DeFi hacks [history]

[Daltonik]

The Vee.Finance landing platform was attacked by an unknown hacker, as a result, the attacker withdrew 8804.7 ETH and 213.93 BTC worth approximately $35 million. https://veefi.medium.com/vee-finance-accident-announcement-5e75ff197da6



All services were suspended. We are investigating the cause, please follow our official accounts for the latest updates reported on the project's twitter.

[awilliams]

Didn’t makerdao get hacked at some point?

[zasad@]

The Vee.Finance landing platform was attacked by an unknown hacker, as a result, the attacker withdrew 8804.7 ETH and 213.93 BTC worth approximately $35 million. https://veefi.medium.com/vee-finance-accident-announcement-5e75ff197da6



All services were suspended. We are investigating the cause, please follow our official accounts for the latest updates reported on the project's twitter.

Combining link information in 1 post
VEE FINANCE 8804.7 ETH and 213.93 BTC ( $35M)
21 Sep 2021

https://www.rekt.news/veefinance-rekt/
Exploiter ETH Address: 0xeeee458c3a5eaafcfd68681d405fb55ef80595ba

Exploiter AVAX Address: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA
"The exploiter’s Ethereum address was funded via TornadoCash in three lots of 10 ETH: ONE, TWO, THREE.

The funds were then bridged to Avalanche, where the attacker swapped 26.999006274904347875 WETH.e for 1,369.708 AVAX via Pangolin."

[Myleschetty]

It seems that most altcoin project devs are only after making money through projects rather than the safety of investors and the project security cause just in a short span the number of DeFi that was hacked is huge.
If this continues DeFi may lose the trust of crypto market finance enthusiasts.

[zasad@]

Compound bug leaves $80 million in COMP at risk of being misrewarded
https://www.theblockcrypto.com/linked/119086/compound-bug-comp-risk-misreward
"But a new bug contained in the upgraded Comptroller Contract has mistakenly allowed some users to claim as much as about 168,000 COMP tokens already, worth around $50 million.

Robert Leshner, founder of Compound Labs, said in follow-up tweets that the Comptroller contract address "contains a limited quantity of COMP" while the majority of the reward sits in a different Reservoir contract address.

Hence "the impact is bounded, at worst, 280,000 COMP tokens," Leshner said. That is worth about $80 million as of press time.

The Comptroller contract address now has 112,000 COMP tokens left."

[Daltonik]

Cream Finance reports that the project managed to recover 5152.6 ETH stolen on August 31, they managed to identify the hacker with the help of the community, the hacker received 10% of the stolen funds.

In addition to hacking in Defi, there are also scams, for example, the developer of the NFT project Evolved Apes, hiding under the nickname Evil Ape, deleted the site and account, hiding from 797 ETH $2.7 million) of users who were supposed to be used to pay for the work of artists.   https://www.vice.com/en/article/y3dyem/investors-spent-millions-on-evolved-apes-nfts-then-they-got-scammed


[moderator's note: consecutive posts merged]

[Jaered]

Something tells me this list is gonna be more populated before the year runs out. The truth is, the way DeFi is run, it is always easy draining funds from it and nobody can stop those malicious actors. The only way it can be curbed is by regulations, and regulations alone. And crypto as a whole is long overdue for that

[zasad@]

Indexed Finance -$16 M
https://ndxfi.medium.com/indexed-attack-post-mortem-b006094f0bdc

"Today Indexed suffered its first hack since its deployment in December, and it was a pretty devastating one. About $16m worth of assets were stolen from the indices DEFI5 and CC10 by 0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe."


Indexed Finance continuation of a story
https://decrypt.co/83681/defi-protocol-indexed-finance-hacked-for-16-million-team-finds-hacker
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.

https://twitter.com/ndxfi/status/1449373158583279622
"The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified."

https://twitter.com/ndxfi/status/1449594187213680643
"The ultimatum has not been met.
In the minutes before the deadline elapsed,
@ZetaZeroes
made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought."

https://twitter.com/ZetaZeroes


This address is reported to be involved in a Indexed Finance exploit.
https://etherscan.io/address/0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe

[moderator's note: consecutive posts merged]

[Daltonik]

Indexed Finance continuation of a story
https://decrypt.co/83681/defi-protocol-indexed-finance-hacked-for-16-million-team-finds-hacker
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.

https://twitter.com/ndxfi/status/1449373158583279622
"The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified."

https://twitter.com/ndxfi/status/1449594187213680643
"The ultimatum has not been met.
In the minutes before the deadline elapsed,
@ZetaZeroes
made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought."

https://twitter.com/ZetaZeroes


This address is reported to be involved in a Indexed Finance exploit.
https://etherscan.io/address/0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe

It's good that sometimes hackers are too arrogant to stay in the shadows, although the team says that he is quite young, that's why he made these statements, but the bad thing is that project teams do not pay due attention to security in order to avoid situations that harm both the image of the team and damage the community and people simply lose their funds as a result.


