395 hack event(s)
Description of the event: Sudorare, an imitation of Sudoswap, is suspected of a Rug Pull. The LOOKS, WETH and XMON tokens in the contract address were transferred to an address beginning with 0xbb42 (0xbb42f789b39af41b796f6C28D4c4aa5aCE389d8A) and then sold for ETH on Uniswap, for a total profit of about 519.5 ETH (about 800,000 US dollars). The Sudorare website and Twitter account are now inaccessible. According to the analysis, the initial deployment funds came from the exchange Kraken.
Amount of loss: 519.5 ETH Attack method: Rug Pull
Description of the event: The Bribe Protocol promised a DAO infrastructure tool where "token holders get paid to govern", and raised $5.5 million in funding in January to work on their extensive roadmap. However, the project leaders have effectively disappeared. There have been no posts on the project's Twitter account since May, and their Medium page has been untouched since March.
Amount of loss: $ 5,500,000 Attack method: Scam
Description of the event: The Curve Finance frontend was attacked, prompting users to grant token approvals to malicious smart contracts. The attackers moved the stolen funds to FixedFloat and Tornado Cash, with at least 362 ETH (~$620,000) stolen. FixedFloat tweeted that they had frozen 112 stolen ETH (~$192,000).
Amount of loss: $ 428,000 Attack method: Malicious Code Injection Attack
Description of the event: An official incident report from Impermax Finance stated that a hacker was able to steal approximately 9M IMX from several wallets controlled by the team. The hacker did not sell the IMX immediately after stealing it, so the official team decided to get a head start by dumping a lot of tokens on the market before the hacker did anything. The Impermax lending protocol itself is completely immune to this, as the attack was caused by stolen private keys, not a bug in the smart contract.
Amount of loss: 9,000,000 IMX Attack method: Private Key Leakage
Description of the event: The staking platform Freeway tweeted, “The price of its token FWT fluctuated violently on July 13 and is currently under investigation. Freeway’s blockchain bridging service provider Coffe was attacked, and a large number of FWT tokens were bridged from Coffe. The Freeway platform was not compromised in any way, nor was Supercharger. However, Freeway has temporarily disabled FWT withdrawals, deposits, and purchases on the platform.” Crypto influencer FatManTerra claimed on Twitter that the project was running a "Ponzi scheme", because large withdrawals were "delayed" even before they were stopped. He refers to stopping withdrawals as income of more than $100 million. FatManTerra states that the project has removed its team biographies. In an October 22 Twitter post, FatManTerra said Freeway's chief executive had made false statements about his background, which were removed from the site after FatManTerra confronted him.
Amount of loss: - Attack method: Rug Pull
Description of the event: More than 70,000 addresses connected to Uniswap were airdropped tokens that tricked users into approving transactions that would allow attackers to control their wallets. The airdrop links users to a phishing site that resembles the real Uniswap site. Users are tricked into signing contracts, and cryptocurrencies and NFTs are stolen from wallets. One of the wallets lost more than $6.5 million worth of ether and bitcoin, and the other lost about $1.68 million worth of cryptocurrency.
Amount of loss: $ 12,900,000 Attack method: Phishing attack
Description of the event: BIFROST officially released a report saying that the BTC address registration server of the BiFi service was attacked. According to the analysis, the attack was limited to the BTC address registration server, and no vulnerability was detected in either the smart contract or the BiFi protocol. BiFi issues and uses an address for each user who deposits BTC. The deposit addresses are signed and delivered to the address issuing server, and the addresses are reflected on BiFi only when the signature is verified. In the attack, the server key of the address issuing server was exposed, and the attacker was able to self-sign their own deposit address. Since the attacker could generate a valid signature on the deposit address, BiFi mistakenly recognized the attacker’s BTC transfer as a BTC deposit into BiFi. As a result, the attacker was able to borrow 1,852 ETH with a fake deposit.
Amount of loss: 1,852 ETH Attack method: Private Key Leakage
Description of the event: $MAD was hacked. The hacker transferred all $MAD out of the contract by directly calling the transfer function of the contract holding the token, and finally made a profit of 556 BNB (worth about $115,681), which was then transferred to Tornado.Cash. The root cause is that the contract holding the tokens did not check callers of a sensitive function, so anyone could directly call the 0x9763a894 function to transfer out the tokens held in the contract.
Amount of loss: $ 115,681 Attack method: Contract Vulnerability
Description of the event: Convex Finance officially tweeted that a DNS attack caused users to approve malicious contracts during some interactions on the website, and that the problem has been fixed.
