1513 hack event(s)
Description of the event: FixedFloat, a decentralized exchange, tweeted that they have encountered another attack, with hackers exploiting vulnerabilities in their third-party services. The company assured that both company and user funds remain unaffected.
Amount of loss: - Attack method: Third-party Vulnerability
Description of the event: The DeFi protocol OpenLeverage has been attacked, resulting in a loss of approximately $260,000. In light of this, OpenLeverage has decided to discontinue the OpenLeverage trading and lending protocol. OpenLeverage is initiating processes for users to close trades/borrowings and withdraw funds safely. All protocol actions will remain paused until withdrawal processes begin early next week.
Amount of loss: $ 260,000 Attack method: Unknown
Description of the event: The founder of yield-trading protocol Pendle Finance tweeted that the team has confirmed being unable to access the official Pendle Twitter account and is currently investigating to resolve the issue. During this period, hackers used the Pendle official Twitter account to post phishing links. On the same day, the Pendle founder tweeted that the team had regained control of the official Pendle Twitter account.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The Solana ecosystem is grappling with a spate of drained wallets. A cause has yet to be definitively determined, but some of the thefts were linked to the use of trading bots like Solareum. According to security researcher Plum, a vulnerability in the Solareum Telegram trading bot was used to take approximately $1 million worth of SOL from victims.
Amount of loss: $ 1,000,000 Attack method: Unknown
Description of the event: Lava suffered a flash loan attack, resulting in approximately $340,000 in losses. All lending markets are reportedly paused as the investigation is ongoing.
Amount of loss: $ 340,000 Attack method: Flash Loan Attack
Description of the event: Decentralized lending protocol Prisma Finance was hacked, with a loss of approximately 3,257.7 ETH (equivalent to around $11.6 million USD). The protocol has currently been suspended for investigation. Officials remind vault owners to disable authorization for related LST and LRT contract delegations.
Amount of loss: $ 11,600,000 Attack method: Contract Vulnerability
Description of the event: The Blast ecosystem project Munchables was attacked, resulting in the theft of 17,400 ETH (approximately $62.3 million), a loss listed as approximately $62.5 million. On the same day, Blast founder Pacman tweeted: "$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required."
Amount of loss: $ 62,500,000 Attack method: Insider Manipulation
Description of the event: The email newsletter account of Web3 media company Decrypt has been compromised, and a phishing scam email has been sent to all of our subscribers. Please do not click on any links. Currently, the attacker has profited $3,000 through phishing.
Amount of loss: $ 3,000 Attack method: Account Compromised
Description of the event: The project ZongZiFa on BSC was exploited through a flash loan, resulting in a loss of approximately $229,000. The attacker manipulated the price of ZongZi to gain invitation rewards.
Amount of loss: $ 229,000 Attack method: Flash Loan Attack
Description of the event: The RWA infrastructure of the Curio Ecosystem suffered an attack, resulting in a loss of $16 million, involving smart contracts based on MakerDAO within its ecosystem. The attacker exploited a permission access logic vulnerability.
Amount of loss: $ 16,000,000 Attack method: Contract Vulnerability
Description of the event: The new blockchain game Super Sushi Samurai, based on the Blast layer-2, was attacked due to a vulnerability in its token contract, resulting in a loss of approximately $4.6 million. Shortly after the theft, the attacker contacted the project, claiming to be a whitehat. Later, Super Sushi Samurai confirmed that the funds had been returned, minus a 5% bounty.
Amount of loss: $ 4,600,000 Attack method: Contract Vulnerability
Description of the event: The astrology-based project Lucky Star Currency rug-pulled in October 2023, resulting in a loss of $1.1 million. On March 22, 2024, ownership of the project was transferred to a malicious smart contract, which then drained tokens valued at almost $300,000 from those who still held them.
Amount of loss: $ 300,000 Attack method: Rug Pull
Description of the event: The hackers gained access to AirDAO LP through a social engineering scam and drained the liquidity pool of AMB/ETH. The scam involved an email with a malicious attachment, impersonating one of their known partners. In total, the hackers stole 41,612,782.10627101 AMB and 126.5 ETH.
Amount of loss: $ 1,050,000 Attack method: Social Engineering
Description of the event: TICKER project developer steals $900,000. A developer brought on to run a presale for the TICKER token stole $900,000 from the project. 15% of the token supply was sent to the developer to distribute via an airdrop, but instead of doing so, the developer sold the majority of the tokens for around $900,000.
Amount of loss: $ 900,000 Attack method: Insider Manipulation
Description of the event: Decentralized exchange (DEX) aggregator ParaSwap announced the discovery of a critical vulnerability affecting its approved aggregation smart contract Augustus V6. This vulnerability impacts users who have authorized the Augustus V6 contract. In response, ParaSwap has temporarily halted the V6 API and employed white-hat attack methods to ensure the safety of user funds. These funds have been transferred to a secure wallet starting with 0x66E90 and are slated to be returned to users promptly. Additionally, ParaSwap urges users to revoke authorization for the Augustus V6 contract to mitigate potential risks. Currently, 4 addresses are known to have been affected by this vulnerability, resulting in a total loss of approximately $24,000. ParaSwap is taking measures to address and fix this vulnerability while ensuring the safety of user funds.
Amount of loss: $ 24,000 Attack method: Contract Vulnerability
Description of the event: On March 20th, Dolomite, a decentralized trading protocol in the Arbitrum ecosystem, was attacked due to a vulnerability in its old contracts on the Ethereum mainnet. Approximately 187 victims suffered asset losses totaling $1.8 million, including 1,245,271 USDC, 94,423 DAI, and 165.9 WETH. As of March 24th, Dolomite has recovered 90% of the assets taken by the attacker.
Amount of loss: $ 1,800,000 Attack method: Contract Vulnerability
Description of the event: The @GoDaddy account for the L2 cross-chain bridge LayerSwap's domain http://layerswap[.]io was compromised. The compromise of the domain led to a phishing site being displayed, resulting in approximately 50 users losing ~$100K worth of assets. To address this, Layerswap is refunding the affected users in full plus an additional 10% as compensation for the inconvenience caused.
Amount of loss: $ 100,000 Attack method: DNS Hijacking Attack
Description of the event: The hot wallet and multi-signature treasury of Remilia, the parent company of Milady, were hacked and drained, with assets from multiple official Remilia wallets being transferred and sold. Charlotte Fang, the founder of Milady, claimed he was hacked and drained of ETH and NFTs potentially worth several million dollars. Although the project's treasury used a multi-signature model, the private keys were stored in one password manager, which Fang says was compromised. The attacker stole around 490 ETH (~$1.8 million) and $58,000 USDC, along with more than 130 Milady NFTs, 320 Remilio NFTs, and hundreds of derivative tokens issued on the NFTX platform. Based on floor prices, the assets are valued at north of $6 million.
Amount of loss: $ 6,000,000 Attack method: Unknown
Description of the event: According to blockchain investigator ZachXBT, an account impersonating Solana ecosystem KOL Ansem (@blknoiz06) capitalized on the recent meme coin craze to profit over $2.6 million through phishing.
Amount of loss: $ 2,600,000 Attack method: Social Engineering
Description of the event: The deployer wallet of the NFT marketplace Wilder World was attacked, and ownership was transferred to the attacker. Following a malicious upgrade, the attacker withdrew WILD and MEOW tokens and converted them into approximately $1.8 million.
Amount of loss: $ 1,800,000 Attack method: Private Key Leakage