621 hack event(s)
Description of the event: SashimiSwap was attacked because of a logical error in the swap function.
Amount of loss: - Attack method: logical error
Description of the event: On December 28th, according to Twitter user coby.eth, a fake MetaMask governance token was created and launched on the DEXTools platform. The creator of the token used malicious code to make users browse the token information, and a pop-up interface showed that the MASK Token was verified and displayed A forged platform verification mark (blue certification symbol) is displayed. coby.eth stated that after the transaction volume exceeded US$1 million, the token was transformed into a "Pixiu plate", and users could only buy but not sell. According to browser data, the total transaction volume of this "Pixiu Pan" MASK Token is close to 10 million U.S. dollars, with a total of 642 related transactions and close to 400 addresses.
Amount of loss: - Attack method: Scam
Description of the event: The MetaSwap on-chain project on the BSC transferred its running assets. A total of 1,100 BNB of stolen funds were transferred to the Tornado.cash wallet (BSC version), and the price of MGAS tokens fell by 46.99%.
Amount of loss: 1,100 BNB Attack method: Scam
Description of the event: According to news, METADAO took a Rug Pull, took away the funds (800 ETH, about 3.25 million US dollars), and has been transferred to Tornado.cash mixed currency.
Amount of loss: 800 ETH Attack method: Scam
Description of the event: The NFT project Monkey Kindom stated that hackers stole $1.3 million in SOL from the community through a security breach in discord. The hacker first attacked Grape, the solution to authenticate users on Solana, and took advantage of the vulnerability to take over an administrative account that posted a phishing link in the announcement channel of Monkey Kindom discord.
Amount of loss: $ 1,300,000 Attack method: Phishing attack
Description of the event: Uniswap V3 liquidity management protocol Visor Finance was hacked again. Hackers took advantage of the loopholes to withdraw more than 8.8 million VISRs and sold them on Uniswap, causing the VISR tokens to plummet by nearly 95% and profit over 120 ETH through Tornado Cash. Money laundering. According to SlowMist analysis, this attack is due to a flaw in the RewardsHypervisor contract when checking the permissions of the user's recharge, causing the attacker to construct a malicious contract to arbitrarily cast mortgage credentials. Prior to this June, Visor Finance was also hacked and lost more than US$500,000.
Amount of loss: 120 ETH Attack method: Contract vulnerabilities
Description of the event: At 5:21 (UTC+8) on December 15, 2021, the WePiggy-OEC agreement made a short-term error in the CHE oracle, which caused the price of CHE in WePiggy to be much higher than the market price, resulting in abnormal liquidation for users who borrowed CHE assets. Calculated at the price at the time of the incident, the total loss of user assets is approximately US$400,000.
Amount of loss: $ 400,000 Attack method: Abnormal liquidation
Description of the event: Bent Finance, a pledge and income farming platform, tweeted that a possible loophole has been discovered, claiming has been disabled, and rewards are currently unavailable. Bent Finance is investigating the curve LP pool, and users can withdraw funds.
Amount of loss: - Attack method: The contract is implanted with the backdoor code
Description of the event: A Discord server run by Fractal in the recently launched game NFT market was hacked. The hacker defrauded 373 members of 800 Solana cryptocurrencies worth US$150,000. The startup said in its announcement that it will compensate the victims in full.
Amount of loss: $ 150,000 Attack method: Phishing attack
Description of the event: According to official sources, GrimFinance, a compound income platform on the Fantom chain, suffered a lightning loan attack, and the current loss has exceeded 30 million U.S. dollars. The attacker uses the function named "beforeDeposit()" in GrimFinance's vault strategy to attack and enter the malicious Token contract. At present, GrimFinance has suspended all vaults, reminding users to immediately withdraw all assets.
Amount of loss: $ 30,000,000 Attack method: Flash loan attack
Description of the event: The data on CoinMarketCap's website flashed bugs, and the quotes of multiple cryptocurrencies were wrong.
Amount of loss: - Attack method: Data flash bug
Description of the event: Gelato was attacked by hackers.
Amount of loss: - Attack method: Unknown
Description of the event: The chain game project Vulcan Forged officially tweeted that 148 wallets holding PYR were hacked and more than 4.5 million PYR had been stolen. Then it said: 1. We cannot prevent the attacker from withdrawing funds from the wallet where the PK has been stolen and the funds have not been transferred; 2. We are moving to a fully decentralized wallet setup; 3. All stolen PYR will be compensated by its treasury . The official also stated that all exchanges have been contacted to blacklist the addresses of the hackers. It seems that the hackers have conducted KYC on one of the exchanges we contacted.
Amount of loss: $ 102,820,974 Attack method: Private key leak
Description of the event: On December 13, the DeFi platform Definer oracle was attacked. This incident was caused by the problem of Definer’s implementation of the oracle in OEC. It used the token balance of a single liquidity pool at a point in time as the price source, which led to the accident. The implementation of Ethereum used ChainLink’s The oracle does not have this problem.
Amount of loss: 30,765 CHE Attack method: Oracle attack
Description of the event: The Ethereum wallet Dharma updated its Twitter and said that it has returned to normal. Dharma previously tweeted that there was a downtime. The official has determined the solution and it is expected to resume soon. All funds are safe.
Amount of loss: - Attack method: Downtime
Description of the event: According to the official announcement, at 6 o’clock on December 12th, Beijing time, the internal security audit report of AscendEX found that some ERC-20, BSC and Polygon tokens were abnormally transferred out of the exchange’s hot wallet, and the AscendEX cold wallet was not affected by this incident. . It is estimated that Pinnacle AscendEX’s losses totaled US$77.7 million (of which US$60 million was on Ethereum, US$9.2 million was on BSC, and US$8.5 million was on Polygon).
Amount of loss: $ 77,700,000 Attack method: Stolen hot wallet
Description of the event: The payment system of ONUS, the largest cryptocurrency trading platform in Vietnam, running a vulnerable version of Log4j suffered a cyber attack. Cyclos notified ONUS to repair the system on December 13, but it was too late. Although ONUS has fixed the security loopholes in the Cyclos instance, the window of loopholes allowed attackers to successfully steal data from sensitive databases. The stolen database contained nearly 2 million user data, including KYC (Know Your Customer) data, hashed passwords, etc. Subsequently, the attacker asked ONUS to pay a ransom of 5 million, otherwise the stolen data would be made public. On December 25, because ONUS did not pay the full ransom, the attackers sold customer data on the dark web data exchange market.
Amount of loss: $ 5,000,000 Attack method: Blackmail
Description of the event: At 8 pm on December 8, the hacker account itsspiderman used an overflow vulnerability to issue additional tripool market-making certificates in eCurve out of thin air, pledged and loaned most of the tokens in the agreement in PIZZA. Afterwards, hackers created more than 1.3 million accounts and dispersed the stolen assets. The loss of the PIZZA protocol in this attack is equivalent to about 5 million U.S. dollars.
Amount of loss: $ 5,000,000 Attack method: Overflow vulnerability
Description of the event: 8ight Finance on the Harmony chain was stolen $1.75 million due to the leak of the private key.
Amount of loss: $ 1,750,000 Attack method: Private key leak
Description of the event: BitMart founder and CEO Sheldon Xia tweeted to admit that a large-scale security breach occurred on the platform, and hackers were able to extract assets worth about US$150 million. The affected ETH hot wallet and BSC hot wallet carry a small amount of assets on BitMart, and the other wallets are safe and undamaged. Currently, BitMart has suspended withdrawals.
Amount of loss: $ 150,000,000 Attack method: Stolen hot wallet