414 hack event(s)
Description of the event: Decentralized lending protocol Prisma Finance was hacked, with a loss of approximately 3,257.7 ETH (equivalent to around $11.6 million USD). The protocol has currently been suspended for investigation. Officials remind vault owners to disable authorization for related LST and LRT contract delegations.
Amount of loss: $ 11,600,000 Attack method: Contract Vulnerability
Description of the event: The RWA infrastructure of the Curio Ecosystem suffered an attack, involving smart contracts based on MakerDAO within its ecosystem. The attacker exploited a permission access logic vulnerability.
Amount of loss: $ 16,000,000 Attack method: Contract Vulnerability
Description of the event: The hackers gained access to AirDAO LP through a social engineering scam and drained the liquidity pool of AMB/ETH. The scam involved an email with a malicious attachment, impersonating one of their known partners. In total, the hackers stole 41,612,782.10627101 AMB and 126.5 ETH.
Amount of loss: $ 1,050,000 Attack method: Social Engineering
Description of the event: The AI service provider Cloud AI reported that both their deployer and treasury accounts have been compromised by hackers. The attackers acquired 58,900 CloudAI tokens and some ETH. All CloudAI tokens have been exchanged for ETH. The total loss is approximately $360,000.
Amount of loss: $ 360,000 Attack method: Unknown
Description of the event: The Twitter account of Web3 chat solution beoble has been compromised, with phishing links being posted. Please refrain from clicking on any links until further notice is provided by the official team.
Amount of loss: - Attack method: Account Compromise
Description of the event: The Unizen DeFi platform lost around $2.1 million in the Tether stablecoin in an attack that took advantage of a vulnerability in an external call from the project's smart contract. On March 12th, Unizen's CTO Martin Granström tweeted that they had recovered $185,000 worth of stolen funds from four hackers.
Amount of loss: $ 2,100,000 Attack method: Contract Vulnerability
Description of the event: HumanizedAi (HMZ) is suspected of an exit scam, with the project team profiting 173 ETH (approximately $665,000). The project's Twitter account and website have been shut down.
Amount of loss: $ 665,000 Attack method: Rug Pull
Description of the event: The decentralized cross-chain protocol Shido Network on the Ethereum blockchain appears to be a rug pull. The owner of the SHIDO token staking contract first upgraded the staking contract, then withdrew a large amount of SHIDO tokens, and finally dumped a significant amount of SHIDO tokens for 692 ETH (worth $2.1 million).
Amount of loss: $ 2,100,000 Attack method: Rug Pull
Description of the event: On February 28th, a vulnerability was discovered in the contract of Seneca, an omnichain CDP protocol on the Ethereum network. Hackers used crafted calldata parameters to call transferFrom, transferring tokens that users had authorized to the project contract to their own address and ultimately exchanging them for ETH. Seneca was exploited by hackers for over 1900 ETH, valued at approximately $6.5 million. On February 29th, the hacker address of SenecaUSD returned 1537 ETH (approximately $5.3 million) to the deployer address of Seneca.
Amount of loss: $ 6,500,000 Attack method: Contract Vulnerability
Description of the event: RiskOnBlast, a gambling and trading platform on the new Ethereum layer-2 Blast blockchain, appears to be a rug pull. On February 25, the platform drained more than 420 ETH (~$1.3 million) from more than 750 user wallets on their platform.
Amount of loss: $ 1,300,000 Attack method: Rug Pull
Description of the event: ZoomerCoin on Ethereum suffered a flash loan attack, resulting in a loss of 14.06 ETH (~ $41k).
Amount of loss: $ 41,000 Attack method: Flash Loan Attack
Description of the event: On the evening of February 23rd, UNI experienced a sudden price surge, and Compound failed to update UNI's price promptly. As a result, the protocol used an incorrect price provided by Uniswap's TWAP (Time-Weighted Average Price). This allowed users to borrow UNI using collateral with a lower value than UNI's actual price, leading to $660,000 in bad debt.
Amount of loss: $ 660,000 Attack method: Security Vulnerability
Description of the event: DeFi leverage project Blueberry Protocol was exploited for approximately $1.35 million. However, the attack was intercepted by a white hat, c0ffeebabe.eth. 366 ETH has already been returned to Blueberry. The vulnerability stemmed from the incorrect handling of decimals by the lending contract. This attack occurred due to a faulty oracle deployment.
Amount of loss: $ 1,350,000 Attack method: Oracle Misconfiguration
Description of the event: The official Twitter account of ARPA, a permissionless threshold network based on the BLS signature scheme, has been compromised, and false token claiming links have been posted.
Amount of loss: - Attack method: Account Compromise
Description of the event: The ERC-X protocol Miner (MINER) has been attacked; please do not interact. According to the Miner team's analysis, the _update function of the contract was exploited. The root cause of this exploit is a double-transfer vulnerability caused by a lack of input validation.
Amount of loss: $ 466,000 Attack method: Contract Vulnerability
Description of the event: The blockchain gaming platform PlayDapp was hacked, with the attacker's address being added as a minter, minting 200 million PLA tokens (valued at $36.5 million). Shortly after the incident, PlayDapp sent a message to the attacker through on-chain transactions, requesting the return of the stolen funds and offering a $1 million bug bounty reward, but negotiations ultimately failed. On February 12, the hacker minted an additional 1.59 billion PLA tokens, valued at $253.9 million, and began transferring them through cryptocurrency trading platforms. On February 13, PlayDapp announced on Twitter that the PLA smart contract had been paused, while also advising users to cease trading for migration snapshots and stating that every effort is being made to protect holders' assets.
Amount of loss: $ 290,000,000 Attack method: Private Key Leakage
Description of the event: The Not Found (404) project on ETH is suspected of an exit scam, with losses of approximately $156,000, as the deployer withdrew a large amount of liquidity.
Amount of loss: $ 156,000 Attack method: Rug Pull
Description of the event: The DeFi protocol Abracadabra Money (MIM_Spell) has fallen victim to an attack, resulting in approximately $6.5 million in losses. Following the attack, Abracadabra.Money (MIM_Spell) provided an update on the situation via Twitter, stating that their technical team identified the vulnerability. Preliminary findings indicate the exploit targeted specific Cauldrons V3 & V4, allowing unauthorized MIM borrowing. They’ve mitigated the issue by setting borrowing limits to zero for these cauldrons.
Amount of loss: $ 6,500,000 Attack method: Contract Vulnerability
Description of the event: Barley Finance tweeted that there has been an attack exploiting a vulnerability in the wBARL pod. The team is working on resolving the issue. Details are as follows: 1. The exploiter took more than 10% of the total BARL supply in the pod, of which about 9% was the development team's collateral, used from Marketing and Dev allocations. Therefore, the damage to users is insignificant. 2. The solution is to change the wBARL pod contract to remove the functions that cause the exploit.
Amount of loss: $ 130,000 Attack method: Contract Vulnerability
Description of the event: Bullran Index was attacked due to a lack of permission control. An MEV bot was able to burn the BUI tokens that a user deposited into a custom safe contract and exploit the lack of permission control to extract 136 ETH.
Amount of loss: $ 310,000 Attack method: Contract Vulnerability