Summary # On March 5th, WOOFi Swaps’ sPMM algorithm was exploited on the Arbitrum network. The attacker used a sequence of flash loans to manipulate the price of the WOO token due to low liquidity. The exploit occurred due to a combination of the sPMM algorithm vulnerability, incorrect price adjustment, and a failure in the fallback check mechanism. The attacker was able to use flash loans to manipulate the price of WOO and drain funds from the affected pool.
...
Summary # Since February 23, 2024, BitForex, a crypto exchange operational since 2017, ceased processing withdrawals amidst unexplained outflows of about $56.5M worth of crypto from its hot wallets. The absence of communication from BitForex, coupled with the recent departure of its CEO Jason Luo, has raised concerns over a potential inside job or exit scam.
Attackers # The identity of the scammers is unknown, but the main suspect is the CEO of the exchange, Jason Luo.
...
Summary # On November 22, 2023, Heco Bridge and HTX Exchange were victims of cyberattacks, resulting in over $113.3 million in losses. The attacks appear coordinated and carried out by the same attacker based on similar exploitative techniques and the connection between the two targets. Blockchain security firms CertiK, Peckshield, and Cyvers have reported over $86.6 million in digital assets losses for Heco Bridge and $13.6 million in losses for HTX.
...
Summary # On November 22, 2023, KyberSwap, a decentralized finance platform, experienced a sophisticated exploit resulting in a loss of approximately $49,000,000. The attack involved manipulating the platform’s smart contract through complex transactions. The attacker used flash loans to manipulate token prices, which enabled them to exploit a numerical anomaly in the smart contract. This allowed the attacker to double-count liquidity and withdraw substantial funds. Despite KyberSwap having failsafe mechanisms, the attacker skillfully avoided triggering these protections.
...
Summary # On November 10, 2023, Poloniex, a custodial centralized exchange, experienced a security breach due to a private key compromise. The attacker exploited Poloniex’s hot wallets and withdrew funds across three chains: Bitcoin, Ethereum, and Tron. The total losses amounted to approximately $122.98 million, including BTC, USDT, USDC, ETH, TRX, and other assets. The stolen assets were exchanged for native tokens and transferred to sereval addresses.
Attackers # The attackers believed to be the Lazarus Group, North Korean cybercrime group.
...
Summary # On November 8, 2023, the Australian crypto exchange, CoinSpot, experienced an attack on two of its hot wallets, resulting in more than $2.4 million in losses due to a private key leak. The recipient of these funds exchanged them using platforms THORchain and Wan Bridge before exchanging them for Bitcoin using Uniswap and spreading them into four wallets. The Australian financial authority, AUSTRAC, is actively addressing the security breach because the amount stolen is more than $10,000.
...
Summary # On September 24, 2023, HTX, a global custodial crypto exchange, formerly Huobi Global, experienced a security breach due to a private key leak. The attacker exploited this vulnerability and extracted approximately $7.9 million worth of ETH (4,999 ETH) from the hot wallet of the exchange. After HTX identified the attacker and demanded the return of the funds, the hacker returned the stolen assets on October 7, 2023, and received a “white hat bonus” of 250 ETH, equivalent to $408,666.
...
Summary # On September 14, 2023, Remitano, a cryptocurrency exchange, fell victim to a security breach, resulting in unauthorized transactions on the Ethereum and TRON blockchains and a significant financial loss of $2.7 million. This incident was primarily a hack of the exchange’s hot wallet, triggered by a data leak from a third-party source. Tether’s prompt intervention helped freeze the attacker’s addresses, securing 1.9 million USDT and averting further potential losses.
...
Summary # On September 12, 2023, CoinEx, a crypto trading platform operating on various chains, experienced a massive security breach due to a private key compromise. The attacker exploited CoinEx’s hot wallets and extracted approximately $52.8 million worth of assets across 9 different chains. The stolen funds were transferred to the attacker’s addresses and then laundered via distribution between multiple addresses and smart contracts. Lazarus Group is suspected to be behind the theft, as multiple sources have confirmed an onchain connection between Stake.
...
Summary: # On July 30, a hackers drained approximately $60 million from liquidity pools that decentralized exchanges uses to offer exchange of tokens. Affected protocols include CurveFi, MetronomeDAO, JPEGd and Alchemix.
Curve, as biggest funds lost from the breach, ranks among the most esteemed and reliable DEXes and relies on automated market makers in much the same way as Uniswap. Though it is still functioning, Curve has seen an exodus of funds since the hack.
...