ETH DApp : 69 hack event(s)

• 2021-03-19

  Hacked target: SIL.Finance

  Description of the event: DeFi gathers reasonable financial services SIL.Finance contract has high-risk loopholes. Later, SIL.Finance issued an article saying that the incident was caused by a vulnerability in the smart contract permissions, which in turn triggered a general preemptive trading robot to submit a series of transactions for profit. After discovering that the smart contract could not be withdrawn due to high-risk loopholes, after 36 hours of efforts such as SlowMist, it has successfully recovered USD 12.15 million.SIL.Finance stated that if any user assets are damaged in this incident, the team decided to use its own funds to launch a compensation plan: all users who suffered losses will receive 2 times the compensation, which will be issued in SIL.

  Amount of loss: 0 Attack method: Permission vulnerability

• 2021-03-17

  Hacked target: Iron Finance

  Description of the event: Recently, Iron Finance, a stablecoin mortgage platform based on Binance Chain, was attacked. Two vFarm liquidity pools (50% IRON—50% SIL pool; 50% IRON—50% BUSD pool) lost a total of 170,000 US dollars. Later, the official publication of the incident stated that: 1. The cause of the attack was due to the upgrade of the cloud service (FaaS) and the change in the reward rate integer, but the official team was not aware of the problem. Later, an attacker made a profit of 170,000 U.S. dollars by selling all the local token SIL rewards. 2. The Iron Finance smart contract has no loopholes. 3. vFarms will be restarted on March 18th, and SIL tokens will be restarted to sIRON. 4. Users should not sell or exchange IRON tokens for the time being. When the new pool is restarted, the full amount of BUSD can be redeemed. The Iron Finance agreement was launched on the BSC in early March. The IRON stablecoin is pegged to the U.S. dollar, partly backed by collateral such as BUSD and USDT, and partly backed by the SIL algorithm.

  Amount of loss: $ 170,000 Attack method: Change the reward rate integer

• 2021-03-15

  Hacked target: 多个 DeFi 协议

  Description of the event: Many DeFi protocol websites on BSC (Binance Smart Chain) were attacked by DNS, including Cream Finance and BSC header DEX PancakeSwap. The attacker requested users to submit personal private keys or mnemonics through the website. The relevant project team has passed Twitter Remind users not to visit the website and do not submit information such as private keys. Later PancakeSwap and Cream Finance both stated that they had regained access to DNS.

  Amount of loss: 0 Attack method: DNS attack

• 2021-03-05

  Hacked target: Curve

  Description of the event: Curve Finance tweeted that a vulnerability was found in the Pool Factory v1 version of the fund pool, and it is recommended that v1 users use crv.finance to withdraw funds immediately. Curve.fi and Pool Factory v2 fund pools do not respond. But it only affects the v1 pool, and hackers cannot use it to steal user funds.

  Amount of loss: 0 Attack method: Vulnerability

• 2021-03-04

  Hacked target: Meerkat Finance

  Description of the event: It is said that the official community information of Meerkat Finance shows that its vault contract was hacked, and the hacker used the intrusion to steal all the funds in the vault.

  Amount of loss: $ 31,000,000 Attack method: Scam

• 2021-02-28

  Hacked target: Furucombo

  Description of the event: The agent of the DeFi platform Furucombo was attacked and the amount stolen amounted to more than 15 million U.S. dollars. The DeFi aggregation platform Furucombo officially released a tweet, saying: "The root cause has been found and the vulnerability has been patched. The funds are now safe. We are investigating the stolen funds and organizing follow-up actions. The follow-up will continue to be updated."Later, Furucombo stated that it would issue 5 million iouCOMBO tokens to affected users

  Amount of loss: $ 15,000,000 Attack method: Over-authorization

• 2021-02-28

  Hacked target: Armor

  Description of the event: DeFi Insurance Agreement The Armor team claimed that some team members were scammed by OTC and were defrauded of 1.2 million ARMOR tokens. The scammers have already dumped all tokens for a profit of 600 ETH (approximately US$850,000). The Armor team disclosed that the scammers pretended to be strategic investors on social media, falsely claiming to purchase tokens from the team through OTC, defrauded 1.2 million ARMOR tokens in OTC transactions, and then sold them. According to the Armor team, "No hacking, the project is still safe."

  Amount of loss: $ 850,000 Attack method: OTC Scam

• 2021-02-27

  Hacked target: Yeld.finance

  Description of the event: The DAI pool of Yeld.finance, the DeFi revenue aggregator, was attacked by a lightning loan, resulting in a loss of 160,000 DAI, involving more than 10 users. Tether, TrueUSD and USDC were not affected. According to reports, Yeld’s problem is consistent with the previous Yearn.Finance DAI pool vulnerability problem. The official also stated that the affected users will be repaid with tokens, which will be rewarded with income from the DAI pool to make up for some of their losses. Later, Yeld.finance officially stated that the 160,000 DAI caused by the lightning loan attack has been returned. This event is suspected to be the work of a white hat, and the official will further update the details.

