243 hack event(s)
Description of the event: Ethscriptions.com was hacked, and about 123 individual addresses lost a total of about 202 Ethscriptions. The total value lost is unclear. Based on the current lowest price of $14, the loss is at least $2,828. Ethscriptions creator Tom Lehman stated that this is not a vulnerability in the Ethscriptions protocol but in a specific smart contract (0x3ca843b98a2fe8ef69bb0f169afad3812c275f5e). The protocol itself and other applications running on it are not affected in any way. Lehman also accepted responsibility for the incident, explaining that the vulnerability can be traced back to a smart contract he and Indelible Labs co-founder Michael Hirsch created. Reportedly, a small piece of code in that contract allowed people to withdraw Ethscriptions that did not belong to them from the marketplace. Lehman also said that the Ethscriptions.com marketplace will be relaunched and that he has been in touch with many users affected by the bug.
Amount of loss: $ 2,828 Attack method: Contract Vulnerability
Description of the event: Arcadia Finance was attacked on Ethereum and Optimism, with total attacker profits of $400K. The root cause is in the function vaultManagementAction: the attacker can first transfer all the assets to a contract under their control and then re-enter the function liquidateVault to liquidate the vault. In this case, the global variable "isTrustedCreditorSet" is set to false and the collateral check can be bypassed.
Amount of loss: $ 455,000 Attack method: Contract Vulnerability
Description of the event: CivFund's ETH contract was attacked and lost $180,000. The attacker calls uniswapV3MintCallback to transfer funds approved by other users. Please revoke approval for the contract under attack as soon as possible.
Amount of loss: $ 180,000 Attack method: Unknown
Description of the event: Mike Wazowski Monsters Inc $MIKE and Sid Ice Age $SID on the Ethereum chain have been rugged via a backdoor function that allows unlimited minting of tokens. The scammer has profited 87.9 $ETH, equivalent to about $171,000.
Amount of loss: $ 171,000 Attack method: Contract Vulnerability
Description of the event: The Smurfs Coin project is an exit scam, and the contract deployer sold the tokens on June 13 and removed a total of 227 ETH (approximately $423,000) of liquidity. The contract address is ETH: 0x5F250ed62CF3E5cF25F4F370d35D04782b0678a3, not to be confused with a project with a similar name.
Amount of loss: $ 423,000 Attack method: Rug Pull
Description of the event: Themis, a crypto lending protocol, suffered an oracle manipulation attack, and the attackers stole approximately $370,000. The hack was due to a flawed oracle, which was exploited to inflate the B-wstETH-WETH-Stable-gauge price. Specifically, a deposit of 54.6 B-wstETH-WETH-Stable-gauge (obtained by joining the Balancer pool with 55 WETH) was able to borrow 317 WETH, essentially draining the lending funds.
Amount of loss: $ 370,000 Attack method: Oracle Attack
Description of the event: Stablecoins worth 105,800 (36,000 USDC and 69,960,000 USDT) were stolen from the DEP/USDT and LEV/USDC pools. The attackers received 1 ETH of initial funding from Tornado Cash.
Amount of loss: $ 105,800 Attack method: Unknown
Description of the event: The DeFi lending protocol Sturdy is suspected to have been hacked, and on-chain data suggests that the attack may have been carried out through price manipulation. The attackers have transferred 442.6 ETH to Tornado Cash.
Amount of loss: $ 770,000 Attack method: Price Manipulation
Description of the event: The LSDFi protocol unshETH stated that at around 22:00 on May 31, one of the deployment private keys of the unshETH contract was leaked. As a precaution, the team has urgently suspended withdrawals of unshETH's ETH. According to the security model, unshETH's ETH deposits (TVL up to 35 million US dollars) are protected by multi-signature plus a time lock and are not at risk.
Amount of loss: $ 375,000 Attack method: Private Key Leakage
Description of the event: On-chain detective ZachXBT tweeted that a Rug Pull occurred on Pixel Penguin, a charity project created by Hopeexist1, which claimed to raise funds to help him fight cancer. At present, the social accounts of Hopeexist1 and Pixel Penguin have been deleted, and the Pixel Penguin contract is worth only $117,000 (61.686 ETH).
