1057 hack event(s)
Description of the event: DD Coin was attacked and lost about 126,000 USDT. The attacker initially received 1 BNB of funds from Tornado Cash about 17 days ago. DD Coin has lost 21%.
Amount of loss: $ 126,000 Attack method: Unknown
Description of the event: The Cellframe Network, a blockchain network based on sharding architecture, is suspected of being attacked by a flash loan. The attacker made a profit of 245 BNB (approximately 74,000 US dollars), and the token CELL has fallen by more than 65%. According to MistTrack analysis, the attacker's address (0x252...079) on Ethereum had withdrawn 1.37 ETH from Binance.
Amount of loss: $ 74,000 Attack method: Flash Loan Attack
Description of the event: The LSDFi protocol unshETH stated that at around 22:00 on May 31, one of the deployment private keys of the unshETH contract was leaked. For the sake of caution, the official has urgently suspended the withdrawal of unshETH's ETH. According to the security model, unshETH's ETH deposit (TVL up to 35 million US dollars) is protected by multi-signature + time lock and is not at risk.
Amount of loss: $ 23,8000 Attack method: Private Key Leaked
Description of the event: On-chain detective ZachXBT tweeted that a Rug Pull occurred on Pixel Penguin, a charity project created by Hopeexist1, which claimed to raise funds to help him fight cancer. At present, the social accounts of Hopeexist1 and Pixel Penguin have been deleted, and the Pixel Penguin contract is worth only $117,000 (61.686 ETH).
Amount of loss: $ 117,000 Attack method: Rug Pull
Description of the event: Twitter user @ChrisONCT cited on-chain data to expose a suspected scam Meme coin project Waifu AI World (WFAI). The token economics announced by the project stated that 95% of the supply was allocated to LPs. However, shortly after WFAI went online, 4 new wallets spent a total of 14.4 ETH in four transactions to purchase 647 trillion WFAI, accounting for approximately 83.2% of supply (777 trillion). At present, the project party has blacklisted the wallets that purchased 457 trillion WFAI, and now the total supply of WFAI is 320 trillion, which means that 190 trillion tokens are held by insiders, accounting for 60% of the total token supply. And DWF Labs spent about 20 ETH to purchase 624.9 billion WFAI yesterday afternoon; DEXTools trust score changed from extremely low to extremely high within a few hours.
Amount of loss: - Attack method: Scam
Description of the event: Perpetual DEX El Dorado Exchange (EDE) was suspected of being attacked and lost about $580,000. An address has been sending small amounts of funds to Arbitrum's ELP-1 pool and withdrawing large amounts of funds immediately afterwards. According to monitoring, the attacker has returned 334,000 USDC.
Amount of loss: $ 580,000 Attack method: Unknown
Description of the event: The Rug Pull of the BSC project BlockGPT occurred, involving assets of over 816 BNB (about 256,000 US dollars), and 800 BNB have been transferred to Tornado Cash so far.
Amount of loss: $ 256,000 Attack method: Rug Pull
Description of the event: DWallet Labs discovered a zero-day vulnerability in TRON multi-signature accounts that put more than $500 million in digital assets at risk. What about the threshold and number of signers defined in the account. The bug has now been disclosed and fixed, so no user assets are now at risk.
Amount of loss: - Attack method: Multi-Signature Vulnerability
Description of the event: Blockchain security researcher iczc tweeted that a vulnerability was found in Polygon zkEVM and received a bug bounty from Immunefi L2. The vulnerability prevents asset migration from L1 to L2 by preventing assets bridged from L1 to Polygon zkEVM (L2) from being properly claimed in L2. iczc found in the code logic of processing claim tx pre-execution results that malicious attackers can bypass the "isReverted" pre-execution check on claim transactions by setting the gas fee to non-zero, allowing them to send a large number of Low-cost claims DoS attacks on sequencers and validators, increasing computational overhead. Also, transactions are not immediately removed from the pool after execution. The status is updated from Pending to Selected and continues to exist in the PostgreSQL database. Currently, there is only one trusted sequencer capable of fetching transactions from the transaction pool and executing them. Therefore, another vulnerability is to maliciously mark any deposit amount by sending a failed transaction. This will cause claim transactions that correctly use credits to be rejected because the credits are already used. This makes the L2 network unusable for new users. The Polygon zkEVM team fixed this vulnerability by removing the specific gas logic for claiming transactions, with no funds at risk.
Amount of loss: - Attack method: Code Logic Vulnerabilities
Description of the event: Fede's Intern, a contributor to the venture capital studio LambdaClass, said on Twitter that it found that Aleo, a programmable privacy network, had an inflation loophole and used the first loophole to stop block production, and contacted the Aleo team by email. Following an open discussion on the Zero Knowledge Podcast, Aleo CEO and Zero Knowledge Podcast contributor Alex Pruden stepped in and the bug is now fixed.
