302 hack event(s)
Description of the event: The treasure swap project was attacked. Using only 0.000000000000000001 WETH (1 wei), the attacker swapped out all of the WETH in the liquidity pool. Reverse engineering of the source code showed that the swap function of the attacked contract lacked the K-value check. So far the attacker has attacked the two contracts 0xe26e436084348edc0d5c7244903dd2cd2c560f88 and 0x96f6eb307dcb0225474adf7ed3af58d079a65ec9, for an accumulated profit of 3,945 BNB.
Amount of loss: 3,945 BNB Attack method: K-value Verification Vulnerability
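The following is an added Python model of a constant-product pair, written for this page and not taken from the affected project. It shows what the K-value check does: after a swap, the fee-adjusted product of the pair's balances must not be smaller than the product of its reserves before the trade (the same rule UniswapV2Pair.swap() enforces). With the check disabled, a caller who pays 1 wei of WETH and asks for almost all of the pool's WETH gets it; with the check enabled the same call reverts with "K". The pool sizes and the 0.3% fee are assumptions chosen for the example.

```python
WEI = 10**18


class ConstantProductPair:
    """Minimal model of a Uniswap-V2-style pair holding WETH (token0) and one other token (token1)."""

    def __init__(self, reserve0, reserve1, enforce_k=True):
        self.reserve0 = reserve0      # WETH reserve, in wei
        self.reserve1 = reserve1      # token1 reserve, in its smallest unit
        self.enforce_k = enforce_k    # False reproduces the missing K check

    def swap(self, amount0_in, amount1_in, amount0_out, amount1_out):
        """Caller has already sent the inputs; it names the outputs it wants."""
        if amount0_out == 0 and amount1_out == 0:
            raise ValueError("INSUFFICIENT_OUTPUT_AMOUNT")
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise ValueError("INSUFFICIENT_LIQUIDITY")
        # Balances after paying the outputs optimistically and counting what came in.
        balance0 = self.reserve0 + amount0_in - amount0_out
        balance1 = self.reserve1 + amount1_in - amount1_out
        if self.enforce_k:
            # Fee-adjusted invariant: after charging 0.3% on the inputs, the product
            # of the balances must not be below the product of the old reserves.
            adjusted0 = balance0 * 1000 - amount0_in * 3
            adjusted1 = balance1 * 1000 - amount1_in * 3
            if adjusted0 * adjusted1 < self.reserve0 * self.reserve1 * 1000**2:
                raise ValueError("K")
        self.reserve0, self.reserve1 = balance0, balance1
        return amount0_out, amount1_out


def get_amount_out(amount_in, reserve_in, reserve_out):
    """Router-side quote: the most an honest trader can take without violating K."""
    amount_in_with_fee = amount_in * 997
    return amount_in_with_fee * reserve_out // (reserve_in * 1000 + amount_in_with_fee)


def new_pool(enforce_k):
    # Constructed sample pool (assumption): 100 WETH against 1,000,000 tokens, both 18 decimals.
    return ConstantProductPair(100 * WEI, 1_000_000 * WEI, enforce_k)


def honest_swap(enforce_k=True):
    """Sell 1 WETH for tokens at the quoted price; this passes the K check."""
    pair = new_pool(enforce_k)
    amount_in = 1 * WEI
    out = get_amount_out(amount_in, pair.reserve0, pair.reserve1)
    pair.swap(amount_in, 0, 0, out)
    return out, pair.reserve0, pair.reserve1


def drain_attempt(enforce_k):
    """The pattern from the event: pay 1 wei of WETH, ask for nearly all of the pool's WETH."""
    pair = new_pool(enforce_k)
    try:
        got, _ = pair.swap(1, 0, pair.reserve0 - 1, 0)
        return "drained", got
    except ValueError as err:
        return "reverted", str(err)


if __name__ == "__main__":
    print(drain_attempt(enforce_k=False))   # drained: all but 1 wei of the pool's WETH
    print(drain_attempt(enforce_k=True))    # reverted with "K"
```

The output check is cheap because the pair only has to compare two products; the quote in get_amount_out is derived from the same inequality, which is why an honest trade at the quoted price always passes and any trade that takes more than the quote always fails.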
Description of the event: The ApolloX project was attacked due to a flaw in its signature system. The attacker used the flaw to generate 255 signatures and extracted a total of 53,946,802 $APX from the contract, worth about $1.6 million.
Amount of loss: $ 1,600,000 Attack method: Signature system flaws
Description of the event: Equalizer Finance suffered flash loan attacks on four chains: Ethereum, BSC, Polygon and Optimism. The main cause of the attack is that the FlashLoanProvider contract of the Equalizer Finance protocol is not compatible with the Vault contract. According to the team, funds on Ethereum and BSC have been recovered, but funds on Optimism and Polygon remain unaccounted for.
Amount of loss: $ 50,000 Attack method: Compatibility Issue
Description of the event: The multi-chain DeFi protocol FEG was attacked again. The flash loan attack on the BNB chain lost about $1.3 million in assets, and a subsequent flash loan attack on Ethereum caused a further loss of about $590,000, for a total loss of about $1.9 million in assets. This attack is similar to yesterday's attack and is caused by a vulnerability in the "swapToSwap()" function. The function uses the user-supplied "path" parameter as a trusted address without screening or validating it, and it grants that unverified "path" address permission to spend the current contract's assets. Therefore, by calling "depositInternal()" and "swapToSwap()", the attacker obtains permission to spend the contract's assets and drains them.
Amount of loss: $ 1,900,000 Attack method: Flash Loan Attack
Description of the event: The GOAT project claimed to be "the new standard in cryptocurrencies", but one of the project's developers abruptly sold off their holdings, taking $260,000 with them, and the token price fell to nearly $0.
Amount of loss: $ 260,000 Attack method: Rug Pull
Description of the event: In April, attackers exploited a vulnerability to steal $80 million from Rari Capital, and the asset management project Babylon Finance, whose main lending pool was on Rari, lost $3.4 million as a result. On Aug. 31, Babylon Finance founder Ramon Recuero published a blog post announcing that Babylon would be shutting down and pledging to distribute the remaining project funds to holders.
Amount of loss: $ 3,400,000 Attack method: Affected by the Rari Capital vulnerability
Description of the event: Fei Protocol officially tweeted that it had noticed multiple exploits of Rari Capital's Fuse pools, had identified the root cause, and had suspended all lending to prevent further losses. It also offered the hackers a bounty of 10 million US dollars if they return user funds. According to earlier reports, Fei Protocol was attacked and the loss exceeded 28,380 ETH, about 80.34 million US dollars. The attacker's address was 0x6162759eDAd730152F0dF8115c698a42E666157F. The Rari Capital pool was attacked through a classic reentrancy vulnerability: its exitMarket function has no reentrancy protection.
Amount of loss: $ 80,000,000 Attack method: Reentrancy Attack
Description of the event: DeFi protocol Saddle Finance was attacked, causing the protocol to lose more than $10 million.
Amount of loss: $ 10,000,000 Attack method: Flash Loan Attack
Description of the event: The flash loan attack on the Ethereum-based algorithmic stablecoin project Beanstalk Farms caused a protocol loss of about 182 million US dollars. The specific assets include 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN and 0.54 UNI-V2_WETH_BEAN. The attackers made over $80 million, including about 24,830 ETH and 36 million BEAN. The main cause of the attack is that there was no time interval between the voting on a proposal and its execution, so the attacker could execute a malicious proposal immediately after completing the vote, without any community review.
Amount of loss: $ 182,000,000 Attack method: Flash loan attack
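The following is an added Python model, written for this page and not the project's own code, of the governance failure described above. A flash loan lends voting tokens for the duration of one transaction; if a proposal can be executed in the same block in which it was voted on, the borrowed balance is enough to propose, pass and execute a treasury transfer before the loan is repaid. A delay between the vote and execution defeats the same transaction, because the loan must be repaid before the delay elapses and the proposal sits visible during the wait. Account names, balances, the quorum and the delay length are assumptions chosen for the example.

```python
class GovernanceError(Exception):
    pass


class Chain:
    def __init__(self, block):
        self.block = block


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, frm, to, amount):
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class FlashLoanPool:
    """Lends tokens for one transaction; the callback must leave them repayable."""

    def __init__(self, token, owner):
        self.token, self.owner = token, owner

    def flash_loan(self, borrower, amount, callback):
        self.token.transfer(self.owner, borrower, amount)
        callback()                      # an exception here reverts the whole transaction
        self.token.transfer(borrower, self.owner, amount)


class Governor:
    def __init__(self, token, chain, quorum, delay_blocks):
        self.token, self.chain = token, chain
        self.quorum = quorum
        self.delay_blocks = delay_blocks  # 0 reproduces "execute right after voting"
        self.proposals = {}

    def propose(self, proposer, recipient, amount):
        pid = len(self.proposals) + 1
        self.proposals[pid] = {"proposer": proposer, "recipient": recipient, "amount": amount,
                               "votes": 0, "created": self.chain.block, "executed": False}
        return pid

    def vote(self, pid, voter):
        # Weight is the voter's current balance, which is exactly what a flash loan inflates.
        self.proposals[pid]["votes"] += self.token.balances.get(voter, 0)

    def execute(self, pid):
        p = self.proposals[pid]
        if p["executed"]:
            raise GovernanceError("already executed")
        if p["votes"] < self.quorum:
            raise GovernanceError("quorum not reached")
        if self.chain.block < p["created"] + self.delay_blocks:
            raise GovernanceError("timelock: cannot execute before block %d"
                                  % (p["created"] + self.delay_blocks))
        p["executed"] = True
        self.token.transfer("dao", p["recipient"], p["amount"])   # "dao" holds the treasury


def simulate(delay_blocks):
    """Run the flash-loan governance attack; returns what the attacker ends up with."""
    chain = Chain(block=1000)
    # Constructed balances (assumption): a lender with 1,000,000 tokens, a DAO treasury of 5,000,000.
    token = Token({"lender": 1_000_000, "community": 400_000, "dao": 5_000_000})
    gov = Governor(token, chain, quorum=500_000, delay_blocks=delay_blocks)
    pool = FlashLoanPool(token, "lender")

    def attack():
        pid = gov.propose("attacker", recipient="attacker", amount=token.balances["dao"])
        gov.vote(pid, "attacker")   # 1,000,000 borrowed votes clear the 500,000 quorum
        gov.execute(pid)            # same block as the vote

    try:
        pool.flash_loan("attacker", 1_000_000, attack)
        return "drained", token.balances.get("attacker", 0)
    except GovernanceError as err:
        return "blocked", str(err)


if __name__ == "__main__":
    print(simulate(delay_blocks=0))     # ('drained', 5000000)
    print(simulate(delay_blocks=100))   # ('blocked', 'timelock: cannot execute before block 1100')
```

The delay is the minimum fix the description points at; a governor that also snapshots voting power at proposal creation removes the borrowed balance from the count altogether, but the model keeps to the single missing control named on the page.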
Description of the event: According to BasketDAOOrg's official Twitter, there is a vulnerability in BMIZapper, which caused users to lose about 1.2 million US dollars.
Amount of loss: $ 1,200,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol Revest Finance was hacked. The hackers stole nearly 7.7 million ECO, 579 LYXe, nearly 715 million BLOCKS, and over 350,000 RENA. According to SlowMist's analysis, the handleMultipleDeposits function in the tokenVault contract does not check whether the newly minted NFT already exists, so the attacker could use this to directly overwrite the data of an NFT that had already been minted; in addition, the key functions in the Revest contract are not protected by reentrancy locks, so they could be re-entered from callbacks.
Amount of loss: $ 120,000 Attack method: Reentrancy Attack
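Both the Rari Capital entry above (exitMarket without reentrancy protection) and this Revest entry (key functions not protected by reentrancy locks, re-entered from callbacks) come down to the same pattern, shown here in an added Python model that is not code from either project. A vault's withdraw() makes an external call to the caller before it zeroes the caller's balance; the caller's callback re-enters withdraw() while the balance is still credited and drains the vault. The same model with a reentrancy lock, or with the balance zeroed before the external call (checks-effects-interactions), pays out once and no more. Deposit sizes and the account names are assumptions for the example.

```python
class ReentrancyError(Exception):
    pass


class Vault:
    """ETH vault whose withdraw() calls the depositor back, as a payable transfer does."""

    def __init__(self, mode):
        if mode not in ("vulnerable", "guard", "cei"):
            raise ValueError("mode must be vulnerable, guard or cei")
        self.mode = mode
        self.balances = {}     # depositor -> credited amount
        self.eth = 0           # ether actually held by the contract
        self._locked = False   # ReentrancyGuard state

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, caller):
        if self.mode == "guard" and self._locked:
            raise ReentrancyError("ReentrancyGuard: reentrant call")
        self._locked = True
        try:
            amount = self.balances.get(caller.address, 0)       # check
            if amount == 0:
                raise ValueError("nothing to withdraw")
            if self.mode == "cei":
                self.balances[caller.address] = 0               # effect before interaction
            self.eth -= amount
            caller.receive(self, amount)                        # interaction: caller's fallback runs
            if self.mode != "cei":
                self.balances[caller.address] = 0               # effect after interaction: too late
        finally:
            self._locked = False


class Attacker:
    address = "attacker"

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        """Fallback: re-enter withdraw() while our balance is still credited."""
        self.received += amount
        if vault.eth >= amount:
            try:
                vault.withdraw(self)
            except (ReentrancyError, ValueError):
                pass   # the inner call reverted; the outer call carries on


def run_attack(mode):
    """Returns (ether the attacker received, ether left in the vault)."""
    vault = Vault(mode)
    vault.deposit("victim", 10)       # constructed balances (assumption)
    attacker = Attacker()
    vault.deposit(attacker.address, 1)
    vault.withdraw(attacker)
    return attacker.received, vault.eth


if __name__ == "__main__":
    for mode in ("vulnerable", "guard", "cei"):
        print(mode, run_attack(mode))
    # vulnerable (11, 0): one credited ETH paid out eleven times
    # guard (1, 10) and cei (1, 10): paid out once
```

The guard variant is the nonReentrant modifier the Rari description says exitMarket lacked; the cei variant is the ordering fix that makes the guard unnecessary for this function. In practice both are used, because a lock also stops cross-function reentrancy that a single function's ordering cannot.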
Description of the event: InuSaitama is suspected to have suffered an arbitrage attack. The attacker (0xAd0C834315Abfa7A800bBBB5d776A0B07b672614) swapped through Saitamask (0x00480b0abBd14F2d61Aa2E801d483132e917C18B) for almost 10 times the value in SAITAMA tokens, then swapped them back to ETH through Uniswap and transferred the proceeds to 0x63493e679155c2f0aAd5Bf96d65725AD6427faC4, for a total profit of about 4.
Amount of loss: 430 ETH Attack method: Arbitrage attack
Description of the event: According to official reports, attackers exploited Li.finance’s smart contracts and managed to steal around $600,000 (currently worth $587,500 or 205 ETH) from 29 wallets. Attackers took various tokens from users’ wallets, including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. The project team has found the vulnerability and created a fix, compensating most of the affected users in less than 18 hours.
Amount of loss: $ 600,000 Attack method: Contract Vulnerability
Description of the event: The Ethereum and BNB Chain (formerly BSC) reward pools of the DeFi oracle Umbrella Network were hacked, netting the hackers around $700,000. The hack succeeded because of a missing check in withdraw(): the function never verified the caller's balance, so anyone could withdraw any amount of funds without holding a balance.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
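The following is an added Python model, written for this page and not taken from Umbrella Network's contracts, of a reward pool whose withdraw() subtracts from the caller's balance without first checking it. Under pre-0.8 Solidity arithmetic the subtraction wraps modulo 2**256 instead of reverting, so an account with a zero balance ends up with an enormous one and the pool pays out whatever was asked for. The checked variant is the one-line guard that was missing. Pool size and account names are assumptions for the example.

```python
UINT256_MOD = 2**256


class RewardPool:
    def __init__(self, checked):
        self.funds = 0              # tokens actually held by the pool
        self.balances = {}          # account -> credited rewards
        self.checked = checked      # False reproduces the unchecked withdraw()

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who, amount):
        balance = self.balances.get(who, 0)
        if self.checked:
            # The missing check: the caller must actually have that much credited.
            if balance < amount:
                raise ValueError("insufficient balance")
            self.balances[who] = balance - amount
        else:
            # Unchecked `balances[who] -= amount`: a uint256 wraps instead of reverting,
            # so 0 - amount becomes 2**256 - amount and the call proceeds.
            self.balances[who] = (balance - amount) % UINT256_MOD
        if self.funds < amount:
            raise ValueError("pool has insufficient funds")   # the token transfer itself would fail
        self.funds -= amount
        return amount


def attack(checked):
    """An account that never deposited withdraws everything the pool holds."""
    pool = RewardPool(checked)
    pool.deposit("staker", 700)                 # constructed deposit (assumption)
    try:
        taken = pool.withdraw("attacker", 700)  # "attacker" has no balance at all
        return "drained", taken, pool.balances["attacker"], pool.funds
    except ValueError as err:
        return "reverted", str(err), pool.balances.get("attacker", 0), pool.funds


if __name__ == "__main__":
    print(attack(checked=False))   # drained: 700 taken, attacker's balance wrapped to 2**256 - 700
    print(attack(checked=True))    # reverted: insufficient balance
```

Solidity 0.8 and later reverts on this underflow by default, which turns the same omission into a harmless revert rather than a drain; for older compilers the explicit require, or a SafeMath subtraction, is the fix.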
Description of the event: The DeFi protocol Deus Finance was hit by a flash loan attack: the hackers manipulated the price oracle and stole about $3 million, including 200,000 DAI and 1,101.8 ETH, which were passed through the Tornado mixer.
Amount of loss: $ 3,000,000 Attack method: Flash loan attack
Description of the event: RigoBlock was hacked. All tokens in Dragos except ETH and USDT were at risk because of an exploited protocol vulnerability. The hacker, a white hat, returned the funds to the affected RigoBlock pool, keeping only 10% as a bug bounty reward.
Amount of loss: 160.86 ETH Attack method: Contract Vulnerability
Description of the event: The venture capital DAO Build Finance tweeted that the project had suffered a malicious governance takeover. The malicious actors gained control of the BUILD token contract by acquiring enough votes, minted 1,107,600 BUILD tokens in three transactions, and sold them, draining most of the funds in the Balancer and Uniswap liquidity pools. The attackers then took control of the Balancer pools through the governance contracts and drained the remaining funds, including 130,000 METRIC tokens; the METRIC liquidity on Uniswap and the Fantom pools subsequently came under intense selling pressure. As it stands, the attackers have full control over the governance contracts, the minting keys and the treasury, and the DAO no longer controls any part of its critical infrastructure.
Amount of loss: 168 ETH Attack method: Governance Attack
Description of the event: The QI vesting contract on the streaming digital asset protocol Superfluid was exploited by an attacker passing in crafted call data. The vulnerability allowed the attacker to transfer funds out of Superfluid user wallets on Polygon and exchange them for ETH.
Amount of loss: $ 13,000,000 Attack method: Contract Vulnerability
Description of the event: According to Rugdoc, AFKSystem rugged all of their vaults for a combined profit of around $12 million. Although AFKSystem had severely cut back their governance authority, they still retained one important privilege: changing the routers that sell the harvested tokens.
Amount of loss: $ 12,000,000 Attack method: Rug Pull
Description of the event: White hat hackers at @immunefi discovered a critical vulnerability in the wxBTRFLY token contract. The transferFrom function did not update the intended party's allowance correctly; instead it incorrectly updated msg.sender's allowance. Although the vulnerability itself is serious, its cause is not complicated (it looks more like a clerical error by the developer). What is more interesting is the official repair method. Since the contract is not upgradeable, its code could not be updated directly, and since it cannot be paused, user assets could not be moved by means of a snapshot plus migration. The final official measure was to launch an attack transaction themselves, transferring the assets of all users affected by the vulnerability to a multi-signature wallet.
Amount of loss: - Attack method: Contract Vulnerability
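The following is an added Python model of an ERC-20 transferFrom with the kind of allowance mix-up described above; it is written for this page and is not the wxBTRFLY contract's code. The assumed form of the bug is swapped allowance indices: the function reads and decrements allowance[msg.sender][from] instead of allowance[from][msg.sender], so the allowance that gets spent belongs to msg.sender rather than to the account whose tokens move. The consequence is inverted trust: an approval from Alice to Bob no longer lets Bob spend Alice's tokens, but does let Alice pull Bob's. Account names and balances are assumptions for the example.

```python
class WrappedToken:
    """Two-account ERC-20 model; `buggy=True` swaps the allowance indices in transfer_from."""

    def __init__(self, balances, buggy):
        self.balances = dict(balances)
        self.allowance = {}       # allowance[owner][spender]
        self.buggy = buggy

    def approve(self, owner, spender, amount):
        self.allowance.setdefault(owner, {})[spender] = amount

    def _allowed(self, owner, spender):
        return self.allowance.get(owner, {}).get(spender, 0)

    def transfer_from(self, sender, frm, to, amount):
        """`sender` plays msg.sender. Correct ERC-20 spends allowance[frm][sender]."""
        if self.buggy:
            owner, spender = sender, frm     # assumed bug: allowance[msg.sender][from]
        else:
            owner, spender = frm, sender     # allowance[from][msg.sender]
        allowed = self._allowed(owner, spender)
        if allowed < amount:
            raise ValueError("transfer amount exceeds allowance")
        if self.balances.get(frm, 0) < amount:
            raise ValueError("transfer amount exceeds balance")
        self.allowance[owner][spender] = allowed - amount   # the "incorrectly updated" allowance
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def scenario(buggy):
    """Alice approves Bob for 50. Returns (Bob's legitimate pull, Alice's theft attempt, balances)."""
    token = WrappedToken({"alice": 100, "bob": 1000}, buggy)   # constructed balances (assumption)
    token.approve("alice", "bob", 50)
    try:
        token.transfer_from("bob", "alice", "bob", 50)     # what the approval is for
        legit = "ok"
    except ValueError as err:
        legit = str(err)
    try:
        token.transfer_from("alice", "bob", "alice", 50)   # nobody approved this
        theft = "ok"
    except ValueError as err:
        theft = str(err)
    return legit, theft, token.balances["alice"], token.balances["bob"]


if __name__ == "__main__":
    print(scenario(buggy=True))    # Bob's pull fails, Alice drains 50 from Bob
    print(scenario(buggy=False))   # Bob's pull works, Alice's attempt reverts
```

This also explains why the team's remediation had to be an "attack" rather than a patch: with no upgrade path and no pause, the only lever left was the same primitive the bug exposes, used by the team to move at-risk balances before anyone else did.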