128 hack event(s)
Description of the event: According to RugDoc, AFKSystem rugged all of their vaults for a combined profit of around $12 million. Although AFKSystem had severely cut its governance authority, it still retained an important privilege: changing the routers that sell the harvested tokens.
Amount of loss: $ 12,000,000 Attack method: Scam
Description of the event: The cross-chain bridge Multichain said that a critical vulnerability affecting six tokens (WETH, PERI, OMT, WBNB, MATIC, and AVAX) had been discovered. The vulnerability has been successfully repaired, all users' assets are safe, and cross-chain transactions will not be affected. However, users who have authorized any of these six assets need to log in as soon as possible to revoke the authorization, otherwise their assets may be at risk. It was later reported that the vulnerability appeared to have been exploited, with more than 450 ETH, worth about $1.43 million, stolen.
Amount of loss: 450 ETH Attack method: Contract vulnerabilities
Description of the event: CityDAO, an Ethereum-based community blockchain city project, posted that the CityDAO Discord administrator account had been hacked. Hackers used the stolen admin account to post fake land airdrop messages and stole 29.67 ETH ($95,000). The attacked administrator, "Lyons800," tweeted that the attack was a "ridiculous security breach from Discord."
Amount of loss: 29.67 ETH Attack method: Discord admin account hacked
Description of the event: According to a tweet from Float Protocol, Float Protocol Pool 90 on Rari Capital was affected by the lack of liquidity behind the Uniswap V3 FLOAT/USDC oracle, which led to severe price manipulation. Approximately $1 million in funds was stolen, leaving about $550,000 in FLOAT/USDC in Uniswap V3. The hackers then returned $250,000 of the stolen funds.
Amount of loss: $ 200,000 Attack method: price manipulation
Description of the event: NFT project Bored Bunny is suspected of being a rug pull. Some netizens said that the 2,000 ETH raised has been transferred out, with some of it sent to Binance. In addition, the same address showed similar behavior 1-2 months ago and is associated with 2 NFT items that almost went to zero. Bored Bunny's Discord has currently disabled posting for everyone in all channels.
Amount of loss: 2,000 ETH Attack method: Scam
Description of the event: Vesper Finance tweeted that its No. 23 lending pool, Vesper Lend beta, launched on the interest rate protocol Fuse, had been attacked again. The attacker manipulated an oracle and drained approximately $1 million in DAI, ETH, WBTC, and USDC from the beta test borrowing pool. This was not an attack on the Vesper contracts, and no VSP or VVSP is threatened. Vesper has disabled borrowing of all tokens in Beta Vesper Lend Rari Pool #23 and switched the oracle from VUSD/USDC to VUSD/ETH (Uni v3). Prior to this, the Vesper Lend pool on Rari Fuse was attacked, and the attacker made a profit of 3 million US dollars.
Amount of loss: $ 1,000,000 Attack method: Manipulate the oracle
Description of the event: SashimiSwap was attacked because of a logical error in the swap function.
Amount of loss: - Attack method: logical error
Description of the event: Uniswap V3 liquidity management protocol Visor Finance was hacked again. Hackers exploited a vulnerability to withdraw more than 8.8 million VISR and sold them on Uniswap, causing the VISR token to plummet by nearly 95%. They profited over 120 ETH, which was laundered through Tornado Cash. According to SlowMist analysis, the attack was due to a flaw in how the RewardsHypervisor contract checks permissions on user deposits, which allowed the attacker to construct a malicious contract and arbitrarily mint staking credentials. Before this, in June, Visor Finance was also hacked and lost more than US$500,000.
Amount of loss: 120 ETH Attack method: Contract vulnerabilities
Description of the event: At 5:21 (UTC+8) on December 15, 2021, the WePiggy-OEC protocol experienced a short-term error in its CHE oracle, which caused the price of CHE in WePiggy to be much higher than the market price and resulted in abnormal liquidations for users who had borrowed CHE. Calculated at the price at the time of the incident, the total loss of user assets is approximately US$400,000.
Amount of loss: $ 400,000 Attack method: Abnormal liquidation
Description of the event: Bent Finance, a staking and yield farming platform, tweeted that a possible vulnerability had been discovered, that claiming has been disabled, and that rewards are currently unavailable. Bent Finance is investigating the Curve LP pool, and users can withdraw funds.
