Project | Date | Loss | Attack type

CoinStats | 22/06/2024 | $2M | Unknown
CoinStats, the crypto portfolio app, was the target of a security incident that affected 1,590 wallets, or roughly 1.3% of all CoinStats wallets. The mobile application, available on both the Play Store and App Store, sent out scam notifications falsely informing users of a reward and then redirected them to log into the CoinStats AirScout wallet. The link led users to a drainer website, which was promoted via a push notification from the app as well as the official in-app notification on the home screen of the application. The total loss caused by the incident is around $2 million. The root cause of the issue is unknown at the moment. However, it is speculated that the private keys were likely stored on the company's server, which the attacker gained access to by phishing a privileged individual from within the company. Alternatively, the randomness used to generate the wallets may not have been strong enough, which could have allowed an attacker to recreate the private keys of the old wallets.

OKX NFT aggregator | 19/06/2024 | $14K | Smart Contract Vulnerability
The NFT aggregator of OKX was hacked due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $14,000. The root cause of the exploit is an access control issue. The vulnerability existed for over a year; the hacker first exploited the vulnerable contracts roughly two months ago and only later drained funds from the victims, likely to cash out more profit at a later point in time.

UwU Lend | 12/06/2024 | $3.72M | Smart Contract Vulnerability
Just three days after the original exploit, UwU Lend was exploited by the same attacker, which resulted in a further $3.72 million loss for the protocol. This second exploit was not the result of the same vulnerability as the original exploit but rather a consequence of the initial attack vector. The original exploiter held a significant amount of USDE tokens from the first attack. Despite the protocol reportedly being paused, USDE was still considered legitimate collateral by the protocol. This allowed the exploiter to take advantage of the remaining funds in USDE and drain other UwU lending pools. The second attack drained funds from several asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen assets were converted to ETH and then sent to three different addresses, likely controlled by the attacker.

Holograph | 12/06/2024 | $14.4M | Smart Contract Vulnerability
The Holograph protocol was exploited due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $14.4 million. According to the team, a former contractor exploited an infinite mint vulnerability in their smart contract to release an additional 1 billion HLG tokens, which were subsequently dumped. This malicious actor, who had funded the operator contract roughly 26 days before the attack, deployed an unverified contract on Mantle, which was used to mint the additional tokens through a function that exploited the protocol's verification method.

JokInTheBox | 10/06/2024 | 9.12 ETH | Smart Contract Vulnerability
JokInTheBox, the MEV bot service provider, was exploited on the Ethereum Mainnet, which resulted in a loss of assets worth approximately $34,000. The attacker was able to steal 109 billion JOK tokens and then swap them for roughly 9.12 ETH. The root cause of the exploit is a badly implemented unstake function in the staking contract. This function didn't account for the state of the unstake variable, allowing the exploiter to unstake the assets multiple times before ultimately draining them.

Yolo Games | 10/06/2024 | 392 ETH | Smart Contract Vulnerability
Yolo Games was exploited due to a smart contract vulnerability, which resulted in a loss of 392 ETH, worth approximately $1.4 million. The liquidity pool of the protocol had gone live on Baazar on the Blast network just a day prior to the exploit. The root cause of the exploit is a lack of permission checks in the exit pool function of the smart contract, which allowed anyone to impersonate the liquidity providers. The exploiter has already returned 90% of the stolen assets.

UwU Lend | 09/06/2024 | $23M | Oracle Manipulation
UwU Lend was exploited across three different transactions on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of over 5272 ETH, totaling approximately $23 million. The root cause of the exploit is the manipulation of the price oracle. The vulnerable and exploited contract is actually a fork of AAVE v2, but the UwU protocol made some changes to the fallback oracle, allowing for price manipulation of the underlying assets.

Loopring | 08/06/2024 | 1373 ETH | Compromised 2FA Service
Loopring issued a community alert stating that their smart contract wallets with only one Guardian, specifically the Loopring Official Guardian, were exploited, resulting in a loss of 1373 ETH, worth approximately $5 million. The hacker reportedly initiated a recovery process, falsely posing as the wallet owner to reset ownership and withdraw assets. The attack succeeded by compromising their 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the recovery from the Official Guardian. The hacker set approval for most of the listed tokens, including LRC, IMX, UNI, USDC, and PEPE, and then sold them all for ETH. The attacker then transferred these assets from the compromised wallets to an address they likely controlled.

Gemholic | 07/06/2024 | 921 ETH | Rug Pull
Gemholic, the zkSync-based project, was suspected of orchestrating a rug pull, taking away roughly 921 ETH, worth approximately $3.5 million. The protocol had its funds locked up for more than a year because of a mistake in the sales contract. After a scheduled v24 upgrade of zkSync, the issue was fixed, allowing the team to access the locked funds. Following this upgrade, the project withdrew all of the assets from the contract and then transferred them to an address on the Ethereum Mainnet. The team subsequently deleted their X (formerly Twitter) account, and all of the messages on their Telegram channel have also been deleted.

