312 hack event(s)
Description of the event: Bitlord (BITLORD) A lot of liquidity has been removed. The deployer removed about 309 WETH from LP, worth about $567,000. The token project is suspected to be a honeypot scam.
Amount of loss: $ 567,000 Attack method: Rug Pull
Description of the event: he Uwerx network was attacked and lost about 174.78 ETH. According to the analysis of SlowMist, the root cause is that when the receiving address is uniswapPoolAddress (0x01), it will burn off 1% more tokens of the transfer amount of the from address, so the attacker uses the skim function of the uniswapv2 pool to consume a large number of WERX tokens, and then calls the sync function to maliciously inflate the price of the token, and then reverses the swap to extract the ETH to gain profit.
Amount of loss: $ 324,000 Attack method: Price Manipulation
Description of the event: InsurAce, a DeFi insurance protocol, tweeted: "Our Discord server experienced a security breach. Our team discovered an unauthorized access to the server earlier today. We take this incident very seriously and are working hard to correct the situation. During this time, please do not interact with the server." According to the analysis of SlowMist, the phishing website is insurance.gift, and PinkDrainer is behind it.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a faulty recursive lock. crvUSD contracts and other fund pools are not affected. As of now, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix's funds in the Curve pool. On August 19, MetronomeDAO stated that a MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.
Amount of loss: $ 25,123,594 Attack method: Affected by Vyper Vulnerability
Description of the event: DeFi lending protocol Alchemix said on Twitter that after receiving notification from Curve Finance that the altH/ETH pool was attacked due to a Vyper bug, Alchemix quickly began removing AMO-controlled liquidity from the Curve pool through the AMO contract. The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been compromised in any way and funds are safe. executed on the contract. Three transactions are required: unstake LP tokens from Convex, withdraw alETH from Curve pool, and withdraw ETH from Curve pool. The first transaction above has been executed, and after the second transaction is executed, 8000 ETH is removed from the Curve pool. This means that there is still about 5,000 ETH liquidity controlled by AMO in the Curve pool. In the process of removing the remaining liquidity, the alETH/ETH Curve pool was drained by the attacker. Currently, the alETH reserve has lost about 5,000 ETH. On September 4th, Alchemix issued a document stating that a white hat MEV robot operator has returned 43.3 ETH profits obtained through arbitrage from the Curve alETH/ETH pool attack incident, which will be added to the redistribution of funds.
Amount of loss: $ 35,315,843 Attack method: Affected by Vyper Vulnerability
Description of the event: On August 6, the Ethereum compiler Vyper released an analysis report on last week's vulnerability incidents: Prior to July 30, due to potential vulnerabilities in the Vyper compiler, multiple Curve liquidity pools were exploited. While the bug was identified and patched, the impact on protocols using the vulnerable compiler was not recognized at the time, nor were they explicitly notified. The vulnerability itself is an improperly implemented reentrancy prevention, and the affected Vype versions are v0.2.15, v0.2.16, v0.3.0. Vulnerability fixed and tested in v0.3.1, v0.3.1 and later are safe.
Amount of loss: - Attack method: Compiler Bug
Description of the event: This second attack was unrelated to the ETH Omnipool's re-entrancy exploit. The attacker was able to realize a profit of approximately $300k by exploiting the crvUSD Omnipool. We will share more updates as we continue to investigate.
Amount of loss: $ 300,000 Attack method: Flash Loan Attack
Description of the event: On July 21, Conic Finance ’s ETH omnipool was hit by a series of small hacks that cost around $3.2 million. Conic Finance issued an update on the attack, saying, “The root cause of the attack is due to an incorrect assumption about the address returned by the ETH’s Curve meta-registry in the Curve V2 pool, which enables reentrancy attacks and is deploying fixes for the affected contracts.
Amount of loss: $ 3,200,000 Attack method: Reentrancy Attack
Description of the event: Ethscriptions.com was hacked, and about 123 individual addresses lost a total of about 202 Ethscriptions. In terms of value, it is unclear how much the attack caused. Based on the current lowest price of $14, the loss is at least $2,828. Ethscriptions creator Tom Lehman stated that this is not a vulnerability in the Ethscriptions protocol. This is a vulnerability in a specific smart contract (0x3ca843b98a2fe8ef69bb0f169afad3812c275f5e). The protocol itself and other applications running on it are not affected in any way. Meanwhile, Lehman claimed responsibility for the attack, explaining that the vulnerability can be traced back to a smart contract he and Indelible Labs co-founder Michael Hirsch created. It is reported that a small piece of code included in it allows people to withdraw Ethscriptions that do not belong to them from the market. Lehman also said that the Ethscriptions.com marketplace will be relaunched and that he has been in touch with many users affected by the bug.