Amount of loss: - Attack method: The contract is implanted with the backdoor code
Description of the event: Gelato was attacked by hackers.
Amount of loss: - Attack method: Unknown
Description of the event: The blockchain game project Vulcan Forged officially tweeted that 148 wallets holding PYR were hacked and more than 4.5 million PYR had been stolen. Then it said: 1. We cannot prevent the attacker from withdrawing funds from the wallet where the PK has been stolen and the funds have not been transferred; 2. We are moving to a fully decentralized wallet setup; 3. All stolen PYR will be compensated by its treasury. The official account also stated that all exchanges have been contacted to blacklist the addresses of the hackers. It seems that the hackers have conducted KYC on one of the exchanges we contacted.
Amount of loss: $ 102,820,974 Attack method: Private key leak
Description of the event: On December 13, the oracle of the DeFi platform Definer was attacked. The incident was caused by a problem in Definer's oracle implementation on OEC: it used the token balance of a single liquidity pool at a single point in time as the price source. The Ethereum implementation uses Chainlink's oracle and does not have this problem.
Amount of loss: 30,765 CHE Attack method: Oracle attack
Description of the event: According to official Discord news, the decentralized organization Badger DAO was attacked by hackers, and user assets were transferred without authorization. According to the developer's initial inventory of damaged assets, 136,000 bcvxCRV, 64,000 bveCVX, 38 ibBTC/sBTC, 13 bibBTC/sBTC, and 19 DIGG have been lost in this incident. All transactions are currently suspended.
Amount of loss: $ 120,000,000 Attack method: Front end is attacked
Description of the event: Visor Finance, the DeFi liquidity protocol based on Uniswap V3, was attacked by hackers again.
Amount of loss: $ 975,720 Attack method: Flash loan attack
Description of the event: DeFi derivatives protocol dYdX released an investigation report on the deposit contract incident on November 27, stating that there had been a serious vulnerability in the proxy smart contract that had been handling deposits to the dYdX exchange since November 24. At around 12:00 UTC on the 27th, the dYdX team performed a white hat hacking operation to rescue vulnerable user funds, totaling approximately US$2 million. These funds were sent to a non-custodial escrow contract, and only the original owners of the funds can retrieve them. However, while the dYdX team was performing the white hat operation, an estimated $211,000 of funds was taken by an MEV bot; the affected users have now been fully compensated.
Amount of loss: $ 211,000 Attack method: Contract vulnerabilities
Description of the event: The DeFi protocol Formation.Fi was attacked.
Amount of loss: $ 100,000 Attack method: Decimal point check problem
Description of the event: Users who provided USDM liquidity on the stablecoin exchange protocol Curve suffered losses due to a "governance attack" by Mochi, the protocol behind the USDM stablecoin. Curve has taken emergency action to avoid wider losses. Previously, the Mochi team purchased Convex's CVX tokens, voted to increase the USDM pool rewards in order to attract more liquidity for USDM and other assets, and then, once liquidity had increased, converted a large amount of the team's own USDM tokens into DAI. In total, the team exchanged 46 million USDM for DAI. Based on the USDM to DAI exchange rate, the losses to users who provided liquidity for USDM against other stablecoins may be close to 30-40 million U.S. dollars.
Amount of loss: $ 30,000,000 Attack method: Use Convex to launch a governance attack on Curve
Description of the event: According to official sources, the No. 23 lending pool, Vesper Lend beta, on the DeFi protocol Rari Fuse was attacked. The attacker consumed a large amount of VUSD liquidity in Uniswap v3 and created a VUSD/USDC liquidity pool to manipulate the oracle's VUSD price feed and raise the VUSD price. After borrowing a large amount of assets on Vesper Lend, the attacker's final profit was 3 million US dollars. Vesper has officially suspended borrowing of VUSD and vVSP on the Rari Fuse platform and is working closely with Rari, Year and Uniswap to investigate the full impact of the attack. The investigation results and response measures will be updated in the future.
Amount of loss: $ 3,000,000 Attack method: Manipulate the oracle
Description of the event: According to a report from The Block, the DeFi lending protocol Cream Finance was attacked and lost approximately US$130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens. This is reported to be the third largest DeFi hack in history (although in the two larger incidents the funds were returned). In addition, Cream Finance has suffered multiple flash loan attacks before, losing 37.5 million US dollars in February and another $19 million.
Amount of loss: $ 130,000,000 Attack method: Flash loan attack