16 hack event(s)
Description of the event: Polygon ecological project LunaFi was attacked. The attacker obtained initial funds from TornadoCash on BSC, the root cause was a flaw in reward calculation, and many other issues in the contract.
Amount of loss: $ 35,000 Attack method: Reward Calculation Flaw
Description of the event: About 110 million USD in WETH, USDT, WBTC, WMATIC in Aave V2 on Polygon cannot be withdrawn, nor can it be borrowed and repaid. This is because the interest rate strategy contract is only compatible with Ethereum, not Polygon. At present, Aave has submitted a patch to fix this problem, which will be deployed after voting. Funds are not at risk, but it takes at least a week for funds to be unfrozen.
Amount of loss: - Attack method: Compatibility issues
Description of the event: DeFi protocol 0VIX on the Polygon chain was exploited for around $2 million. The attack was carried out by an attacker manipulating the oracle, who then performed a flash loan attack on the project. The agreement was suspended after the attack.
Amount of loss: $ 2,000,000 Attack method: Flash Loan Attack
Description of the event: Non-custodial lending platform BonqDAO and crypto infrastructure platform AllianceBlock were hacked due to a bug in BonqDAO's smart contracts, resulting in losses of approximately $120 million. Among them, hackers removed approximately 114 million WALBT ($11 million), AllianceBlock’s wrapped native token, and 98 million BEUR tokens ($108 million) from a BonqDAO vault. According to the analysis of SlowMist, the root cause of the attack is that the attacker uses the oracle machine to quote the required collateral, which is much lower than the profit obtained by the attack, thereby manipulating the market and liquidating other users by maliciously submitting wrong prices. In addition, AllianceBlock stated that the incident has nothing to do with the BonqDAO vault, no smart contracts were breached, and both teams are working on eliminating liquidity to mitigate hackers converting stolen tokens into other assets.
Amount of loss: $ 120,000,000 Attack method: Price Manipulation
Description of the event: Due to the read-only-reentrancy problem (read-only-reentrancy) when interacting with the Curve liquidity pool, the cross-chain money market solution Midas Capital was attacked and exploited in the Polygon liquidity pool of the stablecoin protocol Jarvis, and has lost $650,000.
Amount of loss: $ 650,000 Attack method: Reentry Attack
Description of the event: According to SlowMist, the GenomesDAO project on MATIC was attacked by hackers, resulting in the unexpected withdrawal of funds in its LPSTAKING contract. This incident is because the LPSTAKING contract of GenomesDAO can be arbitrarily repeatedly initialized and set key parameters, resulting in the malicious exhaustion of the collateral in the contract.
Amount of loss: - Attack method: Contract vulnerabilities
Description of the event: Decentralized exchange Quickswap has come under attack for a vulnerability in its hosting provider GoDaddy. The hijackers gained access to QuickSwap's DNS through a vulnerability in GoDaddy, where QuickSwap domains were hosted. Some DEX users lost around $107,600 through platform swaps before QuickSwap was able to regain control of our domain.
Amount of loss: $ 107,600 Attack method: Domain name hijacking
Description of the event: Bug bounty platform Immunefi says white hat hacker Gerhard Wagner submitted a critical vulnerability affecting the Polygon Plasma Bridge on October 5, 2021 that allows attackers to withdraw their burn transactions from the bridge multiple times for up to 223 times. About $850 million is at risk, and an attack with just $100,000 would result in a loss of $22.3 million. Polygon confirmed the bug and immediately began fixing the underlying issue, which was resolved within a week. Polygon agreed to pay up to $2 million for the submission.
Amount of loss: $ 2,000,000 Attack method: Double Spend
Description of the event: The profit farming agreement PolyYeld Finance was attacked. The project contract was used to mint 4.9 trillion YELD tokens and dump them in the secondary market.
Amount of loss: 4,900,000,000,000 YELD Attack method: Deflationary token compatibility issues
Description of the event: DeFi revenue aggregator PancakeBunny tweeted that its version on Polygon was attacked by outsiders and has suspended all Polygon Sushi Vaults. According to officials, Polygon vaults, BSC PancakeBunny vaults, and BUNNY are currently safe. The attacker made a profit of 1281 WETH.
Amount of loss: $ 2,402,462 Attack method: Flash loan attack
Description of the event: The Polygon Space Token (pSPACE) of the Polygon platform suffered a lightning loan attack. It is reported that this is a profit-inflation bug.
Amount of loss: - Attack method: Flash loan attack
Description of the event: DeFi project helios on Polygon rug pull. (0x8eb6ead701b7d378cf62c898a0a7b72639a89201)
Amount of loss: $ 1,446,704 Attack method: Rug Pull
Description of the event: The algorithmic stablecoin project SafeDollar on Polygon is suspected of being hacked, and an unconfirmed contract seems to have taken away 250,000 USD in USDC and USDT.
Amount of loss: $ 250,000 Attack method: Flash loan attack
Description of the event: The Polygon ecological project PolyDEX had a hacking incident. The hackers carried out a reentry attack on the Token Locker smart contract and stole about $500,000 worth of funds from the project.
Amount of loss: $ 500,000 Attack method: ERC777 Reentry Attack
Description of the event: On June 5, 2021, PolyButterfly, a decentralized financial protocol based on Polygon, disappeared. Its website has been closed, and its Twitter account and Telegram chat history have been deleted. Before this mysterious disappearance, it was revealed that the PolyButterfly code had a dangerous backdoor that allowed the product team to remove customer liquidity. According to RugDoc, the scammers stole more than 600 ether, or more than $1,500,000.
Amount of loss: $ 1,500,000 Attack method: Rug Pull
Description of the event: Ankitt Gaur, founder and CEO of Layer 2 DeFi lending protocol EasyFi (EASY), said, “On April 19, team members reported that a large number of EASY tokens were transferred from the official EasyFi wallet to the Ethereum network and several unknowns on the Polygon network. Wallet. Someone may have attacked the management key or mnemonic. The hacker successfully obtained the administrator key and transferred $6 million of existing liquid funds in the form of USD/DAI/USDT from the protocol pool, and transferred 298 Ten thousand EASY tokens (approximately 30% of the total supply of EASY tokens, currently valued at 40.9 million U.S. dollars) were transferred to the wallet of the suspected hacker (0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37)."
Amount of loss: $ 46,900,000 Attack method: Private key leak