124 hack event(s)
Description of the event: On June 27th, Entangle Protocol's Discord was hacked.
Amount of loss: - Attack method: Account Compromise
Description of the event: Astaria, the NFT lending platform, tweeted: "At 12:42 BST on June 20, Astaria became aware of an issue with the basic execution of BeaconProxy.sol that allowed an attacker to manipulate the beacon to load a malicious execution that would allow the attacker to invoke the self-destruct feature. All funds and NFTs are secure and no action is required at this point, Astaria is in a suspended state and cannot initiate new loans. The suspended state is to protect all assets in the protocol and we can confirm that no funds are missing. Just now Astaria successfully executed a white hat recovery script that saved all ERC20 and ERC721 assets of all LPs and borrowers. Astaria has been in public beta since May 25. The recovery script extracted all funds and NFTs to Astaria multi-signature addresses using the updated contract implementation and recovery code. We are drafting a plan for the next steps and will follow up as soon as possible."
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Alexpf.eth, co-founder and CEO of NFT exchange EZswap, tweeted: "OpenSea is suspected of having a royalty loophole. Recently, OpenSea seems to have changed the owner's identification standard, which means that NFT projects cannot set or change royalties. This error is very serious. Seriously, it's been around for 2 days."
Amount of loss: - Attack method: Royalty Vulnerability
Description of the event: The encrypted art platform Art Coin deployed a liquidity pool (LP pool) on Uniswap V3 on May 7. After a user discovered a loophole in the Uniswap V3 pre-sale process for Art Coin's ART token, he immediately sold the ART he had bought at 0.01 ETH during the pre-sale period and obtained 181 ETH from the liquidity pool, worth about 331,000 US dollars. Some have questioned the legitimacy of the user's actions, saying the user performed a Rug Pull. The Art Coin founder has since released a statement saying the bug was due to miscommunication: "Two developers will help us understand LP and set it up. Due to miscommunication, we set up LP before distributing tokens. Therefore, when we sent out the first batch of tokens, the bots ran out of it like crazy."
Amount of loss: $ 331,000 Attack method: LP Vulnerability
Description of the event: Wayne, the co-founder of the NFT game Tales of Elleria, tweeted early this morning: "The bridge contract of Tales of Elleria was exploited, causing its LP to be depleted and losing more than $280,000. The attacker seems to have generated his own signature, and extracted a large amount of ELM tokens, draining the LP. The current findings suspect that the hacker exploited the ecrecover function and was able to generate authorized signatures without our private key."
Amount of loss: $ 280,000 Attack method: Contract Vulnerability
Description of the event: According to a Telegram announcement, the DAO Maker project Degen Zoo is suspected to have been hacked on Binance Oracle. At present, the project team has suspended the game and launched an investigation. No loopholes have been found yet, and better animals cannot be hatched through smart contract errors.
Amount of loss: - Attack method: Unknown
Description of the event: According to news, the NFT series "Archive of PEACEMINUSONE" released by Korean singer Quan Zhilong has the previously disclosed CVE-2022-38217 general vulnerability, and the possibility of being used by hackers cannot be ruled out.
Amount of loss: - Attack method: CVE-2022-38217 general vulnerability
Description of the event: ParaSpace is suspected to have been attacked and it appears that 2,900 WETH were transferred out, with many claiming inconsistent data on the number of loans, health factors and cAPE amounts. However, a security firm tweeted that it had stopped the attack on ParaSpace, saving 2,900 ETH of assets. ParaSpace tweeted that all user funds and assets on ParaSpace are currently safe, no NFTs were lost, and the financial loss of the protocol was minimal, between 50-150 ETH, due to the slippage caused by the hackers' token exchange during the attack.
Amount of loss: 150 ETH Attack method: Contract Vulnerability
Description of the event: When PeopleDAO's community treasury multi-signature wallet on the digital asset management platform Safe (formerly Gnosis Safe) distributed monthly contributor rewards on March 6, 76 ETH (approximately $120,000) were stolen by hackers through a social engineering attack. This event has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through Google Form. The person in charge of accounting mistakenly shared a link with editing permissions in the public Discord channel. The attacker inserted payments to their own address and set them to be invisible. Due to the malicious concealment, the team leader did not notice them during the review. After the CSV file with the inserted data was downloaded, it was submitted to Safe's CSV Airdrop tool for reward distribution. With the assistance of SlowMist and ZachXBT, the team found that the stolen funds had been deposited in two exchanges, HitBTC and Binance, and contacted the two exchanges.
