Topic: DeFi hacks [history] - page 12. (Read 19389 times)

https://www.theverge.com/2022/4/18/23030754/beanstalk-cryptocurrency-hack-182-million-dao-voting
Beanstalk cryptocurrency project robbed after hacker votes to send themself $182 million

https://decrypt.co/98118/ethereum-defi-protocol-beanstalk-hacked-182-million-what-you-need-know
Ethereum DeFi Protocol Beanstalk Hacked for $182 Million—What You Need to Know
Beanstalk got jacked by a giant flash attack.

https://etherscan.io/tx/0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7

As a result of the exploit, Beanstalk Farms lost about $182 million from the Defi project, in total, the hacker managed to withdraw funds for about $80 million using the Tornado Cash mixer.

https://twitter.com/PeckShieldAlert/status/1515715931963801603
https://twitter.com/PeckShieldAlert/status/1515715931963801603

The Defi team of the Elephant Money project reports that it suffered from an exploit as a result of which hackers managed to withdraw 27,416 BNB and 30 billion Elephant tokens worth ~ $22 million from the project.

https://twitter.com/ElephantStatus/status/1514007291116199936
https://medium.com/elephant-money/reserve-exploit-52fd36ccc7e8

did not find this topic earlier, there is so many DeFi hacks

it is good to see that there are white hackers as well, that find breaches and share with projects, for bounties, projects find it hard to deploy on-chain, without audit, to be fast and grab the market, and that leads to code that is not polished, which leads to hacks
hopefully, numbers will go down in the future, but with more people in the industry, it does seem as inevitable to see more hacks

Starstream Finance $4M
Starstream Finance Hacked, Around $4M Stolen
Starstream Finance had their treasury drained in an exploit and has advised anyone holding funds in AgoraDefi to withdraw them. The Team has announced this incident on their official Discord.

WonderHero game disabled after hackers steal $320,000 in cryptocurrency
The operators of cryptocurrency play-to-earn game WonderHero have disabled the service after hackers stole about $320,000 worth of Binance Coin (BNB).
The attack caused the price of WonderHero’s own coin, WND, to plummet more than 90%.

https://therecord.media/wonderhero-game-disabled-after-hackers-steal-320000-in-cryptocurrency/

New scam SberCoin.Finance
https://coinmarketcap.com/currencies/sber/
Trading in the SBER token has been launched under the guise of the official stablecoin of Sberbank.

Account suspended
https://twitter.com/SberCoinBsc
https://forklog.com/neizvestnye-zapustili-fejkovyj-sberkoin-na-birzhe-pancakeswap/

Crypto 2022: Hackers have nabbed $1.22 billion already

Hackers so far are focusing on decentralized finance (DeFi) projects to steal crypto this year, a new report found, a reversal from 2021 when they used scams and online fraud for most of their exploits.
So far, investors have lost over $1.22 billion to hackers in the first three months of the year, nearly eight times more than the $154 million lost in the first quarter of 2021, according to crypto security firm Immunefi. Ninety-nine percent of those losses were from software exploits, the report found, specifically the hacks against Wormhole and Ronin.

source
https://finance.yahoo.com/news/crypto-hackers-stolen-173940395.html

https://blog.openzeppelin.com/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved/
 $15 Billion Rugpull Vulnerability in Convex Finance protocol Uncovered and Resolved
APRIL 4, 2022

"TLDR: In late 2021, as part of a security audit for a client, OpenZeppelin conducted a security review of the Convex Finance protocol. As part of the audit, the Security Research Team uncovered a vulnerability that, if exploited by two of three anonymous multi-signature wallet (multisig) signers, would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion. Convex documentation specifically stated such control was not possible. This vulnerability has since been patched by the Convex Team."

This is how scammers steal NFT tokens

Don't click on stealth mints, and especially don't approve "SET APPROVAL FOR ALL" transactions. They have a script that gets your most valuable NFTs and requests token approval access for them, then transfers it to the scammer's wallet.

https://twitter.com/serpentau/status/1509785117577064448?

Inverse Finance  $15.6 million
https://www.coindesk.com/tech/2022/04/02/defi-lender-inverse-finance-exploited-for-156-million/
DeFi Lender Inverse Finance Exploited for $15.6M
It is the third multimillion-dollar crypto attack to make headlines in recent days.

https://twitter.com/bertcmiller/status/1510284763332071427?s=21
"The attack is a little more nuanced than I / others thought. Brief thread."

