22 hack event(s)
Description of the event: In October 2024, Cryptobottle on Polygon suffered three separate attacks, with total losses of approximately $527,000. The largest, on October 24, exploited a critical flaw that allowed the balance check performed in the swap() method after a callback to be bypassed. This let the attacker make arbitrary swaps, acquire a large amount of NAS tokens and sell them, costing the project around $490,000.
Amount of loss: $ 527,000 Attack method: Contract Vulnerability
Description of the event: Mudit Gupta, the Chief Information Security Officer of Polygon, stated on the X platform that the Polygon Community Discord has been compromised. He advised users not to click on any links within the server as the team is working to regain control.
Amount of loss: - Attack method: Account Compromise
Description of the event: On June 24, the UAE-based blockchain gaming studio Farcana tweeted that one of their FAR wallets was hacked. On the same day, Farcana tweeted a clarification stating that it was a third-party market maker that was attacked, and the official wallet and FAR smart-contract had not experienced any exploits.
Amount of loss: - Attack method: Third-party Vulnerability
Description of the event: The PI (PI) token on Polygon is suspected of a rug pull; its price has fallen by 100%, with losses exceeding $490,000.
Amount of loss: $ 490,000 Attack method: Rug Pull
Description of the event: The blockchain gaming platform GMEE announced on Twitter that, a few hours earlier, unauthorized access to its GitLab had led to the theft of 600 million GMEE tokens from the GMEE token contract on Polygon. The attacker then swapped the tokens for ETH and MATIC.
Amount of loss: $ 7,000,000 Attack method: Authorization Attack
Description of the event: The LibertiVault contract was attacked, losing about 123 ETH and 56,234 USDT on Polygon (worth about $290,000) and 35 ETH and 96,223 USDT on Ethereum (worth about $160,000), for total damages exceeding $450,000. The attacker exploited a reentrancy vulnerability in the LibertiVault contract to call the deposit function repeatedly, manipulating the contract's balance so that tokens were minted against an incorrect balance calculation.
Amount of loss: $ 450,000 Attack method: Reentrancy Attack
Description of the event: The Polygon ecosystem project LunaFi was attacked. The attacker funded the attack from Tornado Cash on BSC; the root cause was a flaw in the reward calculation, alongside several other issues in the contract.
Amount of loss: $ 35,000 Attack method: Reward Mechanism Flaw
Description of the event: About $110 million in WETH, USDT, WBTC and WMATIC in Aave V2 on Polygon could not be withdrawn, borrowed or repaid, because the interest rate strategy contract that was deployed is compatible only with the Ethereum deployment, not with Polygon. Aave submitted a patch, to be deployed once a governance vote passes. Funds were not at risk, but unfreezing them was expected to take at least a week.
Amount of loss: - Attack method: Compatibility issues
Description of the event: The DeFi lending protocol 0VIX on Polygon was exploited for around $2 million. The attacker manipulated the protocol's price oracle, using a flash loan to fund the attack; the protocol was paused afterwards.
Amount of loss: $ 2,000,000 Attack method: Oracle Attack
Description of the event: The non-custodial lending platform BonqDAO and the crypto infrastructure platform AllianceBlock were hit by an exploit of a bug in BonqDAO's smart contracts, with losses of approximately $120 million: the attacker removed about 114 million WALBT ($11 million), AllianceBlock's wrapped native token, and 98 million BEUR ($108 million) from a BonqDAO vault. According to SlowMist's analysis, the root cause was that the collateral required to post a quote to the oracle BonqDAO relied on was far below the profit available from the attack, so the attacker submitted false prices to manipulate the collateral valuation and liquidate other users. AllianceBlock stated that none of its own smart contracts were breached, and both teams worked on removing liquidity to make it harder for the attacker to convert the stolen tokens into other assets.
Amount of loss: $ 120,000,000 Attack method: Price Manipulation
Description of the event: The cross-chain money market Midas Capital lost about $650,000 to a read-only reentrancy exploit in its integration with a Curve liquidity pool, where a view function of the pool returns a stale value while the pool is in the middle of a call. The attack targeted the Polygon pool of the stablecoin protocol Jarvis.
Amount of loss: $ 650,000 Attack method: Reentrancy Attack
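The Midas Capital entry above describes read-only reentrancy, a bug class in which a consumer reads a pool's view function while the pool is mid-call and its state is inconsistent. The following is an added illustration, not code from Midas Capital, Curve or Jarvis: a hypothetical single-asset pool (ToyPool) whose removeLiquidity() hands control to the caller between two state updates, a lender that prices LP tokens from the pool's view, and a hardened lender that first pokes the pool's reentrancy lock. The names ToyPool, touch(), borrowLimit() and LTV_BPS are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical single-asset pool shaped like the Curve bug: removeLiquidity()
// burns LP tokens, then makes an external call to pay the caller, and only
// afterwards updates its internal reserve. During that call totalSupply is
// already reduced while reserve is not, so virtualPrice(), a plain view,
// reports an inflated value. (Which way the skew goes depends on which state
// is written before the external call; the stale read is the bug either way.)
contract ToyPool {
    uint256 public reserve;                 // internal accounting, like Curve's self.balances
    uint256 public totalSupply;             // LP tokens outstanding
    mapping(address => uint256) public lp;
    uint256 private _locked = 1;            // 1 = idle, 2 = mid-call

    modifier nonReentrant() {
        require(_locked == 1, "pool: locked");
        _locked = 2;
        _;
        _locked = 1;
    }

    function addLiquidity() external payable nonReentrant {
        require(msg.value > 0, "pool: zero");
        uint256 minted = totalSupply == 0 ? msg.value : (msg.value * totalSupply) / reserve;
        reserve += msg.value;
        totalSupply += minted;
        lp[msg.sender] += minted;
    }

    // Reserve per LP token, scaled by 1e18. Being a view does not make it safe
    // to read while the pool is inside removeLiquidity().
    function virtualPrice() external view returns (uint256) {
        if (totalSupply == 0) return 1e18;
        return (reserve * 1e18) / totalSupply;
    }

    function removeLiquidity(uint256 amount) external nonReentrant {
        require(amount > 0 && lp[msg.sender] >= amount, "pool: bad amount");
        uint256 payout = (amount * reserve) / totalSupply;
        lp[msg.sender] -= amount;
        totalSupply -= amount;                              // supply updated first ...
        (bool ok, ) = msg.sender.call{value: payout}("");   // ... control handed to caller ...
        require(ok, "pool: send failed");
        reserve -= payout;                                  // ... reserve updated last
    }

    // Cheap state-changing no-op behind the same lock: reverts iff the pool is
    // mid-call. Curve recommends consumers call one of a pool's existing
    // nonreentrant functions for this purpose; this name is hypothetical.
    function touch() external nonReentrant {}
}

interface IToyPool {
    function virtualPrice() external view returns (uint256);
    function touch() external;
}

// VULNERABLE consumer: prices LP collateral straight from the view. Reached
// from inside ToyPool.removeLiquidity(), it sees the inflated price and grants
// a borrow limit against collateral worth less than reported.
contract VulnerableLender {
    IToyPool public immutable pool;
    uint256 public constant LTV_BPS = 8000; // 80% loan-to-value
    constructor(IToyPool p) { pool = p; }

    function borrowLimit(uint256 lpAmount) external view returns (uint256) {
        return (lpAmount * pool.virtualPrice() / 1e18) * LTV_BPS / 10_000;
    }
}

// HARDENED consumer: poke the pool's lock before trusting the view. touch()
// reverts while the pool is mid-call, so the read below only happens when the
// pool's state is consistent. The cost: borrowLimit() can no longer be a view.
contract HardenedLender {
    IToyPool public immutable pool;
    uint256 public constant LTV_BPS = 8000;
    constructor(IToyPool p) { pool = p; }

    function borrowLimit(uint256 lpAmount) external returns (uint256) {
        pool.touch();                                   // reverts if the pool is being reentered
        return (lpAmount * pool.virtualPrice() / 1e18) * LTV_BPS / 10_000;
    }
}
```

The practical check when integrating a pool as a price source: find the pool's reentrancy lock and call a cheap function guarded by it before reading any view derived from balances and supply, or use a price feed that is not computed from the pool's live state. A reentrancy guard on the consumer's own functions does not help here, because the pool, not the consumer, is the contract being reentered.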
Description of the event: According to SlowMist, the GenomesDAO project on Polygon (MATIC) was attacked, resulting in the unexpected withdrawal of funds from its LPSTAKING contract. The LPSTAKING contract could be re-initialized by anyone, any number of times, which allowed the attacker to reset its key parameters and drain the collateral held in the contract.
Amount of loss: - Attack method: Contract Vulnerability
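The GenomesDAO entry above is the re-initialization bug class: an initialize() function used in place of a constructor (typically behind a proxy) that can be called more than once. The following is an added illustration, not GenomesDAO's code; VulnerableStaking, HardenedStaking, their fields and emergencyWithdraw() are hypothetical names chosen to show the pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE: initialize() stands in for a constructor (the usual pattern
// behind an upgradeable proxy), but nothing stops it from being called again.
// Anyone can re-run it, take over `owner`, repoint the staking token, and then
// use an owner-only path to sweep whatever the contract holds.
contract VulnerableStaking {
    address public owner;
    IERC20 public stakeToken;
    uint256 public rewardRate;

    function initialize(address _owner, IERC20 _stakeToken, uint256 _rewardRate) external {
        owner = _owner;             // re-callable: the last caller wins
        stakeToken = _stakeToken;
        rewardRate = _rewardRate;
    }

    function emergencyWithdraw(IERC20 token, address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// HARDENED: a one-shot guard. The flag is flipped before any other effect,
// the implementation contract marks itself initialised in its constructor so
// it cannot be taken over directly (only a proxy with fresh storage can run
// initialize()), and zero-address parameters are rejected.
contract HardenedStaking {
    bool private _initialized;
    address public owner;
    IERC20 public stakeToken;
    uint256 public rewardRate;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    constructor() { _initialized = true; }

    function initialize(address _owner, IERC20 _stakeToken, uint256 _rewardRate) external initializer {
        require(_owner != address(0) && address(_stakeToken) != address(0), "zero address");
        owner = _owner;
        stakeToken = _stakeToken;
        rewardRate = _rewardRate;
    }

    function emergencyWithdraw(IERC20 token, address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}
```

In production the guard is normally OpenZeppelin's Initializable (its initializer modifier and _disableInitializers()). Two checks worth making on any proxied contract: that initialize() is called in the same transaction that deploys the proxy, so it cannot be front-run, and that every storage variable the privileged paths depend on is set only inside the guarded function.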
Description of the event: The decentralized exchange QuickSwap was attacked through a vulnerability at its hosting provider GoDaddy: the hijackers gained control of QuickSwap's DNS, where its domains were hosted. Some users lost around $107,600 through swaps made on the hijacked front end before QuickSwap regained control of the domain.
Amount of loss: $ 107,600 Attack method: DNS Hijacking Attack
Description of the event: Bug bounty platform Immunefi reported that white hat hacker Gerhard Wagner submitted, on October 5, 2021, a critical vulnerability in the Polygon Plasma Bridge that allowed an attacker to exit the same burn transaction from the bridge repeatedly, up to 223 times. About $850 million was at risk: a single $100,000 deposit could have been withdrawn 223 times, for a loss of $22.3 million. Polygon confirmed the bug, began fixing the underlying issue immediately and resolved it within a week, and paid a $2 million bounty for the submission.
Amount of loss: $ 2,000,000 Attack method: Double Spend Attack
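The Plasma Bridge entry above is a replay of a withdrawal proof: one burn, many exits. The page does not give the root cause, so the following is an added toy that models one way such duplication arises and is not Polygon's bridge code. In it, a burn on the child chain is proven against a checkpointed Merkle root; the leaf index is a uint256 of which only the low bits are consulted, so many distinct index values prove the same leaf. The vulnerable exit keys its "already exited" record on the raw proof encoding; the hardened one keys on the burn's canonical identity. BridgeExit, submitCheckpoint(), exitUnsafe(), exitSafe() and the leaf layout are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical bridge exit sketch, not Polygon's code. A burn on the child
// chain is proven to the root chain with a Merkle proof against a checkpointed
// root. Bit i of `index` says whether the sibling at level i sits on the left
// or the right. Only the low branch.length bits are consulted, so the higher
// bits are free: many different `index` values prove the same leaf.
contract BridgeExit {
    mapping(uint256 => bytes32) public checkpointRoot; // childBlock => root
    mapping(bytes32 => bool) public exited;
    mapping(address => uint256) public released;     // stand-in for token release
    address public immutable checkpointer;

    constructor(address _checkpointer) { checkpointer = _checkpointer; }

    function submitCheckpoint(uint256 childBlock, bytes32 root) external {
        require(msg.sender == checkpointer, "not checkpointer");
        checkpointRoot[childBlock] = root;
    }

    // burnNonce is assumed unique per burn on the child chain.
    function leafOf(address to, uint256 amount, uint256 burnNonce) public pure returns (bytes32) {
        return keccak256(abi.encode(to, amount, burnNonce));
    }

    function verify(bytes32 root, bytes32 leaf, uint256 index, bytes32[] calldata branch)
        public pure returns (bool)
    {
        bytes32 node = leaf;
        for (uint256 i = 0; i < branch.length; i++) {
            node = ((index >> i) & 1) == 0
                ? keccak256(abi.encodePacked(node, branch[i]))
                : keccak256(abi.encodePacked(branch[i], node));
        }
        return node == root;
    }

    // VULNERABLE: the replay key hashes the raw, malleable `index`, so
    // re-submitting the same burn with a different high bit set passes.
    function exitUnsafe(uint256 childBlock, address to, uint256 amount, uint256 burnNonce,
                        uint256 index, bytes32[] calldata branch) external {
        bytes32 key = keccak256(abi.encode(childBlock, index, branch));
        require(!exited[key], "already exited");
        require(verify(checkpointRoot[childBlock], leafOf(to, amount, burnNonce), index, branch), "bad proof");
        exited[key] = true;
        released[to] += amount;
    }

    // HARDENED: key on the burn's canonical identity (block + leaf), which is
    // fixed by what the proof verifies, not by how the proof was encoded, and
    // additionally reject non-canonical encodings outright.
    function exitSafe(uint256 childBlock, address to, uint256 amount, uint256 burnNonce,
                      uint256 index, bytes32[] calldata branch) external {
        require(branch.length < 256, "depth");
        require(index >> branch.length == 0, "non-canonical index");
        bytes32 leaf = leafOf(to, amount, burnNonce);
        bytes32 key = keccak256(abi.encode(childBlock, leaf));
        require(!exited[key], "already exited");
        require(verify(checkpointRoot[childBlock], leaf, index, branch), "bad proof");
        exited[key] = true;
        released[to] += amount;
    }
}
```

The review question for any bridge or withdrawal queue is the same: is the replay key derived from something the verifier pins down (the event's position and contents), or from bytes the submitter can vary freely? If the latter, count how many encodings of one proof exist; that number is the multiplier on the loss.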
Description of the event: The yield farming protocol PolyYeld Finance was attacked: the attacker used the project's contract to mint 4.9 trillion YELD tokens and dumped them on the secondary market.
Amount of loss: 4,900,000,000,000 YELD Attack method: Compatibility Issue
Description of the event: The DeFi yield aggregator PancakeBunny tweeted that its Polygon deployment had been exploited by an outside attacker and that it had suspended all Polygon Sushi Vaults. According to the team, the other Polygon vaults, the BSC PancakeBunny vaults and BUNNY were safe. The attacker made a profit of 1,281 WETH.
Amount of loss: $ 2,402,462 Attack method: Flash loan attack
Description of the event: Polygon Space Token (pSPACE) on Polygon suffered a flash loan attack. The root cause is reported to be a profit-inflation bug.
Amount of loss: - Attack method: Flash loan attack
Description of the event: The DeFi project helios on Polygon carried out a rug pull (contract address 0x8eb6ead701b7d378cf62c898a0a7b72639a89201).
Amount of loss: $ 1,446,704 Attack method: Rug Pull
Description of the event: The algorithmic stablecoin project SafeDollar on Polygon is suspected to have been hacked; an unverified contract appears to have drained about $250,000 in USDC and USDT.
Amount of loss: $ 250,000 Attack method: Flash loan attack
Description of the event: The Polygon ecosystem project PolyDEX was hacked: the attacker carried out a reentrancy attack on its Token Locker smart contract and stole about $500,000 worth of funds from the project.
Amount of loss: $ 500,000 Attack method: ERC777 Reentrancy Attack
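The LibertiVault and PolyDEX entries above are both the classic reentrancy pattern: a deposit path that makes an external call (an ERC777 token hook in the PolyDEX case) and then credits the caller from state measured after that call. The following is an added illustration, not code from either project: a vault that mints shares from the balance delta across transferFrom(), a depositor that re-enters from the ERC777 tokensToSend hook, and a hardened vault with a shared reentrancy lock. VulnerableVault, ReenteringDepositor, HardenedVault and their functions are hypothetical names; share accounting is simplified to one share per token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// ERC777 sender hook: the token calls this on `from` BEFORE balances move.
// Any external call that hands control back to the depositor opens the window.
interface IERC777Sender {
    function tokensToSend(address operator, address from, address to, uint256 amount,
                          bytes calldata userData, bytes calldata operatorData) external;
}

// VULNERABLE: shares are credited from the balance delta measured across an
// external call. A caller that re-enters deposit() from inside that call gets
// the inner deposit's tokens counted again by the outer call.
contract VulnerableVault {
    IERC20 public immutable asset;
    mapping(address => uint256) public shares;   // 1 share per token, for brevity

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external {
        uint256 before = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer"); // hook fires here
        shares[msg.sender] += asset.balanceOf(address(this)) - before;            // double-counted on re-entry
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;
        require(asset.transfer(msg.sender, amount), "transfer");
    }
}

// Sketch of the re-entering depositor (assumes it is registered with the
// ERC1820 registry as the token's ERC777TokensSender implementer). Trace for
// two deposits of `amount`: the outer call reads `before`; the hook fires
// before any tokens move and runs the inner deposit, which is credited
// `amount`; the outer transfer then lands and the outer delta is 2*amount.
// Total credited: 3*amount for 2*amount paid; withdraw() pays the difference
// out of other depositors' funds.
contract ReenteringDepositor is IERC777Sender {
    VulnerableVault immutable vault;
    IERC20 immutable asset;
    bool entered;

    constructor(VulnerableVault v, IERC20 a) { vault = v; asset = a; }

    function attack(uint256 amount) external {
        asset.approve(address(vault), 2 * amount);
        vault.deposit(amount);
    }

    function tokensToSend(address, address, address, uint256 amount, bytes calldata, bytes calldata) external override {
        if (!entered) { entered = true; vault.deposit(amount); }
    }
}

// HARDENED: one lock shared by deposit() and withdraw() closes the window
// (cross-function re-entry included). The delta measurement is kept, since it
// is the right way to handle fee-on-transfer tokens, but it can no longer be
// observed twice; withdraw() updates state before the external call.
contract HardenedVault {
    IERC20 public immutable asset;
    mapping(address => uint256) public shares;
    uint256 private _status = 1;

    modifier nonReentrant() {
        require(_status == 1, "reentrant");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external nonReentrant {
        uint256 before = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer");
        uint256 received = asset.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
    }

    function withdraw(uint256 amount) external nonReentrant {
        shares[msg.sender] -= amount;                       // effects before interaction
        require(asset.transfer(msg.sender, amount), "transfer");
    }
}
```

When auditing a deposit path, treat every token transfer as a potential callback, not only those of tokens known to implement ERC777: wrapped native tokens, tokens with transfer hooks and upgradeable tokens can all hand control to the caller. The Cryptobottle entry near the top of this list, where a balance check placed after a callback could be bypassed, is the same window seen from the swap side.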