1950 hack event(s)
Description of the event: A user claimed on Twitter that he had fallen for an NFT auction scam and lost Ethereum worth $336,000 to a fake sale on an artist's website; unexpectedly, the other party later returned the 100 ETH in full. The victim said he learned of the NFT auction on Monday from a Discord community, believed he had been lucky enough to win the bid for the first NFT offered on the website, and paid 100 ETH (about $336,000) for it. According to a BBC report on Tuesday, a hacker had exploited a security hole in the artist Banksy's website and set up a page (banksy.co.uk/NFT) selling a purported non-fungible token (NFT). Although the hacker returned the money, the user still lost $5,000 in transaction fees.
Amount of loss: $ 5,000 Attack method: Phishing attack
Description of the event: TOMB, the token of Tomb Finance, an algorithmic stablecoin project pegged to FTM in the Fantom ecosystem, fell as much as 77% yesterday, and the community suspected an attack. Tomb Finance responded that the Gatekeeper mechanism it uses to collect a fee on TOMB sales had been used by a third party in a way that triggered panic selling, but that the project itself was not attacked and no funds were stolen.
Amount of loss: - Attack method: Fee Collection Mechanism Flaw
Description of the event: OpenZeppelin published a post-mortem of a bug fix. On August 21, 2021, whitehat Zb3 reported a critical reentrancy vulnerability in OpenZeppelin's TimelockController contract, affecting a project hosted on the Immunefi bug bounty platform. That project chose to remain anonymous and paid the whitehat an undisclosed amount (including an anonymous bonus). OpenZeppelin paid the whitehat a further $25,000 in recognition of their contribution to community security and released a patch. To OpenZeppelin's knowledge, this is the only critical vulnerability ever found in its open-source smart contract library. The affected projects have been patched, OpenZeppelin has released an updated version of the contract, and all projects that use TimelockController should migrate to it.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The collateralized lending platform Cream Finance suffered a flash loan attack. Its post-mortem states that 460 million AMP tokens and 2,804 ETH (worth about $34 million at the time) were stolen through the vulnerability, and promises that 20% of all protocol fees will go toward repayment until the loss is fully covered. The incident involved one main attacker and a copycat. On October 4, Cointelegraph reported that DeFi security firm Lossless had helped recover 5,152.6 of the stolen ETH, worth nearly $16.7 million.
Amount of loss: $ 2,300,000 Attack method: Flash loan attack
Description of the event: The Bilaxy exchange tweeted that its hot wallet had been hacked, losing funds in roughly 296 different tokens (including ETH).
Amount of loss: $ 21,709,378 Attack method: Wallet Stolen
Description of the event: xToken, a DeFi staking and liquidity strategy platform, published an analysis of the xSNX contract vulnerability behind the flash loan attack it suffered. At 4:43 UTC on August 29 the xSNX contract was exploited; holders' losses are estimated at $4.5 million. xToken considers it best to discontinue the xSNX product for now and stated that it will no longer use the xSNX contract for SNX staking.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: Dot.Finance, a DeFi yield aggregator in the Polkadot ecosystem, suffered a flash loan attack. Its token PINK plunged 35% in a short time, from $0.77 to about $0.50. The attacker profited 900.89 BNB (about $429,724 in total).
Amount of loss: $429,724 Attack method: Flash loan attack
Description of the event: In May of this year, the SEC filed a lawsuit against five people suspected of promoting BitConnect. The SEC considers BitConnect an unregistered digital-asset securities offering that raised more than $2 billion from retail investors through its promoter network. BitConnect, launched in 2017, was a cryptocurrency investment program with the characteristics of a Ponzi scheme; its token BCC was among the 20 most valuable cryptocurrencies at the time, with a market capitalization above $2.6 billion. In September, BitConnect's lead U.S. promoter, Glenn Arcaro, pleaded guilty to participating in the fraud, alleged to amount to $2 billion.
Amount of loss: $ 2,000,000,000 Attack method: Scam
Description of the event: Sentinel, a dVPN project in the Cosmos ecosystem, stated on Twitter that DVPN tokens worth $40 million were stolen after a mnemonic phrase was leaked at the HitBTC exchange. Sentinel said users' own DVPN was safe and that the problem lay with HitBTC, which reported the hack to Sentinel one hour after it happened; Sentinel therefore hopes HitBTC will act to return the DVPN to users. HitBTC responded that Sentinel was trying to shift responsibility for its own technical defects and to deceive everyone. HitBTC believes that Sentinel's technology has vulnerabilities that can easily lead to users' mnemonics being publicly exposed, that such vulnerabilities are common in the Sentinel network, that the blockchain and software have not been thoroughly tested, and that the company has not invested enough time and resources in protecting users. HitBTC therefore recommended that Sentinel fix the security vulnerabilities in its software, conduct more testing, and relaunch its current centralized system.
Amount of loss: $ 40,000,000 Attack method: Affected by the HitBTC event
Description of the event: The founder of one of Russia's largest cryptocurrency scams has been jailed for allegedly defrauding investors of $100 million. Finiko, founded in Kazan in 2019, posed as a legitimate BTC investment company. In December 2020 it issued its own digital currency, FNK. According to local reports, the founders took BTC from investors and paid them out in FNK tokens.
Amount of loss: $ 100,000,000 Attack method: Scam
Description of the event: Liquid, a Japan-based cryptocurrency exchange, said its hot wallet had been attacked and that it was moving assets to cold wallets. It is investigating and has suspended deposits and withdrawals.
Amount of loss: $ 91,350,000 Attack method: Wallet Stolen
Description of the event: Pinecone launched the staking pool for its protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 UTC. When the PCT staking pool went live, the front end enforced limits against invalid operations, but the attacker bypassed the front end and called the smart contract directly from an ordinary account, depositing more PCT than the account actually held. The PCT pool recorded the claimed deposit amount rather than what it received, so on withdrawal more PCT could be taken out than had ever been deposited. After noticing the price plunge, the project team immediately halted calls to the smart contract. Current loss: about 3.53 million PCT.
Amount of loss: 3,530,000 PCT Attack method: Compatibility Issue
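The Pinecone entry above illustrates a general rule: a front end can only advise, and the contract must validate on its own. The following is an added example written for this page, not Pinecone's code. It assumes, as one plausible reading of the "compatibility issue" label, a token whose transferFrom signals failure by returning false instead of reverting, and all names (NonRevertingToken, VulnerablePool, HardenedPool) are invented. The vulnerable pool credits the caller's claimed amount; the hardened pool checks the return value, measures the balance it actually gained, and guards against reentrancy during that measurement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Pinecone's code. The token behaviour below is an assumption
// about the root cause (a transferFrom that returns false instead of reverting).

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Assumed token: reports an insufficient balance by returning false.
contract NonRevertingToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000 ether; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable: the ledger is updated with the requested amount whether or not
/// the tokens arrived. A front-end limit does not matter; anyone can call this.
contract VulnerablePool {
    IERC20 public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount); // return value ignored
        deposited[msg.sender] += amount;                        // phantom credit
    }

    function withdraw(uint256 amount) external {
        require(deposited[msg.sender] >= amount, "insufficient stake");
        deposited[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed"); // pays out other stakers' tokens
    }
}

/// Hardened: credits only what the contract can prove it received.
contract HardenedPool {
    IERC20 public immutable token;
    mapping(address => uint256) public deposited;
    uint256 public totalDeposited;
    bool private locked; // hand-rolled reentrancy guard, so no external import is needed

    modifier nonReentrant() {
        require(!locked, "reentrancy");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external nonReentrant {
        require(amount > 0, "zero deposit");
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = token.balanceOf(address(this)) - before;
        require(received == amount, "received != requested"); // also rejects fee-on-transfer shortfalls
        deposited[msg.sender] += received;
        totalDeposited += received;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(deposited[msg.sender] >= amount, "insufficient stake");
        deposited[msg.sender] -= amount;
        totalDeposited -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Against VulnerablePool an attacker holding no tokens calls approve on the token and then deposit(1e30): transferFrom returns false, the pool ignores it and records 1e30, and withdraw then pays out other stakers' tokens until the pool is empty. The same calls against HardenedPool revert at the require. Crediting received rather than amount would also tolerate fee-on-transfer tokens; the example rejects the mismatch instead so that the ledger always equals the pool's real holdings, and the reentrancy guard stops a token hook from altering the balance between the two balanceOf reads.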
Description of the event: Solend, a lending protocol in the Solana ecosystem, tweeted that the protocol was attacked at 20:40 Beijing time on August 19. The attacker exploited an insecure identity check in the UpdateReserveConfig function, which allowed them to liquidate all accounts; they also set the borrow APY to 250%. During this period the positions of five users were wrongly liquidated, and the liquidator is refunding their losses, totaling $16,000. Solend said no funds were stolen in the attack, that it will increase its bug bounty, and that it will build better monitoring and alerting.
Amount of loss: $ 16,000 Attack method: Contract Vulnerability
Description of the event: The Solana chain has seen its first rug pull. Luna Yield ($LUNY), a yield aggregator launched through the Solana launchpad "SolPad", has disappeared along with about $6.7 million in various cryptocurrencies. Luna Yield advertised itself as a legitimate project that aggregates and optimizes yield farming for its users; it was even backed by the well-known Solana-based launchpad "SolPad", which lets projects that submit "qualifying documents" raise funds through an initial DEX offering (IDO) on its Solana-based decentralized platform. Although Luna Yield submitted "qualifying documents", its attitude toward investors was indifferent. Before the August 16 fundraising, Luna Yield appeared legitimate. Three days after its IDO, Luna Yield sent the funds it had raised to the mixing service Tornado Cash to make them untraceable, then shut down its website and all social media accounts; no one has been able to contact the Luna Yield team.
Amount of loss: $ 6,700,000 Attack method: Rug Pull
Description of the event: On August 17, the DeFi project XSURGE on BSC suffered a flash loan attack. On August 16 local time, before the attack, XSURGE had issued a statement about a vulnerability in SurgeBNB: because the SurgeBNB contract is immutable and has been deprecated, the vulnerability cannot be patched. XSURGE said it would not disclose any specific details about the nature of the vulnerability, but strongly recommended that users migrate out of SurgeBNB as soon as possible, since an attacker could trigger it at any time. After the announcement, XSURGE was attacked, and the attacker stole $5 million from SurgeBNB.
Amount of loss: $ 5,000,000 Attack method: Flash loan attack
Description of the event: The team behind Ref.Finance, a decentralized exchange in the NEAR ecosystem, tweeted that at around 2 pm UTC on August 14 it noticed abnormal behavior in the REF-NEAR trading pair and then found an error in a recently deployed contract patch. Multiple users had already exploited the error, affecting approximately 1 million REF and 580,000 NEAR.
Amount of loss: $ 3,202,539 Attack method: Faulty contract patch
Description of the event: According to Reuters, a High Court judge in London granted artificial intelligence firm Fetch.ai's request, ordering Binance to track down the hackers who stole $2.6 million in assets from Fetch.ai's Binance account and to freeze the stolen assets. Fetch.ai, a U.K.- and Singapore-based company developing artificial intelligence projects for blockchain databases, claims fraudsters hacked into its cryptocurrency accounts on the Binance exchange on June 6. A Binance spokesperson said that to protect users' property, Binance regularly freezes accounts identified as having suspicious activity.
Amount of loss: $ 2,600,000 Attack method: Hacked account
Description of the event: Neko Network, a lending protocol on the Binance Smart Chain (BSC), was attacked. The attacker used a vulnerability in the protocol to pledge assets as collateral in the name of other users and have the borrowed funds sent directly to the attacker's own address. All asset pools on Neko Network have been frozen to prevent further attacks. Because of the timelock, it will take 24 hours to reopen the pools so that users can withdraw their funds. Neko Network is a product of the team behind the zero-coupon money market protocol Maze Protocol.
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
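The Solend entry (an insecure identity check in UpdateReserveConfig) and the Neko Network entry (borrowing against another user's collateral with the proceeds sent to the caller) share one root cause: authorization decided from data the caller supplies instead of from the account that actually signed the transaction. The following is an added example written for this page, not code from Solend or Neko Network. Solend is a Solana program, but the pattern is modelled here in Solidity so that it sits beside the page's other EVM material; the single-asset ETH market and the names (ReserveConfig, updateReserveConfig, borrow, onBehalfOf, claimedAdmin) are assumptions. The vulnerable market trusts a claimedAdmin argument and an onBehalfOf argument; the hardened market derives both decisions from msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Solend's or Neko Network's code. One asset (ETH) serves as
// both collateral and loan, and every name here is an assumption for illustration.

contract LendingMarketBase {
    struct ReserveConfig {
        uint256 borrowApyBps;            // e.g. 500 = 5% APY
        uint256 liquidationThresholdBps; // share of collateral that may be borrowed
    }

    address public owner;
    ReserveConfig public config;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor() {
        owner = msg.sender;
        config = ReserveConfig({borrowApyBps: 500, liquidationThresholdBps: 7500});
    }

    function depositCollateral() external payable {
        collateral[msg.sender] += msg.value;
    }

    function maxBorrow(address account) public view returns (uint256) {
        return collateral[account] * config.liquidationThresholdBps / 10_000;
    }

    function isLiquidatable(address account) public view returns (bool) {
        return debt[account] > maxBorrow(account);
    }
}

/// Vulnerable: both decisions rely on addresses the caller passes in.
contract LendingMarketVulnerable is LendingMarketBase {
    /// Insecure identity check: compares an argument to the stored owner instead
    /// of checking who signed. Anyone can pass the owner's address as claimedAdmin.
    function updateReserveConfig(address claimedAdmin, ReserveConfig memory newConfig) external {
        require(claimedAdmin == owner, "not owner");
        config = newConfig; // threshold 0 makes every borrower liquidatable; APY is unbounded
    }

    /// Borrows against onBehalfOf's collateral with no proof that msg.sender may
    /// act for that account, and pays the caller rather than the account.
    function borrow(address onBehalfOf, uint256 amount) external {
        require(debt[onBehalfOf] + amount <= maxBorrow(onBehalfOf), "undercollateralized");
        debt[onBehalfOf] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }
}

/// Hardened: authorization comes from msg.sender, never from an argument.
contract LendingMarketHardened is LendingMarketBase {
    mapping(address => mapping(address => bool)) public delegate; // account => operator => allowed

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function updateReserveConfig(ReserveConfig memory newConfig) external onlyOwner {
        require(newConfig.liquidationThresholdBps <= 10_000, "threshold > 100%");
        config = newConfig;
    }

    function setDelegate(address operator, bool allowed) external {
        delegate[msg.sender][operator] = allowed;
    }

    function borrow(address onBehalfOf, uint256 amount) external {
        require(msg.sender == onBehalfOf || delegate[onBehalfOf][msg.sender], "not authorized for account");
        require(debt[onBehalfOf] + amount <= maxBorrow(onBehalfOf), "undercollateralized");
        debt[onBehalfOf] += amount;                       // effects before the external call
        (bool ok, ) = onBehalfOf.call{value: amount}(""); // proceeds go to the collateral owner
        require(ok, "payout failed");
    }
}
```

Against the vulnerable market anyone can call updateReserveConfig(owner, ...) with a threshold that makes every position liquidatable or with an arbitrary APY, and anyone can call borrow(victim, amount) to move the victim's borrowing capacity into their own address. In the hardened market both calls revert unless msg.sender is the owner, the account itself, or a delegate the account registered on-chain. The Solana counterpart of onlyOwner is checking that the supplied owner account both matches the stored key and is a signer of the transaction; comparing the key alone is the same mistake as trusting claimedAdmin.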
Description of the event: DAO Maker issued an announcement stating that at around 1:00 UTC on August 12, an attacker made malicious use of a DAO Maker wallet that held administrator rights. After a first test transaction that stole 10,000 USDC, the attacker quietly made 15 more transactions, embezzling about $7 million before the security team was able to trace the funds, regain control, and stop the outflow. A total of 5,251 users were affected, losing an average of $1,250 each. Fortunately, users holding up to $900 were not affected at all.
Amount of loss: $ 7,000,000 Attack method: Private Key Leaked
Description of the event: Punk Protocol, a decentralized annuity protocol, stated that it was attacked during its fair launch, losing $8.9 million; the team later recovered $4.95 million and moved it to a secure wallet. According to the team, the attacker found a critical flaw in an investment strategy and drained more than $8.9 million in three stablecoins (USDC, USDT, DAI) from the Forge-CompoundModel module, but a white hat who noticed the attacker's intent executed a transaction that recovered $4.95 million. The remaining stolen funds were sent to the Ethereum mixing service Tornado.cash, so they are difficult to trace.
Amount of loss: $ 3,950,000 Attack method: Contract Vulnerability