  Amount of loss: 0 Attack method: Unknown

• 2021-02-22

  Hacked target: Primitive Finance

  Description of the event: A serious loophole has been discovered in the Primitive Finance smart contract on the Ethereum chain options agreement. Since the contract cannot be upgraded or suspended, the official chose to hack the smart contract to protect user funds. The hacked funds are safe. All hacked funds will be returned to their owners. The official said that the post-mortem analysis of the vulnerability, the timetable for actions taken to protect user funds, and the next step to immediately return user funds will be introduced soon.

  Amount of loss: 0 Attack method: Smart contract vulnerabilities

• 2021-02-13

  Hacked target: Cream.Finance

  Description of the event: Defi Cream.Finance officials tweeted that the protocol may have been used by hackers, and the developers are fully investigating. According to EtherScan data, hackers stole 13,244.63 pieces of ETH. The hackers then transferred 1000 ETH to each of the Cream.Finance and Alpha.Finance developer authentication addresses. The rest of the stolen money goes into the A3CRV Gauge pool of Defi mixtures Tornado.Cash and Curve.Finance.

  Amount of loss: 13244.63 ETH Attack method: Flash loan attack

• 2021-02-09

  Hacked target: BT.Finance

  Description of the event: DeFi revenue aggregator BT.Finance tweeted, "It was hacked. The attacked strategies include ETH, USDC and USDT. Other strategies are not affected. BT.Finance withdrawal fee protection has reduced the loss of this attack by nearly 140,000 US dollars." BT.Finance expressed the hope that hackers can return the funds and will use BT tokens to thank its bug test. According to ICO Analytics, the affected funds are approximately US$1.5 million.

  Amount of loss: $ 1,500,000 Attack method: Flash Loan Attack

• 2021-02-05

  Hacked target: YFI

  Description of the event: Yearn v1 yDAI vault was attacked and the attackers stole 2.8 million US dollars. Banteg, the core developer of Yearn finance, subsequently stated that the attacker received 2.8 million US dollars and vault lost 11 million US dollars. During the investigation period, deposits into v1 DAI, TUSD, USDC, USDT vault will be prohibited. "

  Amount of loss: $ 11,000,000 Attack method: Flash Loan Attack

• 2021-02-01

  Hacked target: Multi Financial

  Description of the event: It is said that Binance Smart Chain investors reported that on February 1, another "earth dog" project, Multi Financial, ran away on BSC, and it took about 5000 BNB in ​​just one day. The compromised investor stated that it had reported that Binance had blocked the address of the project party and reported to the police. Recently, there have been many running incidents on BSC. The popcornswap project has approached 48,000 BNB. In a few days, three other projects (Zap Finance and Tin Finance, SharkYield) ran away. The current SharkYield ran away is suspected to have taken away 6000 BNB. Binance said that BSC is the same public chain as Ethereum and should not be responsible for the above projects. It hopes that users will manually intervene in investment and select high-quality projects to participate.

  Amount of loss: 5000 BNB Attack method: Scam

• 2021-01-31

  Hacked target: popcornswap

  Description of the event: Weibo user "Super Bitcoin" stated that another DeFi mine popcornswap on the Binance Smart Chain has gone. It is reported that some users said in the community that the project used cake's LP, the contract was open source but there was no audit, and the LP was run in less than two hours. Currently, there are more than 40,000 BNB in ​​the wallet and no action is taken.

  Amount of loss: 48000 BNB Attack method: Scam

• 2021-01-27

  Hacked target: refi.finance

  Description of the event: Weibo user “CryptoBlanker” broke the news: the refi.finance project party directly used the reserved setBoardroom() function to change the Boardroom address to the address it deployed. Light BAS was taken away 2,600, worth 111 ETH (about 144,000 US dollars).

  Amount of loss: 111 ETH Attack method: Scam

• 2021-01-27

  Hacked target: SushiSwap

  Description of the event: On January 27, 2021, according to SlowMist Zone Intelligence, SushiSwap was attacked again.

  Amount of loss: 81 ETH Attack method: Manipulate the initial transaction price

• 2020-12-28

  Hacked target: Cover Protocol

  Description of the event: Twitter netizens said that due to a loophole in the award contract, the coverage agreement lost $3 million. Conversion, the data on the chain shows that attackers (0xf05Ca...943DF) have used the cover contract to issue a total of about 10,000 COVER, and have replaced them with assets such as WBTC and DAI. Later, the blockchain browser showed that the attacker (address label Grap Finance: Deployer) who made a profit of 3 million US dollars by issuing additional COVER returned 4350 ETH to the address labelled YieldFarming.insure: Deployer. CoverProtocol officially tweeted announcing that it will provide a new COVER token based on the snapshot before the breakthrough was repeated. And the 4350 ETH returned by the attacker will also be returned to LP token holders through snapshot processing. The official said that it is still under investigation and do not buy COVER.

