1513 hack event(s)
Description of the event: SUSHI RouteProcessor2 was attacked and lost about 1800 ETH, about $3.34 million. According to SlowMist's analysis, the root cause is that ProcessRoute does not perform any checks on the route parameters passed in by the user, which allowed the attacker to construct a malicious route parameter so that the Pool read by the contract was one created by the attacker. On April 19, SushiSwap released a postmortem analysis report stating that due to 18 replayed transactions, the 1,800 WETH initially depleted from the first user’s wallet ended up in multiple wallets. A total of 885 ETH have been refunded so far. Of these, approximately 685 ETH were sent to Sushi core contributors to operate the multisig, 190 ETH were sent to affected users, and 10 ETH were sent to the Sushi rescue contract.
Amount of loss: $ 3,340,000 Attack method: Unchecked Input Data
Description of the event: South Korean cryptocurrency exchange GDAC said on its official website that it was hacked and lost nearly $13 million. On April 9, the hackers moved nearly $13 million, or 23 percent of GDAC's total custody assets, from the GDAC hot wallet to an unidentified wallet. The hackers stole nearly 61 bitcoins (BTC), 350.5 ethers (ETH), 10 million wemix tokens (WEMIX), and 220,000 USDT.
Amount of loss: $ 13,000,000 Attack method: Wallet Stolen
Description of the event: On April 9th, a rug pull occurred on CoreHunter, a project in the zkSync ecosystem, and the scammers made a profit of about 510,000 US dollars.
Amount of loss: $ 510,000 Attack method: Rug Pull
Description of the event: The DeFi lending protocol Sentiment stated that the team discovered abnormal lending activities. This malicious use led to the theft of about $966,000 from Sentiment on the Arbitrum network. The root cause is the read-only reentrancy of Balancer. On April 7, Sentiment announced that it had successfully recovered more than $900,000 of the stolen funds, leaving the remaining $95,000 as a reward for the attackers.
Amount of loss: $ 966,000 Attack method: Contract Vulnerability
Description of the event: On April 3, MEV bots suffered a malicious sandwich attack that cost them around $25 million. On-chain data shows that the malicious validator who attacked the MEV bots today has been slashed and kicked out of the validator queue. According to SlowMist analysis, the MEV bots were attacked because the relay still returned the payload to the proposer even when the beacon block was incorrect, which allowed the proposer to access the content of the block before another block was finalized. The attacker took advantage of this problem by maliciously constructing an invalid block, so that the block could not be verified and the relay could not broadcast it (the status code is 202), and thereby obtained the transaction content in advance. mev-boost-relay has urgently released a new version to mitigate this problem, and relay operators are advised to upgrade the relay promptly.
Amount of loss: $ 25,000,000 Attack method: Sandwich Attack
Description of the event: According to a Telegram announcement, the DAO Maker project Degen Zoo is suspected to have been hacked on Binance Oracle. At present, the project team has suspended the game and launched an investigation. No loopholes have been found yet, and better animals cannot be hatched through smart contract errors.
Amount of loss: - Attack method: Unknown
Description of the event: The cross-chain bridge Allbridge was hacked and lost about $570,000 (including about 280,000 BUSD and about 290,000 USDT). The root cause appears to be manipulation of the swap price of the pool. The hacker played the dual role of liquidity provider and trader, draining the funds in the pool. On April 4, Allbridge tweeted: "The owner of address 0xC578 contacted us and refunded 1,500 BNB (approximately $463,600), and the remaining funds will be considered a white hat bounty for this individual."
Amount of loss: $ 570,000 Attack method: Price Manipulation
Description of the event: According to official news, the zkSync team announced the cause of the downtime on Twitter. Block generation stopped due to a block queue database failure. Despite this, the server API was not affected. Transactions continue to be added to the mempool, and queries are served normally. Although all components had comprehensive monitoring, logging, and alerting, no alerts were triggered because the API was functioning properly.
Amount of loss: - Attack method: Downtime
Description of the event: The address of Patricio Worthalter, founder of POAP, was hit by a phishing attack. The attacker transferred 85,898 RPL (approximately $3.83 million) from Worthalter’s address to a DEX, and sold all the RPL for 1,802 ETH (approximately $3.25 million). price drop.
