424 hack event(s)
Description of the event: Fake MEMEPAD (MEMEPAD) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 80,134 Attack method: Rug Pull
Description of the event: Fake TITANX (TITANX) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 82,385 Attack method: Rug Pull
Description of the event: The Ethereum liquidity restaking pool Astrid was attacked due to a vulnerability in the withdrawal function, resulting in a loss of approximately $228,000. The parameters of the `withdraw()` function, specifically the token address and token amount, were exploitable. On October 29, the hackers returned 80% of the stolen funds (102 ETH).
Amount of loss: $ 228,000 Attack method: Contract Vulnerability
Description of the event: STIMMY on Ethereum pulled liquidity to the tune of 43.8 ETH (~$78.8K) and deleted its social platforms.
Amount of loss: $ 78,800 Attack method: Rug Pull
Description of the event: A fake Linea token is suspected of a rug pull for ~$1.3m. ~$743k has been deposited into Tornado Cash. Contract Address: 0x00000000fEB6A772307C6aA88AB9D57b209aCb18.
Amount of loss: $ 1,300,000 Attack method: Rug Pull
Description of the event: Safereum has conducted an exit scam for ~$1.3m. Contract Address: 0xb504035a11E672e12a099F32B1672b9C4a78b22f.
Amount of loss: $ 1,300,000 Attack method: Rug Pull
Description of the event: Julia (JULIA) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 73,000 Attack method: Rug Pull
Description of the event: On October 18, 2023, the HopeLend protocol fell victim to a hacker attack. The attack resulted in a loss of approximately 528 ETH, of which 263.91 ETH were paid by the frontrunner as a bribe to a validator (managed by Lido). The exploit frontrunner eventually profited by 264.08 ETH. On October 20, Hope.money tweeted that a frontrunner from Armor Team voluntarily returned the acquired assets.
Amount of loss: $ 818,747 Attack method: Contract Vulnerability
Description of the event: On Oct 8, zkFlex Finance on ETH was rugged for ~$56K when an address 0x84f90d576247D569D972DB84504b5170aB13bCe7 dumped over 281,164,943.53 zkFlex Finance Tokens for 34.26 WETH. Contract Address: 0x54855D3133669B7EF54A2c962F5f63fdb44bBaE9.
Amount of loss: $ 56,000 Attack method: Rug Pull
Description of the event: On Oct 8, the pSeudoEth token on ETH was exploited for ~$2.3K in a flash loan attack. Contract: 0x62aBdd605E710Cc80a52062a8cC7c5d659dDDbE7. Attacker: 0xea75AeC151f968b8De3789CA201a2a3a7FaeEFbA.
Amount of loss: $ 2,300 Attack method: Flash Loan Attack
Description of the event: A flash loan attack on the DePay platform resulted in the theft of 827 USDC. The exploiter used a security issue in the DePay router to steal the USDC.
Amount of loss: $ 827 Attack method: Flash Loan Attack
Description of the event: Mode Discord was hacked. A phishing link was posted in the announcements channel of the Mode Network Discord server.
Amount of loss: - Attack method: Account Compromise
Description of the event: The token Cat Nation is suspected to be a rug pull. Transaction pool address (ETH): 0xC9C1776802216e074eF7A19555cE70bB473B25c0.
Amount of loss: $ 29,700 Attack method: Rug Pull
Description of the event: On September 21st, a large amount of YZER liquidity was removed. The deployer profited ~$28.6k from this liquidity removal.
Amount of loss: $ 28,600 Attack method: Rug Pull
Description of the event: There was a 70% slippage on PEPEP. ETH: 0xD33830FcC5E434dBb4efF9D5348d74Ee2cbd505F. The drop was caused by EOA 0x4af2, which dumped tokens for ~$45k.
Amount of loss: $ 45,000 Attack method: Rug Pull
Description of the event: The FriendChipsTech token on ETH was suspected to be a rug pull, resulting in a loss of ~$77.5K. The exploiter created a malicious contract (0x1dB0B6012D64452ED6aa98e87F7c308DB0281E40) to mint tokens and dump them for ~$77.5K, which has already been deposited to Tornado Cash.
Amount of loss: $ 77,500 Attack method: Rug Pull
Description of the event: OxODexPool suffered a flash loan attack. ETH: 0x6128d5F7c64Dab48a1C66f9D62EaeFa1d5aA03ed. Approximately 40 ETH (~$61k) was lost. The stolen funds currently reside in the attacker's wallet.
Amount of loss: $ 61,000 Attack method: Flash Loan Attack
Description of the event: On September 10, according to on-chain intelligence from the SlowMist security team, when the LDO token contract processes a transfer whose amount exceeds the amount actually held by the user, the transaction is not rolled back. Instead, the call directly returns `false` as its result. This differs from many common ERC20 token contracts. Because of this behavior, there is a potential risk of "fake top-up", and malicious attackers may try to use it to commit fraud. On September 11, Lido stated that this behavior was expected and complies with ERC20 token standards. LDO and stETH are still safe. The Lido Token Integration Guide will be updated with LDO details to make this more obvious.
Amount of loss: - Attack method: False top-up
Description of the event: On September 9, PEPE stated on Twitter that PEPE’s old Telegram account had been hacked and was no longer under official control. The Twitter account "lordkeklol" has been compromised and used to perpetrate scams and is in no way affiliated with PEPE or its team members. All official information from PEPE will be released via its Twitter account in the coming weeks.
Amount of loss: - Attack method: Account Compromise
Description of the event: The token GALA of the blockchain gaming platform Gala Games underwent a major upgrade on May 15, 2023, and the token contract address was updated. As a result, there are now two tokens in circulation, both called GALA. The price ratio of old GALA to normal GALA is 1:12. Since July 27 this year, the attacker has been depositing old GALA tokens on various exchanges to test fake deposits. At the same time, the hackers were also involved in the LDO “fake top-up” incident and the Nomad Bridge attack last August. On September 6, the hackers deposited old GALA tokens to CoinHub, successfully causing the exchange to treat the deposited old GALA tokens as normal GALA tokens. The hacker then withdrew the real GALA. Now only $168 worth of GALA is left in the exchange hot wallet, and the hacker earned 2.7 ETH.
Amount of loss: 2.7 ETH Attack method: False top-up