DeFi

KyberSwap Loses $49,000,000 During Cyberattack

Summary: On November 22, 2023, KyberSwap, a decentralized finance platform, experienced a sophisticated exploit resulting in a loss of approximately $49,000,000. The attack involved manipulating the platform’s smart contract through complex transactions. The attacker used flash loans to manipulate token prices, which enabled them to exploit a numerical anomaly in the smart contract. This allowed the attacker to double-count liquidity and withdraw substantial funds. Despite KyberSwap having failsafe mechanisms, the attacker skillfully avoided triggering these protections. ...

Kronos Research halts trading after $25M API key hack

Summary: On November 19, 2023, Kronos Research, a Taipei-based cryptocurrency trading and investment firm, was targeted by a hacker who stole over $25 million from the firm’s treasury using unauthorized API keys. This breach enabled the attacker to access the company’s blockchain wallets and conduct unauthorized transactions. The attack’s impact extended beyond Kronos Research, affecting Woo X, an exchange closely affiliated with Kronos Research. As Kronos Research was a major liquidity provider for Woo X, the security incident led to a temporary suspension of certain asset pairs on Woo X due to a liquidity shortage. ...

Raft Protocol loses $6,700,000 in Smart Contract Exploit

Summary: On November 10, 2023, Raft Protocol experienced an exploit resulting in a loss of about 1,575 cbETH. The exploiter employed a sophisticated multistep attack strategy focusing on a smart contract’s precision calculation vulnerability. Initially, the attacker obtained cbETH through a flash loan before donating and liquidating the cbETH to the Interest Rate Position Manager. This maneuver manipulated the collateral token’s index rate, allowing the exploiter to systematically increase their position in small increments, exploiting a rounding issue in the mint function. ...

Astrid Finance Suffers $228,000 Loss in Smart Contract Exploit

Summary: Astrid Finance, an Ethereum-based liquid restaking pool powered by the Eigen Layer, suffered a significant exploit on October 28, 2023, leading to a loss of $228,000. The exploit was executed through a smart contract vulnerability linked to insufficient input validation, specifically within the withdraw function of the protocol. This flaw enabled the attacker to manipulate transaction parameters, allowing the creation and utilization of fake tokens to illegitimately withdraw funds. ...

Exactly Protocol Bridge Suffers $7.6 Million Security Breach

Summary: Exactly Protocol on Optimism faced a critical security breach on August 18, resulting in a loss of around $7.6 million. The attackers exploited a vulnerability by manipulating market address inputs, allowing them to bypass key security checks within the protocol. This manipulation granted them unauthorized access to execute a deposit function maliciously, leading to the theft of a substantial amount of USDC from users. Attackers: The identity of the hackers who attacked Multichain is unknown. ...

Zunami Protocol lost $2.16 million in a flash loan attack.

Summary: On August 13, 2023, Zunami Protocol, a prominent DeFi platform on Ethereum, was compromised through a sophisticated flash loan attack, resulting in a significant loss of 1,178 ETH, valued at approximately $2.16 million. Central to this exploit was a vulnerability within the platform’s contract that allowed for the manipulation of the UZD token’s balance. By leveraging a flash loan, the attacker was able to artificially inflate the value of the UZD token. ...

Steadefi Loses $1.14 Million to Deployer Address Compromise

Summary: Steadefi, a yield farming platform on Arbitrum and Avalanche, reported a loss of $1.14 million due to a compromised deployer address. The exploit allowed the attacker to assume control over the platform’s vault contracts, leading to the unauthorized borrowing of all available funds. The total value locked (TVL) in Steadefi dropped from over $2 million to almost $0 as a result. The funds were converted to approximately 625 ETH and landed in Tornado Cash. ...

Several Liquidity Pools Exploited for Nearly $60 Million

Summary: On July 30, hackers drained approximately $60 million from liquidity pools that decentralized exchanges use to offer token exchange. Affected protocols include CurveFi, MetronomeDAO, JPEGd and Alchemix. Curve, which lost the most funds in the breach, ranks among the most esteemed and reliable DEXes and relies on automated market makers in much the same way as Uniswap. Though it is still functioning, Curve has seen an exodus of funds since the hack. ...

Rodeo Finance Exploit on Arbitrum Leads to $888,000 Loss

Summary: On July 11, 2023, Rodeo Finance on Arbitrum was breached, losing around 472 ETH ($888,000) due to an attacker exploiting the TWAP Oracle. By manipulating the oracle’s price calculation through a “sandwich” attack, they inflated asset prices. This allowed them to mislead the protocol, borrow against the inflated prices from the USDC Pool, and conduct swaps to profit from the manipulated price discrepancies, effectively bypassing Rodeo’s security checks. ...

Arcadia Finance Suffers $455,000 Security Breach

Summary: On July 10, 2023, Arcadia Finance, a DeFi protocol on Ethereum and Optimism, experienced a significant security breach due to vulnerabilities in its smart contract. The incident resulted in a financial loss of approximately $455,000. The breach was due to inadequate security measures in the protocol’s contract, allowing an attacker to manipulate the system for unauthorized asset transfers. Attackers: The identity of the hackers who attacked Arcadia Finance is unknown. ...