1722 hack event(s)
Description of the event: Dharma Wallet officially tweeted that there was a downtime. After Dharma updated Twitter, it said that it has returned to normal and all funds are safe.
Amount of loss: - Attack method: Downtime
Description of the event: According to the official announcement, some ERC-20, BSC and Polygon tokens of AscendEX were abnormally transferred out of the hot wallet of the exchange, and the cold wallet of AscendEX was not affected by this incident. It is estimated that Pinnacle AscendEX’s losses totaled US$77.7 million (of which US$60 million was on Ethereum, US$9.2 million was on BSC, and US$8.5 million was on Polygon).
Amount of loss: $ 77,700,000 Attack method: Wallet Stolen
Description of the event: Smart contract automation tool Gelato Network tweeted: "We have been alerted to a critical vulnerability in Sorbet Finance's G-UNI router contract. This vulnerability only affects users interacting with the Sorbet UI." Gelato Network released a security incident investigation report, saying that white hat hackers transferred a total of $27 million in assets to ensure the safety of user assets, but there were still $744,000 of funds that were maliciously attacked by MEV. The project stated that the vulnerability that emerged this time is similar to the previous dydx vulnerability, and the smart contract at risk can make arbitrary low-level calls aimed at executing transactions on 1inch, making potential exploits possible.
Amount of loss: $ 744,000 Attack method: Contract Vulnerability
Description of the event: The payment system of ONUS, the largest cryptocurrency trading platform in Vietnam, running a vulnerable version of Log4j suffered a cyber attack. Cyclos notified ONUS to repair the system on December 13, but it was too late. Although ONUS has fixed the security loopholes in the Cyclos instance, the window of loopholes allowed attackers to successfully steal data from sensitive databases. The stolen database contained nearly 2 million user data, including KYC (Know Your Customer) data, hashed passwords, etc. Subsequently, the attacker asked ONUS to pay a ransom of 5 million, otherwise the stolen data would be made public. On December 25, because ONUS did not pay the full ransom, the attackers sold customer data on the dark web data exchange market.
Amount of loss: - Attack method: Ransomware
Description of the event: At 8 pm on December 8, the hacker account itsspiderman used an overflow vulnerability to issue additional tripool market-making certificates in eCurve out of thin air, pledged and loaned most of the tokens in the agreement in PIZZA. Afterwards, hackers created more than 1.3 million accounts and dispersed the stolen assets. The loss of the PIZZA protocol in this attack is equivalent to about 5 million U.S. dollars. After negotiations, the hackers agreed to a ransom of $500,000.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability
Description of the event: 8ight Finance on the Harmony chain was hacked, and $1.75 million was stolen due to the leak of the private key due to google doc. The platform tweeted about the loss yesterday, and in its discord server provided an explanation for the loss of funds: "Two developers on the team have the keys and they were sent via Facebook group chat and google drive. This is our first project, so we have to admit that our opsec is low.”
Amount of loss: $ 1,750,000 Attack method: Private Key Leakage
Description of the event: BitMart founder and CEO Sheldon Xia tweeted to admit that a large-scale security breach occurred on the platform, and hackers were able to extract assets worth about US$150 million. The affected ETH hot wallet and BSC hot wallet carry a small amount of assets on BitMart, and the other wallets are safe and undamaged.
Amount of loss: $ 150,000,000 Attack method: Wallet Stolen
Description of the event: On December 3, a group of white hat hackers notified Polygon’s vulnerability bounty agency Immunefi of a vulnerability in the Polygon PoS creation contract. The Polygon core team contacted the organization and Immunefi's expert team and immediately launched a repair procedure. Validators and the full-node community are notified to upgrade 80% of the network without interruption within 24 hours. The upgrade was performed on December 5th at block #22156660, which did not affect the activity and performance of the network. The vulnerability has been fixed and the damage has been mitigated, with no substantial damage to the agreement and its end users. All Polygon contracts and node implementations remain fully open source. Polygon paid a total of approximately $3.46 million in bounty to the two white hats who helped discover the vulnerability. Despite our best efforts, malicious hackers were able to use this vulnerability to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.
Amount of loss: 801,601 MATIC Attack method: Contract Vulnerability
Description of the event: The decentralized organization Badger DAO was attacked by hackers, and user assets were transferred without authorization. According to the developer's initial inventory of damaged assets, 136,000 bcvxCRV, 64,000 bveCVX, 38 ibBTC/sBTC, 13 bibBTC/sBTC, and 19 DIGG have been lost in this incident.
Amount of loss: $ 120,000,000 Attack method: Malicious Code Injection Attack
Description of the event: The automatic market maker protocol MonoX was hacked. In this attack, approximately US$18.2 million worth of WETH and 10.5 million US dollars of MATIC were stolen. Other stolen tokens included WBTC, LINK, GHST, DUCK, MIM and IMX. The total loss was approximately 31 million U.S. dollars.
Amount of loss: $ 31,000,000 Attack method: Price Update Issue
Description of the event: The malicious contract attacked Visor's OHM-ETH 1% LP management contract. Funds in the targeted pool were recovered by Visor just hours after the attack. The funds deposited by users into Visor are not at risk.
