Hacks in March:
1. Treasure DAO
Mar 3, 2022: TreasureDAO, an Arbitrum-based NFT trading market, was hacked by an unknown attacker. According to the post-mortem analysis by Certik, the attacker took advantage of a flaw in the platform’s code. The vulnerability lies in the Buyer.buyItem function, which allowed _quantity to be set to 0, so the attacker paid nothing for the NFTs. However, the stolen NFTs were returned after some initial analysis and tracing of the hacker’s wallet.
Root cause: Smart Contract Vulnerability
Loss: Not disclosed.
Reference: News on Bitcoin.com
Claimable event: Yes (Smart Contract Vulnerability Cover)
2. Pirate X
Mar 9, 2022: Pirate X, a blockchain gaming platform, was hacked. The attacker exploited a vulnerability in the staking contract. Private key leakage is suspected, since the attacker used a valid signature to launch the attack. The attacker sold off more than 9.6 million $PXP and made a profit of around 212 BNB. The official incident report blamed the team’s carelessness: it wanted to launch the conversion feature faster despite its vulnerability, as the feature had long been suspended. The project has decided to dismiss the current developer team and recruit a new one. It also announced that it had bought back the stolen $PXP and would carry out an audit.
Root cause: Smart Contract Vulnerability
Loss: approx. $82000
Reference: Official Announcement
Claimable event: Yes (Smart Contract Vulnerability Cover)
3. ActiveCampaign (Email Marketing Partner of Unchained Capital)
Mar 10, 2021: ActiveCampaign (AC), the email marketing provider used by Unchained Capital, a Bitcoin financial services firm, was hacked last week. According to Unchained, the impact is limited to the information shared with AC, including customer email addresses, usernames, account status and possibly IP addresses. No systems on Unchained were compromised, and customer profile information that was never shared with AC was not leaked. Kelly added that while customer Bitcoin custody is protected by multi-signature cold storage, customers should still be aware of what’s going on and be wary of phishing attacks.
Root cause: Phishing
Loss: Not Disclosed.
Reference: News on CoinDesk
Claimable event: No
4. Fantasm Finance
Mar 10, 2022: Fantom’s on-chain synthetic asset protocol, Fantasm Finance, was the victim of a hack. The attacker took advantage of a flaw in the error-checking code of the protocol’s mint function: in Fantasm’s Pool contract, the developer missed the condition check for the minimum amount of input FTM when minting XFTM. After exploiting the vulnerability, the hacker exchanged all the profits for ETH, sent them cross-chain to Ethereum and through Tornado.cash, and made a profit of 1,007 ETH.
Root cause: Smart Contract Vulnerability
Loss: approx. $2.7 million
Reference: Official Post Mortem
Claimable event: Yes (Smart Contract Vulnerability Cover)
5. Paraluni
Mar 13, 2022: The metaverse financial project Paraluni was hacked by an attacker who exploited a re-entrancy vulnerability in the contract’s deposit path through the “Add Liquidity” function. The loss was $1.7 million. After the attack, part of the stolen funds flowed into Tornado Cash and was moved cross-chain to Ethereum through cBridge.
Root cause: Smart Contract Vulnerability
Loss: $13 million
Reference: Incident Analysis from Slowmist
Claimable event: Yes (Smart Contract Vulnerability Cover)
6. NFTflow
Mar 14, 2022: According to PeckShield Alert, NFTflow carried out a rug pull and its official social media account was closed. Several NFT players also posted on social media that a project called “NFTflow” had rug pulled: it ran away without completing the pre-sale and transferred the 92 ETH from the sale to the Tornado mixer.
Root cause: Scam
Loss: approx. $270000
Reference: News on Aliens.com
Claimable event: No
7. PulseDAO Finance
Mar 14, 2022: According to RugDoc, PulseDAO Finance has rug pulled. Its social media accounts and website are closed. 4342 FTM was removed by the contract developer. Previously, Rugdoc.io had also warned that the project carried a risk of governance mishandling and that its contracts needed a full audit by a reputable auditor.
