507 hack event(s)
Description of the event: The Bitcoin.org website has activities to give back to the community, and it is suspected that the website has been hacked. The homepage of the website shows a Bitcoin address and states that any first 10,000 users who pay to this address will receive double the amount in return. Cobra, the co-owner of the Bitcoin.org website, tweeted that Bitcoin.org has been hacked and is investigating how hackers set up fraud patterns on the website. It is expected that operations will be suspended for a few days.
Amount of loss: - Attack method: Phishing attack
Description of the event: The cross-chain protocol pNetwork released an analysis report in response to the previous attack that resulted in the theft of 277 BTC, stating that at 17:20 UTC on September 19, 2021, the pNetwork system was attacked by hackers who attacked multiple pToken bridges. Including pBTC-on-BSC, TLOS-on-BSC, PNT-on-BSC, pBTC-on-ETH, TLOS-on-ETH and pSAFEMOON-on-ETH. However, hackers only cross-chain bridges in pBTC-on-BSC The attack was successful and 277 BTC were stolen from the pBTC-on-BSC collateral. Other pToken bridges were not affected and the funds were safe. In addition, since the hacker address has been reported to the exchange, the stolen funds are still on the hacker BTC address, and no transfer has occurred.
Amount of loss: 277 BTC Attack method: Code vulnerabilities
Description of the event: According to official sources, the loan agreement Vee.Finance officially released an explanation about the attack. The content is as follows: On September 20, the Vee.Finance team noticed multiple abnormal transfers. After further monitoring, a total of 8804.7 ETH and 213.93 BTC were stolen (total Worth more than 35 million U.S. dollars). The attacked Vee.Finance transaction contract address is: 0xd1F855ceF146D36CC5851E2139c54524420797f2. The attacker's address is: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA. After investigation, the suspected attacker launched the attack through the above address and has obtained the stolen assets from this address. In order to ensure the safety of more users' assets, the team has suspended the platform contract and suspended the deposit and withdrawal functions. The stablecoin part is not affected by this attack.
Amount of loss: $ 35,000,000 Attack method: Utilizes cToken forgery issues and precision processing issues
Description of the event: The DONA token auction of the Jay Pegs Auto Mart project on the SushiSwap Launchpad platform MISO was attacked. The attacker inserted malicious code into the MISO front end and changed the auction wallet address to his own wallet address. The loss has now reached 865 ETH (approximately 3.07 million). Dollar). Joseph Delong, CTO of SushiSwap, said on Twitter that the vulnerability has been fixed and that FTX and Binance have been asked to provide the attacker's KYC information, but both exchanges refused to cooperate. In addition, Joseph Delong also stated that he has reported the case to the FBI through his lawyer and reminded the project party to check whether there are similar front-end vulnerabilities. According to the Ethereum block explorer Etherscan, the attacker returned all ETH to SushiSwap. The operation was divided into two transactions, the first return 100 ETH, the second return 700 ETH, and the third return 65 ETH.
Amount of loss: - Attack method: Insert malicious code at the front end
Description of the event: Defibox discovered an abnormal exchange situation of the EOS-EMOON trading pair at 22:00 on September 16th. After an emergency investigation, the swap contract was suspended at 0:00 on September 17th, and it was reopened on the morning of September 17th after auditing and multiple signings were completed. Swap contract. This exchange abnormality is caused by the incompatibility between the Defibox Swap contract and the EMOON contract. Before the event, the number of pots was 482636464535179.88 EMOON/4866.1494 EOS. When the contract was suspended, the EMOON pot was 5790970803030.11 EMOON/3.4553EOS, resulting in about 4863 EOS. loss. At present, the Defibox team has eliminated this type of risk caused by other burning tokens, and has upgraded the Swap contract to further improve the security of the contract. The Defibox Foundation will activate the risk reserve and pay 4863 EOS to the EMOON community.
Amount of loss: 4,863 EOS Attack method: The incompatibility of mutual calling between Swap contract and EMOON contract
Description of the event: The private public chain Secret Network stated on Twitter that the main network has undergone an unplanned upgrade, from secret-2 to secret-3, to prevent major network security issues from causing financial losses. The team stated that neither the native token SCRT nor the cross-chain bridge contract were affected. Only a single smart contract was affected. The contract came from SecretSwap. A vulnerability was exploited, allowing the attacker to take away the pledged SEFI contract. funds. At present, the cross-chain bridge is still closed, and the deposit function of the exchange is also closed.
