118 hack event(s)
Description of the event: Quixotic, the largest NFT platform in the Optimism ecosystem, has a serious vulnerability, and a large number of user assets have been stolen. Users who have traded on this market should revoke their authorization as soon as possible. According to SlowMist analysis, the fillSellOrder function of the market contract checks only the sell order and does not check the buyer's buy order. The attacker therefore first creates an arbitrary NFT contract, then calls the fillSellOrder function to generate a sell order, passing the victim's address as the buyer parameter and the address of the token to be stolen as the paymentERC20 parameter. The tokens of any user who has granted authorization to the market contract can then be transferred out for profit.
Amount of loss: 220,000 OP Attack method: Contract Vulnerability
Description of the event: Metaverse project Quint was hacked and lost $130,000. The root cause of the attack is that when the reStake function re-stakes the reward, the reward amount of the LP token is not updated, so the attacker can claim the already issued reward multiple times.
Amount of loss: $ 130,000 Attack method: Contract Vulnerability
Description of the event: The NFT liquidity solver XCarnival was attacked. The hacker made a profit of 3,087 ETH (about 3.8 million US dollars) and returned 1,467 ETH after negotiation. The core of this vulnerability is that, when borrowing, there is no check on whether the NFT in the order has already been withdrawn.
Amount of loss: 1,620 ETH Attack method: Contract Vulnerability
Description of the event: Clothing brand LACOSTE's Discord was hacked, and scammers posted phishing links on the announcement channel. Recently, the Discords of several projects have been attacked, including Clyde, Good Skellas, Duppies, Oak Paradise, Tasties, Yuko Clan, Mono Apes, ApeX Club, Anata, GREED, CITADEL, DegenIslands, Sphynx Underground Society, FUD Bois, and Uncanny Club.
Amount of loss: - Attack method: Discord was hacked
Description of the event: KnownOrigin officially tweeted that its Discord had been attacked, and reminded users not to click on any links. Other servers hacked in recent days include those of Curiosity, Meta Hunters, Parallel, Goat Society, RFTP and Gooniez.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Discord servers for Yuga Labs projects Bored Ape Yacht Club (BAYC) and Otherside appear to have been affected by phishing attacks. The attackers allegedly stole more than 145 ETH ($256,000) worth of tokens. It appears that the community administrator's account was compromised, which gave attackers access to the administrator account on the server. They then posted a link to a phishing site that encouraged users to link their wallets to access "exclusive giveaways." Subsequently, the NFT project BAYC stated on its official Twitter that its Discord server was briefly attacked today and that the team quickly resolved the problem, but some NFTs were still affected.
Amount of loss: 145 ETH Attack method: Discord was hacked
Description of the event: The Discord of Homeless Friends NFT was attacked; homelessfriends[.]net is a phishing website.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The work of Animoon, with its 9,999 NFTs, is taken from Pokémon. The team claims to have signed a non-disclosure agreement (NDA) with Pokémon partner TopDeck. But with no evidence of an actual P2E game being developed, the Animoon team disappeared, deleting their Twitter account and website.
Amount of loss: $ 6,300,000 Attack method: Rug Pull
Description of the event: A Rug Pull occurred in the NFT metaverse game project Pokemoney on BNB Chain. Its token PMY has dropped by 99.98%, and about 11,800 BNB (about 3.5 million US dollars) have been withdrawn and transferred.
Amount of loss: $ 3,500,000 Attack method: Rug Pull
Description of the event: The project behind the Llamaverse, the Llamascape NFT series, was hacked. Hackers targeted their Discord server and scammers took around 30-40 ETH.
Amount of loss: 30-40 ETH Attack method: Discord was hacked
Description of the event: Axie Infinity says the MEE6 bot on its main server was hacked. Hackers used the MEE6 bot to add permissions to a fake Jiho account in order to post fake announcements about a mint. MEE6 is a Discord bot that allows admins to automatically assign and remove roles and send messages. The fake announcement has now been removed.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The Discord for NFT series Lazy Lions was hacked. Notably, this attack appears to have infiltrated many other large NFT projects throughout the day, seemingly due to MEE6 staff being able to use MEE6 remotely to give themselves roles in any server.
Amount of loss: - Attack method: Discord was hacked
Description of the event: NFT project Alien Frens tweeted that its Discord had been attacked. Users are asked not to click on any mint links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: There was an abnormality on the Tianqiong Digital Collection platform. The price of its collections on the secondary market skyrocketed thousands of times, and collections with a price of nearly 10 million yuan were sold in seconds. The Tianqiongshuzang announcement stated that the platform was maliciously attacked by hackers, who used false balances to purchase and steal player collections.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: The ownlyio project's NFTStaking contract was attacked, with a total of 115 BNB stolen and a loss of about $36,418. The reason for this attack is that the unstake function of the ownlyio project's staking (pledge) contract does not check the user's claim status, so the attacker can call the unstake function repeatedly to receive OWN tokens from the contract without limit, thereby extracting all the OWN tokens in the staking contract. Finally, the attacker exchanged the acquired OWN tokens for 115 BNB through the trading pair.
Amount of loss: 115 BNB Attack method: Contract Vulnerability
Description of the event: The Fury of the Fur NFT project was a collection of 3D models that sort of resembled bears. However, the NFT rollout has not been smooth: out of a total supply of 9,671 NFTs, fewer than 2,800 NFTs have been minted. The project attempted to relaunch but failed to generate more interest, so the creators decided to pull out, while keeping the funds, of course. The project founders have left a long message to the community saying that they will close the project.
Amount of loss: $ 300,000 Attack method: Rug Pull
Description of the event: A rug pull occurred at Day of Defeat: its value suddenly dropped by over 96%, and over $1.35 million in assets was moved from the BSC-based project to external wallets. After the funds ran out, the project claimed they had been hacked by outside actors and had “reported to Binance and local authorities.”
Amount of loss: $ 1,350,000 Attack method: Rug Pull
Description of the event: Sentinel founder Serpent tweeted that OpenSea's official Discord was attacked. Hackers used bot accounts to post fake links in the channel, claiming that "OpenSea has reached a cooperation with YouTube. Click the link to participate in the mint pass NFT limited to 100 pieces." Users should be aware of the risks and should not click on links provided by hackers.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official Instagram of the NFT project Bored Ape Yacht Club (BAYC) was hacked, and the attackers have stolen 91 NFTs including 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, etc.
Amount of loss: - Attack method: Instagram was hacked
Description of the event: The auction contract of the Akutars (@AkuDreams) project is permanently unable to pay out 11,539.5 ETH due to multiple code flaws. According to SlowMist analysis, even if the problem preventing users from getting refunds were solved, the inconsistency between the number of bidders and the number of auctions, together with the defects in the project party's withdrawal function, means that the Akutars funds will ultimately be permanently locked.
Amount of loss: 11,539.5 ETH Attack method: Contract Vulnerability