Bored Ape Yacht Club (BAYC) Discord Hacked, NFT Stolen
https://coingape.com/bored-ape-bayc-discord-hacked-nft-stolen/
Separately, Taiwanese singer Jay Chou said his tokens were stolen in a phishing attack. The stolen goods included a BAYC, a Mutant Ape Yacht Club, two Doodles, and 169 ETH ($549,000), according to data from Etherscan

The huge compromise because of very low validators on a very centralized network like Ronin is undirectly convincing me that Ethereum is bigger and better than Binance Smart Chain.

People should know how big Ethereum network is in their total hashrate and how many validators on Ethereum network. Let's compare it to total validators on Binance Smart Chain. I am sure they will see how Ethereum is much safer and more healthy than Binance Smart Chain.

About Axie Infinity, I don't know why their team naively or carelessly to set up too low number of validators to approve transactions on Ronin chain.

Rare Bears Discord phishing attack nabs $800K in NFTs
https://cointelegraph.com/news/rare-bears-discord-phishing-attack-nabs-800k-in-nfts

https://twitter.com/BearsRare/status/1504293859467350019?
"Discord has unfortunately been compromised. Please DO NOT click any links, connect your wallet and block all incoming DMs in our discord. Our team are working on the situation as we speak 🙏🏼"

_____________
$622M Ronin sidechain hack

Axie Infinity Tokens AXS, SLP Reeling After $622M Ronin Hack
https://decrypt.co/96433/axie-infinity-tokens-axs-slp-reeling-622m-ronin-hack
A day after Sky Mavis disclosed that a hacker stole 173,600 ETH worth $622 million from the Ronin sidechain, the Axie Infinity Shards (AXS) and Smooth Love Potion (SLP) tokens are still reeling.

Community Alert: Ronin Validators Compromised
https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=r

The OneRing Finance DeFi protocol was subjected to a hacker attack, as a result of which the attacker managed to seize funds worth about $2 million. The hacker used a script to execute an instant loan, which had a self-destruct mechanism and, as the developers stated, this makes it very difficult to find the vulnerabilities used. To perform the exploit, the attacker placed a special smart contract on the Fantom platform.

Source: https://medium.com/oneringfinance/onering-finance-exploit-post-mortem-after-oshare-hack-602a529db99b

Li Finance protocol loses $600,000 in latest DeFi exploit
https://cointelegraph.com/news/li-finance-protocol-loses-600-000-in-latest-defi-exploit

The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets.
https://twitter.com/lifiprotocol/status/1505738407938387971?

The Rare Bears project team reported that on March 16, a hacker using a phishing attack on users of the Rare Bears Discord channel was able to seize 179 NFT Bears tokens, thus emptying the project on 286 ETH.

The Fantasy Finance project was subjected to an exploit, as a result of which $ 2.6 million was withdrawn, hackers used a protocol error that allowed XFTM to be minted using a small number of FSM Fantasm tokens, instead of using both of these tokens. The hackers started with 50 FTM, gradually using more and more amounts to exchange so they managed to take over a total of more than 2,800,000 XFTM.

The stolen funds were later exchanged for more than 1,007 ETH of about $2.6 million at current prices using the Tornado Cash privacy protocol.
The developers of Fantasm stated that not the entire pool was emptied and there are still 1,820,012 FTM in it, and also that they are developing a compensation plan for affected users.

Fantasm Finance Team report on the incident: https://medium.com/@fantasmfinance/fantasm-finance-post-mortem-exploit-09-march-2022-daf48ead016f

---

It is reported that the DeFi protocol Deus Finance DAO was subjected to an exploit due to which. the hacker was able to withdraw about $3 million, including 200,000 DAI and 1101.8 ETH.


The developers reported that they are aware of exploits that relate to a loan contract worth $10 million.
And as they themselves stated that the contract was closed, both $DEUS and $DEI are not affected and they are working on a brief description of the hack that will be published after a full assessment of what happened.

---

It seems that after a slight lull, a band of hacking of Defi projects began, it is reported that hackers managed to withdraw $11 million from the DeFi protocols Agave and Hundred Finance, for the attack, the attackers used an exploit on the Gnosis Chain network that allowed them to use re-entry and instant loans.

Sorce: https://www.theblockcrypto.com/post/137932/defi-protocols-agave-and-hundred-finance-exploited-on-gnosis-chain-for-11-million

[moderator's note: consecutive posts merged]

I use decentralized exchanges 1 inch and uniswap and they have proven to be safe. And I don’t often see news about decentralized exchange hacks. So far, most of the news tells us about hacks of decentralized projects, but 2022 has just begun, and the results will need to be analyzed in December of this year.

The hacker exploited the Treasure DAO vulnerability and managed to steal more than 100 NFT, worth 426,511 MAGIC about $1.44 million, the bug allowed buying NFT for zero MAGIC tokens used on the Treasure platform.