PancakeHunny on BSC on October 20 was attacked using a flash loan by a hacker, about $1.9 million was stolen, this is already happening for the second time, the first case of using a flash loan was in the month of June. In a preliminary report, the team assured users that their funds are safe.  https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad

[moderator's note: consecutive posts merged]

[zasad@]

PancakeHunny on BSC on October 20 was attacked using a flash loan by a hacker, about $1.9 million was stolen, this is already happening for the second time, the first case of using a flash loan was in the month of June. In a preliminary report, the team assured users that their funds are safe.  https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad

PancakeHunny- $1.9M

"What happened?
On 20 October 2021, at 0920 UTC. A smart contract was created to exploit the Hunny TUSD vault. The Contract was subsequently executed 26 times. This is the sequence of events.
Obtained a 53.25 BTC Flashloan from Cream Finance.
Used 53.25 BTC to get a 2,717,107 TUSD Loan from Venus.
Manipulated the price of BNB/TUSD Pool on PancakeSwap.
Used 50 different Wallet Addresses to Deposit 38,250 TUSD into HUNNY TUSD Vault.
Redeemed 2842.16TUSD and Minted 12,020.40 Hunny.
Sold Minted Hunny for 7.78 WBNB.
Steps Repeated for 50 wallets 26 times."
https://medium.com/pancakehunny/pancakehunny-incident-report-b5b74557b0ad
https://twitter.com/peckshield/status/1450801612901937152?


Cream Finance - $130M
https://decrypt.co/84590/cream-finance-suffers-third-hack-losing-over-130-million
Cream Finance Suffers Third Hack, Loses Over $130 Million
Cream Finance, a DeFi lending protocol, has been hacked for over $130 million—marking the third hack suffered by the protocol.

[moderator's note: consecutive posts merged]

[Anonymous100]

~

There have been a lot of hacks on Defi coins in the last few months, but I see where the weakness lies in the swap platform. They try to hack in various ways, including resembling core tokens. Some even tried to create fake swap platforms. When we give permission to access the wallet, of course they already have control over our wallet. The most dangerous are the platforms with the import private key system.

[zasad@]

https://twitter.com/nomorebear/status/1453413216172740609
"Quick explanation of
@CreamdotFinance(C)
 >$100M exploit:

1. Flash mint ~500m DAI to mint curve y Pool to mint ~500m yUSD
2. Use account A to deposit yUSD to CREAM
3. Flash loan ~500k (worth $2B) ETH from AAVE
4. Use account B to deposit ETH to borrow all yUSD and send to A
5. Use account A to deposit yUSD to CREAM
6. Repeat 4, then 5, then 4 again. Now account A has ~1.5B cyYUSD and ~500m yUSD
7. Redeem yUSD
8. Inflate price of yUSD by factor of 2. Now, account B is deeply underwater (bad debt) but account A has double collateral value***
9. Use account A to borrow ETH to return the flash loan.
10. Use the rest collateral power in A to borrow and drain CREAM.
11. Use redeemed yUSD (plus some small amount of DAI from money from 10) to repay DAI flash mint"


Information disclosure and analysis of major hacks in the DeFe ecosystem
https://github.com/yearn/yearn-security/tree/master/disclosures

Very good analysis of the latest CREAM Finance hack.
Incident Disclosure 2021-10-27
https://github.com/yearn/yearn-security/blob/master/disclosures/2021-10-27.md


Crypto Wallets MetaMask, Phantom Targeted in $500K Phishing Attack: Report
Check Point Research has discovered a “massive” phishing campaign that has seen funds stolen from MetaMask and Phantom users.
https://decrypt.co/85253/crypto-wallets-metamask-phantom-targeted-500k-phishing-attack-report
"Check Point Research has discovered a crypto phishing scam that has stolen at least half a million dollars.
Metamask and Pancake websites have both been mimicked in the scam."


bZx -$55M
Ethereum DeFi Project bZx Hacked Again—For a Reported $55 Million
The project says Ethereum contracts and treasury funds are unaffected.
https://decrypt.co/85360/ethereum-defi-project-bzx-hacked-again-reported-55-million
"bZx is a DeFi lending protocol.
It's investigating an exploit of a private key linked to its Binance Smart Chain and Polygon deployments."

https://twitter.com/nomorebear/status/1453413216172740609
"Quick explanation of
@CreamdotFinance(C)
 >$100M exploit:

1. Flash mint ~500m DAI to mint curve y Pool to mint ~500m yUSD
2. Use account A to deposit yUSD to CREAM
3. Flash loan ~500k (worth $2B) ETH from AAVE
4. Use account B to deposit ETH to borrow all yUSD and send to A
5. Use account A to deposit yUSD to CREAM
6. Repeat 4, then 5, then 4 again. Now account A has ~1.5B cyYUSD and ~500m yUSD
7. Redeem yUSD
8. Inflate price of yUSD by factor of 2. Now, account B is deeply underwater (bad debt) but account A has double collateral value***
9. Use account A to borrow ETH to return the flash loan.
10. Use the rest collateral power in A to borrow and drain CREAM.
11. Use redeemed yUSD (plus some small amount of DAI from money from 10) to repay DAI flash mint"

Moving Forward: Post Exploit Next Steps for C.R.E.A.M. Finance
https://creamdotfinance.medium.com/moving-forward-post-exploit-next-steps-for-c-r-e-a-m-finance-1ad05e2066d5
"The Path Forward
We will distribute 1,453,415 CREAM tokens to impacted users. We are utilizing remaining CREAM tokens within the treasury, and removing the project team’s remaining CREAM token allocation. There will be no further CREAM allocations to the team."

