13 hack event(s)
Description of the event: In response to an attack, Raydium tweeted that a patch has been put in place so far to prevent further attacks. This attack has nothing to do with the escalated privileges of the program itself. The vulnerability seems to stem from a Trojan horse attack and the leakage of the private key of the liquidity pool owner account. The attacker gained access to the pool owner account and was then able to call the withdraw pnl function, which is used to collect transaction/protocol fees earned on swaps in the pool. The affected pools include SOL-USDC, SOL-USDT, RAY-USDC, RAY-USDT, RAY-SOL, stSOL-USDC, ZBC-USDC, UXP-USDC, and whETH-USDC, with a total loss of approximately $4.395 million.
Amount of loss: $ 4,395,000 Attack method: Private Key Leaked
Description of the event: Solend, a lending protocol on Solana, tweeted that an oracle attack against USDH affecting Stable, Coin98, and Kamino’s isolated pools was detected, resulting in $1.26 million in bad debt. Additionally, Solend claims that all other pools, including the Main pool, are safe.
Amount of loss: $ 1,260,000 Attack method: Oracle attack
Description of the event: Mango, the Solana ecological decentralized financial platform, tweeted: “A hacker is currently investigating an incident in which a hacker extracted funds from Mango through price manipulation through oracle machines.” According to a detailed report, the protocol was encountered at approximately 6:00 on October 12, Beijing time. Attack, 2 accounts funded by USDC held excessive positions in MNGO-ERP, the underlying price of MNGO/USD on various exchanges (FTX, Ascendex) saw a 5-10 times price increase within a few minutes, Caused Switchboard and Pyth oracles to update their MNGO benchmark prices above $0.15, further causing unrealized profits to increase account value to market long MNGO-ERP, allowing accounts to borrow and withdraw BTC from the Mango protocol (sollet) , USDT, SOL, mSOL, USDC, which made the loan amount of the equivalent deposit of USD 190 million on the platform reached the maximum value, and the net value withdrawn from the account at that time was about USD 100 million.
Amount of loss: $ 100,000,000 Attack method: Flash loan attack
Description of the event: Tulip Protocol, a Solana ecological income aggregator and leveraged income farming platform, stated that its exposure to the Mango attack was limited to a portion of the USDC/RAY strategic treasury, namely 2,465,841.497167 USDC and 66,721.925355 RAY, and the funds affected by the Mango attack were about $2.5 million.
Amount of loss: $ 2,500,000 Attack method: Affected by the Mango attack
Description of the event: The total amount of funds affected by the Solana ecological algorithm stablecoin protocol UXD Protocol in the Mango attack is $19,986,134.9037. UXD Protocol stated: “Our insurance fund is sufficient to cover losses. UXD is fully secured and will be redeemable by users once Mango Markets recovers from the exploit. The total insurance fund is $53,527,304.7757. UXD Protocol has suspended UXD minting for Risk minimization. Minting will be re-enabled once we confirm the issue with Mango Markets has been resolved.”
Amount of loss: $ 20,000,000 Attack method: Affected by the Mango attack
Description of the event: Solana’s ecological derivative OptiFi tweeted that at around 6:00 UTC on August 29th, team members tried to update and upgrade on Solana, but the OptiFi mainnet program was shut down due to an operation error and could not be recovered, of which 661,000 USDC Locked (95% of funds are owned by team members), all user funds will be compensated.
Amount of loss: 661,000 USDC Attack method: Operation error
Description of the event: According to SlowMist Intelligence, Nirvana, a stablecoin project on the Solana chain, was attacked by a flash loan. The attacker used a flash loan to borrow 10,250,000 USDC from Solend by deploying a malicious contract, and then called the Nirvana contract buy3 method to buy a large amount of ANA tokens. Nirvana contract swap method to sell part of ANA, get USDT and USDC, after repaying the flash loan, a total profit of 3,490,563.69 USDT, 21,902.48 USDC and 393,230.32 ANA tokens, then the hacker sold ANA tokens and passed all the dirty money through the cross-chain bridge transfer.
