308 hack event(s)
Description of the event: The FriendChipsTech token on ETH was suspected to be a rug pull, resulting in a loss of ~$77.5K. The exploiter created a malicious contract (0x1dB0B6012D64452ED6aa98e87F7c308DB0281E40) to mint tokens and dump them for ~$77.5K which has already been deposited to Tornado Cash.
Amount of loss: $ 77,500 Attack method: Rug Pull
Description of the event: OxODexPool suffered from a flash loan. ETH: 0x6128d5F7c64Dab48a1C66f9D62EaeFa1d5aA03ed. Approximately 40 ETH (~$61k) was lost. The stolen funds currently reside in the attacker's wallet.
Amount of loss: $ 61,000 Attack method: Flash Loan Attack
Description of the event: On September 10, according to on-chain intelligence from the SlowMist security team, when the LDO token contract is processing a transfer operation, if the transfer amount exceeds the amount actually held by the user, the operation will not trigger the rollback of the transaction. Instead, it will directly return a `false` as the processing result. This approach is different from many common ERC20 standard token contracts. Due to the above characteristics, there is a potential risk of "fake top-up", and malicious attackers may try to use this feature to conduct fraud. On September 11, Lido stated that this behavior was expected and complies with ERC20 token standards. LDO and stETH are still safe. The Lido Token Integration Guide will be updated with LDO details to show this more obviously.
Amount of loss: - Attack method: False top-up
Description of the event: On September 9, PEPE stated on Twitter that PEPE’s old Telegram account had been hacked and was no longer under official control. The Twitter account "lordkeklol" has been compromised and used to perpetrate scams and is in no way affiliated with PEPE or its team members. All official information from PEPE will be released via its Twitter account in the coming weeks.
Amount of loss: - Attack method: Telegram was hacked
Description of the event: There is a large liquidity removal on Haribo. Owner removed ~24 ETH ($35.4k) from the tokens LP. Token appears to be a honeypot. Token Contract: 0x582992190976d9d96e5ABbB711259744A00e809e.
Amount of loss: $ 35,400 Attack method: Rug Pull
Description of the event: A fake Lybra Finance token executed a exit scam on September 5th. Deployer added 60 WETH to LP and removed 83 WETH, profiting 23 WETH (~$37k).
Amount of loss: $ 37,000 Attack method: Rug Pull
Description of the event: The encrypted gambling platform Stake.com has been attacked, including the ETH/Polygon/BSC chain, and the loss has reached 41 million US dollars. On September 5, Stake co-founder Edward Craven confirmed the hack but said the platform’s private keys had not been compromised. Craven said the attack was a "sophisticated breach" that targeted the company's services used to authorize transactions on the Ethereum, Polygon and BNB Chain blockchains. On September 6, the US Federal Bureau of Investigation (FBI) stated that the North Korean hacker group Lazarus Group was responsible for the Stake.com attack.
Amount of loss: $ 41,000,000 Attack method: Wallet Stolen
Description of the event: The CoredeFinance project performed an exit scam and EOA (0x18500) made a profit of 27 ETH (~$43,900).
Amount of loss: $ 43,900 Attack method: Rug Pull
Description of the event: The BabyShia project implemented an exit scam. The deployer (0xCbcd8) has earned 133 ETH (about $226,000).
Amount of loss: $ 226,000 Attack method: Rug Pull
Description of the event: For months, Ethereum layer 2 solution Starkware has repeatedly warned users that their funds would be lost if they did not take action before upgrading, but some users apparently did not see these notifications, which resulted in many users being locked out. Locked out of StarkWare accounts, losing access to funds, totaling $550,000 in affected accounts. Due to community pressure, Starkware has re-enabled the ability to upgrade wallets.
Amount of loss: $ 550,000 Attack method: Wallet not upgraded
Description of the event: PEPE said on Twitter that 16 trillion pieces of PEPE were sold yesterday because three former members deleted the multi-signature permissions after stealing tokens. However, Jeremy Cahen, founder of the NFT market Not Larva Labs, issued a post saying that the "truth" announced by PEPE was a complete lie, and said that he and the community were used by the PEPE team. On August 26, PEPE tweeted that PEPE's Telegram group is currently locked, the group owner's old Telegram account was hacked, and the group has been taken over by hackers.
Amount of loss: $ 15,080,000 Attack method: Insider Manipulation
Description of the event: Balancer says it has received reports of a critical vulnerability affecting multiple V2 pools. Emergency mitigation procedures have been implemented to secure the majority of TVL, but some funds remain at risk. Users are advised to immediately withdraw affected LPs. According to news on August 28, Balancer’s losses have exceeded $2.1 million, and multiple fund pools on Ethereum, Fantom, and Optimism have been affected.
