35 hack event(s)
Description of the event: The cross-chain protocol pNetwork released an analysis report in response to the previous attack that resulted in the theft of 277 BTC, stating that at 17:20 UTC on September 19, 2021, the pNetwork system was attacked by hackers who attacked multiple pToken bridges. Including pBTC-on-BSC, TLOS-on-BSC, PNT-on-BSC, pBTC-on-ETH, TLOS-on-ETH and pSAFEMOON-on-ETH. However, hackers only cross-chain bridges in pBTC-on-BSC The attack was successful and 277 BTC were stolen from the pBTC-on-BSC collateral. Other pToken bridges were not affected and the funds were safe. In addition, since the hacker address has been reported to the exchange, the stolen funds are still on the hacker BTC address, and no transfer has occurred.
Amount of loss: 277 BTC Attack method: Code vulnerabilities
Description of the event: Pinecone launched the pledge pool of protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 AM UTC. When the Pinecone PCT pledge pool went online, the front-end was processed to limit illegal operations, but the hacker bypassed the front-end page during the attack and directly called the smart contract through the ordinary account, depositing PCT tokens greater than the amount of the account balance, and the PCT pool was wrong. Records the number of user deposits. When withdrawing, you can extract more PCT tokens. After discovering that the currency price had plunged, the project party immediately terminated the call of the smart contract. The current loss of the number of PCTs: about 3.5 million.
Amount of loss: 3,500,000 PCT Attack method: Deflationary tokens are not compatible with mortgage models
Description of the event: On August 17, the DeFi project XSURGE on BSC suffered a lightning loan attack. On August 16, local time, XSURGE officially issued a statement about the SurgeBNB vulnerability before the attack. Since the SurgeBNB contract cannot be changed and has been abandoned, the vulnerability cannot be patched. XSURGE said that it did not disclose any specific details about the nature of this vulnerability, but strongly recommends that users migrate out of SurgereBnb as soon as possible. The vulnerability may be triggered by an attacker at any time. After the announcement, XSURGE was subsequently attacked, and the attacker stole $5 million from SurgeBNB.
Amount of loss: $ 5,000,000 Attack method: Flash loan attack
Description of the event: The Neko Network, a lending protocol on the Binance Smart Chain (BSC), was attacked. The attacker used vulnerabilities in the protocol to mortgage assets in the name of the user and sent the borrowed funds directly to the attacker’s own address. All asset pools on the Neko Network have been frozen to avoid changes. Multiple attacks occur. Due to the setting of the time lock, it takes 24 hours to develop the fund pool and allow users to raise funds in the pool. Neko Network is a product developed by the Zero Coupon Money Market Protocol Maze Protocol team.
Amount of loss: $ 2,200,000 Attack method: Protocol vulnerabilities
Description of the event: Wault Finance on the BSC chain was attacked, and the attacker made a profit of 930,000 US dollars. Attackers due to design flaws in the economic model can carry out arbitrage attacks on the pool of WaultSwapPair (BSC_USDT-WEX).
Amount of loss: $ 930,000 Attack method: Flash loan attack
Description of the event: Levyathan, the encryption index protocol on the BSC chain, was attacked. According to the official event update, the hacker minted 100,000,000,000,000,000,0 billion LEV tokens, which caused the price of LEV to return to zero. The loss of this attack was approximately USD 1.5 million. The official attributed the accident to the leak of the developer's private key.
Amount of loss: $ 1,500,000 Attack method: Developer private key leaked
Description of the event: ApeRocket, the DeFi revenue mining aggregator and optimizer, released the lightning loan attack details and compensation plan. ApeRocket's BSC version and Polygon version encountered lightning loan attacks at 4:30 AM and 8:00 AM (UTC), respectively, and lost 260,000 US dollars and 1,000,000.
Amount of loss: $ 1,260,000 Attack method: flash loan attack
Description of the event: The hacking of the revenue aggregator Merlin Lab stems from a logical loophole in MerlinStrategyAlpacaBNB. The contract mistakenly uses the BNB transferred by the beneficiary as mining revenue, which makes the contract issue more MERL as a reward. After repeated operations, the attacker made a profit of 300,000 US dollars. MERL was cut short, falling from $16.23 to $6.09.
