308 hack event(s)
Description of the event: FriesDAO was attacked and lost about $2.3 million. An attacker gained control of the FriesDAO protocol operator's wallet through the Profanity vanity-address generator vulnerability, which allows the private key of an address generated by the tool to be brute-forced. FriesDAO stated in its official Discord channel that the developers are currently trying to negotiate a white hat bounty with the attacker in exchange for the return of the stolen funds.
Amount of loss: $ 2,300,000 Attack method: Profanity Vulnerability
Description of the event: Team Finance tweeted that the protocol’s managed funds were hacked during the migration from Uniswap v2 to v3, with an identified loss of approximately $14.5 million worth of tokens. On October 31, the Team Finance white hat hacker address returned $13.4 million in digital assets: 548.7 ETH ($860,000) to FEG, 765,000 DAI and 11.8 million TSUKA ($626,000) to Tsuka, about 5 million DAI and 74.6 trillion CAW (~$5.5 million) to CAW, and 209 ETH ($328,000) to KNDX; in addition, smithbot.eth returned 263 billion KNDX ($292,000) to KNDX.
Amount of loss: $ 14,500,000 Attack method: Contract Vulnerability
Description of the event: The redeem() function in OlympusDAO’s BondFixedExpiryTeller contract failed to properly validate its inputs, resulting in a loss of approximately $292,000. The OlympusDAO hacker has since returned the stolen funds to the DAO.
Amount of loss: $ 292,000 Attack method: Contract Vulnerability
Description of the event: The Mango INU (MNGO) project has been confirmed to be an exit scam, and the token price has dropped by more than 80%. The token was deployed by the attackers on Mango Market, and they made a profit of about $48,500.
Amount of loss: $ 48,500 Attack method: Scam
Description of the event: According to Cointelegraph, a vulnerability in the Ethereum Alarm Clock service has been exploited, and the hacker has so far made about $260,000 in profit. According to the analysis, the hacker exploited a flaw in the scheduled-transaction process to profit from the refund of gas fees for cancelled transactions. According to Etherscan transaction history, the hacker has obtained 204 ETH, worth about $259,800. The Ethereum Alarm Clock service allows users to schedule future transactions by specifying in advance the recipient address, the amount to send and the execution time.
Amount of loss: $ 260,000 Attack method: Contract Vulnerability
Description of the event: The EFLeverVault contract of Earning.Farm was attacked twice via flash loans. The first attack was front-run by an MEV bot, causing the contract to lose 480 ETH; the second attacker completed the attack and made a profit of 268 ETH. According to the analysis, the vulnerability is that the contract’s flash loan callback function does not verify the initiator of the flash loan. The attacker can therefore trigger the contract’s flash loan callback logic directly: repay the contract's Aave stETH debt and withdraw the stETH collateral, then exchange the stETH for ETH. The attacker can then call the withdraw function to withdraw the entire ETH balance of the contract.
Amount of loss: 268 ETH Attack method: Flash Loan Attack
Description of the event: The Journey of Awakening (ATK) project suffered a flash loan attack. The attacker targeted the strategy contract of the ATK project (0x96bF2E6CC029363B57Ffa5984b943f825D333614) with a flash loan and obtained a large amount of ATK tokens from the contract. The attacker exchanged all of the obtained ATK tokens for approximately $120,000 in BSC-USD; the stolen funds are currently being exchanged for BNB and transferred in full to Tornado Cash.
Amount of loss: $ 120,000 Attack method: Flash Loan Attack
Description of the event: The TempleDAO project was hacked, with approximately $2.36 million involved. According to the analysis of the SlowMist security team, the migrateStake function did not validate the oldStaking address, so the attacker could supply a forged oldStaking contract and add to their balance arbitrarily.
Amount of loss: $ 2,360,000 Attack method: Contract Vulnerability
Description of the event: The Xave Finance project was hacked, resulting in a 1000x increase in RNBW issuance. The attack transaction is 0xc18ec2eb7d41638d9982281e766945d0428aaeda6211b4ccb6626ea7cff31f4a. The attacker first created the attack contract 0xe167cdaac8718b90c03cf2cb75dc976e24ee86d3. The attack contract then called the executeProposalWithIndex() function of the DaoModule contract 0x8f90 to execute a proposal whose content was to call the mint() function to mint 100,000,000,000,000 RNBW and transfer ownership to the attacker. Finally, the hacker exchanged the RNBW for xRNBW, which was stored at the attacker's address (0x0f44f3489D17e42ab13A6beb76E57813081fc1E2).
Amount of loss: $ 635 Attack method: Contract Vulnerability
Description of the event: Bitcoin DeFi application Sovryn tweeted that it had found a vulnerability affecting its lending pool and had been attacked. The attacker used the deprecated lending protocol to withdraw 44.93 RBTC and 211,045 USDT. After the developers detected the attack, the system entered maintenance mode. Half of the funds will be recovered, and any remaining losses will be fully compensated by the treasury. A plan to restore system functionality and publish a post-mortem analysis will follow.
