1991 hack event(s)
Description of the event: THORChain, a decentralized cross-chain transaction protocol, tweeted that a malicious attack against THORChain was discovered. THORChain nodes have responded and isolated defenses. The capital loss caused by this attack was US$140,000, but THORChain stated that user funds will not be affected. The fund pool will be used to make up for the leaked funds. The team stated that the path of the attack was that EthBifrost had a logical error in processing the same symbol as ETH. THORChain claimed that it repaired Bifrost within 30 minutes and adopted node defense to stop Bifrost and THORNode. The team said it will also invest funds for ongoing code reviews and monitoring.
Amount of loss: $ 140,000 Attack method: False top-up
Description of the event: The algorithmic stablecoin project SafeDollar on Polygon is suspected of being hacked, and an unconfirmed contract seems to have taken away 250,000 USD in USDC and USDT.
Amount of loss: $ 250,000 Attack method: Flash loan attack
Description of the event: The hacking of the revenue aggregator Merlin Lab stems from a logical loophole in MerlinStrategyAlpacaBNB. The contract mistakenly uses the BNB transferred by the beneficiary as mining revenue, which makes the contract issue more MERL as a reward. After repeated operations, the attacker made a profit of 300,000 US dollars.
Amount of loss: $ 300,000 Attack method: Logic Vulnerability
Description of the event: European Union legal body Europol has cracked down on the Belgian Ponzi scheme Vitae. Europol raided 17 locations associated with the site, which were advertised as social media sites with their own cryptocurrencies, confiscating German currency and luxury cars totalling over 1 million euros. The company operates in Switzerland under the name VITAE AG.
Amount of loss: $ 1,119,810 Attack method: Scam
Description of the event: The DeFi protocol xWin Finance based on Binance Smart Chain was attacked by lightning loans. The xWin Finance token XWIN has fallen by nearly 90% in 24 hours. The attacker used xWin Finance's "reward mechanism" to continuously add and remove liquidity to obtain rewards. Under normal circumstances, due to the small amount of users added, the gains may be small, or even not enough to pay the handling fees; but in the face of huge amounts of funds, the rewards will become abnormally high.
Amount of loss: $ 281,599 Attack method: Flash Loan Attack
Description of the event: The BSC on-chain project StableMagnet ran away and lost USD 24 million. On August 12, the Greater Manchester Police Department announced that it had arrested the suspects of the StableMagnet Finance team who had previously taken away $22 million of users on the BSC. The police found a large amount of stolen Ethereum in the encrypted U disk. According to statistics, this money accounted for 90%($ 22,250,000) of the stolen cryptocurrency, and it is now beginning to reconnect with the legitimate owner.
Amount of loss: $ 1,750,000 Attack method: Rug Pull
Description of the event: The Ethereum 2.0 staking solution SharedStake released an attacked report, stating that the reason the SharedStake token was minted before the official launch was due to the use of vulnerabilities in time-locked contracts (that is, smart contracts that perform certain operations at a fixed time) by internal personnel. The vulnerability was submitted to the team by the white hat Lucash-dev on April 26. Because a team member had permission to view the vulnerability, he used the vulnerability to cast a value of about 50 on the main network four times on June 19 and 23. Ten thousand USD tokens were sold and mortgaged after the official launch. Although there is not enough evidence, the core members of SharedStake suspect that it was the work of a new team member.
Amount of loss: $ 500,000 Attack method: Contract Vulnerability
Description of the event: Nerve Finance, a stablecoin trading platform based on the Binance Smart Chain (BSC), tweeted that the Nerve-related machine gun pool in the revenue aggregator Eleven Finance have been attacked by sparks. After analysis, the reason for the exploit is that the emergencyBurn() function does not calculate the balance correctly and does not execute the destruction. On September 30th, hackers have returned approximately $4.5 million in stolen funds.
Amount of loss: $ 300,000 Attack method: Flash loan attack
Description of the event: According to Bloomberg News, the founder of the cryptocurrency investment platform Africrypt lost contact and 69,000 bitcoins (currently valued at approximately US$2.3 billion) on the platform were transferred. At 4 o'clock, Ameer Cajee, chief operating officer of Africrypt, told the client that the platform was hacked and asked them not to report the lost funds to the authorities. The investor has since hired a lawyer to conduct an investigation, but the lawyer has not been able to contact the founder of the company and has notified the South African Criminal Investigation Department. In addition, the lawyer found that funds on the Africrypt platform were transferred from their accounts and customer wallets, and made it untraceable through the Bitcoin mixer.
Amount of loss: $ 2,300,000,000 Attack method: Scam
Description of the event: Impossible Finance, the DeFi protocol on the BSC chain, was attacked by a lightning loan, and the attacker made a profit of 1,510.75 WBNB (a total of US$497,000). On June 25, the attackers refunded approximately $252,000. The core of this attack is that the K value check is not performed in the cheapSwap function, which causes the attacker to obtain additional tokens by performing multiple exchange operations in one exchange process.
