Total funds lost to ETH DApp hacks, approximately:

$ 1,217,768,171.55

ETH DApp : 90 hack event(s)

  • 2021-06-10

    Hacked target: EvoDefi

    Description of the event: EvoDefi, a yield farm project on the BSC chain, was attacked, and the price of its token GEN dropped from US$2.1 to US$0.9 per token, a short-term drop of 57%. The loss was 455,576.85 GEN, worth approximately USD 1 million.

    Amount of loss: $ 1,000,000 Attack method: Unknown
  • 2021-06-05

    Hacked target: BurgerSwap

    Description of the event: BurgerSwap, an automated market maker on the Binance Smart Chain, was once again hit by a flash loan attack.

    Amount of loss: 0 Attack method: flash loan attack
  • 2021-06-03

    Hacked target: PancakeHunny

    Description of the event: According to official sources, PancakeHunny on BSC was attacked by hackers, who made 43 ETH (more than 100,000 US dollars in total). PancakeHunny is a fork of PancakeBunny, and this attack was similar to the one on PancakeBunny. The hackers obtained a large amount of HUNNY tokens and dumped them on the market, causing the price of HUNNY to plummet.

    Amount of loss: 43 ETH Attack method: flash loan attack
  • 2021-05-30

    Hacked target: Belt Finance

    Description of the event: According to official sources, Belt Finance on the Binance Smart Chain (BSC) suffered a flash loan attack and lost US$6.2 million. The attacker used flash loans to obtain more than US$6.2 million from the Belt Finance protocol through 8 transactions, and has converted most of the funds into anyETH and withdrawn them to Ethereum.

    Amount of loss: $ 6,200,000 Attack method: flash loan attack
  • 2021-05-28

    Hacked target: BurgerSwap

    Description of the event: BurgerSwap, an automated market maker on the BSC chain, suffered a flash loan attack in which more than 432,874 Burgers, about 3.3 million U.S. dollars, were stolen. The attacker has so far taken profits through 1inch, and 200,000 Burgers still remain. The official team said that Swap and BURGER generation have been suspended to avoid further losses. An investor named EdisonOh stated that he had invested USD 1 million and staked it in the xBURGER pool; the liquidity has since dropped from USD 1 million to only USD 10,000, a 97% loss.

    Amount of loss: 432,874 Burger Attack method: flash loan attack
  • 2021-05-28

    Hacked target: JulSwap

    Description of the event: JulSwap, a DEX protocol and automated liquidity protocol on the BSC chain, was hit by a flash loan attack, and $JULB fell more than 95% in a short time.

    Amount of loss: 0 Attack method: flash loan attack
  • 2021-05-26

    Hacked target: MerlinLabs

    Description of the event: MerlinLabs, a DeFi revenue aggregator, was attacked and lost US$6.8 million. The attack method was similar to that used against PancakeBunny, which was hit by a flash loan attack 5 days earlier.

    Amount of loss: $ 6,800,000 Attack method: flash loan attack
  • 2021-05-24

    Hacked target: AutoShark Finance

    Description of the event: The DeFi protocol AutoShark Finance on the Binance Smart Chain (BSC) was hit by a flash loan attack, and its token price suffered a flash crash, dropping by more than 99% at one point, with a loss of 750,000 USD.

    Amount of loss: $ 750,000 Attack method: flash loan attack
  • 2021-05-23

    Hacked target: DeFi100

    Description of the event: The official website of the DeFi protocol DeFi100 on Binance Smart Chain (BSC) is no longer accessible. Previously, Twitter user "Mr. Whale" pointed out that the project may be a scam, saying, "About 32 million US dollars of user funds were swept away by the team." About 10 hours ago, the words "We lied to you, you can't do anything with us" appeared on the DeFi100 official website, and the page was subsequently deleted. It is not yet certain whether the website was hacked or the project team itself closed the website. DeFi100 is a decentralized flexible synthetic asset index product on the Binance Smart Chain, developed by an anonymous team.

    Amount of loss: $ 32,000,000 Attack method: Scam
  • 2021-05-23

    Hacked target: Bogged Finance

    Description of the event: The DeFi protocol Bogged Finance officially stated that hackers carried out a flash loan attack exploiting a vulnerability in the staking function of the BOG token contract and withdrew 3 million US dollars from the liquidity pool. The hackers used the Pancake Pair Swap code to withdraw staking income before the contract verification was completed. The official team stated that the remaining 8 million US dollars in the liquidity pool is safe. The vulnerability used by the hackers has been "blocked" and cannot be reused. The tools provided by Bogged Finance are still safe to use, and the team is repairing the front-end display problem.

    Amount of loss: $ 3,000,000 Attack method: flash loan attack
  • 2021-05-20

    Hacked target: PancakeBunny

    Description of the event: PancakeBunny, the DeFi revenue aggregator on Binance Smart Chain (BSC), suffered a flash loan attack and lost 114,631.5421 WBNB and 697,245.5699 BUNNY, totaling approximately US$45 million. The price of the token BUNNY crashed from 240 US dollars at around 6:35 and at one point fell below 2 US dollars, a maximum drop of more than 99%. The official response stated that, in a flash loan attack attributed to an external developer, the hacker used PancakeSwap to borrow a large amount of BNB and then repeatedly manipulated the USDT/BNB and BUNNY/BNB prices to obtain a large amount of BUNNY and sell it, resulting in a flash crash of the BUNNY price. The hacker then exchanged the proceeds back to BNB through PancakeSwap.

    Amount of loss: $ 45,000,000 Attack method: Flash Loan Attack
  • 2021-05-18

    Hacked target: Venus

    Description of the event: On the evening of May 18, the price of XVS, the token of the BSC-based DeFi lending platform Venus, was doubled by a whale. XVS was then used as collateral to borrow and transfer out BTC and ETH worth hundreds of millions of dollars. After that, the price of the XVS collateral fell sharply and the position faced liquidation, but due to insufficient liquidity in the XVS market, the system failed to liquidate in time, resulting in a huge shortfall of hundreds of millions of dollars in Venus. On the 30th, Venus officially released an article disclosing the process and results of the incident. The investigation showed that the liquidator made a profit of about 20 million U.S. dollars, the seller made a profit of about 55 million U.S. dollars, and the "scalper" made a profit of about 2 million U.S. dollars; the 0xef044 address account had a net loss of about 66 million U.S. dollars. In addition, that address is attributed to the Swipe escrow address used on Binance, so there was no insider trading. The protocol lost approximately $77 million due to market fluctuations. VGP will recover approximately US$77 million from the distribution fund, and formulate a community recovery plan for XVS holders and others in the form of airdrops from the distribution fund and protocol income.

