1997 hack event(s)
Description of the event: According to an official announcement by PMX, its Polycule trading bot was exploited by hackers last night due to a vulnerability, resulting in the theft of user funds. The source of the vulnerability has now been identified, and a fix along with a security audit will be released later this weekend. PMX stated that only about $230,000 of user funds were affected. Once the system is restored, the team will compensate affected users on the Polygon network through its treasury, restoring their balances to the levels prior to the attack.
Amount of loss: $ 230,000 Attack method: Contract Vulnerability
Description of the event: According to CertiK Alert, a vulnerability involving a contract related to TMX on Arbitrum has been detected, with estimated losses of around $1.4 million. During the exploit loop, the attacker minted and staked TMX LP tokens using USDT, then swapped USDT for USDG, unstaked, and sold even more USDG.
Amount of loss: $ 1,400,000 Attack method: Contract vulnerability
Description of the event: Fusion has released a security update stating that its IPOR USDC Fusion Optimizer contains a vulnerability in the Arbitrum Vault. The IPOR team was notified and confirmed on January 6 that the vulnerability had resulted in a loss of approximately $336,000 USDC. This exploit only affected a specific older version of the Fusion Vault, and due to its unique configuration, it was the only vault susceptible to this particular attack vector. According to further analysis by SlowMist, the root cause of the incident lies in the underlying contract delegated by the EOA account controlled via EIP‑7702, which contained a security flaw allowing arbitrary external calls. The attacker exploited this flaw to create and configure a malicious circuit-breaker contract targeting the Plasma Vault, thereby illicitly extracting funds from the vault. The official statement noted that the loss represents less than 1% of the total funds secured by Fusion. The team is currently working with Security Alliance to track the funds and attempt recovery. IPOR DAO will cover the deficit from its treasury, and all affected depositors will receive full compensation. Additionally, according to CertiK, approximately $267,000 of the stolen funds have been cross‑chain transferred to the Ethereum network and subsequently moved into Tornado Cash. On January 7, the IPOR team announced on X that the funds have been recovered, and a 10% bounty agreement has been reached with the white-hat party, which will be covered by the IPOR DAO. The incident has now been concluded as a good-faith white-hat security event.
Amount of loss: $ 336,000 Attack method: Contract Vulnerability
Description of the event: The X (formerly Twitter) account of Bitlight Labs, a Bitcoin RGB protocol and Lightning Network stablecoin payment infrastructure provider, was suspected of being compromised and posted content related to a meme token.
Amount of loss: - Attack method: Account Compromise
Description of the event: Multiple suspicious transactions involving proxy contracts were detected on Arbitrum (ARB), with estimated losses of approximately $1.5 million. Preliminary analysis indicates that the sole deployer of the USDGambit and TLP projects may have lost access to their account. Subsequently, the attacker deployed a new contract and updated the ProxyAdmin permissions to seize control. The stolen funds were then bridged to the Ethereum network and deposited into Tornado Cash.
Amount of loss: $ 1,500,000 Attack method: Access control vulnerability
Description of the event: According to TenArmorAlert, a sandwich attack involving OLY has been detected on BSC, causing estimated losses of around $63,400.
Amount of loss: $ 63,400 Attack method: Sandwich attack
Description of the event: The SlowMist team has issued a security advisory stating that it has identified a potentially critical vulnerability on the HitBTC exchange platform. The issue has been responsibly disclosed to HitBTC in advance via private channels; however, no response has been received so far. The team urges HitBTC to make contact as soon as possible to coordinate follow-up remediation efforts.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: The Unleash Protocol project deployed on Story Protocol suffered an unauthorized contract upgrade, followed by the malicious transfer of user assets. The attacker manipulated the project’s multisig governance privileges to perform the upgrade, resulting in the theft and cross-chain transfer of assets including WIP, USDC, WETH, stIP, and vIP to external addresses. The currently confirmed loss is approximately USD 3.9 million. Unleash has suspended all operations and initiated a full investigation and audit process, urging users to refrain from interacting with its contracts. Story Protocol itself remains unaffected.
Amount of loss: $ 3,900,000 Attack method: Privilege compromise
Description of the event: On the BSC network, an unknown smart contract MSCST suffered a flash loan attack, resulting in an estimated loss of approximately $130,000. The root cause of the exploit lies in the lack of access control (ACL) within the releaseReward() function of the MSCST contract, which allowed the attacker to manipulate the price of the GPC token in the PancakeSwap liquidity pool (address: 0x12da).
Amount of loss: $ 130,000 Attack method: Flash loan attack
Description of the event: SlowMist founder Cos stated on the X platform that the team is currently following up on the DeBot incident and monitoring on-chain activity. According to him, users’ private keys associated with DeBot have been compromised, and the hacker has so far profited approximately $255,000, with theft still ongoing. Previously, in response to community claims that the DeBot wallet may have been hacked and user funds stolen, the DeBot official team said that the secure wallet addresses are operating normally and have not been affected. They added that they have noticed the issue concerning certain addresses and are actively following up and handling the matter. On December 30, all compensation applications for DeBot were fully processed and issued. The team stated that if any security issues occur in the future, they will continue to uphold a 100% compensation commitment.
