398 hack event(s)
Description of the event: According to an official statement from on-chain options protocol FinNexus, part of FinNexus’ hardware has been attacked by malware, and an unknown hacker infiltrated the FinNexus system and managed to recover the private key of the ownership of the FNX token contract. FNX was minted, transferred or sold in large numbers in a short period of time, involving more than 300 million FNX tokens (about 7 million US dollars) in BSC and Ethereum.
Amount of loss: $ 7,000,000 Attack method: Private Key Leakage
Description of the event: The DeFi pledge and liquidity strategy platform xToken was attacked, and the xBNTaBancor pool and the xSNXaBalancer pool were immediately exhausted, causing nearly $25 million in losses. The SlowMist security team analyzed that the two modules that were hacked this time were the xBNTa contract and the xSNXa contract in xToken. The two contracts were subjected to a "counterfeit currency" attack and an oracle manipulation attack.
Amount of loss: $ 25,000,000 Attack method: Oracle Attack
Description of the event: DeFi robo-advisor agreement Rari Capital stated on Twitter that its ETH fund pool had a vulnerability caused by the integration of the Alpha Finance Lab protocol, which was attacked. The rebalancer has now removed all funds from Alpha. The team stated that it is still investigating and evaluating, and a full report will be released in the future. Data shows that about 14 million U.S. dollars of funds were transferred by the attackers. The Alpha Finance team stated that the funds on Alpha Homora are safe. In this attack, the address of Rari Capital had previously attacked Value DeFi on the Binance Smart Chain.
Amount of loss: $ 14,000,000 Attack method: Contract Vulnerability
Description of the event: DeFi protocol ValueDeFi is suspected of being hacked again after being hacked on the 5th. ValueDeFi reminds users in the community, "All non-50/50 transaction pools of the project have been used. Please stop purchasing gvVALUE and vBSWAP until the project team provides a solution." It was subsequently confirmed that more than 3,000 ETH (approximately 10 million U.S. dollars) were lost.
Amount of loss: $ 10,000,000 Attack method: Contract Vulnerability
Description of the event: Value DeFi stated that at 11:22 on May 5th, the attacker reinitialized the fund pool and set the operator role to himself, and _stakeToken was set to HACKEDMONEY. The attacker controlled the pool and called governmentRecoverUnsupported (), which was exhausted. The original pledge token (vBWAP/BUSD LP). Then, the attacker removes 10839.16 vBWAP/BUSD LP and liquidity, and obtains 7342.75 vBSWAP and 205659.22 BUSD. Subsequently, the attacker sells all 7342.75 vBSWAP at 1inch to obtain 8790.77 BNB, and buys BNB and BUSD renBTC through renBridge. Converted to BTC. The attacker made a total of 205,659.22 BUSD and 8,790.77 BNB. The 2802.75 vBSWAP currently in the reserve fund and the 205,659.22 BUSD of the ValueDeFi deployer will be used to compensate all users in the pool. The remaining 4540 vBSWAP can be compensated in the following two ways. The first option is to cast 4540 vBSWAP to immediately compensate all affected users, and the other option is to cast 2270 vBSWAP to immediately compensate, and the rest will be returned to the contract within 3 months. Value DeFi emphasized that only the vStake profit sharing pool of vBSWAP in bsc.valuedefi.io has received the impression, and other fund pools and funds are in a safe state.
Amount of loss: $ 5,817,780 Attack method: Contract Vulnerability
Description of the event: Fei Labs, the development team of the decentralized stablecoin project Fei Protocol, tweeted that a vulnerability involving the ETH joint curve contract was discovered and disclosed on May 2 and the contract was immediately suspended. The vulnerability has not been exploited and will not affect any users. . This loophole will cause the flash loan market manipulation to exhaust Fei Protocol's Protocol Control Fund (PCV). In addition, Fei Protocol awarded the vulnerability discoverer Alexander Schlindwein a $800,000 TRIBE token reward. Currently, OpenZeppelin and Alexander Schlindwein have assisted in repair review and verification, sending ETH from the joint curve to the reserve stabilizer instead of the ETH-FEI Uniswap pool to eliminate the attack vector, and adding to the pool to prevent malicious arbitrage Other reviews.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The DeFi quantitative hedge fund Force DAO posted a blog stating that it was responsible for the previous attack and has implemented procedures to ensure that any such incidents are mitigated in the future. A total of 183 ETH (about 367,000 U.S. dollars) worth of FORCE tokens were exhausted and liquidated in this attack.
Amount of loss: 183 ETH Attack method: Contract Vulnerability
Description of the event: DeFi gathers reasonable financial services SIL.Finance contract has high-risk loopholes. Later, SIL.Finance issued an article saying that the incident was caused by a vulnerability in the smart contract permissions, which in turn triggered a general preemptive trading robot to submit a series of transactions for profit. After discovering that the smart contract could not be withdrawn due to high-risk loopholes, after 36 hours of efforts such as SlowMist, it has successfully recovered USD 12.15 million.SIL.Finance stated that if any user assets are damaged in this incident, the team decided to use its own funds to launch a compensation plan: all users who suffered losses will receive 2 times the compensation, which will be issued in SIL.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A cross-chain stablecoin (TSD) on ETH and BSC stated that malicious attackers used TSD DAO to mint 11.8 billion TSD tokens in their accounts and sold them all on Pancakeswap. The specific process is that True Seigniorage Dollar stated that the developer account only has 9% of the DAO, and the malicious attacker has gradually controlled 33% of the DAO with the accumulation of low prices, and then proposed an implementation plan and voted in favor. In the implementation, the attacker added code to Mint and minted 11.8 billion TSDs for himself.
