72 hack event(s)
Description of the event: According to official news, the NFT project Azuki confirmed that its Twitter account was hacked, and the team has regained control of the account. Hackers posted two tweets on Azuki's Twitter account, prompting users to claim the virtual land, one of which was pinned to the top. Azuki officials remind users to be alert to this scam and not to click on any links.
Amount of loss: $ 1,740,000 Attack method: Twitter was hacked
Description of the event: The official Twitter account of the NFT project Chimpers was hacked and misused, and multiple links to fake websites were published to lure users into minting NFTs through those links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official Twitter account of the NFT project CyberKongz was hijacked by hackers, who replaced the profile links with phishing links and posted false mint information. The account has since been renamed and placed under freeze protection.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Browser security plug-in Pocket Universe tweeted that a new vulnerability was discovered in OpenSea's old contracts that could be used to steal users' NFTs, potentially emptying a wallet once the transaction was signed. It can steal any NFT a user listed on OpenSea before May 2022 (i.e. before the Seaport upgrade). It mainly involves the Wyvern protocol, which grants proxy contracts the right to withdraw user NFTs; this new exploit tricks the user into signing a transaction that gives the attacker ownership of the user's proxy contract. Cosine, the founder of SlowMist, tweeted that users need to be vigilant about this new exploitation of an old problem: it is tied to the old OpenSea protocol, many users of the old protocol have not revoked the relevant authorization, and the technique does not work against the new OpenSea protocol (Seaport).
Amount of loss: - Attack method: Contract vulnerabilities
Description of the event: NFT platform Blur tweeted that it noticed a phishing account with the ID @Blur_DAO and reminded users not to click on fake links. The fake account tweeted that the BLUR token query was now open, and posted a phishing URL.
Amount of loss: - Attack method: Phishing attack
Description of the event: The Discord server of NFT project Vivity was attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official wallet of NFT platform LiveArtX was stolen, and several reserved NFTs were sold. According to MistTrack analysis, the LiveArtX attacker (0x5f78...A920) transferred 7.3 ETH and 22.39 WETH to Bitkeep, then exchanged them for USDT and transferred it to a new address (0x871e...A575).
Amount of loss: $ 39,000 Attack method: Private Key Leaked
Description of the event: The Web3 social platform Sex DAO is suspected of a rug pull. The original white paper has been deleted, and over 220,000 USDT and 4.17 billion SED (SEXDAO Token) have been transferred on-chain. Currently, the Sex DAO official website and official Twitter account are inaccessible.
Amount of loss: 220,000 USDT Attack method: Rug Pull
Description of the event: The unlicensed Pokémon knockoff project PokémonFi has rug pulled. The project and its token launched in April; the project recently deleted its Twitter account, but its website is still online.
Amount of loss: $ 708,000 Attack method: Rug Pull
Description of the event: The community treasury of Web3 music streaming platform Audius was hacked, losing 18.5 million AUDIO tokens. The hackers exchanged the funds for about 705 ETH on Uniswap. Audius officially stated that the problem has been found and is currently being repaired. All Audius smart contracts on Ethereum, including the token, had to be halted. The team believes there is no further risk to funds. Until the fix is complete, token balances, transfers, and related functions will be temporarily unavailable.
Amount of loss: $ 1,100,000 Attack method: Contract vulnerabilities
Description of the event: The permissions of the relevant administrators of the Tableland project's Discord were stolen. It is understood that after joining an external Discord server, Tableland members clicked through the verification steps of a bot named "Dyno", clicked a bookmark button containing malicious JavaScript, and were then prompted to interact with the bookmark, which triggered the malicious script. The attacker took over the admin account and posted a link to a fake website in the announcement channel; anyone who clicked the link and followed the wallet instructions would grant the attacker access to any NFTs held in their account.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The NFT access list tool PREMINT issued an alert through its official Twitter after some users reported that the tool's website had been hacked and NFT collectors' collections had been stolen. Subsequently, the blockchain security company SlowMist confirmed that the PREMINT website was attacked by hackers. The hackers carried out phishing attacks by implanting malicious JS (JavaScript) files in the website, deceiving users into signing a "set approval for all" transaction and thereby stealing users' NFT assets. The attack lost about 280 ETH in total, amounting to $381,818, making it one of the biggest NFT hacks of the year.