Amount of loss: - Attack method: Contract vulnerabilities
Description of the event: Nowswap, a decentralized exchange on Ethereum, was attacked by a flash loan. The attacker emptied Nowswap’s liquidity pool. The liquidity pool was reduced from US$1,069,197 to US$24.15. The attacker made a profit of 536,000 USDT and 158 WETH. A total of more than 1 million US dollars. The attacker used the K value verification vulnerability in the Nowswap USDT/WETH transaction pair contract to perform multiple exchanges, and each exchange obtained multiple times the normal due assets, until the assets in the trading pair pool were exhausted.
Amount of loss: $ 1,000,000 Attack method: K value verification vulnerability
Description of the event: The expansion of the Ethereum network, Arbitrum One, released a report on network failures. Beginning at 10:14 on September 14th, EST, Arbitrum One was out of service for 45 minutes, during which time the Arbitrum Sequencer was offline, and funds were never at risk. The root cause of the downtime was a bug that caused the Sequencer to get stuck when receiving a large number of transactions in a short period of time. The Arbitrum team has located the problem and deployed a fix. The team also stated that even if the Sequencer fails, it will not affect the continuous operation of the network. Users can bypass the Sequencer and submit transactions directly to Ethereum.
Amount of loss: - Attack method: Unknown
Description of the event: The beta version of the mainnet of the public chain Solana has been unstable since 19:52 Beijing time last night, and it has been 12 hours since the Solana chain application has not been able to operate normally. According to information released by Solana Status, the Solana validator community chose to restart the network cooperatively, and the snapshot height is slot 96542804. Solana Status recommends that the verification node be updated to Mainnet-Beta 1.6.24 version. On September 21, Solana officially released a preliminary overview of the network outage on September 14. It is reported that on September 14, Solana’s network was offline for 17 hours. There was no financial loss, and the network resumed full functionality within 24 hours. The cause of network stagnation is denial of service attacks. At 12:00 UTC time, Grape Protocol launched IDO on Raydium, and transactions generated by robots congested the network. These transactions caused a memory overflow, causing many validating nodes to crash, forcing the network to slow down and eventually stop. When the verification node network cannot agree on the current state of the blockchain, the network will go offline, preventing the network from confirming new blocks.
Amount of loss: - Attack method: Denial of service attack
Description of the event: Klondike Finance was attacked by hackers, with a total loss of approximately 35,281.71 KXUSD (6.5629 WETH).
Amount of loss: 35,281.71 KXUSD Attack method: Flash loan attack
Description of the event: According to the official Zabu Finance on the Avalanche chain, the attackers withdrew 4.5 billion ZABU tokens from Zabu Farm Contract, bringing the supply to 5 billion, and dumped them all to ZABU's Pangolin LPs and Trader Joe LPs, stealing about 600,000 U.S. dollars. The pledge of single currency assets is safe, and ZABU related pools are affected. The official will take a snapshot before the attack and distribute it in Zabu V2, restart V2 Farm and attach Zabu V1 Staking Pool. In addition, Zabu Finance stated that it will transfer all income from AutoFarm and IDO Launchpad back to Zabu holders. Earlier news, the Zabu Finance project on the Avalanche chain suffered a flash loan attack.
Amount of loss: 4,525,726,903 ZABU Attack method: Mortgage model is not compatible with tokens
Description of the event: Twitter netizen "mhonkasalo" stated that there was a bug in the dYdX pledge contract. The user received 0 stkDYDX when pledged, the front end was disabled, and there were 64 affected addresses. Later, dYdX released the "Pledge Contract Bug" incident report. During the deployment of the upgradeable smart contract, the dYdX security module made an error, which caused the ratio of DYDX to stkDYDX to change from 1 to 0, so that users who pledged DYDX did not receive stkDYDX. dYdX stated that the error was caused by an error in the smart contract deployment process. It believed that there was no error in the code itself. The security module was previously audited by the smart contract, and based on the liquidity module design, the design was also audited. The security module is thoroughly tested before deployment. At present, user funds are safely locked in the security module until the end of the 28-day epoch, and no security module rewards are distributed and no withdrawals are possible. In order to restore the contract function, an upgrade is required. The suggested solution is to restore the security module function, allow the pledged user to retrieve the funds, and compensate the user for the wrong reward for participating in the security module.