  Amount of loss: $ 3,000,000 Attack method: Contract vulnerability

• 2020-12-18

  Hacked target: Warp Finance

  Description of the event: DeFi portal DefiPrime said on Twitter this morning that at 06:34 on December 18th, Beijing time, the liquidity LP token mortgage loan DeFi agreement Warp Finance suffered a lightning loan attack and about 8 million US dollars were stolen. In addition, Warp Finance officials also tweeted that they are investigating illegal stablecoin loans that were lent in the last hour, and recommend not to deposit stablecoins until the official finds out the violation.Afterwards, Warp Finance issued a statement regarding the lightning loan attack. It is said that lightning loan attackers can steal up to US$7.7 million worth of stablecoins, but the Warp Finance team has formulated a plan to recover approximately US$5.5 million worth of stablecoins still in the mortgage vault. The US$5.5 million will be The proportion is distributed to users who have suffered losses.

  Amount of loss: $ 7,700,000 Attack method: Flash Loan Attack

• 2020-12-14

  Hacked target: 以太坊 DeFi 空间

  Description of the event: Last Friday, there were 3 scams in the Ethereum DeFi space, causing a total of 1.2 million US dollars in losses to unfortunate investors. These scams make people participate in "pre-sales", but when the project needs to release the tokens that investors bought in the pre-sale, these funds go into an external wallet and are sold. The projects that perform these operations are DeFiB, iBase/YFFS and DeTrade Fund. According to reports, DeTrade Fund was the biggest scam last Friday. The platform allowed any user to make a profit by investing money in its arbitrage system and defrauded more than 1,400 Ethereum raised in the pre-sale. Twitter user Artura discovered that DeTrade Fund is actually run by Lithuanians. Soon after Artura tweeted, the affiliated address of the scam distributed hundreds of Ethereum to pre-sale participants, and the returned funds accounted for about 65-70% of the initial stolen funds. DeFiB also issued a "partial refund". However, the hundreds of thousands of dollars worth of Ethereum that investors invested in iBase/YFFS has not been returned.

  Amount of loss: $ 1,200,000 Attack method: Scam

• 2020-12-01

  Hacked target: Compounder.Finance

  Description of the event: At 3 pm on December 1, Beijing time, the CertiK security technical team discovered through Skynet that the Compounder.Finance project was located at the address 0x0b283b107f70d23250f882fbfe7216c38abbd7ca with multiple large transactions. After verification by the CertiK security technical team, it was found that these transactions were internal operations by the owner of the Compounder.Finance project, and a large number of tokens were transferred to their account. According to statistics, Compounder.Finance eventually lost a total of 80 million yuan worth of tokens.

  Amount of loss: $ 80,000,000 Attack method: Project owner internal operations

• 2020-11-30

  Hacked target: Saffron Finance

  Description of the event: DeFi asset mortgage platform Saffron Finance issued an announcement stating that Epoch 1 redemption errors caused by contract loopholes resulted in 50 million DAI deposits deposited by Epoch 1 being locked for 8 weeks. The team is currently working on an emergency fix to solve this problem and will transition to Epoch 2. Saffron Finance is a DeFi asset mortgage platform released by an anonymous team. The token is SFI, allowing liquidity providers to select customized risk exposures to obtain returns. In each cycle, users can choose different risk-return combinations (A, AA, S) on Saffron to provide liquidity. A cycle of 14 days (LP locks within 14 days). After the cycle ends, users can remove liquidity and obtain Interest and prorated SFI.

  Amount of loss: $ 50,000,000 Attack method: Epoch 1 redemption errors

• 2020-11-30

  Hacked target: SushiSwap

  Description of the event: The liquidity mining project SushiSwap (SUSHI) community governor 0xMaki announced in the Discord group that the SushiSwap vulnerability has been fixed, and the lost funds (approximately US$10,000) will be compensated from the SUSHI asset library. Previously, SushiSwap was attacked by a liquidity provider. The attacker obtained between 10,000 and 15,000 US dollars in a transaction. However, after this operation was discovered by 0xMaki, 0xMaki sent a transaction to the attacker with a message saying "I found you and we are working hard to fix it. Contact me on Discord to get bug bounty-0xMaki".

  Amount of loss: $ 15,000 Attack method: Unknown

• 2020-11-30

  Hacked target: Rari Capital

  Description of the event: DeFi robo-advisor Rari Capital released an official Twitter saying that contract vulnerabilities have been fixed with the cooperation of Quantstamp and no funds have been lost. Previously, due to loopholes in the RGT Distributor contract, RGT token application and deposit and withdrawal operations have been suspended. Rari Capital is currently reviewing the code update to confirm that there are no other vulnerabilities in the entire code.

