395 hack event(s)
Description of the event: Twitter netizen "mhonkasalo" stated that there was a bug in the dYdX pledge contract. The user received 0 stkDYDX when pledged, the front end was disabled, and there were 64 affected addresses. Later, dYdX released the "Pledge Contract Bug" incident report. During the deployment of the upgradeable smart contract, the dYdX security module made an error, which caused the ratio of DYDX to stkDYDX to change from 1 to 0, so that users who pledged DYDX did not receive stkDYDX. dYdX stated that the error was caused by an error in the smart contract deployment process. It believed that there was no error in the code itself. The security module was previously audited by the smart contract, and based on the liquidity module design, the design was also audited. The security module is thoroughly tested before deployment. At present, user funds are safely locked in the security module until the end of the 28-day epoch, and no security module rewards are distributed and no withdrawals are possible. In order to restore the contract function, an upgrade is required. The suggested solution is to restore the security module function, allow the pledged user to retrieve the funds, and compensate the user for the wrong reward for participating in the security module.
Amount of loss: - Attack method: Contract deployment error
Description of the event: The Vesting contract of DAO Maker was attacked by hackers. DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) all use Dao Maker's distribution system, and the DAO Maker contract is attacked when the holder is issued (SHO) in DAO Maker , That is, there is a loophole in the distribution system of SHO participants: init is not initialized protection, the attacker initializes the key parameters of init, and changes the owner at the same time, and then steals the target token through emergencyExit and exchanges it into DAI, attacking The final profit of nearly 4 million U.S. dollars.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: The mortgage lending platform Cream Finance had a flash loan attack. In its post-mortem analysis report on the flash loan attack, it stated that a total of 460 million AMP tokens and 2804 ETH (worth approximately US$34 million at the time) were stolen from the vulnerability and promised 20% of all agreed fees will be used for repayment until it is fully repaid. This security incident has a major vulnerability attacker and an imitator. On October 4, according to a Cointelegraph report, DeFi security agency Lossless has assisted in recovering the stolen 5152.6 ETH worth nearly $16.7 million.
Amount of loss: $ 2,300,000 Attack method: Flash loan attack
Description of the event: The DeFi pledge and liquidity strategy platform xToken, which suffered a lightning loan attack, released an analysis report on the vulnerability of the xSNX contract. At 4:43 UTC on August 29th, a vulnerability in the xSNX contract was exploited, and the holder's loss was estimated to be 4.5 million U.S. dollars. xToken believes that it is best to stop providing xSNX products at this time. xToken stated that it will no longer use the xSNX contract for SNX pledge.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: DAO Maker issued an announcement stating that at around 1:00 UTC on August 12th, hackers maliciously used a DAO Maker wallet and obtained administrator rights. After initially testing this vulnerability and successfully stealing 10,000 USDC, the cybercriminal made another 15 transactions quietly. In this way, hackers embezzled approximately $7 million before the security team was able to track, control, and prevent the outflow of funds. A total of 5,251 users were affected, and each user lost an average of $1250. Fortunately, users who hold up to $900 in funds are not affected at all.
Amount of loss: $ 7,000,000 Attack method: Private Key Leaked
Description of the event: Punk Protocol, the decentralized annuity protocol, stated that it encountered an attack during the fair launch process, causing a loss of 8.9 million US dollars. Later, the team recovered another 4.95 million US dollars and transferred it to a secure wallet. The Punk Protocol team stated that the attacker found a critical loophole in the investment strategy and extracted more than 8.9 million U.S. dollars of three stable currency assets (USDC, USDT, DAI) from the Forge-CompoundModel module, but a white hat hacker noticed The attacker's intent was reached, so a transaction was executed, which was able to recover $4.95 million. The lost funds have been transferred to the Ethereum currency mixing platform Tornado.cash, so it is difficult to keep track of them.
Amount of loss: $ 3,950,000 Attack method: Contract Vulnerability
Description of the event: BachOnChain, a core member of Duet Protocol, a multi-chain synthetic asset protocol, tweeted that the Duet Protocol pioneer network Zerogoki experienced an oracle attack a few hours ago, and the wrong price led to unrecognized transactions. BachOnChain said that the oracle has been suspended, zUSD has experienced certain fluctuations, and it is expected that the price will resume in market trading and arbitrage after a period of time.
Amount of loss: $ 670,000 Attack method: Oracle attack
Description of the event: Popsicle Finance, a multi-chain revenue optimization platform, was attacked. The core of this vulnerability is that the same PLP certificate can bring benefits to multiple holders at the same time node due to the defect in the reward update record.
Amount of loss: $ 20,000,000 Attack method: Reward Mechanism Flaw
Description of the event: Using the mechanism of deflation token KEANU to attack the reward vulnerabilities in the Memestake contract deployed by Sanshu Inu, the attacker finally made a profit of about 56 ETH.
Amount of loss: 56 ETH Attack method: Reward Mechanism Flaw
Description of the event: The DeFi project Array Finance was attacked by a lightning loan. The attacker used Array Finance's pricing mechanism to rely on aBPT's totalSupply to attack Array Finance. Officials stated that the attacker made a profit of about 272.94 ETH, worth about $515,000.
