Topic: DeFi hacks [history] - page 13. (Read 19470 times)

The Fantasy Finance project was subjected to an exploit, as a result of which $ 2.6 million was withdrawn, hackers used a protocol error that allowed XFTM to be minted using a small number of FSM Fantasm tokens, instead of using both of these tokens. The hackers started with 50 FTM, gradually using more and more amounts to exchange so they managed to take over a total of more than 2,800,000 XFTM.

The stolen funds were later exchanged for more than 1,007 ETH of about $2.6 million at current prices using the Tornado Cash privacy protocol.
The developers of Fantasm stated that not the entire pool was emptied and there are still 1,820,012 FTM in it, and also that they are developing a compensation plan for affected users.

Fantasm Finance Team report on the incident: https://medium.com/@fantasmfinance/fantasm-finance-post-mortem-exploit-09-march-2022-daf48ead016f

---

It is reported that the DeFi protocol Deus Finance DAO was subjected to an exploit due to which. the hacker was able to withdraw about $3 million, including 200,000 DAI and 1101.8 ETH.


The developers reported that they are aware of exploits that relate to a loan contract worth $10 million.
And as they themselves stated that the contract was closed, both $DEUS and $DEI are not affected and they are working on a brief description of the hack that will be published after a full assessment of what happened.

---

It seems that after a slight lull, a band of hacking of Defi projects began, it is reported that hackers managed to withdraw $11 million from the DeFi protocols Agave and Hundred Finance, for the attack, the attackers used an exploit on the Gnosis Chain network that allowed them to use re-entry and instant loans.

Sorce: https://www.theblockcrypto.com/post/137932/defi-protocols-agave-and-hundred-finance-exploited-on-gnosis-chain-for-11-million

[moderator's note: consecutive posts merged]

I use decentralized exchanges 1 inch and uniswap and they have proven to be safe. And I don’t often see news about decentralized exchange hacks. So far, most of the news tells us about hacks of decentralized projects, but 2022 has just begun, and the results will need to be analyzed in December of this year.

The hacker exploited the Treasure DAO vulnerability and managed to steal more than 100 NFT, worth 426,511 MAGIC about $1.44 million, the bug allowed buying NFT for zero MAGIC tokens used on the Treasure platform.

The list of hacks is quite impressive, although everyone says that decentralized exchanges are safe, and statistics say the opposite, there are hackers who withdraw huge amounts, so there is no 100% confidence anywhere in the crypto world.

Crypto-Related Crime Hit Record $14B in 2021—But Shrank by Volume: Chainalysis
Crypto scammers bagged a whopping $14 billion last year. Still, crime is becoming a much smaller part of the industry.
Andrew Asmakov(C)
https://decrypt.co/89854/crypto-related-crime-hit-record-high-14b-2021-chainalysis
"As Chainalysis reported last month, revenues from crypto scams in 2021 were up 81% on the previous year (corrected to 82% in today’s report) to $7.8 billion.

Of this total, so-called rug pulls—a malicious practice where developers build a seemingly legitimate crypto project only to get away with investors' money—accounted for 37% of all crypto scam revenue, or more than $2.8 billion.

“Many investors could likely have avoided losing funds to rug pulls if they’d stuck to DeFi projects that have undergone a code audit—or if [decentralized exchanges] required code audits before listing tokens,” Chainalysis said.

Cryptocurrency theft grew even more, according to the report, with about $3.2 billion worth of crypto stolen in 2021—a staggering 516% increase compared to 2020."


Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity
https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/


Crypto Scam Revenue Up 81% in 2021, Hits $7.7 Billion: Chainalysis
DeFi rug pulls accounted for 37% of all crypto scam revenue in 2021, up from 1% in 2020, according to the blockchain data platform.
https://decrypt.co/88453/crypto-scam-revenue-hit-7-7-billion-2021-chainalysis

Over 4,000 ‘Criminal Whales’ Hold $25 Billion Worth of Crypto: Report
Criminal crypto balances surged from $3 billion to $11 billion, mostly due to the crypto market's rise in 2021 but also an increase in hacks.
https://decrypt.co/92995/over-4000-criminal-whales-hold-25-billion-worth-crypto-report
"New Chainalysis data has found that 4,068 “criminal whales” hold $25 billion worth of cryptocurrency. The firm defines criminal crypto whales as any private wallet that holds $1 million or more of cryptocurrency and has received 10% or more of those funds through illicit addresses. (In other words, not all of that $25 billion is illicit.)"

The DeFi team of the Dego protocol reports the hacking of its address providing liquidity on UniSwap and PancakeSwap and the liquidity for Dego pairs has been withdrawn, the team reports that the incident is being investigated and the amount of losses is being determined.

Here is another message about the attack, it seems that the DeFi QiDao Protocol project lost tokens for a total of $13 million, thanks to the exploit, hackers managed to withdraw tokens QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV and MATIC. Although the project team itself recognizes the fact of the exploit, but claims that users' funds are safe, but analysts see a different picture.

The DeFi Meter project lost about $4.3 million as a result of a hacker attack, 1391 ETH and 2.74 BTC were withdrawn from the project, as the developers said, the hacker used the vulnerability of the automatic unpacking of gas tokens in the protocol, such as ETH and BNB.

DeFi the KLAYswap project announced a hacking incident, as a result of which the project lost about 2.2 billion KRW, or about $1.83 million, the hacker managed to create a third-party js link on the KLAYswap external interface, as a result of which the user was sent to a fake KLAYswap page.

Details are here: https://medium.com/klayswap/klayswap-incident-report-feb-03-2022-f20ba2d8e4dd

It looks like cross-blockchain bridge Wormhole was hacked as a result of the exploit and, according to preliminary estimates, lost more than $326 million. dev's Wormhole itself confirmed a total loss of 120,000 ETH and announced that funds would be added to the bridge to stop the wrapped ETH on Solana. This is one of the biggest hacks in the history of DeFi.
https://www.coindesk.com/tech/2022/02/02/blockchain-bridge-wormhole-suffers-possible-exploit-worth-over-250m/



UPD: The venture capital company Jump Crypto, which owns Certus One, which is the developer of the Wormhole cross-chain bridge, announced that it has invested 120,000 ETH in the Solana-Ethereum bridge.  All funds have been restored, Wormhole has been restored. The ETH contract is filled and all wETH are secured 1:1.

Qubit Finance,  X-Bridge $80M
Binance Smart Chain, Ethereum Crypto Bridge Hacked for $80 Million
https://decrypt.co/91447/binance-smart-chain-ethereum-crypto-bridge-hacked-80-million
"An exploit in decentralized finance (DeFi) protocol Qubit Finance enabled one hacker to walk away with $80 million in stolen crypto yesterday.
The specific smart contract flaw that enabled the attack was located in X-Bridge, a cross-chain bridge that facilitates easy token swaps between Ethereum and Binance Smart Chain. "

Animoca Brands’ Lympo NFT platform hacked for $18.7 million
https://cointelegraph.com/news/animoca-brands-lympo-nft-platform-hacked-for-18-7-million
"The sports NFT minting platform suffered a hot wallet security breach across several project wallets, losing $18 million worth of LMT.
Sports nonfungible token (NFT) minting platform and Animoca Brands subsidiary Lympo suffered a hot wallet security breach and lost 165.2 million LMT tokens worth $18.7 million at the time of the hack."

Because of developer incompetence, many DeFi projects get hacked.

