Incidents

GDAC Hacked for $13 Million

Summary: On April 9, 2023, South Korean cryptocurrency exchange GDAC was hacked, resulting in the theft of cryptocurrencies worth approximately $13 million. Hackers gained access to the exchange’s hot wallets and stole various cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), and Wemix (WEMIX).
Attackers: The attackers behind the GDAC hack remain unidentified. GDAC Hacker ETH wallets: 0x244615D99684175d31369332039b2D84ce925EC5, 0x57192cca8b8e4beb77f3466c6d0550e64cc53b0f
Losses: GDAC lost approximately $13 million: 10,000,000 WEMIX, 220,000 USDT, 350 ETH, 60. ...

SushiSwap Drained of 1800 WETH Due to RouteProcessor2 Contract Vulnerability

Summary: On April 8, 2023, SushiSwap, a renowned decentralized exchange, came under attack due to a vulnerability in its newly launched RouteProcessor2 contract. The contract was part of SushiSwap’s version 3 (V3) upgrades and was deployed on 14 different networks. Before SushiSwap could react, anonymous attackers exploited the vulnerability and managed to drain approximately 1800 Wrapped Ether (WETH) from user wallets.
Attackers: The identity of the attacker is unknown. ...

Allbridge suffered a flash loan attack for $573k

Summary: On April 2, 2023, AllBridge, a multichain token bridge, fell victim to an exploit that resulted in approximately $573,000 worth of assets being drained from its BNB Chain pools. The attacker, acting as both a liquidity provider and a swapper, exploited a flaw in a smart contract that enabled them to manipulate swap prices. This led to the theft of $282,889 in Binance USD (BUSD) and $290,868 in Tether (USDT). ...

SafeMoon's Smart Contract Exploit: An $8.9M Heist and Unexpected Return of Funds

Summary: In March 2023, SafeMoon, a DeFi protocol, experienced a significant security breach when a vulnerability in its contract allowed an attacker to steal approximately $8.9 million. The attacker exploited unprotected burn and mint functions, essentially manipulating the value of the SFM token. In a surprising turn of events, the attacker agreed to return 80% of the stolen funds, retaining the remaining 20% as a bug bounty.
Attackers: The attacker’s identity remains unknown. ...

Euler Finance Exploited with Flash Loan Attack Resulting in Loss of $196 Million

Summary: On March 13, 2023, a flash loan attack targeted Euler Finance, a noncustodial lending platform on the Ethereum blockchain. The attack led to a loss of roughly $196 million in various cryptocurrencies, including Dai, USD Coin, Staked Ether, and Wrapped Bitcoin. The attacker took advantage of a weakness in Euler’s smart contract, specifically in a feature called “donateToReserves.” The attacker used multiple Ethereum addresses to exploit this weakness in the contract and took advantage of a problem in Euler’s system for liquidation. ...

Flash Loan Attack on Platypus Finance Results in an $8.5 Million Loss

Summary: On February 16, 2023, Platypus Finance, the project behind the USP stablecoin, fell victim to a flash loan attack. This resulted in an estimated loss of $8.5 million. The exploit led to a significant drop in the price of the $USP stablecoin, devaluing it by more than 66% from its intended $1 peg. The attack was carried out by minting an excessive number of USP tokens from the MasterPlatypusV4 contract and using an inflated amount of Platypus LP-USDC tokens as collateral. ...

dForce DeFi Protocol Loses $3.65 Million in Reentrancy Attack

Summary: On February 9, 2023, dForce, a DeFi protocol, fell victim to a reentrancy attack. The attacker exploited a known vulnerability in the smart contract, resulting in a loss of approximately $3.6 million.
Attackers: The identity of the attacker is unknown. The attackers utilized the following addresses:
Arbitrum: 0xe0d551017c0111ac11108641771897aa33b2817c
Optimism: 0xe0d551017c0111ac11108641771897aa33b2817c
Losses: ~$3.65 million total
Arbitrum: 1,236.65 ETH (~1,893,000 USD), 719,437 USX
Optimism: 1,037,492 USDC ...

CoW Swap Suffers Smart Contract Exploit, Resulting in an Approximately $166K Loss

Summary: On February 7, 2023, CoW Swap, a decentralized exchange (DEX) protocol, fell victim to a smart contract exploit, resulting in a loss of approximately 550 BNB, or about $180,000 USD. The breach occurred due to a flaw in the protocol’s smart contract, which allowed an unidentified attacker to approve fund transfers from the protocol.
Attackers: The identity of the attacker is unknown. 0xc0e82c1ed4786f8b7f806d1b8a6335ec485266ff, 0x55a37a2e5e5973510ac9d9c723aec213fa161919
Losses: $166,183
Timeline: January 27, 2023: Barter Solver enters the CoW Swap solver competition. ...

Reentrancy Attack on Orion Protocol Leads to $3 Million Loss

Summary: On February 2, 2023, Orion Protocol, a decentralized blockchain platform that aggregates liquidity across both centralized and decentralized exchanges, fell victim to a sophisticated smart contract exploit. The attacker manipulated a reentrancy vulnerability within the protocol’s core smart contracts, which enabled them to divert approximately $3 million in tokens across the Ethereum and Binance Smart Chain networks.
Attackers: The identity of the attacker is unknown. Two addresses were primarily involved in the attack: ...

BonqDAO Suffers a $120 Million Loss Through Price Oracle Manipulation

Summary: In February 2023, BonqDAO, a lending platform hosted on the Polygon network, was hacked. The attacker exploited a weakness in the protocol’s price oracle to manipulate the price of the $WALBT token. This allowed the attacker to borrow 100 million $BEUR, a stablecoin pegged to the euro, and liquidate other users’ collateral. The total loss from the hack was estimated to be around $120 million.
Attackers: The attackers are unidentified. ...