11 hack event(s)
Description of the event: Reaper Farm's ReaperVaultV2 contract was maliciously exploited, resulting in more than $1.6 million worth of damage. Attackers exploited a vulnerability in the ReaperVaultV2 contract that could destroy other users' vault shares and withdraw tokens, thereby withdrawing large amounts of tokens from multiple vaults.
Amount of loss: $ 1,698,423 Attack method: Lack of access control
Description of the event: Fantom-based DeFi lending protocol Scream caused $35 million in bad debt after failing to adjust the price of two de-pegged USD stablecoins. The two stablecoins are Fantom USD (FUSD) and Dei (DEI). Both stablecoins are still quoted at $1, according to data from the Scream dashboard. However, their trading prices have been severely de-pegged. Among them, FUSD fell to $0.69, and DEI fell to a low of $0.52. Whale players took advantage of this situation to deposit large amounts of FUSD and DEI at a discount, and siphoned all other stablecoins from the Scream platform. Stablecoins such as Fantom USDT, FRAX, DAI, MIM, and USDC have all been withdrawn from the platform. As a result, users who originally had deposits in these stablecoins would not be able to withdraw from Scream.
Amount of loss: $ 35,000,000 Attack method: Stablecoin prices de-anchor
Description of the event: SpiritSwap tweeted that its front-end server hosted on AWS was compromised by hackers, that parameters on the website were tampered with, and that $18,000 had been stolen so far. According to the official postmortem analysis, the attackers contacted GoDaddy and began a social engineering attack on one of its employees. After gaining access to the account, the attackers modified DNS settings and changed all credentials, effectively hijacking access and taking ownership for themselves. After securing access to the SpiritSwap domain, the attackers deployed a phishing site made to look like SpiritSwap. The attackers then used the "send to" function in the exchange contract to reroute any funds exchanged by users to the attacker's address.
Amount of loss: $ 18,000 Attack method: Front-end server is attacked
Description of the event: DeFi project Pragma Money on Fantom has announced that around $1.5 million in FTM has been drained from its treasury and project wallets. It appears to have been done by a team member.
Amount of loss: $ 1,503,506 Attack method: Scam
Description of the event: Fantom-based decentralized derivatives protocol DEUS Finance was attacked, and the hackers made about $13.4 million in profit. The hack utilized a flash loan-assisted manipulation of price oracles read from the StableV1 AMM-USDC/DEI pair, and then used the manipulated collateral DEI price to borrow and drain the pool.
Amount of loss: $ 13,400,000 Attack method: Flash loan attack
Description of the event: Fantom ecosystem stablecoin yield optimizer OneRing published a statement saying that hackers stole 1,454,672.244369 USDC through a flash loan attack, and that the contract had been configured to self-destruct in a specific block, so it is almost impossible to track which specific functions in the contract were called to steal the funds.
Amount of loss: $ 1,454,672.24 Attack method: Flash loan attack
Description of the event: According to RugDoc on Twitter, PulseDAO Finance has rug pulled. Its social media accounts and website are closed. 4342 FTM was removed by the contract developer.
Amount of loss: 4342 FTM Attack method: Scam
Description of the event: Fantom’s on-chain synthetic asset protocol, Fantasm Finance, posted on social media that its FTM collateral reserves had been exploited, and called on users to exchange their XFTM immediately. After exploiting the vulnerability, the hacker exchanged all the profits for ETH, bridged them cross-chain to the Ethereum mainnet, and mixed the coins using Tornado.cash. According to statistics, the hacker made a profit of 1,007 ETH (about 2.73 million US dollars).
Amount of loss: 1,007 ETH Attack method: Contract vulnerabilities
Description of the event: Rugdoc.io tweeted that the Fantom ecosystem project Gold Mine Finance has rug pulled.
Amount of loss: $ 800,000 Attack method: Scam
Description of the event: According to official sources, GrimFinance, a yield-compounding platform on the Fantom chain, suffered a flash loan attack, and the loss so far has exceeded 30 million U.S. dollars. The attacker used the function named "beforeDeposit()" in GrimFinance's vault strategy to carry out the attack, supplying a malicious token contract as input.
Amount of loss: $ 30,000,000 Attack method: Flash loan attack
Description of the event: TOMB, the token of Tomb Finance, an algorithmic stablecoin project linked to the Fantom ecosystem and FTM, fell by as much as 77% yesterday, and the community suspected that it had been attacked. In response, Tomb Finance stated that it used to collect service fees when TOMB was sold. This mechanism, Gatekeeper, was used by a third party, which led to panic selling, but the project was not attacked and no funds were stolen.
Amount of loss: - Attack method: Service fee collection mechanism