1949 hack event(s)
Description of the event: CS Token was hacked and a total of 714,000 USDT was stolen. The hacker initially transferred 1 BNB from Tornado Cash, and then transferred 383 ETH to Tornado Cash.
Amount of loss: $ 714,000 Attack method: Contract Vulnerability
Description of the event: The team behind Fintoch, a blockchain financial platform, is suspected of running a Ponzi scheme. It defrauded users of 31.6 million USDT on BNB Chain, and the funds were bridged to multiple addresses on Tron and Ethereum. Users reported that they could not withdraw funds. Fintoch advertises itself as a blockchain financial platform built by Morgan Stanley, on which users can get a 1% return on investment every day. The team page on the Fintoch website names "Bobby Lambert" as its CEO, when in fact he doesn't exist and is a paid actor. Earlier, the Singapore government and Morgan Stanley both issued warnings about the investment plan.
Amount of loss: $ 31,600,000 Attack method: Scam
Description of the event: Cross-chain interoperability protocol Celer Network reported Wednesday that it has patched a code vulnerability first discovered by Jump Crypto, The Block reported. A blog post published by Celer and Jump Crypto disclosed a vulnerability in the State Guardian Network (SGN), Celer's proof-of-stake (PoS) blockchain. If exploited, the vulnerability could allow a malicious validator to submit a large number of fraudulent "votes", resulting in a change in the state of the network. Celer emphasized that the breach did not result in any financial loss. The vulnerability was not publicly accessible and no funds were directly at risk when it was discovered. Celer said it would propose a bug bounty for Jump Crypto as a result of the discovery.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: LunaFi, a Polygon ecosystem project, was attacked. The attacker obtained initial funds from Tornado Cash on BSC. The root cause was a flaw in the reward calculation, along with many other issues in the contract.
Amount of loss: $ 35,000 Attack method: Reward Mechanism Flaw
Description of the event: At 15:25 on May 20, Tornado Cash suffered a governance attack. The attacker granted himself 1.2 million votes through a malicious proposal, exceeding the number of legitimate votes (about 700,000), and gained full governance control. An attacker could withdraw all locked votes and drain all tokens in the governance contract, disabling routers, though the attacker would still not be able to drain individual pools. Tornado Cash governance attackers obtained a total of 483,000 TORN from governance vaults.
Amount of loss: $ 2,173,500 Attack method: Governance Attack
Description of the event: The Swap-LP contract on BNB Chain (0xe0c352c56af65772ac7c9ab45b858cb43d22f28f) was attacked, with a loss of approximately $1.1 million. The attacker (0xdead) transferred the stolen funds to Tornado Cash. Specifically, the attacker manipulated a low-level call in the Swap-LP factory address to trigger the 0x33604058 function of the SwapLP pair. This caused all WDZD tokens in the pair to be transferred to the factory address. As a result, the attacker was able to use fewer WDZDs to obtain more SWAP LPs from the unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743 and subsequently destroy the LPs for profit.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: A Nevada man has been charged in connection with his alleged involvement in CoinDeal, an investment fraud scheme that defrauded more than 10,000 victims of more than $45 million, the U.S. Department of Justice announced. According to court documents, Lee allegedly conspired with Neil Chandran and others to defraud investors of companies controlled by Chandran. Operating under the name "ViRSE," these companies include Free Vi Lab, Studio Vi Inc., ViDelivery Inc., ViMarket Inc., and Skalex USA Inc., among others. Presumably, these companies are developing virtual world technology, including their own cryptocurrency, for use in virtual worlds. Chandran allegedly misled investors by falsely promising extremely high returns on the premise that his company was about to be acquired by a syndicate of wealthy buyers. As further alleged, Lee was the nominal owner and director of ViMarket and was instructed by Chandran on how to transfer received investor funds into ViMarket's bank accounts.
Amount of loss: $ 45,000,000 Attack method: Scam
Description of the event: About 110 million USD in WETH, USDT, WBTC, WMATIC in Aave V2 on Polygon cannot be withdrawn, nor can it be borrowed and repaid. This is because the interest rate strategy contract is only compatible with Ethereum, not Polygon. At present, Aave has submitted a patch to fix this problem, which will be deployed after voting. Funds are not at risk, but it takes at least a week for funds to be unfrozen.
Amount of loss: - Attack method: Compatibility issues
Description of the event: Swaprum, an Arbitrum ecosystem project, carried out a Rug Pull. The price of SAPR dropped by 100%, Swaprum deleted its social account, and the scammer bridged 1628 ETH (about 2.94 million US dollars) to Ethereum and transferred it to Tornado Cash.
Amount of loss: $ 3,000,000 Attack method: Rug Pull
Description of the event: On May 19, Blockworks Research stated on Twitter that the Bitcoin Layer 2 network Stacks has experienced several obstacles in the past few months: 1. There is a serious loophole in the STX "stacking" mechanism; 2. Confused review has become common during Stacks mining; 3. Stacks chain block reorganization is more common.
Amount of loss: - Attack method: Block Reorganization
Description of the event: The DeFi protocol WDZD Swap on BSC was exploited and lost about $1.1 million. The attackers made nine malicious transactions that drained 609 Binance-Pegged ETH from contracts related to the WDZD project.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: Alexpf.eth, co-founder and CEO of NFT exchange EZswap, tweeted: "OpenSea is suspected of having a royalty loophole. Recently, OpenSea seems to have changed the owner's identification standard, which means that NFT projects cannot set or change royalties. This error is very serious. Seriously, it's been around for 2 days."
Amount of loss: - Attack method: Royalty Vulnerability
Description of the event: The EOS Network Foundation tweeted that the EOS EVM has released version v0.4.2, which fixes a serious security vulnerability found in the EOS EVM. The EOS EVM contracts, EOS EVM nodes, and EOS EVM RPC components implemented by the EOS mainnet all need to be upgraded.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The Web3 content publishing platform Mirror application is currently experiencing an outage under load.
Amount of loss: - Attack method: Load
Description of the event: The DeFi protocol land was suspected of being attacked and lost about 150,000 US dollars. The reason for the attack was the lack of mint permission control.
Amount of loss: $ 150,000 Attack method: Contract Vulnerability
Description of the event: The LW token on BSC was attacked, with a loss of 48,415 USDT, and the price of LW token plummeted by 69%. The attackers have transferred about 150 BNB to Tornado Cash.
Amount of loss: $ 48,415 Attack method: Contract Vulnerability
Description of the event: The SNK project was attacked. The hacker used SNK's invitation reward mechanism to make a profit of 190,000 US dollars.
Amount of loss: $ 190,000 Attack method: Reward Mechanism Flaw
Description of the event: The WEEB project suffered a price manipulation attack. The hacker used the performUpkeep function in the WEEB token to burn a large balance of WEEB tokens in the pair, thereby increasing the price of WEEB and making a profit of 16 ETH.
Amount of loss: 16 ETH Attack method: Price Manipulation
Description of the event: The Ethereum-based meme cryptocurrency FLOKI has suffered a flash loan attack with a loss of over $50,000. Stolen TX: https://etherscan.io/tx/0x118b7b7c11f9e9bd630ea84ef267b183b34021b667f4a3061f048207d266437a
Amount of loss: $ 50,000 Attack method: Flash Loan Attack
Description of the event: Hakuna Matata ($HAKUNA) was rugged. The scammer initially obtained 2.76 ETH from Orbiter Finance Bridge and added 2 ETH liquidity, then exchanged 4,999T HAKUNA for 17 ETH ($31,683.11), and staked 13.5 ETH in Lido.
Amount of loss: $ 31,683.11 Attack method: Rug Pull