377 hack event(s)
Description of the event: Fei Protocol officially tweeted that it has noticed multiple exploits of Rari Capital’s Fuse pool, has identified the root cause and has suspended all lending to mitigate further losses. It also announced that the hackers will get a bounty of 10 million US dollars if they return user funds. According to previous news, Fei Protocol was attacked, and the loss exceeded 28,380 ETH, about 80.34 million US dollars. The attacker's address was 0x6162759eDAd730152F0dF8115c698a42E666157F. The Rari Capital pool was attacked due to a classic reentrancy vulnerability: its exitMarket function has no reentrancy protection.
Amount of loss: $ 80,000,000 Attack method: Reentrancy Attack
Description of the event: DeFi protocol Saddle Finance was attacked, causing the protocol to lose more than $10 million.
Amount of loss: $ 10,000,000 Attack method: Flash Loan Attack
Description of the event: In April, attackers exploited a vulnerability to steal $80 million from Rari Capital, and the asset management project Babylon Finance, Rari's main lending pool, lost $3.4 million as a result. On Aug. 31, Babylon Finance founder Ramon Recuero published a blog post announcing that Babylon would be shutting down and pledging to distribute remaining project funds to holders.
Amount of loss: $ 3,400,000 Attack method: Affected by the Rari Capital vulnerability
Description of the event: The protocol loss caused by the flash loan attack on the Ethereum-based algorithmic stablecoin project Beanstalk Farms is about 182 million US dollars. The specific assets include 79238241 BEAN3CRV-f, 1637956 BEANLUSD-f, 36084584 BEAN and 0.54 UNI-V2_WETH_BEAN. The attackers made over $80 million, including about 24,830 ETH and 36 million BEAN. The main reason for this attack is that there is no time interval between the voting on and the execution of a proposal, so the attacker could execute a malicious proposal directly after completing the vote, without community review.
Amount of loss: $ 182,000,000 Attack method: Flash loan attack
Description of the event: According to BasketDAOOrg's official Twitter, there is a vulnerability in BMIZapper, which caused users to lose about 1.2 million US dollars.
Amount of loss: $ 1,200,000 Attack method: Contract Vulnerability
Description of the event: DeFi protocol Revest Finance has been hacked. Hackers stole nearly 7.7 million ECO, 579 LYXe, nearly 715 million BLOCKS, and over 350,000 RENA. According to SlowMist analysis, the attack was possible because the handleMultipleDeposits function in the tokenVault contract does not check whether the newly minted NFT already exists, so the attacker used this to directly modify the information of an NFT that had already been minted. In addition, the key functions in the Revest contract are not protected by reentrancy locks, which allowed them to be exploited through callbacks.
Amount of loss: $ 120,000 Attack method: Reentrancy Attack
Description of the event: InuSaitama is suspected to have suffered an arbitrage attack. The attacker (0xAd0C834315Abfa7A800bBBB5d776A0B07b672614) Saitamask (0x00480b0abBd14F2d61Aa2E801d483132e917C18B) exchanged almost 10 times the value of SAITAMA Token through swap, and then exchanged it back to ETH through Uniswap, and transferred it to 0x63493e679155c2f0aAd5Bf96d65725AD6427faC4, with a total profit of about 4.
Amount of loss: 430 ETH Attack method: Arbitrage attack
Description of the event: According to official reports, attackers exploited Li.finance’s smart contracts and managed to steal around $600,000 (currently worth $587,500 or 205 ETH) from 29 wallets. Attackers took various tokens from users’ wallets, including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. The project team has found the vulnerability and created a fix, compensating most of the affected users in less than 18 hours.
Amount of loss: $ 600,000 Attack method: Contract Vulnerability
Description of the event: DeFi oracle Umbrella Network’s Ethereum and BNB Chain (formerly BSC) reward pools were hacked, resulting in the hackers earning around $700,000. The hacker was able to succeed because of an unchecked vulnerability in withdraw(), which let anyone withdraw any amount of funds without having any balance.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: DeFi protocol Deus Finance was hit by a flash loan attack. The hackers manipulated the oracle price and stole about $3 million, including 200,000 DAI and 1101.8 ETH, through Tornado mixing.
Amount of loss: $ 3,000,000 Attack method: Flash loan attack
Description of the event: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, a white hat, has returned funds to the affected RigoBlock pool, keeping only 10% as a bug bounty reward.
