401 hack event(s)
Description of the event: The attackers withdrew approximately 350 ETH (equivalent to $1.1 million) from Float Protocol’s Rari Capital pool. The reason is that Uniswap V3 FLOAT/USDC oracles lack liquidity, which allows attackers to manipulate the price in the pool and then deposit at a higher interest rate. The hackers returned about $250,000 for some reason.
Amount of loss: 350 ETH Attack method: Price Manipulation
Description of the event: Vesper Finance tweeted that its No. 23 lending pool Vesper Lend beta launched on the interest rate agreement Fuse has been attacked again. The attacker manipulated an oracle and depleted the beta test borrowing pool of DAI, ETH, WBTC, and USDC of approximately $1 million. This is not an attack on the Vesper contract, no VSP or VVSP is threatened. Vesper has banned the lending of all tokens in Beta Vesper Lend Rari Pool #23, and also switched the oracle from VUSD/USDC to VUSD/ETH (Uni v3). Prior to this, the Vesper Lend loan pool on Rari Fuse was attacked, and the attacker made a profit of 3 million US dollars.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: SashimiSwap was attacked due to a logic error in the swap function, and the attacker finally made a profit: 6,261.304 uni, 4,466,096 Sashimi and 63,762 usdt, nearly $200,000.
Amount of loss: $ 200,000 Attack method: Contract Vulnerability
Description of the event: On December 28th, according to Twitter user coby.eth, a fake MetaMask governance token was created and launched on the DEXTools platform. The creator of the token used malicious code to make users browse the token information, and a pop-up interface showed that the MASK Token was verified and displayed A forged platform verification mark (blue certification symbol) is displayed. coby.eth stated that after the transaction volume exceeded US$1 million, the token was transformed into a "Pixiu plate", and users could only buy but not sell. According to browser data, the total transaction volume of this "Pixiu Pan" MASK Token is close to 10 million U.S. dollars, with a total of 642 related transactions and close to 400 addresses.
Amount of loss: $ 10,000,000 Attack method: Scam
Description of the event: MetaDAO took a Rug Pull, took away the funds (800 ETH, about 3.2 million US dollars), and has been transferred to Tornado.cash mixed currency. MetaDAO's website is currently unavailable due to suspension.
Amount of loss: 800 ETH Attack method: Rug Pull
Description of the event: Uniswap V3 liquidity management protocol Visor Finance was hacked again. Hackers took advantage of the loopholes to withdraw more than 8.8 million VISRs and sold them on Uniswap, causing the VISR tokens to plummet by nearly 95% and profit over 120 ETH through Tornado Cash. Money laundering. According to SlowMist analysis, this attack is due to a flaw in the RewardsHypervisor contract when checking the permissions of the user's recharge, causing the attacker to construct a malicious contract to arbitrarily cast mortgage credentials. Prior to this June, Visor Finance was also hacked and lost more than US$500,000.
Amount of loss: 120 ETH Attack method: Contract Vulnerability
Description of the event: The staking and yield farming platform Bent Finance tweeted that the Bent Deployer wallet upgraded the curve pool contract from November 30, 2021 to 2021 01:09:27 PM +UTC, and the exploiter added a malicious contract that made cvxcrv and cvxcrv and The mim pool is able to hardcode user balances and then deploy another contract to mask it. The attackers stole a total of 513,000 cvxcrv LP tokens. Bent Finance later updated the incident report saying that with the help of two white hat hackers, the team analyzed the incident and concluded: "This was actually the work of an 'inside member'. After several days of hacking, the attackers finally agreed to return the funds to the following multisig address: 0xaBb8B277F49de499b902A1E09A2aCA727595b544. The attackers sold off (now bounced back) and sent us ETH and DAI, there was a slight shortfall in returning funds, but we've fixed that. So far, we have raised another 200,000 cvxcrv (~$1 million) from the community to help fill the gap. "The official said that the vulnerability has been fixed to ensure that such incidents do not occur again.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: At 5:21 (UTC+8) on December 15, 2021, the WePiggy-OEC agreement made a short-term error in the CHE oracle, which caused the price of CHE in WePiggy to be much higher than the market price, resulting in abnormal liquidation for users who borrowed CHE assets. Calculated at the price at the time of the incident, the total loss of user assets is approximately US$400,000.
Amount of loss: $ 400,000 Attack method: Abnormal liquidation
Description of the event: On December 13, the DeFi platform Definer oracle was attacked. This incident was caused by the problem of Definer’s implementation of the oracle in OEC. It used the token balance of a single liquidity pool at a point in time as the price source, which led to the accident. The implementation of Ethereum used ChainLink’s The oracle does not have this problem.
Amount of loss: 30,765 CHE Attack method: Oracle Attack
Description of the event: Smart contract automation tool Gelato Network tweeted: "We have been alerted to a critical vulnerability in Sorbet Finance's G-UNI router contract. This vulnerability only affects users interacting with the Sorbet UI." Gelato Network released a security incident investigation report, saying that white hat hackers transferred a total of $27 million in assets to ensure the safety of user assets, but there were still $744,000 of funds that were maliciously attacked by MEV. The project stated that the vulnerability that emerged this time is similar to the previous dydx vulnerability, and the smart contract at risk can make arbitrary low-level calls aimed at executing transactions on 1inch, making potential exploits possible.
