1486 hack event(s)
Description of the event: Multi-chain lending protocol FilDA released a statement on a vulnerability exploit, saying that it was attacked earlier today on the Elastos Smart Chain (ESC) and REI networks, causing losses of approximately $700,000. No other FilDA deployments were affected. The vulnerabilities have been identified and the attack vectors isolated.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: Wayne, the co-founder of the NFT game Tales of Elleria, tweeted early this morning: "The bridge contract of Tales of Elleria was exploited, causing its LP to be depleted and losing more than $280,000. The attacker seems to have generated his own signature, and extracted a large amount of ELM tokens, draining the LP. The current findings suspect that the hacker exploited the ecrecover function and was able to generate authorized signatures without our private key."
Amount of loss: $ 280,000 Attack method: Contract Vulnerability
Description of the event: Sealaunch, an NFT data and research platform, has monitored that the MEV Bot named jaredfromsubway.eth recently carried out "sandwich attacks" on buyers and sellers of Meme coins such as WOJAK and PEPE, earning more than $1.4 million in profits. Additionally, Sealaunch stated that MEV Bots spent 7% of Ethereum’s gas fees during the 24-hour period between April 18 and 19. A sandwich attack occurs when the attacker "sandwiches" the victim's transaction between two of his own to profit from the user by manipulating prices.
Amount of loss: $ 1,400,000 Attack method: Sandwich Attack
Description of the event: The Discord server of the cross-chain trading platform zkLink has been hacked, and some hackers posted phishing links. Do not click on any links until the team confirms that they have regained control of the server.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The Arbtomb project in the Arbitrum ecosystem is suspected of a rug pull. The scammer has bridged 54 ETH (approximately $110,000) to Ethereum, then transferred 52 ETH to Tornado Cash, and transferred 2.4 ETH to Binance.
Amount of loss: $ 110,000 Attack method: Rug Pull
Description of the event: KyberSwap, a DEX aggregator and liquidity platform, tweeted that they had discovered a potential vulnerability in KyberSwap Elastic and asked liquidity providers to withdraw their liquidity as soon as possible. No user assets have been lost so far.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The loss from today's HundredFinance hack is ~$7m. The root cause appears to be that the attacker donated 200 WBTC to inflate hWBTC's exchange rate, so that even a tiny amount (2 wei) of hWBTC could drain the current lending pools.
Amount of loss: $ 7,000,000 Attack method: Contract Vulnerability
Description of the event: Bitrue tweeted: We have identified a brief exploit in one of our hot wallets on 07:18 (UTC), 14 April 2023. We were able to address this matter quickly and prevented the further exploit of funds. The attackers were able to withdraw assets worth approximately 23M USD in ETH, QNT, GALA, SHIB, HOT and MATIC. The affected hot wallet only holds less than 5% of our overall funds. The rest of our wallets remain secure and have not been compromised. To conduct additional security checks, Bitrue will temporarily suspend all withdrawals and will reopen withdrawals on 18 April 2023. We seek your understanding and patience at this time. All identified users who are affected by this incident will be compensated in full.
Amount of loss: $ 23,000,000 Attack method: Wallet Stolen
Description of the event: The SyncDex project on the zkSync Era mainnet has exited with a rug pull, resulting in over $370,000 in losses.
Amount of loss: $ 370,000 Attack method: Rug Pull
Description of the event: The decentralized yield aggregation platform Yearn Finance was attacked, and the hackers made more than $10 million in profits. According to SlowMist's analysis, the cause was a mistakenly set fulcrum address in the yUSDT contract, which the attacker used to manipulate the stablecoin reserve balance in the yUSDT contract and then deposit USDT into yUSDT to obtain an unexpectedly large amount of yUSDT tokens for profit.
Amount of loss: $ 10,000,000 Attack method: Contract Vulnerability
Description of the event: MetaPoint ($POT) on BSC was hacked with a loss of $920K. The root cause is that users will create a new contract to hold their funds each time they deposit $POT, but the contract has a public approve function to transfer all users' assets.
