395 hack event(s)
Description of the event: bZx tweeted that at 3:28 AM EST (15:30 on September 13, Beijing time) the team began investigating a drop in the protocol's TVL. By 6:18 AM EST (18:30 on September 13, Beijing time) it had confirmed that several iTokens were affected by a duplication bug. Lending was temporarily suspended, the duplication method was patched out of the iToken contract code, and the protocol resumed normal operation. According to the founder of Compound, a total of about US$8 million in assets was affected: US$2.6 million in LINK, US$1.6 million in ETH and US$3.8 million in stablecoins. 1inch co-founder Anton Bukov tweeted that the attacker had taken about 4,700 ETH in the incident and posted the address holding the stolen funds. bZx responded that user funds were not at risk and that the listed amounts had been deducted from its insurance fund. On September 16, bZx published an incident report on the iToken duplication bug and stated that the attacker had returned all funds.
Amount of loss: - Attack method: Replay Attack
Description of the event: A DeFi user with the Twitter handle Amplify discovered a bug in SYFI, a DeFi smart contract, and made 747 ETH in a single transaction at the expense of other users. The project collapsed.
Amount of loss: 747 ETH Attack method: Unknown
Description of the event: A Twitter user named Amplify revealed that he had made a profit of US$250,000 from a vulnerability in the new DeFi project Soft Finance.
Amount of loss: $ 250,000 Attack method: Unknown
Description of the event: Nine Chainlink node operators were hit by so-called "spam attacks." The attackers extracted approximately 700 ETH (worth approximately $335,000 at the time) from the operators' hot wallets.
Amount of loss: 700 ETH Attack method: Spam attacks
Description of the event: Twitter users reported that the DeFi liquidity-mining project Degen.Money used a double-approval trick to take users' funds. The first approval is granted to the staking contract; the second approval grants transfer rights to another address, which lets the attacker take the user's funds. YFI founder Andre Cronje said the project does indeed carry this risk.
Amount of loss: - Attack method: Double Authorization Vulnerability
Description of the event: The DeFi project YFValue (YFV) officially announced that the team had found a vulnerability in the YFV staking pool the previous day: a malicious participant could use it to reset the pool's YFV timer on their own, putting $170 million in funds at risk of being locked. At the time of the announcement, a malicious participant was attempting to blackmail the team using the vulnerability.
Amount of loss: $ 170,000,000 Attack method: Staking Pool Vulnerability
Description of the event: The anonymous DeFi liquidity-farming project BASED announced that it would redeploy its staking pool. The team tweeted that a hacker had tried to freeze "Pool1" permanently, but the attempt failed and "Pool1" would continue as planned. Staked funds and BASED tokens were reported to be safe.
Amount of loss: - Attack method: Unknown
Description of the event: On August 13, 2020, the well-known Ethereum DeFi project YAM announced on Twitter that its contract contained a bug. The price plummeted by 99% within 24 hours, and the governance contract was "permanently destroyed", leaving about $750,000 worth of Curve tokens locked and unusable. Because totalSupply is recomputed during rebase, and the incorrectly calculated totalSupply is not immediately reflected in initSupply via mint, the community still had a chance to correct the error and reduce losses before the next rebase; once the next rebase executed, the mistake would become irreparable.
Amount of loss: $ 750,000 Attack method: Contract Vulnerability
Description of the event: Opyn, an on-chain options platform, disclosed that its ETH put options had been exploited by an external party. Opyn stated that all Opyn contracts other than the ETH put options were unaffected. The attacker used the same ETH twice against oTokens and stole collateral from put-option sellers; according to Opyn's figures, a total of 371,260 USDC was stolen. The root cause is that the exercise() function of the Opyn ETH put contract did not verify the ETH actually paid by the exerciser for each vault it processed. In Opyn's business logic, the buyer of a put option transfers ETH of the corresponding value to the seller in order to receive the seller's collateral. The attacker first exercised against a vault they had set up themselves and, because the ETH sent with the transaction could be counted again, exercised against a real seller's vault in the same call, thereby taking that seller's collateral without paying for it.
Amount of loss: 371,260 USDC Attack method: Contract Vulnerability
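As an added illustration of the double-counted ETH described above, the following is a Python model written for this page (it is not Opyn's Solidity code; the strike price, vault sizes and function names are assumptions). The vulnerable exercise() re-checks the whole attached ETH for every vault in the call, so an attacker who is both the exerciser and one of the sellers collects collateral from two vaults while paying once, then withdraws the same ETH again from their own vault.

```python
from typing import Dict, List


class Vault:
    """A put seller's vault: USDC collateral locked, ETH credited by exercisers."""

    def __init__(self, owner: str, collateral: int) -> None:
        self.owner = owner
        self.collateral = collateral   # USDC (6 decimals) locked by the seller
        self.underlying = 0            # ETH (wei) credited by exercises, withdrawable later


class EthPutMarket:
    """Minimal ETH-put market (assumed design, not Opyn's): an exerciser pays ETH
    into a vault and receives the strike value in USDC from that vault's collateral."""

    def __init__(self, strike_usdc_per_eth: int, fixed: bool) -> None:
        self.strike = strike_usdc_per_eth
        self.fixed = fixed
        self.vaults: Dict[str, Vault] = {}
        self.eth_held = 0                       # ETH actually held by the contract
        self.usdc_paid: Dict[str, int] = {}     # USDC handed out to exercisers

    def open_vault(self, owner: str, collateral_usdc: int) -> None:
        self.vaults[owner] = Vault(owner, collateral_usdc)

    def exercise(self, caller: str, vault_owners: List[str], msg_value: int, eth_amount: int) -> None:
        """Exercise puts worth `eth_amount` wei against each vault in `vault_owners`
        in one call, with `msg_value` wei attached to the transaction."""
        self.eth_held += msg_value
        remaining = msg_value
        usdc_out = eth_amount * self.strike // 10**18
        for owner in vault_owners:
            vault = self.vaults[owner]
            if self.fixed:
                # Corrected: each vault consumes its own share of the attached ETH.
                if remaining < eth_amount:
                    raise ValueError("insufficient msg.value")
                remaining -= eth_amount
            else:
                # VULNERABLE: the whole msg.value is re-checked for every vault,
                # so a single payment satisfies the check for each of them.
                if msg_value != eth_amount:
                    raise ValueError("incorrect msg.value")
            if vault.collateral < usdc_out:
                raise ValueError("vault undercollateralized")
            vault.collateral -= usdc_out
            vault.underlying += eth_amount        # seller is credited with the ETH "paid"
            self.usdc_paid[caller] = self.usdc_paid.get(caller, 0) + usdc_out
        if self.fixed and remaining != 0:
            raise ValueError("excess msg.value")

    def remove_underlying(self, owner: str) -> int:
        """Seller withdraws the ETH credited to their vault."""
        vault = self.vaults[owner]
        amount = vault.underlying
        if amount > self.eth_held:
            raise ValueError("contract insolvent")
        vault.underlying = 0
        self.eth_held -= amount
        return amount


def run_attack(fixed: bool) -> dict:
    """Attacker sells a put to themselves (own vault), then exercises against their
    own vault and a victim's vault in a single call while paying only once."""
    strike = 400 * 10**6          # assumed strike: 400 USDC per ETH
    one_eth = 10**18
    market = EthPutMarket(strike, fixed)
    market.open_vault("attacker", 400 * 10**6)   # attacker locks 400 USDC
    market.open_vault("victim", 400 * 10**6)     # victim locks 400 USDC
    try:
        market.exercise("attacker", ["attacker", "victim"], msg_value=one_eth, eth_amount=one_eth)
    except ValueError as err:
        return {"reverted": str(err)}
    eth_back = market.remove_underlying("attacker")   # attacker reclaims the ETH they "paid"
    try:
        market.remove_underlying("victim")
        victim_paid = True
    except ValueError:
        victim_paid = False
    return {
        "reverted": None,
        "attacker_usdc_net": market.usdc_paid["attacker"] - 400 * 10**6,
        "attacker_eth_back": eth_back,
        "victim_can_withdraw": victim_paid,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(fixed=False))
    print("fixed:     ", run_attack(fixed=True))
```

In the vulnerable run the attacker ends up 400 USDC ahead with all of their ETH back, and the victim's vault shows credited ETH the contract no longer holds. The corrected variant keeps a running `remaining` balance that every vault must consume and that must be exactly used up by the end of the call, which is the per-vault verification the description says was missing.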
Description of the event: Coingecko researcher Daryllautk tweeted that VETH had been attacked on the decentralized exchange Uniswap: the attacker took 919,299 VETH (worth about $900,000) using only 0.9 ETH. After the attack, VETH stated that the contract had been exploited through a UX improvement the team had placed in transferFrom(), which was its own fault, and that it would redeploy vether4 and compensate all affected Uniswap stakers. The attack relied on the changeExcluded function being declared external with no access control, so anyone could call it directly and set up the conditions needed for the attack.
Amount of loss: $ 900,000 Attack method: Contract Vulnerability
Description of the event: According to DeBank on Twitter, an attacker once again used a dYdX flash loan to attack the COMP trading pair in part of Balancer's liquidity pools, taking the unclaimed COMP rewards from the pool for a profit of 10.8 ETH, about $2,408.
Amount of loss: $ 2,408 Attack method: Flash loan attack
Description of the event: Balancer liquidity pools were hit by a flash-loan attack and lost $500,000. The two pools that suffered losses were the STA and STONK pools, whose liquidity has since been completely drained. Both STA and STONK are deflationary tokens, so the attack only affects pools of deflationary tokens: such tokens and Balancer's smart contracts are incompatible in certain scenarios, which let the attacker create and profit from price deviations in the STA/STONK pools.
Amount of loss: $ 500,000 Attack method: Compatibility Issue
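As an added illustration of the incompatibility above, the following is a simplified Python model written for this page (not Balancer's pool code; the 1% burn, pool sizes and trade sizes are assumptions). A pool that prices trades on its own internal record of balances, and credits that record with the amount the trader sent rather than the amount that actually arrived, drifts away from reality by the burned amount on every inbound transfer of a deflationary token.

```python
from typing import Dict, Tuple


class FeeOnTransferToken:
    """ERC-20-like token that burns a fixed share of every transfer (1% assumed)."""

    BURN_BPS = 100   # basis points burned per transfer

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> int:
        """Debit `amount` from src; dst receives amount minus the burn. Returns received."""
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        burned = amount * self.BURN_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - burned
        return amount - burned


class ConstantProductPool:
    """x*y=k pool between a fee-on-transfer token ("sta") and a plain asset ("weth").
    sync_on_receive=False reproduces the bug: the pool credits its internal record
    with the amount the trader sent, not the amount that actually arrived."""

    def __init__(self, token: FeeOnTransferToken, sta_liq: int, weth_liq: int,
                 sync_on_receive: bool) -> None:
        self.token = token
        self.sync_on_receive = sync_on_receive
        token.mint("pool", sta_liq)
        self.recorded_sta = sta_liq    # balance the pricing formula believes in
        self.weth = weth_liq           # plain asset, no transfer fee

    def actual_sta(self) -> int:
        return self.token.balances["pool"]

    def swap_sta_for_weth(self, trader: str, sta_in: int) -> int:
        weth_out = self.weth * sta_in // (self.recorded_sta + sta_in)   # priced on the record
        received = self.token.transfer(trader, "pool", sta_in)
        self.recorded_sta += received if self.sync_on_receive else sta_in   # bug: full amount
        self.weth -= weth_out
        return weth_out

    def swap_weth_for_sta(self, trader: str, weth_in: int) -> int:
        sta_out = self.recorded_sta * weth_in // (self.weth + weth_in)
        self.weth += weth_in
        self.token.transfer("pool", trader, sta_out)   # pool's own balance drops by exactly sta_out
        self.recorded_sta -= sta_out
        return sta_out


def drift_after_round_trips(rounds: int, sync_on_receive: bool) -> Tuple[int, int]:
    """Return (recorded, actual) STA held by the pool after `rounds` STA->WETH->STA round trips."""
    token = FeeOnTransferToken()
    pool = ConstantProductPool(token, sta_liq=10**24, weth_liq=10**20,
                               sync_on_receive=sync_on_receive)
    token.mint("trader", 10**23)
    for _ in range(rounds):
        weth_got = pool.swap_sta_for_weth("trader", 10**22)
        pool.swap_weth_for_sta("trader", weth_got)
    return pool.recorded_sta, pool.actual_sta()


if __name__ == "__main__":
    for sync in (False, True):
        recorded, actual = drift_after_round_trips(10, sync)
        print("sync_on_receive=%s recorded=%d actual=%d drift=%d" % (sync, recorded, actual, recorded - actual))
```

With the bug, the recorded STA balance overstates what the pool really holds by the burned amount of every inbound trade, so the pool keeps quoting STA as if it were more plentiful than it is; repeated trades widen the gap without limit. Reading the token's actual balance after each transfer (sync_on_receive=True) keeps the record and the holdings identical.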
Description of the event: A recent study found malicious Web3 applications, "phishing dapps", that impersonate legitimate applications or services to steal cryptocurrency. For example, since MakerDAO shut down the single-collateral Sai system, phishing tools have appeared that claim users need a new tool to migrate from SAI to DAI. One such domain offers a simple interface to "migrate" SAI to the new DAI at a 1:1 ratio and looks like an official channel, but the transaction it asks the user to sign simply sends the SAI to an address owned by the attacker. More than US$100,000 in SAI has been traced to the attacker's account.
Amount of loss: $ 100,000 Attack method: Phishing attack
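Both the Degen.Money double-approval trick and the SAI "migration" phish above work because the user signs a transaction whose effect differs from what the interface shows. The following added example (written for this page; not code from Degen.Money, MakerDAO or the study cited, and every address in it is constructed) decodes ERC-20 approve and transfer calldata and checks the spender or recipient against an allow-list before the request is signed.

```python
from typing import Dict, List, Optional, Set

# ERC-20 selectors: first 4 bytes of keccak256 of the function signature.
# Hard-coded so the example needs no keccak library.
SELECTORS: Dict[bytes, str] = {
    bytes.fromhex("095ea7b3"): "approve",    # approve(address,uint256)
    bytes.fromhex("a9059cbb"): "transfer",   # transfer(address,uint256)
}
UINT256_MAX = 2**256 - 1


def encode_erc20_call(function: str, address: str, amount: int) -> bytes:
    """ABI-encode approve/transfer calldata (used here to build the constructed samples)."""
    selector = {name: sel for sel, name in SELECTORS.items()}[function]
    return selector + bytes(12) + bytes.fromhex(address[2:]) + amount.to_bytes(32, "big")


def decode_erc20_call(data: bytes) -> Optional[dict]:
    """Decode approve(address,uint256) / transfer(address,uint256); None for anything else."""
    if len(data) != 4 + 32 + 32:
        return None
    function = SELECTORS.get(data[:4])
    if function is None:
        return None
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):          # an address word must be zero-padded to 32 bytes
        return None
    return {
        "function": function,
        "address": "0x" + addr_word[12:].hex(),
        "amount": int.from_bytes(amount_word, "big"),
    }


def review_signing_request(data: bytes, trusted: Set[str]) -> str:
    """Verdict for one wallet signing request against an allow-list of counterparties."""
    decoded = decode_erc20_call(data)
    if decoded is None:
        return "REJECT: not a plain ERC-20 approve/transfer"
    trusted_lc = {a.lower() for a in trusted}
    if decoded["address"].lower() not in trusted_lc:
        return "REJECT: %s to untrusted %s" % (decoded["function"], decoded["address"])
    if decoded["function"] == "approve" and decoded["amount"] == UINT256_MAX:
        return "WARN: unlimited approval"
    return "OK"


# Constructed addresses, not real contracts.
STAKING_CONTRACT = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
ONE_TOKEN = 10**18


def demo() -> List[str]:
    """Four constructed signing requests modelled on the two incidents above."""
    requests = [
        encode_erc20_call("approve", STAKING_CONTRACT, 1_000 * ONE_TOKEN),  # first, legitimate approval
        encode_erc20_call("approve", ATTACKER, UINT256_MAX),                # second approval, other spender
        encode_erc20_call("transfer", ATTACKER, 500 * ONE_TOKEN),           # "migration" that is a transfer
        encode_erc20_call("approve", STAKING_CONTRACT, UINT256_MAX),        # unlimited, but trusted spender
    ]
    return [review_signing_request(r, {STAKING_CONTRACT}) for r in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

ERC-20 allowances are keyed per spender, so a second approve to a different address does not replace the first; both stand. That is why the check has to be applied to every request the interface produces, not only the first one.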
Description of the event: Atomic Loans published a decision on vulnerability disclosure and the suspension of new loan requests. Security researcher samczsun had privately disclosed two vulnerabilities in the currently deployed contracts and lender agents; both would have allowed a malicious borrower to unlock part or all of their BTC collateral without repaying the loan under specific circumstances. Neither vulnerability had been exploited by any user, and no funds on the platform were affected. The platform also disabled the ability of any borrower or lender to enter new loans until the launch of v2.
Amount of loss: - Attack method: Unknown
Description of the event: The DeFi Money Market (DMM) protocol said on Twitter that during its $DMG public sale its Telegram was brigaded by malicious actors impersonating the DMM Foundation with the sole intent of stealing funds. After going through the on-chain transactions to identify those affected, the team sent a total of $40k worth of DMG to them at an exchange rate of $0.40 per DMG, aiming to make everyone who lost funds whole.
Amount of loss: $ 40,000 Attack method: Malicious hijacking
Description of the event: Because the safeTransferFrom() function in the new Bancor Network contract lacked a caller check, user funds could be drained. The Bancor team stated: 1. A security vulnerability was discovered in the new Bancor Network v0.6 contract released two days earlier; 2. After the vulnerability was discovered, the team carried out a white-hat attack to move funds to a secure address; 3. The smart contract audit had been completed. However, $135,229 was still front-run by two unknown arbitrage bots.
Amount of loss: $ 135,229 Attack method: Unknown
Description of the event: After about 48 hours of testing on the Ethereum and Bitcoin mainnets, the Keep team decided to trigger the 10-day emergency deposit moratorium allowed by the TBTCSystem contract after finding that deposits were being blocked when certain types of Bitcoin addresses were used for redemption. The decision came after a major issue in the contract's redemption flow put the signers backing open deposits at risk of liquidation. The team's summary: 1. The Keep team failed to run further tests after the new commit was proposed, and so missed the chance to catch the issue during development. 2. During dApp-based manual QA, the team did not verify that a successful redemption in the UI actually resulted in a closed deposit on-chain, and so missed the chance to find the issue during manual QA. 3. The team did not adequately consider input validation at the entry point of redemption; this is one of the relatively few pieces of data in the system that is completely user-controlled and should therefore be a top priority for input validation. 4. The team did not spend enough time generating Bitcoin test vectors for unit tests.
Amount of loss: - Attack method: Insufficient testing
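Point 3 of the summary above is the one a practitioner can act on directly: the redeemer's Bitcoin output script is user-controlled input, so it should be classified and rejected at the entry point rather than turn out to be unsupported later in the flow. The following added example (written for this page, not Keep/tBTC code; which script types a redemption flow should accept is an assumption, and the hashes in the vectors are dummy bytes) does that classification strictly and carries the kind of test vectors point 4 calls for.

```python
from typing import Dict, Optional

OP_0, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x76, 0xA9, 0x87, 0x88, 0xAC
STANDARD_TYPES = frozenset({"p2pkh", "p2sh", "p2wpkh", "p2wsh"})


def classify_output_script(script: bytes) -> Optional[str]:
    """Return the script type only for an exactly well-formed standard form, else None."""
    n = len(script)
    # P2PKH: OP_DUP OP_HASH160 <20-byte push> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[0] == OP_DUP and script[1] == OP_HASH160 and script[2] == 0x14
            and script[23] == OP_EQUALVERIFY and script[24] == OP_CHECKSIG):
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte push> OP_EQUAL
    if n == 23 and script[0] == OP_HASH160 and script[1] == 0x14 and script[22] == OP_EQUAL:
        return "p2sh"
    # Native segwit v0: OP_0 <20-byte program> (P2WPKH) or OP_0 <32-byte program> (P2WSH)
    if n == 22 and script[0] == OP_0 and script[1] == 0x14:
        return "p2wpkh"
    if n == 34 and script[0] == OP_0 and script[1] == 0x20:
        return "p2wsh"
    return None


def validate_redeemer_output(script: bytes, allowed: frozenset = STANDARD_TYPES) -> str:
    """Accept a redeemer output script at the entry point, or raise with a reason."""
    kind = classify_output_script(script)
    if kind is None:
        raise ValueError("malformed or non-standard output script")
    if kind not in allowed:
        raise ValueError("%s outputs are not supported by this redemption flow" % kind)
    return kind


def build_script(kind: str, program: bytes) -> bytes:
    """Constructed test-vector builder for the standard forms."""
    if kind == "p2pkh":
        return bytes([OP_DUP, OP_HASH160, 0x14]) + program + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    if kind == "p2sh":
        return bytes([OP_HASH160, 0x14]) + program + bytes([OP_EQUAL])
    if kind in ("p2wpkh", "p2wsh"):
        return bytes([OP_0, len(program)]) + program
    raise ValueError(kind)


def run_test_vectors() -> Dict[str, Optional[str]]:
    """Constructed vectors (dummy hashes): the well-formed forms plus malformed variants."""
    h20, h32 = bytes(range(20)), bytes(range(32))
    vectors = {
        "p2pkh_ok": build_script("p2pkh", h20),
        "p2sh_ok": build_script("p2sh", h20),
        "p2wpkh_ok": build_script("p2wpkh", h20),
        "p2wsh_ok": build_script("p2wsh", h32),
        "p2wsh_short_program": bytes([OP_0, 0x20]) + h20,         # push length disagrees with data
        "p2pkh_truncated": build_script("p2pkh", h20)[:-1],       # missing OP_CHECKSIG
        "op_return": bytes([0x6A, 0x04]) + b"tbtc",               # OP_RETURN data carrier
        "p2pk": bytes([0x21]) + bytes(33) + bytes([OP_CHECKSIG]),  # bare pubkey, not a supported form
    }
    return {name: classify_output_script(s) for name, s in vectors.items()}


if __name__ == "__main__":
    for name, kind in run_test_vectors().items():
        print("%-20s -> %s" % (name, kind))
```

The classifier insists on exact lengths and opcode positions rather than prefix matching, so a script whose push length disagrees with its data is rejected instead of being partially accepted; the allow-list makes "which types this flow supports" an explicit decision at the entry point.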
Description of the event: Loopring disclosed a serious front-end bug: the private key material was generated from a 32-bit integer range, so each user's EdDSA key pair was effectively drawn from a space of only 2^32 values and all users' key pairs could be recovered by brute force. Because of this, Loopring Exchange was shut down for half a day for maintenance and an upgrade.
Amount of loss: - Attack method: System design defect
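The Loopring defect is about entropy, not the curve: a key pair derived from a seed with only 2^32 possible values can be recovered by enumerating the seeds, however strong EdDSA itself is. The following added example (a toy model written for this page, not Loopring's code; SHA-256 stands in for the curve-point derivation, and the throughput figure is an assumption) shows the brute force and the work factor.

```python
import hashlib
import secrets
from typing import Optional


def derive_pubkey(seed: int, seed_bytes: int = 4) -> bytes:
    """Toy stand-in for public-key derivation: SHA-256 of the fixed-width seed.
    Real EdDSA derives a curve point, but the brute-force cost depends only on
    how many seeds are possible, not on how the public key is derived."""
    return hashlib.sha256(seed.to_bytes(seed_bytes, "big")).digest()


def brute_force(pubkey: bytes, bits: int) -> Optional[int]:
    """Recover the seed by enumerating every `bits`-bit value: O(2**bits) derivations."""
    for seed in range(1 << bits):
        if derive_pubkey(seed) == pubkey:
            return seed
    return None


def seconds_to_exhaust(bits: int, derivations_per_second: float) -> float:
    """Worst-case wall-clock time to enumerate the whole seed space."""
    return (1 << bits) / derivations_per_second


def recover_weak_user(bits: int = 20) -> bool:
    """Simulate a user whose key was generated from a `bits`-wide seed and recover it."""
    user_seed = secrets.randbelow(1 << bits)       # the only randomness the victim had
    return brute_force(derive_pubkey(user_seed), bits) == user_seed


def strong_seed() -> int:
    """Correct generation: OS randomness at the full width the scalar field allows
    (256 bits here; pass seed_bytes=32 to derive_pubkey for such seeds)."""
    return secrets.randbits(256)


if __name__ == "__main__":
    print("recovered 20-bit seed:", recover_weak_user(20))
    # Assumed rate of 1e6 derivations/s on one CPU core; a 32-bit space is gone in about 72 minutes.
    print("2^32 seeds at 1e6/s: %.0f s" % seconds_to_exhaust(32, 1e6))
    print("2^256 seeds at 1e6/s: %.3g s" % seconds_to_exhaust(256, 1e6))
```

The exhaustion time scales with the seed space, so the front-end fix is to take the seed from OS randomness at the full width of the signature scheme's scalar field; the signing algorithm itself needs no change.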
Description of the event: Hegic: 152.2 ETH (about 28,537 USD) is permanently locked in the contract pool of unexercised put/call options. Of the 19 contracts, 16 are put options (DAI locked) and 3 are call options (ETH locked). Hegic said it would process a 100% refund for all affected users.
Amount of loss: $ 28,537 Attack method: Unknown
Description of the event: DeFi lending protocol Lendf.Me was hacked.
Amount of loss: $24,696,616 Attack method: ERC777 Reentrancy Attack