312 hack event(s)
Description of the event: xToken, the DeFi staking and liquidity strategy platform, released an analysis report on the xSNX contract vulnerability after suffering a flash loan attack. At 4:43 UTC on August 29th, a vulnerability in the xSNX contract was exploited, and holders' losses were estimated at 4.5 million U.S. dollars. xToken believes that it is best to stop offering the xSNX product at this time and stated that it will no longer use the xSNX contract for SNX staking.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: DAO Maker issued an announcement stating that at around 1:00 UTC on August 12th, hackers maliciously used a DAO Maker wallet and obtained administrator rights. After initially testing this vulnerability and successfully stealing 10,000 USDC, the attacker quietly made another 15 transactions. In this way, the hackers took approximately $7 million before the security team was able to track, control, and stop the outflow of funds. A total of 5,251 users were affected, and each user lost an average of $1,250. Users holding up to $900 in funds were not affected at all.
Amount of loss: $ 7,000,000 Attack method: Private Key Leaked
Description of the event: Punk Protocol, the decentralized annuity protocol, stated that it was attacked during its fair launch, causing a loss of 8.9 million US dollars. Later, the team recovered another 4.95 million US dollars and transferred it to a secure wallet. The Punk Protocol team stated that the attacker found a critical vulnerability in the investment strategy and extracted more than 8.9 million U.S. dollars in three stablecoin assets (USDC, USDT, DAI) from the Forge-CompoundModel module, but a white hat hacker noticed the attacker's intent and executed a transaction that recovered $4.95 million. The lost funds have been transferred to the Ethereum mixing platform Tornado.cash, so they are difficult to trace.
Amount of loss: $ 3,950,000 Attack method: Contract Vulnerability
Description of the event: BachOnChain, a core member of Duet Protocol, a multi-chain synthetic asset protocol, tweeted that Zerogoki, the Duet Protocol pioneer network, experienced an oracle attack a few hours earlier, and the wrong price led to unrecognized transactions. BachOnChain said that the oracle has been suspended, that zUSD has experienced some fluctuation, and that the price is expected to recover through market trading and arbitrage after a period of time.
Amount of loss: $ 670,000 Attack method: Oracle attack
Description of the event: Popsicle Finance, a multi-chain revenue optimization platform, was attacked. The core of the vulnerability is that, due to a defect in how reward updates were recorded, the same PLP certificate could yield rewards to multiple holders at the same point in time.
Amount of loss: $ 20,000,000 Attack method: Reward Mechanism Flaw
Description of the event: The attacker used the mechanism of the deflationary token KEANU to attack a reward vulnerability in the Memestake contract deployed by Sanshu Inu, ultimately making a profit of about 56 ETH.
Amount of loss: 56 ETH Attack method: Reward Mechanism Flaw
Description of the event: The DeFi project Array Finance suffered a flash loan attack. The attacker took advantage of the fact that Array Finance's pricing mechanism relies on aBPT's totalSupply. Officials stated that the attacker made a profit of about 272.94 ETH, worth about $515,000.
Amount of loss: 272.94 ETH Attack method: Flash loan attack
Description of the event: DeFiPie (PIE), the lending protocol on Ethereum and Binance Smart Chain, was hacked. It is recommended that all liquidity providers withdraw all liquidity from the application. PIE tokens fell by more than 66% in 24 hours. The attacker used a reentrancy attack to over-borrow and borrowed a portion of the valuable assets. The attacker then used fake tokens to perform liquidations and took the valuable collateral, so the DeFiPie protocol lost not only the lent assets but also all of the collateral, and its liquidity was lost.
Amount of loss: 124,999 BUSD Attack method: Reentrancy Attack
Description of the event: According to official sources, 300,000 DVG tokens were stolen from the DeFi asset management platform DAOventures due to a vulnerability in the contract of the cross-chain asset bridge ChainSwap. DAOventures stated that it took snapshots of DVG holders and LPs before the attack and that it will compensate the affected token holders. The DAOventures team stated that users' assets in DAOventures are safe. Until the compensation plan is announced, DAOventures reminds users not to purchase DVG for the time being and to follow the team's latest updates.
Amount of loss: 300,000 DVG Attack method: Contract Vulnerability
Description of the event: According to official sources, over 3 million UMB tokens were stolen from the DeFi oracle Umbrella Network due to a vulnerability in the contract of the cross-chain asset bridge ChainSwap.
Amount of loss: 3,000,000 UMB Attack method: Contract Vulnerability
Description of the event: The DEX trading tool DEXTools (DEXT) tweeted that it was recently hacked and that some DEXT holders were affected.
Amount of loss: - Attack method: Unknown
Description of the event: The Ethereum 2.0 staking solution SharedStake released an incident report stating that SharedStake tokens were minted before the official launch because an insider exploited a vulnerability in the time-locked contracts (that is, smart contracts that perform certain operations at a fixed time). The vulnerability was submitted to the team by the white hat Lucash-dev on April 26. Because a team member had permission to view the vulnerability report, he used the vulnerability four times on June 19 and 23 to mint tokens worth about 500,000 USD on mainnet, which were sold and staked after the official launch. Although there is not enough evidence, the core members of SharedStake suspect that it was the work of a new team member.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability
Description of the event: 230 ETH was taken through an emergency withdrawal from a smart contract of Visor Finance, a DeFi liquidity protocol based on Uniswap V3. The attacker gained access to an account that manages certain Hypervisor management functions and then transferred the funds to Tornado.cash.
