1950 hack event(s)
Description of the event: The DeFi ecological protocol ZEED was attacked and lost about $1 million. At present, the attacker's gains are all in the attack contract.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: The SlowMist security team found that funds from about 52 addresses were maliciously transferred to terra1fz57nt6t3nnxel6q77wsmxxdesn7rgy0h27x30 from April 12 to April 21, with a total loss of about $4.31 million. The SlowMist security team stated that this attack was a phishing attack on batches of Google keyword advertisements. When a user searches for the well-known Terra project on Google, the first advertisement link (the domain name may be the same) on the Google search result page is actually a phishing website. When a user visits this phishing website and connects to the wallet, the phishing website will remind you to directly enter the mnemonic phrase. Once the user enters and clicks submit, the assets will be stolen by the attacker.
Amount of loss: $ 4,310,000 Attack method: Phishing Attack
Description of the event: A Rug Pull occurred in MaxAPY Finance, an automatic pledge protocol on BNB Chain, and its official Twitter account and Telegram group have been deleted. MaxAPY contract owners have transferred 1,042 BNB.
Amount of loss: 1042 BNB Attack method: Rug Pull
Description of the event: The Discord of NFT project Ugly People has been hacked, and attackers are spreading fake mint links.
Amount of loss: - Attack method: Account Compromise
Description of the event: The protocol loss caused by the flash loan attack of Ethereum-based algorithm stablecoin project Beanstalk Farms is about 182 million US dollars. The specific assets include 79238241 BEAN3CRV-f, 1637956 BEANLUSD-f, 36084584 BEAN and 0.54 UNI-V2_WETH_BEAN . The attackers made over $80 million, including about 24,830 ETH and 36 million BEAN. The main reason for this attack is that there is no time interval between the voting and execution of the proposal, so that the attacker can directly execute malicious proposals without community review after completing the voting.
Amount of loss: $ 182,000,000 Attack method: Flash loan attack
Description of the event: According to official sources, a large amount of FACE tokens were dumped on-chain, and the investigation turned out that one of the FACE tokens held by the team was transferred and sold by an unauthorized account.
Amount of loss: - Attack method: Phishing attack
Description of the event: The developer of Klaytn-based NFT project Metaconz tweeted that a malicious bot was installed on the administrator account of Metaconz’s Discord overseas team on Saturday, causing 79 users to lose 11.9 ETH (about $36,000), the team said. It promised to compensate all losses, and 53 users have so far been compensated. In addition, the developer reminded that if the user executes the setApprovalForAll function in Etherscan, please transfer the wallet unconditionally. Therefore, in this attack, the hacker used this function to deprive the victim of the wallet permission.
Amount of loss: 11.9 ETH Attack method: Account Compromise
Description of the event: Metaverse DeFi protocol Rikkei Finance was attacked because the attacker changed the oracle machine to a malicious contract. Rikkei Finance said users affected by the exploit will be fully compensated, and the team said the bug is being fixed and services have been fully restored. The total loss value is approximately $1.1 million (2671 BNB).
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: Elephant Money was attacked, resulting in the loss of 27,416.46 BNB. The attacker first used WBNB to buy a large amount of ELEPHANT, and then used BUSD to mint the TRUNK stablecoin. During the minting process, the Elephant contract will convert BUSD to WBNB and then back to ELEPHANT to drive up the ELEPHANT price. The attacker then sells ELEPHANT at a profit.
Amount of loss: 27,416.46 BNB Attack method: Flash loan attack
Description of the event: According to official news, Marvin Inu’s cross-chain bridge was hacked, and tokens worth 110 ETH were stolen and sold, causing a sharp drop in price. The project party has closed the cross-chain bridge and fixed the loopholes. At the same time, it has adjusted the purchase tax to 0%, and promised to repurchase and destroy the tokens to make up for this loss after the price fluctuations stabilize.
Amount of loss: 110 ETH Attack method: Contract Vulnerability
Description of the event: There is a fundamental vulnerability in the CF token contract that allows anyone to transfer someone else's CF balance. The losses so far are around $1.9 million, while the CF/USDT trading pair on pancakeswap has been affected.
Amount of loss: $ 1,900,000 Attack method: Contract Vulnerability
Description of the event: The Education Grants Council (UGC) of India was hacked, the hackers used the Twitter account to post a fake Azuki NFT airdrop link and changed the profile to the Azuki NFT co-creator, replacing the avatar with an Azuki-related image. The agency recovered the account after it was held hostage for six hours.
Amount of loss: - Attack method: Account Compromise
Description of the event: Starstream Finance and Agora DeFi projects under attack. Attackers exploited a vulnerability in Starstream to siphon tokens from the protocol, then used the tokens as collateral to obtain large loans from Agora. The Starstream hack was achieved through an unprotected execute function in its DistributorTreasury contract, which is marked as an external function and can be used to call external functions. In total, the attackers borrowed about $8.2 million worth of tokens from Agora.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: In 2022, the DeFi protocol Vires Finance on the Waves blockchain suffered losses exceeding $530 million, with its founder Sasha Ivanov facing allegations of fraud. Research suggests that his wallet may have been linked to the outflow of funds, though Ivanov has denied all accusations, calling them “baseless rumors.” The incident had major market and legal repercussions—Waves' native token (WAVES) plunged by 95%, and the stablecoin USDN also sharply depegged. Investors including Alameda Research and Avraham Eisenberg have filed lawsuits against Ivanov in efforts to recover their losses, with legal proceedings still ongoing.
Amount of loss: $ 530,000,000 Attack method: Unknown
Description of the event: According to the official news of each project, the Discord of NFT projects whose servers are currently under attack include BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz. In addition, the source code of the verification robot Captcha has been leaked, and the private message tool Ticket tool has been attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Ola Finance on the Fuse chain published a blog post on the hacking incident, stating that the attack lost approximately $4.67 million, including 216,964.18 USDC, 507,216.68 BUSD, 200,000 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE. The attack uses a reentrancy vulnerability in the ERC677 token standard.
Amount of loss: $ 4,670,000 Attack method: Reentrancy Attack
Description of the event: According to BasketDAOOrg's official Twitter, there is a vulnerability in BMIZapper, which caused users to lose about 1.2 million US dollars.
Amount of loss: $ 1,200,000 Attack method: Contract Vulnerability
Description of the event: Castle Finance developer Charlie You discovered a critical vulnerability in Solana's ecological lending protocol, Jet Protocol, that could allow attackers to withdraw tokens from arbitrary accounts. It is reported that Charlie You was discovered in January this year, but it has existed since the code update on December 15, 2021. Charlie You said that the vulnerability may cause up to 20 million US dollars in financial losses. For now, the Jet Protocol team has fixed it.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: A Rug Pull occurred in BNB DEFI, and the DEFI token fell by 68% in a short time. At present, the project has closed the community, and DEFI tokens have been exchanged for about 255 BNB.
Amount of loss: 255 BNB Attack method: Rug Pull
Description of the event: Axie Infinity sidechain Ronin Network issued a community alert today. Ronin Network experienced a security breach. Ronin bridge 17.36w ETH and 25.5M USDC were stolen, with a loss of more than 610 million US dollars. As stated by the Ronin developers, the attacker used the hacked private key to forge fake withdrawals, pulling funds out of the Ronin bridge in just two transactions. It is reported that this incident is suspected to be related to the North Korean hacker group Lazarus Group.
Amount of loss: $ 610,000,000 Attack method: Private Key Leakage