Amount of loss: $ 744,000 Attack method: Contract Vulnerability
Description of the event: The decentralized organization Badger DAO was attacked by hackers, and user assets were transferred without authorization. According to the developer's initial inventory of damaged assets, 136,000 bcvxCRV, 64,000 bveCVX, 38 ibBTC/sBTC, 13 bibBTC/sBTC, and 19 DIGG have been lost in this incident.
Amount of loss: $ 120,000,000 Attack method: Malicious Code Injection Attack
Description of the event: The automatic market maker protocol MonoX was hacked. In this attack, approximately US$18.2 million worth of WETH and 10.5 million US dollars of MATIC were stolen. Other stolen tokens included WBTC, LINK, GHST, DUCK, MIM and IMX. The total loss was approximately 31 million U.S. dollars.
Amount of loss: $ 31,000,000 Attack method: Price Update Issue
Description of the event: The malicious contract attacked Visor's OHM-ETH 1% LP management contract. Funds in the targeted pool were recovered by Visor just hours after the attack. The funds deposited by users into Visor are not at risk.
Amount of loss: $ 975,720 Attack method: Flash Loan Attack
Description of the event: DeFi Derivatives Agreement dYdX released an investigation report on the deposit contract accident on November 27, stating that there has been a serious loophole in the agent smart contract that has been handling deposits to the dYdX exchange since November 24. At around 12:00 UTC on the 27th, dYdX The team performed a white hat hacking operation to save vulnerable user funds, totaling approximately US$2 million. These funds are sent to a non-custodial escrow contract, and only the original owner of these funds can retrieve them. However, when the dYdX team performed the white hat hacking operation, an estimated $211,000 of funds was used by the MEV robot, and the user has now been fully compensated.
Amount of loss: $ 211,000 Attack method: Contract Vulnerability
Description of the event: The administrator of OlympusDAO, a new algorithmic stablecoin protocol based on Ethereum, said on Discord, the administrator of Discord said that yesterday, someone bonds OHM/DAI bonds that are considered to be closed so that they can get a large discount and receive 1,697 OHM (over 1.4 million U.S. dollars) instead of 59 OHM (approximately US$50,000). After OlympusDAO discovered this incident, it immediately closed the bond contract.
Amount of loss: 1,697 OHM Attack method: Contract Vulnerability
Description of the event: DeFi protocol Formation.Fi was attacked by flash loans. The main reason for this incident is that the project party underestimated the impact of fee on totalTokens when designing the function swapIn, and ignored the impact of decimal point accuracy between different tokens.
Amount of loss: $ 100,000 Attack method: Flash Loan Attack
Description of the event: The stablecoin transaction protocol Curve caused losses to users who provided USDM liquidity due to the "governance attack" of the USDM stablecoin protocol Mochi. At present, Curve has dealt with urgently to avoid a wider range of losses. Previously, the Mochi project party purchased Convex's CVX tokens, voted to increase the USDM pool rewards to increase the liquidity of USDM and other assets, and then converted a large amount of USDM tokens owned by the project party into DAI after the liquidity increased. The team A total of 46 million USDM was exchanged for DAI. Based on the USDM to DAI exchange rate, the user loss that provides USDM liquidity to other stablecoins may be close to 30-40 million U.S. dollars.
Amount of loss: $ 30,000,000 Attack method: Governance Attack
Description of the event: According to official sources, the No. 23 loan pool VesperLendbeta on the DeFi protocol RariFuse was attacked. The attacker consumed a large amount of VUSD liquidity in Uniswapv3, and created a VUSD/USDC liquidity pool to manipulate the oracle VUSD price feed function and raise the VUSD price. After lending a large amount of assets on VesperLend, the final profit was 3 million US dollars. At present, Vesper has officially suspended the borrowing of the functions of VUSD and vVSP on the RariFuse platform, and is working closely with Rari, Year and Uniswap to investigate the full impact of the attack. The investigation results and response measures will be updated in the future.
Amount of loss: $ 3,000,000 Attack method: Oracle Attack
Description of the event: Cream Finance, the DeFi lending agreement, was attacked and lost approximately US$130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens. It is reported that this is the third largest DeFi hacking in history (although the two larger hacking incidents have funds returned), in addition, Cream Finance has suffered multiple lightning loan attacks before, and lost 37.5 million US dollars in February. Another $19 million was lost.
Amount of loss: $ 130,000,000 Attack method: Flash loan attack
Description of the event: Indexed Finance, a passive income agreement, was attacked, and the affected fund pools included DEFI5 and CC10. After the vulnerability was discovered, it triggered protection measures including DEGEN, NFTP, and FFF (including DEFI5 and CC10) fund pools, and was frozen. About half an hour ago, Indexed Finance officially stated that the root cause of the attack has been determined. The two index token fund pools, DEGEN and NFTP, have resumed normal operation, while the FFF pool is still in a frozen state. Officials stated in Discord that the damage caused by this attack was about 16 million U.S. dollars.
Amount of loss: $16,000,000 Attack method: Pricing mechanism issues