2041 hack event(s)
Description of the event: The Mango INU (MNGO) project has been confirmed to be an exit scam, and the token price has dropped by more than 80%. This token project was deployed by the Mango Market attackers and has made a profit of about $48,500.
Amount of loss: $ 48,500 Attack method: Scam
Description of the event: According to Cointelegraph, a vulnerability in the Ethereum Alarm Clock service has been exploited, and the hacker has so far made about $260,000 in profit. According to the analysis, hackers managed to exploit a loophole in the scheduled transaction process to profit from the refund of gas fees for canceled transactions. According to Etherscan transaction history, the hackers have obtained 204 ETH, worth about $259,800. The Ethereum Alarm Clock service allows users to schedule future transactions by pre-determining the recipient address, sending amount and transaction time.
Amount of loss: $ 260,000 Attack method: Contract Vulnerability
Description of the event: On October 19, the Moola protocol on Celo was attacked, and the hackers made a profit of about $9 million. This was a price manipulation attack. The attackers returned about 93.1% of the proceeds to the Moola Market project and donated 500,000 CELO to the impact market, leaving a total of 650,000 CELO as a bounty.
Amount of loss: $ 9,000,000 Attack method: Price Manipulation
Description of the event: Metaverse data platform Dataverse tweeted that it has detected hackers attacking the GEO BSC contract, and reminded users not to buy GEO on BSC; any coins purchased on BNB Chain from October 19th to 22nd UTC are invalid. The attack may have been caused by the "allow unlimited minting" vulnerability in the minting function of BGEO (Binance GeoDB Coin).
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: As reported by Cointelegraph, the BitBTC team has now fixed the bug after Twitter user @PlasmaPower0 disclosed a “fake minting” bug that existed in the cross-chain bridge between BitBTC and Optimism. It is reported that the vulnerability allows an attacker to fake tokens on one side of the bridge and exchange them for real tokens on the other side. Attackers have tried to extract 200 billion BitBTC tokens from Optimism through this vulnerability, but this was only a test.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The PLTD project was attacked by hackers, all BUSD in its trading pool was drained, and the attackers gained a total of 24,497 BUSD. The attack mainly exploited a code flaw in the PLTD contract: a flash loan was used to reduce the PLTD token balance in Cake-LP (0x4397c7) to 1, and the attackers then used the PLTD they held to swap all of the BUSD into the attack contract.
Amount of loss: 24,497 BUSD Attack method: Flash Loan Attack
Description of the event: According to an official announcement from the wallet BitKeep, BitKeep Swap was attacked by hackers, and the development team has carried out urgent processing. The hacker's attack has been stopped. The attack was concentrated on the BNB Chain, resulting in a loss of about 1 million US dollars. According to SlowMist MistTrack monitoring, the BitKeep Swap attackers have transferred 4,300 BNB (about $1.18 million) of stolen funds to Tornado Cash in batches of 100 BNB each.
Amount of loss: $ 1,180,000 Attack method: Contract Vulnerability
Description of the event: The official wallet of NFT platform LiveArtX was stolen, and several reserved NFTs were sold. According to MistTrack analysis, the LiveArtX attacker (0x5f78...A920) has transferred 7.3 ETH and 22.39 WETH to BitKeep, then exchanged them for USDT and transferred it to a new address (0x871e...A575).
Amount of loss: $ 39,000 Attack method: Private Key Leakage
Description of the event: The non-open-source contract 0xFaC064847aB0Bb7ac9F30a1397BebcEdD4879841 of the MTDAO project team was hit by a flash loan attack. The affected tokens were MT and ULM, and the attacker's total profit was 487,042.615 BUSD. The attacker used the functions 0xd672c6ce and 0x70d68294 in the non-open-source contract to call the sendtransfer function in the MT and ULM token contracts to profit (because they were all deployed by the project team, the non-open-source contract 0xFaC06484 has minter permission).
Amount of loss: 487,042.615 BUSD Attack method: Flash Loan Attack
Description of the event: The EFLeverVault contract of Earning.Farm was attacked twice by flash loans. The first attack was intercepted by an MEV bot, causing the contract to lose 480 ETH; the second hacker completed the attack and made a profit of 268 ETH. According to the analysis, the vulnerability is caused by the contract’s flash loan callback function not verifying the flash loan initiator. The attacker can trigger the contract’s flash loan callback logic directly: repay the Aave stETH debt in the contract, withdraw, and then exchange stETH for ETH. The attacker can then call the withdraw function to withdraw all of the ETH balance in the contract.
Amount of loss: 268 ETH Attack method: Flash Loan Attack
Description of the event: According to the X-explore blog, the hacker address starting with 0x1d37 is stealing gas by exploiting an FTX vulnerability, minting XEN tokens 17,000 times at zero cost. The reason for this attack is that FTX does not cap the gas limit of withdrawal transactions while charging no withdrawal fee; instead, the estimateGas method is used to estimate the fee. This causes the gas limit to be mostly 500,000, which is 24 times the default value of 21,000.
