308 hack event(s)
Description of the event: Hakuna Matata ($HAKUNA) Rugged. The scammer initially obtained 2.76 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T HAKUNA for 17 ETH ($31,683.11), and mortgaged 13.5 ETH to Lido.
Amount of loss: $ 31,683.11 Attack method: Rug Pull
Description of the event: FTX ($HIS) Rugged. The scammer initially obtained 2.76 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T HIS for 13 ETH ($24,568.11), and mortgaged 11.5 ETH to Lido.
Amount of loss: $ 24,568.11 Attack method: Rug Pull
Description of the event: Freddie ($FREDDIE) has Rugged. The scammer initially obtained 2.96 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T FREDDIE for 28 ETH ($52,344.4), and mortgaged 22.5 ETH to Lido.
Amount of loss: $ 52,344.4 Attack method: Rug Pull
Description of the event: Derpman ($DMAN) Rugged. The scammer initially obtained 4 ETH from Binance, added 3 ETH to liquidity, then exchanged 1,200T DMAN for 48.55 ETH ($89,611.09), and transferred these ETHs to 0x4d1f…915.
Amount of loss: $ 89,611.09 Attack method: Rug Pull
Description of the event: GeniusMeme ($GNS) has Rugged 33.6 ETH($62,180.81). The scammer initially received 4 ETH from Binance and added 3 ETH to liquidity.
Amount of loss: $ 62,180.81 Attack method: Rug Pull
Description of the event: Pepega ($PEPG) has Rugged 30 ETH ($55,609.2). The scammer initially received 3.58 ETH from Binance and added 2.8 ETH to liquidity.
Amount of loss: $ 55,609.2 Attack method: Rug Pull
Description of the event: MChainCapital suffered a flash loan attack and lost about $18,871. TX: https://etherscan.io/tx/0xf72f1d10fc6923f87279ce6c0aef46e372c6652a696f280b0465a301a92f2e26
Amount of loss: $ 18,871 Attack method: Flash Loan Attack
Description of the event: YODA coin project happened Rug Pull, YODA token price fell 100%, @yodacoineth_ has deleted his social account/group. Scammers have transferred 68 ETH (~$130,000) to FixedFloat.
Amount of loss: $ 130,000 Attack method: Rug Pull
Description of the event: A Rug Pull on the meme coin project WSB Coin, again involving an address on-chain marked “ZJZ.eth,” dumped most of the WSB team’s supply for $635,000 (334 ETH).
Amount of loss: $ 635,000 Attack method: Rug Pull
Description of the event: Ordinals Finance has been identified as an exit scam project that caused $1 million in losses. The deployer withdraws OFI tokens from the OEBStaking contract, exchanges them for ETH and transfers them to the EOA address (0x34e...25cCF), which in turn transfers 550 ETH (approximately $1 million) to Tornado Cash. All social media accounts and websites of the project have been deleted.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: KyberSwap, a DEX aggregator and liquidity platform, tweeted that they discovered a potential loophole in KyberSwap Elastic, and hoped that liquidity providers could extract liquidity as soon as possible. No user assets have been lost so far.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Zksync era mainnet SyncDex project has exited with a rugpull, resulting in over $370,000 USD in losses.
Amount of loss: $370,000 Attack method: Rug Pull
Description of the event: The decentralized revenue aggregation platform Yearn Finance was attacked, and the hackers made more than $10 million in profits. According to the analysis of SlowMist, the reason for this attack is that the attacker used the yUSDT contract to set the fulcrum address by mistake, thereby manipulating the stablecoin reserve balance in the yUSDT contract, and depositing USDT in yUSDT to obtain a large amount of unexpected yUSDT Tokens for profit.
Amount of loss: $ 10,000,000 Attack method: Contract Vulnerability
Description of the event: SUSHI RouteProcessor2 was attacked and lost about 1800 ETH, about $3.34 million. According to the analysis of SlowMist, the root cause is that ProcessRoute does not perform any checks on the route parameters passed in by the user, which leads the attacker to use this problem to construct a malicious route parameter so that the Pool read by the contract is created by the attacker. On April 19, SushiSwap released a postmortem analysis report stating that due to 18 replayed transactions, the 1,800 WETH initially depleted from the first user’s wallet ended up in multiple wallets. A total of 885 ETH have been refunded so far. Of these, approximately 685 ETH were sent to Sushi core contributors to operate the multisig, 190 ETH were sent to affected users, and 10 ETH were sent to the Sushi rescue contract.
Amount of loss: $ 3,340,000 Attack method: Unchecked Input Data
Description of the event: According to official news, the zkSync team announced the cause of the downtime on Twitter. Block generation stopped due to a block queue database failure. Despite this, the server API was not affected. Transactions continue to be added to the mempool, and queries are served normally. Although all components had comprehensive monitoring, logging, and alerting, no alerts were triggered because the API was functioning properly.
Amount of loss: - Attack method: Downtime
Description of the event: Kokomo Finance conducted an exit scam and stole ~$4 million in user funds.
Amount of loss: $ 4,000,000 Attack method: Rug Pull
Description of the event: EC token deployer addresses withdrew approximately $43,800 from the liquidity pool.
Amount of loss: $ 43,800 Attack method: Rug Pull
Description of the event: Defunct Swerve Finance still subject of $1.3 million live governance hack
Amount of loss: $ 1,300,000 Attack method: Governance Attack
Description of the event: Indexed Finance's ORCL5 Token contract was attacked by a flash loan and lost $9,925. Root cause preliminary analysis is that "calcSingleOutGivenPoolIn()" calculates wrong value of tokenAmountOut.
Amount of loss: $ 9,925 Attack method: Flash Loan Attack
Description of the event: Poolz Finance's LockedDeal contract was hacked and lost about $500,000. The attacker called the vulnerable function CreateMassPools in the LockedDeal contract, and triggered an integer overflow vulnerability in the parameter _StartAmount. In addition to obtaining a large number of poolz tokens, the attacker also obtained other tokens.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability