1939 hack event(s)
Description of the event: A meme coin called BALD, built on the Coinbase Base test network, appears to have pulled in at least $25.6 million. Although the Base network was intended to be used for developer testing, an anonymous cryptocurrency user named "Bald" announced that they would be selling BALD tokens on the Base network, and the token's price skyrocketed. However, the token deployers emptied the liquidity pools of around $25.6 million worth of tokens just two days after launch, in what was clearly a rug pull. The token price quickly plummeted by around 90%.
Amount of loss: $ 25,600,000 Attack method: Rug Pull
Description of the event: The NFT lending platform JPEG'd was hacked, and JPEG tokens fell by 40% in a short period of time, with a loss of at least about $10 million. The root cause is reentrancy. When the attacker calls the remove_liquidity function to remove liquidity, they add liquidity by re-entering the add_liquidity function. Because the balance update happens before the re-entry into add_liquidity, the price calculation is wrong. JPEG'd tweeted that the pETH-ETH Curve pool was attacked. The vault contracts that allow borrowing against NFTs are safe and still functioning, and NFTs and treasury funds are secure. The JPEG'd contract has not been hacked and is safe. On August 5, JPEG'd tweeted that the DAO multi-signature address had confirmed receipt of 5494.4 WETH, and that the address owner who recovered funds from the pETH vulnerability received a 10% white hat bounty, which is 610.6 WETH.
Amount of loss: $ 11,363,266 Attack method: Reentrancy Attack
Description of the event: Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a faulty recursive lock. crvUSD contracts and other fund pools are not affected. As of now, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix's funds in the Curve pool. On August 19, MetronomeDAO stated that a MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.
Amount of loss: $ 25,123,594 Attack method: Affected by Vyper Vulnerability
Description of the event: DeFi lending protocol Alchemix said on Twitter that after receiving notification from Curve Finance that the alETH/ETH pool was attacked due to a Vyper bug, Alchemix quickly began removing AMO-controlled liquidity from the Curve pool through the AMO contract. The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been compromised in any way and funds are safe. Three transactions are required: unstake LP tokens from Convex, withdraw alETH from the Curve pool, and withdraw ETH from the Curve pool. The first transaction was executed, and after the second transaction was executed, 8000 ETH had been removed from the Curve pool. This meant that about 5,000 ETH of AMO-controlled liquidity was still in the Curve pool. While the remaining liquidity was being removed, the alETH/ETH Curve pool was drained by the attacker. Currently, the alETH reserve has lost about 5,000 ETH. On September 4, Alchemix issued a document stating that a white hat MEV bot operator had returned 43.3 ETH in profits obtained through arbitrage during the Curve alETH/ETH pool attack, which will be added to the redistribution of funds.
Amount of loss: $ 35,315,843 Attack method: Affected by Vyper Vulnerability
Description of the event: On August 6, the team behind Vyper, a compiler for Ethereum smart contracts, released an analysis report on the previous week's vulnerability incidents: Prior to July 30, due to potential vulnerabilities in the Vyper compiler, multiple Curve liquidity pools were exploited. While the bug was identified and patched, the impact on protocols using the vulnerable compiler was not recognized at the time, nor were they explicitly notified. The vulnerability itself is an improperly implemented reentrancy protection, and the affected Vyper versions are v0.2.15, v0.2.16, and v0.3.0. The vulnerability was fixed and tested in v0.3.1; v0.3.1 and later are safe.
Amount of loss: - Attack method: Compiler Bug
Description of the event: Kannagi Finance has rug pulled, making away with up to $2.13 million in investor funds. The platform runs on zkSync Era, which is in the race for the best Ethereum Layer 2 network. The project has deleted its official website, along with its social media and communication accounts.
Amount of loss: $ 2,130,000 Attack method: Rug Pull
Description of the event: DeFiLabs on the BNB chain has rug pulled, taking about $1.6 million. The privileged address 0xee08 drained user funds by calling the backdoor function withdrawFunds() in the vPoolv6 contract. DeFiLabs claimed on Twitter that the platform had “experienced unexpected issues” while it was “going through maintenance and updates.”
Amount of loss: $ 1,600,000 Attack method: Rug Pull
Description of the event: A serious flaw in Pond0x, the Pepe the Frog-branded meme coin launched by Pauly0x, caused traders to lose at least $2.2 million after it was discovered that anyone could transfer tokens belonging to someone else. People quickly started scrambling to steal money from each other. Pauly0x responded by blaming the traders who were buying and selling tokens, with various Twitter posts the next day saying that he was teaching people a lesson and that it wasn’t his fault that people lost money. He wrote to angry traders who were accusing him of rug pulling. He added a message to the website: "GREED KILLS".
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
Description of the event: Carson, a project in the BSC ecosystem, was attacked and lost about $145,000. At present, the price of Carson tokens has dropped by 96%, and the attacker has exchanged the stolen assets for 600 BNB and transferred them to Tornado Cash. Using flash loans, the attacker repeatedly called the swapExactTokensForTokensSupportingFeeOnTransferTokens function in the 0x2bdf...341a contract (not open-source), swapped for BUSD and burned Carson in the pair, then repeatedly inflated the price of Carson for profit.