Every day, a new hack now, on January 10, hackers managed to withdraw 165.2 million LMT tokens worth approximately $18.2 million from the hot wallets of the sports NFT platform Lympo (daughter of Animoca Brand), according to the developers , the following wallets were compromised:

https://etherscan.io/address/0x5D32b87A43a2bd1f7df209d2F475b165d2c09E24
https://etherscan.io/address/0x526232F70b97938E19394e57BC5eE1d5d929074e
https://etherscan.io/address/0xB0a60eBA24f6CF18CFDED0672c5C7a7529DcC342
https://etherscan.io/address/0x934dd62782BFe4a8E3f096E014266e5F5adc1b2a
https://etherscan.io/address/0x877eECC3Ae4Bb28f048c16CD65A44cDE025345a1
https://etherscan.io/address/0x36d97147cF8E1B75254748Cf0A102316fCc61697
https://etherscan.io/address/0xA432C0081307733e801Ea7877e725F4E0adfbBfF
https://etherscan.io/address/0x4b936321b0E3E2d919412502B6aDA09E9b7d484b
https://etherscan.io/address/0x75912Da145cA00092AF317F8c3A84073A5665256
https://etherscan.io/address/0x4C801611cdaB559861d4dB24155927F903DEa02A

source: https://twitter.com/Lympo_io/status/1480582931794083842
            https://medium.com/lympo-official/lympo-statement-to-the-community-914d6b453b1f

Some results of 2021

The Biggest DeFi Hacks of 2021 until May 2021
https://www.cybavo.com/blog/defi-hacks-2021/

DeFi Has Accounted for Over 75% of Crypto Hacks in 2021
https://finance.yahoo.com/news/defi-accounted-over-75-crypto-140000154.html

Biggest Defi Hack in 2021
Poly Network Suffers Record-Breaking $600.3 Million Hack
https://decrypt.co/78163/polynetwork-suffers-record-breaking-600-3m-hack

---

#RugPull PeckShield has detected that Metaswap Gas (MGAS) soft-rugged, the stolen funds (1,100 BNB) are transfered to TornadoCash
https://twitter.com/peckshield/status/1475331156459790336?

#RugPull PeckShield has detected that  METADAO rugged, the stolen funds (800 Ether) are transferred to @TornadoCash
(#Ethereum). DO NOT STAKE in this contract and if you've approved it, REVOKE
https://twitter.com/PeckShieldAlert/status/1475434691939520523?

Tinyman -  the amount of hacking is unknown
Official Announcement About the Incidents of 01.01.2022
https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19
"When the attack began, total liquidity in Tinyman was around 43 million USD, only to be reduced to around 20 million even hours after the attack. Following our advice, projects and users have begun removing their liquidities, which brought the total number down to 5 million USD. It is crucial to realize that the difference between the 43 million USD and the current number is not a lost amount, a huge portion of this amount was reclaimed by the users and is totally safe in their wallets."





[moderator's note: consecutive posts merged]

Polygon developers revealed a case of theft committed by a hacker on December 4 of 801,601 MATIC tokens worth more than $2 million, which was made possible thanks to an exploit in the smart contract Polygon, which was reported on December 3 by @leonspacewalker, which later received with another user, whose name is not called, a reward of $3.46 million for reporting a bug.
source: https://blog.polygon.technology/all-you-need-to-know-about-the-recent-network-upgrade/?utm_source=Twitter-Main&utm_medium=Tweet&utm_campaign=Tier-1-Announcement

$8.8M is not big but not small.

I wonder that will the Visor Finance team will do compensation for their users. If they seriously compensate for their users, they will have to sacrifice their income in many months and in the same time, they will have to pay cost for staffs, developments, operations, maintenance and other things to keep their DeFi platform up and run.

It is not a good thing and it's bad to see it happened around Christmas which should be a peaceful period for all.

Visor Finance -$8.8M
Visor Finance Suffers DeFi Hack: Lost 8.8 million VISR tokens
https://blog.coincodecap.com/visor-finance-suffers-defi-hack
VISOR Finance Suffers DeFi Hack $8.2M Lost | Bitcoin News
https://medium.com/coinmonks/visor-finance-suffers-defi-hack-8-2m-lost-bitcoin-news-4a80e99199f0