    Amount of loss: $ 145,000,000 Attack method: due to insufficient liquidity in the XVS market, the system failed to liquidate in time
  • 2021-05-17

    Hacked target: FinNexus

    Description of the event: According to community feedback and on-chain data, FNX, the token of the on-chain options protocol FinNexus, was minted, transferred or sold in large amounts in a short period of time, involving more than 300 million FNX tokens (approximately US$7 million) on BSC and Ethereum. Some users reported that the owner authority of the project contract had previously been modified. The FinNexus team stated that it is currently investigating this issue.

    Amount of loss: $ 7,000,000 Attack method: The owner authority of the contract has been modified
  • 2021-05-16

    Hacked target: bEarn Fi

    Description of the event: The DeFi protocol bEarnFi stated that on May 16, its bVaults BUSD-Alpaca strategy was attacked, and nearly 10.86 million BUSD in the pool was drained. However, the remaining bVaults and other pools of the platform are not at risk. At the same time, bEarnFi released a rough compensation plan, which will create a compensation fund consisting of the remaining savings funds, development funds, DAO funds, and part of the expenses incurred by the protocol. After that, a snapshot of the balances will be taken to deploy compensation contracts. Affected users will receive an additional 5% of their deposit amount.

    Amount of loss: $ 11,000,000 Attack method: Asset denominations do not match
  • 2021-05-08

    Hacked target: Rari Capital

    Description of the event: DeFi robo-advisor protocol Rari Capital stated on Twitter that its ETH fund pool was attacked through a vulnerability caused by its integration with the Alpha Finance Lab protocol. The rebalancer has now removed all funds from Alpha. The team stated that it is still investigating and evaluating, and a full report will be released in the future. Data shows that about 14 million U.S. dollars of funds were transferred by the attackers. The Alpha Finance team stated that the funds on Alpha Homora are safe. The address that attacked Rari Capital had previously attacked Value DeFi on the Binance Smart Chain.

    Amount of loss: $ 14,000,000 Attack method: DeFi protocol compatibility
  • 2021-05-07

    Hacked target: Value DeFi

    Description of the event: DeFi protocol ValueDeFi is suspected of being hacked again after being hacked on the 5th. IRONFinance, a partially collateralized stablecoin project on the Binance Smart Chain, stated that ValueDeFi was hacked on May 7th, and some of IRONFinance's pools and products were attacked. The STEELLP tokens may have been drained. However, the STEEL staked in Foundry (IronFinance) and the DND staked in Castle (DiamondHand) are not stored in ValueDeFi, so they are not affected. The affected yield aggregator pools are IRON-STEEL 60%-40% vFarm and STEEL-BUSD 70%-30% vFarm. DeFi project Harvest Finance also stated that it seems that many vswapAMM pools have been drained.

    Amount of loss: 0 Attack method: Contract vulnerability
  • 2021-05-06

    Hacked target: Value DeFi

    Description of the event: Value DeFi stated that at 11:22 on May 5th, the attacker reinitialized the fund pool, set the operator role to himself, and set _stakeToken to HACKEDMONEY. The attacker controlled the pool and called governmentRecoverUnsupported(), which drained the original staked token (vBSWAP/BUSD LP). Then, the attacker removed 10839.16 vBSWAP/BUSD LP of liquidity and obtained 7342.75 vBSWAP and 205659.22 BUSD. Subsequently, the attacker sold all 7342.75 vBSWAP on 1inch to obtain 8790.77 BNB, used the BNB and BUSD to buy renBTC, and converted it to BTC through renBridge. The attacker made a total of 205,659.22 BUSD and 8,790.77 BNB. The 2802.75 vBSWAP currently in the reserve fund and the 205,659.22 BUSD of the ValueDeFi deployer will be used to compensate all users in the pool. The remaining 4540 vBSWAP can be compensated in one of the following two ways. The first option is to mint 4540 vBSWAP to immediately compensate all affected users, and the other option is to mint 2270 vBSWAP for immediate compensation, with the rest returned to the contract within 3 months. Value DeFi emphasized that only the vStake profit sharing pool of vBSWAP in has been affected, and other fund pools and funds are in a safe state.

    Amount of loss: $ 5,817,780 Attack method: Vulnerability
  • 2021-05-02

    Hacked target: Spartan Protocol

    Description of the event: According to the SlowMist Intelligence, the Binance smart chain project Spartan Protocol was hacked and the loss amounted to about 30 million U.S. dollars.

    Amount of loss: $ 30,000,000 Attack method: Use slippage correction mechanism
  • 2021-04-28

    Hacked target: Uranium Finance

    Description of the event: A vulnerability in Uranium Finance, a BSC ecosystem project, resulted in the theft of US$50 million in funds. The official Twitter account said that the team is in contact with the Binance security team.

    Amount of loss: $ 50,000,000 Attack method: Vulnerability
  • 2021-04-20

    Hacked target: EasyFi

    Description of the event: Ankitt Gaur, founder and CEO of Layer 2 DeFi lending protocol EasyFi (EASY), said, "On April 19, team members reported that a large number of EASY tokens were transferred from the official EasyFi wallet to several unknown wallets on the Ethereum network and the Polygon network. Someone may have attacked the management key or mnemonic. The hacker successfully obtained the administrator key and transferred $6 million of existing liquid funds in the form of USD/DAI/USDT from the protocol pool, and 2.98 million EASY tokens (approximately 30% of the total supply of EASY tokens, currently valued at 40.9 million U.S. dollars) were transferred to the wallet of the suspected hacker (0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37)."

    Amount of loss: $ 46,900,000 Attack method: Private key preset
  • 2021-04-12

    Hacked target: PancakeSwap

    Description of the event: According to sources, since April 12, 2021, a person who has access to Binance Smart Chain account 0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1 (PancakeSwap administrator account) has stolen 59,765 Cakes (approximately US$1,800,000) from the PancakeSwap lottery pool. After hackers exploited the vulnerability several times, PancakeSwap banned the account.