Amount of loss: $ 255,000 Attack method: Private Key Leakage
Description of the event: The Flow Foundation announced that an attacker exploited a vulnerability in the Flow execution layer, transferring approximately $3.9 million in assets off the network before validators were able to coordinate and halt operations. The incident did not affect existing user balances, and all user deposits remain intact.
Amount of loss: $ 3,900,000 Attack method: Execution Layer Vulnerability
Description of the event: Trust Wallet has issued an official notice confirming that version 2.68 of its browser extension contains a security vulnerability, and advised all users running version 2.68 to immediately disable it and upgrade to version 2.69. According to SlowMist’s analysis, this backdoor incident originated from a malicious modification of Trust Wallet’s internal codebase (analytics service logic), rather than the introduction of a compromised third-party package (e.g., a malicious npm package). The attacker directly tampered with the application’s own code, using the legitimate PostHog library to redirect analytics data to a malicious server. As of December 31, the incident has been confirmed to affect 2,520 wallet addresses, with a total loss of approximately USD 8.5 million. Preliminary investigation indicates that this attack is related to the Sha1-Hulud industry-level supply chain incident that occurred in November. Trust Wallet has now rolled back the extension to the secure version 2.69 and initiated a compensation process for affected users.
Amount of loss: $ 8,500,000 Attack method: Malicious Code Injection Attack
Description of the event: According to monitoring by SlowMist’s MistEye security monitoring system, potential suspicious activities related to @futureswapx have been detected. Further analysis indicates that the root cause lies in an attacker creating a malicious proposal and leveraging flash loans to vote, ultimately granting privileges to the attack contract and enabling it to transfer tokens from other users.
Amount of loss: $ 830,000 Attack method: Governance Attack
Description of the event: SlowMist has issued a security alert to the cryptocurrency exchange ICRYPEX Global, stating that a potentially critical vulnerability has been identified.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: According to monitoring by Paidun, Yearn Finance V1 suffered a hacker attack, resulting in a total loss of approximately USD 300,000. The attacker has converted the stolen funds into 103 ETH, which are currently held at the address: 0x0F21...4066.
Amount of loss: $ 300,000 Attack method: Unknown
Description of the event: SlowMist sent a security alert to the cryptocurrency exchange Azbitm, stating that a potential vulnerability has been detected.
Amount of loss: - Attack method: Unknown
Description of the event: On December 14, Aevo announced that a vulnerability introduced during a smart contract upgrade led to an attack on the legacy Ribbon DOV vault on December 12, resulting in losses of approximately $2.7 million.
Amount of loss: $ 2,700,000 Attack method: Contract vulnerability
Description of the event: According to SlowMist founder Yu Cos and ZEROBASE officials, a malicious contract on the BSC chain, “Vault” (0x0dd2…2396), impersonated the ZEROBASE frontend to trick users into authorizing USDT. The incident is suspected to have occurred due to a compromise of the ZEROBASE frontend and was not an issue with the Binance Web3 wallet itself. So far, hundreds of addresses have been affected, with the largest single loss reaching $123,000. The stolen funds have been transferred to the Ethereum address 0x4a57…fc84. ZEROBASE has enabled an authorization monitoring mechanism, and the community is urging users to quickly revoke risky authorizations via revoke.cash.
Amount of loss: $ 123,000 Attack method: Frontend Attack
Description of the event: The 0G Foundation posted on X that a targeted attack on December 11 resulted in a breach of their reward contract. The attacker exploited the emergency withdrawal function of the 0G reward contract, which is used for distributing alliance rewards, stealing 520,010 $0G tokens, 9.93 ETH, and $4,200 worth of USDT. These tokens were subsequently bridged and dispersed through Tornado Cash. Due to a critical vulnerability in Next.js (CVE-2025-66478) exploited on December 5, the attacker moved laterally via internal IP addresses, affecting services including the Alignment service, Validator nodes, Gravity NFT service, Node Sales service, Compute, Aiverse, Perpdex, Ascend, and others. However, the core chain infrastructure and user funds remained unaffected.
Amount of loss: $ 520,000 Attack method: Private Key Leakage
Description of the event: According to an announcement by Almanak, during today’s airdrop, operational errors and a DDoS attack caused delays in claims and failures in wallet deployment. The claim function was originally scheduled to open at 12:15 UTC, but was actually delayed until 12:35 UTC. About 1,100 users encountered a “PENDING” status issue while creating wallets. The team has restored the system, cleared the backlog, and confirmed that users’ tokens remain safe and intact.
Amount of loss: - Attack method: DDoS Attack