1740 hack event(s)
Description of the event: The Twitter account of MicroStrategy, the largest public holder of BTC, appears to have been compromised, with phishing airdrop links being posted. According to on-chain detective ZachXBT, the incident has resulted in the theft of assets worth $440,000.
Amount of loss: $ 440,000 Attack method: Twitter was hacked
Description of the event: Aleo, a blockchain project that advertises it's a place for "fully private applications" with "built-in privacy" has just emailed private identification documents — including selfies and photographs of government identification cards — to the wrong users. Aleo acknowledged their screw-up on social media, claiming that only ten individuals were impacted, and that it had happened thanks to a "copy/paste error in email metadata".
Amount of loss: - Attack method: Information Leakage
Description of the event: SlowMist founder Cos tweeted that there is a backdoor code in the Tornado Cash IPFS version frontend that hijacks deposit certificates. A governance attack led to malicious proposals being passed, and the malicious code has been present for about two months.
Amount of loss: - Attack method: Governance Attack
Description of the event: RiskOnBlast, a gambling and trading platform on the new ethereum layer-2 Blast blockchain, appears to be a rug pull. On February 25, the platform drained more than 420 ETH (~$1.3 million) from more than 750 user wallets on their platform.
Amount of loss: $ 1,300,000 Attack method: Rug Pull
Description of the event: ZoomerCoin on Ethereum suffered a flash loan attack, resulting in a loss of 14.06 ETH (~ $41k).
Amount of loss: $ 41,000 Attack method: Flash Loan Attack
Description of the event: Axie Infinity co-founder Jihoz tweeted that his personal two addresses have been compromised. The attack is limited to his personal accounts and is unrelated to the validation or operation of the Ronin chain. Additionally, the leaked keys are unrelated to the operations of Sky Mavis. He reassured everyone that strict security measures have been taken for all related activities.
Amount of loss: $ 10,000,000 Attack method: Private Key Leakage
Description of the event: On February 23rd, the Avalanche mainnet experienced block production interruptions. Addressing this issue, Ava Labs co-founder Kevin Sekniqi stated on Twitter that the problem appears to be a gossip-related mempool management error, which is purely a code-related issue, not a performance handling problem. It seems that inscriptions have reached an edge case, but they did not affect performance. The mainnet downtime issue appears to be related to an edge-case bug in mempool processing, and bug fix testing is currently underway on the Avalanche testnet. On February 24th, Ava Labs engineering lead Patrick O'Grady tweeted that nodes need to be upgraded to AvalancheGo version 1.11.1, which disables the logic added in v1.10.18 that caused validators to send excessive amounts of gossip to each other. Avalanche Validators provision a stake-weighted bandwidth allocation for each peer, and this flawed logic led each node to saturate their allocation with useless transaction gossip. This dynamic prevented pull queries issued by validators from being processed in a timely manner and resulted in consensus stalling.
Amount of loss: - Attack method: Logic Vulnerability
Description of the event: BitForex, a cryptocurrency exchange headquartered in Hong Kong, has closed access to its platform after approximately $56.5 million in suspicious funds outflow occurred across multiple blockchains. Blockchain detective ZachXBT was the first to notice the withdrawals, noting that the exchange has halted withdrawals and has not responded to customer support inquiries. These fund outflows appear to be an exit scam rather than an external attack, especially considering the lack of communication and the exchange's questionable status. The company faced regulatory scrutiny in Japan in mid-2023 for operating without a license and was accused of inflating trading volumes. Its CEO resigned in January, promising a transition to a new team.
Amount of loss: $ 56,500,000 Attack method: Rug Pull
Description of the event: On the evening of February 23rd, UNI experienced a sudden price surge, causing Compound to fail in promptly updating UNI's price. As a result, the protocol used an incorrect price provided by Uniswap's TWAP (Time-Weighted Average Price). This allowed users to borrow UNI using collateral with a lower value than UNI's actual price, leading to $660,000 in bad debt.
Amount of loss: $ 660,000 Attack method: Protocol Vulnerability
Description of the event: DeFi leverage project Blueberry Protocol was exploited for approximately $1.35 million. However, the attack was intercepted by a white hat, c0ffeebabe.eth. 366 ETH has already been returned to Blueberry. The vulnerability stemmed from the incorrect handling of decimals by the lending contract. This attack occurred due to a faulty oracle deployment.
Amount of loss: $ 1,350,000 Attack method: Oracle Attack
Description of the event: The official Twitter account of ARPA, a permissionless threshold network based on the BLS signature scheme, has been compromised, and false token claiming links have been posted.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The ERC 404 project Rugged Art was attacked due to a reentrancy vulnerability, resulting in a loss of 11 ETH.
Amount of loss: $ 32,395 Attack method: Reentrancy Attack
Description of the event: On February 18th, Starcoin, a project within the Move ecosystem, tweeted that they detected abnormal activities on their network that required immediate attention to safeguard the integrity and security of the system. As a precautionary measure, Starcoin has temporarily suspended our network to conduct a thorough investigation together with SlowMist.
Amount of loss: - Attack method: Unknown
Description of the event: According to on-chain data, the cryptocurrency exchange FixedFloat appears to have been exploited, resulting in the theft of approximately $26.1 million worth of Bitcoin and Ethereum. On February 18th, FixedFloat tweeted: "We confirm that there was indeed a hack and theft of funds. We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon. We will provide details on this case a little later."
Amount of loss: $ 26,100,000 Attack method: Third-party Vulnerability
Description of the event: The CEO of SocialFi xPET tweeted that SocialFi was attacked due to vulnerabilities related to the newly launched PvP feature, resulting in hackers stealing 91.5 ETH (approximately $25,400).
Amount of loss: $ 254,000 Attack method: Contract Vulnerability
Description of the event: The ERC-X protocol Miner (MINER) has been attacked, please do not interact. According to the Miner team's analysis, the _update function of the contract was exploited. The root cause of this exploit is a double-transfer vulnerability caused by a lack of input validation.
Amount of loss: $ 466,000 Attack method: Contract Vulnerability
Description of the event: The hot wallet of the crypto gambling platform Duelbits was attacked, resulting in a loss of approximately $4.6 million.
Amount of loss: $ 4,600,000 Attack method: Private Key Leakage
Description of the event: The blockchain gaming platform PlayDapp was hacked, with the attacker's address being added as a minter, minting 200 million PLA tokens (valued at $36.5 million). Shortly after the incident, PlayDapp sent a message to the attacker through on-chain transactions, requesting the return of the stolen funds and offering a $1 million bug bounty reward, but negotiations ultimately failed. On February 12, the hacker minted an additional 1.59 billion PLA tokens, valued at $253.9 million, and began transferring them through cryptocurrency trading platforms. On February 13, PlayDapp announced on Twitter that the PLA smart contract had been paused, while also advising users to cease trading for migration snapshots and stating that every effort is being made to protect holders' assets.
Amount of loss: $ 290,000,000 Attack method: Private Key Leakage
Description of the event: Keith Grossman, the president of MoonPay, currently has a compromised X account distributing wallet drainer links.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The Not Found (404) project on ETH is suspected to have exited with losses of approximately $156,000, as the deployer withdrew a large amount of liquidity.
Amount of loss: $ 156,000 Attack method: Rug Pull