Summary # On April 30, 2022, Fei Protocol, a decentralized finance (DeFi) protocol that merged with Rari Capital in 2021, was hacked for $80 million. The attacker exploited a reentrancy vulnerability in the protocol’s smart contracts to withdraw funds from the protocol’s reserves.
Attackers # The identity of the attacker(s) is unknown.
ERC-20
FeiProtocol-Fuse Exploiter: 0x6162759eDAd730152F0dF8115c698a42E666157F Losses # $80 Million
Timeline # April 30, 2022, 09:01:35 AM +UTC: The hacker exploited a reentrancy vulnerability in lending protocol April 30, 2022, 10:23:58 AM +UTC: Funds have started to be laundered through Tornado Cash.
...
Summary # On April 17, 2022, Beanstalk Farms, an Ethereum-based DeFi protocol that enables users to earn yield on their cryptocurrency deposits, fell victim to a flash loan attack. This attack resulted in a staggering loss of $182 million, including around $77 million in assets taken from liquidity pools unrelated to Beanstalk. The attacker managed to profit from the exploit, absconding with 24,840 ETH, equivalent to roughly $80 million. The remaining $106 million was returned via a flash loan to Aave, the lending platform.
...
Summary # On February 3, 2022, a security breach occurred on Wormhole, a DeFi platform designed to facilitate the transfer of tokens and NFTs across various blockchains such as Ethereum, Solana, and Binance Smart Chain. The attacker successfully exploited a vulnerability by utilizing a spoofed sysvar account, enabling them to mint 120,000 wrapped ETH (wETH) tokens on the Solana network. These tokens were later deemed invalid. Subsequently, the attacker redeemed 93,750 wETH tokens for an equivalent value of ETH tokens on the Ethereum network.
...
Summary # On January 28, 2022, Qubit Finance, a project built on the BNB Chain (formerly known as Binance Smart Chain), announced a breach of its QBridge credit protocol on their Twitter page. The platform was hacked due to a specific vulnerability in the bridge. Hackers were able to mint an unlimited amount of xETH as collateral for loans on the Binance Smart Chain network. The platform’s native token, QBT, plummeted by 26% overnight.
...
Summary # On October 27, 2021, Cream Finance, a decentralized finance (DeFi) platform, fell victim to a sophisticated attack resulting in the theft of $130 million worth of cryptocurrency. The attacker exploited vulnerabilities in Cream Finance’s lending pool contract and manipulated the price oracle, allowing them to carry out a series of orchestrated transactions that ultimately drained the protocol of its liquidity.
Attackers # The attackers remain unidentified.
0x24354d31bc9d90f62fe5f2454709c32049cf866b Losses # $130M USD
...
Summary # On August 10, 2021, Poly Network, a cross-chain decentralized finance (DeFi) platform, was hacked for over $610 million in digital assets. The attackers exploited a vulnerability in Poly Network’s code to transfer the funds to their own wallets.
Attackers # Attackers’ identities have not been publicly disclosed. The hacker used the following addresses to transfer the funds:
Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214 Losses # The total amount of losses resulting from the Poly Network hack was over $610 million.
...
Summary # On May 19, 2021 PancakeBunny, a yield farming aggregator built on Binance Smart Chain, suffered a flash loan attack.
Exploit was possible because of how the protocol uses PancakeSwap AMM for its asset price calculation. In bugs like this, flashloans are the go-to way to manipulate the price of AMM pools which affects the price oracle
– Adrian Hetman Source
The hacker exploited a vulnerability related to reward minting to mint 6,972,455 BUNNY tokens, after which the flash loan was paid back, dumping the huge number of newly minted BUNNY in the market caused the token’s price to plummet, the attacker ran off with 114k BNB and 697k BUNNY.
...
Summary # On April 28, 2021, Uranium Finance, a BSC-based decentralized exchange, was exploited due to a calculation error bug in its v2 pair contracts, which had been forked from the Uniswap v2 code. The bug allowed an attacker to swap minimum amount of the input token for 98% of the total balance of the output token, leading to massive losses. Uranium Finance had discovered the potential vulnerability but failed to prevent the attack:
...
Summary # On April 19, 2021, a hacker stole $81 million worth of cryptocurrency from EasyFi, a decentralized finance platform. The hacker introduced a malicious version of MetaMask into the computer and stole the private key.
Attackers # The identity of the hackers who attacked EasyFi is unknown.
Hacker ETH Wallet:
0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37 Losses # EasyFi estimated the losses from the hack to be $81 million. The stolen assets included:
...
Summary # On February 13, 2021, Alpha Finance, a DeFi project, suffered a hack that resulted in a $37.5 million loss. The attacker exploited a rounding error in the repayment process, accumulating a substantial amount of cySUSD. They used this to obtain loans in different assets and distributed the stolen Ether. Iron Bank responded by modifying the smart contract configuration, freezing funds and preventing lenders on Alpha Homora from withdrawing their liquidity.
...