98 hack event(s)
Description of the event: According to SlowMist Zone intelligence, the Vesting contract of DAO Maker was attacked by hackers. DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS) and Showcase Token (SHO) all use DAO Maker's distribution system, and the DAO Maker contract was attacked during distribution to holders (SHO) on DAO Maker. That is, there was a loophole in the distribution system for SHO participants: the init function had no initialization protection, so the attacker called init to set its key parameters and change the owner at the same time, then stole the target tokens through emergencyExit and exchanged them for DAI. The attacker's final profit was nearly 4 million U.S. dollars.
Amount of loss: $ 4,000,000 Attack method: Initialize unauthenticated
Description of the event: A flash loan attack occurred at Cream Finance, a mortgage lending platform. In its post-mortem analysis report of the flash loan attack, it stated that a total of 460 million AMP tokens and 2804 ETH (worth approximately US$34 million at the time) were stolen due to the oversight. Cream Finance committed to putting 20% of all protocol fees toward repayment until the losses are fully repaid. The incident involved one main exploiter and one imitator. Cream Finance will forward all relevant information to law enforcement agencies and prosecute within the scope permitted by law.
Amount of loss: $ 34,000,000 Attack method: Flash loan attack
Description of the event: The DeFi staking and liquidity strategy platform xToken, which suffered a flash loan attack, released an analysis report on the vulnerability in the xSNX contract. At 4:43 UTC on August 29th, a vulnerability in the xSNX contract was exploited, and holders' losses were estimated at 4.5 million U.S. dollars. xToken believes it is best to stop offering the xSNX product at this time. xToken stated that it will no longer use the xSNX contract for SNX staking.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: DAO Maker issued an announcement stating that at around 1:00 UTC on August 12th, hackers maliciously used a DAO Maker wallet and obtained administrator rights. After initially testing this vulnerability and successfully stealing 10,000 USDC, the attacker quietly made another 15 transactions. In this way, the hackers took approximately $7 million before the security team was able to track, control, and prevent the outflow of funds. A total of 5,251 users were affected, and each user lost an average of $1250. Users holding up to $900 in funds were not affected at all.
Amount of loss: $ 7,000,000 Attack method: The administrator's private key leaked
Description of the event: Punk Protocol, the decentralized annuity protocol, stated that it was attacked during its fair launch, causing a loss of 8.9 million US dollars. Later, the team recovered another 4.95 million US dollars and transferred it to a secure wallet. The Punk Protocol team stated that the attacker found a critical loophole in the investment strategy and extracted more than 8.9 million U.S. dollars of three stablecoin assets (USDC, USDT, DAI) from the Forge-CompoundModel module, but a white hat hacker noticed the attacker's intent and executed a transaction that recovered $4.95 million. The lost funds have been transferred to the Ethereum mixing platform Tornado.cash, so they are difficult to trace.
Amount of loss: $ 3,950,000 Attack method: Initialize function does not do repeated initialization check
Description of the event: Poly Network, a cross-chain interoperability protocol, said it was attacked, and a total of more than 610 million US dollars was transferred to 3 addresses. Of this, the funds transferred to the Binance Smart Chain address starting with 0x0D6e2 exceeded 250 million US dollars, the funds transferred to the Ethereum address starting with 0xC8a65 exceeded 270 million U.S. dollars, and over 85 million U.S. dollars was transferred to a Polygon address. As a result, a large amount of assets in the O3 Swap cross-chain pool was transferred out, and officials are investigating. With the efforts of many parties, the hackers have now returned tokens worth 342 million U.S. dollars.
Amount of loss: $ 613,062,100.7 Attack method: The keeper of the EthCrossChainData contract is modified
Description of the event: Popsicle Finance, a multi-chain revenue optimization platform, was attacked. The core of this vulnerability is that, because of a defect in how reward updates are recorded, the same PLP certificate can yield rewards for multiple holders at the same point in time.
Amount of loss: $ 20,000,000 Attack method: Reward update record defect
Description of the event: THORChain (RUNE), a decentralized cross-chain transaction protocol, said that hackers were airdropping UniH tokens to Ethereum addresses as bait to steal RUNE tokens from users' wallets. Hackers have airdropped UniH tokens with malicious contracts to at least 76,000 Ethereum addresses. Once recipients sell their newly received UniH tokens (or even just approve the sale) on decentralized trading platforms such as Uniswap, the hackers can steal any RUNE tokens held in their wallets. This is because the RUNE token uses a non-standard token contract that relies on "tx.origin". THORChain's RUNE token contract code contains the warning "Beware of phishing contracts that may steal tokens by intercepting tx.origin", which shows the team knew this type of attack could occur. In just a few hours, hackers stole USD 76,000 worth of tokens.
Amount of loss: $ 76,000 Attack method: Scam
Description of the event: THORChain (RUNE), a decentralized cross-chain transaction protocol, said it was attacked again, and many ERC20 tokens including XRUNE were affected. This attack targeted ETH routing and lost 8 million U.S. dollars. The attacker "intentionally limited the impact of the attack, which seems to be done by a white hat."
Amount of loss: $ 8,000,000 Attack method: Unknown
Description of the event: The attacker used the mechanism of the deflationary token KEANU to exploit reward vulnerabilities in the Memestake contract deployed by Sanshu Inu, ultimately making a profit of about 56 ETH.
Amount of loss: 56 ETH Attack method: Contract reward vulnerabilities
Description of the event: The DeFi project Array Finance was hit by a flash loan attack. The attacker exploited the fact that Array Finance's pricing mechanism relies on aBPT's totalSupply. Officials stated that the attacker made a profit of about 272.94 ETH, worth about $515,000.
Amount of loss: 272.94 ETH Attack method: Flash loan attack
Description of the event: The decentralized cross-chain transaction protocol THORChain (RUNE) updated its account of the attack, stating that about 4000 ETH in assets was lost. The initial assessment is that the attacker exploited a logic vulnerability in how Eth Bifrost uses the routing contract to capture ERC-20 tokens. Not long ago, THORChain updated Eth Bifrost to allow the routing contract to be "encapsulated" by a contract. The attacker used this to send a transaction with msg.value = 200 ETH and immediately had the contract transfer it back to itself, while Bifrost reported msg.value = 200 instead of depositAmount = 0, letting the attacker profit from calling the routing contract with an amount of 0 ETH.
Amount of loss: $ 7,600,000 Attack method: False top-up
Description of the event: DeFiPie (PIE), the lending protocol on the Ethereum and Binance smart chains, was hacked. All liquidity providers are advised to withdraw all liquidity from the application. PIE tokens fell by more than 66% in 24 hours. The attacker used a reentrancy attack to over-borrow, taking out a portion of the valuable assets. The attacker then used counterfeit tokens in liquidation operations to take away the valuable collateral, so the DeFiPie protocol lost not only the assets it had lent out but also all of the collateral, and its liquidity was drained.
Amount of loss: 124,999 BUSD Attack method: Reentry attack
Description of the event: The cross-chain bridge project Anyswap issued an announcement stating that the newly launched V3 cross-chain liquidity pool was hacked in the early hours of yesterday, with a total loss of 2.39 million USDC and 5.5 million MIM. According to Etherscan, the hacker has sold all the MIM and obtained 548 Million DAI, which means that Anyswap's total loss is more than 7.87 million U.S. dollars. According to the explanation of the cause in the Anyswap announcement, two V3 router transactions were detected under the V3 router MPC account on BSC. These two transactions had signatures with the same R value, and the hacker derived the private key of this MPC account from them. The team has now fixed the code to avoid reusing the same R value in signatures. Multi-chain router V3 will restart in about 48 hours. There is no security risk for V1 and V2. Anyswap stated that it has taken remedial measures to provide full compensation. Anyswap will refill the stolen liquidity within 48 hours, and liquidity providers will be able to withdraw assets from the pool again without any loss.
Amount of loss: $ 7,870,000 Attack method: Same R value signature
Description of the event: The cross-chain bridge ChainSwap announced the details of the theft on its official blog. Assets of a total of 20 projects were stolen, with a total value of approximately US$4 million. The ChainSwap team has reached a consensus with the affected projects and has drawn up and begun implementing a compensation plan. According to the project's investigation, the cause was an error in the token cross-chain quota code. The on-chain swap bridge quota is increased automatically by the signature nodes, with the aim of being more decentralized and free of manual control. However, a logic flaw in the code meant that the quota was also increased automatically for invalid addresses that were not whitelisted.
Amount of loss: $ 4,000,000 Attack method: Token cross-chain quota code error
Description of the event: According to official sources, the DeFi asset management platform DAOventures had 300,000 DVG tokens stolen due to a loophole in the contract of the cross-chain asset bridge ChainSwap. DAOventures stated that it took snapshots of DVG holders and LPs before the attack and that it will compensate the affected token holders. The DAOventures team stated that users' assets in DAOventures are safe. Until the compensation plan is announced, DAOventures reminds users not to purchase or trade DVG for the time being and to follow the team's latest updates.
Amount of loss: 300,000 DVG Attack method: ChainSwap contract vulnerability
Description of the event: According to official sources, the DeFi oracle Umbrella Network had over 3 million UMB tokens stolen due to a loophole in the contract of the cross-chain asset bridge ChainSwap.
Amount of loss: 3,000,000 UMB Attack method: ChainSwap contract vulnerability
Description of the event: Haven Protocol (XHV), a privacy-centric DeFi protocol based on Monero, released analysis reports and measures for three serious attacks against it in late June. A chain rollback plan will be initiated and a hard fork implemented to fix the known vulnerabilities in protocol minting. Regarding the specific attacks: on June 24, 203,000 xUSD and 13.5 xBTC were minted in two attacks; on June 27, an unknown amount of XHV was minted due to a vulnerability in the conversion verification of xAsset; on June 29, the attacker exploited a vulnerability that allowed the minting of 9 million xUSD.
Amount of loss: $ 8,186,549 Attack method: Minting vulnerabilities
Description of the event: The DEX trading tool DEXTools (DEXT) tweeted that it was recently hacked and that some DEXT holders were affected. In response, liquidity has been removed from Uniswap and Pancake and a token swap will take place today (this should refer to the issuance of new tokens); a snapshot has been taken. DEXTools reminds users not to purchase DEXT tokens for the time being, and more detailed measures will be announced soon.
Amount of loss: - Attack method: Unknown
Description of the event: THORChain, a decentralized cross-chain transaction protocol, tweeted that a malicious attack against THORChain had been discovered. THORChain nodes responded with isolation defenses. The capital loss caused by this attack was US$140,000, but THORChain stated that user funds will not be affected. The fund pool will be used to make up for the lost funds. The team stated that the attack path was a logic error in how EthBifrost handled a symbol identical to ETH. THORChain said that it repaired Bifrost within 30 minutes and used node defenses to stop Bifrost and THORNode. The team said it will also invest funds in ongoing code reviews and monitoring.
Amount of loss: $ 140,000 Attack method: False top-up