    Amount of loss: $ 1,800,000 Attack method: Contract vulnerability
  • 2021-03-19

    Hacked target: SIL.Finance

    Description of the event: The contract of SIL.Finance, a DeFi aggregated financial management service, had a high-risk vulnerability. SIL.Finance later published an article saying that the incident was caused by a permission vulnerability in the smart contract, which in turn triggered a generalized front-running bot to submit a series of transactions for profit. After it was discovered that funds could not be withdrawn from the smart contract because of the high-risk vulnerability, 36 hours of effort by SlowMist and others successfully recovered USD 12.15 million. SIL.Finance stated that if any user assets were damaged in this incident, the team would use its own funds to launch a compensation plan: all users who suffered losses will receive 2 times their loss in compensation, issued in SIL.

    Amount of loss: 0 Attack method: Permission vulnerability
  • 2021-03-17

    Hacked target: Iron Finance

    Description of the event: Recently, Iron Finance, a collateralized stablecoin platform based on Binance Chain, was attacked. Two vFarm liquidity pools (the 50% IRON / 50% SIL pool and the 50% IRON / 50% BUSD pool) lost a total of 170,000 US dollars. The official account of the incident published later stated that: 1. The attack was caused by the upgrade of the cloud service (FaaS) and a change in the reward rate integer, which the official team was not aware of. An attacker then made a profit of 170,000 U.S. dollars by selling all the rewards in the native token SIL. 2. The Iron Finance smart contract has no vulnerabilities. 3. vFarms will be restarted on March 18th, and SIL tokens will be restarted to sIRON. 4. Users should not sell or exchange IRON tokens for the time being. When the new pool is restarted, the full amount of BUSD can be redeemed. The Iron Finance protocol was launched on the BSC in early March. The IRON stablecoin is pegged to the U.S. dollar, partly backed by collateral such as BUSD and USDT, and partly backed by the SIL algorithm.

    Amount of loss: $ 170,000 Attack method: Change the reward rate integer
  • 2021-03-15

    Hacked target: Multiple DeFi protocols

    Description of the event: Many DeFi protocol websites on BSC (Binance Smart Chain) suffered DNS attacks, including Cream Finance and the leading BSC DEX PancakeSwap. The attacker asked users to submit their personal private keys or mnemonics through the websites. The relevant project teams used Twitter to remind users not to visit the websites and not to submit information such as private keys. Later PancakeSwap and Cream Finance both stated that they had regained access to DNS.

    Amount of loss: 0 Attack method: DNS attack
  • 2021-03-05

    Hacked target: Curve

    Description of the event: Curve Finance tweeted that a vulnerability was found in the Pool Factory v1 version of the fund pool, and recommended that v1 users use to withdraw funds immediately. and Pool Factory v2 fund pools are not affected. The vulnerability only affects the v1 pool, and hackers cannot use it to steal user funds.

    Amount of loss: 0 Attack method: Vulnerability
  • 2021-03-04

    Hacked target: Meerkat Finance

    Description of the event: It is said that the official community information of Meerkat Finance shows that its vault contract was hacked, and the hacker used the intrusion to steal all the funds in the vault.

    Amount of loss: $ 31,000,000 Attack method: Scam
  • 2021-02-28

    Hacked target: Furucombo

    Description of the event: The proxy of the DeFi platform Furucombo was attacked and the amount stolen was more than 15 million U.S. dollars. The DeFi aggregation platform Furucombo officially released a tweet, saying: "The root cause has been found and the vulnerability has been patched. The funds are now safe. We are investigating the stolen funds and organizing follow-up actions. The follow-up will continue to be updated." Later, Furucombo stated that it would issue 5 million iouCOMBO tokens to affected users.

    Amount of loss: $ 15,000,000 Attack method: Over-authorization
  • 2021-02-28

    Hacked target: Armor

    Description of the event: The team of the DeFi insurance protocol Armor stated that some team members fell victim to an OTC scam and were defrauded of 1.2 million ARMOR tokens. The scammers have already dumped all the tokens for a profit of 600 ETH (approximately US$850,000). The Armor team disclosed that the scammers pretended to be strategic investors on social media, falsely claimed they would purchase tokens from the team through OTC, obtained 1.2 million ARMOR tokens by fraud in OTC transactions, and then sold them. According to the Armor team, "No hacking, the project is still safe."

    Amount of loss: $ 850,000 Attack method: OTC Scam
  • 2021-02-27

    Hacked target:

    Description of the event: The DAI pool of, the DeFi revenue aggregator, was hit by a flash loan attack, resulting in a loss of 160,000 DAI and involving more than 10 users. Tether, TrueUSD and USDC were not affected. According to reports, Yeld's problem is consistent with the earlier Yearn.Finance DAI pool vulnerability. The official team also stated that affected users will be repaid with tokens, which will be rewarded with income from the DAI pool to make up for some of their losses. Later, officially stated that the 160,000 DAI taken in the flash loan attack has been returned. This event is suspected to be the work of a white hat, and the official team will further update the details.

    Amount of loss: 0 Attack method: Unknown
  • 2021-02-22

    Hacked target: Primitive Finance

    Description of the event: A serious vulnerability was discovered in the smart contract of Primitive Finance, an options protocol on the Ethereum chain. Since the contract cannot be upgraded or paused, the official team chose to hack the smart contract itself to protect user funds. The hacked funds are safe, and all of them will be returned to their owners. The official team said that the post-mortem analysis of the vulnerability, the timeline of actions taken to protect user funds, and the next steps for immediately returning user funds will be published soon.

    Amount of loss: 0 Attack method: Smart contract vulnerabilities
  • 2021-02-13

    Hacked target: Cream.Finance

    Description of the event: DeFi protocol Cream.Finance officially tweeted that the protocol may have been exploited by hackers, and the developers are fully investigating. According to EtherScan data, hackers stole 13,244.63 ETH. The hackers then transferred 1000 ETH to each of the Cream.Finance and Alpha.Finance developer authentication addresses. The rest of the stolen funds went into the DeFi mixer Tornado.Cash and the A3CRV Gauge pool of Curve.Finance.

    Amount of loss: 13244.63 ETH Attack method: Flash loan attack
  • 2021-02-09

    Hacked target: BT.Finance

    Description of the event: DeFi revenue aggregator BT.Finance tweeted, "It was hacked. The attacked strategies include ETH, USDC and USDT. Other strategies are not affected. BT.Finance withdrawal fee protection has reduced the loss of this attack by nearly 140,000 US dollars." BT.Finance expressed the hope that hackers can return the funds and will use BT tokens to thank its bug test. According to ICO Analytics, the affected funds are approximately US$1.5 million.

