ASKACR Token
|
21/03/2023
|
85 BNB
|
|
Logic Error
|
|
|
The ASKACR token on the BNB chain was exploited, resulting in a loss of approximately 85 BNB, worth $28,400. The vulnerability is caused by the improper reward distribution mechanism in the transfer function, which operates without checking the transfer amount.
|
BNQ Token
|
20/03/2023
|
$72K
|
|
Rug Pull
|
|
|
The BNQ token on BNB Chain was identified as a rug pull, which resulted in a loss of approximately $72,000. The price of the $BNQ token dropped by more than 99% following the attack.
|
Harvest Keeper
|
19/03/2023
|
$933K
|
|
Rug Pull
|
|
|
The Harvest Keeper project on BNB Chain was identified as a rug pull, in which a malicious actor transferred user funds worth approximately $933,000. The attacker used the owner's authority, through a privileged function, to transfer out and deplete the USDT that users had pledged in the HarvestKeeper contract.
|
ParaSpace NFT
|
17/03/2023
|
2909 ETH
|
|
Smart Contract Vulnerability
|
|
|
BlockSec announced that they had stopped an attack on the ParaSpace NFT project and saved approximately 2900 ETH. The root cause of the vulnerability is a flaw in the contract logic used to compute user collateral. An attacker was able to manipulate the Ape coin number in one of the contract's functions, resulting in a very large collateral value that could be used to borrow more assets. However, due to the gas constraint, the attack failed three times and was effectively caught by the security audit company.
|
Block Chain Games
|
13/03/2023
|
128.45 BNB
|
|
Rug Pull
|
|
|
Block Chain Games, a project on the BNB chain, was identified as a rug pull. The owner of the protocol called a privileged function to mint a massive amount of BCGA tokens, before swapping them for approximately 128.45 BNB, worth $39,092.
|
Poolz Finance
|
15/03/2023
|
$550K
|
|
Smart Contract Vulnerability
|
|
|
Poolz Finance was exploited on Ethereum, Polygon, and BNB Chain, resulting in a total loss of approximately $550,000. The root cause of the exploit is a classic integer overflow vulnerability in its Vesting contract.
|
Euler Finance
|
13/03/2023
|
$200M
|
|
Logic Error
|
|
|
Euler Finance was exploited in a series of transactions, resulting in a total loss of approximately $200 million. The vulnerability occurred because Euler Finance permitted donations without an account health check. The exploit lies in the change made to the EToken implementation, specifically in the donateToReserves function. The Liquidation module will try to pay off the full debt of the violator. However, the protocol will default to whatever collateral the user has if their collateral doesn't meet the expected repayment yield. This was possible when a borrower had multiple collaterals and taking them all away would not make the violator solvent again.
|
PeopleDAO
|
11/03/2023
|
$120K
|
|
Social Engineering Attack
|
|
|
A social-engineering attack was carried out on the multi-signature wallet of the PeopleDAO community treasury on Safe in order to steal 76 ETH, worth approximately $120,000. PeopleDAO uses a Google Form to gather information about contributor rewards every month. The accounting lead accidentally shared a link with edit access in a public Discord channel, which the hacker took advantage of. After gaining access to the sheet, the hacker inserted 76 ETH worth of payment to themselves and set it to become invisible. Since this field was hidden, the team lead didn't find it when they checked, so they quickly sent the file to the CSV Airdrop tool in Safe to distribute the reward. Six of the nine multisignature signers didn't notice the malicious transfer because there were 80 other transactions going on at the same time. As a result, the transaction involving 76 ETH was signed and executed without their knowledge.
|
Hedera
|
09/03/2023
|
$600K
|
|
Smart Contract Vulnerability
|
|
|
Hedera stated that they had noticed network irregularities impacting their dApp and users. An exploiter attacked the smart contract service code of the Hedera network to transfer the Hedera Token Service tokens held by many user accounts into accounts under the attacker's control. The attacker targeted accounts used as liquidity pools on multiple DEXs that use Uniswap v2-derived contract code that was ported over to use the Hedera Token Service, including Pangolin Hedera, Heli Swap, and Saucer Swap. The tokens impacted during the attack were moved to the Hashport Network bridge, which was later frozen by the bridge operator. The team turned off mainnet proxies, removing user access to the mainnet, in order to prevent the attacker from stealing more tokens.
