1525 hack event(s)
Description of the event: A vulnerability has been detected in the unverified Ember Sword NFT auction that allowed the extraction of 60 WETH, equivalent to approximately $195,000, from 159 victims who approved the contract.
Amount of loss: $ 195,000 Attack method: Contract Vulnerability
Description of the event: According to feedback from multiple community members, the zkSync ecosystem lending platform @xBankFinance is suspected of a rug pull. Currently, the official account displays that it has been frozen, and the platform's liquidity is reduced to single-digit assets.
Amount of loss: - Attack method: Rug Pull
Description of the event: The cross-chain lending protocol Pike Finance tweeted that the USDC pool on Pike Beta has been exploited by a hacker. The total amount of USDC exploited is 299,127. The root cause was a forged CCTP message used to drain USDC on the Ethereum, Arbitrum and Optimism chains.
Amount of loss: $ 299,127 Attack method: CCTP Integration Contract Vulnerability
Description of the event: io.net founder and CEO Ahmad Shadid announced on social media that io.net's metadata APIs recently experienced a security incident. A malicious party exploited accessible mappings of User IDs to Device IDs, leading to unauthorized metadata updates. This breach did not compromise GPU access but did affect the metadata displayed to users on the frontend.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: According to intelligence from the SlowMist Security Team, the YIEDL project on the BSC chain was attacked, with the attacker stealing approximately $300,000. The root cause was the contract's failure to adequately validate the external parameter (dataList) provided by the user when processing a call to the redeem function. This parameter is critical data for controlling asset exchanges, typically containing specific transaction instructions or routing information. The attacker maliciously constructed this external parameter, enabling unauthorized asset transfers.
Amount of loss: $ 300,000 Attack method: Contract Vulnerability
Description of the event: Shortly after the deployment of the FENGSHOU (NGFS) token, it was attacked, resulting in a loss of approximately $191,000. The vulnerability lies in a public `delegateCallReserves` function which allows the attacker to set an arbitrary address to a UniSwapV2 proxy.
Amount of loss: $ 191,000 Attack method: Contract Vulnerability
Description of the event: According to community feedback, the official Discord server of Merlin Chain appears to have been targeted in a hacker attack, where a management account posted a notification containing a phishing link.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The cross-chain bridge X Bridge has experienced multiple suspicious transactions, which are still ongoing. A suspicious address was recently funded by Tornado Cash on BNBChain, then bridged to ETH, and subsequently deposited 0.15 ETH into 'OwnedUpgradeabilityProxy'. Shortly after, a withdrawal of 482M STC totaling $824K was made from the 'OwnedUpgradeabilityProxy' contract.
Amount of loss: $ 824,000 Attack method: Unknown
Description of the event: The decentralized liquidity aggregation protocol Magpie Protocol was attacked due to a contract vulnerability, resulting in $129,000 being stolen from 221 wallets. The root cause was unchecked call data. The attacker called the contract's swap() function and passed in data which included a list of users to transfer tokens from.
Amount of loss: $ 129,000 Attack method: Contract Vulnerability
Description of the event: Users reported abnormal activity on the trading platform of the DeFi asset management protocol Velvet Capital on April 23rd. When attempting to connect to the frontend, users were prompted to approve their wallet's access permissions for the protocol.
Amount of loss: - Attack method: Frontend Attack
Description of the event: Z123 on BSC was attacked by a hacker due to a contract vulnerability, resulting in a loss of approximately $136k. The .update() function of Z123 was called repeatedly, which burned extra tokens and inflated the price.
Amount of loss: $ 136,000 Attack method: Contract Vulnerability
Description of the event: The decentralized betting platform ZKasino is suspected to have exited. Recently, users on Twitter reported that ZKasino removed the message "Ethereum will be returned and can be bridged back" from the Bridge Funds interface, causing users to be unable to withdraw. Subsequently, the project team transferred the ETH assets deposited by users to the 0x791 multi-signature address, and then deposited them into the staking protocol Lido for yield farming.
Amount of loss: $ 33,000,000 Attack method: Rug Pull
Description of the event: Hedgey Finance suffered two exploits, one on Ethereum and another on the Arbitrum network. The ETH attack resulted in a loss of $1.9 million, while the Arbitrum exploit led to a theft of $42.8 million in ARB tokens.
Amount of loss: $ 44,700,000 Attack method: Flash Loan Attack
Description of the event: The Twitter account of the cross-chain bridge Meson Finance posted a tweet containing a phishing link. Meson Finance tweeted that the relevant content has been deleted and confirmed that the issue originated from a third-party API rather than a direct attack on the account.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Fake PRCL on the BNB Chain appears to have exit scammed, resulting in a 100% price drop and causing losses exceeding $100,000.
Amount of loss: $ 100,000 Attack method: Rug Pull
Description of the event: Token issuance protocol Mars was attacked and lost about 1M MARS and 137 WBNB.
Amount of loss: - Attack method: Unknown
Description of the event: The team behind Grand Base, a real-world assets platform built on the Base layer-2 blockchain, claimed that the deployer wallet had been compromised, allowing an attacker to drain the project's liquidity pool. Altogether, 615 ETH (~$2 million) was taken from the project. On April 20th, Grand Base tweeted that during the token reboot process, the team had managed to retrieve its veNFTs from the hacked address and transferred them to a multi-sig wallet. The veNFT position represents an amount of $225,000 and will be used to build robust liquidity when the time comes.
Amount of loss: $ 2,000,000 Attack method: Unknown
Description of the event: The Fake JILLBODEN on BNBChain is suspected to be a rug pull, and the current token price has dropped by 100%.
Amount of loss: $ 335,339 Attack method: Rug Pull
Description of the event: The Fake VDZ on BNBChain is suspected to be a rug pull, and the current token price has dropped by 100%.
Amount of loss: $ 323,088 Attack method: Rug Pull
Description of the event: According to on-chain analyst ZachXBT's monitoring, the group of scammers who stole 8 figs with Magnate, Kokomo, Lendora, Solfire, etc. is back with a new project on Blast, @Leaperfinance. Last week they funded an address on Blast with ~$1M of laundered funds from the previous rugs and have begun adding liquidity to bait people in. Over time, the fraudulent team increased their TVL to over a million dollars, then stole all user funds deposited into the protocol, and forged KYC documents using low-level auditing companies. Currently, this fraudulent group has initiated scams on platforms such as Base, Solana, Scroll, Optimism, Arbitrum, Ethereum, and Avalanche.
Amount of loss: - Attack method: Scam