[moderator's note: consecutive posts merged]

[Daltonik]

Elliptic analytical company.released a study according to which users have suffered losses in excess of $12 billion since 2020 due to fraud and theft on DeFi platforms, of which $10.5 billion falls in 2021.
 $721 million of the $12 billion was subsequently reimbursed. The most frequent targets of cybercriminals were the Ethereum and BSC blockchains.
The main reasons for attacks on decentralized projects in Elliptic are called errors in the code and architectural flaws.
https://www.elliptic.co/resources/defi-risk-regulation-and-the-rise-of-decrime

[zasad@]

DeFi exploits total $680 million so far in 2021
https://www.theblockcrypto.com/post/123030/defi-exploits-total-680-million-so-far-in-2021
"Quick Take
There have been 70 DeFi attacks this year across four blockchain platforms.
Around $1.4 billion was initially stolen but $760 million has been returned."

[slaman29]

DeFi exploits total $680 million so far in 2021
https://www.theblockcrypto.com/post/123030/defi-exploits-total-680-million-so-far-in-2021
"Quick Take
There have been 70 DeFi attacks this year across four blockchain platforms.
Around $1.4 billion was initially stolen but $760 million has been returned."

Those that are known anyway. I bet you on BSC and Tron there are loads of small tiny rug pulls that don't make the news or are even talked about but I see a new IDO every few hours, and most of them gonna end up scams. People also who got scammed mostly won't say it (the small losers whine but the big ones keep quiet) and then all this doesn't go reported.

[Daltonik]

The Polygon based MonoX DeFi platform was hacked, the hacker managed to withdraw crypto assets worth $31 million, the following assets were withdrawn:
 -5.7M MATIC ($10.5M)
- 3.9k WETH ($18.2M)
- 36.1 WBTC ($2M)
- 1.2k LINK ($31k)
- 3.1k GHST ($9.1k)
- 5.1M DUCK ($257k)
- 4.1k MIM ($4.1k)
- 274 IMX ($2k)

The developers of MonoX confirmed the fact of hacking and apologized to investors, but the developers also said that the incident is being investigated and measures are being taken to refund funds.
As it turned out during the investigation, the hacking mechanism looked like this: the attacker managed to raise the price of the MONO token to the skies with the help of a swap contract, and then purchase all the other assets in the pool for it.

[zasad@]

MonoXFinance $31 M

The Polygon based MonoX DeFi platform was hacked, the hacker managed to withdraw crypto assets worth $31 million, the following assets were withdrawn:
 -5.7M MATIC ($10.5M)
- 3.9k WETH ($18.2M)
- 36.1 WBTC ($2M)
- 1.2k LINK ($31k)
- 3.1k GHST ($9.1k)
- 5.1M DUCK ($257k)
- 4.1k MIM ($4.1k)
- 274 IMX ($2k)

The developers of MonoX confirmed the fact of hacking and apologized to investors, but the developers also said that the incident is being investigated and measures are being taken to refund funds.
As it turned out during the investigation, the hacking mechanism looked like this: the attacker managed to raise the price of the MONO token to the skies with the help of a swap contract, and then purchase all the other assets in the pool for it.

for a link to 1 post.
MonoX Finance Drained of $31M in Latest DeFi Hack
https://cryptobriefing.com/monox-finance-drained-of-31m-in-latest-defi-hack/

"Key Takeaways
A hacker has exploited MonoX Finance's smart contracts, draining $31 million worth of assets.
The MonoX team are attempting to contact the hacker to ask for the funds to be returned.
Despite receiving two independent audits, the vulnerabilities in MonoX's smart contracts were not found."

[goldkingcoiner]

Amazing list! It worries me that DEFI can be so easily hacked and that it happens so very very often... The thing that bothers me most is the disgusting bounty haggling from Fullcrum. They saved their 2.5 Million dollars and don't even get paid for their efforts. What kind of move is that? Fullcrum? More like Fullscum. I would keep away from doing business with them.

That being said, thanks for this list. Im sure it will be very helpful for future Defi.

[BitcoinAccepted]

That's really a lot of hacks and very big money involved but we shouldn't forget the small ones and if we sum that up I think they are much more expensive than those on the list. What I mean is something like the rug pull I think the one that happened in Binance before and other rug pulls of different developers that consist of million of $.

[Daltonik]

BadgerDAO reported unauthorized withdrawal of user funds, engineers BadgerDAO are investigating this issue, the protocol's smart contracts have been temporarily suspended.

One of the victims lost 896 BTC https://etherscan.io/tx/0x951babdddbfbbba81bbbb7991a959d9815e80cc5d9418d10e692f41541029869 , in total about $ 100 million was withdrawn from the project.

But whether it was an attack or the funds were simply burned as a result of using a bug in contracts is not yet clear.
https://twitter.com/DefiWhiskey/status/1466271476416454656