377 hack event(s)
Description of the event: MetaDAO carried out a rug pull, taking the funds (800 ETH, about US$3.2 million), which have since been transferred to the Tornado.cash mixer. MetaDAO's website has been suspended and is currently unavailable.
Amount of loss: 800 ETH Attack method: Rug Pull
Description of the event: Uniswap V3 liquidity management protocol Visor Finance was hacked again. The attacker exploited a vulnerability to withdraw more than 8.8 million VISR and sold it on Uniswap, causing the VISR token price to plummet by nearly 95%; the profit of over 120 ETH was laundered through Tornado Cash. According to SlowMist's analysis, the attack was due to a flaw in the RewardsHypervisor contract's permission check on user deposits, which allowed the attacker to construct a malicious contract that could arbitrarily mint staking credentials. Visor Finance was also hacked in June of this year, losing more than US$500,000.
Amount of loss: 120 ETH Attack method: Contract Vulnerability
Description of the event: The staking and yield farming platform Bent Finance tweeted that the Bent Deployer wallet upgraded the Curve pool contract on November 30, 2021 at 01:09:27 PM UTC, and that the exploiter added a malicious contract that allowed the cvxcrv and mim pools to hardcode user balances, then deployed another contract to mask it. The attackers stole a total of 513,000 cvxcrv LP tokens. Bent Finance later updated its incident report, saying that with the help of two white hat hackers the team analyzed the incident and concluded: "This was actually the work of an 'inside member'. After several days of hacking, the attackers finally agreed to return the funds to the following multisig address: 0xaBb8B277F49de499b902A1E09A2aCA727595b544. The attackers sold off (now bounced back) and sent us ETH and DAI; there was a slight shortfall in returning funds, but we've fixed that. So far, we have raised another 200,000 cvxcrv (~$1 million) from the community to help fill the gap." The team stated that the vulnerability has been fixed to ensure that such incidents do not occur again.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: At 5:21 (UTC+8) on December 15, 2021, the CHE oracle used by the WePiggy-OEC protocol briefly returned an erroneous price, causing the price of CHE in WePiggy to be far higher than the market price and resulting in abnormal liquidations of users who had borrowed CHE. Calculated at the price at the time of the incident, the total loss of user assets is approximately US$400,000.
Amount of loss: $400,000 Attack method: Abnormal liquidation
Description of the event: On December 13, the DeFi platform Definer's oracle was attacked. The incident was caused by a flaw in Definer's oracle implementation on OEC: it used the token balance of a single liquidity pool at a point in time as its price source, which made the manipulation possible. The Ethereum deployment uses Chainlink's oracle and does not have this problem.
Amount of loss: 30,765 CHE Attack method: Oracle Attack
Description of the event: Smart contract automation tool Gelato Network tweeted: "We have been alerted to a critical vulnerability in Sorbet Finance's G-UNI router contract. This vulnerability only affects users interacting with the Sorbet UI." Gelato Network released a security incident investigation report stating that white hat hackers moved a total of $27 million in assets to safety, but $744,000 of funds were still lost to malicious MEV. The project stated that the vulnerability is similar to the earlier dYdX vulnerability: the affected contract could make arbitrary low-level calls intended for executing trades on 1inch, which made exploitation possible.
Amount of loss: $744,000 Attack method: Contract Vulnerability
Description of the event: The decentralized organization Badger DAO was attacked by hackers, and user assets were transferred without authorization. According to the developers' initial inventory of affected assets, 136,000 bcvxCRV, 64,000 bveCVX, 38 ibBTC/sBTC, 13 bibBTC/sBTC, and 19 DIGG were lost in this incident.
Amount of loss: $120,000,000 Attack method: Malicious Code Injection Attack
Description of the event: The automated market maker protocol MonoX was hacked. In this attack, approximately US$18.2 million worth of WETH and US$10.5 million worth of MATIC were stolen. Other stolen tokens included WBTC, LINK, GHST, DUCK, MIM and IMX. The total loss was approximately US$31 million.
Amount of loss: $31,000,000 Attack method: Price Update Issue
Description of the event: A malicious contract attacked Visor's OHM-ETH 1% LP management contract. Visor recovered the funds in the targeted pool within hours of the attack. Funds deposited by users into Visor were not at risk.
Amount of loss: $975,720 Attack method: Flash Loan Attack
Description of the event: The DeFi derivatives protocol dYdX released an investigation report on the November 27 deposit-contract incident, stating that a serious vulnerability existed in the proxy smart contract that had been handling deposits to the dYdX exchange since November 24. At around 12:00 UTC on the 27th, the dYdX team performed a white hat rescue operation to save vulnerable user funds, totaling approximately US$2 million. These funds were sent to a non-custodial escrow contract from which only the original owner can retrieve them. However, while the dYdX team was performing the rescue, an estimated $211,000 of funds was taken by an MEV bot; the affected users have since been fully compensated.
Amount of loss: $211,000 Attack method: Contract Vulnerability
Description of the event: An administrator of OlympusDAO, a new Ethereum-based algorithmic stablecoin protocol, said on Discord that yesterday someone purchased OHM/DAI bonds that were supposed to be closed, obtaining a large discount and receiving 1,697 OHM (over US$1.4 million) instead of 59 OHM (approximately US$50,000). After OlympusDAO discovered the incident, it immediately closed the bond contract.