Amount of loss: 160.86 ETH Attack method: Contract Vulnerability
Description of the event: The venture capital DAO organization Build Finance tweeted that the project suffered a malicious governance takeover. The malicious actors successfully took control of the Build token contract by getting enough votes, minting 1,107,600 BUILD tokens in three transactions and exhausting most of the funds in the Balancer and Uniswap liquidity pools. The attackers then took control of the Balancer pools via governance contracts and drained the remaining funds, including 130,000 METRIC tokens. The METRIC liquidity pools on Uniswap and Fantom both subsequently came under intense selling pressure. As it stands, attackers have full control over governance contracts, minting keys, and treasuries, and the DAO no longer controls any part of critical infrastructure.
Amount of loss: 168 ETH Attack method: Governance Attack
Description of the event: The QI Vesting contract on the streaming digital asset protocol Superfluid has been exploited by an attacker by passing in incorrect call data. This vulnerability allows the attacker to transfer funds from Superfluid user wallets to Polygon and exchange them for ETH.
Amount of loss: $ 13,000,000 Attack method: Contract Vulnerability
Description of the event: According to Rugdoc, AFKSystem rugged all of their vaults for a combined profit of around $12 million. Although AFKSystem had severely cut their governance authority, they still retained an important privilege: changing the routers that sell the harvested tokens.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: White hat hackers at @immunefi discovered a critical vulnerability in the wxBTRFLY Token contract. The transferFrom function in the contract did not update the recipient's authorization correctly, and would incorrectly update the msg.sender's authorization. Although the vulnerability itself is serious, the cause is not complicated (more like a clerical error by the developer). What is more interesting is the official repair method. Since the contract itself does not support upgrades, the contract code cannot be updated directly; the contract also does not support suspension, so it is not possible to transfer user assets by means of snapshot + migration. The final official measure was for the team to launch an attack transaction itself, transferring the assets of all users affected by the vulnerability to a multi-signature wallet.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: CityDAO, an Ethereum-based community blockchain city project, has posted that the CityDAO Discord administrator account has been hacked. Hackers used the stolen admin account to post fake land airdrop messages and stole 29.67 ETH ($95,000) in funds. The attacked administrator, "Lyons800," tweeted that the attack was a "ridiculous security breach from Discord."
Amount of loss: 29.67 ETH Attack method: Discord was hacked
Description of the event: The attackers withdrew approximately 350 ETH (equivalent to $1.1 million) from Float Protocol’s Rari Capital pool. The reason is that Uniswap V3 FLOAT/USDC oracles lack liquidity, which allows attackers to manipulate the price in the pool and then deposit at a higher interest rate. The hackers returned about $250,000 for some reason.
Amount of loss: 350 ETH Attack method: Price Manipulation
Description of the event: Vesper Finance tweeted that its No. 23 lending pool, Vesper Lend beta, launched on the interest rate protocol Fuse, has been attacked again. The attacker manipulated an oracle and drained approximately $1 million of DAI, ETH, WBTC, and USDC from the beta test borrowing pool. This is not an attack on the Vesper contract, and no VSP or VVSP is threatened. Vesper has banned the lending of all tokens in Beta Vesper Lend Rari Pool #23, and also switched the oracle from VUSD/USDC to VUSD/ETH (Uni v3). Prior to this, the Vesper Lend loan pool on Rari Fuse was attacked, and the attacker made a profit of 3 million US dollars.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: SashimiSwap was attacked due to a logic error in the swap function, and the attacker ultimately made a profit of 6,261.304 UNI, 4,466,096 Sashimi and 63,762 USDT, nearly $200,000.
Amount of loss: $ 200,000 Attack method: Contract Vulnerability
Description of the event: On December 28th, according to Twitter user coby.eth, a fake MetaMask governance token was created and launched on the DEXTools platform. The creator of the token used malicious code so that when users browsed the token information, a pop-up interface showed that the MASK Token was verified and displayed a forged platform verification mark (blue certification symbol). coby.eth stated that after the transaction volume exceeded US$1 million, the token was transformed into a "Pixiu Pan", and users could only buy but not sell. According to browser data, the total transaction volume of this "Pixiu Pan" MASK Token is close to 10 million U.S. dollars, with a total of 642 related transactions and close to 400 addresses.
Amount of loss: $ 10,000,000 Attack method: Scam