Amount of loss: $ 2,828 Attack method: Contract Vulnerability
Description of the event: Arcadia Finance has been attacked on Ethereum and Optimism, with total profits of $400K. The root cause is that in function vaultManagementAction, the attacker can first transfer all the asset to his own controlled contract and re-entry the function liquidateVault to liquidiate the vault. In this case, the global variable "isTrustedCreditorSet" will be set as false and the Collateral check can be bypassed.
Amount of loss: $ 455,000 Attack method: Contract Vulnerability
Description of the event: CivFund's ETH contract was attacked and lost $180,000. The attacker calls uniswapV3MintCallback to transfer funds approved by other users. Please revoke approval for the contract under attack as soon as possible.
Amount of loss: $ 180,000 Attack method: Contract Vulnerability
Description of the event: Mike Wazowski Monsters Inc $MIKE and Sid Ice Age $SID on the Ethereum chain have been rugged via a backdoor function that allows unlimited minting of tokens. The scammer has profited 87.9 $ETH, equivalent to about $171,000.
Amount of loss: $ 171,000 Attack method: Contract Vulnerability
Description of the event: The Smurfs Coin project is an exit scam, and the contract deployer sold the tokens on June 13 and removed a total of 227 ETH (approximately $423,000) of liquidity. The contract address is ETH: 0x5F250ed62CF3E5cF25F4F370d35D04782b0678a3, not to be confused with a project with a similar name.
Amount of loss: $ 423,000 Attack method: Rug Pull
Description of the event: Themis, a cryptographic lending protocol, has been subject to a prophecy machine manipulation attack, and the attackers have stolen approximately $370,000. The hack is due to a flawed oracle, exploited to inflate the B-wstETH-WETH-Stable-gauge price. Specifically, the deposit of 54.6 B-wstETH-WETH-Stable-gauge (obtained by joining the balancer pool w/ 55 WETH) is able to borrow 317 WETH, basically draining the lending funds.
Amount of loss: $ 370,000 Attack method: Oracle Attack
Description of the event: The project named "IPO" (Twitter handle @IPO_web3) is suspected to have suffered a Rug Pull, losing around 102,000 BSC-USD, the project's tokens are down 32%, and the stolen funds are now located in addresses beginning with 0x35fe.
Amount of loss: $ 102,000 Attack method: Rug Pull
Description of the event: DEP/USDT and LEV/USDC pools were stolen with 105,800 stablecoins worth (36,000 USDC and 69,960,000 USDT), and the attackers initially received 1 ETH of initial funding from Tornado Cash.
Amount of loss: $ 105,800 Attack method: Unknown
Description of the event: The DeFi lending protocol Sturdy is suspected to have been hacked, and information on the chain suggests that the attack may have been carried out through price manipulation. The attackers have transferred 442.6 ETH to Tornado Cash.
Amount of loss: $ 770,000 Attack method: Price Manipulation
Description of the event: The LSDFi protocol unshETH stated that at around 22:00 on May 31, one of the deployment private keys of the unshETH contract was leaked. For the sake of caution, the official has urgently suspended the withdrawal of unshETH's ETH. According to the security model, unshETH's ETH deposit (TVL up to 35 million US dollars) is protected by multi-signature + time lock and is not at risk.
Amount of loss: $ 375,000 Attack method: Private Key Leakage
Description of the event: On-chain detective ZachXBT tweeted that a Rug Pull occurred on Pixel Penguin, a charity project created by Hopeexist1, which claimed to raise funds to help him fight cancer. At present, the social accounts of Hopeexist1 and Pixel Penguin have been deleted, and the Pixel Penguin contract is worth only $117,000 (61.686 ETH).
Amount of loss: $ 117,000 Attack method: Rug Pull
Description of the event: Twitter user @ChrisONCT cited on-chain data to expose a suspected scam Meme coin project Waifu AI World (WFAI). The token economics announced by the project stated that 95% of the supply was allocated to LPs. However, shortly after WFAI went online, 4 new wallets spent a total of 14.4 ETH in four transactions to purchase 647 trillion WFAI, accounting for approximately 83.2% of supply (777 trillion). At present, the project party has blacklisted the wallets that purchased 457 trillion WFAI, and now the total supply of WFAI is 320 trillion, which means that 190 trillion tokens are held by insiders, accounting for 60% of the total token supply. And DWF Labs spent about 20 ETH to purchase 624.9 billion WFAI yesterday afternoon; DEXTools trust score changed from extremely low to extremely high within a few hours.
Amount of loss: - Attack method: Scam