401 hack event(s)
Description of the event: The decentralized exchange Balancer disclosed on Twitter that in the Euler Finance attack, about $11.9 million was sent to Euler from the bbeUSD liquidity pool, accounting for 65% of the liquidity pool's TVL. bbeUSD had also been deposited in 4 other liquidity pools: wstETH/bbeUSD, rETH/bbeUSD, TEMPLE/bbeUSD and DOLA/bbeUSD. All other Balancer liquidity pools are safe.
Amount of loss: $ 11,900,000 Attack method: Affected by Euler Finance Attack
Description of the event: Angle Protocol, a decentralized stablecoin protocol, tweeted: “Angle Protocol was affected by the Euler exploit, which deposited 17.6 million USDC into Euler. The protocol has been suspended, the debt ceiling has been set to 0, and the Euler AMO has been closed. We are monitoring the situation and will update as soon as they are received.” Angle Protocol stated that before the Euler hack, the total value locked (TVL) of the Angle Core module was about 36 million US dollars, and 17.2 million agEUR had been minted through the Core module. In addition, the protocol holds about 11.6 million US dollars in deposits from standard liquidity providers, about 353,000 US dollars in deposits from hedging agents, and a surplus of about 5.58 million yuan.
Amount of loss: $ 17,600,000 Attack method: Affected by Euler Finance Attack
Description of the event: Inverse Finance, a DeFi lending protocol, tweeted: “Euler attack impacted DOLA-bb-e-USD pool on Balancer. Despite quick action to mitigate 90% of the impact, DOLA Fed suffered up to 86% for this pool. million in losses, excluding rewards points. Will be working with Balancer to recover the remaining funds.”
Amount of loss: $ 860,000 Attack method: Affected by Euler Finance Attack
Description of the event: SwissBorg is a crypto asset management platform that is regulated and licensed in Switzerland, France and Estonia. It has its own SwissBorg app, and users can earn money through this mobile wallet. SwissBorg stated that the ETH and USDT in the Earn strategy suffered partial losses, including 1617.23 ETH and about 1.69 million USDT, accounting for 2.27% and 29.52% of the subscription funds respectively. SwissBorg will bear all losses.
Amount of loss: $ 4,500,000 Attack method: Affected by Euler Finance Attack
Description of the event: Opyn built the first decentralized option protocol, developed the perpetual option Opyn Squeeth, and built a variety of income strategies on Squeeth. This time Opyn is affected through its Zen Bull strategy, which combines the Crab strategy with a leveraged long ETH position and is suited to low-volatility markets where the ETH price is trending upward. Since this strategy requires collateralized assets to buy ETH with leverage, it may have taken a collateralized loan on Euler, resulting in losses. Opyn has not announced the amount of the loss or how it will be dealt with.
Amount of loss: - Attack method: Affected by Euler Finance Attack
Description of the event: On February 24, 2023, Earning.farm’s USDC vault was exploited and lost about 5.15 million USDC.
Amount of loss: $ 5,150,000 Attack method: Flash Loan Attack
Description of the event: The AMM liquidity management protocol Revert Finance disclosed on Twitter that its v3utils contract was attacked, and 90% of the funds were stolen from a single account. The stolen assets included: 22983.235188 USDC, 4106.316699 USDT, 485.5786287699002 OP, 0.18217977664322793 WETH, 36.59093198260223 DAI, 211.21463945524238 WMATIC and 22 Premia. At current prices, that's about $29,000.
Amount of loss: $ 29,000 Attack method: Contract Vulnerability
Description of the event: The DEX tool Dexible was suspected of being attacked and lost about $2 million. According to the analysis, there is a logic flaw in the selfSwap function of the Dexible contract, which calls the fill function. The fill function makes a call using attacker-supplied custom data. The attacker constructs a transferFrom call in this data, passing in another user's address (0x58f5f0684c381fcfc203d77b2bba468ebb29b098) and the attacker's own address (0x684083f312ac50f538cc4b634d85a2feafaab77a), so that the tokens the user had authorized to the contract are transferred out by the attacker.
Amount of loss: $ 2,000,000 Attack method: Contract Vulnerability
Description of the event: SushiSwap's BentoBoxv1 contract was attacked, and the hacker made a profit of about $26,000. According to analysis, the attack was possible because the Kashi Medium Risk Chainlink price was updated later than the collateral deposit and borrowing. In the two attack transactions, the attacker flash-loaned 574,275 and 785,560 xSUSHI respectively. After the collateral deposit and borrowing, the price of kmxSUSHI/USDT in the LINK oracle dropped by 16.9%. By exploiting this price gap, the attacker could call the liquidate() function to liquidate the position and obtain 15,429 and 11,333 USDT.
Amount of loss: $ 26,000 Attack method: Price Manipulation
Description of the event: A fake token project named "Nostr" on the Ethereum chain has carried out a rug pull, and its funds have been transferred to a new EOA address, 0xeeB8EB5CC144eDddDB204c3ABA499de6b6081696. In the end, the fraudsters made a profit of 232.1 ETH, worth about $370,000. The token contract is 0xA2be922174605BAd450775C76CEb632369480336.
