170 hack event(s)
Description of the event: Jimbos Protocol, a project in the Arbitrum ecosystem, was attacked, and about 4,090 ETH (about $7.5 million) was stolen. The attack was possible because the liquidity transfer operation lacked slippage control, which resulted in the protocol-owned liquidity being invested in a skewed/imbalanced price range that was then exploited through reverse swaps for profit.
Amount of loss: $ 7,500,000 Attack method: Lack of slippage control
Description of the event: The Sandbox tweeted that the Twitter account of its CEO and co-founder Arthur Madrid was hacked, and the hackers posted a scam/phishing link for a fake SAND token airdrop. The Sandbox reminds users not to click on the link, but to report the post so it can be blocked.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The team behind Fintoch, a blockchain financial platform, is suspected of running a Ponzi scheme. It defrauded users of 31.6 million USDT on BNB Chain, and the funds were bridged to multiple addresses on Tron and Ethereum. Users reported that they could not withdraw funds. Fintoch advertises that it is a blockchain financial platform built by Morgan Stanley and that users can get a 1% return on investment every day. The team page on the Fintoch website names "Bobby Lambert" as its CEO, when in fact he doesn't exist and is a paid actor. Earlier, the Singapore government and Morgan Stanley both issued warnings about the investment plan.
Amount of loss: $ 31,600,000 Attack method: Scam
Description of the event: At 15:25 on May 20, Tornado Cash suffered a governance attack. The attacker granted himself 1.2 million votes through a malicious proposal, exceeding the number of legitimate votes (about 700,000), and gained full governance control. An attacker could withdraw all locked votes and drain all tokens in the governance contract, disabling routers, though the attacker would still not be able to drain individual pools. The Tornado Cash governance attacker obtained a total of 483,000 TORN from governance vaults.
Amount of loss: $ 2,173,500 Attack method: Governance Attack
Description of the event: A Nevada man has been charged in connection with his alleged involvement in CoinDeal, an investment fraud scheme that defrauded more than 10,000 victims of more than $45 million, the U.S. Department of Justice announced. According to court documents, Lee allegedly conspired with Neil Chandran and others to defraud investors of companies controlled by Chandran. Operating under the name "ViRSE," these companies include Free Vi Lab, Studio Vi Inc., ViDelivery Inc., ViMarket Inc., and Skalex USA Inc., among others. Presumably, these companies are developing virtual world technology, including their own cryptocurrency, for use in virtual worlds. Chandran allegedly misled investors by falsely promising extremely high returns on the premise that his company was about to be acquired by a syndicate of wealthy buyers. As further alleged, Lee was the nominal owner and director of ViMarket and was instructed by Chandran on how to transfer received investor funds into ViMarket's bank accounts.
Amount of loss: $ 45,000,000 Attack method: Scam
Description of the event: Swaprum, a project in the Arbitrum ecosystem, carried out a rug pull. The price of SAPR dropped by 100%, Swaprum deleted its social account, and the scammer bridged 1628 ETH (about 2.94 million US dollars) to Ethereum and transferred it to Tornado Cash.
Amount of loss: $ 3,000,000 Attack method: Rug Pull
Description of the event: The Web3 content publishing platform Mirror application is currently experiencing an outage under load.
Amount of loss: - Attack method: Load
Description of the event: The stablecoin DEI launched by the DeFi protocol DEUS has been hacked, and the loss has exceeded $6.3 million. Over $5 million was lost on Arbitrum and $1.3 million on the BSC chain. This appears to be a public destroy bug. On May 8, DEUS tweeted to confirm that the DEI attacker had returned 2023 ETH.
Amount of loss: $ 6,300,000 Attack method: Contract Vulnerability
Description of the event: Yuga Labs tweeted that the Twitter account of the company's new CEO, Daniel Alegre, was hacked and is now under hacker control. Yuga Labs reminds users not to click on any minting links or interact with any Twitter accounts named Daniel Alegre until the official update notice is released. The Yuga Labs team is working with Twitter to regain control of the account.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: XIRTAM, a project built on the Arbitrum ecosystem, is a reputation building platform that does not require KYC. It advocates building digital reputation step by step through the XIRTAM system in an anonymous and decentralized manner. At the same time, users can get rewards for participating in activities on XIRTAM. The project party is on the 3rd Rug Pull. However, unlike the usual practice of rug pull projects, the runaway XIRTAM project team did not transfer the raised 1909 ETH to a currency mixing service to hide its identity and the direction of the funds, but deposited all the funds in Binance. In this regard, Binance stated that the funds involved in the XIRTAM project have been frozen and that it will cooperate with law enforcement agencies to investigate.
