Summary # On June 2, 2023, Atomic Wallet, a non-custodial multichain DeFi wallet, experienced an exploit resulting in the loss of over $100 million worth of various assets from its users. The largest affected wallet lost a total of 7,950,000 USDT. The suspected perpetrator of this attack is the Lazarus Group, a known North Korean hacking group. The hackers moved the stolen funds to Ethereum and TRON addresses. The part of the stolen assets were laundered through Sinbad mixer and Russia-based exchange Garantex.
...
Summary # In May 2023, the DeFi investment platform Fintoch executed a rug pull, defrauding users of $31.6 million. The project claimed backing by Morgan Stanley and offered unrealistic 1% daily returns. Fintoch’s legitimacy was questioned, after Morgan Stanley debanked Fintoch’s claims. The fradulent company launched a public sale, and accumulated a large amount of USDT in Fintoch STO smart contract. The smart contract was deployed in Binance Smart Chain, and contained functionality of FTH BEP20 token and FTH/USDT liquidity pair.
...
Summary # On May 5, 2023, Deus Finance, a DeFi protocol operating across Ethereum, Arbitrum, and BNB Chain, experienced a severe security breach. A vulnerability in the $DEI token contract allowed attackers to unauthorizedly burn and transfer tokens, culminating in losses estimated at $6.5 million.
Attackers # The identity of the hackers who attacked Deus Finance is unknown.
Hacker Wallets:
Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 Binance Smart Chain: 0x5a647e376d3835b8f941c143af3eb3ddf286c474 Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 Losses # The total loss from the Deus Finance hack amounted to approximately $6.
...
Summary # On May 1, 2023, Level Finance, a decentralized finance (DeFi) protocol, was hacked for $1.1 million in LVL tokens. The attacker exploited a vulnerability in the protocol’s Referral Controller Contract.
Attackers # The identity of the attacker is unknown.
BSC:
0x70319d1c09e1373fc7b10403c852909e5b20a9d5 Losses # The attacker stole 214,000 LVL tokens and swapped LVL to 3,345 BNB, which were worth approximately $1.1 million at the time of the hack.
...
Summary # On April 28, 2023, 0vix, a DeFi protocol, was hacked for $2 million in USDC. The attacker executed a sophisticated exploit that involved flash loans, price manipulation, and a self-executed toxic liquidation spiral. All of this occurred within one transaction composed of 278 events.
Attackers # The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses:
0x702ef63881b5241ffb412199547bcd0c6910a970 0x407feaec31c16b19f24a8a8846ab4939ed7d7d57 0x49c6dd832d76fb9dd0dfd3a889775faa51af095c Losses # $2 million in USDC
Timeline # April 28, 2023, 10:45:16 AM +UTC Attacker’s transaction April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a.
...
Summary # On April 15, 2023, at 2:12 pm UTC, Hundred Finance’s Optimism deployment fell victim to an exploit that drained the platform of all assets in hToken markets. The attacker utilized an integer rounding vulnerability within the hToken contract logic to redeem underlying tokens when a market was empty. The total loss amounted to roughly $6.8 million USD in various cryptocurrencies.
Attackers # The attackers remain unidentified.
Exploiter addresses:
...
Summary # On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million.
Attackers # The attackers are unidentified, but their wallet addresses and contracts are known:
...
Summary # On April 8, 2023, SushiSwap, a renowned decentralized exchange, came under attack due to a vulnerability in its newly launched RouteProcessor2 contract. The contract was part of the SushiSwap’s version 3 (V3) upgrades and was deployed on 14 different networks. Before SushiSwap could react, anonymous attackers exploited the vulnerability and managed to drain approximately 1800 Wrapped Ether (WETH) from user wallets.
Attackers # The identity of the attacker is unknown.
...
Summary # On April 2, 2023, AllBridge, a multichain token bridge, fell victim to an exploit that resulted in approximately $573,000 worth of assets being drained from its BNB Chain pools. The attacker, acting as both a liquidity provider and a swapper, exploited a flaw in a smart contract that enabled them to manipulate swap prices. This led to the theft of $282,889 in Binance USD (BUSD) and $290,868 in Tether (USDT).
...
Summary # In March 2023, SafeMoon, a DeFi protocol, experienced a significant security breach when a vulnerability in its contract allowed an attacker to steal approximately $8.9 million. The attacker exploited unprotected burn and mint functions, essentially manipulating the value of the SFM token. In a surprising turn of events, the attacker agreed to return 80% of the stolen funds, retaining the remaining 20% as a bug bounty.
Attackers # The attacker’s identity remains unknown.
...