Amount of loss: 44.93 RBTC + 211,045 USDT Attack method: Price Manipulation
Description of the event: @EvgenyGaevoy, founder and CEO of crypto market maker Wintermute, tweeted that Wintermute lost $160 million in a DeFi hacking attack. Wintermute had used Profanity to create a wallet in order to optimize fees. Funds from the old address were transferred, but due to an internal (human) error the wrong function was called, and the funds were attacked.
Amount of loss: $ 160,000,000 Attack method: Operational Mistake
Description of the event: The GERA token was compromised due to a private key leak. The hackers transferred ownership of the GERA token smart contract deployer to another address, 0x510E4d61663bE6a24D600AaF90F892dd8c8C61dC.
Amount of loss: $ 1,480,000 Attack method: Private Key Leakage
Description of the event: Decentralized liquidity protocol Kyber Network disclosed on Twitter that its users lost $265,000 in funds due to a front-end exploit. The vulnerability stemmed from malicious Google Tag Manager code on the KyberSwap website; the attackers targeted whale wallets and gained permission to transfer user funds by inserting fake approvals.
Amount of loss: $ 265,000 Attack method: Malicious Code Injection Attack
Description of the event: Sudorare, a Sudoswap clone, is suspected of a Rug Pull. The LOOKS, WETH and XMON tokens in the contract address were transferred to an address beginning with 0xbb42 (0xbb42f789b39af41b796f6C28D4c4aa5aCE389d8A) and then sold for ETH on Uniswap, for a total profit of about 519.5 ETH (about 800,000 US dollars). The Sudorare website and Twitter account are now inaccessible. According to the analysis, the initial deployment funds came from the exchange Kraken.
Amount of loss: 519.5 ETH Attack method: Rug Pull
Description of the event: The Bribe Protocol promised a DAO infrastructure tool where "token holders get paid to govern", and raised $5.5 million in funding in January to work on its extensive roadmap. However, the project leaders have effectively disappeared: there have been no posts on the project's Twitter account since May, and its Medium page has been untouched since March.
Amount of loss: $ 5,500,000 Attack method: Scam
Description of the event: The Curve Finance front end was compromised, prompting users to grant token approvals to malicious smart contracts. The attackers moved the stolen funds to FixedFloat and Tornado Cash, with at least 362 ETH (~$620,000) stolen. FixedFloat tweeted that it had frozen 112 of the stolen ETH (~$192,000).
Amount of loss: $ 428,000 Attack method: Malicious Code Injection Attack
Description of the event: An official incident report from Impermax Finance stated that a hacker was able to steal approximately 9M IMX from several wallets controlled by the team. The IMX was not sold immediately after the theft, so the team decided to get ahead of the hacker by selling a large amount of tokens on the market before the hacker acted. The Impermax lending protocol itself was not affected, since the attack resulted from stolen private keys rather than a bug in the smart contracts.
Amount of loss: 9,000,000 IMX Attack method: Private Key Leakage
Description of the event: The staking platform Freeway tweeted: “The price of its token FWT fluctuated violently on July 13 and is currently under investigation. Freeway’s blockchain bridging service provider Coffe was attacked, and a large number of FWT tokens were bridged from Coffe. The Freeway platform was not compromised in any way, nor was Supercharger. However, Freeway has temporarily disabled FWT withdrawals, deposits, and purchases on the platform.” Crypto influencer FatManTerra claimed on Twitter that the project is running a "Ponzi scheme", because large withdrawals were "delayed" even before they were stopped. He refers to the stopping of withdrawals as income of more than $100 million. FatManTerra states that the project has removed its team biographies. In an October 22 Twitter post, FatManTerra said Freeway's chief executive had made false statements about his background, which were removed from the site after FatManTerra confronted him.
Amount of loss: - Attack method: Rug Pull
Description of the event: More than 70,000 addresses connected to Uniswap were airdropped tokens that tricked users into approving transactions that would allow attackers to control their wallets. The airdrop linked users to a phishing site resembling the real Uniswap site. Users were tricked into signing approvals, and cryptocurrencies and NFTs were stolen from their wallets. One wallet lost more than $6.5 million worth of ether and bitcoin, and another lost about $1.68 million worth of cryptocurrency.
Amount of loss: $ 12,900,000 Attack method: Phishing attack
Description of the event: BIFROST officially released a report stating that the BTC address registration server of the BiFi service was attacked. According to the analysis, the attack was limited to the BTC address registration server; no vulnerability was found in the smart contracts or the BiFi protocol. BiFi issues an address for each user who deposits BTC. Deposit addresses are signed and delivered by the address issuing server, and an address is reflected on BiFi only when its signature is verified. In the attack, the server key of the address issuing server was exposed, so the attacker was able to sign their own deposit address. Because the attacker could generate a valid signature for the deposit address, BiFi mistakenly recognized the attacker’s BTC transfer as a BTC deposit into BiFi. As a result, the attacker was able to borrow 1,852 ETH against a fake deposit.
Amount of loss: 1,852 ETH Attack method: Private Key Leakage