Root cause: Scam
Loss: approx. 4342 FTM
Reference: News on NEWSBTC
Claimable event: No
8. Agave
Mar 15, 2022: Multiple million-dollar exploits were reported one after the other. One of the victims, Agave on Gnosis Chain, was attacked due to an untrusted external call. The attacker called the liquidateCall function to liquidate himself without any debt. During the liquidation process, the liquidation contract called the attacker’s contract. The attacker deposited 2728 WETH obtained through the flash loan, minted 2728 aWETH, and used this as collateral to borrow all available assets in the Agave project. After the external call ended, the liquidateCall function directly liquidated the 2728 aWETH previously deposited by the attacker and transferred it to the liquidator.
Root cause: Smart Contract Vulnerability
Loss: approx. $5.4 million
Reference: News on CryptoPotato
Claimable event: Yes (Smart Contract Vulnerability Cover)
9. Deus Finance
Feb 15, 2022: DeFi protocol Deus Finance was hit by a flash loan attack. The hackers manipulated the price oracle for one of the project’s stablecoin lending contracts. The exploit caused a loss of about $3 million, which has been laundered via Tornado Cash.
Root cause: Oracle Attack
Loss: approx. $3 million
Reference: Deus Finance DAO suffers $3 million flash loan attack
Claimable event: No
10. Hundred Finance
Mar 16, 2022: Hundred Finance, another project on the Gnosis chain, suffered a flash loan attack in which the attacker exploited a reentrancy vulnerability in the protocol, the same as in Agave.
Root cause: Smart Contract Vulnerability
Loss: approx. $6 million
Reference: Yahoo News
Claimable event: Yes (Smart Contract Vulnerability Cover)
11. APE
Mar 17, 2022: According to a report on Twitter, an arbitrage bot took out more than $500000 worth of APE Coins through flash loans. After analysis, it was found that this was related to a loophole in the airdrop mechanism of APE Coin. Specifically, the function that calculates the amount of ApeCoin to claim is based on how many NFTs the caller owns but does not consider how long the caller has owned them. The attacker first borrows BAYC Token through a flash loan and redeems it to obtain BAYC NFTs, then uses these NFTs to claim the airdropped APE, and finally mints BAYC Token with the BAYC NFTs to repay the flash loan.
Root cause: Smart Contract Vulnerability
Loss: approx. $500000
Reference: AirDrop process of ApeCoin cryptocurrency found vulnerable
Claimable event: Yes (Smart Contract Vulnerability Cover)
12. Umbrella Network
Mar 20, 2022: Decentralized oracle service provider Umbrella Network was hacked. The attack impacted its Ethereum and BNB Chain reward pools, resulting in a loss of around $700,000. The hacker exploited an underflow bug in the contract’s withdraw() method. Because the underflow in the withdrawal was unchecked, the hacker could withdraw an arbitrary amount of LP tokens from the smart contract.
Root cause: Smart Contract Vulnerability
Loss: $700000
Reference: Official Twitter Announcement
Claimable event: Yes (Smart Contract Vulnerability Cover)
13. Li.finance
Mar 20, 2022: According to official reports, the Li Finance swap aggregator experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets. Attackers took various tokens from users’ wallets, including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. The project team fixed the vulnerability and compensated most of the affected users within 18 hours.
Root cause: Smart Contract Vulnerability
Loss: $600000
Reference: News on Cointelegraph
Claimable event: Yes (Smart Contract Vulnerability Cover)
14. Hubspot
Mar 20, 2022: Hubspot, one of the widely used third-party marketing campaign vendors, was reported to have suffered a data breach affecting multiple crypto firms including BlockFi, Swan Bitcoin, NYDIG and Circle. However, the affected firms claimed that their operations were not affected and that their assets were not at risk. Hubspot stores user data including names, email addresses, and phone numbers. While the exact details of the stolen data have yet to be identified and disclosed, data such as passwords, government-issued IDs, and Social Security numbers were never stored on Hubspot.
Root cause: Data Breach
Loss: Not Disclosed.
Reference: News on CoinDesk
Claimable event: No
15. OneRing
Mar 21, 2022: OneRing, a stablecoin revenue optimizer in the Fantom ecosystem, was another victim of flash loan attacks. The contract was configured to self-destruct, which made it almost impossible to track which specific functions in the contract were called to steal funds.