Amount of loss: $ 2,100,000 Attack method: Flash Loan Attack
Description of the event: The DeFi lending protocol Exactly Protocol was attacked and lost more than 7,160 ETH (approximately $12.04 million). The two contract attackers attack by calling the function kick() multiple times and use the developer contract on Ethereum to transfer deposits to Optimism and eventually transfer the stolen funds back to Ethereum. The root cause of the Exactly Protocol attack is #insufficient_check, the attacker bypasses the permission check in the leverage function of the DebtManager contract by directly passing an unverified fake market address and changing _msgSender to the victim address. Then, in an untrusted external call, the attacker re-enters the crossDeleverage function in the DebtManager contract and steals the collateral from the _msgSender class. Exactly Protocol tweeted that the suspension of the agreement has been lifted, users can perform all operations, and no liquidation has occurred. The hack only affected users using the peripheral contract (DebtManager), the protocol is still functioning normally.
Amount of loss: $ 7,300,000 Attack method: Unchecked Input Data
Description of the event: The Zunami Protocol on Ethereum suffered a price manipulation attack and lost 1,179 ETH (approximately $2.2 million). The reason for the incident is that the calculation of LP price in the vulnerable contract depends on the CRV balance of the contract itself and the conversion ratio of CRV in the wETH/CRV pool. The attacker manipulated the LP price by transferring CRV to the contract and manipulating the conversion ratio of the wETH/CRV pool. According to MistTrack analysis, ETH has been transferred to Tornado Cash at present.
Amount of loss: $ 2,200,000 Attack method: Price Manipulation
Description of the event: The DeFi project Earning.Farm suffered a reentrancy attack and lost 286 ETH (approximately $530,000). According to the analysis of SlowMist, the attacker re-enters the transfer function of LP to transfer LP tokens when withdrawing money, making the balance of the account smaller than the previously calculated shares value, triggering the logic of updating the shares value, resulting in the number of manipulated LPs being updated to the desired value. In terms of the value of the burned shares, this resulted in the final amount of LP burned being much smaller than expected, and the user can withdraw the funds in the pool by withdrawing the transferred LP again.
Amount of loss: $ 530,000 Attack method: Reentrancy Attack
Description of the event: Steadefi, an automated yield leveraged strategy platform, tweeted: “Our protocol deployer wallet (which is also the owner of all vaults in the protocol) has been compromised. Attackers have transferred ownership of all vaults (borrows and strategies) to them in a wallet controlled by the user and continue to take various owner-only operations, such as allowing any wallet to be able to borrow any available funds from the lending vault. Currently, all available lending capacity on Arbitrum and Avalanche has been exhausted by the attackers, and the assets have been swapped for ETH and bridged to Ethereum. On-chain messages have been sent to the attacker wallet address for negotiation. Steadefi wants to discuss the bounty with parties involved in the exploit, offering a 10% reward on the stolen funds. " Steadefi has lost approximately $1.158 million in the incident. On August 8, the Steadefi team managed to recover approximately $540,000 in user funds from remaining vaults.
Amount of loss: $ 1,158,000 Attack method: Private Key Leakage
Description of the event: Bitlord (BITLORD) A lot of liquidity has been removed. The deployer removed about 309 WETH from LP, worth about $567,000. The token project is suspected to be a honeypot scam.
Amount of loss: $ 567,000 Attack method: Rug Pull
Description of the event: he Uwerx network was attacked and lost about 174.78 ETH. According to the analysis of SlowMist, the root cause is that when the receiving address is uniswapPoolAddress (0x01), it will burn off 1% more tokens of the transfer amount of the from address, so the attacker uses the skim function of the uniswapv2 pool to consume a large number of WERX tokens, and then calls the sync function to maliciously inflate the price of the token, and then reverses the swap to extract the ETH to gain profit.
Amount of loss: $ 324,000 Attack method: Price Manipulation
Description of the event: InsurAce, a DeFi insurance protocol, tweeted: "Our Discord server experienced a security breach. Our team discovered an unauthorized access to the server earlier today. We take this incident very seriously and are working hard to correct the situation. During this time, please do not interact with the server." According to the analysis of SlowMist, the phishing website is insurance.gift, and PinkDrainer is behind it.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a faulty recursive lock. crvUSD contracts and other fund pools are not affected. As of now, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix's funds in the Curve pool. On August 19, MetronomeDAO stated that a MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.
Amount of loss: $ 25,123,594 Attack method: Affected by Vyper Vulnerability