Amount of loss: $ 3,830,000 Attack method: Phishing Attack
Description of the event: Safemoon, a DeFi protocol based on the BNB chain, was attacked, and its liquidity pool lost nearly $8.9 million. Safemoon CEO John Karony said on Twitter: "This security incident affected the SFM:BNB LP pool and other LP pools on DEX were not affected. We have located the suspected vulnerability and fixed it." According to analysis, the recent update may have introduced a "public destruction vulnerability", which made the attack possible. The hacker was able to use code functionality to artificially inflate the price of SFM tokens, then sell enough tokens back to the liquidity pool in the same transaction, effectively draining WBNB from the contract. On April 20, the SafeMoon attacker returned 80% of the stolen funds, that is, transferred 21,804 BNB (approximately $7.2 million) to the SafeMoon vault wallet, leaving the remaining 20% as a bounty.
Amount of loss: $ 8,900,000 Attack method: Contract Vulnerability
Description of the event: Kokomo Finance conducted an exit scam and stole ~$4 million in user funds.
Amount of loss: $ 4,000,000 Attack method: Rug Pull
Description of the event: EC token deployer addresses withdrew approximately $43,800 from the liquidity pool.
Amount of loss: $ 43,800 Attack method: Rug Pull
Description of the event: Defunct Swerve Finance still subject of $1.3 million live governance hack
Amount of loss: $ 1,300,000 Attack method: Governance Attack
Description of the event: The FASTSWAP (FAST) project on BNB Chain suffered a flash loan attack and lost 26.77 BNB.
Amount of loss: 26.77 BNB Attack method: Flash Loan Attack
Description of the event: Circle tweeted that the Circle Chief Strategy Officer's Twitter account (@ddisparte) has been taken over by a scammer. Any link to an offer is a scam. We are investigating this situation and taking appropriate action. Earlier, Circle’s Chief Strategy Officer tweeted that a loyalty rewards distribution program would be launched for USDC holders. However, the tweet has now been deleted.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: According to news, the NFT series "Archive of PEACEMINUSONE" released by Korean singer Quan Zhilong is affected by the previously disclosed CVE-2022-38217 general vulnerability, and the possibility of it being exploited by hackers cannot be ruled out.
Amount of loss: - Attack method: CVE-2022-38217 general vulnerability
Description of the event: Indexed Finance's ORCL5 Token contract suffered a flash loan attack and lost $9,925. Preliminary root cause analysis indicates that "calcSingleOutGivenPoolIn()" calculates a wrong value of tokenAmountOut.
Amount of loss: $ 9,925 Attack method: Flash Loan Attack
Description of the event: According to news, the Harvest_Keeper project maliciously transferred user funds, involving an amount of about 933,000 US dollars. On-chain data shows that the attacker used the owner authority to transfer the USDT staked by users in the HarvestKeeper contract by calling the getAmount function. The attacker then used the token approvals that users had granted to an EOA account to transfer users' funds through that EOA multiple times.
Amount of loss: $ 933,000 Attack method: Insider Manipulation
Description of the event: ParaSpace is suspected to have been attacked and it appears that 2,900 WETH were transferred out, with many users reporting inconsistent data on the number of loans, health factors and cAPE amounts. However, a security firm tweeted that it had stopped the attack on ParaSpace, saving 2,900 ETH in assets. ParaSpace tweeted that all user funds and assets on ParaSpace are currently safe, no NFTs were lost, and the financial loss of the protocol was minimal, between 50-150 ETH, due to the slippage caused by the hackers' token exchange during the attack.
Amount of loss: 150 ETH Attack method: Contract Vulnerability
Description of the event: According to its official Twitter account, the General Bytes cryptocurrency ATM service was attacked on March 17 and 18. The attacker used the upload interface in the system to upload and run a malicious Java program, and then obtained database access on the server and the hot wallet withdrawal API key. According to SlowMist MistTrack, the loss was about $1.8 million.
Amount of loss: $ 1,800,000 Attack method: Malicious software