Amount of loss: 1,697 OHM Attack method: Contract Vulnerability
Description of the event: The DeFi protocol Formation.Fi was hit by a flash loan attack. The root cause is that the project team underestimated the effect of the fee on totalTokens when designing the swapIn function, and overlooked the differences in decimal precision between tokens.
Amount of loss: $100,000 Attack method: Flash Loan Attack
Description of the event: Users who provided USDM liquidity on the stablecoin exchange protocol Curve suffered losses due to a "governance attack" by the USDM stablecoin protocol Mochi. Curve has taken emergency measures to avoid wider losses. Previously, the Mochi team purchased Convex's CVX tokens and voted to increase the USDM pool rewards in order to boost the liquidity of USDM against other assets, then converted a large amount of USDM held by the team into DAI once liquidity had increased. The team exchanged a total of 46 million USDM for DAI. Based on the USDM-to-DAI exchange rate, the losses of users who provided USDM liquidity against other stablecoins may be close to US$30-40 million.
Amount of loss: $30,000,000 Attack method: Governance Attack
Description of the event: According to official sources, Fuse pool No. 23 (Vesper Lend beta) on the DeFi protocol Rari Fuse was attacked. The attacker drained a large amount of VUSD liquidity from Uniswap v3 and created a VUSD/USDC liquidity pool to manipulate the oracle's VUSD price feed, pushing up the VUSD price. After borrowing a large amount of assets on Vesper Lend, the attacker profited US$3 million. Vesper has officially suspended borrowing of VUSD and vVSP on the Rari Fuse platform and is working closely with Rari, Yearn and Uniswap to investigate the full impact of the attack. Investigation results and response measures will be published later.
Amount of loss: $3,000,000 Attack method: Oracle Attack
Description of the event: The DeFi lending protocol Cream Finance was attacked and lost approximately US$130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens. This is reported to be the third largest DeFi hack in history (although in the two larger incidents the funds were returned). Cream Finance has suffered multiple flash loan attacks before, losing US$37.5 million in February; another US$19 million was lost in a separate incident.
Amount of loss: $130,000,000 Attack method: Flash Loan Attack
Description of the event: The passive income protocol Indexed Finance was attacked; the affected pools included DEFI5 and CC10. After the vulnerability was discovered, protective measures were triggered and the DEGEN, NFTP and FFF pools (the latter including DEFI5 and CC10) were frozen. About half an hour ago, Indexed Finance officially stated that the root cause of the attack has been determined. The two index token pools DEGEN and NFTP have resumed normal operation, while the FFF pool remains frozen. The team stated on Discord that the damage caused by this attack was about US$16 million.
Amount of loss: $16,000,000 Attack method: Pricing mechanism issues
Description of the event: The staking liquidity solution Lido Finance discovered, through its bug bounty program, a vulnerability that could have allowed whitelisted node operators to steal a small portion of user funds. Approximately 20,000 ETH were exposed at the time the vulnerability was reported. The team has taken short-term remedial measures. The white hat who reported the vulnerability is Dmitri Tsumak, founder of StakeWise, who is expected to receive the bounty program's maximum reward of $100,000.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: While the decentralized lending protocol Compound was trying to fix the vulnerability in its liquidity mining token distribution contract through community proposal No. 63 or No. 64, a call to the drip() function transferred another US$68.8 million worth of COMP (202,472 COMP in total) into the still-vulnerable distribution contract.
Amount of loss: $68,800,000 Attack method: Contract Vulnerability
Description of the event: Compound, a decentralized lending protocol, confirmed on Twitter that after Proposal 062 was executed, the protocol's liquidity mining began distributing COMP tokens abnormally. Compound Labs and community members are investigating. Compound said that deposits and borrowed funds have not been found to be at risk. Compound founder Robert Leshner stated that the problem appeared to be an error in the initial setting of the COMP distribution rate under Proposal 062, resulting in too many COMP tokens being distributed; however, any modification to the corresponding code must go through governance, which takes at least 7 days.
Amount of loss: $80,000,000 Attack method: Contract Vulnerability
Description of the event: The DONA token auction of the Jay Pegs Auto Mart project on MISO, SushiSwap's launchpad platform, was attacked. The attacker inserted malicious code into the MISO front end and changed the auction wallet address to his own wallet address. The loss reached 865 ETH (approximately US$3.07 million). Joseph Delong, CTO of SushiSwap, said on Twitter that the vulnerability has been fixed and that FTX and Binance were asked to provide the attacker's KYC information, but both exchanges refused to cooperate. Joseph Delong also stated that he has reported the case to the FBI through his lawyer, and reminded other projects to check whether they have similar front-end vulnerabilities. According to the Ethereum block explorer Etherscan, the attacker returned all of the ETH to SushiSwap. The return was split into multiple transactions: the first returned 100 ETH, the second 700 ETH, and the third 65 ETH.
Amount of loss: - Attack method: Malicious Code Injection Attack