    Amount of loss: $ 1,500,000 Attack method: Flash Loan Attack
  • 2021-02-05

    Hacked target: YFI

    Description of the event: The Yearn v1 yDAI vault was attacked and the attackers stole 2.8 million US dollars. Banteg, the core developer of Yearn finance, subsequently stated that the attacker received 2.8 million US dollars and the vault lost 11 million US dollars. During the investigation period, deposits into the v1 DAI, TUSD, USDC and USDT vaults will be prohibited.

    Amount of loss: $ 11,000,000 Attack method: Flash Loan Attack
  • 2021-02-01

    Hacked target: Multi Financial

    Description of the event: It is said that Binance Smart Chain investors reported that on February 1, another "earth dog" project, Multi Financial, ran away on BSC, taking about 5000 BNB in just one day. The affected investor stated that it had reported that Binance had blocked the address of the project party and reported to the police. Recently, there have been many such run-away incidents on BSC. The popcornswap project took close to 48,000 BNB. Within a few days, three other projects (Zap Finance, Tin Finance and SharkYield) ran away. SharkYield is suspected to have taken away 6000 BNB. Binance said that BSC is a public chain like Ethereum and that it should not be held responsible for the above projects. It hopes that users will manually intervene in investment and select high-quality projects to participate in.

    Amount of loss: 5000 BNB Attack method: Scam
  • 2021-01-31

    Hacked target: popcornswap

    Description of the event: Weibo user "Super Bitcoin" stated that another DeFi mine on the Binance Smart Chain, popcornswap, has run away. It is reported that some users said in the community that the project used cake's LP, that the contract was open source but had not been audited, and that the LP was taken in less than two hours. Currently, there are more than 40,000 BNB in the wallet and no action has been taken.

    Amount of loss: 48000 BNB Attack method: Scam
  • 2021-01-27

    Hacked target:

    Description of the event: Weibo user "CryptoBlanker" broke the news: the project party directly used the reserved setBoardroom() function to change the Boardroom address to an address it had deployed. Of BAS alone, 2,600 were taken, worth 111 ETH (about 144,000 US dollars).

    Amount of loss: 111 ETH Attack method: Scam
  • 2021-01-27

    Hacked target: SushiSwap

    Description of the event: On January 27, 2021, according to SlowMist Zone Intelligence, SushiSwap was attacked again.

    Amount of loss: 81 ETH Attack method: Manipulate the initial transaction price
  • 2020-12-28

    Hacked target: Cover Protocol

    Description of the event: Twitter users said that Cover Protocol lost $3 million due to a vulnerability in its reward contract. On-chain data shows that the attacker (0xf05Ca...943DF) used the cover contract to issue a total of about 10,000 COVER and exchanged them for assets such as WBTC and DAI. Later, the blockchain explorer showed that the attacker (address label Grap Finance: Deployer), who had made a profit of 3 million US dollars by issuing additional COVER, returned 4350 ETH to the address labelled Deployer. Cover Protocol officially tweeted that it will provide a new COVER token based on the snapshot taken before the exploit. The 4350 ETH returned by the attacker will also be returned to LP token holders through snapshot processing. The official team said that the incident is still under investigation and warned users not to buy COVER.

    Amount of loss: $ 3,000,000 Attack method: Contract vulnerability
  • 2020-12-18

    Hacked target: Warp Finance

    Description of the event: DeFi portal DefiPrime said on Twitter this morning that at 06:34 on December 18th, Beijing time, Warp Finance, a DeFi protocol for loans collateralized by LP tokens, suffered a flash loan attack and about 8 million US dollars were stolen. In addition, Warp Finance officials also tweeted that they are investigating illegal stablecoin loans taken out in the last hour, and recommended not depositing stablecoins until the official team finds the cause. Afterwards, Warp Finance issued a statement regarding the flash loan attack. It said that the flash loan attackers could steal up to US$7.7 million worth of stablecoins, but the Warp Finance team has formulated a plan to recover approximately US$5.5 million worth of stablecoins still in the collateral vault. The US$5.5 million will be distributed proportionally to users who have suffered losses.

    Amount of loss: $ 7,700,000 Attack method: Flash Loan Attack
  • 2020-12-14

    Hacked target: Ethereum DeFi space

    Description of the event: Last Friday, there were 3 scams in the Ethereum DeFi space, causing a total of 1.2 million US dollars in losses to unfortunate investors. These scams make people participate in "pre-sales", but when the project needs to release the tokens that investors bought in the pre-sale, these funds go into an external wallet and are sold. The projects that perform these operations are DeFiB, iBase/YFFS and DeTrade Fund. According to reports, DeTrade Fund was the biggest scam last Friday. The platform allowed any user to make a profit by investing money in its arbitrage system and defrauded more than 1,400 Ethereum raised in the pre-sale. Twitter user Artura discovered that DeTrade Fund is actually run by Lithuanians. Soon after Artura tweeted, the affiliated address of the scam distributed hundreds of Ethereum to pre-sale participants, and the returned funds accounted for about 65-70% of the initial stolen funds. DeFiB also issued a "partial refund". However, the hundreds of thousands of dollars worth of Ethereum that investors invested in iBase/YFFS has not been returned.

    Amount of loss: $ 1,200,000 Attack method: Scam
  • 2020-12-01

    Hacked target: Compounder.Finance

    Description of the event: At 3 pm on December 1, Beijing time, the CertiK security technical team discovered through Skynet that the Compounder.Finance project had multiple large transactions at the address 0x0b283b107f70d23250f882fbfe7216c38abbd7ca. After verification by the CertiK security technical team, it was found that these transactions were internal operations by the owner of the Compounder.Finance project, who transferred a large number of tokens to their own account. According to statistics, Compounder.Finance eventually lost a total of 80 million yuan worth of tokens.