Amount of loss: $ 245,000 Attack method: Flash Loan Attack
Description of the event: According to Calcalist, the cryptocurrency company StakeHound has filed a lawsuit against the institutional security company Fireblocks, claiming that ETH worth 245.5 million Israeli new shekels (approximately US$75 million) was lost due to Fireblocks’ mistakes. StakeHound stated that as Fireblocks deleted the key for no reason without backing up the key, 38,178 ETH were lost.
Amount of loss: $ 75,000,000 Attack method: Operation error
Description of the event: The Polygon ecological project PolyDEX had a hacking incident. The hackers carried out a reentry attack on the Token Locker smart contract and stole about $500,000 worth of funds from the project.
Amount of loss: $ 500,000 Attack method: ERC777 Reentrancy Attack
Description of the event: The Visor Finance smart contract, a DeFi liquidity protocol based on Uniswap V3, was withdrawn with 230 ETH in an emergency, and the attacker gained access to an account that manages certain Hypervisor management functions, and then transferred the funds to Tornado.cash.
Amount of loss: $ 504,845 Attack method: Permission Stolen
Description of the event: The DeFi lending agreement Alchemix alETH pool is suspected to have a loophole, and users can raise collateralized ETH when they have outstanding alETH debts. Alchemix released an alETH pool accident report stating that due to an error in the deployment of the alETH pool script, users have borrowed alETH at a 4:1 mortgage ratio but have no debt to be repaid, and the debt ceiling of nearly 2000 ETH has been released and new ones can be minted again. alETH, combined with Alchemix's use of the wrong index in the vault array, forced the transmuter to support the agreement mechanism to completely send the funds to repay the user's debt. The team has stopped the mortgage lending of the pool. As of the time of the report, alETH currently has a gap of -2,688.634, which is about 6.53 million U.S. dollars. Alchemix stated that there was no loss of user funds, and Yearn did not suffer any loss.
Amount of loss: $ 6,530,000 Attack method: Contract Vulnerability
Description of the event: EvoDefi, the project revenue farm on the BSC chain, was attacked, and the price of its token GEN dropped from US$2.1/piece to US$0.9/piece, a short-term drop of 57%. Loss of 455,576.85 GEN worth approximately USD 1 million. Due to the design flaws in the update logic of the function in the MasterChef contract, the part of the reward that needs to be deducted is not updated, which leads to arbitrage by the attacker.
Amount of loss: $ 1,000,000 Attack method: Flash loan attack
Description of the event: JBS USA Holdings Inc. paid an $11 million ransom to cybercriminals last week that temporarily destroyed a plant that handles about a fifth of the nation's meat supply, the chief executive said. . Andre Nogueira, CEO of the U.S. division of Brazilian meat company JBS SA, said the bitcoin ransom was to protect the JBS meat plant from further damage and limit the potential impact on restaurants, grocery stores and farmers that depend on JBS.
Amount of loss: $ 11,000,000 Attack method: Ransomware
Description of the event: At around 4:00 a.m. on June 8, the GainSwap project, which had been online for less than 12 hours, suddenly swept away nearly $8 million in digital assets pledged by users, closed the website access, and then entered a state of losing contact and running away. This is also Heco. One of the projects with the largest amount of running away on the show. In January 2022, according to the public security information of Chizhou City, Anhui Province, the police in Chizhou City recently cracked a case of illegally obtaining virtual currency data from a computer system using blockchain technology, involving a value of about 50 million yuan. After the cooperation of the police in Guangdong, Sichuan and Hunan, all eight suspects were arrested. The police seized and seized the assets involved in the case, such as villas and luxury cars worth tens of millions purchased by the suspect with the full amount of the stolen money, and frozen about 6 million virtual assets.
Amount of loss: $ 8,000,000 Attack method: Rug Pull
Description of the event: BurgerSwap, an automated market maker on the Binance Smart Chain, was once again attacked by lightning loans. The attacker took advantage of the re-entry vulnerability in the contract, repeated the swap operation many times, controlled the price through re-entry and counterfeit currency, and finally realized the purpose of attack arbitrage.
Amount of loss: - Attack method: Flash loan attack
Description of the event: Siastats tweeted that the Sia network, a decentralized storage project, has been under continuous DDoS attacks in the past two days. The targets of the attacks are network hosts and storage providers. The attacks have caused about 30% of host connections to be interrupted. Siastats stated that network functions were not affected. Only some of the host operators indicated that the Internet connection was interrupted. The affected operators can contact the Sia Foundation to mitigate the negative impact of the attack. The attack did not cause huge losses, and the network will continue to operate normally.
Amount of loss: - Attack method: DDoS Attack
Description of the event: On June 5, 2021, PolyButterfly, a decentralized financial protocol based on Polygon, disappeared. Its website has been closed, and its Twitter account and Telegram chat history have been deleted. Before this mysterious disappearance, it was revealed that the PolyButterfly code had a dangerous backdoor that allowed the product team to remove customer liquidity. According to RugDoc, the scammers stole more than 600 ether, or more than $1,500,000.
Amount of loss: $ 1,500,000 Attack method: Rug Pull