1950 hack event(s)
Description of the event: The DeFi project Earning.Farm suffered a reentrancy attack and lost 286 ETH (approximately $530,000). According to the analysis of SlowMist, during a withdrawal the attacker re-entered the LP token's transfer function and transferred LP tokens away, making the account's balance smaller than the previously calculated shares value. This triggered the logic that updates the shares value, so the value of the shares to burn was updated to the manipulated LP amount. As a result, the final amount of LP burned was much smaller than expected, and the attacker could then withdraw funds from the pool again with the transferred LP.
Amount of loss: $ 530,000 Attack method: Reentrancy Attack
Description of the event: Steadefi, an automated yield leveraged strategy platform, tweeted: “Our protocol deployer wallet (which is also the owner of all vaults in the protocol) has been compromised. Attackers have transferred ownership of all vaults (borrows and strategies) to them in a wallet controlled by the user and continue to take various owner-only operations, such as allowing any wallet to be able to borrow any available funds from the lending vault. Currently, all available lending capacity on Arbitrum and Avalanche has been exhausted by the attackers, and the assets have been swapped for ETH and bridged to Ethereum. On-chain messages have been sent to the attacker wallet address for negotiation. Steadefi wants to discuss the bounty with parties involved in the exploit, offering a 10% reward on the stolen funds.” Steadefi has lost approximately $1.158 million in the incident. On August 8, the Steadefi team managed to recover approximately $540,000 in user funds from remaining vaults.
Amount of loss: $ 1,158,000 Attack method: Private Key Leakage
Description of the event: Legal authorities in the Indian state of Odisha have successfully busted a $120 million (Rs 1,000 crore) cryptocurrency Ponzi scheme. Two central figures in the fraudulent operation have been arrested. The project in question is called The Solar Techno Alliance (STA) and used terms like green energy and solar technology. The investigation found that STA, with the assistance of online members, used various persuasive tactics and promises of profits in a short period of time to attract people to participate in the scheme, with more than 10,000 participants in Odisha alone. The investigation revealed that STA was not authorized by RBI or other regulators to accumulate deposits.
Amount of loss: $ 120,000,000 Attack method: Scam
Description of the event: On August 7, 2023, Cypher, a Solana-based decentralized exchange, tweeted that it had been attacked. The attacker exploited a bug related to the mechanism involving segregated margin sub-accounts to attack Cypher's main contract, causing it to eventually withdraw more funds than initially deposited, leading to a bad debt in the system. The attacker stole 15,452 SOL, 149,205 USDC, and other tokens for a loss of over $1 million. The attacker’s address is suspected to be HHm4wK91XvL3hhEC4hQHo544rtvkaKohQPc59TvZeC71. On August 18, Cypher stated that approximately $600,000 has been frozen on various centralized exchanges (CEXs), and the return of these funds will depend on the cooperation of these CEXs and seizure orders issued by law enforcement agencies.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: A large amount of liquidity has been removed from Bitlord (BITLORD). The deployer removed about 309 WETH from the LP, worth about $567,000. The token project is suspected to be a honeypot scam.
Amount of loss: $ 567,000 Attack method: Rug Pull
Description of the event: The Twitter account of Tim Beiko, the core developer of Ethereum, was suspected of being stolen. He posted two tweets about "ETH airdrop" within half an hour with a phishing link (ether.fo). Users are asked not to click on suspicious links to prevent funds from being stolen. According to the analysis of SlowMist, the mastermind behind the scenes is PinkDrainer.
Amount of loss: - Attack method: Account Compromise
Description of the event: A Rug Pull occurred on the Apache NFT SalesRoom (ASN) on the BNB Chain, and the deployer made a profit of about $680,000. The deployer transferred a large number of tokens to the address starting with 0xdc8, which has now dumped 1 million ASNs at a price of $680,000 in BSC-USD.
Amount of loss: $ 680,000 Attack method: Rug Pull
Description of the event: The Uwerx network was attacked and lost about 174.78 ETH. According to the analysis of SlowMist, the root cause is that when the receiving address is uniswapPoolAddress (0x01), an additional 1% of the transfer amount is burned from the from address. The attacker therefore used the skim function of the Uniswap V2 pool to consume a large number of WERX tokens, then called the sync function to maliciously inflate the price of the token, and finally swapped in the reverse direction to extract ETH for profit.
Amount of loss: $ 324,000 Attack method: Price Manipulation
Description of the event: InsurAce, a DeFi insurance protocol, tweeted: "Our Discord server experienced a security breach. Our team discovered an unauthorized access to the server earlier today. We take this incident very seriously and are working hard to correct the situation. During this time, please do not interact with the server." According to the analysis of SlowMist, the phishing website is insurance.gift, and PinkDrainer is behind it.
Amount of loss: - Attack method: Account Compromise
Description of the event: The axlUSD/WETH pool in LeetSwap, the largest DEX on the Base chain, suffered a price manipulation attack and has suspended trading for investigation. It appears that 342.5 ETH (~$624,000) was exploited. On August 3, LeetSwap stated that it had withdrawn about 400 ETH from the risky liquidity pool. According to the analysis of SlowMist, the main cause of this attack was that the _transferFeesSupportingTaxTokens function in the Pair contract was externally callable. This function allowed the transfer of any specified tokens in the contract to the address that collects fees. The attacker first initiated a normal small swap to acquire the tokens needed for the next swap. Then, the attacker called the _transferFeesSupportingTaxTokens function to transfer almost all of one of the Pair's tokens to the address collecting fees, causing an imbalance in the Pair's liquidity. Finally, the attacker called the sync function to balance the pool and performed a reverse swap to take more ETH than expected.
