
Topic: DeFi hacks [history] - page 14. (Read 19555 times)

legendary
Activity: 2016
Merit: 4765
December 30, 2021, 11:23:48 AM
Some results of 2021

The Biggest DeFi Hacks of 2021 until May 2021
https://www.cybavo.com/blog/defi-hacks-2021/

DeFi Has Accounted for Over 75% of Crypto Hacks in 2021
https://finance.yahoo.com/news/defi-accounted-over-75-crypto-140000154.html

Biggest Defi Hack in 2021
Poly Network Suffers Record-Breaking $600.3 Million Hack
https://decrypt.co/78163/polynetwork-suffers-record-breaking-600-3m-hack




#RugPull PeckShield has detected that Metaswap Gas (MGAS) soft-rugged, the stolen funds (1,100 BNB) are transferred to TornadoCash
https://twitter.com/peckshield/status/1475331156459790336?

#RugPull PeckShield has detected that METADAO rugged, the stolen funds (800 Ether) are transferred to @TornadoCash
(#Ethereum). DO NOT STAKE in this contract and if you've approved it, REVOKE
https://twitter.com/PeckShieldAlert/status/1475434691939520523?

Tinyman -  the amount of hacking is unknown
Official Announcement About the Incidents of 01.01.2022
https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19
"When the attack began, total liquidity in Tinyman was around 43 million USD, only to be reduced to around 20 million even hours after the attack. Following our advice, projects and users have begun removing their liquidities, which brought the total number down to 5 million USD. It is crucial to realize that the difference between the 43 million USD and the current number is not a lost amount, a huge portion of this amount was reclaimed by the users and is totally safe in their wallets."





[moderator's note: consecutive posts merged]
legendary
Activity: 2618
Merit: 1505
December 30, 2021, 05:57:17 AM
Polygon developers revealed that on December 4 a hacker stole 801,601 MATIC tokens worth more than $2 million. The theft was made possible by an exploit in the Polygon smart contract, which was reported on December 3 by @leonspacewalker, who later received, together with another user whose name was not given, a reward of $3.46 million for reporting the bug.
source: https://blog.polygon.technology/all-you-need-to-know-about-the-recent-network-upgrade/?utm_source=Twitter-Main&utm_medium=Tweet&utm_campaign=Tier-1-Announcement
legendary
Activity: 2044
Merit: 1018
December 24, 2021, 10:31:19 AM
$8.8M is not big but not small.

I wonder whether the Visor Finance team will compensate their users. If they seriously compensate their users, they will have to sacrifice their income for many months and, at the same time, they will have to pay the costs of staff, development, operations, maintenance and other things to keep their DeFi platform up and running.

It is not a good thing, and it's bad to see it happen around Christmas, which should be a peaceful period for all.
legendary
Activity: 2016
Merit: 4765
December 24, 2021, 08:01:02 AM
There are also reports that the Visor protocol (Visorfinance) was attacked using a re-entry exploit and lost over 8.8 million VISR tokens, which as of this event was estimated at about $8.8 million, after that the price fell from $1 to $0.02, after which the project team announced the migration of user funds to a new contract to restore them
https://twitter.com/peckshield/status/1473315405498576901
https://visorfinance.medium.com/?p=7920e1dee55a


Visor Finance -$8.8M
Visor Finance Suffers DeFi Hack: Lost 8.8 million VISR tokens
https://blog.coincodecap.com/visor-finance-suffers-defi-hack
VISOR Finance Suffers DeFi Hack $8.2M Lost | Bitcoin News
https://medium.com/coinmonks/visor-finance-suffers-defi-hack-8-2m-lost-bitcoin-news-4a80e99199f0
legendary
Activity: 2618
Merit: 1505
December 23, 2021, 11:38:57 AM
There are also reports that the Visor protocol (Visorfinance) was attacked using a re-entry exploit and lost over 8.8 million VISR tokens, which as of this event was estimated at about $8.8 million, after that the price fell from $1 to $0.02, after which the project team announced the migration of user funds to a new contract to restore them
https://twitter.com/peckshield/status/1473315405498576901
https://visorfinance.medium.com/?p=7920e1dee55a

legendary
Activity: 2016
Merit: 4765
December 22, 2021, 06:50:59 AM
The next victim of hackers in the DeFi segment was the Grim Finance platform, losses are estimated at more than $30 million, developers have suspended deposits and recommend users to withdraw their funds urgently.

https://twitter.com/financegrim/status/1472357770846519312


With a name like the platform, investors needed to be more circumspect

Grim Finance Hacked for $30 Million in Fantom Tokens
Grim Finance is the latest DeFi protocol to be hit by an exploit.
https://decrypt.co/88727/grim-finance-hacked-30-million-fantom-tokens
https://cryptobriefing.com/fantom-defi-project-grim-finance-suffers-30m-hack/


Vulcan Forged-$140M
https://twitter.com/VulcanForged/status/1470365117774770180
https://www.theblockcrypto.com/post/127270/96-private-keys-stolen-from-vulcan-forged-in-140-million-theft


Gelato-$26M
https://twitter.com/gelatonetwork/status/1470289886406004736


8IGHT FINANCE- $1.75M
https://rekt.news/8ight-finance-rekt/
legendary
Activity: 2618
Merit: 1505
December 11, 2021, 08:21:19 AM
BadgerDAO reveals the details of the hacker attack that allowed the theft of $120 million, everything boils down, in their opinion, to the unauthorized use of API keys of the Cloudflare Workers service.
The full technical analysis from the BadgerDAO team is here: https://badger.com/technical-post-mortem



Personally, one bad experience with using API keys to access an account on the garbage exchange yobit four years ago was enough for me; I lost 0.5 BTC. But those were my own funds, whereas here so many users suffered from such a vulnerability. IMHO this is completely the fault of the developers.



The next victim of hackers in the DeFi segment was the Grim Finance platform, losses are estimated at more than $30 million, developers have suspended deposits and recommend users to withdraw their funds urgently.

https://twitter.com/financegrim/status/1472357770846519312


With a name like the platform, investors needed to be more circumspect

[moderator's note: consecutive posts merged]
legendary
Activity: 2016
Merit: 4765
December 02, 2021, 09:37:23 AM
BadgerDAO $100 M

BadgerDAO reported unauthorized withdrawal of user funds; BadgerDAO engineers are investigating this issue, and the protocol's smart contracts have been temporarily suspended.



One of the victims lost 896 BTC https://etherscan.io/tx/0x951babdddbfbbba81bbbb7991a959d9815e80cc5d9418d10e692f41541029869, in total about $100 million was withdrawn from the project.



But whether it was an attack or the funds were simply burned as a result of using a bug in contracts is not yet clear.
https://twitter.com/DefiWhiskey/status/1466271476416454656



https://cryptobriefing.com/120m-lost-badgerdao-defi-hack/
$120M Lost in BadgerDAO DeFi Hack
"Key Takeaways
BadgerDAO has suffered a major frontend attack.
The hacker reportedly compromised Badger's user interface by inserting a malicious script that prompted users to give the hacker permission to spend their funds.
Smart contract auditing firm Peckshield has estimated the value of the stolen funds to around $120 million."
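
The frontend attack summarized above depended on users signing token-spending permissions. As an added example (not part of any post in this thread and not BadgerDAO's code), the Python below decodes ERC-20 `approve` / `increaseAllowance` calldata before signing and flags grants to spenders outside a trusted list; the addresses, the allowlist and the "unlimited" threshold are constructed assumptions.

```python
# Added example: inspect transaction calldata for ERC-20 allowance grants
# before it is signed. Addresses and the allowlist are constructed samples.

ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
}
UNLIMITED = 2**255  # assumption: amounts at or above this count as "unlimited"


def decode_allowance_call(calldata_hex):
    """Return (function, spender, amount), or None if not an allowance call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = ALLOWANCE_SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) != 128:  # two 32-byte ABI words expected
        raise ValueError("allowance call with malformed argument length")
    spender_word, amount_word = args[:64], args[64:]
    if spender_word[:24] != "0" * 24:
        raise ValueError("address argument has non-zero padding")
    return name, "0x" + spender_word[24:], int(amount_word, 16)


def review_transaction(calldata_hex, trusted_spenders):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'block'."""
    try:
        call = decode_allowance_call(calldata_hex)
    except ValueError as exc:
        return "block", str(exc)
    if call is None:
        return "ok", "not an allowance grant"
    name, spender, amount = call
    if spender not in {s.lower() for s in trusted_spenders}:
        return "block", f"{name} to unknown spender {spender}"
    if amount >= UNLIMITED:
        return "warn", f"unlimited {name} to trusted spender {spender}"
    return "ok", f"bounded {name} to trusted spender {spender}"


# Constructed sample data (not taken from the incident).
KNOWN_VAULT = "0x" + "22" * 20
UNKNOWN_SPENDER = "0x" + "11" * 20


def build_call(selector, spender, amount):
    """ABI-encode selector + (address, uint256) as a hex string."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(amount, "064x")


INJECTED = build_call("39509351", UNKNOWN_SPENDER, 2**256 - 1)
LEGIT = build_call("095ea7b3", KNOWN_VAULT, 10**18)

if __name__ == "__main__":
    for label, tx in (("injected", INJECTED), ("legit", LEGIT)):
        print(label, review_transaction(tx, [KNOWN_VAULT]))
```
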
legendary
Activity: 2618
Merit: 1505
December 02, 2021, 03:13:35 AM
BadgerDAO reported unauthorized withdrawal of user funds; BadgerDAO engineers are investigating this issue, and the protocol's smart contracts have been temporarily suspended.



One of the victims lost 896 BTC https://etherscan.io/tx/0x951babdddbfbbba81bbbb7991a959d9815e80cc5d9418d10e692f41541029869, in total about $100 million was withdrawn from the project.



But whether it was an attack or the funds were simply burned as a result of using a bug in contracts is not yet clear.
https://twitter.com/DefiWhiskey/status/1466271476416454656

legendary
Activity: 2660
Merit: 1009
December 01, 2021, 05:53:42 AM
That's really a lot of hacks with very big money involved, but we shouldn't forget the small ones, and if we sum those up I think they are much more expensive than those on the list. What I mean is something like the rug pull, I think the one that happened on Binance before, and other rug pulls by different developers that amount to millions of dollars.
legendary
Activity: 2310
Merit: 2119
A Bitcoiner chooses. A slave obeys.
December 01, 2021, 05:29:56 AM
Amazing list! It worries me that DEFI can be so easily hacked and that it happens so very very often... The thing that bothers me most is the disgusting bounty haggling from Fullcrum. They saved their 2.5 Million dollars and don't even get paid for their efforts. What kind of move is that? Fullcrum? More like Fullscum. I would keep away from doing business with them.

That being said, thanks for this list. I'm sure it will be very helpful for future DeFi.
legendary
Activity: 2016
Merit: 4765
December 01, 2021, 04:35:00 AM
MonoXFinance $31 M

The Polygon based MonoX DeFi platform was hacked, the hacker managed to withdraw crypto assets worth $31 million, the following assets were withdrawn:
- 5.7M MATIC ($10.5M)
- 3.9k WETH ($18.2M)
- 36.1 WBTC ($2M)
- 1.2k LINK ($31k)
- 3.1k GHST ($9.1k)
- 5.1M DUCK ($257k)
- 4.1k MIM ($4.1k)
- 274 IMX ($2k)



The developers of MonoX confirmed the fact of hacking and apologized to investors, but the developers also said that the incident is being investigated and measures are being taken to refund funds.
As it turned out during the investigation, the hacking mechanism looked like this: the attacker managed to raise the price of the MONO token to the skies with the help of a swap contract, and then purchase all the other assets in the pool for it.





MonoX Finance Drained of $31M in Latest DeFi Hack
https://cryptobriefing.com/monox-finance-drained-of-31m-in-latest-defi-hack/

"Key Takeaways
A hacker has exploited MonoX Finance's smart contracts, draining $31 million worth of assets.
The MonoX team are attempting to contact the hacker to ask for the funds to be returned.
Despite receiving two independent audits, the vulnerabilities in MonoX's smart contracts were not found."
legendary
Activity: 2618
Merit: 1505
December 01, 2021, 02:39:48 AM
The Polygon based MonoX DeFi platform was hacked, the hacker managed to withdraw crypto assets worth $31 million, the following assets were withdrawn:
- 5.7M MATIC ($10.5M)
- 3.9k WETH ($18.2M)
- 36.1 WBTC ($2M)
- 1.2k LINK ($31k)
- 3.1k GHST ($9.1k)
- 5.1M DUCK ($257k)
- 4.1k MIM ($4.1k)
- 274 IMX ($2k)



The developers of MonoX confirmed the fact of hacking and apologized to investors, but the developers also said that the incident is being investigated and measures are being taken to refund funds.
As it turned out during the investigation, the hacking mechanism looked like this: the attacker managed to raise the price of the MONO token to the skies with the help of a swap contract, and then purchase all the other assets in the pool for it.



legendary
Activity: 2674
Merit: 1226
Livecasino, 20% cashback, no fuss payouts.
November 25, 2021, 06:03:08 AM
DeFi exploits total $680 million so far in 2021
https://www.theblockcrypto.com/post/123030/defi-exploits-total-680-million-so-far-in-2021
"Quick Take
There have been 70 DeFi attacks this year across four blockchain platforms.
Around $1.4 billion was initially stolen but $760 million has been returned."

Those that are known anyway. I bet you on BSC and Tron there are loads of small tiny rug pulls that don't make the news or are even talked about but I see a new IDO every few hours, and most of them gonna end up scams. People also who got scammed mostly won't say it (the small losers whine but the big ones keep quiet) and then all this doesn't go reported.
legendary
Activity: 2016
Merit: 4765
November 25, 2021, 03:51:29 AM
DeFi exploits total $680 million so far in 2021
https://www.theblockcrypto.com/post/123030/defi-exploits-total-680-million-so-far-in-2021
"Quick Take
There have been 70 DeFi attacks this year across four blockchain platforms.
Around $1.4 billion was initially stolen but $760 million has been returned."
legendary
Activity: 2618
Merit: 1505
November 19, 2021, 11:03:16 AM
The analytics company Elliptic released a study according to which users have suffered losses in excess of $12 billion since 2020 due to fraud and theft on DeFi platforms, of which $10.5 billion falls in 2021.
$721 million of the $12 billion was subsequently reimbursed. The most frequent targets of cybercriminals were the Ethereum and BSC blockchains.
Elliptic names errors in the code and architectural flaws as the main reasons for attacks on decentralized projects.
https://www.elliptic.co/resources/defi-risk-regulation-and-the-rise-of-decrime

legendary
Activity: 2016
Merit: 4765
October 29, 2021, 01:07:38 PM
https://twitter.com/nomorebear/status/1453413216172740609
"Quick explanation of
@CreamdotFinance(C)
 >$100M exploit:

1. Flash mint ~500m DAI to mint curve y Pool to mint ~500m yUSD
2. Use account A to deposit yUSD to CREAM
3. Flash loan ~500k (worth $2B) ETH from AAVE
4. Use account B to deposit ETH to borrow all yUSD and send to A
5. Use account A to deposit yUSD to CREAM
6. Repeat 4, then 5, then 4 again. Now account A has ~1.5B cyYUSD and ~500m yUSD
7. Redeem yUSD
8. Inflate price of yUSD by factor of 2. Now, account B is deeply underwater (bad debt) but account A has double collateral value***
9. Use account A to borrow ETH to return the flash loan.
10. Use the rest collateral power in A to borrow and drain CREAM.
11. Use redeemed yUSD (plus some small amount of DAI from money from 10) to repay DAI flash mint"



Information disclosure and analysis of major hacks in the DeFi ecosystem
https://github.com/yearn/yearn-security/tree/master/disclosures

Very good analysis of the latest CREAM Finance hack.
Incident Disclosure 2021-10-27
https://github.com/yearn/yearn-security/blob/master/disclosures/2021-10-27.md



Crypto Wallets MetaMask, Phantom Targeted in $500K Phishing Attack: Report
Check Point Research has discovered a “massive” phishing campaign that has seen funds stolen from MetaMask and Phantom users.
https://decrypt.co/85253/crypto-wallets-metamask-phantom-targeted-500k-phishing-attack-report
"Check Point Research has discovered a crypto phishing scam that has stolen at least half a million dollars.
Metamask and Pancake websites have both been mimicked in the scam."



bZx -$55M
Ethereum DeFi Project bZx Hacked Again—For a Reported $55 Million
The project says Ethereum contracts and treasury funds are unaffected.
https://decrypt.co/85360/ethereum-defi-project-bzx-hacked-again-reported-55-million
"bZx is a DeFi lending protocol.
It's investigating an exploit of a private key linked to its Binance Smart Chain and Polygon deployments."



Moving Forward: Post Exploit Next Steps for C.R.E.A.M. Finance
https://creamdotfinance.medium.com/moving-forward-post-exploit-next-steps-for-c-r-e-a-m-finance-1ad05e2066d5
"The Path Forward
We will distribute 1,453,415 CREAM tokens to impacted users. We are utilizing remaining CREAM tokens within the treasury, and removing the project team’s remaining CREAM token allocation. There will be no further CREAM allocations to the team."

[moderator's note: consecutive posts merged]
member
Activity: 423
Merit: 11
October 27, 2021, 02:40:15 PM
~

There have been a lot of hacks on Defi coins in the last few months, but I see where the weakness lies in the swap platform. They try to hack in various ways, including resembling core tokens. Some even tried to create fake swap platforms. When we give permission to access the wallet, of course they already have control over our wallet. The most dangerous are the platforms with the import private key system.
legendary
Activity: 2016
Merit: 4765
October 21, 2021, 02:02:01 PM
PancakeHunny on BSC on October 20 was attacked using a flash loan by a hacker, about $1.9 million was stolen, this is already happening for the second time, the first case of using a flash loan was in the month of June. In a preliminary report, the team assured users that their funds are safe.  https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad


PancakeHunny- $1.9M

"What happened?
On 20 October 2021, at 0920 UTC. A smart contract was created to exploit the Hunny TUSD vault. The Contract was subsequently executed 26 times. This is the sequence of events.
Obtained a 53.25 BTC Flashloan from Cream Finance.
Used 53.25 BTC to get a 2,717,107 TUSD Loan from Venus.
Manipulated the price of BNB/TUSD Pool on PancakeSwap.
Used 50 different Wallet Addresses to Deposit 38,250 TUSD into HUNNY TUSD Vault.
Redeemed 2842.16TUSD and Minted 12,020.40 Hunny.
Sold Minted Hunny for 7.78 WBNB.
Steps Repeated for 50 wallets 26 times."
https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad
https://twitter.com/peckshield/status/1450801612901937152?



Cream Finance - $130M
https://decrypt.co/84590/cream-finance-suffers-third-hack-losing-over-130-million
Cream Finance Suffers Third Hack, Loses Over $130 Million
Cream Finance, a DeFi lending protocol, has been hacked for over $130 million—marking the third hack suffered by the protocol.

[moderator's note: consecutive posts merged]
legendary
Activity: 2618
Merit: 1505
October 18, 2021, 03:24:07 AM
Indexed Finance continuation of a story
https://decrypt.co/83681/defi-protocol-indexed-finance-hacked-for-16-million-team-finds-hacker
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.

https://twitter.com/ndxfi/status/1449373158583279622
"The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified."

https://twitter.com/ndxfi/status/1449594187213680643
"The ultimatum has not been met.
In the minutes before the deadline elapsed,
@ZetaZeroes
made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought."

https://twitter.com/ZetaZeroes


This address is reported to be involved in an Indexed Finance exploit.
https://etherscan.io/address/0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe

It's good that sometimes hackers are too arrogant to stay in the shadows, although the team says that he is quite young, that's why he made these statements, but the bad thing is that project teams do not pay due attention to security in order to avoid situations that harm both the image of the team and damage the community and people simply lose their funds as a result.



PancakeHunny on BSC on October 20 was attacked using a flash loan by a hacker, about $1.9 million was stolen, this is already happening for the second time, the first case of using a flash loan was in the month of June. In a preliminary report, the team assured users that their funds are safe.  https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad



[moderator's note: consecutive posts merged]