Amount of loss: 232.1 ETH Attack method: Rug Pull
Description of the event: According to intelligence from the SlowMist security team, the Numbers Protocol (NUM) token project on the ETH chain was attacked, and the attacker made a profit of about $13,836. The main reason for this attack is that the NUM token does not have a permit function but does have a callback function, so a fake signature can be passed in to deceive the cross-chain bridge and cause users' assets to be transferred out unexpectedly.
Amount of loss: $ 13,836 Attack method: Contract Vulnerability
Description of the event: The DFX Finance project on the ETH chain was attacked, and the attackers made a profit of about $231,138. According to SlowMist analysis, the main reason for this attack is that the Curve contract's flash loan function does not have re-entrancy protection. This lets the attacker re-enter the deposit function and transfer in tokens, which satisfies the balance check for the flash loan repayment. Because the re-entered deposit is also recorded to the attacker's account, the attacker can then successfully withdraw the funds for a profit.
Amount of loss: $ 231,138 Attack method: Reentrancy Attack
Description of the event: According to monitoring by the SlowMist security team, the brahTOPG project on the ETH chain was attacked, and the attacker made a profit of about $89,879. The main reason for this attack is that the Zapper contract does not strictly check the data passed in by the user, which leads to an arbitrary external call problem. The attacker used this arbitrary external call to steal the tokens of users who still had approvals granted to the contract.
Amount of loss: $ 89,879 Attack method: Contract Vulnerability
Description of the event: FriesDAO was attacked and lost about $2.3 million. An attacker gained control of the FriesDAO protocol operator's wallet through the Profanity wallet generator vulnerability, which allows the private keys of addresses generated by the tool to be brute-forced. FriesDAO stated in its official Discord channel that the developers are currently trying to negotiate a white hat bounty with the attackers in exchange for the return of the stolen funds.
Amount of loss: $ 2,300,000 Attack method: Profanity Vulnerability
Description of the event: Team Finance tweeted that the protocol’s management funds were hacked during the migration from Uniswap v2 to v3, with an identified loss of approximately $14.5 million worth of tokens. On October 31, the Team Finance white hat hacker address returned $13.4 million in digital assets, including 548.7 ETH ($860,000) to FEG, 765,000 DAI and 11.8 million TSUKA ($626,000) to Tsuka, about 5 million DAI and 74.6 trillion CAW (~$5.5 million) to CAW, and 209 ETH ($328,000) to KNDX. In addition, smithbot.eth returned 263 billion KNDX ($292,000) to KNDX.
Amount of loss: $ 14,500,000 Attack method: Contract Vulnerability
Description of the event: The redeem() function in OlympusDAO’s BondFixedExpiryTeller contract failed to properly validate its inputs, resulting in a loss of approximately $292,000. The OlympusDAO hacker has returned the stolen funds to the DAO.
Amount of loss: $ 292,000 Attack method: Contract Vulnerability
Description of the event: The Mango INU (MNGO) project has been confirmed to be an exit scam, and the token price has dropped by more than 80%. This token project was deployed by the Mango Market attackers and has made a profit of about $48,500.
Amount of loss: $ 48,500 Attack method: Scam
Description of the event: According to Cointelegraph, a vulnerability in the Ethereum Alarm Clock service has been exploited, and the hacker has so far made about $260,000 in profit. According to the analysis, the hackers exploited a loophole in the scheduled transaction process to profit from the refund of gas fees for canceled transactions. According to Etherscan transaction history, the hackers have obtained 204 ETH, worth about $259,800. The Ethereum Alarm Clock service reportedly allows users to schedule future transactions by setting the recipient address, the amount to send and the transaction time in advance.
Amount of loss: $ 260,000 Attack method: Contract Vulnerability
Description of the event: The EFLeverVault contract of Earning.Farm was attacked twice using flash loans. The first attack was intercepted by an MEV bot, causing the contract to lose 480 ETH; the second attacker completed the attack and made a profit of 268 ETH. According to analysis, the vulnerability is caused by the contract’s flash loan callback function not verifying the flash loan initiator. The attacker can trigger the contract’s flash loan callback logic directly, which repays the Aave stETH debt in the contract, withdraws the funds, and then exchanges stETH for ETH. The attacker can then call the withdraw function to withdraw the entire ETH balance held in the contract.
Amount of loss: 268 ETH Attack method: Flash Loan Attack
Description of the event: The Journey of Awakening (ATK) project suffered a flash loan attack. The attacker used a flash loan to attack the strategy contract of the ATK project (0x96bF2E6CC029363B57Ffa5984b943f825D333614) and obtained a large amount of ATK tokens from the contract. The attackers have exchanged all of the obtained ATK tokens for approximately $120,000 in BSC-USD, and the stolen funds are currently being exchanged for BNB and transferred in full to Tornado Cash.
Amount of loss: $ 120,000 Attack method: Flash Loan Attack