Amount of loss: - Attack method: Inflation Vulnerability
Description of the event: The Arbitrum ecological project Jimbos Protocol was attacked, and about 4,090 ETH were stolen (about $7.5 million). This attack was due to the lack of slippage control on the liquidity transfer operation, which resulted in the protocol owned liquidity being invested in a skewed/imbalanced price range, which was used in reverse swaps for profit.
Amount of loss: $ 7,500,000 Attack method: Lack of slippage control
Description of the event: The Sandbox tweeted that the Twitter account of its CEO and co-founder Arthur Madrid was hacked, and the hackers posted a scam/phishing link for a fake SAND token airdrop. The Sandbox reminds users not to click on the link, but to report the post so it can be blocked.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Nigerian gift card and cryptocurrency trading platform Patricia revealed on May 26 that hackers compromised its retail trading app, resulting in an undisclosed amount of BTC and naira assets being compromised, News.bitcoin reported. Other cryptocurrency balances were not affected and assets belonging to their customers and merchants remained safe. Patricia said it had stopped processing withdrawals and was "undergoing internal restructuring".
Amount of loss: - Attack method: Retail transaction app is compromised
Description of the event: According to The Block, cybersecurity firm Unciphered claims it was able to hack into hardware-encrypted wallets powered by Trezor T models. In a YouTube demo, Unciphered showed exploiting the wallet vulnerability to extract the mnemonic private key from the wallet, saying the attack is only feasible if the attacker has physical access to the hardware wallet. Trezor CTO Tomáš Sušánka responded: "This appears to be a vulnerability called an RDP downgrade attack, which requires extremely sophisticated technical knowledge and advanced equipment. Even with the above conditions, Trezor can pass a powerful passphrase, making RDP downgrade attacks ineffective.” Trezor added that they have taken the important step of developing a new secure element for hardware wallets with their sister company Tropic Square to solve future problems.
Amount of loss: - Attack method: RDP downgrade attack
Description of the event: Multichain tweeted that although most of the cross-chain routes of the Multichain protocol are operating normally, due to force majeure, some cross-chain routes cannot be used, and the time to restore services is unknown. After service is restored, pending transactions will be credited automatically. Multichain will compensate users affected during this process, and the compensation plan will be announced later. According to previous reports from multiple community users, there is an abnormal delay in the arrival of Multichain cross-chain funds. Markets show that the Multichain token MULTI has fallen 24.1% in the past 24 hours and is currently trading at $5.36.
Amount of loss: - Attack method: Unknown
Description of the event: CS Token was hacked and a total of 714,000 USDT was stolen. The hacker initially transferred 1 BNB from Tornado Cash, and then transferred 383 ETH to Tornado Cash.
Amount of loss: $ 714,000 Attack method: Contract Vulnerability
Description of the event: The team behind Fintoch, a blockchain financial platform, is suspected of being a Ponzi scheme. It defrauded users of 31.6 million USDT on BNB Chain, and the funds were bridged to multiple addresses on Tron and Ethereum. Users reported that they could not withdraw funds. Fintoch advertises that it is a blockchain financial platform built by Morgan Stanley, and users can get 1% return on investment every day. The team page on the Fintoch website refers to "Bobby Lambert" as its CEO, when in fact he doesn't exist and is a paid actor. Earlier, the Singapore government and Morgan Stanley both issued warnings about the investment plan.
Amount of loss: $ 31,600,000 Attack method: Scam
Description of the event: Cross-chain interoperability protocol Celer Network reported Wednesday that it has patched a code vulnerability first discovered by Jump Crypto, The Block reported. In a blog post published by Celer and Jump Crypto, a vulnerability in the State Guardian Network (SGN), Celer's proof-of-stake (PoS) blockchain, was disclosed. If implemented, the vulnerability could allow a malicious validator to submit a large number of fraudulent "votes", resulting in a change in the state of the network. Celer emphasized that the breach did not result in any financial loss. The vulnerability was not publicly accessible and no funds were directly at risk when it was discovered. Celer said it would propose a bug bounty for Jump Crypto as a result of the discovery.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Polygon ecological project LunaFi was attacked. The attacker obtained initial funds from TornadoCash on BSC, the root cause was a flaw in reward calculation, and many other issues in the contract.
Amount of loss: $ 35,000 Attack method: Reward Calculation Flaw
Description of the event: At 15:25 on May 20, Tornado Cash encountered a governance attack. The attacker granted himself 1.2 million votes through a malicious proposal, exceeding the number of legal votes (about 700,000), and gained full governance control. An attacker could withdraw all locked votes and drain all tokens in the governance contract, disabling routers, though the attacker would still not be able to drain individual pools. Tornado Cash governance attackers obtained a total of 483,000 TORN from governance vaults.
Amount of loss: $ 2,173,500 Attack method: Governance Attack