94 hack event(s)
Description of the event: Milady founder Charlotte Fang said that a Milady developer misappropriated approximately $1 million from the treasury of Bonkler, an official Milady project. The developer also seized the code base and demanded that the team hand over more funds and NFT reserves. The X accounts of miladymaker and remilionaire are currently controlled by this developer. Charlotte Fang said the members involved have been identified and will be held accountable to the fullest extent of the law. Minting of Bonkler NFTs is temporarily suspended; Bonkler's community vaults, contracts, and NFTs are safe. Other NFT collections from Milady's parent company Remilia are not affected for the time being.
Amount of loss: $ 1,000,000 Attack method: Insider Manipulation
Description of the event: On September 9, PEPE stated on Twitter that PEPE's old Telegram account had been hacked and was no longer under official control. The Twitter account "lordkeklol" has also been compromised and is being used to run scams; it is in no way affiliated with PEPE or its team members. All official PEPE information will be released via its Twitter account in the coming weeks.
Amount of loss: - Attack method: Telegram was hacked
Description of the event: NFT marketplace Paras tweeted that its Discord was under attack: do not click on any link, mint, or approve any transactions.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Balthazar tweeted that its Discord was under attack: do not click on any link, mint, or approve any transactions.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Lamas Finance's Discord is under attack; the phishing site is lamas[.]co/airdrop. Do not click on the link, mint, or approve any transactions.
Amount of loss: - Attack method: Discord was hacked
Description of the event: PEPE said on Twitter that 16 trillion PEPE tokens were sold the previous day after three former team members stole the tokens and then removed their signing permissions from the multi-signature wallet. However, Jeremy Cahen, founder of the NFT marketplace Not Larva Labs, posted that the "truth" announced by PEPE was a complete lie and that he and the community had been used by the PEPE team. On August 26, PEPE tweeted that PEPE's Telegram group was locked: the group owner's old Telegram account had been hacked and the group taken over by the hackers.
Amount of loss: - Attack method: Unknown
Description of the event: On-chain analyst ZachXBT tweeted that there was an issue with the SaaSy Labs API of Made by Apes, an on-chain licensing application platform launched by BAYC, that allowed access to the personal details submitted in MBA applications. The issue was reported to Yuga Labs before disclosure and has since been fixed. Yuga Labs responded that it is currently uncertain whether any data was misused, that it is contacting anyone whose information may have been exposed, and that it will provide fraud and identity protection to any users who may need it.
Amount of loss: - Attack method: Information Leakage
Description of the event: The NFT lending platform JPEG'd was hacked, and the JPEG token fell by 40% in a short period, with a loss of at least about $10 million. The root cause is reentrancy: when the attacker called the pool's remove_liquidity function to withdraw liquidity, the ETH transfer handed control back to the attacker, who re-entered the add_liquidity function. Because the pool's balances had already been updated before the re-entered add_liquidity call while the withdrawal had not yet completed, the price used by the re-entered call was wrong. JPEG'd tweeted that the pETH-ETH Curve pool was attacked; the vault contract that allows borrowing against NFTs is safe and still functioning, NFTs and treasury funds are secure, and the JPEG'd contracts themselves were not hacked. On August 5, JPEG'd tweeted that the DAO multi-signature address had confirmed receipt of 5494.4 WETH, and that the address owner who recovered the funds from the pETH vulnerability received a 10% white hat bounty of 610.6 WETH.
Amount of loss: $ 10,000,000 Attack method: Reentrancy Attack
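The remove_liquidity / add_liquidity reentrancy sequence described above, as an added Python simulation (not JPEG'd's or Curve's code): a two-coin pool whose LP token is priced as pool value divided by LP supply, a constant-sum simplification of the real pool invariant. The pool balances, the attacker's starting funds and the amounts are constructed. The `lock` and `cei` modes are two generic fixes, a nonreentrant guard and burning LP before the external call, not the patch the projects actually shipped.

```python
"""Model of the remove_liquidity -> add_liquidity reentrancy.

Constructed simulation, not JPEG'd or Curve code.  Coin 0 is ETH, coin 1 is
pETH; LP tokens are priced as (sum of balances) / lp_supply, a constant-sum
simplification of the real pool invariant.
"""
from copy import deepcopy
from fractions import Fraction as F


class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is rolled back."""


class Account:
    def __init__(self, eth, peth):
        self.holdings = [F(eth), F(peth)]

    def receive(self, pool, amounts):
        """Called when the pool pays out; on-chain this is the ETH-transfer callback."""
        for i, a in enumerate(amounts):
            self.holdings[i] += a

    def deposit(self, pool, amounts):
        for i, a in enumerate(amounts):
            self.holdings[i] -= a
        return pool.add_liquidity(self, amounts)


class Attacker(Account):
    def __init__(self, eth, peth):
        super().__init__(eth, peth)
        self.reentered = False

    def receive(self, pool, amounts):
        super().receive(pool, amounts)
        if not self.reentered:
            self.reentered = True
            # Re-enter while remove_liquidity is still running: coin balances are
            # already reduced but the LP supply is not yet burned, so add_liquidity
            # mints LP tokens at a stale, too-low price.
            self.deposit(pool, amounts)


class Pool:
    """mode: 'vulnerable' (external call before LP burn, no guard),
    'lock' (nonreentrant guard on both functions), or
    'cei' (checks-effects-interactions: burn LP before the external call)."""

    def __init__(self, balances, lp_supply, mode="vulnerable"):
        self.balances = [F(b) for b in balances]
        self.lp_supply = F(lp_supply)
        self.lp = {}  # holder -> LP balance
        self.mode = mode
        self.locked = False

    def _enter(self):
        if self.mode == "lock" and self.locked:
            raise Revert("reentrant call")
        self.locked = True

    def add_liquidity(self, sender, amounts):
        self._enter()
        minted = sum(amounts) * self.lp_supply / sum(self.balances)
        for i, a in enumerate(amounts):
            self.balances[i] += a
        self.lp_supply += minted
        self.lp[sender] = self.lp.get(sender, F(0)) + minted
        self.locked = False
        return minted

    def _burn(self, sender, lp_amount):
        self.lp[sender] -= lp_amount
        self.lp_supply -= lp_amount

    def remove_liquidity(self, sender, lp_amount):
        self._enter()
        if self.lp.get(sender, F(0)) < lp_amount:
            raise Revert("insufficient LP")
        amounts = [b * lp_amount / self.lp_supply for b in self.balances]
        for i, a in enumerate(amounts):
            self.balances[i] -= a
        if self.mode == "cei":
            self._burn(sender, lp_amount)  # effects before the interaction
        sender.receive(self, amounts)       # external call: the re-entry point
        if self.mode != "cei":
            self._burn(sender, lp_amount)  # too late: supply was stale during the call
        self.locked = False
        return amounts


def run_attack(mode):
    """Attacker deposits 100/100, withdraws with a reentrant re-deposit, then
    cashes out.  Returns the attacker's net gain in coins (ETH + pETH)."""
    pool = Pool([1000, 1000], 2000, mode)
    honest = Account(0, 0)
    pool.lp[honest] = F(2000)  # existing LP, the party that loses in the exploit
    attacker = Attacker(100, 100)
    start = sum(attacker.holdings)
    snapshot = deepcopy((pool, attacker))
    try:
        attacker.deposit(pool, [F(100), F(100)])
        pool.remove_liquidity(attacker, pool.lp[attacker])  # re-enters here
        pool.remove_liquidity(attacker, pool.lp[attacker])  # cash out at the true price
    except Revert:
        pool, attacker = snapshot  # reverted: nothing changed
    return sum(attacker.holdings) - start


if __name__ == "__main__":
    for mode in ("vulnerable", "lock", "cei"):
        print(f"{mode:10s} attacker gain = {float(run_attack(mode)):.4f}")
```

In the vulnerable mode the attacker ends the cycle with 2000/111 (about 18) more coins than they started with, taken from the honest LP; with either fix the gain is zero, because the guard reverts the whole transaction or the burn happens before control leaves the contract.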
Description of the event: An attacker compromised the Twitter accounts of the popular NFT project Gutter Cat Gang and its co-founders and used them to post links to phishing sites advertising an airdrop of new NFTs. Instead of receiving the promised tokens, those who approved the malicious contract had their wallets emptied. One victim lost 36 NFTs, including a Bored Ape NFT they had bought for about $130,000. In total, the attackers stole between $750,000 and $900,000 worth of NFTs, depending on how the resale value is estimated. The next day, Gutter Cat Gang announced that it had regained control of the Twitter account and deleted the malicious tweets. It said it was cooperating with law enforcement investigating the theft but, to the dismay of some victims, did not describe any plans to compensate those whose assets were lost.
Amount of loss: $ 800,000 Attack method: Twitter was hacked
Description of the event: After spending nearly $40 million on a new set of Azuki NFTs, the Elementals collection, the Azuki community was outraged that the creators had "diluted" the original Azuki collection with a near-replica. To counter what they called a "blatant scam," holders who claim to have collectively spent millions of dollars on the Azuki project formed AzukiDAO. The DAO created a governance token, $BEAN, distributed to Azuki NFT owners, and began voting to hire lawyers to sue the creators of Azuki and demand the return of the 20,000 ETH (approximately $38 million) spent in total on the Elementals NFTs. However, the governance token contract was exploited shortly after the DAO was created: two exploiters stole approximately 35 ETH (approximately $69,000) by replaying claim signatures, because the contract's signatureClaimed variable was not checked properly. The DAO suspended the contract to prevent further theft.
Amount of loss: $ 69,000 Attack method: Replay Attack
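The signature-replay pattern described above, as an added Python model (not the AzukiDAO $BEAN contract): a claim function that verifies a signer's authorization over (recipient, amount, nonce), with the signature-used check either present or missing. The signer's ECDSA key and ecrecover are stood in for by an HMAC-SHA256 key, an assumption made so the example runs on the standard library; the contract identifier, key, recipient and amounts are constructed.

```python
"""Signed-claim contract model with and without a signature-used check.

Constructed example, not the AzukiDAO $BEAN contract.  The signer's ECDSA key
and ecrecover are stood in for by an HMAC-SHA256 key (assumption, so the
example runs on the standard library); the claim bookkeeping is the point.
"""
import hashlib
import hmac


class Revert(Exception):
    pass


def claim_digest(contract_id, recipient, amount, nonce):
    """Bind a claim to one contract and one (recipient, amount, nonce) tuple,
    the role EIP-712's domain separator and struct hash play on-chain."""
    msg = f"{contract_id}|{recipient}|{amount}|{nonce}".encode()
    return hashlib.sha256(msg).digest()


def sign(signer_key, digest):
    """Off-chain signer (stand-in for the project's ECDSA signing key)."""
    return hmac.new(signer_key, digest, hashlib.sha256).digest()


class ClaimContract:
    def __init__(self, signer_key, treasury, check_claimed):
        self.contract_id = "bean-claim-v1"   # hypothetical domain identifier
        self.signer_key = signer_key
        self.treasury = treasury             # tokens left to distribute
        self.balances = {}
        self.signature_claimed = {}          # digest -> True once paid
        self.check_claimed = check_claimed   # False reproduces the missing check

    def claim(self, recipient, amount, nonce, signature):
        digest = claim_digest(self.contract_id, recipient, amount, nonce)
        if not hmac.compare_digest(sign(self.signer_key, digest), signature):
            raise Revert("invalid signature")
        # The vulnerable variant writes signature_claimed but never reads it,
        # so a signature that was valid once stays valid forever.
        if self.check_claimed and self.signature_claimed.get(digest):
            raise Revert("signature already claimed")
        self.signature_claimed[digest] = True
        if amount > self.treasury:
            raise Revert("treasury exhausted")
        self.treasury -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def replay(check_claimed, attempts=5):
    """One legitimate claim for 10 tokens, then the same signature resubmitted.
    Returns (recipient balance, treasury left)."""
    key = b"constructed-signer-key"
    contract = ClaimContract(key, treasury=100, check_claimed=check_claimed)
    recipient, amount, nonce = "0xattacker", 10, 1   # constructed claim
    signature = sign(key, claim_digest(contract.contract_id, recipient, amount, nonce))
    for _ in range(attempts):
        try:
            contract.claim(recipient, amount, nonce, signature)
        except Revert:
            break
    return contract.balances.get(recipient, 0), contract.treasury


if __name__ == "__main__":
    print("vulnerable:", replay(check_claimed=False))   # (50, 50)
    print("fixed:     ", replay(check_claimed=True))    # (10, 90)
```

Tampering with the amount fails the signature check in both variants; what the missing read of `signature_claimed` permits is resubmitting an unmodified, genuinely authorized claim until the treasury is drained. On-chain the digest should also cover the contract address and chain id, otherwise a signature for one deployment can be replayed against another.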
Description of the event: NFT Trader, a P2P digital asset trading protocol, said on Twitter that its website had been attacked and asked users to monitor their accounts and beware of phishing. The NFT Trader website will remain closed until further notice; the team is still investigating and has taken the platform offline to avoid further issues. NFT Trader stated that this is not a problem with the protocol itself: someone outside the team is suspected of having injected malicious code into the front end. The team will continue to investigate.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Astaria, the NFT lending platform, tweeted: "At 12:42 BST on June 20, Astaria became aware of an issue with the basic execution of BeaconProxy.sol that allowed an attacker to manipulate the beacon to load a malicious execution that would allow the attacker to invoke the self-destruct feature. All funds and NFTs are secure and no action is required at this point; Astaria is in a suspended state and cannot initiate new loans. The suspended state is to protect all assets in the protocol, and we can confirm that no funds are missing. Astaria has just successfully executed a white hat recovery script that saved all ERC20 and ERC721 assets of all LPs and borrowers. Astaria has been in public beta since May 25. The recovery script extracted all funds and NFTs to Astaria multi-signature addresses using the updated contract implementation and recovery code. We are drafting a plan for the next steps and will follow up as soon as possible."
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A hack related to $APE (ApeCoin) and APE staking; the attacker's gain currently exceeds $630K. The victims are all smart contracts created by 0x8f7370D5d461559f24b83ba675b4C7e2Fdb514cC, which appears to belong to Pawnfi.
Amount of loss: $ 630,000 Attack method: Unknown
Description of the event: Alexpf.eth, co-founder and CEO of NFT exchange EZswap, tweeted: "OpenSea is suspected of having a royalty loophole. Recently, OpenSea seems to have changed the owner's identification standard, which means that NFT projects cannot set or change royalties. This error is very serious. Seriously, it's been around for 2 days."
Amount of loss: - Attack method: Royalty Vulnerability
Description of the event: The crypto art platform Art Coin deployed a liquidity pool (LP) on Uniswap V3 on May 7. A user discovered a flaw in the pre-sale process for Art Coin's ART token and immediately sold the ART he had bought at 0.01 ETH during the pre-sale into the Uniswap V3 pool, taking 181 ETH (worth about $331,000) out of the liquidity. Some questioned the legitimacy of the user's actions, calling it a rug pull. The Art Coin founder later released a statement saying the bug was due to miscommunication: "Two developers were going to help us understand LP and set it up. Due to miscommunication, we set up the LP before distributing tokens. Therefore, when we sent out the first batch of tokens, the bots went at it like crazy."
Amount of loss: $ 331,000 Attack method: LP Vulnerability
Description of the event: Wayne, the co-founder of the NFT game Tales of Elleria, tweeted early this morning: "The bridge contract of Tales of Elleria was exploited, causing its LP to be depleted and losing more than $280,000. The attacker seems to have generated his own signature and extracted a large amount of ELM tokens, draining the LP. The current findings suspect that the hacker exploited the ecrecover function and was able to generate authorized signatures without our private key."
Amount of loss: $ 280,000 Attack method: Contract Vulnerability
Description of the event: According to reports, the NFT collection "Archive of PEACEMINUSONE" released by Korean singer Kwon Ji-yong (G-Dragon) is affected by the previously disclosed generic vulnerability CVE-2022-38217, and the possibility of it being exploited by attackers cannot be ruled out.
Amount of loss: - Attack method: CVE-2022-38217 generic vulnerability
Description of the event: ParaSpace was suspected to have been attacked: 2,900 WETH appeared to have been transferred out, and many users reported inconsistent data for loan counts, health factors and cAPE amounts. A security firm tweeted that it had stopped the attack on ParaSpace, saving 2,900 ETH of assets. ParaSpace tweeted that all user funds and assets on ParaSpace are currently safe, no NFTs were lost, and the protocol's financial loss was minimal, between 50 and 150 ETH, due to slippage from the attacker's token swaps during the attack.
Amount of loss: 150 ETH Attack method: Contract Vulnerability
Description of the event: When PeopleDAO's community treasury multi-signature wallet on the digital asset management platform Safe (formerly Gnosis Safe) distributed monthly contributor rewards on March 6, 76 ETH (approximately $120,000) was stolen through a social engineering attack. The incident has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through a Google Form. The person in charge of accounting mistakenly shared a link with edit permissions in a public Discord channel; the attacker used it to insert payments to their own address into the sheet and set those rows to hidden. Because of this concealment, the team leader did not notice the rows during review. The CSV file exported with the inserted data was then submitted to Safe's CSV Airdrop tool for reward distribution. With the assistance of SlowMist and ZachXBT, the team found that the stolen funds had been deposited at two exchanges, HitBTC and Binance, and contacted both.
Amount of loss: 76 ETH Attack method: Permission Stolen
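The review step that failed above, as an added example (not PeopleDAO's or Safe's code): reconcile the exported CSV against the DAO's own contributor roster before the multisig signers approve it, so a receiver that was never collected through the form is caught regardless of whether its row was hidden in the sheet. The header row follows the Safe CSV Airdrop format as I recall it; treat that as an assumption and match it to the version you use (only the receiver and amount columns are read). The roster, the cap and the CSV rows are constructed, with 0x9999... as the inserted row.

```python
"""Reconcile a CSV Airdrop payout file against the DAO's contributor roster
before the multisig signs it.

Added example, not PeopleDAO's or Safe's code.  The header row follows the
Safe CSV Airdrop app's format as the author recalls it (assumption: check it
against the version you use; only the receiver and amount columns are read).
The roster, cap and CSV rows are constructed; 0x9999... is the inserted row.
"""
import csv
import io
import re
from decimal import Decimal, InvalidOperation

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed roster: the addresses the DAO itself collected from contributors.
ROSTER = {
    "0x1111111111111111111111111111111111111111": "alice",
    "0x2222222222222222222222222222222222222222": "bob",
    "0x3333333333333333333333333333333333333333": "carol",
}

# Constructed payout file.  Line 4 is the row an attacker slipped into the
# shared sheet; line 5 re-pays alice, the kind of duplicate a hidden row produces.
SAMPLE_CSV = """token_type,token_address,receiver,amount,id
native,,0x1111111111111111111111111111111111111111,20,
native,,0x2222222222222222222222222222222222222222,18.5,
native,,0x9999999999999999999999999999999999999999,30,
native,,0x1111111111111111111111111111111111111111,20,
native,,0x3333333333333333333333333333333333333333,12,
"""


def reconcile(csv_text, roster, max_amount):
    """Return a report; submit the file only when report['ok'] is True.
    Problems are (csv line number, reason, offending value)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    problems, seen, total = [], {}, Decimal(0)
    for line, row in enumerate(rows, start=2):  # line 1 is the header
        receiver = (row.get("receiver") or "").strip()
        if not ADDR_RE.match(receiver):
            problems.append((line, "malformed receiver", receiver))
            continue
        receiver = receiver.lower()  # compare case-insensitively
        try:
            amount = Decimal((row.get("amount") or "").strip())
        except InvalidOperation:
            problems.append((line, "malformed amount", row.get("amount")))
            continue
        if receiver not in roster:
            problems.append((line, "receiver not on contributor roster", receiver))
        if amount > max_amount:
            problems.append((line, "amount above per-contributor cap", str(amount)))
        if receiver in seen:
            problems.append((line, f"duplicate of line {seen[receiver]}", receiver))
        seen.setdefault(receiver, line)
        total += amount
    return {"ok": not problems, "rows": len(rows), "total": total, "problems": problems}


if __name__ == "__main__":
    report = reconcile(SAMPLE_CSV, ROSTER, Decimal("25"))
    print("ok:", report["ok"], "rows:", report["rows"], "total:", report["total"])
    for line, reason, value in report["problems"]:
        print(f"  line {line}: {reason}: {value}")
```

The check deliberately reads the roster from a source the attacker could not edit (the DAO's own records, not the shared sheet), and treats a duplicate receiver and an over-cap amount as blocking problems too: a hidden row that pays a legitimate contributor twice, or pays the attacker under a contributor's name, is just as much a red flag as an unknown address.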
Description of the event: According to its official blog, The Sandbox issued a security incident notice on February 26: an unauthorized third party gained access to a team employee's computer and used that employee's permissions to send a fraudulent email claiming to be from The Sandbox. Titled "The Sandbox Game (PURELAND) Access," the email contained hyperlinks to malware that could be installed remotely on a recipient's computer, giving the attacker control of the computer and access to the user's personal information. The Sandbox said that after the unauthorized access was discovered, the recipients were notified, the employee's account and access to The Sandbox were disabled, and no further impact has been identified.
Amount of loss: - Attack method: Phishing Attack