4 hack event(s)
Description of the event: According to SlowMist, LendHub, a cross-chain lending platform in the HECO ecosystem, was suspected of being attacked and lost nearly 6 million US dollars. The cause of the attack is that LendHub has two lBSV cTokens, one of which was abandoned in April 2021 but never removed from the market, so both the old and the new lBSV exist in the market. Moreover, the old and new lBSV do not share the same Comptroller, yet both have prices in the market, which splits the calculation of liabilities between the old and new markets. The attacker took advantage of this problem to redeem collateral in the old market while borrowing in the new market, maliciously draining protocol funds from the new market. At present, the main hacker profit address is 0x9d01..ab03, and the fees for the attack were funded by 100 ETH received from Tornado.Cash on January 12. SlowMist said that it has obtained some traces of the hackers through its threat intelligence network.
Amount of loss: $ 6,000,000 Attack method: Contract Vulnerability
Description of the event: XDX Swap (DDEX), a cross-chain decentralized exchange on the HECO chain, was attacked. The attacker made a profit of 85.17 ETH (approximately $176,000) and bridged it to Ethereum. The DDEX code appears to have a backdoor. With the support and cooperation of DDEX, Star Labs, and the HECO White Hat Security Alliance, XDX Swap has successively recovered most of the funds involved in this attack, with a total value of more than 5 million US dollars.
Amount of loss: - Attack method: Code vulnerabilities
Description of the event: At around 4:00 a.m. on June 8, the GainSwap project, which had been online for less than 12 hours, suddenly swept away nearly $8 million in digital assets pledged by users, closed access to its website, and then went out of contact and ran away. This is also one of the largest rug pulls on HECO by amount. In January 2022, according to public security information from Chizhou City, Anhui Province, the Chizhou police recently cracked a case of illegally obtaining virtual currency data from a computer system using blockchain technology, involving a value of about 50 million yuan. With the cooperation of the police in Guangdong, Sichuan and Hunan, all eight suspects were arrested. The police seized assets involved in the case, such as villas and luxury cars worth tens of millions that the suspects had purchased in full with the stolen money, and froze about 6 million in virtual assets.
Amount of loss: $ 8,000,000 Attack method: Rug Pull
Description of the event: HSO, an oracle project on the Huobi Eco-Chain (HECO), held an IDO and ran away with 30,000 HT. Its website and Telegram could not be opened. Later, through the efforts of the HECO core code contribution team Star Lab, the HECO technical community and the HECO White Hat Security Alliance, 24823 HT were recovered.
Amount of loss: 5,177 HT Attack method: Rug Pull