440 hack event(s)
Description of the event: After about 48 hours on the Ethereum and Bitcoin mainnets, the Keep team triggered the 10-day emergency deposit pause permitted by the TBTCSystem contract, after finding that redemptions that used certain types of Bitcoin addresses were getting stuck. The decision followed a serious issue in the contract's redemption flow that put the signers of open deposits at risk of liquidation. The team summarized the causes as follows: 1. The Keep team did not run additional tests after the new commit was proposed, and so missed the chance to catch the issue during development. 2. During the dApp-based manual QA process, the team did not verify that a redemption reported as successful in the UI actually resulted in a closed deposit on-chain, and so missed the chance to find the issue during manual QA. 3. The team did not adequately consider input validation at the entry point of redemption; this is one of the relatively few pieces of data in the system that is completely user-controlled and should therefore be a top priority for input validation. 4. The team did not spend enough time generating Bitcoin test vectors for unit tests.
Amount of loss: - Attack method: Insufficient testing
Description of the event: Loopring suffered a serious front-end bug: the private key material was generated within the range of a 32-bit integer, so every user's EdDSA key pair was effectively confined to a space of 2^32 values and could be recovered by brute force. As a result, Loopring Exchange was shut down for half a day for maintenance and an upgrade.
Amount of loss: - Attack method: System design defect
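The Loopring entry above turns on a single point: once the secret is drawn from only 2^32 values, the strength of the curve, hash or signature scheme is irrelevant, because the public key can be inverted by enumeration. The following is an added example, not Loopring's code; it uses a constructed discrete-log group (a 127-bit prime modulus and the generator 3) as a stand-in for the real EdDSA curve, and the seed sizes are chosen so the demonstration runs in about a second. It generalizes the page's 32-bit case to any seed width.

```python
"""Added example (not Loopring's code): why a 32-bit secret space is fatal.

The scheme here is a generic discrete-log public key over a large group,
so the group itself is not the weak point.  If the secret scalar is drawn
from only 2**k values, anyone can invert a public key by enumerating those
values; the curve, hash and signature algorithm never enter into it.  The
modulus, generator and seed sizes below are constructed for this demo.
"""
import secrets
from typing import Optional, Tuple

# Constructed demo group: a 127-bit Mersenne prime and a fixed generator.
# A real EdDSA deployment uses a curve point instead; the argument is the same.
P = 2**127 - 1
G = 3


def keypair_from_seed(seed: int) -> Tuple[int, int]:
    """Derive (secret, public) from a seed.

    A real scheme would hash and clamp the seed first, but hashing does not
    enlarge the space: 2**32 seeds still yield at most 2**32 distinct keys.
    """
    secret = seed
    public = pow(G, secret, P)
    return secret, public


def keygen(seed_bits: int) -> Tuple[int, int]:
    """Generate a key pair whose seed carries only `seed_bits` bits of entropy.

    seed_bits=32 reproduces the class of bug described above; 256 is what a
    properly CSPRNG-backed key should use.
    """
    return keypair_from_seed(secrets.randbits(seed_bits))


def brute_force_secret(public: int, seed_bits: int) -> Optional[int]:
    """Recover the secret from the public key by enumerating every seed.

    Each step is one modular multiplication (acc == G**guess mod P), so the
    cost is linear in 2**seed_bits: well under a second for 2**20 in CPython,
    minutes to an hour on one core for 2**32, and hopeless for 2**256.
    """
    acc = 1  # G**0 mod P
    for guess in range(1 << seed_bits):
        if acc == public:
            return guess
        acc = acc * G % P
    return None


def demo(seed_bits: int = 20) -> bool:
    """Generate a weak key and confirm an attacker recovers it exactly."""
    secret, public = keygen(seed_bits)
    recovered = brute_force_secret(public, seed_bits)
    return recovered == secret


if __name__ == "__main__":
    print("2**20-seed key recovered by enumeration:", demo(20))
```

The fix is not a faster or cleverer key derivation but a wider seed: the enumeration loop above is the entire attack, and its running time is set solely by the number of possible seeds.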
Description of the event: Hegic: funds worth 152.2 ETH (about 28,537 USD) belonging to 19 unexercised option contracts were permanently locked in the contract's liquidity pool. Of the 19 contracts, 16 were put options (locking DAI) and 3 were call options (locking ETH). Hegic said it would refund all affected users in full.
Amount of loss: $28,537 Attack method: Unknown
Description of the event: The DeFi lending protocol Lendf.Me was hacked through a reentrancy attack that abused the ERC777 transfer hook of the imBTC token.
Amount of loss: $24,696,616 Attack method: ERC777 Reentrancy Attack
Description of the event: The attacker used a reentrancy attack, entered through the imBTC token's ERC777 transfer hook, to drain approximately 1,278 ETH from Uniswap's ETH-imBTC liquidity pool.
Amount of loss: 1,278 ETH Attack method: ERC777 Reentrancy Attack
Description of the event: Amid Ethereum network congestion, gas prices spiked and liquidators' bids failed to land, so liquidated ETH collateral was won in MakerDAO's collateral auctions for bids of 0 DAI (nominally $0), exploiting a flaw in the liquidation auction mechanism.
Amount of loss: $ 7,900,000 Attack method: Liquidation Mechanism Flaw
Description of the event: bZx was attacked a second time, with an estimated loss of $645,000 in ETH.
Amount of loss: $645,000 Attack method: Oracle Attack
Description of the event: The DeFi lending protocol bZx was exploited, with a loss of up to $350,000.
Amount of loss: $350,000 Attack method: Oracle Attack
Description of the event: Synthetix, a synthetic asset issuance platform built on Ethereum, suffered an oracle attack in which the attacker obtained over 37 million sETH, according to Etherscan. The true dollar value is difficult to estimate given the relative illiquidity of sETH on secondary markets.
Amount of loss: 35,759,524 sETH Attack method: Oracle Attack
Description of the event: Fountain (FTN) had an integer overflow vulnerability; the attacker exploited it by calling batchTransfers.
Amount of loss: - Attack method: Overflow
Description of the event: The attacker deployed a malicious contract masquerading as an ERC20 token whose transfer function repeatedly re-entered the payment channel contract, draining some ETH on each call.
Amount of loss: 165.38 ETH Attack method: Reentrancy attack
Description of the event: Ethereum Fomo 3D was hacked: the attacker flooded the network with high-gas-price transactions that filled blocks, so no other player could buy a key before the round timer expired, and the attacker, as the last key holder, claimed the prize pool.
Amount of loss: 10,469.66 ETH Attack method: Transaction congestion attack
Description of the event: Ethereum Fomo 3D came under DDoS attack; 24-hour visits to the Fomo 3D website fell 21.95% and 24-hour volume fell 38.32%.
Amount of loss: - Attack method: DDoS Attack
Description of the event: The theft from the Bancor platform involved the BancorConverter contract; the attacker (an external hacker or an insider) very likely obtained the private key of 0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c.
Amount of loss: 24,984 ETH, 3,236,967 BNT, 229,356,645 NPXS Attack method: Private Key Leakage
Description of the event: The EDU smart contract has a critical vulnerability: its transferFrom function does not check the caller's allowance, so anyone can transfer EDU tokens out of any account.
Amount of loss: - Attack method: Logic Vulnerability
Description of the event: According to the SlowMist Zone disclosure, the BAI smart contract has the same vulnerability as EDU and allows anyone to transfer BAI tokens out of any account. A large number of accounts have already been robbed.
Amount of loss: - Attack method: Logic Vulnerability
Description of the event: SmartMesh (SMT) has an integer overflow vulnerability of the same kind as BEC's.
Amount of loss: $ 140,000,000 Attack method: Overflow
Description of the event: A hacker exploited an integer overflow in the batchTransfer function of the BeautyChain (BEC) smart contract to transfer a huge quantity of BEC tokens to two addresses. The tokens were dumped on the market, the price collapsed to almost zero, and the BEC market was dealt a crushing blow.
Amount of loss: $ 1,000,000,000 Attack method: Overflow
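The FTN, SMT and BEC entries above all describe the same bug class: a batch transfer that multiplies the recipient count by the per-recipient value in wrapping uint256 arithmetic and then checks the sender's balance against the wrapped result. The following is an added example, not code from any of those projects; it emulates Solidity's pre-0.8 wrapping semantics in Python, places the vulnerable multiply beside a SafeMath-style checked one, and generalizes the two-address BEC case to any batch size. The token model, account names and balances are constructed for the demo.

```python
"""Added example (not BEC's, SMT's or FTN's code): the unchecked-multiply
overflow behind the batchTransfer incidents, emulated in Python.

Solidity below 0.8 wraps uint256 arithmetic silently.  A batchTransfer that
computes amount = len(receivers) * value and then checks balance >= amount
can be fed a value so large that the product wraps past 2**256 to a tiny
number: the check passes, the sender's balance barely moves, and every
receiver is credited the astronomical `value`.  The token model, names and
balances below are constructed for the demo.
"""
from typing import Dict, List

MODULUS = 2**256
UINT256_MAX = MODULUS - 1


class Overflow(Exception):
    """Raised on the hardened path where Solidity >=0.8 (or SafeMath) reverts."""


def wrap(x: int) -> int:
    """Solidity <0.8 semantics: reduce modulo 2**256 without complaint."""
    return x % MODULUS


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiply: revert instead of wrapping."""
    product = a * b
    if product > UINT256_MAX:
        raise Overflow(f"{a} * {b} exceeds uint256")
    return product


class BatchToken:
    """Minimal token exposing the vulnerable batchTransfer pattern."""

    def __init__(self, balances: Dict[str, int], safe_math: bool):
        self.balances = dict(balances)
        self.safe_math = safe_math

    def batch_transfer(self, sender: str, receivers: List[str], value: int) -> int:
        """Debit cnt * value from sender, credit value to each receiver.

        Returns the `amount` actually debited, which is the tell-tale number.
        """
        cnt = len(receivers)
        if not 0 < cnt <= 20:
            raise ValueError("batch size out of range")
        if self.safe_math:
            amount = checked_mul(cnt, value)   # hardened: reverts on overflow
        else:
            amount = wrap(cnt * value)         # vulnerable: silently wraps
        if not (value > 0 and self.balances.get(sender, 0) >= amount):
            raise ValueError("insufficient balance")
        self.balances[sender] = wrap(self.balances.get(sender, 0) - amount)
        for r in receivers:
            self.balances[r] = wrap(self.balances.get(r, 0) + value)
        return amount


def overflow_value(cnt: int) -> int:
    """Smallest `value` for which cnt * value wraps to a number below cnt.

    For cnt == 2 this is 2**255, the figure seen in the BEC attack; the
    general form, which the page does not show, works for any batch size.
    """
    return -(-MODULUS // cnt)   # ceil(2**256 / cnt)


def run_attack(safe_math: bool) -> Dict[str, int]:
    """An attacker holding zero tokens tries to mint to two addresses."""
    token = BatchToken({"attacker": 0}, safe_math=safe_math)
    receivers = ["attacker_addr_1", "attacker_addr_2"]
    try:
        token.batch_transfer("attacker", receivers, overflow_value(len(receivers)))
    except Overflow:
        pass   # hardened contract reverts; balances untouched
    return token.balances


if __name__ == "__main__":
    print("vulnerable:", run_attack(safe_math=False))
    print("hardened:  ", run_attack(safe_math=True))
```

Note that the attacker needs no balance at all: with cnt == 2 and value == 2**255 the wrapped `amount` is exactly 0, so `balances[sender] >= 0` holds for anyone. The hardened path raises before any state is touched, matching the revert a Solidity >=0.8 or SafeMath contract would perform.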
Description of the event: On July 19, 2017, Parity, the Ethereum multi-signature wallet developer, issued a security alert notifying users of a serious vulnerability in its wallet contract, version 1.5 and later. The same day, a black hat hacker exploited the flaw, calling the wallet's unprotected initWallet function to take ownership, to drain the Parity multisig wallets of three Ethereum projects, stealing a total of 153,037 ETH from Swarm City, Edgeless and Aeternity.
Amount of loss: 153,037 ETH Attack method: Unauthorized operation
Description of the event: The DAO, a smart contract running on Ethereum, suffered a reentrancy attack.
Amount of loss: $ 60,000,000 Attack method: Reentrancy attack
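The DAO entry, the ETH-imBTC Uniswap pool and Lendf.Me entries, and the fake-ERC20 payment channel entry above share one defect: the contract hands control to an external party (an ETH send to a contract with a fallback, an ERC777 token hook, a token's transfer function) before updating its own ledger, so a second call during that window still sees the old balance. The following is an added example, not code from any of those projects; it models the pattern in Python with a constructed vault, honest accounts and an attacker, and shows the checks-effects-interactions ordering that closes it.

```python
"""Added example (not code from The DAO, Uniswap, Lendf.Me or the payment
channel above): the reentrancy pattern those incidents share, modelled in
Python.

Each victim handed control to an external party before updating its own
accounting.  During that call the caller's ledger still shows the old
balance, so a nested withdraw passes the check.  The vault, accounts and
amounts below are constructed for the demo.
"""
from typing import Dict, Tuple


class Account:
    """An externally owned account: receiving value runs no code."""

    def __init__(self, name: str):
        self.name = name
        self.received = 0

    def receive(self, vault: "Vault", amount: int) -> None:
        self.received += amount


class Vault:
    """Pool that tracks per-user balances and pays out on withdraw.

    `held` models the ETH the EVM says the contract owns (debited the moment
    value is sent); `ledger` is the contract's own bookkeeping, which is what
    goes stale in the vulnerable ordering.
    """

    def __init__(self, checks_effects_interactions: bool):
        self.cei = checks_effects_interactions
        self.ledger: Dict[Account, int] = {}
        self.held = 0

    def deposit(self, who: Account, amount: int) -> None:
        self.ledger[who] = self.ledger.get(who, 0) + amount
        self.held += amount

    def withdraw(self, who: Account) -> None:
        amount = self.ledger.get(who, 0)
        if amount <= 0 or self.held < amount:
            raise ValueError("nothing to withdraw")
        if self.cei:
            # Hardened: zero the ledger BEFORE the external call.
            self.ledger[who] = 0
            self.held -= amount
            who.receive(self, amount)
        else:
            # Vulnerable: external call first, ledger updated afterwards.
            self.held -= amount
            who.receive(self, amount)      # attacker re-enters here
            self.ledger[who] = 0


class Attacker(Account):
    """Contract whose receive hook re-enters withdraw while the ledger is stale."""

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        owed = vault.ledger.get(self, 0)
        if owed > 0 and vault.held >= owed:
            vault.withdraw(self)


def run(cei: bool) -> Tuple[int, int]:
    """Return (attacker_received, vault_held_after) for the chosen ordering."""
    vault = Vault(checks_effects_interactions=cei)
    for i in range(9):
        vault.deposit(Account(f"user{i}"), 10)   # 90 units of honest deposits
    attacker = Attacker("attacker")
    vault.deposit(attacker, 10)                  # attacker's own 10 units
    vault.withdraw(attacker)
    return attacker.received, vault.held


if __name__ == "__main__":
    print("vulnerable ordering (attacker got, vault left):", run(cei=False))
    print("checks-effects-interactions:                   ", run(cei=True))
```

With the vulnerable ordering the attacker's 10-unit deposit drains the whole 100-unit pool in ten nested calls; with the ledger zeroed first, the nested call finds nothing owed and stops after the legitimate 10. A reentrancy guard (a mutex set for the duration of withdraw) is the other standard mitigation, and is worth adding even when the ordering is already correct, since a later refactor can reintroduce the interaction-before-effect order without anyone noticing.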