  Amount of loss: 0 Attack method: Unknown

• 2020-11-26

  Hacked target: Compound

  Description of the event: Compound's price feed error caused the liquidation of $90 million in assets. According to DeBank founder hongbo, the huge liquidation of Compound was caused by the dramatic fluctuations in the DAI price of the oracle information source Coinbase Pro. It is a typical oracle attack to manipulate the information source that the oracle relies on to perform short-term price manipulation to achieve misleading prices on the chain.

  Amount of loss: 0 Attack method: Feed error

• 2020-11-22

  Hacked target: Pickle Finance

  Description of the event: The DeFi protocol Pickle Finance lost nearly $20 million in DAI in a loophole on Saturday. The exploit involves Pickle Finance's DAI pJar product, which uses the Compound protocol to reap revenue through DAI deposits. The funds from the vulnerability have been transferred to the address 0x70178102AA04C5f0E54315aA958601eC9B7a4E08, which is the current location of the vulnerability. It is not yet clear why this vulnerability occurred.

  Amount of loss: $ 20,000,000 Attack method: Unknown

• 2020-11-19

  Hacked target: 88mph

  Description of the event: The DeFi fixed-rate generation agreement 88mph (MPH) disclosed the processing progress of "attackers exploiting the vulnerability to mint US$100,000 MPH tokens" and has completed testing the ETH airdrop user interface activities. Currently, liquidity providers can claim the website (88mph.app/ claim-eth) Claim your own ETH. 88mph will redeploy MPH later and then distribute it. Chain Wen previously reported that on November 18, an attacker used the vulnerability to obtain $100,000 in MPH tokens. Afterwards, 88mph discovered a vulnerability in MPHMinter, the MPH token minting contract, which could allow potential attackers to steal all ETH in the Uniswap fund pool. With the help of the well-known white hat samczsun, ETH has been withdrawn into the governance multi-signature, so all funds are safe. In addition, 88mph stated that because the attacker placed $100,000 in the LP pool (liquid capital pool), the funds have been transferred to the governance wallet, and they have decided to allocate these funds to generations including MPH and ETH. Coin holders.

  Amount of loss: 0 Attack method: Unknown

• 2020-11-17

  Hacked target: OUSD

  Description of the event: Matthew Liu, co-founder of Origin Protocol (OGN), a decentralized sharing economy protocol, wrote an article to disclose the details of the lightning loan attack on the US dollar stable currency Origin Dollar (OUSD). So far, the attack has caused about 7 million U.S. dollars in losses, including more than 1 million U.S. dollars deposited by Origin and its founders and employees. Currently, Origin is determining the cause of the vulnerability and whether it can recover the funds. Origin reminded, "Vault deposits are currently disabled. Please do not purchase OUSD on Uniswap or Sushiswap."

  Amount of loss: $ 7,000,000 Attack method: Flash Loan Attack

• 2020-11-16

  Hacked target: Cheese Bank

  Description of the event: Cheese Bank, a decentralized autonomous digital banking platform based on Ethereum, suffered a loss of USD 3.3 million due to a hacker attack. Hackers conducted a series of malicious lending operations on platforms such as dYdX and Uniswap by using automatic market maker (AMM)-based oracles, resulting in a total loss of over US$3.3 million, including US$2 million in USDC.

  Amount of loss: $ 3,300,000 Attack method: Flash Loan Attack

• 2020-11-14

  Hacked target: Value DeFi

  Description of the event: The Value DeFi protocol was attacked by a flash loan on Saturday. It is reported that the attacker borrowed 80,000 ETH from the Aave protocol, executed a lightning loan attack, and arbitrage between DAI and USDC. After the attacker used $7.4 million DAI, he refunded $2 million to Value DeFi and retained $5.4 million. In addition, the attacker left a mocking message to the Value DeFi team: "Do you really understand lightning loans?" Value DeFi claimed on Twitter on Friday that it has the function of preventing lightning loan attacks. After inquiry, the tweet no longer exists. Subsequently, the Value DeFi team tweeted to confirm that its MultiStables vault had been subjected to "a complex attack with a net loss of 6 million US dollars." It is currently conducting post-event analysis and is exploring ways to reduce the impact on users. According to CoinGecko's market data, its VALUE token has now fallen below US$2 and temporarily reported US$1.98, a 24-hour drop of 28.5%.

