410 hack event(s)
Description of the event: A cross-chain stablecoin (TSD) on ETH and BSC stated that malicious attackers used the TSD DAO to mint 11.8 billion TSD tokens to their own accounts and sold them all on Pancakeswap. According to True Seigniorage Dollar, the developer account held only 9% of the DAO's voting power, while the attacker gradually accumulated 33% of the DAO by buying at low prices, then submitted an implementation proposal and voted it through. The proposed implementation added code to the mint function, which the attacker used to mint 11.8 billion TSD for himself.
Amount of loss: $ 7,095,340 Attack method: Contract Vulnerability
Description of the event: The decentralized exchange DODO announced the progress of its response to an attack on some of its fund pools. The root cause was that the initialization function of the crowdfunding pool contract did not prevent repeated calls, which allowed the attacker to re-initialize the contract and complete the attack with a flash loan. Three parties took part in the incident: one hacker and two trading bots. A total of approximately US$3.8 million worth of funds was taken. The owners of the two trading bots have since returned approximately US$3.1 million in tokens; funds worth approximately US$200,000 are frozen on a centralized exchange, and the remaining value of approximately US$500,000 will be borne by the DODO team, with all funds to be returned within 24 hours. At the same time, the security companies Chengdu Lian'an and SlowMist Technology have been invited to conduct a new round of code audits, and the crowdfunding pool creation function is expected to be restored within a week.
Amount of loss: $ 500,000 Attack method: Init function unlimited
Description of the event: Curve Finance tweeted that a vulnerability was found in the Pool Factory v1 pools and recommended that v1 users withdraw their funds immediately via crv.finance. Curve.fi and the Pool Factory v2 pools are not affected. The vulnerability only affects the v1 pools, and attackers cannot use it to steal user funds.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The proxy contract of the DeFi platform Furucombo was attacked, and more than 15 million US dollars were stolen. The DeFi aggregation platform Furucombo officially released a tweet saying: "The root cause has been found and the vulnerability has been patched. The funds are now safe. We are investigating the stolen funds and organizing follow-up actions. The follow-up will continue to be updated." Later, Furucombo stated that it would issue 5 million iouCOMBO tokens to affected users.
Amount of loss: $ 15,000,000 Attack method: Contract Vulnerability
Description of the event: The team behind the DeFi insurance protocol Armor claimed that some team members were scammed in an OTC deal and defrauded of 1.2 million ARMOR tokens. The scammers have already dumped all of the tokens for a profit of 600 ETH (approximately US$850,000). The Armor team disclosed that the scammers posed as strategic investors on social media, falsely claimed they would purchase tokens from the team over the counter, obtained 1.2 million ARMOR tokens in the OTC transaction, and then sold them. According to the Armor team, "No hacking, the project is still safe."
Amount of loss: $ 850,000 Attack method: Scam
Description of the event: The DAI pool of the DeFi yield aggregator Yeld.finance was hit by a flash loan attack, resulting in a loss of 160,000 DAI and affecting more than 10 users. The Tether, TrueUSD and USDC pools were not affected. According to reports, Yeld's problem is the same as the earlier Yearn.Finance DAI pool vulnerability. The team also stated that affected users would be repaid in tokens, funded by income from the DAI pool, to make up part of their losses. Later, Yeld.finance officially stated that the 160,000 DAI taken in the flash loan attack had been returned. The event is suspected to be the work of a white hat, and the team will release further details.
Amount of loss: $ 160,000 DAI Attack method: Flash loan attack
Description of the event: A serious vulnerability was discovered in the smart contract of Primitive Finance, an options protocol on the Ethereum chain. Since the contract could neither be upgraded nor paused, the team chose to exploit the smart contract themselves in order to protect user funds. The rescued funds are safe and will all be returned to their owners.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The DeFi yield aggregator BT.Finance tweeted, "It was hacked. The attacked strategies include ETH, USDC and USDT. Other strategies are not affected. BT.Finance withdrawal fee protection has reduced the loss of this attack by nearly 140,000 US dollars." BT.Finance expressed the hope that the hackers would return the funds and said it would reward them with BT tokens for the bug test. According to ICO Analytics, the affected funds amount to approximately US$1.5 million.
Amount of loss: $ 1,500,000 Attack method: Flash loan attack
Description of the event: The Yearn v1 yDAI vault was attacked and the attackers stole 2.8 million US dollars. Banteg, a core developer of Yearn Finance, subsequently stated that the attacker gained 2.8 million US dollars while the vault lost 11 million US dollars.
Amount of loss: $ 11,000,000 Attack method: Flash loan attack
Description of the event: The DeFi insurance project ArmorFi paid a $1.5 million bug bounty to the white hat hacker Alexander Schlindwein, who discovered a "critical vulnerability" in the protocol that could have drained all of the project's underwriting funds.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Weibo user "CryptoBlanker" reported that the refi.finance project team directly used the reserved setBoardroom() function to change the Boardroom address to an address it had deployed itself, and took 2,600 Light BAS, worth 111 ETH (about 144,000 US dollars).
Amount of loss: 111 ETH Attack method: Rug Pull
Description of the event: On January 27, 2021, SushiSwap was attacked again. The attack took advantage of the fact that DIGG had no WETH trading pair: the attacker created that pair and manipulated its initial price, causing huge slippage when fees were swapped through it. The attacker only needed a small amount of DIGG and WETH to provide the initial liquidity and obtain huge profits.
