1957 hack event(s)
Description of the event: Yuga Labs tweeted that the Twitter account of the company's new CEO, Daniel Alegre, was hacked and is now under hacker control. Yuga Labs reminds users not to click on any minting links or interact with any Twitter accounts named Daniel Alegre until the official update notice is released. The Yuga Labs team is working with Twitter to regain control of the account.
Amount of loss: - Attack method: Account Compromise
Description of the event: XIRTAM, a project built on the Arbitrum ecosystem, is a reputation-building platform that does not require KYC. It advocates building digital reputation step by step through the XIRTAM system in an anonymous and decentralized manner, and users can earn rewards for participating in activities on XIRTAM. The project team carried out a Rug Pull on the 3rd. However, unlike most Rug Pull projects, the XIRTAM team did not send the 1,909 ETH it had raised to a coin mixing service to hide its identity and the flow of the funds, but deposited all of the funds in Binance. Binance stated that the funds involved in the XIRTAM project have been frozen and that it will cooperate with law enforcement agencies in the investigation.
Amount of loss: 1,909 ETH Attack method: Rug Pull
Description of the event: LEVEL Finance, a project on BNB, was hacked and lost $1 million. The hackers created an unverified contract 7 days before the attack, used a delegate function to extract LVL tokens in 15,000 increments, converted 214,000 LVL tokens into 3,345 BNB and transferred them to Tornado Cash.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: The EOS project pcash was attacked and lost about $2 million.
Amount of loss: $ 2,000,000 Attack method: Unknown
Description of the event: DeFi protocol 0VIX on the Polygon chain was exploited for around $2 million. The attacker manipulated the oracle and then performed a flash loan attack on the project. The protocol was suspended after the attack.
Amount of loss: $ 2,000,000 Attack method: Oracle Attack
Description of the event: Bobie, the founder of the Web3 knowledge graph protocol 0xScope, tweeted that the liquidity of Merlin, a DEX in the zkSync ecosystem, had been drained, and that hackers stole $1.82 million in funds and bridged them to Ethereum. According to analysis, this was an internal Rug Pull in which Merlin insiders maliciously used the privileges of the owner's wallet.
Amount of loss: $ 1,820,000 Attack method: Rug Pull
Description of the event: Ordinals Finance has been identified as an exit scam project that caused $1 million in losses. The deployer withdrew OFI tokens from the OEBStaking contract, exchanged them for ETH and transferred them to the EOA address (0x34e...25cCF), which in turn transferred 550 ETH (approximately $1 million) to Tornado Cash. All social media accounts and websites of the project have been deleted.
Amount of loss: $ 1,000,000 Attack method: Rug Pull
Description of the event: The crypto exchange Kucoin stated that its official Twitter account was compromised for about 45 minutes starting at 00:00 on April 24 (UTC+2), and that the attacker posted fake activities, causing multiple users to lose assets. As of 02:00 (UTC+2) on April 24, 22 transactions had been identified, including ETH/BTC transfers related to the fake activity, with a total value of 22,628 USDT. Kucoin will fully compensate all verified asset losses caused by social media leaks and fake activities.
Amount of loss: $ 22,628 Attack method: Account Compromise
Description of the event: UniSat Wallet tweeted: “Due to a vulnerability in our code base, the UniSat Marketplace that just launched has suffered a lot of double-spend attacks. In the test last week, we simulated different double-spend attack methods and made code improvements and enhancements. Unfortunately, certain issues were still exposed in the initial public release. Currently, we have preliminary findings, and out of a total of 383 transactions, 70 transactions have been identified as affected. We will report on In the next few days, we will further investigate and compensate the losses of users related to this incident.” It is reported that UniSat Marketplace is a PSBT-based inscription market that supports BRC-20 assets on the Bitcoin chain.