  Amount of loss: $ 6,000,000 Attack method: Flash Loan Attack

• 2020-11-13

  Hacked target: Akropolis

  Description of the event: Hackers took advantage of the storage asset verification flaws in the Akropolis project to launch multiple consecutive reentry attacks on the contract, causing the Akropolis contract to issue a large number of pooltokens out of thin air without new asset injection, and then use these pooltokens from YCurve and Withdrawal of DAI from the sUSD pool eventually led to the loss of 2.03 million DAI in the project contract.

  Amount of loss: $ 2,030,000 Attack method: Reentry attack

• 2020-11-04

  Hacked target: PercentFinance

  Description of the event: DeFi lending platform PercentFinance wrote in a blog on November 4 that some currency markets encountered problems that could cause users' funds to be permanently locked. The team frozen currency markets specifically for USDC, ETH, and WBTC. A total of 446,000 USDC, 28 WBTC and 313 ETH have been frozen, valued at approximately US$1 million. The article stated that half of these fixed funds belonged to PercentFinance's "community improvement team." Withdrawals in other markets have already begun, but the team urges users not to borrow money from any of PercentFinance's markets during this period. It is reported that PercentFinance is a fork of Compound Finance.

  Amount of loss: $ 1,000,000 Attack method: Unknown

• 2020-11-02

  Hacked target: Axion Network

  Description of the event: Cointelegraph reported that on November 2, a project called Axion Network launched the token AXN and was hacked a few hours after it was hacked. 79 billion AXN were minted and sold to the market. The token price was almost zero. The hacker made a profit of 1,300 ETH, or about $500,000.

  Amount of loss: $ 500,000 Attack method: Using the unstake function of the Axion Staking contract, we managed to mint approximately 80 billion AXN tokens

• 2020-10-26

  Hacked target: Harvest Finance

  Description of the event: Data on the chain shows that a large amount of funds in the Harvest Finance fund pool were transferred, and about 24 million US dollars （Specifically, approximately USD 34 million）were successfully cashed out through multiple contract transactions, most of which were cashed out through renBTC. The initial ETH source used by the hacker this time was the Ethereum anonymous transfer platform Tornado.cash. The Hash for this operation is: 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877. It can be seen from the Ethereum browser that the hacker transferred 20 WETH to the Harvest Finance contract (address: 0xc6028a9fa486f52efd2b95b949ac630d287ce0af), and finally transferred the 20 ETH back to his address. Harvest Finance updated its Twitter saying that, like other arbitrage economic attacks, this time it originated from a huge flash loan and manipulated the price of one currency Lego (Curve y Pool) many times to deplete another currency Lego (fUSDT, fUSDC) Of funds. The attacker then converted the funds into renBTC and cashed out. Like other lightning loan attacks, the attacker did not give a response time, and attacked end-to-end for 7 minutes. The attacker returned $2,478,549.94 to Deployer in the form of USDT and USDC. On December 7, Harvest Finance officially announced the launch of GRAIN, USDC and USDT claim portals. Officials said that according to the previous hacker's refund of $2.5 million in funds, this reduced user losses to 13.5%. Officials are using USDC, USDT, and GRAIN tokens for mixed compensation to help users who were previously affected by the attack to make claims. Users will receive GRAIN tokens in proportion to their deposits, and the $2.5 million returned by hackers will be distributed proportionally.

  Amount of loss: $ 33,800,000 Attack method: Flash Loan Attack

• 2020-10-12

  Hacked target: WLEO

  Description of the event: The WLEO contract of the Ethereum project was hacked late yesterday, resulting in the theft of $42,000 worth of funds. The hackers stole Ethereum from the pool of the decentralized exchange Uniswap by casting WLEO to themselves and replacing it with Ethereum. After the hacker attack, the price of WLEO dropped by 99%.

  Amount of loss: $ 42,000 Attack method: Casting WLEO

• 2020-10-10

  Hacked target: UniCats

  Description of the event: Encrypted wallet ZenGo researcher Alex Manuskin revealed that UniCats, a so-called "yield farming platform" based on the Ethereum network, is suspected of stealing at least $200,000 in encryption from several users, including the governance token UNI of the decentralized financial platform Uniswap assets. A backdoor in the smart contract allows UniCats to retain control of its user tokens even if these tokens have been withdrawn from the user pool. Previous attacks against Bancor also used similar vulnerabilities.

  Amount of loss: $ 200,000 Attack method: Scam

• 2020-10-08

  Hacked target: DeFi Saver

  Description of the event: The decentralized wallet imToken tweeted that users reported that 310,000 DAI had been reduced, which conflicted with DeFi Saver Exchange. imToken recommends that the automated management system of collateralized bond warehouses (CDP) imi stated that its security team is investigating the incident and trying to troubleshoot all user wallets that hit and issue warnings. DeFiSaver responded that this part of the funds is safe and is contacting users. DeFiSaver admitted that this was related to the foreign exchange benefits reported in June.