Amount of loss: $ 975,720 Attack method: Flash Loan Attack
Description of the event: This weekend, the biggest rug pull in Avalanche history shocked the network and its users. SDOG is the first meme coin launched on Avalanche, with a price of up to 10 million U.S. dollars, and the team admitted that they "smashed it up." On the other hand, however, what they called a "game theory experiment" went wrong. Snowdog DAO is the protocol behind the SDOG token, and as of press time, its value has lost more than 90%. This is a complex plan that involves insiders using a "key" in a smart contract that only they can access.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: Lever, a decentralized margin trading protocol based on AMM, was attacked by lightning loans. According to the official statement, Lever attacked contract A to borrow 2,100 BNB from PancakeSwap and deposit 2,000 BNB into Lever’s BNB vault. Then borrowed 1500 BNB from Lever’s BNB vault and transferred it to Lever Attack Contract B. Lever Attack Contract B deposited 1500 BNB and used it to consume 32.78 ETH, 1,068.05 BAKE, 167.25 XVS, 1,042.89 DAI, 674,360 USDT. BTC , 1,930.01 CAKE, 463.0078 DOT and 332.9184 WBNB. (Calculated at the current market price, the total loss is equal to US$652,941.949.)
Amount of loss: $ 652941.949 Attack method: Flash Loan Attack
Description of the event: DeFi Derivatives Agreement dYdX released an investigation report on the deposit contract accident on November 27, stating that there has been a serious loophole in the agent smart contract that has been handling deposits to the dYdX exchange since November 24. At around 12:00 UTC on the 27th, dYdX The team performed a white hat hacking operation to save vulnerable user funds, totaling approximately US$2 million. These funds are sent to a non-custodial escrow contract, and only the original owner of these funds can retrieve them. However, when the dYdX team performed the white hat hacking operation, an estimated $211,000 of funds was used by the MEV robot, and the user has now been fully compensated.
Amount of loss: $ 211,000 Attack method: Contract Vulnerability
Description of the event: SnowdogDAO, an Avalanche-based decentralized reserve memecoin, suffered a severe failure yesterday after only 8 days of operation. Snowdog created its own AMM based on Uniswap V2 to move all SDOG liquidity from DEX Avalanche Trader Joe. However, the redemption failed miserably within seconds of launch, with hundreds of users losing most of their funds.
Amount of loss: $ 30,000,000 Attack method: Rug Pull
Description of the event: Optics Bridge was attacked and ownership of the multi-signature wallet was transferred. cLabs engineer Tim Moreton said that the multi-signature permission of Optics, a cross-chain communication protocol on Celo, was replaced because someone activated the Optics recovery mode (recovery mode) on the Ethereum GovernanceRouter contract, which caused the recovery account to take over the Optics protocol and overwrite it. The original multi-signature permissions. Tim Moreton said that he believes that the funds on the current cross-chain bridge are not risky. Tim Moreton also said that the situation occurred within 15 minutes after cLabs expelled James Prestwich. The team is currently contacting James Prestwich to find a solution. The team is currently working to exit the recovery mode and restore the community's multi-signature governance. James Prestwich responded on Twitter that he had never had the right to activate the recovery mode and expressed regret for cLabs and Celo's damage to his reputation.
Amount of loss: - Attack method: Multi-signature permission vulnerability
Description of the event: Ploutoz Finance, the BSC loan agreement, was attacked. Hackers made a profit of 365,000 US dollars, and the agreement suffered even greater losses. The hacker manipulated the oracle price of DOP tokens and used DOP as collateral to lend assets such as CAKE, ETH, BTCB, etc. After that, the hackers used ParaSwap and PancakeSwap to trade for BNB and then transferred to Tornado.Cash.
Amount of loss: $ 365,000 Attack method: Price Manipulation
Description of the event: The administrator of OlympusDAO, a new algorithmic stablecoin protocol based on Ethereum, said on Discord, the administrator of Discord said that yesterday, someone bonds OHM/DAI bonds that are considered to be closed so that they can get a large discount and receive 1,697 OHM (over 1.4 million U.S. dollars) instead of 59 OHM (approximately US$50,000). After OlympusDAO discovered this incident, it immediately closed the bond contract.
Amount of loss: 1,697 OHM Attack method: Contract Vulnerability
Description of the event: DeFi protocol Formation.Fi was attacked by flash loans. The main reason for this incident is that the project party underestimated the impact of fee on totalTokens when designing the function swapIn, and ignored the impact of decimal point accuracy between different tokens.
Amount of loss: $ 100,000 Attack method: Flash Loan Attack
Description of the event: According to blockchain game developer Animoca Brands, on November 19, hackers successfully accessed the Discord account of the science fiction NFT game Phantom Galaxies and took over its server. The hacker subsequently issued a fraudulent statement claiming that the game was launching an NFT minting activity. The hacker directs the user to a website, charges the user 0.1 ETH, and then sends the funds to the hacker's Ethereum address. A total of 265 sent ETH, about 1.1 million US dollars. Animoca Brands pointed out that there is no evidence that smart contracts have been breached, and no funds have been stolen from the game or its developers or publishers.
Amount of loss: 265 ETH Attack method: Discord was hacked