1939 hack event(s)
Description of the event: The INX Digital Company, a security token and digital asset trading platform, announced that on December 20, 2023, it learned of a cyberattack that occurred on the computer systems of a third-party vendor providing services to one of the Company's subsidiaries. As a result, a malicious actor managed to access the third-party vendor's servers and executed unauthorized trades which resulted in a loss of funds of the Company's subsidiary of approximately $1.6 million. The Company took immediate actions to remediate the security vulnerability and to investigate the nature and scope of the incident. The Company also notified relevant law enforcement in the appropriate jurisdictions and is working with the affected trading venue to investigate this incident and take appropriate legal action. INX customers were not affected by the incident, and the security breach at the third-party provider did not have any impact on the platforms and servers of INX. No personal information or other data of INX's customers was compromised, and INX.One remains fully operational.
Amount of loss: $ 1,600,000 Attack method: Third-party Vulnerability
Description of the event: @0xKofi's Twitter account has been hacked; please do not click on the scam link.
Amount of loss: - Attack method: Account Compromise
Description of the event: Metakey's Discord has been compromised. Do not click the link in announcements.
Amount of loss: - Attack method: Account Compromise
Description of the event: On December 17th, according to SlowMist Cos, Flooring Protocol may have been subjected to a hacker attack, and users are advised to promptly revoke contract authorizations. In a tweet on December 17th, Flooring Protocol announced that "We have determined the cause of exploit to be linked to FP's peripheral/multi-call contract. The team has deployed a fix 2 hours ago, patching the issue. While we continue to investigate and monitor, rest assured that the main contract is safe. Assets in vaults and safeboxes are not affected."
Amount of loss: $ 1,600,000 Attack method: Contract Vulnerability
Description of the event: On December 16, the SlowMist security team issued an alert that @NftTrader appeared to have been exploited due to a reentrancy issue. On December 17, the NFT Trader hacker claimed in on-chain messages that the original attack had been perpetrated by someone else, but that they were one of the many copycat attackers, describing themselves as someone who had "[come] here to pick up residual garbage". They requested victims send additional ETH to get their NFTs back. "If you want the monkey nft back, then you need to pay me a bouty, which is what I deserve", they wrote, asking for NFT holders to send them 10% of the Ape floor price. On December 17, Boring Security tweeted, "All 36 BAYC and 18 MAYC that the exploiter had are now in our possession. We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge."
Amount of loss: $ 3,000,000 Attack method: Reentrancy Attack
Description of the event: The Ledger Connect Kit suffered a supply chain attack, with attackers stealing at least $600,000. The SlowMist security team immediately initiated an analysis of the relevant code and discovered that the attackers implanted malicious JavaScript code in versions @ledgerhq/connect-kit=1.1.5/1.1.6/1.1.7. They directly replaced the normal window logic with a Drainer class, triggering not only a fake DrainerPopup popup but also handling the transfer logic for various assets. Attackers launched phishing attacks against cryptocurrency users through the CDN.
Amount of loss: $ 600,000 Attack method: Malicious Code Injection Attack
Description of the event: According to information from SlowMist Zone, the OKX DEX contract appears to have encountered an issue. After SlowMist's analysis, it was found that when users exchange, they authorize the TokenApprove contract, and the DEX contract transfers the user's tokens by calling the TokenApprove contract. The DEX contract has a claimTokens function that allows a trusted DEX Proxy to make calls, with its functionality being to invoke the claimTokens function of the TokenApprove contract to transfer tokens authorized by the user. The trusted DEX Proxy is managed by the Proxy Admin, and the Proxy Admin Owner can upgrade the DEX Proxy contract through the Proxy Admin. On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract through the Proxy Admin. The new implementation contract's functionality is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, attackers began calling the DEX Proxy to steal tokens. The Proxy Admin Owner upgraded the contract again at 23:53:59 on December 12, 2023, with similar functionality, and continued stealing tokens after the upgrade. This attack may be a result of the Proxy Admin Owner's private key being leaked. Currently, the DEX Proxy has been removed from the trusted list.
Amount of loss: $ 2,700,000 Attack method: Private Key Leakage
Description of the event: On December 13th, Peapods Finance was hacked by white hat hackers due to a reentrancy vulnerability. On December 14th, Peapods Finance tweeted that the hackers returned 90% of the funds. On December 15th, the hacker, @0xaxxe, tweeted that he returned the white hat fee to the team.
Amount of loss: $ 230,000 Attack method: Reentrancy Attack
Description of the event: The perpetual contract on Osmosis, Levana, has been subjected to an attack resulting in a loss exceeding $1.14 million. A post-incident report provided by its team indicates that between December 13th and December 26th, attackers successfully drained 10% of Levana's liquidity pool. Levana states that efforts are underway to rectify the issue, assuring that existing trading positions and profits remain unaffected. Future plans involve compensating affected liquidity providers through airdrops and the distribution of protocol fees collected during the attack period.
Amount of loss: $ 1,140,000 Attack method: Oracle Attack
Description of the event: According to on-chain data, a user deposited 0.5 BNB into Venus and borrowed a series of assets, including stkBNB, ankrBNB, etc. The user then exchanged them for 116.45 ETH assets and transferred them to another account. In response to the attack on Venus, official personnel from the Venus Protocol addressed the issue on Telegram, stating, "The core pool and XVS are not affected. The attack occurred due to a price malfunction in Binance's oracle, involving the BNB price in a small independent pool. The snBNB team is currently addressing this issue. The cause has been identified, and it has been reported to the Binance oracle team."
Amount of loss: $ 270,000 Attack method: Oracle Attack
Description of the event: There is a price slippage on project stoic_DAO. 10% of the total Zeta token supply was swapped for ~91 ETH.
Amount of loss: $ 198,033 Attack method: Rug Pull
Description of the event: Xai, a Layer 3 solution for AAA gaming, has issued an alert about phishing that impersonates Xai, in which attackers fraudulently obtained approximately 374 ETH, valued at approximately $845.8K.
Amount of loss: $ 845,800 Attack method: Phishing Attack
Description of the event: Abattoir of Zir (DIABLO) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 235,705 Attack method: Rug Pull
Description of the event: On December 7, 2023, Time on ETH was attacked due to a security vulnerability in the thirdweb pre-built smart contracts, which resulted in approximately $190,000 in profits for the attacker.
Amount of loss: $ 190,000 Attack method: Contract Vulnerability
Description of the event: Strong Finance (STRONG) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 60,919 Attack method: Rug Pull
Description of the event: CKD Token (CKD) on BSC is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 539,000 Attack method: Rug Pull
Description of the event: On December 5, 2023, thirdweb, the Web3 base development platform, indicated that a security vulnerability was discovered in pre-built smart contracts. The impacted pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20. Please see a full list of impacted smart contracts and mitigation steps at this link (https://blog.thirdweb.com/security-vulnerability/).
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A Discord mod on LayerZero has reported that a scammer introduced a phishing link within a proposal vote on the Stargate Snapshot platform, enticing users to stake $STG tokens. Over 1K users took part in the vote, resulting in a loss of ~$43K.
Amount of loss: $ 43,000 Attack method: Phishing Attack
Description of the event: MYX Finance (QMYX) on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 128,727 Attack method: Rug Pull
Description of the event: The FCN-TRUST (FCN) token on BSC was exploited for over $504k in a flash loan attack. The attack caused the token price to crash by 99%.
Amount of loss: $ 504,000 Attack method: Flash Loan Attack