Steam Swap | 05/06/2024 | $105.56K | Price Manipulation
Steam Swap was exploited across two different transactions on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $105,000. The root cause of the exploit is the price manipulation of the underlying assets.

Lykke | 03/06/2024 | $22.4M | Unknown
Lykke, the zero-fee crypto exchange, was exploited, which resulted in a loss of assets worth over $22.4 million. The root cause of the exploit is unknown at the moment, and the team has yet to acknowledge that an exploit occurred. The stolen assets include roughly 158 BTC from the Bitcoin network and over 2161 ETH from the Ethereum Mainnet, among other assets. The team has, however, announced that their platform will undergo an unscheduled full system maintenance.

Velocore | 31/05/2024 | $10M | Design Flaw
Velocore was exploited on zkSync and Linea due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $10 million. The root cause of the exploit is a logic bug leading to a faulty smart contract implementation. The exploiter converted a part of the stolen assets into ETH and then transferred approximately 1,807.38 ETH to the Ethereum Mainnet through a cross-chain bridge across two different transactions. The attacker has already laundered stolen assets worth 1806.1 ETH, or approximately $6.9 million, through Tornado Cash.

DMM Exchange | 30/05/2024 | 4502.9 BTC | Address Spoofing Attack
The DMM exchange was exploited, which resulted in a loss of 4502.9 BTC, amounting to 48.2 billion yen or approximately $304,529,100. There are two possible explanations for how the attack succeeded. The transactions were transferred directly without compromising the system; therefore, it is possible that the attack involved the compromise of private keys or an exploitation of DMM's signature services. The compromised address of the DMM wallet operators, which uses a multi-signature wallet, has a history of sending funds to a DMM management address. The attacker's address mimics this commonly used address in its starting and ending characters. This suggests the exchange wallet controller might have been tricked by an address-spoofing attack.

Scroll | 28/05/2024 | 73.36 ETH | Rug Pull
Scroll was exploited on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of 73.36 ETH, worth approximately $294,000. The attacker, who was funded by Tornado Cash, deployed two malicious contracts to interact with the affected protocol. All of the liquidity was drained from the associated Uniswap pool, causing the price of the underlying SCROLL token to drop by 100%. The attack is speculated to be a rug pull carried out by abusing the Universal Router.

Meta Dragon | 28/05/2024 | $180K | Smart Contract Vulnerability
Meta Dragon was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $180,000. As a result of the attack, all of the Meta NFTs held by the team were taken away.

Orion | 27/05/2024 | $645K | Smart Contract Vulnerability
The Orion protocol was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $645,000. The root cause of the exploit is likely double-counted collateral caused by flawed business logic within the staking mechanism, allowing for the manipulation of liability accounting.

NORMIE | 25/05/2024 | 224.98 ETH | Smart Contract Vulnerability
NORMIE, the memecoin on the Base network, was exploited due to a smart contract vulnerability, which resulted in a loss of 224.98 ETH, worth approximately $881,686. The root cause of the exploit is a vulnerability in the smart contract logic that allowed the attacker to manipulate the contract into recognizing their address as privileged. This manipulation enabled the unauthorized minting of tokens, bypassing critical security checks and leading to a substantial financial loss.

YON | 21/05/2024 | 190 BNB | Smart Contract Vulnerability
The YON token was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of 190 BNB, worth approximately $118,000. The root cause of the exploit is a lack of regulated access control. The incident targeted the transfer function of the contract, which allowed the attack contract to directly transfer the YON tokens to the LP contract.

TonUP | 21/05/2024 | 307,264 UP | Smart Contract Vulnerability
TonUP, the launchpad of the TON blockchain, was exploited, which resulted in a loss of 307,264 UP tokens. The root cause of the exploit is an error by the smart contract engineer in misconfiguring the script parameters, which allowed users to mistakenly claim the staked UP assets. The team temporarily disabled the staking reward claim functionality while addressing the incident.

Gala Games | 20/05/2024 | $219M | Private Key Compromise
Gala Games was exploited on the Ethereum Mainnet, which resulted in the minting of 5 billion GALA tokens, worth approximately $219 million. The root cause of the exploit remains uncertain, but it is speculated to be a private key compromise. Eric Schiermeyer, the CEO of Gala Games, took to X (formerly Twitter) to highlight that the Gala contract on the Ethereum Mainnet is guarded by a multisignature wallet, which was never compromised. This incident was the result of loosely coupled internal controls within the team. The actual loss of assets suffered by the protocol stands at $21.8 million. The excess of 4,401,236,462 GALA tokens minted during the exploit will be burned by the team.