Amount of loss: $ 504,845 Attack method: Permission Stolen
Description of the event: The alETH pool of the DeFi lending protocol Alchemix is suspected to have a vulnerability that lets users withdraw their collateralized ETH while they still have outstanding alETH debt. Alchemix released an alETH pool incident report stating that, due to an error in the alETH pool deployment script, users who had borrowed alETH at a 4:1 collateral ratio had no debt left to repay, and nearly 2000 ETH of the debt ceiling was released so that new alETH could be minted again. This, combined with Alchemix's use of the wrong index in the vault array, forced the transmuter, which backs the protocol mechanism, to send its funds entirely toward repaying users' debt. The team has stopped collateralized borrowing in the pool. As of the time of the report, alETH has a gap of -2,688.634, which is about 6.53 million U.S. dollars. Alchemix stated that there was no loss of user funds, and Yearn did not suffer any loss.
Amount of loss: $ 6,530,000 Attack method: Contract Vulnerability
Description of the event: According to an official statement from the on-chain options protocol FinNexus, part of FinNexus' hardware was attacked by malware, and an unknown hacker infiltrated the FinNexus system and managed to recover the private key that owns the FNX token contract. FNX was minted, transferred or sold in large quantities in a short period of time, involving more than 300 million FNX tokens (about 7 million US dollars) on BSC and Ethereum.
Amount of loss: $ 7,000,000 Attack method: Private Key Leakage
Description of the event: The DeFi staking and liquidity strategy platform xToken was attacked, and the xBNTa Bancor pool and the xSNXa Balancer pool were immediately drained, causing nearly $25 million in losses. According to the SlowMist security team's analysis, the two modules hacked this time were the xBNTa contract and the xSNXa contract in xToken. The two contracts were subjected to a "counterfeit currency" attack and an oracle manipulation attack, respectively.
Amount of loss: $ 25,000,000 Attack method: Oracle Attack
Description of the event: The DeFi robo-advisor protocol Rari Capital stated on Twitter that its ETH fund pool was attacked through a vulnerability caused by its integration with the Alpha Finance Lab protocol. The rebalancer has now removed all funds from Alpha. The team stated that it is still investigating and evaluating, and that a full report will be released in the future. Data shows that about 14 million U.S. dollars of funds were transferred by the attackers. The Alpha Finance team stated that the funds on Alpha Homora are safe. The address that attacked Rari Capital in this incident had previously attacked Value DeFi on the Binance Smart Chain.
Amount of loss: $ 14,000,000 Attack method: Contract Vulnerability
Description of the event: DeFi protocol ValueDeFi is suspected of being hacked again after being hacked on the 5th. ValueDeFi reminds users in the community, "All non-50/50 transaction pools of the project have been used. Please stop purchasing gvVALUE and vBSWAP until the project team provides a solution." It was subsequently confirmed that more than 3,000 ETH (approximately 10 million U.S. dollars) were lost.
Amount of loss: $ 10,000,000 Attack method: Contract Vulnerability
Description of the event: Value DeFi stated that at 11:22 on May 5th, the attacker reinitialized the fund pool, set the operator role to himself, and set _stakeToken to HACKEDMONEY. Having taken control of the pool, the attacker called governmentRecoverUnsupported(), which drained the original staked token (vBSWAP/BUSD LP). The attacker then removed liquidity for 10839.16 vBSWAP/BUSD LP and obtained 7342.75 vBSWAP and 205659.22 BUSD. Subsequently, the attacker sold all 7342.75 vBSWAP on 1inch to obtain 8790.77 BNB, and used the BNB and BUSD to buy renBTC, which was converted to BTC through renBridge. The attacker made a total of 205,659.22 BUSD and 8,790.77 BNB. The 2802.75 vBSWAP currently in the reserve fund and the 205,659.22 BUSD of the ValueDeFi deployer will be used to compensate all users in the pool. The remaining 4540 vBSWAP can be compensated in one of two ways. The first option is to mint 4540 vBSWAP to compensate all affected users immediately; the other option is to mint 2270 vBSWAP for immediate compensation, with the rest returned to the contract within 3 months. Value DeFi emphasized that only the vStake profit sharing pool of vBSWAP on bsc.valuedefi.io was affected, and that other fund pools and funds are safe.
Amount of loss: $ 5,817,780 Attack method: Contract Vulnerability
Description of the event: Fei Labs, the development team of the decentralized stablecoin project Fei Protocol, tweeted that a vulnerability involving the ETH bonding curve contract was discovered and disclosed on May 2, and that the contract was immediately suspended. The vulnerability has not been exploited and will not affect any users. The vulnerability would have allowed flash loan market manipulation to drain Fei Protocol's Protocol Controlled Value (PCV). In addition, Fei Protocol awarded the vulnerability discoverer Alexander Schlindwein an $800,000 TRIBE token reward. OpenZeppelin and Alexander Schlindwein have assisted in reviewing and verifying the fix, which sends ETH from the bonding curve to the reserve stabilizer instead of the ETH-FEI Uniswap pool to eliminate the attack vector, and adds other checks to the pool to prevent malicious arbitrage.
Amount of loss: - Attack method: Contract Vulnerability