1978 hack event(s)
Description of the event: According to PeckShieldAlert, the stablecoin project USPD has suffered a major security breach, resulting in approximately $1 million in losses. The USPD team later confirmed that the protocol had been exploited, with the attacker minting tokens without authorization and draining liquidity. The official team has urgently advised users to revoke all token approvals granted to the USPD contract. According to the project’s confirmation, the incident was identified as a “CPIMP” attack. During the deployment phase, the attacker used Multicall3 to preemptively initialize the proxy and seize administrator privileges, while disguising the malicious implementation as an audited contract. The hidden logic remained dormant for several months before being activated, allowing the attacker to upgrade the proxy, mint approximately 98 million USPD tokens, and transfer around 232 stETH. The USPD team has disclosed the attacker addresses (Infector: 0x7C97…9d83, Drainer: 0x0833…215A) and stated that they are working with law enforcement and white-hat partners to trace the funds. The team has also offered a 10% bounty if the attacker returns the stolen assets.
Amount of loss: $ 1,000,000 Attack method: "CPIMP" (Clandestine Proxy In the Middle of Proxy) attack
Description of the event: According to cybersecurity firm Blockaid, the official website of the meme coin PEPE was compromised by attackers, who modified the website’s front-end code, causing users visiting the site to be redirected to a malicious page.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: The on-chain private fund Goldfinch’s old contract on Ethereum (0x0689) contained a vulnerability. Because the user deltatiger.eth did not revoke the authorization in time, they were exploited and lost approximately USD 330,000. The attacker has already sent 118 ETH (around USD 329,000) into the privacy mixer Tornado Cash.
Amount of loss: $ 330,000 Attack method: contract vulnerability
Description of the event: According to PeckShieldAlert on X, Yearn Finance suffered an attack in which the hacker drained the liquidity pool by infinitely minting yETH, causing losses of roughly $9 million. Approximately 1,000 ETH (about $3 million) was transferred to Tornado Cash, while the attacker’s address still holds around $6 million worth of crypto assets. On December 1, according to PeckShield’s monitoring, Yearn recovered 2.4 million USD by burning the pxETH held by the hacker. An equivalent amount of pxETH has been re-minted and returned to the Redacted Cartel multisig wallet.
Amount of loss: $ 9,000,000 Attack method: Contract Vulnerability
Description of the event: Upbit CEO Lee Seok-woo issued a public statement apologizing to users for the recent network intrusion incident, acknowledging that the breach stemmed from shortcomings in Upbit’s internal security management. He emphasized that user assets will not incur any losses. Upbit has reported the incident to the relevant regulators in accordance with applicable laws and is currently investigating the cause and scope of the breach. Upbit discovered abnormal withdrawals from its Solana-based wallets on the morning of the 27th, immediately conducted a comprehensive inspection of the affected networks and wallet systems, and, during the analysis of multiple on-chain transactions involving Upbit wallets, identified a security vulnerability that could potentially expose private keys. The issue has since been fixed. Upbit stated that it will continue to closely cooperate with regulators and will provide transparent updates to users as permitted. To protect user funds, Upbit has suspended deposits and withdrawals of digital assets and has begun tracing and freezing the outflowing assets. According to current statistics, the affected assets amount to approximately 44.5 billion KRW (around 30.3 million USD), of which about 38.6 billion KRW (around 26.33 million USD) belong to users. Roughly 2.3 billion KRW (around 1.57 million USD) of these assets have been frozen. Upbit’s own assets were impacted by approximately 5.9 billion KRW (around 4.02 million USD).
Amount of loss: $ 30,300,000 Attack method: -
Description of the event: BasisOS disclosed on X: “Due to a security breach, the Agentic FoF was compromised, resulting in approximately USD 531,000 in leaked funds. All vaults have now been suspended, and withdrawals from the Agentic FoF have also been paused pending the results of an internal investigation.”