Amount of loss: 280 ETH Attack method: Front-end Attack
Description of the event: Multi-chain NFT protocol Citizen Finance claims to have been attacked by an outside party that gained access to the private keys of BNB and the Polygon chain. The attackers used their access to transfer 244 BNB (~$55,000), 57,637 MATIC (~$32,300), and 7,000 USDC, for a total of about $94,300.
Amount of loss: $ 94,300 Attack method: Private key leak
Description of the event: Decentralized NFT financialization protocol Omni X was attacked, and the stolen funds have been transferred to Tornado.cash. The root cause is that the burn function makes an external callback, which opens a reentrancy window, and the liquidation function makes its decision on stale variable values. As a result, even after the attacker re-enters and borrows again, the user's status is set to unborrowed, so no repayment is required.
Amount of loss: 1,300 ETH Attack method: Reentrancy attack
Description of the event: Quixotic, the largest NFT platform in the Optimism ecosystem, has a serious vulnerability, and a large number of user assets have been stolen. Users who have traded on this market should revoke their authorization as soon as possible. According to SlowMist analysis, the fillSellOrder function of the market contract checks only the sell order and does not check the buyer's buy order. The attacker therefore first creates an arbitrary NFT contract, then calls fillSellOrder to generate a sell order, passing the victim's address as the buyer parameter and the address of the token to be stolen as the paymentERC20 parameter; the tokens of any user who has approved the market contract can then be transferred to the attacker for profit.
Amount of loss: 220,000 OP Attack method: Contract Vulnerability
Description of the event: Metaverse project Quint was hacked and lost $130,000. The root cause is that when the reStake function re-stakes the reward, the LP token's reward amount is not updated, so the attacker can claim the already-issued reward multiple times.
Amount of loss: $ 130,000 Attack method: Contract Vulnerability
Description of the event: The NFT liquidity solver XCarnival was attacked; the hacker made a profit of 3,087 ETH (about 3.8 million US dollars) and returned 1,467 ETH after negotiation. The core of this vulnerability is that, when borrowing, there is no check on whether the NFT in the order has already been withdrawn.
Amount of loss: 1,620 ETH Attack method: Contract vulnerabilities
Description of the event: Clothing brand LACOSTE's Discord was hacked, and scammers posted phishing links in the announcement channel. Recently, the Discords of several other projects have also been attacked, including Clyde, Good Skellas, Duppies, Oak Paradise, Tasties, Yuko Clan, Mono Apes, ApeX Club, Anata, GREED, CITADEL, DegenIslands, Sphynx Underground Society, FUD Bois, and Uncanny Club.
Amount of loss: - Attack method: Discord was hacked
Description of the event: KnownOrigin officially tweeted that its Discord had been attacked and reminded users not to click on any links. Other servers hacked in recent days include those of Curiosity, Meta Hunters, Parallel, Goat Society, RFTP, and Gooniez.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The Discord servers of the Yuga Labs projects Bored Ape Yacht Club (BAYC) and Otherside appear to have been affected by phishing attacks. The attackers allegedly stole more than 145 ETH ($256,000) worth of tokens. It appears that a community administrator's account was compromised, which gave the attackers access to the administrator account on the server. They then posted a link to a phishing site that encouraged users to connect their wallets to access "exclusive giveaways." Subsequently, the NFT project BAYC stated on its official Twitter that its Discord server was briefly attacked today and that the team quickly resolved the problem, but some NFTs were still affected.
Amount of loss: 145 ETH Attack method: Discord was hacked