    Amount of loss: $ 80,000,000 Attack method: Project owner internal operations
  • 2020-11-30

    Hacked target: Saffron Finance

    Description of the event: DeFi asset collateral platform Saffron Finance issued an announcement stating that Epoch 1 redemption errors caused by a contract vulnerability resulted in 50 million DAI deposited in Epoch 1 being locked for 8 weeks. The team is currently working on an emergency fix to solve this problem and will transition to Epoch 2. Saffron Finance is a DeFi asset collateral platform released by an anonymous team. Its token is SFI, and it allows liquidity providers to select customized risk exposures to obtain returns. In each cycle, users can choose different risk-return combinations (A, AA, S) on Saffron to provide liquidity. Each cycle lasts 14 days (LP is locked for the 14 days). After the cycle ends, users can remove liquidity and obtain interest and prorated SFI.

    Amount of loss: $ 50,000,000 Attack method: Epoch 1 redemption errors
  • 2020-11-30

    Hacked target: SushiSwap

    Description of the event: The liquidity mining project SushiSwap (SUSHI) community governor 0xMaki announced in the Discord group that the SushiSwap vulnerability has been fixed, and the lost funds (approximately US$10,000) will be compensated from the SUSHI asset library. Previously, SushiSwap was attacked by a liquidity provider. The attacker obtained between 10,000 and 15,000 US dollars in a transaction. However, after this operation was discovered by 0xMaki, 0xMaki sent a transaction to the attacker with a message saying "I found you and we are working hard to fix it. Contact me on Discord to get bug bounty-0xMaki".

    Amount of loss: $ 15,000 Attack method: Unknown
  • 2020-11-30

    Hacked target: Rari Capital

    Description of the event: DeFi robo-advisor Rari Capital stated on its official Twitter account that contract vulnerabilities have been fixed with the cooperation of Quantstamp and no funds have been lost. Previously, due to vulnerabilities in the RGT Distributor contract, RGT token application and deposit and withdrawal operations had been suspended. Rari Capital is currently reviewing the code update to confirm that there are no other vulnerabilities in the entire code.

    Amount of loss: 0 Attack method: Unknown
  • 2020-11-26

    Hacked target: Compound

    Description of the event: A price feed error in Compound caused the liquidation of $90 million in assets. According to DeBank founder hongbo, the huge liquidation on Compound was caused by dramatic fluctuations in the DAI price on Coinbase Pro, the oracle's information source. Manipulating the information source that an oracle relies on, using short-term price manipulation to produce misleading prices on the chain, is a typical oracle attack.

    Amount of loss: 0 Attack method: Feed error
  • 2020-11-22

    Hacked target: Pickle Finance

    Description of the event: The DeFi protocol Pickle Finance lost nearly $20 million in DAI to an exploit on Saturday. The exploit involves Pickle Finance's DAI pJar product, which uses the Compound protocol to earn revenue on DAI deposits. The funds from the exploit have been transferred to the address 0x70178102AA04C5f0E54315aA958601eC9B7a4E08, where they are currently located. It is not yet clear why this vulnerability occurred.

    Amount of loss: $ 20,000,000 Attack method: Unknown
  • 2020-11-19

    Hacked target: 88mph

    Description of the event: The DeFi fixed-rate yield generation protocol 88mph (MPH) disclosed its progress in handling the incident in which "attackers exploited the vulnerability to mint US$100,000 of MPH tokens", and has completed testing of the ETH airdrop user interface. Currently, liquidity providers can claim their own ETH on the website ( claim-eth). 88mph will redeploy MPH later and then distribute it. Chain Wen previously reported that on November 18, an attacker used the vulnerability to obtain $100,000 in MPH tokens. Afterwards, 88mph discovered a vulnerability in MPHMinter, the MPH token minting contract, which could allow potential attackers to steal all ETH in the Uniswap fund pool. With the help of the well-known white hat samczsun, the ETH has been withdrawn into the governance multi-signature, so all funds are safe. In addition, 88mph stated that because the attacker placed $100,000 in the LP pool (liquidity pool), the funds have been transferred to the governance wallet, and it has decided to allocate these funds to token holders, including MPH and ETH.

    Amount of loss: 0 Attack method: Unknown
  • 2020-11-17

    Hacked target: OUSD

    Description of the event: Matthew Liu, co-founder of Origin Protocol (OGN), a decentralized sharing economy protocol, wrote an article disclosing the details of the flash loan attack on the US dollar stablecoin Origin Dollar (OUSD). So far, the attack has caused about 7 million U.S. dollars in losses, including more than 1 million U.S. dollars deposited by Origin and its founders and employees. Currently, Origin is determining the cause of the vulnerability and whether it can recover the funds. Origin reminded, "Vault deposits are currently disabled. Please do not purchase OUSD on Uniswap or Sushiswap."

    Amount of loss: $ 7,000,000 Attack method: Flash Loan Attack
  • 2020-11-16

    Hacked target: Cheese Bank

    Description of the event: Cheese Bank, a decentralized autonomous digital banking platform based on Ethereum, suffered a loss of USD 3.3 million due to a hacker attack. Hackers conducted a series of malicious lending operations on platforms such as dYdX and Uniswap by using automatic market maker (AMM)-based oracles, resulting in a total loss of over US$3.3 million, including US$2 million in USDC.

    Amount of loss: $ 3,300,000 Attack method: Flash Loan Attack
  • 2020-11-14

    Hacked target: Value DeFi

    Description of the event: The Value DeFi protocol was hit by a flash loan attack on Saturday. It is reported that the attacker borrowed 80,000 ETH from the Aave protocol, executed a flash loan attack, and arbitraged between DAI and USDC. After the attacker used $7.4 million DAI, he refunded $2 million to Value DeFi and retained $5.4 million. In addition, the attacker left a mocking message to the Value DeFi team: "Do you really understand lightning loans?" Value DeFi claimed on Twitter on Friday that it has a function for preventing flash loan attacks. On inquiry, the tweet no longer exists. Subsequently, the Value DeFi team tweeted to confirm that its MultiStables vault had been subjected to "a complex attack with a net loss of 6 million US dollars." It is currently conducting post-event analysis and is exploring ways to reduce the impact on users. According to CoinGecko's market data, its VALUE token has now fallen below US$2 and is currently quoted at US$1.98, a 24-hour drop of 28.5%.

    Amount of loss: $ 6,000,000 Attack method: Flash Loan Attack
  • 2020-11-13

    Hacked target: Akropolis

    Description of the event: Hackers took advantage of flaws in the stored-asset verification of the Akropolis project to launch multiple consecutive reentrancy attacks on the contract, causing the Akropolis contract to issue a large number of pooltokens out of thin air without any new assets being deposited. The hackers then used these pooltokens to withdraw DAI from the YCurve and sUSD pools, which eventually led to the loss of 2.03 million DAI in the project contract.