Root cause: Smart Contract Vulnerability
Loss: approx. $1.5 M
Reference: Official Post Mortem
Claimable event: Yes (Smart Contract Vulnerability Cover)
16. Arthur
Mar 22, 2022: The founder of a DeFi venture fund lost more than $1.7 million from his hot wallet, suspected to be due to a social engineering attack. He also mentioned that he thinks a hot wallet on a mobile phone is indeed not safe enough.
Root cause: Hot Wallet Breach
Loss: Approx. 310 ETH
Reference: News on CoinMarketCap
Claimable event: No
17. Cashio
Mar 23, 2022: Cashio, a stablecoin project on Solana, has been hacked. The attacker forged a chain of fake accounts by exploiting a vulnerability in Cashio’s smart contracts to mint an infinite supply of CASH without providing any liquidity in exchange. According to the official announcement, users were allowed to suspend the use of the contract, and a temporary patch has been released to fix the vulnerability.
Root cause: Smart Contract Vulnerability
Loss: Approx. $52 million
Reference: Millions Lost as Solana DeFi App Cashio Suffers Hack
Claimable event: Yes (Smart Contract Vulnerability Cover)
18. VEVE
Mar 23, 2022: Veve, an NFT marketplace with licensed digital collectables, experienced an exploit, resulting in millions of gems (in-app tokens) being acquired illegally. According to the early reports, the attackers managed to mint millions of gems without having to pay for them by exploiting a bug in the buying mechanism.
Root cause: Smart Contract Vulnerability
Loss: Not disclosed.
Reference: News on Cointelegraph
Claimable event: Yes (Smart Contract Vulnerability Cover)
19. MekaVerse
Mar 23, 2022: NFT project MekaVerse confirmed that their official Discord server was hacked through a social engineering attack that compromised one of their head moderators, who had access to important Discord modification roles.
Root cause: Social Engineering Attack
Loss: Not disclosed.
Reference: MekaVerse Releases A Statement Regarding Its Compromised Discord
Claimable event: No
20. Maison Ghost
Mar 25, 2022: Maison Ghost, a Twitter user who is an NFT collector, had his Discord hacked, and the attacker posted a fake minting link which resulted in around 300 NFTs being stolen and eventually sold off for 128 ETH and sent to Tornado.
Root cause: Discord Server Hacked
Loss: 128 ETH
Reference: Tweets on this hack event
Claimable event: No
21. InuSaitama
Mar 26, 2022: InuSaitama was suspected to have suffered an arbitrage attack. The attacker exchanged almost 10 times the value of SAITAMA Token through swap, and then exchanged it back to ETH through UniSwap.
Root cause: Arbitrage Attack
Loss: 430 ETH
Reference: Official Twitter Announcement
Claimable event: No
22. Revest Finance
Mar 27, 2022: The Revest Protocol suffered an exploit that caused a loss of roughly $120000. The tokens, namely BLOCKS, ECO, and RENA, were stolen from the Ethereum-based token vault. The minting-related functions in this attack were not designed strictly in accordance with the check-validation-interaction model, which allowed the attacker to exploit the re-entrancy vulnerability.
Root cause: Smart Contract Vulnerability
Loss: approx. $120000
Reference: A brief analysis of Revest Finance being attacked
Claimable event: Yes (Smart Contract Vulnerability Cover)
23. Buccaneer Finance
Mar 28, 2022: According to PeckShield, Buccaneer Finance, a DeFi project on the BNB Chain, has rug pulled. The project’s social media account and community have been deleted, and about 841 BNB have been transferred to Tornado Cash after cleaning out investor funds.
Root cause: Scam
Loss: 841 BNB
Reference: PeckShield detects rug pull on DeFi project Buccaneer
Claimable event: No
24. Cryptovoxels
Mar 28, 2022: It is reported that anonymous attackers used a vulnerability in a Discord bot to direct community users on the official Cryptovoxels Discord channel to phishing sites, which induced users to grant authorization. The attackers stole multiple NFTs and then sold them on OpenSea.
Root cause: Discord Server Hacked
Loss: Not disclosed.
Reference: Official Twitter Announcement
Claimable event: No
25. BNB DEFI
Mar 29, 2022: According to PeckShield, BNB DEFI has rug pulled. The DEFI token fell by 68% in a short time. At present, the project community is closed. Billions of DEFI tokens were exchanged for about 255 BNB.
