Topic: DeFi hacks [history] - page 12. (Read 19119 times)

Crypto 2022: Hackers have nabbed $1.22 billion already

Hackers so far are focusing on decentralized finance (DeFi) projects to steal crypto this year, a new report found, a reversal from 2021 when they used scams and online fraud for most of their exploits.
So far, investors have lost over $1.22 billion to hackers in the first three months of the year, nearly eight times more than the $154 million lost in the first quarter of 2021, according to crypto security firm Immunefi. Ninety-nine percent of those losses were from software exploits, the report found, specifically the hacks against Wormhole and Ronin.

source
https://finance.yahoo.com/news/crypto-hackers-stolen-173940395.html

https://blog.openzeppelin.com/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved/
 $15 Billion Rugpull Vulnerability in Convex Finance protocol Uncovered and Resolved
APRIL 4, 2022

"TLDR: In late 2021, as part of a security audit for a client, OpenZeppelin conducted a security review of the Convex Finance protocol. As part of the audit, the Security Research Team uncovered a vulnerability that, if exploited by two of three anonymous multi-signature wallet (multisig) signers, would have given the Convex multisig direct control over Convex’s locked value—then approximately $15 billion. Convex documentation specifically stated such control was not possible. This vulnerability has since been patched by the Convex Team."

This is how scammers steal NFT tokens

Don't click on stealth mints, and especially don't approve "SET APPROVAL FOR ALL" transactions. They have a script that gets your most valuable NFTs and requests token approval access for them, then transfers it to the scammer's wallet.

https://twitter.com/serpentau/status/1509785117577064448?

Inverse Finance  $15.6 million
https://www.coindesk.com/tech/2022/04/02/defi-lender-inverse-finance-exploited-for-156-million/
DeFi Lender Inverse Finance Exploited for $15.6M
It is the third multimillion-dollar crypto attack to make headlines in recent days.

https://twitter.com/bertcmiller/status/1510284763332071427?s=21
"The attack is a little more nuanced than I / others thought. Brief thread."

Bored Ape Yacht Club (BAYC) Discord Hacked, NFT Stolen
https://coingape.com/bored-ape-bayc-discord-hacked-nft-stolen/
Separately, Taiwanese singer Jay Chou said his tokens were stolen in a phishing attack. The stolen goods included a BAYC, a Mutant Ape Yacht Club, two Doodles, and 169 ETH ($549,000), according to data from Etherscan

The huge compromise because of very low validators on a very centralized network like Ronin is undirectly convincing me that Ethereum is bigger and better than Binance Smart Chain.

People should know how big Ethereum network is in their total hashrate and how many validators on Ethereum network. Let's compare it to total validators on Binance Smart Chain. I am sure they will see how Ethereum is much safer and more healthy than Binance Smart Chain.

About Axie Infinity, I don't know why their team naively or carelessly to set up too low number of validators to approve transactions on Ronin chain.

Rare Bears Discord phishing attack nabs $800K in NFTs
https://cointelegraph.com/news/rare-bears-discord-phishing-attack-nabs-800k-in-nfts

https://twitter.com/BearsRare/status/1504293859467350019?
"Discord has unfortunately been compromised. Please DO NOT click any links, connect your wallet and block all incoming DMs in our discord. Our team are working on the situation as we speak 🙏🏼"

_____________
$622M Ronin sidechain hack

Axie Infinity Tokens AXS, SLP Reeling After $622M Ronin Hack
https://decrypt.co/96433/axie-infinity-tokens-axs-slp-reeling-622m-ronin-hack
A day after Sky Mavis disclosed that a hacker stole 173,600 ETH worth $622 million from the Ronin sidechain, the Axie Infinity Shards (AXS) and Smooth Love Potion (SLP) tokens are still reeling.

Community Alert: Ronin Validators Compromised
https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=r

The OneRing Finance DeFi protocol was subjected to a hacker attack, as a result of which the attacker managed to seize funds worth about $2 million. The hacker used a script to execute an instant loan, which had a self-destruct mechanism and, as the developers stated, this makes it very difficult to find the vulnerabilities used. To perform the exploit, the attacker placed a special smart contract on the Fantom platform.

Source: https://medium.com/oneringfinance/onering-finance-exploit-post-mortem-after-oshare-hack-602a529db99b

Li Finance protocol loses $600,000 in latest DeFi exploit
https://cointelegraph.com/news/li-finance-protocol-loses-600-000-in-latest-defi-exploit

The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets.
https://twitter.com/lifiprotocol/status/1505738407938387971?

The Rare Bears project team reported that on March 16, a hacker using a phishing attack on users of the Rare Bears Discord channel was able to seize 179 NFT Bears tokens, thus emptying the project on 286 ETH.

The Fantasy Finance project was subjected to an exploit, as a result of which $ 2.6 million was withdrawn, hackers used a protocol error that allowed XFTM to be minted using a small number of FSM Fantasm tokens, instead of using both of these tokens. The hackers started with 50 FTM, gradually using more and more amounts to exchange so they managed to take over a total of more than 2,800,000 XFTM.

