
Topic: DeFi hacks [history] - page 14. (Read 19119 times)

legendary
Activity: 1736
Merit: 4270
November 25, 2021, 04:51:29 AM
DeFi exploits total $680 million so far in 2021
https://www.theblockcrypto.com/post/123030/defi-exploits-total-680-million-so-far-in-2021
"Quick Take
There have been 70 DeFi attacks this year across four blockchain platforms.
Around $1.4 billion was initially stolen but $760 million has been returned."
legendary
Activity: 2520
Merit: 1490
November 19, 2021, 12:03:16 PM
Elliptic analytical company released a study according to which users have suffered losses in excess of $12 billion since 2020 due to fraud and theft on DeFi platforms, of which $10.5 billion falls in 2021.
$721 million of the $12 billion was subsequently reimbursed. The most frequent targets of cybercriminals were the Ethereum and BSC blockchains.
Elliptic names errors in the code and architectural flaws as the main reasons for attacks on decentralized projects.
https://www.elliptic.co/resources/defi-risk-regulation-and-the-rise-of-decrime

legendary
Activity: 1736
Merit: 4270
October 29, 2021, 02:07:38 PM
https://twitter.com/nomorebear/status/1453413216172740609
"Quick explanation of @CreamdotFinance >$100M exploit:

1. Flash mint ~500m DAI to mint curve y Pool to mint ~500m yUSD
2. Use account A to deposit yUSD to CREAM
3. Flash loan ~500k (worth $2B) ETH from AAVE
4. Use account B to deposit ETH to borrow all yUSD and send to A
5. Use account A to deposit yUSD to CREAM
6. Repeat 4, then 5, then 4 again. Now account A has ~1.5B cyYUSD and ~500m yUSD
7. Redeem yUSD
8. Inflate price of yUSD by factor of 2. Now, account B is deeply underwater (bad debt) but account A has double collateral value***
9. Use account A to borrow ETH to return the flash loan.
10. Use the rest collateral power in A to borrow and drain CREAM.
11. Use redeemed yUSD (plus some small amount of DAI from money from 10) to repay DAI flash mint"



Information disclosure and analysis of major hacks in the DeFi ecosystem
https://github.com/yearn/yearn-security/tree/master/disclosures

Very good analysis of the latest CREAM Finance hack.
Incident Disclosure 2021-10-27
https://github.com/yearn/yearn-security/blob/master/disclosures/2021-10-27.md



Crypto Wallets MetaMask, Phantom Targeted in $500K Phishing Attack: Report
Check Point Research has discovered a “massive” phishing campaign that has seen funds stolen from MetaMask and Phantom users.
https://decrypt.co/85253/crypto-wallets-metamask-phantom-targeted-500k-phishing-attack-report
"Check Point Research has discovered a crypto phishing scam that has stolen at least half a million dollars.
Metamask and Pancake websites have both been mimicked in the scam."



bZx -$55M
Ethereum DeFi Project bZx Hacked Again—For a Reported $55 Million
The project says Ethereum contracts and treasury funds are unaffected.
https://decrypt.co/85360/ethereum-defi-project-bzx-hacked-again-reported-55-million
"bZx is a DeFi lending protocol.
It's investigating an exploit of a private key linked to its Binance Smart Chain and Polygon deployments."



Moving Forward: Post Exploit Next Steps for C.R.E.A.M. Finance
https://creamdotfinance.medium.com/moving-forward-post-exploit-next-steps-for-c-r-e-a-m-finance-1ad05e2066d5
"The Path Forward
We will distribute 1,453,415 CREAM tokens to impacted users. We are utilizing remaining CREAM tokens within the treasury, and removing the project team’s remaining CREAM token allocation. There will be no further CREAM allocations to the team."

[moderator's note: consecutive posts merged]
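
The accounting behind steps 8 to 10 of the CREAM walkthrough quoted in the post above, as an added example that is not part of the original thread or of any project's code. The 0.75 collateral factor, the `BoundedOracle` guard and its 10% bound are assumptions made for illustration; the balances are the round figures from the quoted steps.

```python
from dataclasses import dataclass, field

COLLATERAL_FACTOR = 0.75  # assumption: the page gives no collateral factor
ETH_USD = 4_000           # from the quoted "~500k (worth $2B) ETH"

@dataclass
class Account:
    collateral: dict = field(default_factory=dict)  # asset -> units deposited
    debt: dict = field(default_factory=dict)        # asset -> units borrowed

def usd(units, prices):
    return sum(qty * prices[asset] for asset, qty in units.items())

def borrow_power(acct, prices):
    return usd(acct.collateral, prices) * COLLATERAL_FACTOR

def bad_debt(acct, prices):
    # Debt that even full liquidation of the collateral cannot cover.
    return max(0, usd(acct.debt, prices) - usd(acct.collateral, prices))

class BoundedOracle:
    """Hypothetical guard: ignore an update that moves the price more than
    max_move (as a fraction) away from the last accepted value."""
    def __init__(self, price, max_move=0.10):
        self.price, self.max_move, self.rejected = price, max_move, []

    def update(self, new_price):
        if abs(new_price - self.price) / self.price > self.max_move:
            self.rejected.append(new_price)  # keep old price, raise an alert
        else:
            self.price = new_price
        return self.price

def scenario(guarded):
    # Positions after step 7, in the round numbers of the quoted walkthrough.
    a = Account(collateral={"yUSD": 1_500_000_000})
    b = Account(collateral={"ETH": 500_000}, debt={"yUSD": 1_500_000_000})
    oracle = BoundedOracle(1.0, max_move=0.10 if guarded else float("inf"))
    yusd = oracle.update(2.0)  # step 8: reported yUSD price doubles
    prices = {"yUSD": yusd, "ETH": ETH_USD}
    return {"yusd_price": yusd,
            "a_borrow_power": borrow_power(a, prices),
            "b_bad_debt": bad_debt(b, prices),
            "rejected": oracle.rejected}

if __name__ == "__main__":
    for guarded in (False, True):
        print("guarded" if guarded else "unguarded", scenario(guarded))
```

With the price accepted as reported, account B's yUSD debt outgrows its ETH collateral by $1B while account A's borrowing power doubles; with the bound in place the jump is rejected and both positions keep their earlier valuation.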
member
Activity: 423
Merit: 11
October 27, 2021, 03:40:15 PM
~

There have been a lot of hacks on Defi coins in the last few months, but I see where the weakness lies in the swap platform. They try to hack in various ways, including resembling core tokens. Some even tried to create fake swap platforms. When we give permission to access the wallet, of course they already have control over our wallet. The most dangerous are the platforms with the import private key system.
legendary
Activity: 1736
Merit: 4270
October 21, 2021, 03:02:01 PM
PancakeHunny on BSC on October 20 was attacked using a flash loan by a hacker, about $1.9 million was stolen, this is already happening for the second time, the first case of using a flash loan was in the month of June. In a preliminary report, the team assured users that their funds are safe.  https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad


PancakeHunny- $1.9M

"What happened?
On 20 October 2021, at 0920 UTC. A smart contract was created to exploit the Hunny TUSD vault. The Contract was subsequently executed 26 times. This is the sequence of events.
Obtained a 53.25 BTC Flashloan from Cream Finance.
Used 53.25 BTC to get a 2,717,107 TUSD Loan from Venus.
Manipulated the price of BNB/TUSD Pool on PancakeSwap.
Used 50 different Wallet Addresses to Deposit 38,250 TUSD into HUNNY TUSD Vault.
Redeemed 2842.16TUSD and Minted 12,020.40 Hunny.
Sold Minted Hunny for 7.78 WBNB.
Steps Repeated for 50 wallets 26 times."
https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad
https://twitter.com/peckshield/status/1450801612901937152?



Cream Finance - $130M
https://decrypt.co/84590/cream-finance-suffers-third-hack-losing-over-130-million
Cream Finance Suffers Third Hack, Loses Over $130 Million
Cream Finance, a DeFi lending protocol, has been hacked for over $130 million—marking the third hack suffered by the protocol.

[moderator's note: consecutive posts merged]
legendary
Activity: 2520
Merit: 1490
October 18, 2021, 04:24:07 AM
Indexed Finance continuation of a story
https://decrypt.co/83681/defi-protocol-indexed-finance-hacked-for-16-million-team-finds-hacker
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.

https://twitter.com/ndxfi/status/1449373158583279622
"The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified."

https://twitter.com/ndxfi/status/1449594187213680643
"The ultimatum has not been met.
In the minutes before the deadline elapsed, @ZetaZeroes made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought."

https://twitter.com/ZetaZeroes


This address is reported to be involved in an Indexed Finance exploit.
https://etherscan.io/address/0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe

It's good that sometimes hackers are too arrogant to stay in the shadows, although the team says that he is quite young, that's why he made these statements, but the bad thing is that project teams do not pay due attention to security in order to avoid situations that harm both the image of the team and damage the community and people simply lose their funds as a result.



PancakeHunny on BSC on October 20 was attacked using a flash loan by a hacker, about $1.9 million was stolen, this is already happening for the second time, the first case of using a flash loan was in the month of June. In a preliminary report, the team assured users that their funds are safe.  https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad



[moderator's note: consecutive posts merged]
legendary
Activity: 1736
Merit: 4270
October 15, 2021, 10:57:42 AM
Indexed Finance -$16 M
https://ndxfi.medium.com/indexed-attack-post-mortem-b006094f0bdc

"Today Indexed suffered its first hack since its deployment in December, and it was a pretty devastating one. About $16m worth of assets were stolen from the indices DEFI5 and CC10 by 0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe."



Indexed Finance continuation of a story
https://decrypt.co/83681/defi-protocol-indexed-finance-hacked-for-16-million-team-finds-hacker
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.

https://twitter.com/ndxfi/status/1449373158583279622
"The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified."

https://twitter.com/ndxfi/status/1449594187213680643
"The ultimatum has not been met.
In the minutes before the deadline elapsed, @ZetaZeroes made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought."

https://twitter.com/ZetaZeroes


This address is reported to be involved in an Indexed Finance exploit.
https://etherscan.io/address/0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe

[moderator's note: consecutive posts merged]
jr. member
Activity: 840
Merit: 4
October 07, 2021, 07:21:20 AM
Something tells me this list is gonna be more populated before the year runs out. The truth is, the way DeFi is run, it is always easy draining funds from it and nobody can stop those malicious actors. The only way it can be curbed is by regulations, and regulations alone. And crypto as a whole is long overdue for that
legendary
Activity: 2520
Merit: 1490
October 01, 2021, 10:26:34 AM
Cream Finance reports that the project managed to recover 5152.6 ETH stolen on August 31, they managed to identify the hacker with the help of the community, the hacker received 10% of the stolen funds.










In addition to hacking in DeFi, there are also scams, for example, the developer of the NFT project Evolved Apes, hiding under the nickname Evil Ape, deleted the site and account, hiding from 797 ETH ($2.7 million) of users who were supposed to be used to pay for the work of artists. Sad  https://www.vice.com/en/article/y3dyem/investors-spent-millions-on-evolved-apes-nfts-then-they-got-scammed


[moderator's note: consecutive posts merged]
legendary
Activity: 1736
Merit: 4270
September 30, 2021, 08:10:46 AM
Compound bug leaves $80 million in COMP at risk of being misrewarded
https://www.theblockcrypto.com/linked/119086/compound-bug-comp-risk-misreward
"But a new bug contained in the upgraded Comptroller Contract has mistakenly allowed some users to claim as much as about 168,000 COMP tokens already, worth around $50 million.

Robert Leshner, founder of Compound Labs, said in follow-up tweets that the Comptroller contract address "contains a limited quantity of COMP" while the majority of the reward sits in a different Reservoir contract address.

Hence "the impact is bounded, at worst, 280,000 COMP tokens," Leshner said. That is worth about $80 million as of press time.

The Comptroller contract address now has 112,000 COMP tokens left."
member
Activity: 1155
Merit: 77
September 22, 2021, 09:04:04 AM
It seems that most altcoin project devs are only after making money through projects rather than the safety of investors and the project security cause just in a short span the number of DeFi that was hacked is huge.
If this continues DeFi may lose the trust of crypto market finance enthusiasts.

legendary
Activity: 1736
Merit: 4270
September 22, 2021, 05:40:06 AM
The Vee.Finance landing platform was attacked by an unknown hacker, as a result, the attacker withdrew 8804.7 ETH and 213.93 BTC worth approximately $35 million. https://veefi.medium.com/vee-finance-accident-announcement-5e75ff197da6



All services were suspended. We are investigating the cause, please follow our official accounts for the latest updates reported on the project's twitter.


Combining link information in 1 post
VEE FINANCE 8804.7 ETH and 213.93 BTC ( $35M)
21 Sep 2021

https://www.rekt.news/veefinance-rekt/
Exploiter ETH Address: 0xeeee458c3a5eaafcfd68681d405fb55ef80595ba

Exploiter AVAX Address: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA
"The exploiter’s Ethereum address was funded via TornadoCash in three lots of 10 ETH: ONE, TWO, THREE.

The funds were then bridged to Avalanche, where the attacker swapped 26.999006274904347875 WETH.e for 1,369.708 AVAX via Pangolin."
member
Activity: 191
Merit: 12
September 21, 2021, 02:46:25 PM
Didn’t makerdao get hacked at some point?
legendary
Activity: 2520
Merit: 1490
September 21, 2021, 02:39:00 PM
The Vee.Finance landing platform was attacked by an unknown hacker, as a result, the attacker withdrew 8804.7 ETH and 213.93 BTC worth approximately $35 million. https://veefi.medium.com/vee-finance-accident-announcement-5e75ff197da6



All services were suspended. We are investigating the cause, please follow our official accounts for the latest updates reported on the project's twitter.


hero member
Activity: 2002
Merit: 670
Seabet.io | Crypto-Casino
September 20, 2021, 09:13:44 AM
There is only one defect among them that hurt me, the defi was pancakebunny. I was getting my Yield revenues with bunny, after the hack, the price went down and it hurt me. Defi, I knew that there were too many hacks, there are projects in this list that I have not heard before, a good list has been prepared.
member
Activity: 112
Merit: 10
September 20, 2021, 09:08:24 AM
pNetwork - a cross-chain DeFi platform was attacked on Binance Smart Chain, losing 277 bitcoin (over USD 12 million).


Right after the attack, pNetwork offered a clean bounty of USD 1.5 million if the hacker returned the funds.



pNetwork Protocol -$12M
https://decrypt.co/81301/defi-bridging-protocol-pnetwork-suffers-12-million-hack
DeFi Bridging Protocol pNetwork Suffers $12 Million Hack
An unknown hacker has exploited a bug in pNetwork’s codebase to steal 277 Bitcoin from the protocol's bridge on Binance Smart Chain.
After this incident, there will be all kinds of security instruments that are carried out, there will even be a mission to report bugs, we will give gifts (reward). As far as made same OP from 2020-2021, it is not impossible before that year will also happen.
legendary
Activity: 1736
Merit: 4270
September 20, 2021, 08:37:50 AM
pNetwork - a cross-chain DeFi platform was attacked on Binance Smart Chain, losing 277 bitcoin (over USD 12 million).


Right after the attack, pNetwork offered a clean bounty of USD 1.5 million if the hacker returned the funds.



pNetwork Protocol -$12M
https://decrypt.co/81301/defi-bridging-protocol-pnetwork-suffers-12-million-hack
DeFi Bridging Protocol pNetwork Suffers $12 Million Hack
An unknown hacker has exploited a bug in pNetwork’s codebase to steal 277 Bitcoin from the protocol's bridge on Binance Smart Chain.
jr. member
Activity: 187
Merit: 1
www.cd3d.app
September 20, 2021, 05:35:24 AM
Uniswap when BZRX launched their IDO but when reading the article the author explained how the guy earned 500k usd but not by hacking but combining defi trading bot. It is very important to give real information people. People think that decentralized finance doesn't have any risks! But it's quite the opposite. It is a new industry, new code, no one has tested for long so be careful. Thank you very much for sharing the important information needed.
full member
Activity: 186
Merit: 253
September 20, 2021, 05:11:33 AM
pNetwork - a cross-chain DeFi platform was attacked on Binance Smart Chain, losing 277 bitcoin (over USD 12 million).


Right after the attack, pNetwork offered a clean bounty of USD 1.5 million if the hacker returned the funds.

legendary
Activity: 1736
Merit: 4270
September 17, 2021, 10:26:31 AM
The hacker withdrew 864.8 ETH (something more than $3 million from the NFT auction) on the MISO IDO platform of the SushiSwap protocol by introducing malicious code into the external interface of MISO and spoofing the auction address. SushiSwap's chief technical officer Joseph Delong reports this on Twitter. Hacker's transaction ID: https://etherscan.io/address/0x3ddd8b6d092df917473680d6c41f80f708c45395#internaltx



https://twitter.com/josephdelong/status/1438839165873967107
"100 ETH has been returned to the Sushi multisig. Hoping the attacker sends the rest
https://etherscan.io/tx/0x4bfd68aaaaad03d0dd2d5b9e862e3bc4c7ee90cb85507eb85262e932c8748521"

https://twitter.com/AppletonDave/status/1438854505332764672
https://etherscan.io/tx/0x904e5bcb5ef9cfb19f19afd04849f3b12d17dc347d3e525072fcd139cc08cbdb

https://twitter.com/josephdelong/status/1438861783599652868
"All funds returned"

https://twitter.com/skymoon_gt/status/1438847456377192450
"I think the biggest hackers are the ones taking positions of short in exchanges right at the moment of the incident or right before. Once all funds are returned, check these individuals/groups as well. Probably they make more money that way!"


https://decrypt.co/81120/sushiswaps-token-launchpad-hacked-over-3m-ethereum
SushiSwap’s Token Launchpad Hacked for Over $3M in Ethereum