    Amount of loss: $ 2,030,000 Attack method: Reentry attack
  • 2020-11-04

    Hacked target: PercentFinance

    Description of the event: DeFi lending platform PercentFinance wrote in a blog post on November 4 that some money markets encountered problems that could cause users' funds to be permanently locked. The team froze the money markets for USDC, ETH, and WBTC specifically. A total of 446,000 USDC, 28 WBTC and 313 ETH have been frozen, valued at approximately US$1 million. The article stated that half of these frozen funds belonged to PercentFinance's "community improvement team." Withdrawals in other markets have already begun, but the team urges users not to borrow from any of PercentFinance's markets during this period. It is reported that PercentFinance is a fork of Compound Finance.

    Amount of loss: $ 1,000,000 Attack method: Unknown
  • 2020-11-02

    Hacked target: Axion Network

    Description of the event: Cointelegraph reported that on November 2, a project called Axion Network launched the token AXN and was hacked a few hours after the launch. 79 billion AXN were minted and sold on the market. The token price fell to almost zero. The hacker made a profit of 1,300 ETH, or about $500,000.

    Amount of loss: $ 500,000 Attack method: Using the unstake function of the Axion Staking contract, we managed to mint approximately 80 billion AXN tokens
  • 2020-10-26

    Hacked target: Harvest Finance

    Description of the event: On-chain data shows that a large amount of funds in the Harvest Finance fund pool were transferred, and about 24 million US dollars (specifically, approximately USD 34 million) were successfully cashed out through multiple contract transactions, most of it through renBTC. The initial ETH source used by the hacker this time was the Ethereum anonymous transfer platform. The hash for this operation is: 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877. It can be seen from the Ethereum browser that the hacker transferred 20 WETH to the Harvest Finance contract (address: 0xc6028a9fa486f52efd2b95b949ac630d287ce0af), and finally transferred the 20 ETH back to his address. Harvest Finance posted an update on Twitter saying that, like other arbitrage economic attacks, this one originated from a huge flash loan and manipulated the price of one money lego (Curve y Pool) many times to drain another money lego (fUSDT, fUSDC) of funds. The attacker then converted the funds into renBTC and cashed out. As with other flash loan attacks, the attacker left no time to respond, and the attack ran end to end for 7 minutes. The attacker returned $2,478,549.94 to Deployer in the form of USDT and USDC. On December 7, Harvest Finance officially announced the launch of GRAIN, USDC and USDT claim portals. Officials said that the hacker's earlier refund of $2.5 million in funds reduced user losses to 13.5%. Officials are using USDC, USDT, and GRAIN tokens for mixed compensation to help users who were affected by the attack make claims. Users will receive GRAIN tokens in proportion to their deposits, and the $2.5 million returned by the hacker will be distributed proportionally.

    Amount of loss: $ 33,800,000 Attack method: Flash Loan Attack
  • 2020-10-12

    Hacked target: WLEO

    Description of the event: The WLEO contract of the Ethereum project was hacked late yesterday, resulting in the theft of $42,000 worth of funds. The hackers stole Ethereum from the pool of the decentralized exchange Uniswap by minting WLEO to themselves and swapping it for Ethereum. After the hacker attack, the price of WLEO dropped by 99%.

    Amount of loss: $ 42,000 Attack method: Minting WLEO
  • 2020-10-10

    Hacked target: UniCats

    Description of the event: Alex Manuskin, a researcher at the crypto wallet ZenGo, revealed that UniCats, a so-called "yield farming platform" based on the Ethereum network, is suspected of stealing at least $200,000 in crypto assets from several users, including UNI, the governance token of the decentralized finance platform Uniswap. A backdoor in the smart contract allows UniCats to retain control of its users' tokens even after these tokens have been withdrawn from the user pool. Previous attacks against Bancor also used similar vulnerabilities.

    Amount of loss: $ 200,000 Attack method: Scam
  • 2020-10-08

    Hacked target: DeFi Saver

    Description of the event: The decentralized wallet imToken tweeted that users reported that 310,000 DAI had been reduced, which conflicted with DeFi Saver Exchange. imToken recommends that the automated management system of collateralized bond warehouses (CDP) imi stated that its security team is investigating the incident and trying to troubleshoot all user wallets that hit and issue warnings. DeFiSaver responded that this part of the funds is safe and is contacting users. DeFiSaver admitted that this was related to the foreign exchange benefits reported in June.

    Amount of loss: 310,000 DAI Attack method: Exchange leak
  • 2020-09-29

    Hacked target: Eminence

    Description of the event: According to bluekirbyfi's Twitter messages, the game project Eminence (EMN), launched by yearn.finance founder Andre Cronje, suffered a flash loan attack, and the hackers will return $8 million of funds to the yearn deployer contract. Officials are investigating the situation and will redistribute the $8 million.

    Amount of loss: 0 Attack method: Flash Loan Attack
  • 2020-09-26

    Hacked target: GemSwap

    Description of the event: On September 26, a SushiSwap imitation project named GemSwap was reported to have had its LP funds taken away. A query found that the project posted a tweet at around 15:00 today revealing that it was attacked by the developer of "whatitdobb". It is understood that the project completed its liquidity migration earlier today, but the developer who initiated the attack had obtained the relevant permission and was able to take away the tokens in the liquidity pool. The specific losses caused by this attack are currently unclear.

    Amount of loss: 0 Attack method: Developer attack
  • 2020-09-20

    Hacked target: Soda

    Description of the event: The financial blogger "Super Bitcoin" stated on Weibo that Mr. Huai (Weibo username "crash X") participated in the liquidity mining project Soda and suddenly discovered a loophole through which 20,000 ETH could be directly liquidated. He chose to tell the development team, but the development team did not pay attention. He had no choice but to liquidate one ETH and post a Weibo warning to inform the developers of the existence of this bug. One hour later, the Soda protocol team responded by prompting borrowers to repay and mortgagers to withdraw, and at the same time indicated that they would fix the loophole and suspend the front-end borrowing function. But as of the early morning of September 21st, more than 400 ETH in Soda's mortgage loan pool had still been maliciously liquidated. On the morning of the same day, the protocol officially stated on Twitter that the vulnerability has been fixed, and the newly deployed smart contract is expected to take effect at 21:00 on September 22.

