Incidents

Sturdy Finance Loses $800K to DeFi Exploit

Summary # On June 12, 2023, Sturdy Finance, a DeFi protocol on the Ethereum blockchain known for its lending and borrowing services, was compromised in a security breach. Attackers exploited a vulnerability in the protocol’s price oracle, combined with a read-only reentrancy flaw, orchestrating a theft of approximately $800,000. Attackers # The identity of the hackers who attacked Multichain is unknown. Hacker Ethereum Wallet: 0x1E8419E724d51E87f78E222D935fbbdeb631a08B Losses # 442 ETH (800,000 USD) Timeline # June 12, 2023, 01:06:35 AM UTC: The malicious transaction occurred. ...

Multichain Bridge Suffers $126 Million Security Breach

Summary # On July 6, 2023, Multichain Bridge experienced a security breach due to a private key compromise. The total losses amounted to approximately $126 million, including wBTC, wETH, USDT, USDC, and other assets. The stolen assets were transferred to several addresses. Attackers # The identity of the hackers who attacked Multichain is unknown. Hacker ETH Wallets: 0x9d5765ae1c95c21d4cc3b1d5bba71bad3b012b68 0xefeef8e968a0db92781ac7b3b7c821909ef10c88 0x418ed2554c010a0c63024d1da3a93b4dc26e5bb7 0x622e5f32e9ed5318d3a05ee2932fd3e118347ba0 0x48bead89e696ee93b04913cb0006f35adb844537 0x027f1571aca57354223276722dc7b572a5b05cd8 Losses # Multichain estimated the losses from the hack to be $126 million. ...

Atomic Wallet Suffers Over $100 Million Security Breach

Summary # On June 2, 2023, Atomic Wallet, a non-custodial multichain DeFi wallet, experienced an exploit resulting in the loss of over $100 million worth of various assets from its users. The largest affected wallet lost a total of 7,950,000 USDT. The suspected perpetrator of this attack is the Lazarus Group, a known North Korean hacking group. The hackers moved the stolen funds to Ethereum and TRON addresses. The part of the stolen assets were laundered through Sinbad mixer and Russia-based exchange Garantex. ...

Fintoch DeFi Platform Executes $31.6 Million Rug Pull Scam

Summary # In May 2023, the DeFi investment platform Fintoch executed a rug pull, defrauding users of $31.6 million. The project claimed backing by Morgan Stanley and offered unrealistic 1% daily returns. Fintoch’s legitimacy was questioned, after Morgan Stanley debanked Fintoch’s claims. The fradulent company launched a public sale, and accumulated a large amount of USDT in Fintoch STO smart contract. The smart contract was deployed in Binance Smart Chain, and contained functionality of FTH BEP20 token and FTH/USDT liquidity pair. ...

Deus Finance Suffers $6.5 Million Hack Across Multiple Networks

Summary # On May 5, 2023, Deus Finance, a DeFi protocol operating across Ethereum, Arbitrum, and BNB Chain, experienced a severe security breach. A vulnerability in the $DEI token contract allowed attackers to unauthorizedly burn and transfer tokens, culminating in losses estimated at $6.5 million. Attackers # The identity of the hackers who attacked Deus Finance is unknown. Hacker Wallets: Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 Binance Smart Chain: 0x5a647e376d3835b8f941c143af3eb3ddf286c474 Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 Losses # The total loss from the Deus Finance hack amounted to approximately $6. ...

Level Finance Hacked for $1.1 Million in LVL Tokens

Summary # On May 1, 2023, Level Finance, a decentralized finance (DeFi) protocol, was hacked for $1.1 million in LVL tokens. The attacker exploited a vulnerability in the protocol’s Referral Controller Contract. Attackers # The identity of the attacker is unknown. BSC: 0x70319d1c09e1373fc7b10403c852909e5b20a9d5 Losses # The attacker stole 214,000 LVL tokens and swapped LVL to 3,345 BNB, which were worth approximately $1.1 million at the time of the hack. ...

0vix Hack: $2 Million Stolen in Exploit

Summary # On April 28, 2023, 0vix, a DeFi protocol, was hacked for $2 million in USDC. The attacker executed a sophisticated exploit that involved flash loans, price manipulation, and a self-executed toxic liquidation spiral. All of this occurred within one transaction composed of 278 events. Attackers # The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses: 0x702ef63881b5241ffb412199547bcd0c6910a970 0x407feaec31c16b19f24a8a8846ab4939ed7d7d57 0x49c6dd832d76fb9dd0dfd3a889775faa51af095c Losses # $2 million in USDC Timeline # April 28, 2023, 10:45:16 AM +UTC Attacker’s transaction April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a. ...

Hundred Finance Hacked for $6.8 Million

Summary # On April 15, 2023, at 2:12 pm UTC, Hundred Finance’s Optimism deployment fell victim to an exploit that drained the platform of all assets in hToken markets. The attacker utilized an integer rounding vulnerability within the hToken contract logic to redeem underlying tokens when a market was empty. The total loss amounted to roughly $6.8 million USD in various cryptocurrencies. Attackers # The attackers remain unidentified. Exploiter addresses: ...

Bitrue Hacked for $23 Million

Summary: # On April 14, 2023, cryptocurrency exchange Bitrue was hacked, resulting in the theft of cryptocurrencies worth approximately $23 million. Hackers gained access to the exchange’s hot wallets and stole various cryptocurrencies, including ETH, SHIB, QNT, HOT, MATIC, and GALA. Attackers: # The identity of the hackers who carried out the attack on Bitrue is unknown. Bitrue Drainer wallet: 0x1819ede3b8411ebc613f3603813bf42ae09ba5a5 Losses: # Bitrue estimated the losses from the hack to be approximately $23 million. ...

Yearn Finance Suffers $11.54 Million Loss Due to Smart Contract Vulnerability

Summary # On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million. Attackers # The attackers are unidentified, but their wallet addresses and contracts are known: ...