Amount of loss: $ 145,000 Attack method: Flash Loan Attack
Description of the event: According to SlowMist, IEGT tokens were created on BSC on July 13. Its creators "secretly minted a large number of tokens in preparation for pulling the rug". Although the project’s token supply is only 5 million tokens, this enabled the team to sell 1 billion tokens, cashing out approximately $1.14 million in USDT stablecoins. According to SlowMist, the project team modified the balance of a specified address through inline assembly when the contract was initialized, secretly issuing a large number of tokens that other users did not know about, so that users were rug pulled when participating in the project.
Amount of loss: $ 1,140,000 Attack method: Rug Pull
Description of the event: The Palmswap project on the BSC chain was attacked, and the attacker made a profit of more than 900,000 US dollars. According to SlowMist's analysis, the attack was possible because access control on a core function was not enabled and because the price calculation model for the liquidity token was too simple, depending only on the number of USDT tokens in the treasury and the total supply. As a result, the attacker could use flash loans to maliciously manipulate the price and obtain unexpected profits. On July 28, Palmswap tweeted that 80% of the stolen funds had been returned, and the remaining 20% was used as a bug bounty for hackers.
Amount of loss: $ 900,000 Attack method: Flash Loan Attack
Description of the event: MetaLabz tweeted: "In order to ensure the supply we hold, we deployed an unaudited contract (token locker), but the contract has been exploited. The situation was then exacerbated by the liquidity attack, resulting in a total loss of slightly more than 400 BNB." According to analysis, the reason is that the authorization check was bypassed.
Amount of loss: 400 BNB Attack method: Contract Vulnerability
Description of the event: On July 25, according to reports from several users, EraLend, the lending protocol on zkSync, was hit by a flash loan attack, and it is currently unable to borrow, but it can be proposed temporarily. On July 26, EraLend released an update on the attack. EraLend stated that the attacker manipulated the oracle price, resulting in the USDC pool being exploited for about 2.76 million US dollars. All other pools remain safe and unaffected. The attackers used multiple bridges to spread the exploited funds across multiple wallets on various chains.
Amount of loss: $ 2,760,000 Attack method: Flash Loan Attack
Description of the event: Cryptocurrency payment service provider Alphapo had its hot wallet stolen, losing $23 million. Alphapo client HypeDrop has disabled withdrawals. The stolen funds were first exchanged for ETH on Ethereum and then bridged to the Avalanche and BTC networks. Alphapo processes payments for many gaming services such as HypeDrop, Bovada, and Ignition. It is unclear how many bitcoins were stolen from Alphapo. On July 25, on-chain analyst ZachXBT tweeted that an additional $37 million stolen on TRON and BTC in the Alphapo hot wallet theft had been found, bringing the total stolen from Alphapo to $60 million. The hack was likely carried out by Lazarus.
Amount of loss: $ 60,000,000 Attack method: Wallet Stolen
Description of the event: On July 23, the CoinList Twitter account was hacked. The account tweeted that CoinList would launch native tokens, and then Neon EVM tweeted that the CoinList account had been stolen and reminded users not to click on any links. On July 25, CoinList shut down the malicious website for the scam token sale, and its security team is actively investigating and working with all relevant parties, including Twitter's support staff, to regain control of the CoinList Twitter account. CoinList will notify the community as soon as the fix process is complete. Currently, CoinList still controls all other official social media channels.
Amount of loss: - Attack method: Account Compromise
Description of the event: This second attack was unrelated to the ETH Omnipool's re-entrancy exploit. The attacker was able to realize a profit of approximately $300k by exploiting the crvUSD Omnipool. We will share more updates as we continue to investigate.
Amount of loss: $ 300,000 Attack method: Flash Loan Attack
Description of the event: Recently, Estonian crypto payment service provider CoinsPaid said it suffered a cyber attack and $37.3 million worth of cryptocurrency was stolen. Although the attack caused significant financial losses to the company and had many adverse effects on the usability of the payment platform, the company stated that customer funds are still safe and the incident will not have a significant impact on the company's business. CoinsPaid said the attack was initiated by the Lazarus hacking group, and their goal was to obtain higher cash. On July 26, SlowMist tweeted that the CoinsPaid, Atomic and Alphapo attackers may all be the North Korean hacker organization Lazarus Group.
Amount of loss: $ 37,300,000 Attack method: Unknown
Description of the event: The Twitter account of Uniswap founder Hayden Adams was hacked, and the account sent multiple tweets containing links to scam websites. "Hayden's account has been hacked," the Uniswap Foundation said in a tweet. "Do not click on this link, or one that may appear in similar tweets."
Amount of loss: - Attack method: Account Compromise
Description of the event: On July 21, Conic Finance's ETH omnipool was hit by a series of small hacks that cost around $3.2 million. Conic Finance issued an update on the attack, saying that the root cause was an incorrect assumption about the address returned by the Curve meta-registry for ETH in Curve V2 pools, which enabled reentrancy attacks, and that it was deploying fixes for the affected contracts.
Amount of loss: $ 3,200,000 Attack method: Reentrancy Attack
Description of the event: The official Twitter account of the DeFi platform Shell Protocol on Arbitrum is suspected of having been compromised. It posted false news about the application of SHELL tokens and closed the comment area. Please do not interact with it. According to reports, the attack appears to have resulted from the hijacking of the founder’s SIM card, which led to both the founder's personal Twitter account and Shell Protocol’s Twitter account being hacked, and the attacker is the PinkDrainer phishing gang.
Amount of loss: - Attack method: Account Compromise