    Amount of loss: 446 ETH Attack method: Unknown
  • 2020-09-20

    Hacked target: LV Finance

    Description of the event: According to intelligence from the SlowMist Zone, LV Finance, an Ethereum mining project, is suspected of running away, with 4 million transferred away within an hour. Unlike previous projects, the project used fake audit websites and provided false audit information to trick investors into investing, then ran away once the amount in the fund pool was large enough after a period of time. Currently, the project website is no longer accessible.

    Amount of loss: $ 4,000,000 Attack method: Ponzi
  • 2020-09-19

    Hacked target: Bantiample

    Description of the event: The team behind Bantiample, a project on the Binance Smart Chain, has cashed out 3000 BNB and run away. At present, the main developer of the team has deleted the Telegram account, and the project token BMAP has fallen by more than 90% in a single day. According to the project's description, BMAP is an AMPL-like imitation: every time a user participates in a transaction, the total amount is reduced by 1%. However, it is actually just an ordinary token, and it does not have the functions described by the project team. It just used the popularity of the AMPL project to commit fraud.

    Amount of loss: 3,000 BNB Attack method: Fraud
  • 2020-09-14

    Hacked target: bZx

    Description of the event: bZx officially tweeted that at 3:28 am Eastern time (15:30, September 13th, Beijing time), it began to look into the decline in the protocol's TVL. By 6:18 AM EST (18:30, September 13th, Beijing time), it confirmed that several iTokens had duplication incidents. Lending was temporarily suspended. The duplication method has been patched out of the iToken contract code, and the protocol has resumed normal operation. According to information from the founder of Compound, a total of US$2.6 million in LINK, US$1.6 million in ETH, and US$3.8 million in stablecoins were affected, for a total of US$8 million in assets. 1inch co-founder Anton Bukov tweeted that the attacker had stolen about 4,700 ETH in this incident and attached the address of the stolen funds. In response, bZx said that the funds are currently not at risk and that the funds listed have been deducted from its insurance fund. On September 16, bZx released an iToken duplication incident report, and the attacker has returned all funds.

    Amount of loss: $ 8,000,000 Attack method: Duplicate funding acquisition
  • 2020-09-10

    Hacked target: SYFI

    Description of the event: Amplify, a DeFi user, discovered a bug in SYFI, a DeFi smart contract, and made 747 ETH in a single transaction, taken from other users. The project crashed.

    Amount of loss: 747 ETH Attack method: Unknown
  • 2020-09-09

    Hacked target: Soft Finance

    Description of the event: A user with a Twitter account named Amplify revealed that he made a profit of US$250,000 from a system vulnerability in the new DeFi project Soft Finance.

    Amount of loss: $ 250,000 Attack method: Unknown
  • 2020-08-28

    Hacked target: Degen.Money

    Description of the event: Twitter users reported that the DeFi liquidity mining project Degen.Money exploited a double approval vulnerability to get users' money. The first approval goes to the pledge contract, and the second approval grants the right to transfer money, which results in the user's funds being taken away by the attacker. YFI founder Andre Cronje says the project does have risks.

    Amount of loss: 0 Attack method: double approval
  • 2020-08-25

    Hacked target: YFValue

    Description of the event: The DeFi project YFValue (YFV) officially released an announcement stating that the team found a loophole in the YFV pledge pool yesterday, and malicious participants used the vulnerability to reset the YFV timer in the pledge separately. There is a risk of $170 million in funds being locked. Currently, a malicious participant is trying to blackmail the team using this vulnerability.

    Amount of loss: $ 170,000,000 Attack method: Reset the YFV timer in the pledge separately
  • 2020-08-14

    Hacked target: BASED

    Description of the event: The DeFi liquidity farming anonymous project BASED officially announced that it would redeploy the pledge pool. The official tweeted that a hacker tried to freeze "Pool1" permanently, but the attempt failed, and "Pool1" will continue as planned. The mortgage funds and BASED tokens are currently safe.

    Amount of loss: 0 Attack method: Unknown
  • 2020-08-13

    Hacked target: YAM

    Description of the event: On August 13, 2020, the well-known Ethereum DeFi project YAM officially posted on Twitter that it found loopholes in the contract. The price plummeted by 99% within 24 hours, resulting in the “permanent destruction” of the governance contract. Curve tokens worth 750,000 USD are locked and cannot be used.

    Amount of loss: $ 750,000 Attack method: Unknown
  • 2020-08-04

    Hacked target: Opyn

    Description of the event: On-chain options platform Opyn disclosed that its Ethereum put options were maliciously exploited by external participants. Opyn pointed out that all other Opyn contracts except Ethereum put options are not affected by this vulnerability. The attacker double-used oTokens and stole the pledged assets of the put option sellers. According to Opyn statistics, a total of 371,260 USDC has been stolen so far. The Opyn team conducted a white hat hack based on the Convexity Protocol and successfully recovered 439,170 USDC from the unpaid vault to further reduce the loss. Currently, the Opyn team has withdrawn its liquidity from Uniswap's Ethereum put option pool and is investigating the situation.

    Amount of loss: 371,260 USDC Attack method: Double use oToken
  • 2020-07-01

    Hacked target: VETH

    Description of the event: Coingecko researcher Daryllautk tweeted that VETH suffered a hacker attack on the decentralized exchange Uniswap. The hacker stole 919,299 VETH (worth $900,000) using only 0.9 ETH. After the attack, VETH officially stated that the contract was exploited through the UX improvement it placed in transferForm(), which was their fault. They will redeploy vether4 and will compensate all affected Uniswap pledgers.

    Amount of loss: $ 900,000 Attack method: Unknown
  • 2020-06-30

    Hacked target: Balancer

    Description of the event: According to DeBank's Twitter, hackers once again used a dYdX flash loan to attack the COMP trading pair in part of Balancer's liquidity pools, and took away the unclaimed COMP rewards from the pool to make a profit of 10.8 ETH, which is about $2408.

    Amount of loss: $ 2,408 Attack method: Flash Loan Attack
  • 2020-06-29

    Hacked target: Balancer

    Description of the event: The Balancer liquidity pool was hit by a flash loan attack and lost $500,000. The two pools in which Balancer suffered losses are STA and STONK. At present, the liquidity of these two token pools has been exhausted. Both STA and STONK are deflationary tokens, which means that this attack only affects the liquidity pools of deflationary tokens.