Amount of loss: 272.94 ETH Attack method: Flash loan attack
Description of the event: DeFiPie (PIE), the lending protocol on the Ethereum and Binance smart chains, was hacked. It is recommended that all liquidity providers extract all liquidity from the application. PIE tokens fell by more than 66% in 24 hours. The attacker used a re-entry attack to over-borrow and lent a portion of valuable assets. Later, the counterfeit currency was used for liquidation operations and took away the mortgaged valuable assets, which led to the DeFiPie agreement not only lent assets, but also lost all mortgage assets, and liquidity was lost.
Amount of loss: 124,999 BUSD Attack method: Reentrancy Attack
Description of the event: According to official sources, the DeFi asset management platform DAO ventures was stolen 300,000 DVG tokens due to a loophole in the ChainSwap contract of the cross-chain asset bridge. DAOventures stated that it has taken snapshots of DVG holders and LPs before the attack, and stated that it will compensate the affected token holders. The DAOventures team stated that the user's assets in DAOventures are safe. Before the compensation plan is announced, DAOventures reminds users not to purchase the DVG of the transaction for the time being and pay attention to the latest developments of the team.
Amount of loss: 300,000 DVG Attack method: Contract Vulnerability
Description of the event: According to official sources, the DeFi oracle Umbrella Network was stolen over 3 million UMB tokens due to a loophole in the ChainSwap contract of the cross-chain asset bridge.
Amount of loss: 3,000,000 UMB Attack method: Contract Vulnerability
Description of the event: The DEX trading tool DEXTools (DEXT) tweeted that it was recently hacked and affected some DEXT holders.
Amount of loss: - Attack method: Unknown
Description of the event: The Ethereum 2.0 staking solution SharedStake released an attacked report, stating that the reason the SharedStake token was minted before the official launch was due to the use of vulnerabilities in time-locked contracts (that is, smart contracts that perform certain operations at a fixed time) by internal personnel. The vulnerability was submitted to the team by the white hat Lucash-dev on April 26. Because a team member had permission to view the vulnerability, he used the vulnerability to cast a value of about 50 on the main network four times on June 19 and 23. Ten thousand USD tokens were sold and mortgaged after the official launch. Although there is not enough evidence, the core members of SharedStake suspect that it was the work of a new team member.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability
Description of the event: The Visor Finance smart contract, a DeFi liquidity protocol based on Uniswap V3, was withdrawn with 230 ETH in an emergency, and the attacker gained access to an account that manages certain Hypervisor management functions, and then transferred the funds to Tornado.cash.
Amount of loss: $ 504,845 Attack method: Permission Stolen
Description of the event: The DeFi lending agreement Alchemix alETH pool is suspected to have a loophole, and users can raise collateralized ETH when they have outstanding alETH debts. Alchemix released an alETH pool accident report stating that due to an error in the deployment of the alETH pool script, users have borrowed alETH at a 4:1 mortgage ratio but have no debt to be repaid, and the debt ceiling of nearly 2000 ETH has been released and new ones can be minted again. alETH, combined with Alchemix's use of the wrong index in the vault array, forced the transmuter to support the agreement mechanism to completely send the funds to repay the user's debt. The team has stopped the mortgage lending of the pool. As of the time of the report, alETH currently has a gap of -2,688.634, which is about 6.53 million U.S. dollars. Alchemix stated that there was no loss of user funds, and Yearn did not suffer any loss.
Amount of loss: $ 6,530,000 Attack method: Contract Vulnerability
Description of the event: According to an official statement from on-chain options protocol FinNexus, part of FinNexus’ hardware has been attacked by malware, and an unknown hacker infiltrated the FinNexus system and managed to recover the private key of the ownership of the FNX token contract. FNX was minted, transferred or sold in large numbers in a short period of time, involving more than 300 million FNX tokens (about 7 million US dollars) in BSC and Ethereum.
Amount of loss: $ 7,000,000 Attack method: Private Key Leakage
Description of the event: The DeFi pledge and liquidity strategy platform xToken was attacked, and the xBNTaBancor pool and the xSNXaBalancer pool were immediately exhausted, causing nearly $25 million in losses. The SlowMist security team analyzed that the two modules that were hacked this time were the xBNTa contract and the xSNXa contract in xToken. The two contracts were subjected to a "counterfeit currency" attack and an oracle manipulation attack.
Amount of loss: $ 25,000,000 Attack method: Oracle Attack
Description of the event: DeFi robo-advisor agreement Rari Capital stated on Twitter that its ETH fund pool had a vulnerability caused by the integration of the Alpha Finance Lab protocol, which was attacked. The rebalancer has now removed all funds from Alpha. The team stated that it is still investigating and evaluating, and a full report will be released in the future. Data shows that about 14 million U.S. dollars of funds were transferred by the attackers. The Alpha Finance team stated that the funds on Alpha Homora are safe. In this attack, the address of Rari Capital had previously attacked Value DeFi on the Binance Smart Chain.
Amount of loss: $ 14,000,000 Attack method: Contract Vulnerability