Amount of loss: - Attack method: Error in smart contract deployment
Description of the event: Ethereum Classic (ETC) tweeted that the ETC mainnet was forked due to previous vulnerabilities in the Ethereum client Geth. At present, most of the computing power is on the mainnet. Core-geth node operators should update to v1.12.1 or higher as soon as possible.
Amount of loss: - Attack method: Ethereum client Geth vulnerability
Description of the event: According to the intelligence of the slow fog area, the Vesting contract of DAO Maker was attacked by hackers. DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) all use Dao Maker's distribution system, and the DAO Maker contract is attacked when the holder is issued (SHO) in DAO Maker , That is, there is a loophole in the distribution system of SHO participants: init is not initialized protection, the attacker initializes the key parameters of init, and changes the owner at the same time, and then steals the target token through emergencyExit and exchanges it into DAI, attacking The final profit of nearly 4 million U.S. dollars.
Amount of loss: $ 4,000,000 Attack method: Initialize unauthenticated
Description of the event: A user claimed on Twitter that he had mistakenly entered an NFT auction scam and was taken away by an art website worth 336,000 US dollars of Ethereum. However, the development of the story is somewhat unexpected, because the other party returned 100 ETH in full. In this scam, the victim reported that he inquired about the NFT auction on Monday from a certain population on Discord, and then he thought he was lucky enough to win the bid for the first NFT on the website and paid 100 ETH (about 336,000 US dollars) for this. ). However, according to a BBC report on Tuesday, a hacker exploited a security hole in the artist Banksy's website and set up a web page (banksy.co.uk/NFT) to sell so-called non-fungible tokens (NFT). In the end, although the hacker returned the money, the user still lost $5,000 in transaction fees.
Amount of loss: $ 5,000 Attack method: Scam
Description of the event: The Tomb Finance token TOMB, an algorithmic stablecoin project linked to the Fantom ecosystem and FTM, had the biggest drop of 77% yesterday, and was suspected of being attacked by the community. In this regard, Tomb Finance stated that it used to collect service fees when selling TOMB. The mechanism Gatekeeper was used by a third party, which led to panic selling, but the project was not attacked and no funds were stolen. Tomb Finance explained that the team has disabled the Gatekeeper mechanism and is currently discussing future development plans. The developers have not given up on the project's plan.
Amount of loss: - Attack method: Service fee collection mechanism
Description of the event: A flash loan attack occurred in Cream Finance, a mortgage lending platform. In its post-mortem analysis report of the flash loan attack, it stated that a total of 460 million AMP tokens and 2804 ETH (worth approximately US$34 million at the time) were stolen due to the omission. Commit to repay 20% of all agreed fees until they are fully repaid. This security incident has a major vulnerability attacker and an imitator. Cream Finance will forward all relevant information to law enforcement agencies and prosecute within the scope permitted by law.
Amount of loss: $ 34,000,000 Attack method: Flash loan attack
Description of the event: The Bilaxy exchange tweeted that the hot wallet was hacked and lost approximately 296 tokens (including ETH). Users, please do not send any more funds to the Bilaxy account.
Amount of loss: $ 21,709,378 Attack method: Hot wallet was stolen
Description of the event: The DeFi pledge and liquidity strategy platform xToken, which suffered a lightning loan attack, released an analysis report on the vulnerability of the xSNX contract. At 4:43 UTC on August 29th, a vulnerability in the xSNX contract was exploited, and the holder's loss was estimated to be 4.5 million U.S. dollars. xToken believes that it is best to stop providing xSNX products at this time. xToken stated that it will no longer use the xSNX contract for SNX pledge.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: Polkadot Eco DeFi revenue aggregator Dot.Finance suffered a lightning loan attack. Dot.Finance's token PINK plummeted 35% in a short time, from 0.77 USD to approximately 0.5 USD. The attacker made a profit of 900.89 BNB (approximately $429,724 in total).
Amount of loss: $429,724 Attack method: Flash loan attack