|
Tender Protocol
|
07/03/2023
|
$1.6M
|
|
Oracle Misconfiguration
|
|
|
Tender Protocol was a victim of a white-hat attack. The alleged hacker was able to drain approximately $1.6 million from their platform, forcing their services to halt completely while the team attempted to recover the stolen assets. The exploit occurred because their Oracle contract had an error that incorrectly multiplied the price of the tokens. This misconfiguration allowed the hacker to borrow $1.59 million in cryptocurrency assets with just a GMX token worth $70 as collateral. After the negotiation via on-chain messages, the two teams came to a stalemate, and a deal was carried out in which the Tender.fi team agreed to pay the hacker approximately 62 ETH, worth $96,500, as a bounty reward. The team later revealed that the hacker had completed the loan repayments and that the funds were safe.
|
MyAlgo
|
19/02/2023
|
$9.2M
|
|
Phishing Attack
|
|
|
MyAlgo, a wallet in the Algorand ecosystem, stated that a targeted attack was launched against a group of high-profile MyAlgo accounts. According to them, all of the affected users had a significant amount of funds in their accounts and were using mnemonic wallets with the key stored in the browser. On-chain details revealed that the hack took place between February 19 and 21, and the stolen assets amount to $9.2 million, which includes 19.5 million ALGO and 3.5 million USDC. ChangeNow mentioned that they were able to freeze assets worth $1.5 million.
|
ArbiSwap
|
02/03/2023
|
68.47 ETH
|
|
Rug Pull
|
|
|
The ArbiSwap deployer minted 1 trillion $ARBI tokens before a rug pull, which were then converted into USDC. As a result, the price of the $ARBI token in the USDC/ARBI transaction pair dropped by almost 99 percent. The team made a profit of 68.47 ETH, which was worth approximately $109,000, by trading ETH for spatial arbitrage. The stolen funds were then transferred to Tornado Cash.
|
BitBNS
|
01/02/2023
|
$7.5M
|
|
Unknown
|
|
|
BitBNS revealed that they had been hacked on February 1, 2022. The Indian crypto exchange had suppressed the news of a possible $7.5 million heist, citing it as system maintenance and suggesting an issue with Amazon Web Services. However, after an investigation by Twitter user zachxbt, they admitted that they were advised by law enforcement agencies to hide the specifics of the hack from customers.
|
Launch Zone
|
27/02/2023
|
$700K
|
|
Price Manipulation
|
|
|
The Dungeon Swap attacker also exploited the Launch Zone protocol to steal funds worth $700,000. The exploiter further attacked the $HAI protocol, causing a loss of approximately $18,940.
|
Dungeon Swap
|
27/02/2023
|
$728K
|
|
Price Manipulation
|
|
|
An attacker exploited Dungeon Swap to steal funds worth $728,000. The root cause of the exploit was excessive user permission, which led to the price manipulation of DND tokens.
|
Friendsies
|
21/02/2023
|
$5.3M
|
|
Rug Pull
|
|
|
Friendsies, an Ethereum NFT project, announced that all future plans for the project would be paused after raising more than $5.3 million in ETH in last year's mint. Some users who sought information on the news after the announcement discovered that they had been blocked on Twitter. After a short while, Friendsies removed its social media account, leading to a rug pull.
|
Hope Finance
|
21/02/2023
|
$1.86M
|
|
Rug Pull
|
|
|
Hope Finance, a Tomb-fork based in Arbitrum, published a tweet accusing a team member of rugging the project and stealing KYC information. The scammer changed the router address of the TradingHelper contract using a multisig wallet. The stolen funds totaling $1.86 million were bridged to Ethereum via Celer before being deposited into Tornado Cash.
|
NFT Cloud
|
24/02/2023
|
265 BNB
|
|
Logic Error
|
|
|
NFT Cloud was exploited because the staking contract didn't check the staking status of CloudNFT correctly, resulting in the loss of 265 BNB, worth approximately $81,000. The platform works in such a way that users can deposit CloudNFT and claim Cloud tokens as rewards, where one CloudNFT can only be deposited once. However, the staking contract didn't check the staking status of the first deposited token. Therefore, validations for NFT ownership and lockUntil checks are bypassed when only one token is deposited. The attacker deposited only one CloudNFT to bypass this validation and repeated this process multiple times to claim higher rewards.
|
Dynamic Finance
|
22/02/2023
|
$22.4K
|
|
Smart Contract Vulnerability
|
|
|
Dynamic Finance was exploited due to insufficient reentrancy protection, in which the protocol lost 73 BNB, worth approximately $22,400. The root cause of the attack is a reentrancy bug that tricked the deposit tracking system of the StakingDYNA contract.
|
Electrum
|
19/01/2020
|
2,000 BTC
|
|
Phishing Attack
|
|
|
Electrum suffered a phishing attack affecting versions older than 3.3.4, causing a loss of 2,000 BTC.
|