308 hack event(s)
Description of the event: DeFi lending protocol Alchemix said on Twitter that after receiving notification from Curve Finance that the alETH/ETH pool was attacked due to a Vyper bug, Alchemix quickly began removing AMO-controlled liquidity from the Curve pool through the AMO contract. The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been compromised in any way and funds are safe. executed on the contract. Three transactions are required: unstake LP tokens from Convex, withdraw alETH from Curve pool, and withdraw ETH from Curve pool. The first transaction above has been executed, and after the second transaction is executed, 8000 ETH is removed from the Curve pool. This means that there is still about 5,000 ETH of liquidity controlled by AMO in the Curve pool. In the process of removing the remaining liquidity, the alETH/ETH Curve pool was drained by the attacker. Currently, the alETH reserve has lost about 5,000 ETH. On September 4th, Alchemix issued a document stating that a white-hat MEV bot operator has returned 43.3 ETH in profits obtained through arbitrage from the Curve alETH/ETH pool attack incident, which will be added to the redistribution of funds.
Amount of loss: $ 35,315,843 Attack method: Affected by Vyper Vulnerability
Description of the event: On August 6, the Ethereum compiler Vyper released an analysis report on last week's vulnerability incidents: Prior to July 30, due to potential vulnerabilities in the Vyper compiler, multiple Curve liquidity pools were exploited. While the bug was identified and patched, the impact on protocols using the vulnerable compiler was not recognized at the time, nor were they explicitly notified. The vulnerability itself is an improperly implemented reentrancy prevention, and the affected Vyper versions are v0.2.15, v0.2.16, v0.3.0. The vulnerability was fixed and tested in v0.3.1; v0.3.1 and later are safe.
Amount of loss: - Attack method: Compiler Bug
Description of the event: This second attack was unrelated to the ETH Omnipool's re-entrancy exploit. The attacker was able to realize a profit of approximately $300k by exploiting the crvUSD Omnipool. We will share more updates as we continue to investigate.
Amount of loss: $ 300,000 Attack method: Flash Loan Attack
Description of the event: On July 21, Conic Finance's ETH omnipool was hit by a series of small hacks that cost around $3.2 million. Conic Finance issued an update on the attack, saying, “The root cause of the attack is due to an incorrect assumption about the address returned by the ETH’s Curve meta-registry in the Curve V2 pool, which enables reentrancy attacks and is deploying fixes for the affected contracts.”
Amount of loss: $ 3,200,000 Attack method: Reentrancy Attack
Description of the event: Ethscriptions.com was hacked, and about 123 individual addresses lost a total of about 202 Ethscriptions. In terms of value, it is unclear how much loss the attack caused. Based on the current lowest price of $14, the loss is at least $2,828. Ethscriptions creator Tom Lehman stated that this is not a vulnerability in the Ethscriptions protocol but a vulnerability in a specific smart contract (0x3ca843b98a2fe8ef69bb0f169afad3812c275f5e). The protocol itself and other applications running on it are not affected in any way. Meanwhile, Lehman claimed responsibility for the attack, explaining that the vulnerability can be traced back to a smart contract he and Indelible Labs co-founder Michael Hirsch created. It is reported that a small piece of code included in it allows people to withdraw Ethscriptions that do not belong to them from the market. Lehman also said that the Ethscriptions.com marketplace will be relaunched and that he has been in touch with many users affected by the bug.
Amount of loss: $ 2,828 Attack method: Contract Vulnerability
Description of the event: Arcadia Finance has been attacked on Ethereum and Optimism, with total profits of $400K. The root cause is that in the function vaultManagementAction, the attacker can first transfer all the assets to a contract under their control and then re-enter the function liquidateVault to liquidate the vault. In this case, the global variable "isTrustedCreditorSet" will be set to false and the collateral check can be bypassed.
Amount of loss: $ 455,000 Attack method: Contract Vulnerability
Description of the event: CivFund's ETH contract was attacked and lost $180,000. The attacker calls uniswapV3MintCallback to transfer funds approved by other users. Please revoke approval for the contract under attack as soon as possible.
Amount of loss: $ 180,000 Attack method: Contract Vulnerability
Description of the event: Mike Wazowski Monsters Inc $MIKE and Sid Ice Age $SID on the Ethereum chain have been rugged via a backdoor function that allows unlimited minting of tokens. The scammer has profited 87.9 $ETH, equivalent to about $171,000.
Amount of loss: $ 171,000 Attack method: Contract Vulnerability
Description of the event: The Smurfs Coin project is an exit scam, and the contract deployer sold the tokens on June 13 and removed a total of 227 ETH (approximately $423,000) of liquidity. The contract address is ETH: 0x5F250ed62CF3E5cF25F4F370d35D04782b0678a3, not to be confused with a project with a similar name.
