174 hack event(s)
Description of the event: On June 14, NFT perpetual contract trading platform nftperp announced on Twitter that a critical bug had been found in the clearingHouse contract. All vulnerable contracts have been suspended until further notice. On June 15, nftperp stated that all funds lost due to the vulnerability had been successfully recovered. The developers are currently prioritizing the resumption of the contracts so trading and withdrawal can go live.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Lykke, the zero-fee crypto exchange, was suspected to be exploited, which resulted in a loss of assets worth over $22.4 million. The root cause of the exploit is unknown at the moment, and the team has yet to acknowledge the occurrence of the exploit. The stolen assets include roughly 158 BTC from the Bitcoin network and over 2161 ETH from the Ethereum Mainnet, among other assets.
Amount of loss: $ 22,400,000 Attack method: Unknown
Description of the event: DEX Velocore experienced a security breach on June 2nd, 2024, resulting in financial losses approximating $6.8 million in ETH. The primary cause of the incident was faulty logic within the velocore__execute() function of the ConstantProductPool. When a user makes a swap on Velocore, the Vault contract makes an external call to this function to calculate the result of the swap.
Amount of loss: $ 6,800,000 Attack method: Contract Vulnerability
Description of the event: DMM Bitcoin, a Japanese cryptocurrency exchange, announced it lost 48.2 billion yen ($305 million) worth of bitcoin (BTC) due to a hack.
Amount of loss: $ 305,000,000 Attack method: Malware Attack
Description of the event: On May 14th, the decentralized trading protocol Equalizer Exchange within the Fantom ecosystem was suspected to have been attacked. The official team tweeted that they are investigating the incident and advised users not to interact with the Equalizer Exchange frontend. On May 15th, Equalizer Exchange announced that the domain has been restored.
Amount of loss: - Attack method: Unknown
Description of the event: Crypto detective ZachXBT stated on his Telegram channel that the Middle Eastern cryptocurrency exchange Rain appears to have been hacked, resulting in a loss of $14.8 million USD. The breach occurred on April 29, 2024, when Rain's BTC, ETH, SOL, and XRP wallets experienced suspicious outflows of funds, which were quickly transferred to instant exchanges and converted into BTC and ETH.
Amount of loss: $ 14,800,000 Attack method: Unknown
Description of the event: FixedFloat, a decentralized exchange, tweeted that they have encountered another attack, with hackers exploiting vulnerabilities in their third-party services. The company assured that both company and user funds remain unaffected.
Amount of loss: $ 3,000,000 Attack method: Third-party Vulnerability
Description of the event: Decentralized exchange (DEX) aggregator ParaSwap announced the discovery of a critical vulnerability affecting its approved aggregation smart contract Augustus V6. This vulnerability impacts users who have authorized the Augustus V6 contract. In response, ParaSwap has temporarily halted the V6 API and employed white-hat attack methods to ensure the safety of user funds. These funds have been securely transferred to a secure wallet starting with 0x66E90 and are slated to be returned to users promptly. Additionally, ParaSwap urges users to revoke authorization for the Augustus V6 contract to mitigate potential risks. Currently, it is known that 4 addresses have been affected by this vulnerability, resulting in a total loss of approximately $24,000. ParaSwap is taking measures to address and fix this vulnerability while ensuring the safety of user funds.
Amount of loss: $ 24,000 Attack method: Contract Vulnerability
Description of the event: On February 23, 2024, Hong Kong-based cryptocurrency exchange BitForex was suspected of an exit scam after approximately $56.5 million in suspicious fund outflows were detected across multiple blockchains. The platform subsequently restricted access. On-chain investigator ZachXBT was the first to notice irregularities in withdrawals, highlighting that the exchange had ceased processing withdrawals and failed to respond to customers. In mid-2023, the company faced regulatory scrutiny in Japan for operating without a license and was accused of inflating trading volumes. Its CEO resigned in January, promising a new team would take over. On July 19, BitForex updated the situation on X, stating that platform access was disrupted due to unforeseen events and that it would reopen soon.
Amount of loss: $ 56,500,000 Attack method: Unknown
Description of the event: According to on-chain data, the cryptocurrency exchange FixedFloat appears to have been exploited, resulting in the theft of approximately $26.1 million worth of Bitcoin and Ethereum. On February 18th, FixedFloat tweeted: "We confirm that there was indeed a hack and theft of funds. We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon. We will provide details on this case a little later."
Amount of loss: $ 26,100,000 Attack method: Third-party Vulnerability
Description of the event: Tron founder Justin Sun tweeted that Htx.com and HTX_DAO have been attacked by DDoS attack. The official HTX Twitter account also mentioned that the HTX application is currently experiencing interruptions, and the technical team is actively working to resolve the issues.