Amount of loss: 81 ETH Attack method: Price Manipulation
Description of the event: Twitter users reported that Cover Protocol lost $3 million due to a vulnerability in its reward contract. On-chain data shows that the attacker (0xf05Ca...943DF) used the Cover contract to mint a total of about 10,000 COVER and swapped them for assets such as WBTC and DAI. Later, the block explorer showed that the attacker (address labelled Grap Finance: Deployer), who made a profit of 3 million US dollars by minting additional COVER, returned 4350 ETH to the address labelled YieldFarming.insure: Deployer. Cover Protocol officially tweeted that it will issue a new COVER token based on a snapshot taken before the exploit, and that the 4350 ETH returned by the attacker will also be distributed to LP token holders according to the snapshot.
Amount of loss: $ 3,000,000 Attack method: Contract Vulnerability
Description of the event: The DeFi portal DefiPrime said on Twitter this morning that at 06:34 on December 18th, Beijing time, Warp Finance, a DeFi lending protocol that accepts liquidity LP tokens as collateral, suffered a flash loan attack in which about 8 million US dollars were stolen. Warp Finance also tweeted that it was investigating illegitimate stablecoin loans issued in the previous hour and recommended not depositing stablecoins until the cause had been identified. Warp Finance later issued a statement on the flash loan attack, saying that the attacker was able to steal up to US$7.7 million worth of stablecoins, but that the team had formulated a plan to recover approximately US$5.5 million worth of stablecoins still held in the collateral vault. The US$5.5 million will be distributed proportionally to users who suffered losses.
Amount of loss: $ 7,700,000 Attack method: Flash loan attack
Description of the event: According to reports, DeTrade Fund was Friday's biggest scam: the platform claimed to let any user profit by putting money into its arbitrage system, and it defrauded investors of more than 1,400 ETH raised in a pre-sale. Twitter user Artura discovered that DeTrade Fund was actually run by a Lithuanian. Shortly after Artura's tweet, addresses affiliated with the scam distributed hundreds of ETH to presale participants, returning around 65-70% of the stolen funds.
Amount of loss: $ 1,200,000 Attack method: Scam
Description of the event: At 3:00 pm on December 1st, Beijing time, the security technical team discovered through Skynet that the Compounder.Finance project at address 0x0b283b107f70d23250f882fbfe7216c38abbd7ca had executed multiple large-value transactions. After verification, these transactions were found to be internal operations by the Compounder.Finance project owners, who transferred a large number of tokens to their own accounts. According to statistics, Compounder.Finance ultimately lost tokens worth a total of about 80 million yuan.
Amount of loss: $ 80,000,000 Attack method: Project owner internal operations
Description of the event: The DeFi asset collateral platform Saffron Finance issued an announcement stating that Epoch 1 redemption errors caused by a contract vulnerability resulted in 50 million DAI deposited during Epoch 1 being locked for 8 weeks. The team is working on an emergency fix for the problem and will transition to Epoch 2. Saffron Finance is a DeFi asset collateral platform released by an anonymous team; its token is SFI. It allows liquidity providers to select customized risk exposures to earn returns: in each epoch, users can choose among different risk-return tranches (A, AA, S) on Saffron when providing liquidity. An epoch lasts 14 days (LP funds are locked for those 14 days). After the epoch ends, users can remove their liquidity and receive interest plus a pro-rata share of SFI.
Amount of loss: $ 50,000,000 Attack method: Contract Vulnerability
Description of the event: 0xMaki, community leader of the liquidity mining project SushiSwap (SUSHI), announced in the Discord group that the SushiSwap vulnerability had been fixed and that the lost funds (approximately US$10,000) would be compensated from the SUSHI treasury. Previously, SushiSwap was attacked by a liquidity provider, who obtained between 10,000 and 15,000 US dollars in one transaction. After 0xMaki discovered the operation, 0xMaki sent the attacker a transaction carrying the message "I found you and we are working hard to fix it. Contact me on Discord to get bug bounty - 0xMaki". According to analysis, the attacker used SLP and WETH to create a new token pool, used the new pool's SLP1 as the conversion route in Sushi Maker, and with a small amount of SLP moved all of the SLP held in the Sushi Maker contract for the corresponding trading pair into the pool they had created, thereby pocketing all of that pair's fees accumulated over the period. Repeating this process for other trading pairs let the attacker keep profiting.
Amount of loss: $ 15,000 Attack method: Price Manipulation
Description of the event: The DeFi robo-advisor Rari Capital announced on its official Twitter that the contract vulnerability had been fixed in cooperation with Quantstamp and that no funds were lost. Previously, due to a vulnerability in the RGT Distributor contract, RGT token claims and deposit and withdrawal operations had been suspended. Rari Capital is currently reviewing the code update to confirm that there are no other vulnerabilities in the code base.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A Compound price feed error caused the liquidation of $90 million in assets. According to the founder of DeBank, the massive liquidations on Compound were caused by dramatic fluctuations in the DAI price on Coinbase Pro, the data source for Compound's oracle. This is a typical oracle attack: manipulating the data source the oracle relies on to produce a short-term price distortion, which in turn yields misleading prices on-chain.
Amount of loss: - Attack method: Oracle Attack