1875 hack event(s)
Description of the event: A Rug Pull occurred in the NFT metaverse game project Pokemoney on BNB Chain. Its token PMY dropped by 99.98%, and about 11,800 BNB (about 3.5 million US dollars) were withdrawn and transferred out.
Amount of loss: $ 3,500,000 Attack method: Rug Pull
Description of the event: Terra research forum member FatMan tweeted that the Mirror Protocol, a synthetic asset protocol developed by Terraform Labs, has had a longstanding vulnerability. Since October 2021, attackers have exploited this vulnerability in multiple attacks over a period of 7 months, with the highest single profit exceeding $4 million ($4.3 million from a $10,000 input), none of which Terraform Labs or the Mirror team noticed. By the time the bug was fixed, the attackers' total profit from exploiting it could have exceeded $30 million. FatMan said the bug was discovered and raised by Mirror forum members 11 days ago and has since been fixed, but the Mirror team has not made any statement on the matter.
Amount of loss: $ 90,000,000 Attack method: Contract Vulnerability
Description of the event: DecentraWorld’s DEWO token price plummeted, the founding team of DecentraWorld drained the project’s funds and stole 3,127 BNB (about $1 million), and the project’s official website and Twitter account were deleted.
Amount of loss: 3,127 BNB Attack method: Rug Pull
Description of the event: The first algorithmic stablecoin project on Binance Smart Chain, bDollar, suffered a price manipulation attack, and the attacker made a profit of 2,381 WBNB (worth about $730,000). The attack mainly exploited a design flaw in the claimAndReinvestFromPancakePool function of the DAO fund proxy contract CommunityFund when adding liquidity: the function does not account for the fact that, after the price has been maliciously pushed up, the project's own contract funds are passively used to add liquidity at the manipulated high price.
Amount of loss: 2381 WBNB Attack method: Price Manipulation
Description of the event: The project behind the Llamaverse, the Llamascape NFT series, was hacked. Hackers targeted their Discord server and scammers took around 30-40 ETH.
Amount of loss: 30-40 ETH Attack method: Account Compromise
Description of the event: According to Pinpoint News, Klaytn-based DeFi project Kronos DAO misappropriated users’ DAI pledged in its vaults to invest in Kairos Cash and lost 6 million DAI. The 6 million DAI staked by users turned into 6 million Kairos Cash in the Kronos DAO Vault, which Kronos DAO explained was “used as a strategic investment.” Investors, however, complained that the explanation was insufficient and that no advance notice had been given. At present, Kronos DAO has closed its Kakao Talk and Telegram communication channels, leaving only Discord as a communication channel.
Amount of loss: 6,000,000 DAI Attack method: Insider Manipulation
Description of the event: The American actor Seth Green suffered a phishing attack resulting in the loss of 4 NFTs: 1 BAYC, 2 MAYC and 1 Doodle. The scammer sold all 4 NFTs for nearly 160 ETH (about $330,000).
Amount of loss: 160 ETH Attack method: Phishing attack
Description of the event: Axie Infinity says the Mee6 bot on its main server was hacked. The hackers used the Mee6 bot to grant permissions to a fake Jiho account, which then posted fake announcements about a mint. MEE6 is a Discord bot that allows admins to automatically assign and remove roles and send messages. The fake announcement has now been removed.
Amount of loss: - Attack method: Account Compromise
Description of the event: The Feminist Metaverse project on BNB Chain was attacked. The attackers have transferred 1838 BNB to Tornado.cash, about $540,000.
Amount of loss: 1,838 BNB Attack method: Flash Loan Attack
Description of the event: On May 18, the QANX Bridge was attacked between 15:01:40 and 18:20:25 UTC. The attackers were able to withdraw 100,450,000 QANX from the QANX Bridge, sell it on Uniswap for 325 ETH, and transfer the proceeds to Tornado Cash. By May 26, the hackers had sold all the stolen QANX tokens.
Amount of loss: 100,450,000 QANX Attack method: Private Key Leakage
Description of the event: The Discord server of the NFT series Lazy Lions was hacked. Notably, this attack appears to have affected many other large NFT projects throughout the day, seemingly because MEE6 staff were able to use MEE6 remotely to give themselves roles in any server.
Amount of loss: - Attack method: Account Compromise
Description of the event: NFT project Alien Frens tweeted that its Discord had been attacked. Users were asked not to click on any MINT links.