Amount of loss: 81 ETH Attack method: Contract Vulnerability
Description of the event: Mango, the Solana ecosystem decentralized finance platform, tweeted: “A hacker is currently investigating an incident in which a hacker extracted funds from Mango through price manipulation through oracle machines.” According to a detailed report, the protocol was attacked at approximately 6:00 on October 12, Beijing time. Two accounts funded with USDC took excessive positions in MNGO-PERP, and the underlying price of MNGO/USD on various exchanges (FTX, Ascendex) saw a 5-10 times increase within a few minutes. This caused the Switchboard and Pyth oracles to update their MNGO benchmark prices above $0.15, which in turn caused the mark-to-market unrealized profit on the long MNGO-PERP position to increase the account value, allowing the accounts to borrow and withdraw BTC (sollet), USDT, SOL, mSOL and USDC from the Mango protocol. This pushed borrowing against the equivalent of USD 190 million in deposits on the platform to the maximum, and the net value withdrawn from the account at that time was about USD 100 million.
Amount of loss: $ 100,000,000 Attack method: Flash Loan Attack
Description of the event: Tulip Protocol, a Solana ecosystem yield aggregator and leveraged yield farming platform, stated that its exposure to the Mango attack was limited to a portion of the USDC/RAY strategy vault, namely 2,465,841.497167 USDC and 66,721.925355 RAY, and the funds affected by the Mango attack were about $2.5 million.
Amount of loss: $ 2,500,000 Attack method: Affected by the Mango attack
Description of the event: The total amount of funds of the Solana ecosystem algorithmic stablecoin protocol UXD Protocol affected by the Mango attack is $19,986,134.9037. UXD Protocol stated: “Our insurance fund is sufficient to cover losses. UXD is fully secured and will be redeemable by users once Mango Markets recovers from the exploit. The total insurance fund is $53,527,304.7757. UXD Protocol has suspended UXD minting for risk minimization. Minting will be re-enabled once we confirm the issue with Mango Markets has been resolved.”
Amount of loss: $ 20,000,000 Attack method: Affected by the Mango attack
Description of the event: The Journey of Awakening (ATK) project suffered a flash loan attack. The attacker used a flash loan to attack the strategy contract of the ATK project (0x96bF2E6CC029363B57Ffa5984b943f825D333614) and obtained a large amount of ATK tokens from the contract. The attackers have exchanged all of the obtained ATK tokens for approximately $120,000 in BSC-USD, and the stolen funds are currently being exchanged for BNB and all transferred to Tornado Cash.
Amount of loss: $ 120,000 Attack method: Flash Loan Attack
Description of the event: The Micro Elements (TME) project is an exit scam; the token price has dropped by more than 95%, and about $548,600 has been stolen. BSC address: 0xd631464f596e2ff3b9fe67a0ae10f6b73637f71e.
Amount of loss: $ 548,600 Attack method: Rug Pull
Description of the event: Layer1 blockchain QANplatform (QANX), which is resistant to quantum computing attacks, tweeted that its smart contract cross-chain bridge was attacked, and the attacker managed to extract tokens, reminding users not to perform any transactions related to QANX tokens. According to the findings, the hackers obtained the private keys to the bridge wallet and withdrew more than 1.4 billion QANX tokens worth more than $1 million in two transactions.
Amount of loss: $ 2,000,000 Attack method: Profanity Vulnerability
Description of the event: According to the official announcement of TokenPocket, the official website tokenpocket.pro is currently under an abnormal traffic attack, and the technical team is carrying out emergency maintenance. During the maintenance period, the TokenPocket website will not be accessible normally, and the security of user assets will not be affected.
Amount of loss: - Attack method: Abnormal traffic attack
Description of the event: DeBank's browser-extension wallet Rabby tweeted that its Rabby Swap smart contract has a vulnerability, and users who have used it should revoke Rabby Swap approvals on all chains as soon as possible. According to the analysis of the SlowMist security team, the Rabby Swap contract was attacked: the token swap function in the contract makes an external call directly through the functionCallWithValue function in the OpenZeppelin Address library, and the parameters passed in by the user are not checked, resulting in an arbitrary external call issue. Attackers exploited this issue to steal funds from users who had approved this contract.
Amount of loss: $ 190,000 Attack method: Contract Vulnerability
Description of the event: The TempleDAO project was hacked, involving an amount of approximately $2.36 million. According to the analysis of the SlowMist security team, because the migrateStake function did not check the oldStaking parameter, the attacker could forge an oldStaking contract to increase the balance arbitrarily.
Amount of loss: $ 2,360,000 Attack method: Contract Vulnerability