10 hack event(s)
Description of the event: OptiFi, a derivatives protocol in the Solana ecosystem, tweeted that at around 6:00 UTC on August 29th, team members tried to perform an update and upgrade on Solana, but an operation error shut down the OptiFi mainnet program and it could not be recovered. As a result, 661,000 USDC is locked (95% of the funds are owned by team members). All user funds will be compensated.
Amount of loss: 661,000 USDC Attack method: Operation error
Description of the event: According to SlowMist Intelligence, Nirvana, a stablecoin project on the Solana chain, suffered a flash loan attack. The attacker deployed a malicious contract, used a flash loan to borrow 10,250,000 USDC from Solend, and then called the Nirvana contract's buy3 method to buy a large amount of ANA tokens. The attacker then called the Nirvana contract's swap method to sell part of the ANA for USDT and USDC. After repaying the flash loan, the total profit was 3,490,563.69 USDT, 21,902.48 USDC and 393,230.32 ANA tokens. The hacker then sold the ANA tokens and transferred all of the stolen funds out through a cross-chain bridge.
Amount of loss: $ 3,500,000 Attack method: Flash loan attack
Description of the event: Crema Finance, a concentrated liquidity DeFi application on the Solana chain, announced that it had shut down following a hacker attack. The protocol's official Twitter account, citing the block explorer SolanaFM, said that the value of the lost crypto assets was $8.782 million. Early this morning, Crema Finance disclosed details of the attack in a thread, saying that the hackers bypassed contract checks by creating a fake price change data account (Tickaccount), and then used the fake price data and flash loans to steal huge fees from the fund pool. On July 7, Crema Finance said on Twitter that, after a long negotiation, the attackers had agreed to keep 45,455 SOL (about $1.682 million) as a white hat bounty, and had returned 6,064 ETH and 23,967.9 SOL (approximately $8.1 million).
Amount of loss: $ 1,682,000 Attack method: Flash loan attack
Description of the event: Castle Finance developer Charlie You discovered a critical vulnerability in Jet Protocol, a lending protocol in the Solana ecosystem, that could allow attackers to withdraw tokens from arbitrary accounts. Charlie You reportedly discovered the vulnerability in January this year, but it had existed since the code update on December 15, 2021. Charlie You said that the vulnerability could have caused up to 20 million US dollars in financial losses. The Jet Protocol team has since fixed it.
Amount of loss: - Attack method: Permission verification problem
Description of the event: The stablecoin project Cashio on Solana has been hacked. According to the preliminary analysis of the SlowMist security team, the hackers minted 2 billion CASH tokens without authorization by exploiting an account that was not verified, and converted the CASH tokens into 8,646,022.04 UST, 17,041,006.5 USDC and 26,340,965.68 USDT-USDC LP through multiple applications, for a total profit of 52,027,994.22 USD (more than 50 million USD). The project has issued an official announcement asking users to stop using the contract, and a temporary patch has been released to fix the vulnerability.
Amount of loss: $ 52,027,994.22 Attack method: Contract vulnerabilities
Description of the event: Attackers exploited a signature verification vulnerability in the Wormhole network to mint 120k Wormhole-wrapped Ether on Solana, worth over $326 million.
Amount of loss: 120,000 ETH Attack method: Signature verification vulnerability
Description of the event: The SolFire Finance project owner stole all investor funds and moved them to the ETH chain via a cross-chain bridge. The project's GitHub account and Twitter account have been deleted and the site is no longer accessible.
Amount of loss: $ 10,000,000 Attack method: Scam
Description of the event: Kingfund Finance carried out a rug pull, with losses of over 300 WBNB. On checking, the project's official Twitter account has been deleted.
Amount of loss: 300 WBNB Attack method: Scam
Description of the event: The Solana chain has experienced its first rug pull. Luna Yield ($LUNY), a yield aggregator launched through the Solana launchpad "SolPad", has disappeared along with a variety of digital currencies worth about 6.7 million U.S. dollars. Luna Yield advertised itself as a legitimate project that could aggregate and optimize yield farming for its users. It was even supported by the well-known Solana-based project launchpad "SolPad", which enables projects that submit "qualified documents" to raise funds through an initial DEX offering (IDO) on its Solana-based decentralized platform. Although Luna Yield submitted "qualified documents", its attitude towards investors was indifferent. Before the August 16 fundraising, Luna Yield appeared to be legitimate. Three days after its IDO, Luna Yield sent the funds it had raised to the mixing service Tornado Cash to make them untraceable, and then closed its website and all social media accounts; no one was able to contact the Luna Yield team.
Amount of loss: $ 6,700,000 Attack method: Scam
Description of the event: Solend, a lending protocol in the Solana ecosystem, tweeted that the protocol was attacked at 20:40 on August 19th, Beijing time. The attacker defeated the insecure identity check in the UpdateReserveConfig function, allowing it to liquidate all accounts. In addition, the hacker set the APY of borrowed funds to 250%. During this period, the funds of 5 users were mistakenly liquidated, and the liquidator is currently refunding the losses of these 5 users, which total USD 16,000. Solend said that the attack did not result in the theft of funds, that the bug bounty will be increased, and that a better monitoring and alerting system will be established.
Amount of loss: $ 16,000 Attack method: The insecure identity check in the UpdateReserveConfig function is cracked