  Amount of loss: 310,000 DAI Attack method: Exchange leak

• 2020-09-29

  Hacked target: Eminence

  Description of the event: According to bluekirbyfi twitter messages, yearn. Finance founder Andre Cronje, launched the game project Eminence (EMN) encounter "Flash" attack, hackers will return $8 million of funds to the yearn deployer contracts. Officials are investigating the situation and will redistribute the $8 million hit.

  Amount of loss: 0 Attack method: Flash Loan Attack

• 2020-09-26

  Hacked target: GemSwap

  Description of the event: On September 26, the SushiSwap imitation project named GemSwap was exposed and LP was taken away. The query found that the project posted a tweet at around 15:00 today and revealed that it was attacked by the developer of "whatitdobb". It is understood that the project completed the liquidity migration earlier today, but the developer who initiated the attack had The relevant permission was obtained and the tokens in the liquidity pool were able to be taken away. The specific losses caused by this attack are currently unclear.

  Amount of loss: 0 Attack method: Developer attack

• 2020-09-20

  Hacked target: Soda

  Description of the event: The financial blogger "Super Bitcoin" stated on Weibo that Mr. Huai (weibo username "crash X") participated in the liquidity mining project Soda, and suddenly discovered a loophole in which 20,000 ETH can be directly liquidated Drop. But he chose to tell the development team, but the development team did not pay attention. He had no choice but to liquidate an ETH, and sent a Weibo warning to inform the developers of the existence of this bug. One hour later, the parties to the Soda agreement responded by prompting the borrower to repay and the mortgager to withdraw, and at the same time indicated that they would fix the loopholes and suspend the front-end borrowing function. But as of the early morning of September 21st, more than 400 ETH in Soda's mortgage loan pool were still maliciously liquidated. In the morning of the same day, the agreement officially stated on Twitter that the vulnerability has been fixed, and the newly deployed smart contract is expected to take effect at 21:00 on September 22.

  Amount of loss: 446 ETH Attack method: Unknown

• 2020-09-20

  Hacked target: LV Finance

  Description of the event: According to the intelligence of the SlowMist Zone, the LV Finance project of the Ethereum mining project is suspected of running away within an hour and 4 million have been transferred away. Unlike previous projects, the project used fake audit websites and provided false audit information to trick investors into doing business. Invest and run away when the amount in the fund pool is large enough after a period of time. Currently, the project website lv.finance is no longer accessible.

  Amount of loss: $ 4,000,000 Attack method: Ponzi

• 2020-09-19

  Hacked target: Bantiample

  Description of the event: The Bantiample team, a project on the Binance Smart Chain, has cashed out 3000 BNB to run away. At present, the main developer of the team has deleted the Telegram account, and the project token BMAP has fallen by more than 90% in a single day. According to the project's description, BMAP is a kind of AMPL-like imitation. Every time a user participates in a transaction, the total amount is reduced by 1%. However, it is actually just a common token, and it does not have the functions described by the project party. It just uses the AMPL project hotspot to commit fraud.

  Amount of loss: 3,000 BNB Attack method: Fraud

• 2020-09-14

  Hacked target: bZx

  Description of the event: bZx officially tweeted that at 3:28 am Eastern time (15:30, September 13th, Beijing time), we began to study the decline in TVL of the agreement. By 6:18 AM EST (18:30, September 13th, Beijing time), we confirmed that several iTokens had repeated incidents. Lending is temporarily suspended. The duplicate method has been patched from the iToken contract code, and the agreement has resumed normal operation. According to the information of the founder of Compound, there are a total of US$2.6 million in LINK, US$1.6 million in ETH, and US$3.8 million in stablecoins, with a total of US$8 million in assets affected. 1inch co-founder Anton Bukov tweeted that the attacker had stolen about 4,700 ETH in this incident and attached the address of the stolen funds. In response, bZx said that the funds are currently not at risk. The funds listed have been deducted from our insurance fund. On September 16, bZx released an iToken repeat incident report, and the attacker has returned all funds.

  Amount of loss: $ 8,000,000 Attack method: Duplicate funding acquisition

• 2020-09-10

  Hacked target: SYFI

  Description of the event: Amplify, a user of DeFi, discovered a bug in SYFI, a smart contract for DeFi, and made 747 ETH on a single transaction, but from other users. The project crashed.

  Amount of loss: 747 ETH Attack method: Unknown

• 2020-09-09

  Hacked target: Soft Finance

  Description of the event: A user with a Twitter account named Amplify revealed that he made a profit of US$250,000 from a system vulnerability in the new DeFi project Soft Finance.

  Amount of loss: $ 250,000 Attack method: Unknown

• 2020-08-28

  Hacked target: Degen.Money

  Description of the event: Twitter users reported that DeFi's liquidity mining project Degen.Money exploited a double approval vulnerability to get users' Money. The first authorization gives the pledge contract, and the second authorization gives the right to transfer money, which will result in the user's funds being taken away by the attacker. YFI founder Andre Cronje says the project does have risks.