Amount of loss: 215 ETH Attack method: DNS Attack
Description of the event: Ribbon Finance said in a tweet that the homepage of its website suffered a DNS attack, causing 2 users to approve a malicious contract for vault deposits. The team has since solved the problem, and the funds in all contracts are safe. After analyzing the on-chain data, SlowMist believes that the attacker is the same one who attacked Convex. It also found that a user of Ribbon Finance lost 16.5 WBTC in the attack.
Amount of loss: 16.5 BTC Attack method: DNS Attack
Description of the event: One-stop asset management solution DeFi Saver tweeted that it experienced an attempted DNS attack and that, according to its analysis, no users were affected. DeFi Saver said that what this DNS attack has in common with those on Convex Finance and Ribbon Finance is the domain name registration service Namecheap, and reminded other projects to use it with caution.
Amount of loss: - Attack method: DNS Attack
Description of the event: The SNOOD ERC-777 smart contract was attacked, causing the liquidity of the UniswapV2Pair token to be completely drained (104 ETH).
Amount of loss: 104 ETH Attack method: Reentrancy Attack
Description of the event: Inverse Finance suffered a flash loan attack, resulting in a loss of approximately 1068.215 ETH (approximately $1.26 million). This is the second time that Inverse Finance has suffered a flash loan attack in the past two months. The main reason for this attack is the use of insecure oracles to calculate LP prices.
Amount of loss: $ 1,260,000 Attack method: Flash Loan Attack
Description of the event: The treasure swap project was attacked. The attacker used only 0.000000000000000001 WETH to exchange all the WETH tokens in the transaction pool. Reversing the contract code showed that the swap function of the attacked contract lacked the K value check. At present, the attacker has completed the attack on the two contracts 0xe26e436084348edc0d5c7244903dd2cd2c560f88 and 0x96f6eb307dcb0225474adf7ed3af58d079a65ec9, and accumulated a profit of 3,945 BNB.
Amount of loss: 3,945 BNB Attack method: K-value Verification Vulnerability
Description of the event: The ApolloX project was attacked due to a flaw in the ApolloX signature system. The attacker used the signature system flaw to generate 255 signatures, with a total of 53,946,802 $APX extracted from the contract, worth about $1.6 million.
Amount of loss: $ 1,600,000 Attack method: Signature system flaws
Description of the event: Equalizer Finance suffered flash loan attacks on four chains: Ethereum, BSC, Polygon and Optimism. The main reason for this attack is that the FlashLoanProvider contract of the Equalizer Finance protocol is not compatible with the Vault contract. According to officials, funds on Ethereum and BSC have been recovered, but funds on Optimism and Polygon remain unaccounted for.
Amount of loss: $ 50,000 Attack method: Compatibility Issue
Description of the event: The multi-chain DeFi protocol FEG was attacked again. The flash loan attack on the BNB chain caused a loss of about $1.3 million in assets, and the subsequent flash loan attack on Ethereum caused a loss of about $590,000, for a total loss of about $1.9 million in assets. This attack is similar to yesterday's attack and is caused by a vulnerability in the "swapToSwap()" function. This function directly treats the "path" entered by the user as a trusted party, without screening and validating the incoming parameters. Additionally, the function allows an unverified "path" parameter (address) to use the current contract's assets. Therefore, by calling "depositInternal()" and "swapToSwap()", the attacker can obtain permission to use the assets of the current contract, thereby stealing the assets within the contract.
Amount of loss: $ 1,900,000 Attack method: Flash Loan Attack
Description of the event: The GOAT project claimed to be "the new standard in cryptocurrencies," but one of the project's developers abruptly sold their assets, taking $260,000 with them, and the token price fell to nearly $0.
Amount of loss: $ 260,000 Attack method: Rug Pull
Description of the event: Fei Protocol officially tweeted that it has noticed multiple exploits of Rari Capital’s Fuse pool, has identified the root cause and has suspended all lending to mitigate further losses. It also announced that the hackers will get a bounty of 10 million US dollars if they return user funds. According to previous news, Fei Protocol was attacked, and the loss exceeded 28,380 ETH, about 80.34 million US dollars. The attacker's address was 0x6162759eDAd730152F0dF8115c698a42E666157F. The Rari Capital pool was attacked due to a classic reentrancy vulnerability: its function exitMarket has no reentrancy protection.
Amount of loss: $ 80,000,000 Attack method: Reentrancy Attack
Description of the event: DeFi protocol Saddle Finance was attacked, causing the protocol to lose more than $10 million.
Amount of loss: $ 10,000,000 Attack method: Flash Loan Attack