65 hack event(s)
Description of the event: The ownlyio project's NFTStaking contract was attacked, with a total of 115 BNB stolen and a loss of about $36,418. The reason for this attack is that the unstake function of the pledge contract of the ownio project does not check the user's claim status, so the attacker can use the unstake function to receive the own tokens in the contract infinitely, thereby extracting all the own tokens in the pledge contract, and finally the attacker The acquired owned tokens are exchanged for 115 BNB through the pair transaction.
Amount of loss: 115 BNB Attack method: unstake function vulnerability
Description of the event: The Fury of the Fur NFT project was a collection of 3D models that sort of resembled bears. However, the NFT rollout has not been smooth - out of a total supply of 9,671 NFTs, less than 2,800 NFTs have been minted. The project attempted to relaunch but failed to generate more interest, so the creators decided to pull it out — while preserving funding, of course. The project founders have left a long message to the community that they will close the project.
Amount of loss: $ 300,000 Attack method: Scam
Description of the event: Day of Defeat has rug pull, value has suddenly dropped by over 96%, and over $1.35 million in assets has been moved from BSC-based projects to external wallets. After the funds ran out, the project claimed they had been hacked by outside actors and had “reported to Binance and local authorities.”
Amount of loss: $ 1,350,000 Attack method: Scam
Description of the event: Sentinel founder Serpent tweeted that OpenSea's official Discord was attacked. Hackers used bot accounts to post fake links in the channel, and said that "OpenSea has reached a cooperation with YouTube. Click the link to participate in the mint pass NFT limited to 100 pieces." Users should be aware of the risks and do not click on links provided by hackers.
Amount of loss: - Attack method: Discord server hacked
Description of the event: Solana-based NFT team at Metaplex, a web application and deployment platform, discontinued the program section today, Solana shows the program deployment of its program section, when further stabilized, the Solana team will be used to deploy a bot to use it for Deploy a bot. When attempting to complete a test transaction, 0.01 SOL will be charged for labor. The collected penalty funds will be provided to the configuration account of the Candy Machine instance.
Amount of loss: - Attack method: Program crawler
Description of the event: The official Instagram of the NFT project Bored Ape Yacht Club (BAYC) was hacked, and the attackers have stolen 91 NFTs including 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, etc.
Amount of loss: - Attack method: Official Instagram Hacked
Description of the event: The Akutars (@AkuDreams) project auction contract was permanently unable to withdraw 11,539.5 ETH due to multiple code flaws. According to SlowMist analysis, even if the problem of users' inability to refund is solved, due to the inconsistency between the number of bidders and the number of auctions and the defects of the project party's withdrawal function, Akutars funds will eventually be permanently locked.
Amount of loss: 11,539.5 ETH Attack method: Code bug
Description of the event: The Discord of NFT project Ugly People has been hacked, and attackers are spreading fake mint links.
Amount of loss: - Attack method: Discord server hacked
Description of the event: According to official sources, a large amount of FACE tokens were dumped on-chain, and the investigation turned out that one of the FACE tokens held by the team was transferred and sold by an unauthorized account.
Amount of loss: - Attack method: Phishing attack
Description of the event: The developer of Klaytn-based NFT project Metaconz tweeted that a malicious bot was installed on the administrator account of Metaconz’s Discord overseas team on Saturday, causing 79 users to lose 11.9 ETH (about $36,000), the team said. It promised to compensate all losses, and 53 users have so far been compensated. In addition, the developer reminded that if the user executes the setApprovalForAll function in Etherscan, please transfer the wallet unconditionally. Therefore, in this attack, the hacker used this function to deprive the victim of the wallet permission.
Amount of loss: 11.9 ETH Attack method: Discord server hacked
Description of the event: According to the official news of each project, the Discord of NFT projects whose servers are currently under attack include BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz. In addition, the source code of the verification robot Captcha has been leaked, and the private message tool Ticket tool has been attacked.
Amount of loss: - Attack method: Discord server hacked
Description of the event: According to reports, someone pretended to be a Cryptovoxels official to conduct a phishing attack, induced users to authorize, stole multiple NFTs (including Cryptovoxels Parcel Token, Art Blocks: BLOCKS Token, Mutant Ape Yacht Club: MAYC Token, etc.), and then sold them on opensea. It is reported that anonymous attackers used a vulnerability in the Discord bot to manage to direct community users to phishing sites on the official Cryptovoxels Discord channel. The attacker's address is: 0x794ca38bc1e15e528a7991ce25707a25ad71b675.
Amount of loss: - Attack method: Phishing attack
Description of the event: Maison Ghost Discord was hacked, and about 265 NFTs were transferred to hacker wallets, including Sandbox and 3landers NFTs.
Amount of loss: - Attack method: Discord server hacked
Description of the event: NFT project MekaVerse tweeted that the official Discord was hacked. In addition, according to other users in the community, the wallets of hundreds of thousands of bots are suspected to have been stolen, and it seems that no humans have been affected.
Amount of loss: - Attack method: Discord server hacked
Description of the event: The NFT project VEVE officially tweeted that the system was exploited, resulting in a large number of gems being illegally obtained.
Amount of loss: - Attack method: Unknown
Description of the event: The NFT project REALSWAK has a Rug Pull, and its official social account (@REALSWAK) has been cancelled. Scammers have transferred 1,300 BNB to the TornadoCash mixer.
Amount of loss: 1330 BNB Attack method: Scam
Description of the event: According to a report by Twitter user Will Sheehan, the arbitrage bot took out more than 6w APE Coins (worth $8 each) through flash loans. After analysis, it was found that this was related to a loophole in the airdrop mechanism of APE Coin. Specifically, whether APE Coin can be airdropped depends on whether a user holds the instantaneous state of BYAC NFT, and this instantaneous state attacker can manipulate by borrowing a flash loan and then redeeming to obtain BYAC NFT. The attacker first borrows BYAC Token through flash loan, and then redeems to obtain BYAC NFT. Then use these NFTs to claim the airdropped APE, and finally use the BYAC NFT mint to obtain BYAC Token to return the flash loan.
Amount of loss: $ 500,000 Attack method: Airdrop Mechanism Vulnerability
Description of the event: Several NFT players posted on social media that a project called "NFTflow" had a Rug Pull, ran away without completing the pre-sale, and transferred the 92 ETHs from the sale to the Tornado mixer. According to the official website, NFTflow calls itself "a platform for creating liquid markets for illiquid NFTs on StarkNet".
Amount of loss: 92 ETH Attack method: Scam
Description of the event: The pledge contract (0x6912B19401913F1bd5020b3f59EE986c5792DA54) of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back. The attackers put these tokens on the market and made a profit of about 212 BNB.
Amount of loss: 212 BNB Attack method: Private key leak
Description of the event: The Arbitrum-based TreasureDAO NFT trading market was exposed and discovered a vulnerability. According to SlowMist analysis, the core of this vulnerability lies in the lack of judgment that the incoming _quantity parameter is not 0 before the ERC-721 standard NFT transfer, resulting in ERC -721 Standard NFT can be transferred directly and the cost of purchasing NFT is calculated as 0 when calculating the price. Hours after it was stolen, developers confirmed that hackers had begun returning stolen “Smol Brains” and other NFTs.
Amount of loss: - Attack method: Parameter validity check is not performed