Amount of loss: - Attack method: Account Compromise
Description of the event: The multi-chain DeFi protocol FEG was attacked again. The flash loan attack on the BNB chain lost about $1.3 million in assets, and a subsequent flash loan attack on Ethereum caused a loss of about $590,000, for a total loss of about $1.9 million in assets. This attack is similar to yesterday's attack and is caused by a vulnerability in the "swapToSwap()" function. This function directly uses the "path" entered by the user as a trusted party without screening or validating the incoming parameter. Additionally, the function allows an unverified "path" parameter (address) to use the current contract's assets. Therefore, by calling "depositInternal()" and "swapToSwap()", the attacker can obtain permission to use the assets of the current contract, thereby stealing the assets within it.
Amount of loss: $ 1,900,000 Attack method: Flash Loan Attack
Description of the event: There was an abnormality on the Tianqiong Digital Collection (Tianqiongshuzang) platform. The price of its collections on the secondary market skyrocketed thousands of times, and collections priced at nearly 10 million yuan were sold within seconds. The Tianqiongshuzang announcement stated that the platform was maliciously attacked by hackers who used false balances to purchase and steal player collections.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: The multi-chain DeFi protocol FEG was suspected of being attacked, and a total of 143 Ethereum and 32,747 BNB were lost, about $1.3 million.
Amount of loss: $ 1,300,000 Attack method: Flash Loan Attack
Description of the event: Fantom-based DeFi lending protocol Scream caused $35 million in bad debt after failing to adjust the price of two de-pegged USD stablecoins. The two stablecoins are Fantom USD (FUSD) and Dei (DEI). Both stablecoins are still quoted at $1, according to data from the Scream dashboard. However, their trading prices have been severely de-pegged. Among them, FUSD fell to $0.69, and DEI fell to a low of $0.52. Whale players took advantage of this situation to deposit large amounts of FUSD and DEI at a discount, and siphoned all other stablecoins from the Scream platform. Stablecoins such as Fantom USDT, FRAX, DAI, MIM, and USDC have all been withdrawn from the platform. As a result, users who originally had deposits in these stablecoins would not be able to withdraw from Scream.
Amount of loss: $ 35,000,000 Attack method: Stablecoin prices de-anchor
Description of the event: SpiritSwap tweeted that its front-end server hosted on AWS was compromised by hackers, the website's parameters were tampered with, and $18,000 had been stolen so far. According to the official postmortem analysis, the attackers contacted GoDaddy and carried out a social engineering attack on one of its employees. After gaining access to the account, the attackers modified the DNS settings and changed all credentials, effectively hijacking access and taking ownership for themselves. After securing access to the SpiritSwap domain, the attackers deployed a phishing site disguised as SpiritSwap. The attackers then used the "send to" function in the exchange contract to reroute any funds swapped by users to the attacker's address.
Amount of loss: $ 18,000 Attack method: Malicious Code Injection Attack
Description of the event: Decentralized exchange QuickSwap came under attack due to a vulnerability at its hosting provider GoDaddy. The hijackers gained access to QuickSwap's DNS through a vulnerability at GoDaddy, where the QuickSwap domains were hosted. Some DEX users lost around $107,600 through platform swaps before QuickSwap was able to regain control of its domain.
Amount of loss: $ 107,600 Attack method: DNS Hijacking Attack
Description of the event: Popular cryptocurrency websites including Etherscan, CoinGecko, and DeFi Pulse have reported incidents of malicious pop-ups prompting users to connect their MetaMask wallets. CoinGecko founder Bobby Ong said he believes the culprit is a malicious ad script from a crypto ad network called Coinzilla. The ad appears to be from a website parodying the popular Bored Apes Yacht Club NFT project, which was taken down after the scam was discovered.
Amount of loss: - Attack method: Phishing attack
Description of the event: Venus Protocol issued a statement saying that Chainlink’s suspension of LUNA price updates after extreme volatility in LUNA prices caused the price of LUNA on the Venus lending market to remain at $0.107, while the market price of LUNA had dropped to $0.01 at that time. After the price update was suspended, two addresses lent about $13.5 million in assets by staking 230 million LUNA (worth about $2.3 million at the time), resulting in a loss of about $11.2 million to the protocol. At present, the LUNA lending market has been suspended, and this loss will be made up by the risk fund.
Amount of loss: $ 11,200,000 Attack method: Oracle Attack