  Amount of loss: 0 Attack method: double approval

• 2020-08-25

  Hacked target: YFValue

  Description of the event: The DeFi project YFValue (YFV) officially released an announcement stating that the team found a loophole in the YFV pledge pool yesterday, and malicious participants used the vulnerability to reset the YFV timer in the pledge separately. There is a risk of being locked in $170 million in funds. Currently, a malicious participant is trying to blackmail the team using this vulnerability.

  Amount of loss: $ 170,000,000 Attack method: Reset the YFV timer in the pledge separately

• 2020-08-14

  Hacked target: BASED

  Description of the event: The DeFi liquidity farming anonymous project BASED officially announced that it would redeploy the pledge pool. The official tweeted that a hacker tried to freeze "Pool1" permanently, but the attempt failed, and "Pool1" will continue as planned. The mortgage funds and BASED tokens are currently safe.

  Amount of loss: 0 Attack method: Unknown

• 2020-08-13

  Hacked target: YAM

  Description of the event: On August 13, 2020, the well-known Ethereum DeFi project YAM officially posted on Twitter that it found loopholes in the contract. The price plummeted by 99% within 24 hours, resulting in the “permanent destruction” of the governance contract. Curve tokens worth 750,000 USD It is locked and cannot be used.

  Amount of loss: $ 750,000 Attack method: Unknown

• 2020-08-04

  Hacked target: Opyn

  Description of the event: On-chain options platform Opyn disclosed that its Ethereum put options were maliciously used by external participants. Opyn pointed out that all other Opyn contracts except Ethereum put options are not affected by this vulnerability. The attacker doubled the use of oToken and stole the pledged assets of the put option seller. According to Opyn statistics, a total of 371,260 USDC has been stolen so far. The Opyn team conducted a white hat hacking attack based on the Convexity Protocol and successfully recovered 439,170 USDC from the unpaid vault to further reduce the loss. Currently, the Opyn team has withdrawn its liquidity from Uniswap's Ethereum bearish capital pool and is investigating the situation.

  Amount of loss: 371,260 USDC Attack method: Double use oToken

• 2020-07-01

  Hacked target: VETH

  Description of the event: Coingecko researcher Daryllautk tweeted that VETH suffered a hacker attack on the decentralized exchange Uniswap. The hacker stole 919,299 VETH (worth $900,000) using only 0.9ETH. After the attack, VETH officially stated that the contract was used by the UX improvement it placed in transferForm(), which was their fault. They will redeploy vether4 and will compensate all affected Uniswap pledgers.

  Amount of loss: $ 900,000 Attack method: Unknown

• 2020-06-30

  Hacked target: Balancer

  Description of the event: According to DeBank Twitter, hackers once again used dYdX's lightning loan to attack the COMP trading pair in Balancer's part of the liquidity pool, and took away the unreceived COMP rewards from the pool to make a profit of 10.8 ETH, which is about $2408.

  Amount of loss: $ 2,408 Attack method: Flash Loan Attack

• 2020-06-29

  Hacked target: Balancer

  Description of the event: The Balancer liquidity pool was attacked by Lightning Loan and lost $500,000. The two losses suffered by Balacer are STA and STONK. At present, the liquidity of these two token pools has been exhausted. Both STA and STONK tokens are deflation tokens, which means that this attack only affects the liquidity pool of deflation tokens.

  Amount of loss: $ 500,000 Attack method: Unknown

• 2020-06-25

  Hacked target: Web3 DeFi

  Description of the event: The malicious Web3 applications "phishing dapps" were discovered in a recent study, they pretend to be legitimate applications or services to steal cryptocurrencies. For example, since MakerDAO officially closed the single-mortgage Sai system, such phishing tools have begun to appear, and they pretended to need a new tool to help users migrate from SAI to DAI. For example, a domain name provides a simple interface to start the migration from SAI to the new DAI at a 1:1 ratio, it seems like an official channel. However, the actual transaction to be signed simply sends the SAI to an address owned by the attacker. SAI, which has been traced to more than US$100,000, was transferred to the attacker's account.

  Amount of loss: $ 100,000 Attack method: phishing attack

• 2020-06-24

  Hacked target: Atomic Loans

  Description of the event: Atomic Loans, issued a decision on vulnerability disclosure and suspension of new loan requests. The decision shows that the security researcher samczsun privately disclosed two vulnerabilities in the currently deployed contracts and lender agents.oth vulnerabilities would've allowed a malicious borrower to unlock part/ all of their BTC collateral without repaying their loan in specific circumstances. Up to now, neither of these vulnerabilities were exploited by any users, and there were no funds impacted on the platform. Additionally the platform has disabled the ability for any borrower or lender to participate in new loans until they launch v2.