Amount of loss: $ 7,095,340 Attack method: Contract Vulnerability
Description of the event: The decentralized exchange DODO announced the progress of the attack on some fund pools. The main reason for this attack was that the crowdfunding fund pool contract initialization function did not prevent repeated calls, which led to hackers reinitializing the contract and completing the attack through lightning loans. In this incident, there were three participants, a hacker and two trading robots. A total of approximately US$3.8 million worth of funds were attacked. At present, the owners of the two trading robots have returned approximately US$3.1 million in tokens. In addition, funds worth approximately US$200,000 are frozen on the centralized exchange, and the remaining value of approximately US$500,000 is borne by the DODO team, and all funds will be returned within 24 hours. At the same time, security companies Chengdu Lian'an and SlowMist Technology have been invited to conduct a new round of code audits, and it is expected that the crowdfunding pool building function will be restored within a week.
Amount of loss: $ 500,000 Attack method: Init function unlimited
Description of the event: Curve Finance tweeted that a vulnerability was found in the Pool Factory v1 version of the fund pool, and it is recommended that v1 users use crv.finance to withdraw funds immediately. Curve.fi and Pool Factory v2 fund pools do not respond. But it only affects the v1 pool, and hackers cannot use it to steal user funds.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The agent of the DeFi platform Furucombo was attacked and the amount stolen amounted to more than 15 million U.S. dollars. The DeFi aggregation platform Furucombo officially released a tweet, saying: "The root cause has been found and the vulnerability has been patched. The funds are now safe. We are investigating the stolen funds and organizing follow-up actions. The follow-up will continue to be updated."Later, Furucombo stated that it would issue 5 million iouCOMBO tokens to affected users
Amount of loss: $ 15,000,000 Attack method: Contract Vulnerability
Description of the event: DeFi Insurance Agreement The Armor team claimed that some team members were scammed by OTC and were defrauded of 1.2 million ARMOR tokens. The scammers have already dumped all tokens for a profit of 600 ETH (approximately US$850,000). The Armor team disclosed that the scammers pretended to be strategic investors on social media, falsely claiming to purchase tokens from the team through OTC, defrauded 1.2 million ARMOR tokens in OTC transactions, and then sold them. According to the Armor team, "No hacking, the project is still safe."
Amount of loss: $ 850,000 Attack method: Scam
Description of the event: The DAI pool of Yeld.finance, the DeFi revenue aggregator, was attacked by a lightning loan, resulting in a loss of 160,000 DAI, involving more than 10 users. Tether, TrueUSD and USDC were not affected. According to reports, Yeld’s problem is consistent with the previous Yearn.Finance DAI pool vulnerability problem. The official also stated that the affected users will be repaid with tokens, which will be rewarded with income from the DAI pool to make up for some of their losses. Later, Yeld.finance officially stated that the 160,000 DAI caused by the lightning loan attack has been returned. This event is suspected to be the work of a white hat, and the official will further update the details.
Amount of loss: $ 160,000 DAI Attack method: Flash loan attack
Description of the event: A serious loophole has been discovered in the Primitive Finance smart contract on the Ethereum chain options agreement. Since the contract cannot be upgraded or suspended, the official chose to hack the smart contract to protect user funds. The hacked funds are safe. All hacked funds will be returned to their owners.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: DeFi revenue aggregator BT.Finance tweeted, "It was hacked. The attacked strategies include ETH, USDC and USDT. Other strategies are not affected. BT.Finance withdrawal fee protection has reduced the loss of this attack by nearly 140,000 US dollars." BT.Finance expressed the hope that hackers can return the funds and will use BT tokens to thank its bug test. According to ICO Analytics, the affected funds are approximately US$1.5 million.
Amount of loss: $ 1,500,000 Attack method: Flash loan attack
Description of the event: Yearn v1 yDAI vault was attacked and the attackers stole 2.8 million US dollars. Banteg, the core developer of Yearn finance, subsequently stated that the attacker received 2.8 million US dollars and vault lost 11 million US dollars.
Amount of loss: $ 11,000,000 Attack method: Flash loan attack
Description of the event: The DeFi insurance project ArmorFi has paid a $1.5 million bug bounty to the white hat hacker Alexander Schlindwein. Because the hacker discovered a "critical loophole" in the agreement, and may cause all the company's underwriting funds to be depleted.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Weibo user “CryptoBlanker” broke the news: the refi.finance project party directly used the reserved setBoardroom() function to change the Boardroom address to the address it deployed. Light BAS was taken away 2,600, worth 111 ETH (about 144,000 US dollars).
Amount of loss: 111 ETH Attack method: Rug Pull
Description of the event: On January 27, 2021, SushiSwap was attacked again. This attack took advantage of the fact that DIGG itself did not have a WETH trading pair, and the attacker created this trading pair and manipulated the initial transaction price, resulting in a huge slippage during the fee exchange process. The attacker only needs to use a small amount of DIGG and WETH provide initial liquidity to obtain huge profits.
Amount of loss: 81 ETH Attack method: Price Manipulation