1861 hack event(s)
Description of the event: According to Calcalist, the cryptocurrency company StakeHound has filed a lawsuit against the institutional security company Fireblocks, claiming that ETH worth 245.5 million Israeli new shekels (approximately US$75 million) was lost due to Fireblocks’ mistakes. StakeHound stated that as Fireblocks deleted the key for no reason without backing up the key, 38,178 ETH were lost.
Amount of loss: $ 75,000,000 Attack method: Operation error
Description of the event: The Polygon ecological project PolyDEX had a hacking incident. The hackers carried out a reentry attack on the Token Locker smart contract and stole about $500,000 worth of funds from the project.
Amount of loss: $ 500,000 Attack method: ERC777 Reentrancy Attack
Description of the event: The Visor Finance smart contract, a DeFi liquidity protocol based on Uniswap V3, was withdrawn with 230 ETH in an emergency, and the attacker gained access to an account that manages certain Hypervisor management functions, and then transferred the funds to Tornado.cash.
Amount of loss: $ 504,845 Attack method: Permission Stolen
Description of the event: The DeFi lending agreement Alchemix alETH pool is suspected to have a loophole, and users can raise collateralized ETH when they have outstanding alETH debts. Alchemix released an alETH pool accident report stating that due to an error in the deployment of the alETH pool script, users have borrowed alETH at a 4:1 mortgage ratio but have no debt to be repaid, and the debt ceiling of nearly 2000 ETH has been released and new ones can be minted again. alETH, combined with Alchemix's use of the wrong index in the vault array, forced the transmuter to support the agreement mechanism to completely send the funds to repay the user's debt. The team has stopped the mortgage lending of the pool. As of the time of the report, alETH currently has a gap of -2,688.634, which is about 6.53 million U.S. dollars. Alchemix stated that there was no loss of user funds, and Yearn did not suffer any loss.
Amount of loss: $ 6,530,000 Attack method: Contract Vulnerability
Description of the event: EvoDefi, the project revenue farm on the BSC chain, was attacked, and the price of its token GEN dropped from US$2.1/piece to US$0.9/piece, a short-term drop of 57%. Loss of 455,576.85 GEN worth approximately USD 1 million. Due to the design flaws in the update logic of the function in the MasterChef contract, the part of the reward that needs to be deducted is not updated, which leads to arbitrage by the attacker.
Amount of loss: $ 1,000,000 Attack method: Flash loan attack
Description of the event: JBS USA Holdings Inc. paid an $11 million ransom to cybercriminals last week that temporarily destroyed a plant that handles about a fifth of the nation's meat supply, the chief executive said. . Andre Nogueira, CEO of the U.S. division of Brazilian meat company JBS SA, said the bitcoin ransom was to protect the JBS meat plant from further damage and limit the potential impact on restaurants, grocery stores and farmers that depend on JBS.
Amount of loss: $ 11,000,000 Attack method: Ransomware
Description of the event: At around 4:00 a.m. on June 8, the GainSwap project, which had been online for less than 12 hours, suddenly swept away nearly $8 million in digital assets pledged by users, closed the website access, and then entered a state of losing contact and running away. This is also Heco. One of the projects with the largest amount of running away on the show. In January 2022, according to the public security information of Chizhou City, Anhui Province, the police in Chizhou City recently cracked a case of illegally obtaining virtual currency data from a computer system using blockchain technology, involving a value of about 50 million yuan. After the cooperation of the police in Guangdong, Sichuan and Hunan, all eight suspects were arrested. The police seized and seized the assets involved in the case, such as villas and luxury cars worth tens of millions purchased by the suspect with the full amount of the stolen money, and frozen about 6 million virtual assets.
Amount of loss: $ 8,000,000 Attack method: Rug Pull
Description of the event: BurgerSwap, an automated market maker on the Binance Smart Chain, was once again attacked by lightning loans. The attacker took advantage of the re-entry vulnerability in the contract, repeated the swap operation many times, controlled the price through re-entry and counterfeit currency, and finally realized the purpose of attack arbitrage.
Amount of loss: - Attack method: Flash loan attack
Description of the event: Siastats tweeted that the Sia network, a decentralized storage project, has been under continuous DDoS attacks in the past two days. The targets of the attacks are network hosts and storage providers. The attacks have caused about 30% of host connections to be interrupted. Siastats stated that network functions were not affected. Only some of the host operators indicated that the Internet connection was interrupted. The affected operators can contact the Sia Foundation to mitigate the negative impact of the attack. The attack did not cause huge losses, and the network will continue to operate normally.
Amount of loss: - Attack method: DDoS Attack
Description of the event: On June 5, 2021, PolyButterfly, a decentralized financial protocol based on Polygon, disappeared. Its website has been closed, and its Twitter account and Telegram chat history have been deleted. Before this mysterious disappearance, it was revealed that the PolyButterfly code had a dangerous backdoor that allowed the product team to remove customer liquidity. According to RugDoc, the scammers stole more than 600 ether, or more than $1,500,000.