Amount of loss: $ 117,000 Attack method: Rug Pull
Description of the event: Twitter user @ChrisONCT cited on-chain data to expose a suspected scam meme coin project, Waifu AI World (WFAI). The token economics announced by the project stated that 95% of the supply was allocated to LPs. However, shortly after WFAI went online, 4 new wallets spent a total of 14.4 ETH in four transactions to purchase 647 trillion WFAI, accounting for approximately 83.2% of supply (777 trillion). At present, the project team has blacklisted the wallets that purchased 457 trillion WFAI, and the total supply of WFAI is now 320 trillion, which means that 190 trillion tokens are held by insiders, accounting for 60% of the total token supply. In addition, DWF Labs spent about 20 ETH to purchase 624.9 billion WFAI yesterday afternoon, and the DEXTools trust score changed from extremely low to extremely high within a few hours.
Amount of loss: - Attack method: Scam
Description of the event: A MEV bot (0xb2…2B96 is the MEV bot call contract, 0xb4…0343 is the single-use MEV bot) borrowed 95,000 WETH (worth nearly $180 million) via flash loan to attack Sashimi Swap. The bot swept away the last remaining money in Sashimi’s investment contract and slETH contract, but only about $3,500. It is reported that Sashimi Swap was attacked in December 2021 and lost $210,000, and the project was subsequently abandoned.
Amount of loss: $ 3,500 Attack method: Flash Loan Attack
Description of the event: The perpetual DEX El Dorado Exchange (EDE) is suspected to have been attacked with losses of about $580,000, and an address has been sending small amounts of money to Arbitrum's ELP-1 pool and withdrawing large amounts immediately afterwards. The attacker claimed that the protocol backdoor allowed the developer to force the liquidation of any positions and would return the funds if the developer admitted to price manipulation. 334,000 USDC were returned by the attacker on May 30, and EDE founder Dorado said that the attacker should not be forced to do anything regardless of their moral stance. Dorado also revealed that the attackers charged 10% of the stolen funds as a fee when returning them.
Amount of loss: $ 580,000 Attack method: Contract Vulnerability
Description of the event: The WEEB project suffered a price manipulation attack. The hacker used the performUpkeep function in the WEEB token to burn a large balance of WEEB tokens held in the pair, thereby increasing the price of WEEB and making a profit of 16 ETH.
Amount of loss: 16 ETH Attack method: Price Manipulation
Description of the event: The Ethereum-based meme cryptocurrency FLOKI has suffered a flash loan attack with a loss of over $50,000. Stolen TX: https://etherscan.io/tx/0x118b7b7c11f9e9bd630ea84ef267b183b34021b667f4a3061f048207d266437a
Amount of loss: $ 50,000 Attack method: Flash Loan Attack
Description of the event: Hakuna Matata ($HAKUNA) Rugged. The scammer initially obtained 2.76 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T HAKUNA for 17 ETH ($31,683.11), and staked 13.5 ETH with Lido.
Amount of loss: $ 31,683.11 Attack method: Rug Pull
Description of the event: FTX ($HIS) Rugged. The scammer initially obtained 2.76 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T HIS for 13 ETH ($24,568.11), and staked 11.5 ETH with Lido.
Amount of loss: $ 24,568.11 Attack method: Rug Pull
Description of the event: Freddie ($FREDDIE) has Rugged. The scammer initially obtained 2.96 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T FREDDIE for 28 ETH ($52,344.4), and staked 22.5 ETH with Lido.
Amount of loss: $ 52,344.4 Attack method: Rug Pull
Description of the event: Derpman ($DMAN) Rugged. The scammer initially obtained 4 ETH from Binance, added 3 ETH to liquidity, then exchanged 1,200T DMAN for 48.55 ETH ($89,611.09), and transferred the ETH to 0x4d1f…915.
Amount of loss: $ 89,611.09 Attack method: Rug Pull
Description of the event: GeniusMeme ($GNS) has Rugged 33.6 ETH ($62,180.81). The scammer initially received 4 ETH from Binance and added 3 ETH to liquidity.
Amount of loss: $ 62,180.81 Attack method: Rug Pull