Amount of loss: $ 920,000 Attack method: Contract Vulnerability
Description of the event: Paribus, the first cross-chain lending platform on Cardano, was attacked and lost about $100,000. The reason for the attack is that it uses a fork of an old version of Compound V2, which has a known reentrancy vulnerability.
Amount of loss: $ 100,000 Attack method: Reentrancy Attack
Description of the event: Terraport, a decentralized finance project launched by TerraCVita, an independent development team of Terra Classic, was hacked and all its liquidity was exhausted. Data shows that nearly $4 million worth of LUNC, USTC and TERRA tokens have been emptied. The attacker withdrew 9,148,426 TERRA and 15.1 billion LUNC in the first transaction, and 576,736 TERRA and 5,487,381 USTC in the second transaction.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: SUSHI RouteProcessor2 was attacked and lost about 1800 ETH, about $3.34 million. According to SlowMist's analysis, the root cause is that ProcessRoute does not perform any checks on the route parameters passed in by the user, which allowed the attacker to construct a malicious route parameter so that the pool read by the contract was one created by the attacker. On April 19, SushiSwap released a postmortem analysis report stating that due to 18 replayed transactions, the 1,800 WETH initially depleted from the first user’s wallet ended up in multiple wallets. A total of 885 ETH have been refunded so far. Of these, approximately 685 ETH were sent to Sushi core contributors to operate the multisig, 190 ETH were sent to affected users, and 10 ETH were sent to the Sushi rescue contract.
Amount of loss: $ 3,340,000 Attack method: Unchecked Input Data
Description of the event: South Korean cryptocurrency exchange GDAC said on its official website that it was hacked and lost nearly $13 million. On April 9, the hackers moved nearly $13 million, or 23 percent of their total custody assets, from the GDAC hot wallet to an unidentified wallet. Hackers stole nearly 61 bitcoins (BTC), 350.5 ethers (ETH), 10 million wemix tokens (WEMIX), and 220,000 USDT.
Amount of loss: $ 13,000,000 Attack method: Wallet Stolen
Description of the event: On April 9th, a rug pull occurred on the zkSync ecosystem project CoreHunter, and the scammers made a profit of about 510,000 US dollars.
Amount of loss: $ 510,000 Attack method: Rug Pull
Description of the event: The DeFi lending protocol Sentiment stated that the team discovered abnormal lending activity. This malicious activity led to the theft of about $966,000 from Sentiment on the Arbitrum network. The root cause is the read-only reentrancy of Balancer. On April 7, Sentiment announced that it had successfully recovered more than $900,000 of the stolen funds, leaving the remaining $95,000 as a reward for the attackers.
Amount of loss: $ 966,000 Attack method: Contract Vulnerability
Description of the event: On April 3, MEV bots suffered a malicious sandwich attack that cost them around $25 million. On-chain data shows that the malicious validator who attacked the MEV bots today has been slashed and removed from the validator queue. According to SlowMist's analysis, the MEV bots were attacked because the relay still returned the payload to the proposer even when the beacon block was incorrect, which allowed the proposer to access the content of the block before another block was finalized. The attacker took advantage of this to construct an invalid block that could not be verified and that the relay could not broadcast (status code 202), obtaining the transaction content in advance. mev-boost-relay has urgently released a new version to mitigate this problem, and relay operators are advised to upgrade promptly.
Amount of loss: $ 25,000,000 Attack method: Sandwich Attack
Description of the event: According to a Telegram announcement, the DAO Maker project Degen Zoo is suspected to have been hacked on Binance Oracle. At present, the project team has suspended the game and launched an investigation. No vulnerabilities have been found yet, and better animals cannot be hatched through smart contract errors.
Amount of loss: - Attack method: Unknown
Description of the event: The cross-chain bridge Allbridge was hacked and lost about $570,000 (including about 280,000 BUSD and about 290,000 USDT). The root cause appears to be manipulation of the swap price of the pool. The hacker played the dual role of liquidity provider and trader, draining the funds in the pool. On April 4, Allbridge tweeted: "The owner of address 0xC578 contacted us and refunded 1,500 BNB (approximately $463,600), and the remaining funds will be considered a white hat bounty for this individual."
Amount of loss: $ 570,000 Attack method: Price Manipulation