Lending Platform

Affine Protocol Exploit: An $88,000 Loss Due to Smart Contract Flaw

Summary: Affine Protocol, a provider of cross-chain investment and savings solutions on the Ethereum Mainnet, suffered a significant exploit on February 1, 2024, resulting in a loss of $88,000. The incident was traced to a smart contract vulnerability involving insufficient user data validation. The attacker exploited a flash loan callback function in the strategy contract, manipulating it to liquidate its position and redirect funds. Affine Protocol deployed enhanced security protocols, including stricter access controls and rigorous validation processes for user inputs and transactions, and developed a remediation plan to compensate affected users. ...

Abracadabra Money Suffers $6.5 Million Loss Due to Smart Contract Exploit

Summary: Abracadabra Money, a prominent leverage and lending platform in the DeFi space, was exploited on January 30, 2024, due to a smart contract vulnerability on the Ethereum Mainnet. This exploit led to the unauthorized borrowing and subsequent theft of assets, totaling over $6.5 million, including 1800 ETH and 2.2 million MIM tokens. The attacker exploited the contract’s inability to accurately track the real amount of debt due to rounding errors. ...

Radiant Capital Suffers $4.6 Million Loss

Summary: On January 2, 2024, Radiant Capital on the Arbitrum Chain suffered a $4.6 million loss from a sophisticated exploit, involving 1902 ETH, due to a smart contract vulnerability. The attacker used flash loans to artificially inflate the USDC reserve liquidity index on the platform. This enabled the attacker to borrow excessive WETH against the artificially high collateral value. The situation was exacerbated by a rounding error within the contract’s calculations, which allowed the attacker to manipulate deposit and withdrawal transactions. ...

Pine Protocol Suffers $92,000 Security Breach

Summary: Pine Protocol, a decentralized, non-custodial asset-backed lending platform, suffered a security breach on December 21, 2023, due to a vulnerability in its smart contract on the Ethereum Mainnet. The exploit, carried out across multiple transactions, resulted in a loss of approximately 40 ETH ($92,000). The attack was facilitated by a flaw related to shared pools between two different contracts within the platform. Attackers: The identity of the attacker is unknown. ...

Rodeo Finance Exploit on Arbitrum Leads to $888,000 Loss

Summary: On July 11, 2023, Rodeo Finance on Arbitrum was breached, losing around 472 ETH ($888,000) due to an attacker exploiting the TWAP Oracle. By manipulating the oracle’s price calculation through a “sandwich” attack, the attacker inflated asset prices. This allowed the attacker to mislead the protocol, borrow against the inflated prices from the USDC Pool, and conduct swaps to profit from the manipulated price discrepancies, effectively bypassing Rodeo’s security checks. ...

Arcadia Finance Suffers $455,000 Security Breach

Summary: On July 10, 2023, Arcadia Finance, a DeFi protocol on Ethereum and Optimism, experienced a significant security breach due to vulnerabilities in its smart contract. The incident resulted in a financial loss of approximately $455,000. The breach was due to inadequate security measures in the protocol’s contract, allowing an attacker to manipulate the system for unauthorized asset transfers. Attackers: The identity of the hackers who attacked Arcadia Finance is unknown. ...

Themis Protocol Suffers $370,000 Loss in Exploit

Summary: On June 27, 2023, Themis Protocol, a decentralized lending and borrowing platform on the Arbitrum One chain, fell victim to a sophisticated exploit involving a flawed price oracle, leading to a loss of approximately $370,000. The attacker manipulated the Balancer LP token price by exchanging tokens within the Balancer pool, thus affecting the oracle’s valuation of the pool’s tokens. By utilizing flash loans and a series of calculated transactions, the exploiter was able to inflate the price of the Balancer LP tokens and borrow assets far exceeding their collateral, eventually laundering a portion of the stolen assets through Tornado Cash. ...

Sturdy Finance Loses $800K to DeFi Exploit

Summary: On June 12, 2023, Sturdy Finance, a DeFi protocol on the Ethereum blockchain known for its lending and borrowing services, was compromised in a security breach. Attackers exploited a vulnerability in the protocol’s price oracle, combined with a read-only reentrancy flaw, orchestrating a theft of approximately $800,000. Attackers: The identity of the hackers who attacked Multichain is unknown. Hacker Ethereum Wallet: 0x1E8419E724d51E87f78E222D935fbbdeb631a08B. Losses: 442 ETH (800,000 USD). Timeline: June 12, 2023, 01:06:35 AM UTC: The malicious transaction occurred. ...

Deus Finance Suffers $6.5 Million Hack Across Multiple Networks

Summary: On May 5, 2023, Deus Finance, a DeFi protocol operating across Ethereum, Arbitrum, and BNB Chain, experienced a severe security breach. A vulnerability in the $DEI token contract allowed attackers to burn and transfer tokens without authorization, culminating in losses estimated at $6.5 million. Attackers: The identity of the hackers who attacked Deus Finance is unknown. Hacker Wallets: Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1; Binance Smart Chain: 0x5a647e376d3835b8f941c143af3eb3ddf286c474; Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1. Losses: The total loss from the Deus Finance hack amounted to approximately $6. ...

0vix Hack: $2 Million Stolen in Exploit

Summary: On April 28, 2023, 0vix, a DeFi protocol, was hacked for $2 million in USDC. The attacker executed a sophisticated exploit that involved flash loans, price manipulation, and a self-executed toxic liquidation spiral. All of this occurred within one transaction composed of 278 events. Attackers: The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses: 0x702ef63881b5241ffb412199547bcd0c6910a970, 0x407feaec31c16b19f24a8a8846ab4939ed7d7d57, 0x49c6dd832d76fb9dd0dfd3a889775faa51af095c. Losses: $2 million in USDC. Timeline: April 28, 2023, 10:45:16 AM +UTC: Attacker’s transaction. April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit. April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a. ...