1722 hack event(s)
Description of the event: Pancake Hunny, the DeFi protocol on BSC, was attacked by lightning loans, and HUNNY tokens fell by about 70% in a short time. The hacked transactions included 513 transfers, and Gas consumption reached 19 million, of which a large number of transfers were related to Alpaca tokens.
Amount of loss: - Attack method: Flash loan attack
Description of the event: Glide Finance, a DeFi protocol built on the Elastos ecosystem, tweeted that a contract loophole was exploited to siphon money out of the matching contract for a loss of approximately $300,000 because the team changed the fee parameters after an audit but did not update the number on the contract from 1,000 to 10,000. The team is now contacting the exchange to block the transfer of funds and reminding users who have money in Glide's liquidity pool to withdraw funds.
Amount of loss: $300,000 Attack method: Contract Vulnerability
Description of the event: Indexed Finance, a passive income agreement, was attacked, and the affected fund pools included DEFI5 and CC10. After the vulnerability was discovered, it triggered protection measures including DEGEN, NFTP, and FFF (including DEFI5 and CC10) fund pools, and was frozen. About half an hour ago, Indexed Finance officially stated that the root cause of the attack has been determined. The two index token fund pools, DEGEN and NFTP, have resumed normal operation, while the FFF pool is still in a frozen state. Officials stated in Discord that the damage caused by this attack was about 16 million U.S. dollars.
Amount of loss: $16,000,000 Attack method: Pricing mechanism issues
Description of the event: The report released by Sophos stated that the crypto fraud application CryptoRom stole 1.4 million U.S. dollars through the use of "super signature service" and Apple's developer enterprise plan. It is reported that fraudsters gain the trust of victims through Facebook and dating platforms (such as Tinder, Grindr, Bumble, etc.), and then lure them to install a fake cryptocurrency application CryptoRom and invest. The victim installs apps, invests, makes a profit, and is allowed to withdraw funds. After being encouraged, they were forced to invest more, but once they deposited a larger amount, they could no longer withdraw cash. To date, Bitcoin addresses related to the scam have sent more than 1.39 million U.S. dollars, and there may be more addresses related to the scam. According to the report, most of the victims are iPhone users. The report stated that CryptoRom bypassed all security checks in the App Store and remained active every day. The report also stated that Apple “should warn users about installing apps through temporary distribution or through the enterprise configuration system that these apps have not been reviewed by Apple.”
Amount of loss: $ 1,400,000 Attack method: Scam
Description of the event: According to news, the security research company discovered that there is a serious security vulnerability in OpenSea in the NFT market, which may cause hackers to steal the user's entire encrypted wallet. Then OpenSea responded that a repair was implemented within one hour of discovering the problem, and other measures will be taken to strengthen community safety education.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: Quantitative trading company mgnr stated on Twitter that StarkWare has an urgent security issue, but did not disclose the specific details. Louis Guthmann, the head of ecology of the StarkWare team, confirmed that there is indeed a problem. “This is not a security vulnerability on dYdX. ) Is only related to a specific user." mgnr said he has contacted the StarkWare and Solana teams.
Amount of loss: - Attack method: Unknown
Description of the event: The official Twitter account and website of the NFT project Evolved Apes, the project developer "Evil Ape" disappeared last week, and took away 798 ETH worth US$2.7 million.
Amount of loss: 798 ETH Attack method: Rug Pull
Description of the event: My Farm Pet was suspected of being attacked by lightning loans, and today fell 79.86%.
Amount of loss: $ 31,424 Attack method: Flash loan attack
Description of the event: The Bitcoin sidechain Liquid Network launched by Blockstream encountered block signature-related issues after the recent upgrade, resulting in no block generation for more than 7 hours. According to Liquid Network's block explorer, the last block is 1517039, and it was generated 7 hours ago. Liquid Network said on Twitter, "It is investigating a block signature issue related to a recent feature upgrade, but user funds are safe and will not be affected."
Amount of loss: - Attack method: Block signature problem
Description of the event: Staking liquidity solution Lido Finance discovered a loophole through the Lido vulnerability bounty program, which can be used by whitelisted node operators to steal a small portion of user funds. Approximately 20,000 ETH were exposed to risk at the time of the vulnerability report. At present, the team has taken short-term remedial measures. The white hat for reporting the vulnerability is Dmitri Tsumak, the founder of StakeWise, who is expected to receive the highest reward of the vulnerability bounty program of $100,000.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: While the decentralized lending agreement Compound tried to fix the loopholes in the liquidity mining token distribution contract through the No. 63 or No. 64 community proposal, another COMP token worth US$68.8 million (a total of 202,472 COMP) was due to The call of the drip() function was entered into the liquidity mining token distribution contract that has existing loopholes.
Amount of loss: $ 68,800,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain was attacked by lightning loans. The main reason was that the exchange mining function was used by hackers in a series of transactions. Hackers could use lightning loans to occupy most of the mining pool (to make up for exchange losses/fees) ), at the same time, the exchange fee reward was obtained, and a total profit of 3.18 million FINS was obtained. Afterwards, the hacker exchanged FINS for 1,388 BNB (approximately US$580,000).