Amount of loss: 76 ETH Attack method: Permission Stolen
Description of the event: According to the official blog, The Sandbox issued a security incident notice on February 26 stating that an unauthorized third party gained access to the computer of an employee of the team and used its permissions to send a false email claiming to be from The Sandbox. Titled "The Sandbox Game (PURELAND) Access," the email contained hyperlinks to malware that could be installed remotely on a user's computer, granting it control of the computer and access to the user's personal information. The Sandbox said that after the unauthorized access was discovered, the recipients were notified and the employee's account and access to The Sandbox were disabled, and no further impact has been identified.
Amount of loss: - Attack method: Phishing Attack
Description of the event: According to official news, the NFT project Azuki confirmed that its Twitter account was hacked, and the team has regained control of the account. Hackers posted two tweets on Azuki's Twitter account, prompting users to claim the virtual land, one of which was pinned to the top. Azuki officials remind users to be alert to this scam and not to click on any links.
Amount of loss: 618 ETH Attack method: Twitter was hacked
Description of the event: The official Twitter account of the NFT project Chimpers was hacked and hijacked, and multiple links to fake websites were published to lure users into minting NFTs through the links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official Twitter account of the NFT project CyberKongz was attacked by hackers, who replaced the homepage links and other content with phishing links and released false mint information. At present, the account has been renamed and is under freezing protection.
Amount of loss: $ 50,000 Attack method: Twitter was hacked
Description of the event: Aurelien Michel, developer of MAYC's Mutant Ape Planet NFT series, has pleaded guilty after being arrested on charges of defrauding $2.9 million. Aurelien Michel and the other defendants marketed the Mutant Ape Planet NFT to potential buyers with promises including "rewards, sweepstakes, exclusive access to other crypto assets, and community-controlled wallets to fund the marketing of the NFT collection." The project developer also implicitly promised that NFT holders could obtain "metaverse land". However, none of Michel's promises were kept. When all the NFTs were sold, Michel and the other defendants allegedly transferred the proceeds of $2.9 million to other wallets, including wallets under Michel's control.
Amount of loss: $ 2,900,000 Attack method: Scam
Description of the event: For several weeks last year, Webaverse was targeted by a skilled scam gang posing as investors, Webaverse reported. The Webaverse team and the crooks met in Rome at the end of November 2022, and approximately $4 million was stolen. They reported the theft to the local Rome police station the same day, and then to the FBI a few days later on Form IC3.
Amount of loss: $ 4,000,050 Attack method: Scam
Description of the event: Browser security plug-in Pocket Universe tweeted that a new vulnerability was discovered in OpenSea's old contracts that could be used to steal users' NFTs, potentially emptying wallets once the transaction was signed. It can steal any NFTs that users listed on OpenSea before May 2022 (i.e. before the Seaport upgrade). It mainly involves the Wyvern protocol, which grants proxy contracts the right to withdraw user NFTs; this new exploit tricks the user into signing a transaction that gives the attacker ownership of the user's proxy contract. Cosine, the founder of SlowMist, tweeted that it is necessary to be vigilant about this new use of an old problem: it is related to the old OpenSea protocol, and many users of the old protocol have not cancelled the relevant authorization, while this use is invalid for the new OpenSea protocol (Seaport).
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: NFT platform Blur tweeted that it noticed a phishing account with the ID @Blur_DAO and reminded users not to click on fake links. The fake account tweeted that the BLUR token query was now open, and posted a phishing URL.
Amount of loss: - Attack method: Phishing attack
Description of the event: The Discord server of NFT project Vivity was attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official wallet of NFT platform LiveArtX was stolen, and several reserved NFTs were sold. According to MistTrack analysis, the LiveArtX attacker (0x5f78...A920) has transferred 7.3 ETH and 22.39 WETH to Bitkeep, then exchanged it for USDT and transferred it to a new address (0x871e...A575).
Amount of loss: $ 39,000 Attack method: Private Key Leakage
Description of the event: The Web3 social platform Sex DAO is suspected of a Rug Pull. The original white paper has been deleted. Over 220,000 USDT and 4.17 billion SED (SEXDAO Token) have been transferred on the chain. Currently, the Sex DAO official website and official Twitter account are inaccessible.
Amount of loss: 220,000 USDT Attack method: Rug Pull