Incidents

WOOFi suffered a flash loan exploit on Arbitrum

Summary: On March 5th, WOOFi Swaps’ sPMM algorithm was exploited on the Arbitrum network. The attacker used a sequence of flash loans to manipulate the price of the WOO token due to low liquidity. The exploit occurred due to a combination of the sPMM algorithm vulnerability, incorrect price adjustment, and a failure in the fallback check mechanism. The attacker was able to use flash loans to manipulate the price of WOO and drain funds from the affected pool. ...

BitForex's Exit Scam Leads to $56.5 Million in Financial Losses

Summary: Since February 23, 2024, BitForex, a crypto exchange operational since 2017, has ceased processing withdrawals amid unexplained outflows of about $56.5M worth of crypto from its hot wallets. The absence of communication from BitForex, coupled with the recent departure of its CEO Jason Luo, has raised concerns over a potential inside job or exit scam. Attackers: The identity of the scammers is unknown, but the main suspect is the CEO of the exchange, Jason Luo. ...

Miner ERC-X Avatar Collection Suffers $466,000 Loss

Summary: On February 14, 2024, the Miner ERC-X avatar collection experienced a critical security breach on the Ethereum Mainnet, resulting in the unauthorized withdrawal of 168.8 ETH, equivalent to approximately $466,000. The root cause of this breach was a smart contract vulnerability stemming from insufficient input validation, specifically, a double-transfer flaw. This issue enabled an attacker to exploit the contract’s transfer function, effectively duplicating their token balance by executing self-transfers, which were not properly restricted by the contract’s logic. ...

PlayDapp Suffers $32.35 Million Security Breach

Summary: On February 9, 2024, PlayDapp, a Play to Earn (P2E) game based on Ethereum, experienced a security breach due to compromised private keys. The attacker exploited the platform and minted a total of 3.38 billion PLA tokens, which were worth nearly $617 million at the time of the incident. However, the attacker managed to convert the tokens for $32.35 million. The stolen funds were transferred to various addresses, with some deposited into the Polygon chain and Binance exchange, while a significant portion remains in the attacker’s address as of February 13, 2024. ...

Abracadabra Money Suffers $6.5 Million Loss Due to Smart Contract Exploit

Summary: Abracadabra Money, a prominent leverage and lending platform in the DeFi space, was exploited on January 30, 2024, due to a smart contract vulnerability on the Ethereum Mainnet. This exploit led to the unauthorized borrowing and subsequent theft of assets, totaling over $6.5 million, including 1800 ETH and 2.2 million MIM tokens. The attacker exploited the contract’s inability to accurately track the real amount of debt due to rounding errors. ...

HyperVerse Crypto Hedge Fund Collapses, Resulting in $1.3 Billion Losses

Summary: HyperVerse, a cryptocurrency hedge fund formerly known as HyperFund, collapsed, leading to a loss of approximately $1.3 billion for its customers. The fund, promoted by Australian entrepreneur Sam Lee and his business partner Ryan Xu, both founders of the now-defunct Australian bitcoin company Blockchain Global, has caught the attention of regulators across several countries, who have labeled it a potential “scam” and “suspected pyramid scheme.” The identity and background of its CEO, Steven Reece Lewis, are under scrutiny, as his stated qualifications and work history are reportedly fabricated. ...

Radiant Capital Suffers $4.6 Million Loss

Summary: On January 2, 2024, Radiant Capital on the Arbitrum Chain suffered a $4.6 million loss from a sophisticated exploit, involving 1902 ETH, due to a smart contract vulnerability. The attacker used flash loans to artificially inflate the USDC reserve liquidity index on the platform. This enabled the attacker to borrow excessive WETH against the artificially high collateral value. The situation was exacerbated by a rounding error within the contract’s calculations, which allowed the attacker to manipulate deposit and withdrawal transactions. ...

Orbit Bridge Suffers $81.54 Million Security Breach

Summary: On December 31, 2023, Orbit Chain, a South Korean cross-chain project, experienced a significant security breach involving their Orbit Bridge. The attacker exploited the Orbit Bridge through a private key compromise and drained approximately $81.54 million worth of assets from the Orbit Bridge’s ETH Vault. The stolen funds were converted into ETH and DAI and then distributed across several addresses. Attackers: The identity of the attacker remains unknown. ...

Telcoin Suffers $1.2 Million Security Breach

Summary: On December 25, 2023, Telcoin experienced a security breach due to incorrect initialization of wallet contracts, which resulted from a mismatch between the actual implementation of the wallet and the corresponding proxy server. The attacker was able to transfer $1.2 million worth of $TEL from user wallets. Attackers: The identity of the hackers who attacked Telcoin is unknown. Hacker ETH Wallets: 0x35d2775e5f95596509951b140d68fc5b9185ff98, 0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7. Losses: Telcoin estimated the losses from the hack to be $1. ...

Pine Protocol Suffers $92,000 Security Breach

Summary: Pine Protocol, a decentralized, non-custodial asset-backed lending platform, suffered a security breach on December 21, 2023, due to a vulnerability in its smart contract on the Ethereum Mainnet. The exploit, carried out across multiple transactions, resulted in a loss of approximately 40 ETH ($92,000). The attack was facilitated by a flaw related to shared pools between two different contracts within the platform. Attackers: The identity of the attacker is unknown. ...