Amount of loss: $ 624,000 Attack method: Price Manipulation
Description of the event: Some community users reported that the cryptocurrency exchange ZT Global was suspected of running away. Since the announcement of system upgrade and maintenance on July 28, transactions on the platform have been disabled. The TG channel has been banned and the founder cannot be contacted. At 21:00 on July 31, the exchange announced that it had completed maintenance and resumed trading functions, but the trading page showed that buy orders of only 0.0006 BTC ($17) pushed up the price of BTC on the platform and maintained it at 60,000 USD. The price of ETH also fluctuated violently on a trading volume of tens of dollars.
Amount of loss: - Attack method: Rug Pull
Description of the event: A MEME coin called BALD, built on the Coinbase Base test network, appears to have pulled in at least $25.6 million. Although the Base network was intended to be used for developer testing, an anonymous cryptocurrency user named "Bald" announced that they would be selling BALD tokens on the Base network, and the token's price skyrocketed. However, token deployers emptied liquidity pools of around $25.6 million worth of tokens just two days after launch, clearly pulling the market. The token price quickly plummeted by around 90%.
Amount of loss: $ 25,600,000 Attack method: Rug Pull
Description of the event: The NFT lending platform JPEG'd was hacked, and JPEG tokens fell by 40% in a short period of time, with a loss of at least about $10 million. The root cause is reentrancy. When the attacker calls the remove_liquidity function to remove liquidity, he adds liquidity by re-entering the add_liquidity function. Because the balance is updated before the add_liquidity function is re-entered, the price calculation is wrong. JPEG'd tweeted that the pETH-ETH Curve pool was attacked. The vault contract that allows NFTs to be borrowed is safe and still functioning. NFTs and treasury funds are secure. The JPEG'd contract has not been hacked and is safe. On August 5, JPEG'd tweeted that the DAO multi-signature address confirmed receipt of 5494.4 WETH, and the address owner who recovered funds from the pETH vulnerability received a 10% white hat bounty, which is 610.6 WETH.
Amount of loss: $ 11,363,266 Attack method: Reentrancy Attack
Description of the event: Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a faulty recursive lock. crvUSD contracts and other fund pools are not affected. As of now, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix's funds in the Curve pool. On August 19, MetronomeDAO stated that a MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.
Amount of loss: $ 25,123,594 Attack method: Affected by Vyper Vulnerability
Description of the event: DeFi lending protocol Alchemix said on Twitter that after receiving notification from Curve Finance that the alETH/ETH pool was attacked due to a Vyper bug, Alchemix quickly began removing AMO-controlled liquidity from the Curve pool through the AMO contract. The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been compromised in any way and funds are safe. Three transactions are required: unstake LP tokens from Convex, withdraw alETH from the Curve pool, and withdraw ETH from the Curve pool. The first transaction was executed, and after the second transaction was executed, 8000 ETH had been removed from the Curve pool. This left about 5,000 ETH of AMO-controlled liquidity in the Curve pool. In the process of removing the remaining liquidity, the alETH/ETH Curve pool was drained by the attacker. Currently, the alETH reserve has lost about 5,000 ETH. On September 4, Alchemix issued a document stating that a white hat MEV bot operator has returned 43.3 ETH in profits obtained through arbitrage from the Curve alETH/ETH pool attack, which will be added to the redistribution of funds.
Amount of loss: $ 35,315,843 Attack method: Affected by Vyper Vulnerability
Description of the event: On August 6, the Ethereum compiler Vyper released an analysis report on last week's vulnerability incidents: Prior to July 30, due to potential vulnerabilities in the Vyper compiler, multiple Curve liquidity pools were exploited. While the bug was identified and patched, the impact on protocols using the vulnerable compiler was not recognized at the time, nor were they explicitly notified. The vulnerability itself is an improperly implemented reentrancy prevention, and the affected Vyper versions are v0.2.15, v0.2.16, v0.3.0. The vulnerability was fixed and tested in v0.3.1; v0.3.1 and later are safe.
Amount of loss: - Attack method: Compiler Bug
Description of the event: Kannagi Finance has rug pulled, making away with up to $2.13 million in investor funds. The platform runs on zkSync Era, which is in the race for the best Ethereum Layer 2 network. The network has deleted its official website, including social media and communication accounts.
Amount of loss: $ 2,130,000 Attack method: Rug Pull
Description of the event: DefiLabs on the BNB chain has run away, taking about $1.6 million. The privileged address 0xee08 drains user funds by exploiting the backdoor function withdrawFunds() in the vPoolv6 contract. DeFiLabs claimed on Twitter that the platform had “experienced unexpected issues” while it was “going through maintenance and updates.”
Amount of loss: $ 1,600,000 Attack method: Rug Pull
Description of the event: A serious flaw in Pond0x, the Pepe the Frog-branded MEME coin launched by Pauly0x, caused traders to lose at least $2.2 million after it was discovered that anyone could transfer tokens belonging to someone else. People quickly started scrambling to steal money from each other. Pauly0x responded by blaming traders who were buying and selling tokens, with various Twitter posts the next day saying he was teaching people a lesson that it wasn’t his fault that people lost money. He wrote to angry traders accusing him of rug pulling. He added a message to the website: "GREED KILLS".
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
Description of the event: Carson, a project in the BSC ecosystem, was attacked and lost about $145,000. At present, the price of Carson tokens has dropped by 96%, and the attacker has exchanged the stolen assets for 600 BNB and transferred them to Tornado Cash. The attacker repeatedly called the swapExactTokensForTokensSupportingFeeOnTransferTokens function in the 0x2bdf...341a contract (not open-source) through flash loans, swapped for BUSD and burned Carson in the pair, then repeatedly inflated the price of Carson for profit.
Amount of loss: $ 145,000 Attack method: Flash Loan Attack