Amount of loss: $ 3,500,000 Attack method: Flash loan attack
Description of the event: The centralized liquidity DeFi application Crema Finance on the Solana chain announced its shutdown due to a hacker attack. The official Twitter of the protocol quoted information from the on-chain browser SolanaFM, saying that the value of the lost encrypted assets was $8.782 million. Early this morning, Crema Finance disclosed the attacked thread, saying that hackers bypassed contract checks by creating a fake price change data account (Tickaccount), and then used fake price data and flash loans to steal huge fees from the fund pool. On July 7, Crema Finance said on Twitter that after a long negotiation, Crema Finance attackers agreed to collect 45,455 SOL (about $1.682 million) as a white hat bounty, and had returned 6,064 Ethereum and 23,967.9 SOL (approximately $8.1 million).
Amount of loss: $ 1,682,000 Attack method: Flash loan attack
Description of the event: Castle Finance developer Charlie You discovered a critical vulnerability in Solana's ecological lending protocol, Jet Protocol, that could allow attackers to withdraw tokens from arbitrary accounts. It is reported that Charlie You was discovered in January this year, but it has existed since the code update on December 15, 2021. Charlie You said that the vulnerability may cause up to 20 million US dollars in financial losses. For now, the Jet Protocol team has fixed it.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The stablecoin project Cashio on Solana has been hacked. According to the preliminary analysis of the SlowMist security team, hackers illegally issued 2 billion CASH tokens by bypassing an unverified account, and converted CASH tokens into 8,646,022.04 UST, 17,041,006.5 USDC and 26,340,965.68 USDT-USDC through multiple applications. LP, total profit value: 52027994.22 USD (more than 50 million USD). At present, the official announcement has been issued to allow users to suspend the use of the contract, and a temporary patch has been released to fix the vulnerability.
Amount of loss: $ 52,027,994.22 Attack method: Contract vulnerabilities
Description of the event: The SolFire Finance project owner stole all investor funds and moved them to the ETH chain via a cross-chain bridge. The project's GitHub account and Twitter account have been deleted and the site is no longer accessible.
Amount of loss: $ 10,000,000 Attack method: Rug Pull
Description of the event: The Solana chain has experienced its first carpet pull. Luna Yield ($LUNY) is a revenue aggregator launched through the Solana launchpad "SolPad", which has disappeared and is a variety of digital currencies worth about 6.7 million U.S. dollars. Luna Yield advertises itself as a legal project that can aggregate and optimize yield agriculture for its users; it is even supported by the famous Solana-based project launchpad "SolPad", which enables projects that submit "qualified documents" Raise funds through its initial DEX product (IDO) on the Solana-based decentralized platform. Although Luna Yield submitted "qualified documents", its attitude towards investors was indifferent. Before the August 16 fundraising, Luna Yield appeared to be legitimate. Three days after its IDO, Luna Yield sent the funds it raised to the hybrid service Tornado Cash to make it untraceable, and then it closed its website and all social media accounts-no one was able to contact the Luna Yield team.
Amount of loss: $ 6,700,000 Attack method: Rug Pull
Description of the event: Solana Ecological Lending Agreement Solend tweeted that the agreement was hacked at 20:40 on August 19th, Beijing time. The attacker cracked the insecure identity check in the UpdateReserveConfig function, allowing it to liquidate all accounts. In addition, the hacker also set the APY of borrowed funds to 250%. During this period, the funds of 5 users were mistakenly liquidated, and the liquidator is currently refunding the losses of these 5 users totaling USD 16,000. Solend said that this attack did not result in the theft of funds, and that the scale of the bug bounty will be increased and a better monitoring and alarm system will be established.
Amount of loss: $ 16,000 Attack method: Contract Vulnerability