leverage function of the DebtManager contract by directly passing an unverified fake market address and changing _msgSender to the victim address. Then, in an untrusted external call, the attacker re-enters the crossDeleverage function in the DebtManager contract and steals the collateral from the _msgSender class. Exactly Protocol tweeted that the suspension of the protocol has been lifted, users can perform all operations, and no liquidation has occurred. The hack only affected users using the peripheral contract (DebtManager); the protocol is still functioning normally.
Amount of loss: $ 7,300,000 Attack method: Unchecked Input Data
Description of the event: The official Twitter account of Ethereum expansion solution Metis was stolen. According to officials, team members fell victim to a SIM swap attack, which allowed malicious actors to take over the account for approximately 30 hours.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The Zunami Protocol on Ethereum suffered a price manipulation attack and lost 1,179 ETH (approximately $2.2 million). The reason for the incident is that the calculation of LP price in the vulnerable contract depends on the CRV balance of the contract itself and the conversion ratio of CRV in the wETH/CRV pool. The attacker manipulated the LP price by transferring CRV to the contract and manipulating the conversion ratio of the wETH/CRV pool. According to MistTrack analysis, ETH has been transferred to Tornado Cash at present.
Amount of loss: $ 2,200,000 Attack method: Price Manipulation
Description of the event: The DeFi project Earning.Farm suffered a reentrancy attack and lost 286 ETH (approximately $530,000). According to the analysis of SlowMist, the attacker re-enters the transfer function of LP to transfer LP tokens when withdrawing money, making the balance of the account smaller than the previously calculated shares value, triggering the logic of updating the shares value, resulting in the number of manipulated LPs being updated to the desired value. In terms of the value of the burned shares, this resulted in the final amount of LP burned being much smaller than expected, and the user can withdraw the funds in the pool by withdrawing the transferred LP again.
Amount of loss: $ 530,000 Attack method: Reentrancy Attack
Description of the event: Steadefi, an automated yield leveraged strategy platform, tweeted: “Our protocol deployer wallet (which is also the owner of all vaults in the protocol) has been compromised. Attackers have transferred ownership of all vaults (borrows and strategies) to them in a wallet controlled by the user and continue to take various owner-only operations, such as allowing any wallet to be able to borrow any available funds from the lending vault. Currently, all available lending capacity on Arbitrum and Avalanche has been exhausted by the attackers, and the assets have been swapped for ETH and bridged to Ethereum. On-chain messages have been sent to the attacker wallet address for negotiation. Steadefi wants to discuss the bounty with parties involved in the exploit, offering a 10% reward on the stolen funds.” Steadefi has lost approximately $1.1 million in the incident. On August 8, the Steadefi team managed to recover approximately $540,000 in user funds from remaining vaults.
Amount of loss: $ 1,100,000 Attack method: Private Key Leakage
Description of the event: A large amount of Bitlord (BITLORD) liquidity has been removed. The deployer removed about 309 WETH from the LP, worth about $567,000. The token project is suspected to be a honeypot scam.
Amount of loss: $ 567,000 Attack method: Scam
Description of the event: The Uwerx network was attacked and lost about 174.78 ETH. According to the analysis of SlowMist, the root cause is that when the receiving address is uniswapPoolAddress (0x01), the contract burns an additional 1% of the transfer amount from the from address. The attacker therefore uses the skim function of the Uniswap V2 pool to consume a large number of WERX tokens, then calls the sync function to maliciously inflate the price of the token, and then swaps in reverse to extract the ETH for profit.
Amount of loss: $ 324,000 Attack method: Price Manipulation
Description of the event: InsurAce, a DeFi insurance protocol, tweeted: "Our Discord server experienced a security breach. Our team discovered an unauthorized access to the server earlier today. We take this incident very seriously and are working hard to correct the situation. During this time, please do not interact with the server." According to the analysis of SlowMist, the phishing website is insurance.gift, and PinkDrainer is behind it.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a faulty recursive lock. crvUSD contracts and other fund pools are not affected. As of now, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix's funds in the Curve pool. On August 19, MetronomeDAO stated that a MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.
Amount of loss: $ 73,500,000 Attack method: Affected by Vyper Vulnerability
Description of the event: DeFi lending protocol Alchemix said on Twitter that after receiving notification from Curve Finance that the alETH/ETH pool was attacked due to a Vyper bug, Alchemix quickly began removing AMO-controlled liquidity from the Curve pool through the AMO contract. The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been compromised in any way and funds are safe. executed on the contract. Three transactions are required: unstake LP tokens from Convex, withdraw alETH from Curve pool, and withdraw ETH from Curve pool. The first transaction above has been executed, and after the second transaction is executed, 8000 ETH is removed from the Curve pool. This means that there is still about 5,000 ETH liquidity controlled by AMO in the Curve pool. In the process of removing the remaining liquidity, the alETH/ETH Curve pool was drained by the attacker. Currently, the alETH reserve has lost about 5,000 ETH. On September 4th, Alchemix issued a document stating that a white hat MEV robot operator has returned 43.3 ETH profits obtained through arbitrage from the Curve alETH/ETH pool attack incident, which will be added to the redistribution of funds.
Amount of loss: 5000 ETH Attack method: Affected by Vyper Vulnerability
Description of the event: On August 6, the Ethereum compiler Vyper released an analysis report on last week's vulnerability incidents: Prior to July 30, due to potential vulnerabilities in the Vyper compiler, multiple Curve liquidity pools were exploited. While the bug was identified and patched, the impact on protocols using the vulnerable compiler was not recognized at the time, nor were they explicitly notified. The vulnerability itself is an improperly implemented reentrancy prevention, and the affected Vyper versions are v0.2.15, v0.2.16, v0.3.0. The vulnerability was fixed and tested in v0.3.1; v0.3.1 and later are safe.
Amount of loss: - Attack method: Compiler Bug
Description of the event: This second attack was unrelated to the ETH Omnipool's re-entrancy exploit. The attacker was able to realize a profit of approximately $300k by exploiting the crvUSD Omnipool. We will share more updates as we continue to investigate.
Amount of loss: $ 300,000 Attack method: Flash Loan Attack
Description of the event: On July 21, Conic Finance's ETH omnipool was hit by a series of small hacks that cost around $3.2 million. Conic Finance issued an update on the attack, saying, “The root cause of the attack is due to an incorrect assumption about the address returned by the ETH’s Curve meta-registry in the Curve V2 pool, which enables reentrancy attacks and is deploying fixes for the affected contracts.”
Amount of loss: $ 3,200,000 Attack method: Reentrancy Attack