Amount of loss: $ 1,500,000 Attack method: Rug Pull
Description of the event: According to official sources, PancakeHunny on BSC was attacked by hackers, and the hackers made 43 ETH (a total of more than 100,000 US dollars). PancakeHunny forked from PancakeBunny, and the attack suffered this time was similar to PancakeBunny. Hackers obtained a large amount of HUNNY tokens and threw them to the market, causing the price of HUNNY tokens to plummet.
Amount of loss: 43 ETH Attack method: Flash loan attack
Description of the event: According to official sources, Belt Finance on the Binance Smart Chain (BSC) suffered a lightning loan attack and lost US$6.2 million. The attacker used flash loans to obtain more than 6.2 million US dollars of funds from the Belt Finance agreement through 8 transactions, and has converted most of the funds into anyETH and withdrawn to Ethereum.
Amount of loss: $ 6,200,000 Attack method: Flash loan attack
Description of the event: BurgerSwap, an automatic market maker on the BSC chain, suffered a lightning loan attack and lost nearly 7 million U.S. dollars. This attack is a problem in the BurgerSwap architecture. Since the Pair layer completely trusts the data of the PaltForm layer, it did not perform another check on its own, which led to the attack.
Amount of loss: $ 7,000,000 Attack method: Flash loan attack
Description of the event: The JulSwap of the DEX protocol and the automated liquidity protocol on the BSC chain was attacked by lightning loans, and $JULB fell more than 95% in a short time.
Amount of loss: 1,500,000 Attack method: Flash loan attack
Description of the event: MerlinLabs, the DeFi revenue aggregator, was attacked. The attack method was similar to that of PancakeBunny, which was attacked by lightning loan 5 days ago, and lost US$6.8 million.
Amount of loss: $ 6,800,000 Attack method: Flash loan attack
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain (BSC) was attacked by a lightning loan, and the currency price suffered a flash crash, with a drop of more than 99% at one time, loss of 750,000 USD.
Amount of loss: $ 750,000 Attack method: Flash loan attack
Description of the event: The official website of the DeFi protocol DeFi100 on Binance Smart Chain (BSC) is no longer accessible. Previously, Twitter user "Mr. Whale" pointed out that the project may be a scam. "About 32 million US dollars of user funds were swept away by the team. road". About 10 hours ago, the words "We lied to you, you can't do anything with us" appeared on the DeFi100 official website, and the page was subsequently deleted. The DeFi100 project website was no longer accessible. It is not yet certain whether the website was hacked or the project team itself Close the website. DeFi100 is a decentralized flexible synthetic asset index product on the Binance Smart Chain, developed by an anonymous team.
Amount of loss: $ 32,000,000 Attack method: Rug Pull
Description of the event: The DeFi protocol Bogged Finance officially stated that hackers carried out a lightning loan attack on the staking function vulnerability of BOG token contracts and withdrew 3 million US dollars from the liquidity pool. The hackers used the Pancake Pair Swap code to withdraw the pledge before the contract verification was completed. income. The official team stated that the remaining 8 million US dollars in the current liquidity pool is safe. The vulnerabilities used by hackers have been "blocked" and cannot be reused. The tools provided by Bogged Finance are still safe to use, and the team is repairing the front end. Display the problem.
Amount of loss: $ 3,000,000 Attack method: Flash loan attack
Description of the event: PancakeBunny, the DeFi revenue aggregator on Binance Smart Chain (BSC), suffered a lightning loan attack and lost 114,631.5421 WBNB and 697,245.5699 BUNNY, totaling approximately US$45 million. The price of the token BUNNY crashed from 240 US dollars at around 6:35, and once fell below 2 US dollars, with the highest drop of more than 99% at one time. The official response stated that the hacker used PancakeSwap to borrow a large amount of BNB from a flash loan attack from an external developer, and then continued to manipulate the USDT/BNB and BUNNY/BNB prices to obtain a large amount of BUNNY and sell it, resulting in a flash crash of the BUNNY price. Hackers exchanged back to BNB through PancakeSwap.
Amount of loss: $ 45,000,000 Attack method: Flash loan attack
Description of the event: On the evening of May 18, the BSC-based DeFi lending platform Venus token XVS was doubled by the giant whale. After that, XVS was used as collateral to borrow and transfer BTC and ETH worth hundreds of millions of dollars. Since then, the price of collateral XVS is large. It fell and faced liquidation, but due to insufficient liquidity in the XVS market, the system failed to liquidate in time, resulting in a huge shortfall of hundreds of millions of dollars in Venus. On the 30th, Venus officially released an article that disclosed the process and results of the incident. The survey showed that the liquidator made a profit of about 20 million U.S. dollars, and the seller made a profit of about 55 million U.S. dollars; the "scalper" made a profit of about 2 million U.S. dollars; the 0xef044 address account had a net loss of about 66 million U.S. dollars. Secondly, its address attribution is based on the Swipe escrow address used on Binance, so there is no insider trading. The agreement lost approximately $77 million due to market fluctuations. VGP will recover approximately US$77 million from the distribution fund, and formulate a community recovery plan for XVS holders and others in the form of airdrops from the distribution fund and agreement income.
Amount of loss: $ 145,000,000 Attack method: Lack of Liquidity