Amount of loss: - Attack method: DDoS Attack
Description of the event: Liquidity layer & AMM Chronos tweeted that its concentrated liquidity pools managed by @dyson_money have been exploited in a manner similar to the gamma exploit. Users are advised to revoke contracts associated with these pools. This vulnerability is specific to concentrated liquidity pools, and all other V2 pools remain safe and unaffected. The rest of the funds are secure.
Amount of loss: $ 148,000 Attack method: Flash Loan Attack
Description of the event: OKX Wallet BRC20 marketplace has experienced a vulnerability where a large number of fake sats are displayed in the order book. Users are advised to immediately cease trading sats to avoid purchasing false assets and potential asset loss. On December 30th, OKX announced on Twitter that the Ordinals market has been restored, and trading for the affected currencies has resumed as usual. For genuine users who mistakenly purchased tokens due to this issue, the platform will compensate them after completing the assessment.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: Multi-chain trading platform Thunder suffered an attack. Thunder responded by stating that a third-party service it uses appears to have been targeted. No one's private keys are compromised. Only 114 wallets out of over 14,000 were affected.
Amount of loss: $ 192,000 Attack method: Third-party Vulnerability
Description of the event: The INX Digital Company, a security token and digital asset trading platform, announced that on December 20, 2023, it learned of a cyberattack that occurred on the computer systems of a third-party vendor providing services to one of the Company's subsidiaries. As a result, a malicious actor managed to access the third-party vendor's servers and executed unauthorized trades which resulted in a loss of funds of the Company's subsidiary of approximately $1.6 million. The Company took immediate actions to remediate the security vulnerability and to investigate the nature and scope of the incident. The Company also notified relevant law enforcement in the appropriate jurisdictions and is working with the affected trading venue to investigate this incident and take appropriate legal action. INX customers were not affected by the incident, and the security breach at the third-party provider did not have any impact on the platforms and servers of INX. No personal information or other data of INX's customers was compromised, and INX.One remains fully operational.
Amount of loss: $ 1,600,000 Attack method: Third-party Vulnerability
Description of the event: According to information from SlowMist Zone, the OKX DEX contract appears to have encountered an issue. After SlowMist's analysis, it was found that when users exchange, they authorize the TokenApprove contract, and the DEX contract transfers the user's tokens by calling the TokenApprove contract. The DEX contract has a claimTokens function that allows a trusted DEX Proxy to make calls, with its functionality being to invoke the claimTokens function of the TokenApprove contract to transfer tokens authorized by the user. The trusted DEX Proxy is managed by the Proxy Admin, and the Proxy Admin Owner can upgrade the DEX Proxy contract through the Proxy Admin. On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract through the Proxy Admin. The new implementation contract's functionality is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, attackers began calling the DEX Proxy to steal tokens. The Proxy Admin Owner upgraded the contract again at 23:53:59 on December 12, 2023, with similar functionality, and continued stealing tokens after the upgrade. This attack may be a result of the Proxy Admin Owner's private key being leaked. Currently, the DEX Proxy has been removed from the trusted list.
Amount of loss: $ 2,700,000 Attack method: Private Key Leakage
Description of the event: Virtual Asset Platform HOUNAX Investigated for Fraud. On November 1, HOUNAX was placed by the Hong Kong Securities and Futures Commission (SFC) on a warning list of "Suspicious Virtual Asset Trading Platforms," which is designed to alert investors to risks. On November 29, Hong Kong police reported that 158 Hong Kong investors had been lured by the unlicensed platform HOUNAX and lost approximately HK$155 million ($19.83 million).
Amount of loss: $ 19,830,000 Attack method: Scam
Description of the event: HTX (formerly Huobi) and its related Heco Bridge were hacked for a combined $113.3 million.
Amount of loss: $ 113,300,000 Attack method: Unknown
Description of the event: Trader Joe, the largest native DEX on Avalanche, tweeted that the team's preliminary analysis identified a potential exploit in a 3rd party analytics plugin hacked JavaScript code used by the frontend.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: DEX SpookySwap on Fantom tweeted that the team is investigating a frontend vulnerability on their domain. Please do not execute any transactions on the DEX. On November 19, Spooky updated that a 3rd party JavaScript plugin enabled code injection from npm packages. This enabled replacing the spooky router contract on the Spooky Fi frontend with a malicious contract which sent funds that users attempted to swap to the exploiter.
Amount of loss: $ 5,000 Attack method: Malicious Code Injection Attack