395 hack event(s)
Description of the event: An external attacker gained access to credentials for managing Nexera Fundrs platform's smart contracts. Using these credentials, the attacker transferred NXRA tokens from Fundrs' staking contracts on Ethereum. Out of the 47.24 million NXRA tokens stolen, the attacker was only able to sell 14.75 million tokens (approximately $449,000). Nexera successfully removed the remaining 32.5 million NXRA balance from the attacker's wallet, preventing further loss.
Amount of loss: $ 1,830,000 Attack method: Malware Attack
Description of the event: According to monitoring by the SlowMist security team, SATOSHI (SATS) was attacked on Ethereum on August 3rd.
Amount of loss: $ 5,000 Attack method: Contract Vulnerability
Description of the event: According to an official tweet from Ethereum Layer 2 network Starknet, their Discord server has been compromised. The official team advises users not to click on any links until the situation is fully resolved.
Amount of loss: - Attack method: Account Compromise
Description of the event: Convergence Finance was attacked. 58M CVG (the whole portion of tokens dedicated to staking emissions) were minted and sold by the hacker for approximately $210,000; approximately $2,000 of unclaimed rewards from Convex were also stolen. The root cause of the exploit was a lack of validation of the user-supplied input to the function claimMultipleStaking of the reward distribution contract.
Amount of loss: $ 210,000 Attack method: Contract Vulnerability
Description of the event: The Ethereum Layer 2 network Metis issued a warning on Twitter stating that their Discord has been compromised. They advised users not to click on any "airdrop links" or any other links.
Amount of loss: - Attack method: Account Compromise
Description of the event: DeFi protocol Spectra suffered an attack, resulting in a loss of approximately $550,000. Spectra has disabled the application and terminated the router contract to contain the situation, while the core protocol contract remains unaffected. Security personnel Chaofan Shou indicated that the attack stemmed from an arbitrary call in the router contract, allowing the attacker to drain all tokens approved by the contract. On July 24th, Spectra released a security incident analysis report, stating that the attacker hijacked user transactions on Spectra, affecting a total of 4 wallets and causing a loss of approximately 168 ETH. The core protocol contract of Spectra remains unaffected, with the funds within the contract secure. The application was restored on the morning of July 24th.
Amount of loss: $ 550,000 Attack method: Contract Vulnerability
Description of the event: The Fake Base Dawgz on Ethereum is suspected of a rug pull, resulting in a loss of over $113,000.
Amount of loss: $ 113,000 Attack method: Rug Pull
Description of the event: The liquidity restaking protocol Renzo tweeted that the Renzo Discord server has been compromised by malicious attackers. Please do not click on any links posted in the server.
Amount of loss: - Attack method: Account Compromise
Description of the event: On July 22, 2024, Kelp's DApp began displaying malicious wallet transactions aimed at draining funds. Kelp's engineering team evaluated the situation and identified the root cause as faulty nameservers routing users to different application code that attempted to phish them. The attackers gained access to Kelp’s domain registrar account by impersonating the Kelp team: they convinced GoDaddy’s customer support that they were the legitimate owners of the account, bypassing the 2FA that was in place.
Amount of loss: - Attack method: DNS Attack
Description of the event: A misconfiguration in the Rho Markets lending protocol allowed an MEV bot operator to take $7.6 million from the project's users across multiple chains. The MEV bot operator sent an on-chain message indicating their willingness to return all the funds. Subsequently, the MEV bot operator returned the funds as planned.
Amount of loss: $ 7,600,000 Attack method: Oracle Misconfiguration
Description of the event: According to Fuzzland co-founder Chaofan Shou, the cross-chain lending protocol Minterest was attacked. The attacker used a flash loan attack, resulting in a loss of approximately $1.4 million for the protocol.
Amount of loss: $ 1,400,000 Attack method: Flash Loan Attack
Description of the event: According to on-chain sleuth ZachXBT, the Ethena Discord server has been hacked. Do not click on any links for the time being.
Amount of loss: - Attack method: Account Compromise
Description of the event: Dough Finance was attacked due to a contract vulnerability. Some unauthorized funds were extracted by hackers, resulting in a loss of approximately $2.1 million. Around 76 ETH (approximately $260,000) has been returned by white hat hackers.
Amount of loss: $ 2,100,000 Attack method: Contract Vulnerability
Description of the event: Compound DAO security advisor Michael Lewellen tweeted that the Compound Finance official website (http://compound.finance) has been compromised and is currently hosting a phishing site. Do not interact with the site until further notice.
Amount of loss: - Attack method: DNS Attack
Description of the event: The OpSec staking contract was maliciously upgraded, allowing the attacker to withdraw and sell OPSEC tokens worth approximately 59 ETH (around $182,000).
Amount of loss: $ 182,000 Attack method: Security Vulnerability
Description of the event: According to Cyber's official Twitter, the Discord server @BuildOnCyber of the decentralized social L2 Cyber (formerly CyberConnect) was compromised. A phishing link was posted in the announcements channel and all permissions have been stripped. Do not interact with the attached announcement and do not click any links.
Amount of loss: - Attack method: Account Compromise
Description of the event: APEMAGA on Ethereum is suspected to have been attacked, resulting in a loss of approximately $32,000.
Amount of loss: $ 32,000 Attack method: Unknown
Description of the event: According to the latest official blog post by the Ethereum Foundation, their email account was hacked, and phishing emails were sent to 35,794 recipients. The email falsely claimed that the Foundation was partnering with LidoDAO to offer a 6.8% Ethereum staking yield. If users clicked the link in the email and approved the transaction, their wallets would be drained. The Foundation quickly halted the malicious emails, closed the attack vector, and ensured that the hackers could no longer access the email account. The investigation revealed that the hackers obtained 81 new email addresses during the attack, but no victims lost any funds.
Amount of loss: - Attack method: Account Compromise
Description of the event: The meme coin WIFCOIN_ETH was suspected to be attacked, with a loss of ~$16K.
Amount of loss: $ 16,000 Attack method: Unknown
Description of the event: After the attack on June 10, UwU Lend was exploited again by the same attacker, resulting in a loss of $3.72 million. The attacker held a significant amount of USDE tokens obtained from the first attack, which allowed them to leverage the remaining USDE funds and drain other UwU lending pools.
Amount of loss: $ 3,720,000 Attack method: Contract Vulnerability