394 hack event(s)
Description of the event: MEV Bot JokInTheBoxETH was attacked, lost ~$34K. The root cause of the exploit was a poorly implemented unstake function of the staking contract. Since the unstake function does not check the state of the variable "unstake", the exploiter could unstake multiple times and drain the assets.
Amount of loss: $ 34,000 Attack method: Contract Vulnerability
Description of the event: Ethereum Layer 2 protocol Loopring posted on Twitter that some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process, falsely posing as the wallet owner to reset ownership and withdraw assets. The attack succeeded by compromising Loopring's 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian. Subsequently, the attacker transferred assets out of the affected wallets.
Amount of loss: $ 5,000,000 Attack method: Security Vulnerability
Description of the event: Renzo's co-founder, Lucas Kozinski, posted a warning on Twitter stating that the @RenzoProtocol Twitter account has been compromised. He advised not to click any links and mentioned that the team is working with Twitter to resolve the issue.
Amount of loss: - Attack method: Account Compromise
Description of the event: On May 20, 2024, the Web3 gaming platform Gala Games was attacked, resulting in a loss of approximately $21.8 million. The attacker minted 5 billion GALA tokens, worth over $200 million, and quickly sold 592 million GALA, receiving 5,952 ETH. On May 22, according to on-chain records and a statement from Gala Games on Discord, the digital wallet associated with the Gala Games hacker transferred 5,913.2 ETH, which was the hacker returning the stolen funds.
Amount of loss: $ 21,800,000 Attack method: Private Key Leakage
Description of the event: Fake Notcoin on ETH is suspected of a rug pull, and the current token price has dropped by 100%.
Amount of loss: $ 281,300 Attack method: Rug Pull
Description of the event: Patton on ETH appears to have exit scammed, resulting in a 100% price drop and causing losses exceeding $260,000.
Amount of loss: $ 266,000 Attack method: Rug Pull
Description of the event: The official Twitter account of the public chain project NEAR Protocol appears to have been compromised. Currently, its profile picture on Twitter has been changed to a solid black image, and its bio has been updated to display the word "Dark" with garbled characters. Around 4 AM, several strange tweets with garbled characters were posted, including "re claim your sovereig nty," "darkness," "take back your," and "The sun rises in the east." As of now, NEAR has not provided any explanation on its other official social media channels.
Amount of loss: - Attack method: Account Compromise
Description of the event: Fake Lifeform (LFT) on Ethereum is suspected of an exit scam. The deployer called the removeLimits() backdoor to mint additional tokens and dump them on the DEX pair to drain 81 ETH (~$243K).
Amount of loss: $ 243,000 Attack method: Rug Pull
Description of the event: The Social Fi project Perpy Finance was attacked. A hacker was able to update the contract and illicitly withdrew 58,489,594 PRY tokens. These were then transferred and exchanged for 41.895 ETH. According to Perpy Finance's incident analysis report, "this breach was made possible by an error in initializing the proxy contract for the staking liquid module, which was a fork of the staking vested model previously audited and used by Camelot. We overconfidently chose not to audit this fork, incorrectly considering it risk-free, a decision that led to this exploit."
Amount of loss: $ 132,000 Attack method: Contract Vulnerability
Description of the event: NOVAMIND_ (NMD) on ETH is suspected of a rug pull. ~41 ETH (~$123k) was transferred to a multisig and the token price has dropped ~97%.
Amount of loss: $ 123,000 Attack method: Rug Pull
Description of the event: On April 30th, the cross-chain lending protocol Pike Finance tweeted that its Pike Beta protocol had been attacked, resulting in losses of 99,970.48 ARB, 64,126 OP, and 479.39 ETH. The exploit was caused by weak security measures in Pike's contract functions when handling CCTP transfers. On April 26th, Pike Finance's USDC pool was hacked, resulting in losses of approximately $300,000.
Amount of loss: $ 1,680,000 Attack method: Contract Vulnerability
Description of the event: The cross-chain lending protocol Pike Finance tweeted that the USDC pool on Pike Beta has been exploited by a hacker. The total amount of USDC exploited is 299,127. The root cause was a forged CCTP message used to drain USDC on the Ethereum, Arbitrum and Optimism chains.
Amount of loss: $ 299,127 Attack method: Contract Vulnerability
Description of the event: Fake IO on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 289,097 Attack method: Rug Pull
Description of the event: The decentralized liquidity aggregation protocol Magpie Protocol was attacked due to a contract vulnerability, resulting in $129,000 being stolen from 221 wallets. The root cause was unchecked call data. The attacker called the contract's swap() function and passed in data which included a list of users to transfer tokens from.
Amount of loss: $ 129,000 Attack method: Contract Vulnerability
Description of the event: Fake Masa on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 502,000 Attack method: Rug Pull
Description of the event: The price of Empower AI (EMPAI) on Ethereum has dropped by 100%. A whale 0xE4808...f3bA has dumped 1,000,000,000,000 EMPAI for about 66.44 WETH (valued at around $23,750).
Amount of loss: $ 237,500 Attack method: Rug Pull
Description of the event: Fake Monad on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 266,000 Attack method: Rug Pull
Description of the event: Fake Truflation on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 256,600 Attack method: Rug Pull
Description of the event: Fake Oasis AI on ETH is suspected of a rug pull, with the deployer removing substantial liquidity, causing a 100% price decline.
Amount of loss: $ 301,600 Attack method: Rug Pull
Description of the event: The founder of yield-trading protocol Pendle Finance tweeted that the team has confirmed being unable to access the official Pendle Twitter account and is currently investigating to resolve the issue. During this period, hackers used the Pendle official Twitter account to post phishing links. On the same day, the Pendle founder tweeted that the team had regained control of the official Pendle Twitter account.
Amount of loss: - Attack method: Account Compromise