Incidents

Polygon hacked for over 800,000 MATIC

Summary: In early December 2021, Polygon, an Ethereum-based network, “silently fixed” a vulnerability that had put its native MATIC tokens worth $24 billion at risk. The issue came to light after a group of ethical hackers informed Immunefi, a bug bounty platform associated with decentralised finance (DeFi). Immunefi hosts the bug bounty for the Polygon network. Both white hat hackers who helped discover the bug were compensated a combined total of $3. ...

BitMart Exchange Suffers $196 Million Security Breach

Summary: On December 4, 2021, BitMart Exchange, a global cryptocurrency platform operating in 180+ countries, fell victim to a significant security breach. The attacker extracted approximately $196 million worth of various digital assets from the hot wallets of the exchange across two networks: Binance Smart Chain (BSC) - $96 million, and Ethereum - $100 million. The primary targets were meme-based tokens, such as SHIB and SAFEMOON. The attacker converted the stolen tokens into ETH and BNB via 1inch and laundered these assets using TornadoCash. ...

Cream Finance Hack: $130 Million Stolen in Exploit

Summary: On October 27, 2021, Cream Finance, a decentralized finance (DeFi) platform, fell victim to a sophisticated attack resulting in the theft of $130 million worth of cryptocurrency. The attacker exploited vulnerabilities in Cream Finance’s lending pool contract and manipulated the price oracle, allowing them to carry out a series of orchestrated transactions that ultimately drained the protocol of its liquidity. Attackers: The attackers remain unidentified. 0x24354d31bc9d90f62fe5f2454709c32049cf866b Losses: $130M USD ...

Bilaxy Exchange Suffers Security Breach with a Loss of $21 Million

Summary: On August 28, 2021, Bilaxy, a Seychelles-based centralized exchange, experienced a security breach, resulting in a loss of approximately $21 million. The attacker compromised Bilaxy’s hot wallet and transferred roughly 300 tokens, including notable cryptocurrencies such as USDT, USDC, UNI, and Bilaxy Token (BIA), among others. As of August 16, 2023, the attacker still controls various tokens worth roughly $3,628,005. Attackers: The identity of the attackers remains unknown. ...

Liquid Exchange Hacked for $97 Million

Summary: On August 18, 2021, Liquid, a Japanese cryptocurrency exchange, was hacked for $97 million. The attacker gained access to one of the exchange’s hot wallets, which are used to store user funds that are available for withdrawal. Attackers: The identity of the attacker(s) is unknown. BTC: 1Fx1bhbCwp5LU2gHxfRNiSHi1QSHwZLf7q; ETH: 0x5578840aae68682a9779623fa9e8714802b59946, 0xefb33ccafc98d5fdb27a6f5ff17350ca76bf3b53; XRP: rfapBqj7rUkGju7oHTwBwhEyXgwkEM4yby; TRX: TSpcue3bDfZNTP1CutrRrDxRPeEvWhuXbp. Losses: The attackers managed to steal a total of $97 million worth of cryptocurrency from the Liquid hot wallet. ...

Poly Network Hack - $610 Million Stolen in 2021

Summary: On August 10, 2021, Poly Network, a cross-chain decentralized finance (DeFi) platform, was hacked for over $610 million in digital assets. The attackers exploited a vulnerability in Poly Network’s code to transfer the funds to their own wallets. Attackers: Attackers’ identities have not been publicly disclosed. The hacker used the following addresses to transfer the funds: Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963; BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71; Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214. Losses: The total amount of losses resulting from the Poly Network hack was over $610 million. ...

PancakeBunny suffers a flash loan attack for $40M+

Summary: On May 19, 2021, PancakeBunny, a yield farming aggregator built on Binance Smart Chain, suffered a flash loan attack. The exploit was possible because of how the protocol uses the PancakeSwap AMM for its asset price calculation. “In bugs like this, flashloans are the go-to way to manipulate the price of AMM pools which affects the price oracle” – Adrian Hetman. The hacker exploited a vulnerability related to reward minting to mint 6,972,455 BUNNY tokens, after which the flash loan was paid back. Dumping the huge number of newly minted BUNNY on the market caused the token’s price to plummet, and the attacker ran off with 114k BNB and 697k BUNNY. ...

Uranium Finance Exploit Resulting in a $57.2 Million Loss

Summary: On April 28, 2021, Uranium Finance, a BSC-based decentralized exchange, was exploited due to a calculation error bug in its v2 pair contracts, which had been forked from the Uniswap v2 code. The bug allowed an attacker to swap a minimum amount of the input token for 98% of the total balance of the output token, leading to massive losses. Uranium Finance had discovered the potential vulnerability but failed to prevent the attack: ...

Thodex Cryptocurrency Exchange Collapses in $2 Billion Exit Scam

Summary: In April 2021, Turkey-based cryptocurrency exchange Thodex collapsed in an exit scam, defrauding investors of $2 billion. Thodex’s founder, Faruk Fatih Ozer, fled to Albania with the stolen funds but was later arrested and extradited back to Turkey. In January 2023, Faruk Fatih Ozer and his two siblings were sentenced to 11,196 years in prison each for money laundering, fraud, and organized crime. Thodex’s rapid growth and promises of a safe and secure trading platform concealed its fraudulent intentions. ...

EasyFi Hacked for $81 Million

Summary: On April 19, 2021, a hacker stole $81 million worth of cryptocurrency from EasyFi, a decentralized finance platform. The hacker introduced a malicious version of MetaMask into the computer and stole the private key. Attackers: The identity of the hackers who attacked EasyFi is unknown. Hacker ETH Wallet: 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37 Losses: EasyFi estimated the losses from the hack to be $81 million. The stolen assets included: ...