Amount of loss: $ 531,000 Attack method: -
Description of the event: The decentralized AI data network Port3 Network disclosed on X that its token PORT3 was maliciously minted by a hacker exploiting a cross-chain bridge vulnerability. According to on-chain analyst Yujin, the attacker used a contract flaw in the BridgeIn cross-chain bridge to mint 1 billion PORT3 tokens. The hacker then sold 162.75 million of these tokens on-chain, receiving 199.5 BNB (approximately USD 166,000) and causing the PORT3 price to plunge by 76%. Port3 Network later released an incident report explaining that the root cause stemmed from its use of NEXA Network’s CATERC20 cross-chain token solution. CATERC20 contains a boundary-condition validation vulnerability: after token ownership is renounced, a key function returns a value of 0, which unintentionally satisfies the ownership check condition. This results in permission verification failure, allowing attackers to perform privileged operations—including unauthorized token minting—without proper authorization. Notably, this issue was not identified in the CATERC20 audit report. Since Port3 had previously renounced ownership of the token to achieve greater decentralization, it remained vulnerable to this flaw. Following the incident, the Port3 team urgently removed the remaining on-chain liquidity, and several centralized exchanges suspended PORT3 deposits. Unable to continue selling, the attacker burned the remaining 837.25 million unsold PORT3 tokens approximately 40 minutes earlier.
Amount of loss: $ 166,000 Attack method: Contract Vulnerability
Description of the event: Aerodrome, a DEX built on Base, posted on X that the centralized domains of Velodrome and Aerodrome were hijacked on November 21 due to an internal security vulnerability at NameSilo, resulting in redirection to malicious content. With the rapid response from security partners including Blockaid, Groom Lake, Security Alliance, and FTI Consulting, MetaMask and Coinbase Wallet displayed warnings within two minutes, and the issue was fully mitigated within four hours. The incident resulted in approximately $700,000 in losses.
Amount of loss: $ 700,000 Attack method: Domain Hijacking
Description of the event: GoPlus has issued a security alert: Users who claimed the DMT airdrop from @dexmaxai are advised to revoke approvals immediately or transfer their assets to a secure wallet. Multiple victims reported today that they were tricked into granting approvals for other tokens during the DMT airdrop process, resulting in over a thousand users being compromised and more than USD 130,000 in assets stolen via cross-chain transfers. The official website and Twitter account of @dexmaxai are now offline, indicating a possible rug pull. Investigations show that attackers prompted users to sign additional transactions during the airdrop claim, thereby obtaining malicious token approvals and subsequently transferring the approved assets. After stealing funds, attackers bridged the assets to Ethereum, with most of the stolen funds flowing into HitBTC, while a smaller portion remains on-chain.
Amount of loss: $ 130,000 Attack method: Phishing Attack
Description of the event: According to on-chain security analyst ZachXBT, the payment project GANA Payment on the BSC chain was attacked a few hours ago, resulting in an estimated loss of $3.1 million. The attacker has deposited 1,140 BNB (around $1.04 million) into Tornado Cash on BSC, and transferred funds to Ethereum via a cross-chain bridge. Of these funds, 346.8 ETH (around $1.05 million) has also been deposited into Tornado Cash on Ethereum. Currently, another 346 ETH (about $1.046 million) remains idle in an Ethereum address starting with 0x7a.
Amount of loss: $ 3,100,000 Attack method: -
Description of the event: According to a WLFI announcement, prior to the platform’s official launch, some user wallets were compromised due to phishing attacks or mnemonic phrase leaks. WLFI emphasized that the incident was not caused by any platform or smart contract vulnerability, but originated from third-party security issues. The team has developed new smart contract logic that allows assets to be reassigned to secure new wallets after completing KYC verification. Wallets that have not submitted a request or failed verification will remain frozen, though users can initiate the recovery process through customer support. According to Emmett Gallic, World Liberty Fi burned a total of 166.67 million WLFI tokens (worth approximately $22.14 million) from a suspected compromised wallet and reallocated an equal amount of tokens to a new secure address.
Amount of loss: - Attack method: Phishing Attack & Private Key Leakage
Description of the event: SlowMist founder Cos reminded users of the NOFX AI open-source automated trading system to be aware of potential security risks. Although the NOFX AI open-source work has shown good intentions, real theft incidents have already occurred, and some users’ wallet private keys as well as CEX/DEX API keys have been leaked as a result. Cos confirmed that this vulnerability also affects the wallet private key security of Aster users. He stated that SlowMist has collaborated with relevant security teams to notify affected users as much as possible to help reduce risks, and advised users to stay vigilant and take timely security measures.