Amount of loss: $ 423,000 Attack method: Rug Pull
Description of the event: Themis, a crypto lending protocol, has been subject to an oracle manipulation attack, and the attackers have stolen approximately $370,000. The hack is due to a flawed oracle, exploited to inflate the B-wstETH-WETH-Stable-gauge price. Specifically, the deposit of 54.6 B-wstETH-WETH-Stable-gauge (obtained by joining the Balancer pool with 55 WETH) is able to borrow 317 WETH, basically draining the lending funds.
Amount of loss: $ 370,000 Attack method: Oracle Attack
Description of the event: The project named "IPO" (Twitter handle @IPO_web3) is suspected to have suffered a Rug Pull, losing around 102,000 BSC-USD, the project's tokens are down 32%, and the stolen funds are now located in addresses beginning with 0x35fe.
Amount of loss: $ 102,000 Attack method: Rug Pull
Description of the event: The DEP/USDT and LEV/USDC pools were drained of stablecoins worth 105,800 (36,000 USDC and 69,960,000 USDT), and the attackers initially received 1 ETH of initial funding from Tornado Cash.
Amount of loss: $ 105,800 Attack method: Unknown
Description of the event: The DeFi lending protocol Sturdy is suspected to have been hacked, and information on the chain suggests that the attack may have been carried out through price manipulation. The attackers have transferred 442.6 ETH to Tornado Cash.
Amount of loss: $ 770,000 Attack method: Price Manipulation
Description of the event: The LSDFi protocol unshETH stated that at around 22:00 on May 31, one of the deployment private keys of the unshETH contract was leaked. As a precaution, the team has urgently suspended withdrawals of unshETH's ETH. According to the security model, unshETH's ETH deposit (TVL up to 35 million US dollars) is protected by multi-signature + time lock and is not at risk.
Amount of loss: $ 375,000 Attack method: Private Key Leakage
Description of the event: On-chain detective ZachXBT tweeted that a Rug Pull occurred on Pixel Penguin, a charity project created by Hopeexist1, which claimed to raise funds to help him fight cancer. At present, the social accounts of Hopeexist1 and Pixel Penguin have been deleted, and the Pixel Penguin contract is worth only $117,000 (61.686 ETH).
Amount of loss: $ 117,000 Attack method: Rug Pull
Description of the event: Twitter user @ChrisONCT cited on-chain data to expose a suspected scam meme coin project, Waifu AI World (WFAI). The token economics announced by the project stated that 95% of the supply was allocated to LPs. However, shortly after WFAI went online, 4 new wallets spent a total of 14.4 ETH in four transactions to purchase 647 trillion WFAI, accounting for approximately 83.2% of supply (777 trillion). At present, the project team has blacklisted the wallets that purchased 457 trillion WFAI, and now the total supply of WFAI is 320 trillion, which means that 190 trillion tokens are held by insiders, accounting for 60% of the total token supply. In addition, DWF Labs spent about 20 ETH to purchase 624.9 billion WFAI yesterday afternoon; the DEXTools trust score changed from extremely low to extremely high within a few hours.
Amount of loss: - Attack method: Scam
Description of the event: A MEV bot (0xb2…2B96 is the MEV bot call contract, 0xb4…0343 is the single-use MEV bot) borrowed 95,000 WETH (worth nearly $180 million) via flash loan to attack Sashimi Swap. The bot swept away the last remaining money in Sashimi’s investment contract and slETH contract, but only about $3,500. It is reported that Sashimi Swap was attacked in December 2021 and lost $210,000, and the project was subsequently abandoned.
Amount of loss: $ 3,500 Attack method: Flash Loan Attack
Description of the event: The perpetual DEX El Dorado Exchange (EDE) is suspected to have been attacked with losses of about $580,000, and an address has been sending small amounts of money to Arbitrum's ELP-1 pool and withdrawing large amounts immediately afterwards. The attacker claimed that the protocol backdoor allowed the developer to force the liquidation of any positions and would return the funds if the developer admitted to price manipulation. 334,000 USDC were returned by the attacker on May 30. By May 31, the attackers had returned more than $400,000 in stolen funds. Dorado revealed that the attackers charged 10% of the stolen funds as a fee when returning them.
Amount of loss: $ 580,000 Attack method: Contract Vulnerability
Description of the event: The WEEB project was attacked by price manipulation. The hacker used the performUpkeep function in the WEEB token to burn the balance of a large number of WEEB tokens in the pair, thereby increasing the price of WEEB and making a profit of 16 ETH.
Amount of loss: 16 ETH Attack method: Price Manipulation
Description of the event: The Ethereum-based meme cryptocurrency FLOKI has suffered a flash loan attack with a loss of over $50,000. Stolen TX: https://etherscan.io/tx/0x118b7b7c11f9e9bd630ea84ef267b183b34021b667f4a3061f048207d266437a
Amount of loss: $ 50,000 Attack method: Flash Loan Attack