The stolen funds were later exchanged for more than 1,007 ETH of about $2.6 million at current prices using the Tornado Cash privacy protocol.
The developers of Fantasm stated that not the entire pool was emptied and there are still 1,820,012 FTM in it, and also that they are developing a compensation plan for affected users.

Fantasm Finance Team report on the incident: https://medium.com/@fantasmfinance/fantasm-finance-post-mortem-exploit-09-march-2022-daf48ead016f

---

It is reported that the DeFi protocol Deus Finance DAO was subjected to an exploit due to which. the hacker was able to withdraw about $3 million, including 200,000 DAI and 1101.8 ETH.


The developers reported that they are aware of exploits that relate to a loan contract worth $10 million.
And as they themselves stated that the contract was closed, both $DEUS and $DEI are not affected and they are working on a brief description of the hack that will be published after a full assessment of what happened.

---

It seems that after a slight lull, a band of hacking of Defi projects began, it is reported that hackers managed to withdraw $11 million from the DeFi protocols Agave and Hundred Finance, for the attack, the attackers used an exploit on the Gnosis Chain network that allowed them to use re-entry and instant loans.

Sorce: https://www.theblockcrypto.com/post/137932/defi-protocols-agave-and-hundred-finance-exploited-on-gnosis-chain-for-11-million

[moderator's note: consecutive posts merged]

I use decentralized exchanges 1 inch and uniswap and they have proven to be safe. And I don’t often see news about decentralized exchange hacks. So far, most of the news tells us about hacks of decentralized projects, but 2022 has just begun, and the results will need to be analyzed in December of this year.

The hacker exploited the Treasure DAO vulnerability and managed to steal more than 100 NFT, worth 426,511 MAGIC about $1.44 million, the bug allowed buying NFT for zero MAGIC tokens used on the Treasure platform.

The list of hacks is quite impressive, although everyone says that decentralized exchanges are safe, and statistics say the opposite, there are hackers who withdraw huge amounts, so there is no 100% confidence anywhere in the crypto world.

Crypto-Related Crime Hit Record $14B in 2021—But Shrank by Volume: Chainalysis
Crypto scammers bagged a whopping $14 billion last year. Still, crime is becoming a much smaller part of the industry.
Andrew Asmakov(C)
https://decrypt.co/89854/crypto-related-crime-hit-record-high-14b-2021-chainalysis
"As Chainalysis reported last month, revenues from crypto scams in 2021 were up 81% on the previous year (corrected to 82% in today’s report) to $7.8 billion.

Of this total, so-called rug pulls—a malicious practice where developers build a seemingly legitimate crypto project only to get away with investors' money—accounted for 37% of all crypto scam revenue, or more than $2.8 billion.

“Many investors could likely have avoided losing funds to rug pulls if they’d stuck to DeFi projects that have undergone a code audit—or if [decentralized exchanges] required code audits before listing tokens,” Chainalysis said.

Cryptocurrency theft grew even more, according to the report, with about $3.2 billion worth of crypto stolen in 2021—a staggering 516% increase compared to 2020."


Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity
https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/


Crypto Scam Revenue Up 81% in 2021, Hits $7.7 Billion: Chainalysis
DeFi rug pulls accounted for 37% of all crypto scam revenue in 2021, up from 1% in 2020, according to the blockchain data platform.
https://decrypt.co/88453/crypto-scam-revenue-hit-7-7-billion-2021-chainalysis

Over 4,000 ‘Criminal Whales’ Hold $25 Billion Worth of Crypto: Report
Criminal crypto balances surged from $3 billion to $11 billion, mostly due to the crypto market's rise in 2021 but also an increase in hacks.
https://decrypt.co/92995/over-4000-criminal-whales-hold-25-billion-worth-crypto-report
"New Chainalysis data has found that 4,068 “criminal whales” hold $25 billion worth of cryptocurrency. The firm defines criminal crypto whales as any private wallet that holds $1 million or more of cryptocurrency and has received 10% or more of those funds through illicit addresses. (In other words, not all of that $25 billion is illicit.)"

The DeFi team of the Dego protocol reports the hacking of its address providing liquidity on UniSwap and PancakeSwap and the liquidity for Dego pairs has been withdrawn, the team reports that the incident is being investigated and the amount of losses is being determined.

Here is another message about the attack, it seems that the DeFi QiDao Protocol project lost tokens for a total of $13 million, thanks to the exploit, hackers managed to withdraw tokens QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV and MATIC. Although the project team itself recognizes the fact of the exploit, but claims that users' funds are safe, but analysts see a different picture.

The DeFi Meter project lost about $4.3 million as a result of a hacker attack, 1391 ETH and 2.74 BTC were withdrawn from the project, as the developers said, the hacker used the vulnerability of the automatic unpacking of gas tokens in the protocol, such as ETH and BNB.