Amount of loss: 3,180,000 FINS Attack method: Flash loan attack
Description of the event: According to a notification letter submitted by Coinbase to the California Attorney General’s Office to affected customers, a vulnerability that allows hackers to bypass Coinbase’s multi-factor authentication SMS option has affected at least 6,000 Coinbase users between March and May 2021. During the 20th day, hackers took advantage of this omission to access the accounts of affected users and transfer user funds from Coinbase. After Coinbase learned of this issue, it immediately updated its SMS account recovery agreement to prevent hackers from further bypassing the authentication process. In addition, Coinbase will deposit funds of the same value into the accounts of affected users. Coinbase has also been working closely with law enforcement agencies and is conducting an internal investigation into the incident.
Amount of loss: - Attack method: Security Mechanism Issue
Description of the event: POAP, the proof of attendance badge protocol, stated that its minting system was hacked on September 29, and several POAPs of XCOPY and Polygonal Mind were fraudulently issued and sold. At the request of the artist, POAP has burned down the relevant NFT.
Amount of loss: - Attack method: Minting Attack
Description of the event: Iconics, an NFT project on Solana, was accused of being a “Rug pull.” The 17-year-old artist behind Iconics made about $140,000 before disappearing. The project developers also deleted Iconics’ Twitter account and disabled Discord channel chat.
Amount of loss: $ 140,000 Attack method: Rug Pull
Description of the event: Compound, a decentralized lending protocol, confirmed through Twitter that after the implementation of Proposal 062, the liquidity mining of the protocol has an abnormal distribution of COMP tokens. Compound Labs and community members are investigating. Compound said that deposits and borrowed funds have not been found to be at risk. Compound founder Robert Leshner stated that the problem appeared to be an error in the initial setting of the distribution rate of COMP tokens based on Proposal 062, resulting in too much COMP tokens being distributed; however, modification of the corresponding code must go through governance , It takes at least 7 days.
Amount of loss: $ 80,000,000 Attack method: Contract Vulnerability
Description of the event: The non-custodial exchange DeversiFi released a post-mortem analysis report for the previous gas transaction that included 7676.62 ETH, saying that the potential problems in the EthereumJS library are combined with the gas fee changes related to the EIP-1559 upgrade in some cases, and the Ledger hardware wallet may exist The display problem of, may lead to extremely high transaction fees. When this happens, only wallets with very large funds will be affected, and other users will display transaction failures during transactions. In addition, after Bitfinex negotiated with the miners, the miners had returned 7,626 ETH, and the remaining 50 ETH was provided to the miners as a refund fee. It was previously reported that a major wallet on the Bitfinex exchange made a $100,000 USDT transfer with a total of 7676.62 ETH (approximately US$23.54 million) in Gas fees. The final recipient was a non-custodial spin-off from Bitfinex in 2019. Exchange DeversiFi.
Amount of loss: 50.62 ETH Attack method: Handle inventory defects with fixed precision and extended value range
Description of the event: The Bitcoin.org website has activities to give back to the community, and it is suspected that the website has been hacked. The homepage of the website shows a Bitcoin address and states that any first 10,000 users who pay to this address will receive double the amount in return. Cobra, the co-owner of the Bitcoin.org website, tweeted that Bitcoin.org has been hacked and is investigating how hackers set up fraud patterns on the website. It is expected that operations will be suspended for a few days. According to reports, the attackers stole more than 17,000 U.S. dollars.
Amount of loss: $ 17,000 Attack method: Malicious Code Injection Attack
Description of the event: The cross-chain protocol pNetwork released an analysis report in response to the previous attack that resulted in the theft of 277 BTC, stating that at 17:20 UTC on September 19, 2021, the pNetwork system was attacked by hackers who attacked multiple pToken bridges. Including pBTC-on-BSC, TLOS-on-BSC, PNT-on-BSC, pBTC-on-ETH, TLOS-on-ETH and pSAFEMOON-on-ETH. However, hackers only cross-chain bridges in pBTC-on-BSC The attack was successful and 277 BTC were stolen from the pBTC-on-BSC collateral. Other pToken bridges were not affected and the funds were safe.
Amount of loss: 277 BTC Attack method: Contract Vulnerability
Description of the event: According to official sources, the loan agreement Vee.Finance officially released an explanation about the attack. The content is as follows: On September 20, the Vee.Finance team noticed multiple abnormal transfers. After further monitoring, a total of 8804.7 ETH and 213.93 BTC were stolen (total Worth more than 35 million U.S. dollars). The attacker's address is: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA. After investigation, the suspected attacker launched the attack through the above address and has obtained the stolen assets from this address. In order to ensure the safety of more users' assets, the team has suspended the platform contract and suspended the deposit and withdrawal functions. The stablecoin part is not affected by this attack.
Amount of loss: $ 35,000,000 Attack method: Contract Vulnerability