Amount of loss: - Attack method: Double Spend Attack
Description of the event: Multi-chain lending protocol FilDA released a statement on an exploit, saying that it was attacked earlier today on the Elastos Smart Chain (ESC) and REI networks, causing losses of approximately $700,000. No other FilDA deployments were affected. The vulnerabilities have been identified and the attack vectors isolated.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: Wayne, the co-founder of the NFT game Tales of Elleria, tweeted early this morning: "The bridge contract of Tales of Elleria was exploited, causing its LP to be depleted and losing more than $280,000. The attacker seems to have generated his own signature, and extracted a large amount of ELM tokens, draining the LP. The current findings suspect that the hacker exploited the ecrecover function and was able to generate authorized signatures without our private key."
Amount of loss: $ 280,000 Attack method: Contract Vulnerability
Description of the event: Sealaunch, an NFT data and research platform, observed that the MEV bot named jaredfromsubway.eth recently carried out "sandwich attacks" on buyers and sellers of meme coins such as WOJAK and PEPE, earning more than $1.4 million in profits. Additionally, Sealaunch stated that MEV bots spent 7% of Ethereum’s gas fees during the 24-hour period between April 18 and 19. A sandwich attack occurs when the attacker "sandwiches" the victim's transaction between two of their own, manipulating the price to profit at the victim's expense.
Amount of loss: $ 1,400,000 Attack method: Sandwich Attack
Description of the event: The Discord server of the cross-chain trading platform zkLink has been hacked, and the hackers posted phishing links. Do not click on any links until the team confirms that they have regained control of the server.
Amount of loss: - Attack method: Account Compromise
Description of the event: Arbtomb, a project in the Arbitrum ecosystem, is suspected of a Rug Pull. The scammer bridged 54 ETH (approximately $110,000) to Ethereum, then transferred 52 ETH to Tornado Cash and 2.4 ETH to Binance.
Amount of loss: $ 110,000 Attack method: Rug Pull
Description of the event: KyberSwap, a DEX aggregator and liquidity platform, tweeted that it had discovered a potential vulnerability in KyberSwap Elastic and asked liquidity providers to withdraw their liquidity as soon as possible. No user assets have been lost so far.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The loss from today's HundredFinance hack is ~$7M. The root cause appears to be that the attacker donated 200 WBTC to inflate hWBTC's exchange rate, so that even a tiny amount (2 wei) of hWBTC could basically drain the current lending pools.
Amount of loss: $ 7,000,000 Attack method: Contract Vulnerability
Description of the event: Bitrue tweeted: We have identified a brief exploit in one of our hot wallets at 07:18 (UTC), 14 April 2023. We were able to address this matter quickly and prevented the further exploit of funds. The attackers were able to withdraw assets worth approximately 23M USD in ETH, QNT, GALA, SHIB, HOT and MATIC. The affected hot wallet only holds less than 5% of our overall funds. The rest of our wallets remain secure and have not been compromised. To conduct additional security checks, Bitrue will temporarily suspend all withdrawals and will reopen withdrawals on 18 April 2023. We seek your understanding and patience at this time. All identified users who are affected by this incident will be compensated in full.
Amount of loss: $ 23,000,000 Attack method: Wallet Stolen
Description of the event: SyncDex, a project on the zkSync Era mainnet, has exited with a Rug Pull, resulting in over $370,000 in losses.
Amount of loss: $ 370,000 Attack method: Rug Pull
Description of the event: The decentralized yield aggregation platform Yearn Finance was attacked, and the hackers made more than $10 million in profits. According to SlowMist's analysis, the attacker exploited an incorrectly set fulcrum address in the yUSDT contract to manipulate the stablecoin reserve balance in that contract, then deposited USDT into yUSDT to obtain an unexpectedly large amount of yUSDT tokens for profit.
Amount of loss: $ 10,000,000 Attack method: Contract Vulnerability
Description of the event: MetaPoint ($POT) on BSC was hacked with a loss of $920K. The root cause is that each time users deposit $POT, a new contract is created to hold their funds, but that contract has a public approve function that allows all users' assets to be transferred.
Amount of loss: $ 920,000 Attack method: Contract Vulnerability