Root cause: Scam
Loss: 255 BNB
Reference: PeckShield Alert Twitter Announcement
Claimable event: No
26. Rare Bears
Mar 17, 2022: The Discord server of Rare Bears was hacked. The hackers posted phishing links to scam people. The team later regained access to the project’s Discord server. In the process, scammers stole 286 Ether (ETH), worth over $795,500.
Root cause: Discord Server Hacked
Loss: Approx. $795,500
Reference: Official Twitter Announcement
Claimable event: No
27. Wizard Pass
Mar 14, 2022: The Discord server of Wizard Pass, a collection of NFTs on OpenSea, was hacked. The hackers made 107 ETH selling the stolen NFTs.
Root cause: Discord Server hacked
Loss: 107 ETH
Reference: Official Twitter Announcement
Claimable event: No
28. Bacon Protocol
Mar 5, 2022: Bacon Protocol recently suffered a re-entrancy attack, with a total loss of $1 million. The vulnerability was in the lend() routine: the attacker could get more lending credits by re-entering the lend() routine.
Root cause: Smart Contract Vulnerability
Loss: Approx. $1 million
Reference: BaconProtocol suffers a $1 million loss in a hack
Claimable event: Yes (Smart Contract Vulnerability Cover)
29. Tether Shiba
Mar 8, 2022: According to PeckShield, Tether Shiba, a meme coin on BSC, rug pulled investors by deleting their social media accounts.
Root cause: Scam
Loss: Not disclosed.
Reference: Somagnews Article
Claimable event: No
30. Jeff Passan
Mar 10, 2022: The Twitter account of Jeff Passan, a top MLB insider, was hacked. Passan’s account was turned into a page promoting weird skull NFTs.
Root cause: Twitter Account Compromise
Loss: N.A.
Reference: Jeff Passan’s Account Was Hacked: MLB World Reacts
Claimable event: No
31. EarnHubBSC
Mar 2, 2022: According to PeckShield Alert, EarnHubBSC, a high-yield staking platform, has rug pulled. It has deleted the project’s official website and Twitter handle. Its Telegram channel is also not accessible.
Root cause: Scam
Loss: Not disclosed
Reference: PeckShield Alert
Claimable event: No
32. Peaceful World Token
Mar 3, 2022: According to PeckShield Alert, Peaceful World, a crypto token project, appeared to be a scam. Although Ukraine’s crypto airdrop had no relationship with the Peaceful World project, blockchain media linked the two and claimed that the Ukrainian government had started sending Peaceful World tokens to those who donated crypto to support the nation against Russia. Hence, the Vice Prime Minister of Ukraine decided to cancel the airdrop.
Root cause: Scam
Loss: Not disclosed.
Reference: Yahoo News
Claimable event: No
33. Evolution BSC
Mar 4, 2022: Evolution BSC is a cross-chain payment ecosystem website. Its bridge front-end was hacked. The bridge page was still up but its home page was down. The hacker redirected the bridge to send funds to a foreign address.
Root cause: Front-end Attack
Loss: Not disclosed.
Reference: Twitter Announcement
Claimable event: No
34. BasketDAO
Mar 30, 2022: BasketDAO announced on their official Twitter account the exploitation of a vulnerability in BMIZapper, which caused users to lose about 1.2 million US dollars.
Root cause: Smart Contract Vulnerability
Loss: approx. $1.2 million
Reference: Official Twitter Announcement
Claimable event: Yes (Smart Contract Vulnerability Cover)
35. Voltage Finance
Mar 31, 2022: The Voltage Finance lending platform on the Fuse chain was attacked and about $4 million was stolen. While the official report is still pending, PeckShield has stated that the hack was due to a re-entrancy bug that allowed hackers to drain the lending pool.
Root cause: Smart Contract Vulnerability
Loss: approx. $4 million
Reference: News on Crypto Briefing
Claimable event: Yes (Smart Contract Vulnerability Cover)
The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, and all users should enhance their own security awareness to avoid serious losses.
InsurAce.io currently offers insurance protections for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- IDO event risk: the smart contract of the covered IDO platform gets hacked
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price
For details on the coverage and exclusions for each cover, kindly read Cover Wording here.