    Amount of loss: $ 500,000 Attack method: Unknown
  • 2020-06-25

    Hacked target: Web3 DeFi

    Description of the event: Malicious Web3 applications, "phishing dapps", were discovered in a recent study; they pretend to be legitimate applications or services in order to steal cryptocurrencies. For example, since MakerDAO officially closed the single-collateral Sai system, such phishing tools have begun to appear, presenting themselves as a new tool needed to help users migrate from SAI to DAI. One domain name, for instance, provides a simple interface to start the migration from SAI to the new DAI at a 1:1 ratio, and looks like an official channel. However, the actual transaction to be signed simply sends the SAI to an address owned by the attacker. SAI worth more than US$100,000 has been traced as transferred to the attacker's account.

    Amount of loss: $ 100,000 Attack method: phishing attack
  • 2020-06-24

    Hacked target: Atomic Loans

    Description of the event: Atomic Loans issued a decision on vulnerability disclosure and the suspension of new loan requests. The decision shows that the security researcher samczsun privately disclosed two vulnerabilities in the currently deployed contracts and lender agents. Both vulnerabilities would have allowed a malicious borrower to unlock part or all of their BTC collateral without repaying their loan in specific circumstances. Up to now, neither of these vulnerabilities has been exploited by any user, and no funds on the platform were impacted. Additionally, the platform has disabled the ability for any borrower or lender to participate in new loans until they launch v2.

    Amount of loss: 0 Attack method: Unknown
  • 2020-06-23

    Hacked target: DMM

    Description of the event: The official Twitter account of the DeFi money market protocol DMM said that during the $DMG public sale today, its Telegram was unfortunately brigaded by malicious actors who impersonated the DMM Foundation with the sole intent of stealing funds. After digging through the on-chain transactions to find those affected, the official team sent a total of $40k worth of DMG to those affected at an exchange rate of $0.40 per DMG, hoping to make sure everyone who lost funds was made whole.

    Amount of loss: $ 40,000 Attack method: Unknown
  • 2020-06-18

    Hacked target: Bancor

    Description of the event: Due to the unverified safeTransferFrom() function in the new Bancor network contract, user funds were at risk of being drained. The Bancor team stated: 1. A security vulnerability was discovered in the new Bancor Network v0.6 contract released two days ago; 2. After the vulnerability was discovered, the team conducted a white hat attack to transfer funds to a secure address; 3. The audit of the smart contract has been completed. But $135,229 was still front-run by two unknown arbitrage bots.

    Amount of loss: $ 135,229 Attack method: Unknown
  • 2020-05-18

    Hacked target: tBTC

    Description of the event: The tBTC team suspected it had found a major contract vulnerability, so it suspended the deposit service and urgently re-audited the contract. tBTC is a trustless ERC-20 token backed by redeemable BTC.

    Amount of loss: - Attack method: Unknown
  • 2020-04-25

    Hacked target: Hegic

    Description of the event: Hegic: There are 152.2 ETH (about 28,537 USD) permanently locked in the contract pool of unexercised put / call options. Out of the 19 contracts, 16 are put options (DAI is locked) and 3 are call options (ETH is locked). Hegic said it will process a 100% refund for all involved users.

    Amount of loss: $28,537 Attack method: Unknown
  • 2020-04-19

    Hacked target: Lendf.Me

    Description of the event: DeFi lending protocol Lendf.Me was hacked.

    Amount of loss: $24,696,616 Attack method: ERC777 Reentrancy Rick
  • 2020-04-18

    Hacked target: Uniswap

    Description of the event: Uniswap was hacked and lost 1278 ETH.

    Amount of loss: $220,000 Attack method: ERC777 Reentrancy Rick
  • 2020-03-12

    Hacked target: MakerDao

    Description of the event: Due to the congestion of Ethereum, the gas soared, and the liquidated ETH was sold at a price of 0 US dollars using the MakerDao auction loophole.

    Amount of loss: $ 7,900,000 Attack method: Abnormal liquidation mechanism
  • 2020-02-18

    Hacked target: bZx

    Description of the event: bZx was attacked again with an estimated loss of $645,000 of ETH

    Amount of loss: $645,000 Attack method: The defect of risk control in economic model
  • 2020-02-15

    Hacked target: bZx

    Description of the event: DeFi lending protocol bZx exploited, may lose up to $350,000.

    Amount of loss: $350,000 Attack method: The defect of risk control in economic model
  • 2018-10-09

    Hacked target: SpankChain

    Description of the event: The attacker created a malicious contract masquerading as an ERC20 token, and the "transfer" function re-invokes the payment channel contract repeatedly, each time exhausting some ETH.

    Amount of loss: 165.38 ETH Attack method: reentrancy-attack-on-smart-contract
  • 2018-08-01

    Hacked target: Fomo 3D

    Description of the event: Ethereum Fomo 3D was hacked, and the hacker used special attack techniques to take the bonus.

    Amount of loss: 10,469.66 ETH Attack method: Transaction Congestion Attack
  • 2018-07-31

    Hacked target: Fomo 3D

    Description of the event: Ethereum Fomo 3D was hacked. 24-hour access to the Fomo 3D website fell by 21.95 percent, and 24-hour traffic decreased by 38.32%.

    Amount of loss: - Attack method: DDoS
  • 2018-07-10

    Hacked target: Bancor

    Description of the event: The Bancor platform theft was related to the BancorConverter contract, and the attacker (hacker/mole) very likely obtained the private key of 0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c.

    Amount of loss: 24,984 ETH, 3,236,967 BNT, 229,356,645 NPXS Attack method: Suspected private key stolen
  • 2017-07-20

    Hacked target: Parity

    Description of the event: As reported by the startup, the issue is the result of a bug in a specific multi-signature contract known as wallet.sol. The attacker can take over the wallet immediately and absorb all the funds.

    Amount of loss: ~30,000,000 USD Attack method: Unauthorized operation
  • 2016-06-17

    Hacked target: The DAO

    Description of the event: The DAO smart contract running on Ethereum suffered a reentrancy-attack-on-smart-contract.

    Amount of loss: ~60,000,000 USD Attack method: reentrancy-attack-on-smart-contract