395 hack event(s)
Description of the event: The Onyx protocol suffered a security breach that resulted in a loss of over $3.8 million. The attacker exploited a known precision issue inherited from the Compound V2 code. In addition, the NFTLiquidation contract failed to validate untrusted user input, which allowed the attacker to inflate the self-liquidation reward amount and worsened the losses further.
Amount of loss: $ 3,800,000 Attack method: Contract Vulnerability
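The "known precision issue" in Compound V2 forks is the combination of a near-empty market with the floor division in redeemUnderlying: when only a handful of cToken units exist, a direct donation of underlying inflates the exchange rate so much that one cToken unit is worth hundreds of underlying, and the truncated share calculation then lets a redeemer take out almost the whole balance while burning a single unit. The Python model below is an added example, not Onyx's or Compound's code; the class, function names and amounts are constructed, and it makes no claim about the exact sequence of the Onyx incident, which the entry above does not spell out. It shows the arithmetic in an empty market and the same donation against a market seeded with locked shares.

```python
EXP_SCALE = 10**18  # Compound V2's mantissa scale for exchange rates


class CTokenMarket:
    """Minimal model of a Compound V2 cToken's mint/redeem integer math.

    Borrows and reserves are omitted (treated as zero) because they do not
    matter for the rounding issue; cToken units are tracked as raw integers.
    """

    def __init__(self, initial_exchange_rate_mantissa: int = 2 * 10**26):
        self.cash = 0           # underlying held by the market, in wei
        self.total_supply = 0   # cToken units outstanding
        self.initial_rate = initial_exchange_rate_mantissa

    def exchange_rate(self) -> int:
        # exchangeRate = (cash + borrows - reserves) * 1e18 / totalSupply,
        # or the initial rate while the market has no cTokens at all.
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * EXP_SCALE // self.total_supply

    def mint(self, underlying: int) -> int:
        # mintTokens = mintAmount * 1e18 / exchangeRate (floor division)
        tokens = underlying * EXP_SCALE // self.exchange_rate()
        self.cash += underlying
        self.total_supply += tokens
        return tokens

    def donate(self, underlying: int) -> None:
        # A plain ERC-20 transfer to the cToken contract raises cash without
        # minting any shares, so the exchange rate jumps for existing holders.
        self.cash += underlying

    def redeem_underlying(self, underlying: int) -> int:
        # redeemTokens = redeemAmountIn * 1e18 / exchangeRate, floored.
        # The floor is the precision issue: the fractional cToken unit that
        # should also have been burned is simply forgiven.
        tokens = underlying * EXP_SCALE // self.exchange_rate()
        if underlying > self.cash or tokens > self.total_supply:
            raise ValueError("insufficient cash or cTokens")
        self.cash -= underlying
        self.total_supply -= tokens
        return tokens


def empty_market_rounding_loss() -> dict:
    """Constructed scenario: a market with only 2 cToken units outstanding."""
    m = CTokenMarket()
    minted = m.mint(4 * 10**8)        # 4e8 wei at the initial rate -> 2 cToken units
    m.donate(1000 * 10**18)           # 1000 underlying donated, no shares minted
    withdrawn = m.cash - 1            # ask for everything but 1 wei
    burned = m.redeem_underlying(withdrawn)
    return {
        "minted": minted,             # 2
        "burned": burned,             # 1: truncation charged only one unit
        "withdrawn": withdrawn,       # ~1000 underlying for a single unit
        "remaining_cash": m.cash,     # 1 wei left behind the other unit
        "remaining_supply": m.total_supply,
    }


def seeded_market_max_rounding_loss() -> int:
    """Same donation against a market seeded with 1 underlying of locked shares.

    Returns the most underlying (in wei) a single redeem can gain from
    truncation, which is strictly less than one cToken unit's worth.
    """
    m = CTokenMarket()
    m.mint(10**18)                    # protocol-owned seed: 5e9 cToken units
    m.donate(1000 * 10**18)
    return m.exchange_rate() // EXP_SCALE
```

The per-redeem gain from truncation is bounded by the underlying value of one cToken unit, so the practical mitigation is to make sure that value stays tiny: seed every new market with liquidity whose shares are locked or burned, and refuse to list a market while its total supply is near zero.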
Description of the event: On September 24, ether.fi experienced a security incident involving its domain registrar, Gandi.net, resulting in the compromise of the ether[.]fi domain.
Amount of loss: - Attack method: DNS Attack
Description of the event: A crypto yield platform called Shezmu suffered a loss of around $4.9 million in $ShezUSD after an attacker exploited a flaw that allowed anyone to mint collateral, which they could then use to borrow ShezUSD. These tokens were relatively illiquid, however, so the total amount the attacker could have obtained was likely considerably less. Shortly after the attack, Shezmu offered a 10% "bounty" for the return of the funds. The attacker responded that they would only consider a 20% bounty. Shezmu agreed to the terms, and announced to their followers that they had achieved a recovery from the "white hat" hacker.
Amount of loss: $ 4,900,000 Attack method: Contract Vulnerability
Description of the event: The Immutable Discord server was compromised. According to an official tweet from Immutable, a community support contractor’s Discord was compromised, leading to a phishing link being posted.
Amount of loss: - Attack method: Account Compromise
Description of the event: The Compound community's Discord server was hacked. Do not click on any links until the situation is resolved.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to on-chain investigator ZachXBT on the X platform, the decentralized AI data network Masa suffered a hack on September 20, incurring losses exceeding six figures in USD. However, Masa did not disclose this hack to the community.
Amount of loss: - Attack method: Unknown
Description of the event: The official X account of the metaverse project Decentraland was hacked, and the hacker posted a fake phishing link. Avoid interacting with it.
Amount of loss: - Attack method: Account Compromise
Description of the event: Ethena Labs posted on X platform that their Ethena domain registrar account was recently compromised. They have taken measures to disable the website until further notice. The protocol is not affected, and funds are secure. Please do not interact with any sites or applications claiming to be the Ethena frontend.
Amount of loss: - Attack method: DNS Attack
Description of the event: Banana Gun stated on X that some users had experienced unauthorized wallet transfers, possibly stemming from a front-end vulnerability. Prioritizing security, the team kept the bot offline while it investigated the root cause. On September 25, Banana Gun announced on X that a total of 11 users were affected, with losses amounting to $3 million. All affected users will be fully compensated from the Banana Gun treasury, without selling any tokens for reimbursement. Following a thorough investigation by the Banana Gun development team and external experts, it was discovered that a potential vulnerability in the Telegram message oracle used by Banana Gun might have led to the attack.
Amount of loss: $ 3,000,000 Attack method: Unknown
Description of the event: Peer-to-peer trading platform OTSea's staking contract on Ethereum was exploited by an EOA, resulting in the theft of approximately $26,000.
Amount of loss: $ 26,000 Attack method: Unknown
Description of the event: Omnipus contracts were drained of approximately $30,000 during the OPUS token presale. The attack exploited a flaw in the refund logic: the contracts mistakenly concluded that the attacker had sent too much ETH and refunded the supposed excess.
Amount of loss: $ 30,000 Attack method: Contract Vulnerability
Description of the event: The Ethereum modular execution layer Fuel posted on X, stating that their official Discord had been attacked. Users are advised not to click on any suspicious links or provide any personal information.
Amount of loss: - Attack method: Account Compromise
Description of the event: NEAR's official account posted on X, stating that the official X account of NEAR Protocol had been hijacked. The hacker posted a series of messages attacking the crypto ecosystem.
Amount of loss: - Attack method: Account Compromise
Description of the event: The decentralized liquidity yield project Penpie was attacked, resulting in nearly $30 million in losses. According to the analysis by the SlowMist security team, the core issue of this incident lies in Penpie’s erroneous assumption that all markets created by Pendle Finance are legitimate when registering new Pendle markets. However, Pendle Finance’s market creation process is open, allowing anyone to create a market with customizable key parameters such as the SY contract address. Exploiting this, the attacker created a market contract with a malicious SY contract. They leveraged Penpie’s mechanism, which required calls to external SY contracts to claim rewards, and used flash loans to inject a large amount of liquidity into the market and pool, artificially inflating the rewards and profiting from it.
Amount of loss: $ 27,348,259 Attack method: Contract Vulnerability
Description of the event: The official ChainLink Discord has been hacked. Please do not click on any links until the situation is resolved.
Amount of loss: - Attack method: Account Compromise
Description of the event: The stablecoin protocol Usual posted on X to alert users that its official Discord server has been hacked. Please do not click on any links.
Amount of loss: - Attack method: Account Compromise
Description of the event: Australian blockchain energy technology company Powerledger posted on X that its Telegram channel has been hacked. They advise users not to engage with or share any information as they are currently working to resolve the issue.
Amount of loss: - Attack method: Account Compromise
Description of the event: The DeFi lending platform Aave was attacked through a contract vulnerability. The attack occurred in a smart contract outside of Aave's core protocol, one used to let users repay loans with their existing collateral. The attacker exploited an arbitrary external call issue and stole around $56,000 from these peripheral contracts. Aave representatives emphasized that the attack posed no risk to user funds and did not affect the security of the core Aave protocol.
Amount of loss: $ 56,000 Attack method: Contract Vulnerability
Description of the event: Vow suffered an attack due to a contract vulnerability, resulting in a loss of approximately $1.2 million.
Amount of loss: $ 1,200,000 Attack method: Contract Vulnerability
Description of the event: The official Discord server of RARI Foundation has been hacked. Please refrain from using the server until the team has regained control.
Amount of loss: - Attack method: Account Compromise