Summary # On June 27, 2023, Themis Protocol, a decentralized lending and borrowing platform on the Arbitrum One chain, fell victim to a sophisticated exploit involving a flawed price oracle, leading to a loss of approximately $370,000. The attacker manipulated the Balancer LP token price by exchanging tokens within the Balancer pool, thus affecting the oracle’s valuation of the pool’s tokens. By utilizing flash loans and a series of calculated transactions, the exploiter was able to inflate the price of the Balancer LP tokens and borrow assets far exceeding their collateral, eventually laundering a portion of the stolen assets through Tornado Cash.
...
Summary # On June 12, 2023, Sturdy Finance, a DeFi protocol on the Ethereum blockchain known for its lending and borrowing services, was compromised in a security breach. Attackers exploited a vulnerability in the protocol’s price oracle, combined with a read-only reentrancy flaw, orchestrating a theft of approximately $800,000.
Attackers # The identity of the hackers who attacked Multichain is unknown.
Hacker Ethereum Wallet:
0x1E8419E724d51E87f78E222D935fbbdeb631a08B
Losses # 442 ETH (800,000 USD) Timeline # June 12, 2023, 01:06:35 AM UTC: The malicious transaction occurred.
...
Summary # On July 6, 2023, Multichain Bridge experienced a security breach due to a private key compromise. The total losses amounted to approximately $126 million, including wBTC, wETH, USDT, USDC, and other assets. The stolen assets were transferred to several addresses.
Attackers # The identity of the hackers who attacked Multichain is unknown.
Hacker ETH Wallets:
0x9d5765ae1c95c21d4cc3b1d5bba71bad3b012b68 0xefeef8e968a0db92781ac7b3b7c821909ef10c88 0x418ed2554c010a0c63024d1da3a93b4dc26e5bb7 0x622e5f32e9ed5318d3a05ee2932fd3e118347ba0 0x48bead89e696ee93b04913cb0006f35adb844537 0x027f1571aca57354223276722dc7b572a5b05cd8 Losses # Multichain estimated the losses from the hack to be $126 million.
...
Summary # On June 2, 2023, Atomic Wallet, a non-custodial multichain DeFi wallet, experienced an exploit resulting in the loss of over $100 million worth of various assets from its users. The largest affected wallet lost a total of 7,950,000 USDT. The suspected perpetrator of this attack is the Lazarus Group, a known North Korean hacking group. The hackers moved the stolen funds to Ethereum and TRON addresses. The part of the stolen assets were laundered through Sinbad mixer and Russia-based exchange Garantex.
...
Summary # In May 2023, the DeFi investment platform Fintoch executed a rug pull, defrauding users of $31.6 million. The project claimed backing by Morgan Stanley and offered unrealistic 1% daily returns. Fintoch’s legitimacy was questioned, after Morgan Stanley debanked Fintoch’s claims. The fradulent company launched a public sale, and accumulated a large amount of USDT in Fintoch STO smart contract. The smart contract was deployed in Binance Smart Chain, and contained functionality of FTH BEP20 token and FTH/USDT liquidity pair.
...
Summary # On May 5, 2023, Deus Finance, a DeFi protocol operating across Ethereum, Arbitrum, and BNB Chain, experienced a severe security breach. A vulnerability in the $DEI token contract allowed attackers to unauthorizedly burn and transfer tokens, culminating in losses estimated at $6.5 million.
Attackers # The identity of the hackers who attacked Deus Finance is unknown.
Hacker Wallets:
Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 Binance Smart Chain: 0x5a647e376d3835b8f941c143af3eb3ddf286c474 Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 Losses # The total loss from the Deus Finance hack amounted to approximately $6.
...
Summary # On May 1, 2023, Level Finance, a decentralized finance (DeFi) protocol, was hacked for $1.1 million in LVL tokens. The attacker exploited a vulnerability in the protocol’s Referral Controller Contract.
Attackers # The identity of the attacker is unknown.
BSC:
0x70319d1c09e1373fc7b10403c852909e5b20a9d5 Losses # The attacker stole 214,000 LVL tokens and swapped LVL to 3,345 BNB, which were worth approximately $1.1 million at the time of the hack.
...
Summary # On April 28, 2023, 0vix, a DeFi protocol, was hacked for $2 million in USDC. The attacker executed a sophisticated exploit that involved flash loans, price manipulation, and a self-executed toxic liquidation spiral. All of this occurred within one transaction composed of 278 events.
Attackers # The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses:
0x702ef63881b5241ffb412199547bcd0c6910a970 0x407feaec31c16b19f24a8a8846ab4939ed7d7d57 0x49c6dd832d76fb9dd0dfd3a889775faa51af095c Losses # $2 million in USDC
Timeline # April 28, 2023, 10:45:16 AM +UTC Attacker’s transaction April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a.
...
Summary # On April 15, 2023, at 2:12 pm UTC, Hundred Finance’s Optimism deployment fell victim to an exploit that drained the platform of all assets in hToken markets. The attacker utilized an integer rounding vulnerability within the hToken contract logic to redeem underlying tokens when a market was empty. The total loss amounted to roughly $6.8 million USD in various cryptocurrencies.
Attackers # The attackers remain unidentified.
Exploiter addresses:
...
Summary # On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million.
Attackers # The attackers are unidentified, but their wallet addresses and contracts are known:
...