  Amount of loss: 0 Attack method: Unknown

• 2020-06-23

  Hacked target: DDM

  Description of the event: The official DeFi money market agreement DMM Twitter said that during $DMG public sale today, its telegram was unfortunately brigaded by malicious actors who impersonated the DMM Foundation with sole the intent of stealing funds. After digging through the on-chain transactions to find those affected, the official sent a total of $40k worth of DMG to those affected at an exchange rate of $0.40 per DMG, hoping to make sure everyone who lost funds were made whole.

  Amount of loss: $ 4,0000 Attack method: Unknown

• 2020-06-18

  Hacked target: Bancor

  Description of the event: Due to the unverified safeTransferFrom () function in the new Bancor network contract, user funds are about to be depleted. The Bancor team stated: 1. A security vulnerability was discovered in the new Bancor Network v0.6 contract released two days ago; 2. After the vulnerability was discovered, the team conducted a white hat attack to transfer funds to a secure address; 3. The audit of the smart contract has been completed.But there are still $135,229 preemptively traded by two unknown arbitrage robots.

  Amount of loss: $ 135,229 Attack method: Unknown

• 2020-05-18

  Hacked target: tBTC

  Description of the event: The tBTC team suspected it had found a major contract vulnerability, and it suspended the recharge service and re-audited it urgently. tBTC is an ERC-20 token that does not require trust and is guaranteed by redeemable BTC.

  Amount of loss: - Attack method: Unknown

• 2020-04-25

  Hacked target: Hegic

  Description of the event: Hegic: There are 152.2 ETH (about 28,537 USD) permanently locked in the contract pool of unexercised put / call options. Out of the 19 contracts, 16 are put options (DAI is locked) and 3 are call options (ETH is locked). Hegic said it will process a 100% refund for all involved users.

  Amount of loss: $28,537 Attack method: Unknown

• 2020-04-19

  Hacked target: Lendf.Me

  Description of the event: DeFi lending protocol Lendf.Me was hacked.

  Amount of loss: $24,696,616 Attack method: ERC777 Reentrancy Rick

• 2020-04-18

  Hacked target: Uniswap

  Description of the event: Uniswap was hacked and lost 1278 ETH.

  Amount of loss: $220,000 Attack method: ERC777 Reentrancy Rick

• 2020-03-12

  Hacked target: MakerDao

  Description of the event: Due to the congestion of Ethereum, the gas soared, and the liquidated ETH was sold at a price of 0 US dollars using the MakerDao auction loophole.

  Amount of loss: $ 7,900,000 Attack method: Abnormal liquidation mechanism

• 2020-02-18

  Hacked target: bZx

  Description of the event: bZx was attacked again with an estimated loss of $645,000 of ETH

  Amount of loss: $645,000 Attack method: The defect of risk control in economic model

• 2020-02-15

  Hacked target: bZx

  Description of the event: DeFi lending protocol bZx exploited, may lose up to $350,000.

  Amount of loss: $350,000 Attack method: The defect of risk control in economic model

• 2018-10-09

  Hacked target: SpankChain

  Description of the event: The attacker created a malicious contract masquerading as an ERC20 token, and the "transfer" function re-invokes the payment channel contract repeatedly, each time exhausting some ETH.

  Amount of loss: 165.38 ETH Attack method: reentrancy-attack-on-smart-contract

• 2018-08-01

  Hacked target: Fomo 3D

  Description of the event: Ethereum Fomo 3D was hacked and hacker used special attack techniques to take the bonus.

  Amount of loss: 10,469.66 ETH Attack method: Transaction Congestion Attack

• 2018-07-31

  Hacked target: Fomo 3D

  Description of the event: Ethereum Fomo 3D was hacked, Fomo 3D website 24-hour access reduced 21.95 percent, 24-hour flow decreased 38.32%

  Amount of loss: - Attack method: DDoS

• 2018-07-10

  Hacked target: Bancor

  Description of the event: The Bancor platform theft was related to the BancorConverter contract, and the attacker (hacker/mole) is very likely to get the private key of the 0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c.

  Amount of loss: 24,984 ETH，3,236,967 BNT，229,356,645 NPXS， Attack method: Suspected private key stolen

• 2017-07-20

  Hacked target: Parity

  Description of the event: As reported by the startup, the issue is the result of a bug in a specific multi-signature contract known as wallet.sol., the attacker can take over the wallet immediately and absorb all the funds

  Amount of loss: ~30,000,000 USD Attack method: Unauthorized operation

• 2016-06-17

  Hacked target: The DAO

  Description of the event: The DAO smart contract running on the Ethereum suffered a reentrancy-attack-on-smart-contract.

  Amount of loss: ~60,000,000 USD Attack method: reentrancy-attack-on-smart-contract