Amount of loss: 1,909 ETH Attack method: Rug Pull
Description of the event: Bobie, the founder of 0xScope, the Web3 knowledge graph protocol, tweeted that the liquidity of Merlin, a DEX in the zkSync ecosystem, was drained, and that hackers stole $1.82 million in funds and bridged them to Ethereum. According to analysis, this was an internal rug pull in which Merlin internal members maliciously used the privileges of the owner's wallet.
Amount of loss: $ 1,820,000 Attack method: Rug Pull
Description of the event: UniSat Wallet tweeted: “Due to a vulnerability in our code base, the UniSat Marketplace that just launched has suffered a lot of double-spend attacks. In the test last week, we simulated different double-spend attack methods and improved and enhanced the code. Unfortunately, certain issues were still exposed in the initial public release. Currently, we have preliminary findings, and out of a total of 383 transactions, 70 transactions have been identified as affected. We will report on In the next few days, we will further investigate and compensate the losses of users related to this incident.” It is reported that UniSat Marketplace is an inscription market based on PSBT and supporting BRC-20 assets on the Bitcoin chain.
Amount of loss: - Attack method: Double Spend Attack
Description of the event: Multi-chain lending protocol FilDA released a vulnerability exploit statement saying that it was attacked earlier today on the Elastos Smart Chain (ESC) and REI networks, causing losses of approximately $700,000. No other FilDA deployments were affected. The vulnerabilities have been identified and the attack vectors isolated.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: Sealaunch, an NFT data and research platform, has monitored that the MEV Bot named jaredfromsubway.eth recently carried out "sandwich attacks" on buyers and sellers of Meme coins such as WOJAK and PEPE, earning more than $1.4 million in profits. Additionally, Sealaunch stated that MEV Bots spent 7% of Ethereum’s gas fees during the 24-hour period between April 18 and 19. A sandwich attack occurs when the attacker "sandwiches" the victim's transaction between two of his own to profit from the user by manipulating prices.
Amount of loss: $ 1,400,000 Attack method: Sandwich Attack
Description of the event: Arbtomb, a project in the Arbitrum ecosystem, is suspected of a rug pull. The scammer bridged 54 ETH (approximately $110,000) to Ethereum, then transferred 52 ETH to Tornado Cash and 2.4 ETH to Binance.
Amount of loss: $ 110,000 Attack method: Rug Pull
Description of the event: The loss from today's HundredFinance hack is ~$7m. The root cause appears to be that the attacker donated 200 WBTC to inflate hWBTC's exchange rate so that even a tiny amount (2 wei) of hWBTC could basically drain the current lending pools.
Amount of loss: $ 7,000,000 Attack method: Contract Vulnerability
Description of the event: The total loss from the Paribus hack is ~$100K. The root cause turns out to be a known reentrancy issue inherited from the forked old version of CompoundV2.
Amount of loss: $ 100,000 Attack method: Reentry Attack
Description of the event: Terraport, a decentralized finance project launched by TerraCVita, an independent development team of Terra Classic, was hacked and all its liquidity was exhausted. Data shows that nearly $4 million worth of LUNC, USTC and TERRA tokens have been emptied. The attacker withdrew 9,148,426 TERRA and 15.1 billion LUNC in the first transaction, and 576,736 TERRA and 5,487,381 USTC in the second transaction.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: On April 9th, a rug pull occurred on CoreHunter, a project in the zkSync ecosystem, and the scammers made a profit of about 510,000 US dollars.
Amount of loss: $ 510,000 Attack method: Rug Pull
Description of the event: The DeFi lending protocol Sentiment said that the team discovered abnormal lending activities. This malicious use led to the theft of about $1 million from Sentiment on the Arbitrum network. The root cause is read-only reentrancy in Balancer. On April 6, on-chain data showed that Sentiment’s attackers had returned 250 ETH (approximately $480,000) of stolen funds.
Amount of loss: $ 1,000,000 Attack method: Read-only reentrancy