Amount of loss: - Attack method: Private Key Leakage
Description of the event: Sui’s official X account issued a reminder stating that the X account of Aftermath, a liquid staking protocol in the Sui ecosystem, has been compromised. Users are advised not to interact with the account until the team regains control.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to Arkham’s monitoring, an attacker allegedly carried out a deliberate exploit against HLP (Hyperliquidity Provider) on Hyperliquid. The attacker used 19 wallets and $3 million in principal to open a leveraged long position worth $20–30 million on POPCAT with 5× leverage, while placing large buy walls to support the price. Subsequently, the attacker suddenly removed the buy walls, causing a flash crash in POPCAT’s price and triggering the liquidation of their $3 million collateral to zero. Due to the lack of liquidity, HLP was forced to absorb the position, ultimately resulting in a bad debt loss of $4.9 million. Analyst @mlmabc noted that losing $3 million within seconds was not a mistake or negligence, but rather a deliberate attack targeting both HLP and Hyperliquid.
Amount of loss: $ 4,950,000 Attack method: Price Manipulation
Description of the event: According to a post by crypto trader @25usdc, hackers are exploiting the comment section of Polymarket to carry out scam activities, resulting in losses exceeding $500,000. The attackers post links to their phishing websites in an obfuscated, non-plain-text format. When users log in to these sites via email, malicious scripts are injected, leading to data breaches and the loss of funds.
Amount of loss: $ 500,000 Attack method: Phishing attack
Description of the event: According to CertiK’s monitoring, the Moonwell lending contract suffered multiple attack transactions. The attacker exploited an incorrect oracle price for wrstETH (around USD 5.8 million). By using a flash loan of only about 0.02 wrstETH and depositing it, the attacker repeatedly borrowed over 20 wstETH, gaining 295 ETH (approximately USD 1 million) in profit.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: The DeFi protocol Balancer V2 suffered a vulnerability exploit that affected its Composable Stable Pools. The root cause of the incident was an incorrect rounding direction in the Stable Pool’s “exact-out” swap path. This flaw was amplified under conditions of precision errors introduced by rate providers and extremely low liquidity, allowing the attacker to manipulate the invariant and distort the BPT price calculation. As a result, the attacker was able to withdraw large amounts of assets from the pool at a cost far below their real value. The attack caused a total loss of $121.1 million across Ethereum, Arbitrum, Base, Optimism, and Polygon. As of November 19, coordinated mitigation efforts enabled several security measures to be deployed promptly after the issue was discovered, resulting in approximately $45.7 million in user funds being protected or recovered.
Amount of loss: $ 121,100,000 Attack method: Logic Vulnerability
Description of the event: Berachain announced that approximately USD 12.8 million in funds lost due to the BEX/Balancer v2 vulnerability have been fully returned to the Berachain Foundation’s deployer address, and the blockchain has now resumed normal operations.
Amount of loss: $ 12,800,000 Attack method: Contract Vulnerability
Description of the event: According to CertiK Alert, the Garden attacker has transferred 501 BNB and 1,910 ETH (worth approximately $6.65 million) to Tornado Cash. The address starting with 0x98BC still holds around $910,000 in assets. It is reported that Garden Finance suffered an attack on October 31, resulting in a loss of about $10.8 million, after its solver was compromised.
Amount of loss: $ 10,800,000 Attack method: -
Description of the event: 402Bridge posted on X to alert users that a token theft incident had occurred. The technical team is investigating the entire process and advised all users to immediately revoke existing authorizations and transfer their assets out of their wallets. According to available information, the x402 cross-chain protocol 402Bridge was likely compromised after the contract ownership was transferred by the original creator to address 0x2b8F.... More than 200 users lost their remaining USDC due to excessive token approval amounts, with the attacker’s address (starting with 0x2b8F9) stealing a total of 17,693 USDC. The stolen funds were then swapped for ETH and bridged to Arbitrum through multiple cross-chain transactions. 402Bridge later confirmed that, due to a private key leak, several of the team’s test wallets and the main wallet were also compromised.
Amount of loss: $ 17,693 Attack method: Private Key Leakage