DeFi and Cryptocurrency Hacks

Yiedl was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of 260 BNB, worth approximately $160,000. The root cause of the exploit is due to insufficient parameter validation.

ZKasino, the betting platform, was identified as a rug pull, in which the team misappropriated approximately $33 million worth of users and investors' funds. More than 10,515 ETH were bridged by over 10,000 participants to ZKasino's network, hoping to score extra ZKAS alongside the possibility to withdraw their initially staked ETH on a 1:1 ratio when the protocol launched. However, the funds were automatically vested into ZKAS tokens in order to provide a seamless transition and superior user experience. The Telegram channel of the project has since been closed, and their social moderators have been banning their Discord community members after raising their concerns.

Hedgey Finance was exploited across a series of transactions, which resulted in a loss of $2.1 million on the Ethereum Mainnet and $42.6 million worth of assets on the Arbitrum network, totaling approximately $44.7 million. The root cause of the exploit is the lack of input validation on users' parameters, which allowed the attacker to manipulate and gain unauthorized token approvals.

The GFA token was exploited on the BNB chain, which resulted in a loss of assets worth approximately $15,000. The root cause of the exploit is a lack of access control. The vulnerable contracts had functions for calculating rewards, for which anyone could invoke a call to them. The hacker was able to manually calculate and generate the rewards and drain the tokens. The exploiter has already laundered the stolen assets into Tornado Cash.

Grand Base was exploited on the Base chain, which resulted in a loss of 808.57 ETH worth of assets, amounting to approximately $2.5 million. The root cause of the exploit is the compromise of the private keys of their deployer wallet.

Leaper Finance was identified as a scam in which funds worth approximately $1 million had already been taken away. The fraudulent group, infamous for previous exploits with Magnate Finance, Kokomo, Lendora, Solfire, and others, resurfaced with Leaper Finance on Blast. By leveraging the laundered funds from prior exploits, they artfully baited users with enticing liquidity, only to abscond with all the deposited funds. The scam also extended to Zebra Lending on the Base chain, which was live with approximately $311,000 worth of their TVL. Likewise, the same group of scammers were also reportedly behind the Glori Finance project on Arbitrum, which boasted $1.4 million worth of TVL. Following the community alert by ZachXBT, the X (formerly Twitter) accounts of both Leaper Finance and Gorli Finance were deactivated. All three websites for the associated projects have been taken down. 

Leaper Finance was identified as a scam in which funds worth approximately $1 million had already been taken away. The fraudulent group, infamous for previous exploits with Magnate Finance, Kokomo, Lendora, Solfire, and others, resurfaced with Leaper Finance on Blast. By leveraging the laundered funds from prior exploits, they artfully baited users with enticing liquidity, only to abscond with all the deposited funds. The scam also extended to Zebra Lending on the Base chain, which was live with approximately $311,000 worth of their TVL. Likewise, the same group of scammers were also reportedly behind the Glori Finance project on Arbitrum, which boasted $1.4 million worth of TVL. Following the community alert by ZachXBT, the X (formerly Twitter) accounts of both Leaper Finance and Gorli Finance were deactivated. All three websites for the associated projects have been taken down. 

Leaper Finance was identified as a scam in which funds worth approximately $1 million had already been taken away. The fraudulent group, infamous for previous exploits with Magnate Finance, Kokomo, Lendora, Solfire, and others, resurfaced with Leaper Finance on Blast. By leveraging the laundered funds from prior exploits, they artfully baited users with enticing liquidity, only to abscond with all the deposited funds. The scam also extended to Zebra Lending on the Base chain, which was live with approximately $311,000 worth of their TVL. Likewise, the same group of scammers were also reportedly behind the Glori Finance project on Arbitrum, which boasted $1.4 million worth of TVL. Following the community alert by ZachXBT, the X (formerly Twitter) accounts of both Leaper Finance and Gorli Finance were deactivated. All three websites for the associated projects have been taken down. 

The Zest Protocol was exploited, and the hacker took away funds worth approximately 324,000 STX from the protocol, amounting to roughly $972,000. The attack took place on the day the protocol was launched to the public, in which an attacker artificially inflated the value of their collateral to borrow an amount exceeding the value of their position. The team stated that their protocol will remain frozen until further notice. User positions will be unaffected until the protocol relaunches. 

Sumer Money was exploited on the Base chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $310,000. The root cause of the exploit is a lack of reentrancy protection, which led to the manipulation of the underlying assets.

xBlast, an omnichain-web3 ecosystem built inside Telegram, took to Twitter to announce that they had been hacked. The root cause of the exploit is unknown at the moment. The exploiter transferred XBL tokens from the main wallet of the project to their wallet and sold them for approximately 22 ETH. The team will deploy a new XBL token and restore liquidity, thereby providing fair compensation for all of the affected users.

The SQUID Game Coin was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $87,000. The root cause of the exploit is a faulty logic design within their swap contract, allowing for arbitrage opportunities.

Fixed Float was the target of an exploit on the Ethereum Mainnet and TRON networks, which resulted in a loss of assets worth approximately $2.8 million. The root cause of the exploit is a vulnerability in one of the third-party services used by them. The stolen funds were withdrawn from their hot wallets and then directed to a suspicious address, which subsequently received various digital assets, including ETH, USDT, WETH, DAI, and USDC. The suspicious address then swapped these assets into ETH via DEX before funneling these funds into the eXch and Binance exchanges. Following the exploit, Tether added multiple different addresses to their blacklist, which supported the rescue of $400,000 worth of USDT involved in this exploit.

Open Leverage was exploited across multiple transactions on the BNB chain and the Arbitrum network due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $260,000. The root cause of the exploit is an inconsistency in the accounting process. According to the team, the accumulated insurance and buyback funds would be able to cover all aspects of their loss. The exploit caused a loss of approximately $220,000 on BNB Chain and $40,000 on Arbitrum. Following the exploit, the team decided to discontinue the OpenLeverage trading and lending protocol. 

The project Avolend Finance in the Blast ecosystem is suspected to be a rug pull, in which funds worth approximately $253,000 have been taken away. The official website, the X (formerly Twitter) account, and the associated server of the project cannot be accessed at this moment. One of the victims nearly lost roughly $100,000 worth of his assets.

Solana-based memecoin CONDOM token from the project CondomSOL conducted a presale exit scam in which funds worth 4,965 SOL amounting to approximately $922,000 were misappropriated. The team subsequently deleted their X (formerly Twitter) account after stealing the investor's funds.

Munchables was exploited on the Blast network across a series of transactions, which resulted in a loss of 17,400 ETH, worth approximately $62.3 million. The attack was carried out by a rogue developer who had admin-level access to the smart contracts of the protocol. Using this privilege, the individual was able to upgrade the contract implementation and transfer funds to different addresses. 

The Solareum trading bot was reportedly exploited due to the likely compromise of the Telegram bot tokens, which resulted in a loss of assets worth approximately $1 million. According to the team, due to a combination of insufficient funds and evolving market trends, the team has taken steps to work on the closure of their project. The team has already deleted their website. The lack of investigation into the attack could conclude that the team has orchestrated an exit scam.

Lava Lending was the target of a flash loan attack on the Arbitrum chain, which resulted in a loss of assets worth approximately $340,000. The stolen assets include 60,349 USDT, 8.5 wstETH, 96,215 UDSC_e, and 77,477 USDC.

The email newsletter account of Decrypt was compromised, and a phishing scam email was sent to all of their subscribers citing the fake airdrop of the DECRYPT token. Users who fell victim to the scam collectively lost around $3,000 worth of assets.