Amount of loss: $ 300,000 Attack method: Logical error
Description of the event: The DeFi protocol xWin Finance based on Binance Smart Chain was attacked by lightning loans. The xWin Finance token XWIN has fallen by nearly 90% in 24 hours. The attacker used xWin Finance's "reward mechanism" to continuously add and remove liquidity to obtain rewards. Under normal circumstances, due to the small amount of users added, the gains may be small, or even not enough to pay the handling fees; but in the face of huge amounts of funds, the rewards will become abnormally high.
Amount of loss: $ 281,599 Attack method: Manipulate the oracle
Description of the event: The BSC on-chain project StableMagnet ran away and lost USD 24 million. On August 12, the Greater Manchester Police Department announced that it had arrested the suspects of the StableMagnet Finance team who had previously taken away $22 million of users on the BSC. The police found a large amount of stolen Ethereum in the encrypted U disk. According to statistics, this money accounted for 90%($ 22,250,000) of the stolen cryptocurrency, and it is now beginning to reconnect with the legitimate owner.
Amount of loss: $ 1,750,000 Attack method: Scam
Description of the event: Nerve Finance, a stablecoin trading platform based on the Binance Smart Chain (BSC), tweeted that the Nerve-related machine gun pool in the revenue aggregator Eleven Finance have been attacked by sparks. After analysis, the reason for the exploit is that the emergencyBurn() function does not calculate the balance correctly and does not execute the destruction.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: Impossible Finance, the DeFi protocol on the BSC chain, was attacked by a lightning loan, and the attacker made a profit of 1,510.75 WBNB (a total of US$497,000). On June 25, the attackers refunded approximately $252,000. The core of this attack is that the K value check is not performed in the cheapSwap function, which causes the attacker to obtain additional tokens by performing multiple exchange operations in one exchange process.
Amount of loss: $ 245,000 Attack method: No K value check
Description of the event: EvoDefi, the project revenue farm on the BSC chain, was attacked, and the price of its token GEN dropped from US$2.1/piece to US$0.9/piece, a short-term drop of 57%. Loss of 455,576.85 GEN worth approximately USD 1 million. Due to the design flaws in the update logic of the function in the MasterChef contract, the part of the reward that needs to be deducted is not updated, which leads to arbitrage by the attacker.
Amount of loss: $ 1,000,000 Attack method: Flash loan attack
Description of the event: BurgerSwap, an automated market maker on the Binance Smart Chain, was once again attacked by lightning loans. The attacker took advantage of the re-entry vulnerability in the contract, repeated the swap operation many times, controlled the price through re-entry and counterfeit currency, and finally realized the purpose of attack arbitrage.
Amount of loss: - Attack method: Reentry attack
Description of the event: According to official sources, PancakeHunny on BSC was attacked by hackers, and the hackers made 43 ETH (a total of more than 100,000 US dollars). PancakeHunny forked from PancakeBunny, and the attack suffered this time was similar to PancakeBunny. Hackers obtained a large amount of HUNNY tokens and threw them to the market, causing the price of HUNNY tokens to plummet.
Amount of loss: 43 ETH Attack method: Flash loan attack
Description of the event: According to official sources, Belt Finance on the Binance Smart Chain (BSC) suffered a lightning loan attack and lost US$6.2 million. The attacker used flash loans to obtain more than 6.2 million US dollars of funds from the Belt Finance agreement through 8 transactions, and has converted most of the funds into anyETH and withdrawn to Ethereum.
Amount of loss: $ 6,200,000 Attack method: Flash loan attack
Description of the event: BurgerSwap, an automatic market maker on the BSC chain, suffered a lightning loan attack and lost nearly 7 million U.S. dollars. This attack is a problem in the BurgerSwap architecture. Since the Pair layer completely trusts the data of the PaltForm layer, it did not perform another check on its own, which led to the attack.
Amount of loss: $ 7,000,000 Attack method: Flash loan attack
Description of the event: The JulSwap of the DEX protocol and the automated liquidity protocol on the BSC chain was attacked by lightning loans, and $JULB fell more than 95% in a short time.
Amount of loss: 1,500,000 Attack method: Flash loan attack
Description of the event: MerlinLabs, the DeFi revenue aggregator, was attacked. The attack method was similar to that of PancakeBunny, which was attacked by lightning loan 5 days ago, and lost US$6.8 million.
Amount of loss: $ 6,800,000 Attack method: Flash loan attack
Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain (BSC) was attacked by a lightning loan, and the currency price suffered a flash crash, with a drop of more than 99% at one time, loss of 750,000 USD.
Amount of loss: $ 750,000 Attack method: Flash loan attack