Security Incidents in March

Hacks in March:

1. TreasureDAO

Mar 3, 2022: TreasureDAO, an Arbitrum-based NFT marketplace, was hacked by an unknown attacker. According to the post-mortem analysis by CertiK, the attacker took advantage of a flaw in the platform’s code: the Buyer.buyItem function allowed _quantity to be set to 0, so the attacker paid nothing to receive the NFTs. The stolen NFTs were returned after initial analysis and tracing of the hacker’s wallet.

Root cause: Smart Contract Vulnerability

Loss: Not disclosed.

Reference: News on Bitcoin.com

Claimable event: Yes (Smart Contract Vulnerability Cover)

2. Pirate X

Mar 9, 2022: Pirate X, a blockchain gaming platform, was hacked. The attacker exploited a vulnerability in the staking contract. Private key leakage is suspected, since the attacker used a valid signature to launch the attack. The attacker sold off more than 9.6 million $PXP for a profit of around 212 BNB. According to the official incident report, the blame lay with a careless team that wanted to launch the conversion feature quickly despite the known vulnerability that had kept it suspended for a long time. The project decided to dismiss the current developer team and recruit a new one to replace it. It also announced that it had bought back the stolen $PXP and would carry out an audit.

Root cause: Smart Contract Vulnerability

Loss: approx. $82000

Reference: Official Announcement

Claimable event: Yes (Smart Contract Vulnerability Cover)

3. ActiveCampaign (Email Marketing Partner of Unchained Capital)

Mar 10, 2021: ActiveCampaign (AC), the email marketing provider used by Unchained Capital, a Bitcoin financial services firm, was hacked last week. According to Unchained, the impact is limited to the information shared with AC, including customer email addresses, usernames, account status and possibly IP addresses. No Unchained systems were compromised, and customer profile information that was never shared with AC was not leaked. Unchained’s Kelly added that while customer Bitcoin custody is protected by multi-signature cold storage, customers should still be aware of what is going on and be wary of phishing attacks.

Root cause: Phishing

Loss: Not disclosed.

Reference: News on CoinDesk

Claimable event: No

4. Fantasm Finance

Mar 10, 2022: Fantasm Finance, an on-chain synthetic asset protocol on Fantom, was the victim of a hack. The attacker took advantage of a flaw in the input validation of the protocol’s mint function: in Fantasm’s Pool contract, the developer had omitted the check on the minimum amount of input FTM required when minting XFTM. After exploiting the vulnerability, the hacker exchanged all the profits for ETH, bridged them to Ethereum and mixed them through Tornado Cash, netting 1,007 ETH.

Root cause: Smart Contract Vulnerability

Loss: approx. $2.7 million

Reference: Official Post Mortem

Claimable event: Yes (Smart Contract Vulnerability Cover)
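As an added example that is not part of the original post and not the code of either project, the following Solidity sketch shows the bug class behind both the TreasureDAO and the Fantasm entries, a user-supplied amount that is never bounded before value moves, next to the hardened form. The contract names, the single-token ERC-721 listing design, and the 1:1 FTM-to-XFTM mint are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not code from TreasureDAO or Fantasm Finance. The
// contract layouts, names and the single-token ERC-721 listing design are
// assumptions chosen to show the bug class both entries share: a
// user-supplied amount that is never bounded before value moves.

interface IERC721Like {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract MarketplaceVulnerable {
    struct Listing { address seller; uint256 pricePerItem; }
    mapping(address => mapping(uint256 => Listing)) public listings;

    function list(address nft, uint256 tokenId, uint256 price) external {
        listings[nft][tokenId] = Listing(msg.sender, price);
    }

    // Nothing rejects _quantity == 0: the payment check passes with
    // msg.value == 0 and the listed token is still transferred.
    function buyItem(address nft, uint256 tokenId, uint256 _quantity) external payable {
        Listing memory l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        require(msg.value == l.pricePerItem * _quantity, "wrong payment");
        delete listings[nft][tokenId];
        IERC721Like(nft).transferFrom(l.seller, msg.sender, tokenId);
        payable(l.seller).transfer(msg.value);
    }
}

contract MarketplaceFixed {
    struct Listing { address seller; uint256 pricePerItem; }
    mapping(address => mapping(uint256 => Listing)) public listings;

    function list(address nft, uint256 tokenId, uint256 price) external {
        listings[nft][tokenId] = Listing(msg.sender, price);
    }

    function buyItem(address nft, uint256 tokenId, uint256 _quantity) external payable {
        Listing memory l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        // Bound the input before it reaches the price arithmetic: a single
        // ERC-721 token can only be bought in quantity 1.
        require(_quantity == 1, "quantity must be 1");
        require(msg.value == l.pricePerItem, "wrong payment");
        delete listings[nft][tokenId];
        IERC721Like(nft).transferFrom(l.seller, msg.sender, tokenId);
        payable(l.seller).transfer(msg.value);
    }
}

// Same bug class on a mint path: the caller states how much FTM backs the
// mint and the contract never checks that claim against msg.value.
contract SyntheticPoolVulnerable {
    mapping(address => uint256) public xftm;

    function mint(uint256 _ftmIn) external payable {
        xftm[msg.sender] += _ftmIn; // assumed 1:1 FTM to XFTM for illustration
    }
}

contract SyntheticPoolFixed {
    mapping(address => uint256) public xftm;

    function mint(uint256 _ftmIn) external payable {
        // The stated input must be positive and actually paid in.
        require(_ftmIn > 0 && msg.value == _ftmIn, "insufficient FTM");
        xftm[msg.sender] += _ftmIn;
    }
}
```

The fix in both cases is the same habit: reject the degenerate input (a zero quantity, an unfunded mint) with a require before any arithmetic or transfer depends on it, rather than trusting that callers only pass sensible values.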

5. Paraluni

Mar 13, 2022: Paraluni, a metaverse financial project, was hacked by an attacker who exploited a re-entrancy vulnerability in the contract’s deposit path through the “Add Liquidity” function, causing a loss of $1.7 million. After the attack, part of the stolen funds flowed into Tornado Cash and was bridged to Ethereum through cBridge.

Root cause: Smart Contract Vulnerability

Loss: $13 million

Reference: Incident Analysis from Slowmist

Claimable event: Yes (Smart Contract Vulnerability Cover)

6. NFTflow

Mar 14, 2022: According to PeckShield Alert, NFTflow rug pulled and its official social media account was closed. Several NFT players also posted on social media that the “NFTflow” project had rug pulled, abandoning the pre-sale before it was complete and transferring the 92 ETH raised to the Tornado Cash mixer.

Root cause: Scam

Loss: approx. $270000

Reference: News on Aliens.com

Claimable event: No

7. PulseDAO Finance

Mar 14, 2022: According to RugDoc, PulseDAO Finance rug pulled. Its social media accounts and website were closed, and 4342 FTM was removed by the contract developer. RugDoc.io had previously warned that the project carried a risk of governance mishandling and that its contracts needed a full audit by a reputable auditor.

Root cause: Scam

Loss: approx. 4342 FTM

Reference: News on NEWSBTC

Claimable event: No

8. Agave

Mar 15, 2022: Multiple million-dollar exploits were reported one after the other. One of the victims, Agave on Gnosis Chain, was attacked through an untrusted external call. The attacker called the liquidateCall function to liquidate himself without holding any debt. During the liquidation process, the lending contract made an external call into the attacker’s contract. Inside that call the attacker deposited 2728 WETH obtained through a flash loan, minted 2728 aWETH, and used it as collateral to borrow all available assets in the Agave project. After the external call returned, liquidateCall liquidated the 2728 aWETH the attacker had just deposited and transferred it to the liquidator.

Root cause: Smart Contract Vulnerability

Loss: approx. $5.4 million

Reference: News on CryptoPotato

Claimable event: Yes (Smart Contract Vulnerability Cover)

9. Deus Finance

Feb 15, 2022: The DeFi protocol Deus Finance suffered a flash loan attack. The hackers manipulated the price oracle of one of the project’s stablecoin lending contracts. The exploit caused a loss of about $3 million, which has been laundered via Tornado Cash.

Root cause: Oracle Attack

Loss: approx. $3 million

Reference: Deus Finance DAO suffers $3 million flash loan attack

Claimable event: No

10. Hundred Finance

Mar 16, 2022: Hundred Finance, another project on the Gnosis chain, suffered a flash loan attack in which the attacker exploited a reentrancy vulnerability in the protocol, the same vulnerability as in the Agave attack.

Root cause: Smart Contract Vulnerability

Loss: approx. $6 million

Reference: Yahoo News

Claimable event: Yes (Smart Contract Vulnerability Cover)

11. APE

Mar 17, 2022: According to a report on Twitter, an arbitrage bot took out more than $500000 worth of APE Coin through flash loans. Analysis found that this was related to a loophole in the ApeCoin airdrop mechanism. Specifically, the function that calculates the amount of ApeCoin a caller can claim is based on how many NFTs the caller currently owns and does not consider how long the caller has owned them. The attacker first borrowed BAYC tokens through a flash loan and redeemed them for BAYC NFTs, then used these NFTs to claim the airdropped APE, and finally deposited the BAYC NFTs back to mint BAYC tokens and repay the flash loan.

Root cause: Smart Contract Vulnerability

Loss: approx. $500000

Reference: AirDrop process of ApeCoin cryptocurrency found vulnerable

Claimable event: Yes (Smart Contract Vulnerability Cover)
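As an added example, not the ApeCoin airdrop contract, the following Solidity sketch contrasts an airdrop whose eligibility is whoever holds the NFT at the moment claim() executes with one that fixes eligibility to the owners recorded at a snapshot block taken before the airdrop was announced. The names, the per-token allocation and the operator-loaded snapshot are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not the ApeCoin airdrop contract. Names, the
// per-token allocation and the snapshot mechanism are assumptions; the
// point is the eligibility check the entry describes.

interface IERC721Like {
    function ownerOf(uint256 tokenId) external view returns (address);
}

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Eligibility is whoever owns the NFT when claim() runs, so a token held
// only for the duration of one transaction qualifies.
contract AirdropVulnerable {
    IERC721Like public immutable nft;
    IERC20Like public immutable token;
    uint256 public constant PER_TOKEN = 10_000 ether; // assumed allocation
    mapping(uint256 => bool) public claimed;

    constructor(IERC721Like _nft, IERC20Like _token) { nft = _nft; token = _token; }

    function claim(uint256[] calldata tokenIds) external {
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(nft.ownerOf(tokenIds[i]) == msg.sender, "not owner");
            require(!claimed[tokenIds[i]], "already claimed");
            claimed[tokenIds[i]] = true;
        }
        require(token.transfer(msg.sender, PER_TOKEN * tokenIds.length), "transfer failed");
    }
}

// Eligibility is fixed to the owner recorded at a snapshot block before the
// airdrop was announced. Ownership changes after that block, including
// tokens moved around inside a single transaction, do not change who can claim.
contract AirdropSnapshot {
    IERC20Like public immutable token;
    uint256 public constant PER_TOKEN = 10_000 ether;
    address public immutable operator;
    uint256 public immutable snapshotBlock;
    bool public frozen;
    mapping(uint256 => address) public snapshotOwner;
    mapping(uint256 => bool) public claimed;

    constructor(IERC20Like _token, uint256 _snapshotBlock) {
        token = _token;
        operator = msg.sender;
        snapshotBlock = _snapshotBlock;
    }

    // Owners read off-chain at snapshotBlock are loaded once, then frozen.
    function loadSnapshot(uint256[] calldata tokenIds, address[] calldata owners) external {
        require(msg.sender == operator && !frozen, "locked");
        require(tokenIds.length == owners.length, "length mismatch");
        for (uint256 i = 0; i < tokenIds.length; i++) {
            snapshotOwner[tokenIds[i]] = owners[i];
        }
    }

    function freeze() external {
        require(msg.sender == operator, "not operator");
        frozen = true;
    }

    function claim(uint256[] calldata tokenIds) external {
        require(frozen, "snapshot not final");
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(snapshotOwner[tokenIds[i]] == msg.sender, "not snapshot owner");
            require(!claimed[tokenIds[i]], "already claimed");
            claimed[tokenIds[i]] = true;
        }
        require(token.transfer(msg.sender, PER_TOKEN * tokenIds.length), "transfer failed");
    }
}
```

The snapshot variant moves the eligibility decision to a block that is already final when the airdrop goes live, which is what makes "how long the caller owns" a question the contract never has to answer at claim time.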

12. Umbrella Network

Mar 20, 2022: Umbrella Network, a decentralized oracle service provider, was hacked. The attack impacted its Ethereum and BNB Chain reward pools, resulting in a loss of around $700,000. The hacker exploited an underflow bug in the contract’s withdraw() method: because the subtraction in the withdrawal was unchecked, the hacker could withdraw an arbitrary amount of LP tokens from the smart contract.

Root cause: Smart Contract Vulnerability

Loss: $700000

Reference: Official Twitter Announcement

Claimable event: Yes (Smart Contract Vulnerability Cover)
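As an added example, not Umbrella Network’s contract, this Solidity sketch shows an unchecked subtraction in a withdraw() function beside the checked version. The staking layout and names are assumptions; the wrapping arithmetic is written as an explicit unchecked block so it compiles under 0.8, where plain arithmetic would otherwise revert on underflow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Umbrella Network's reward-pool contract. The
// staking layout and names are assumptions. The unchecked subtraction is
// written as an explicit unchecked block so it compiles on 0.8; on
// compilers before 0.8.0 plain arithmetic wraps the same way.

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingVulnerable {
    IERC20Like public immutable lpToken;
    mapping(address => uint256) public staked;

    constructor(IERC20Like _lp) { lpToken = _lp; }

    function deposit(uint256 amount) external {
        require(lpToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        staked[msg.sender] += amount;
    }

    // With amount > staked[msg.sender], the subtraction wraps to a value
    // near 2**256, so there is effectively no balance check and the pool
    // pays out LP tokens the caller never deposited.
    function withdraw(uint256 amount) external {
        unchecked { staked[msg.sender] -= amount; }
        require(lpToken.transfer(msg.sender, amount), "transfer failed");
    }
}

contract StakingFixed {
    IERC20Like public immutable lpToken;
    mapping(address => uint256) public staked;

    constructor(IERC20Like _lp) { lpToken = _lp; }

    function deposit(uint256 amount) external {
        require(lpToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        staked[msg.sender] += amount;
    }

    // Explicit bound check first. Checked 0.8 arithmetic would also revert,
    // but the require gives a clear reason and does not rely on a compiler
    // default that an unchecked block or an older pragma can remove.
    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing a contract, every `unchecked` block and every pre-0.8 pragma is a place where an explicit require on the operands is the only thing standing between a bookkeeping error and a drained pool.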

13. Li.finance

Mar 20, 2022: According to official reports, the Li Finance swap aggregator experienced a smart contract exploit that led to the loss of around $600,000 from 29 users’ wallets. The attackers took various tokens from users’ wallets, including USDC, MATIC, RPL, GNO, USDT, MVI, AUDIO, AAVE, JRT, and DAI. The project team fixed the vulnerability and compensated most of the affected users within 18 hours.

Root cause: Smart Contract Vulnerability

Loss: $600000

Reference: News on Cointelegraph

Claimable event: Yes (Smart Contract Vulnerability Cover)

14. HubSpot

Mar 20, 2022: HubSpot, one of the most widely used third-party marketing campaign vendors, reported a data breach affecting multiple crypto firms including BlockFi, Swan Bitcoin, NYDIG and Circle. The affected firms stated that their operations were not affected and that their assets were not at risk. HubSpot stores user data including names, email addresses, and phone numbers. While the exact details of the stolen data have yet to be identified and disclosed, data such as passwords, government-issued IDs, and Social Security numbers were never stored on HubSpot.

Root cause: Data Breach

Loss: Not disclosed.

Reference: News on CoinDesk

Claimable event: No

15. OneRing

Mar 21, 2022: OneRing, a stablecoin yield optimizer in the Fantom ecosystem, was another victim of a flash loan attack. The contract was configured to self-destruct, which made it almost impossible to trace which specific functions in the contract were called to steal the funds.

Root cause: Smart Contract Vulnerability

Loss: approx. $1.5 M

Reference: Official Post Mortem

Claimable event: Yes (Smart Contract Vulnerability Cover)

16. Arthur

Mar 22, 2022: The founder of a DeFi venture fund lost more than $1.7 million from his hot wallet, suspected to be the result of a social engineering attack. He also said that he now thinks a hot wallet on a mobile phone is not safe enough.

Root cause: Hot Wallet Breach

Loss: Approx. 310 ETH

Reference: News on CoinMarketCap

Claimable event: No

17. Cashio

Mar 23, 2022: Cashio, a stablecoin project on Solana, was hacked. The attacker forged a chain of fake accounts by exploiting a vulnerability in Cashio’s smart contracts to mint an infinite supply of CASH without providing any liquidity in exchange. According to the official announcement, users were advised to suspend use of the contract, and a temporary patch has been released to fix the vulnerability.

Root cause: Smart Contract Vulnerability

Loss: Approx. $52 million

Reference: Millions Lost as Solana DeFi App Cashio Suffers Hack

Claimable event: Yes (Smart Contract Vulnerability Cover)

18. VEVE

Mar 23, 2022: Veve, an NFT marketplace for licensed digital collectibles, experienced an exploit that resulted in millions of gems (in-app tokens) being acquired illegally. According to early reports, the attackers managed to mint millions of gems without paying for them by exploiting a bug in the buying mechanism.

Root cause: Smart Contract Vulnerability

Loss: Not disclosed.

Reference: News on Cointelegraph

Claimable event: Yes (Smart Contract Vulnerability Cover)

19. MekaVerse

Mar 23, 2022: The NFT project MekaVerse confirmed that its official Discord server was hacked after one of its head moderators, who had access to important Discord administration roles, was compromised through a social engineering attack.

Root cause: Social Engineering Attack

Loss: Not disclosed.

Reference: MekaVerse Releases A Statement Regarding Its Compromised Discord

Claimable event: No

20. Maison Ghost

Mar 25, 2022: Maison Ghost, a Twitter user and NFT collector, had his Discord hacked. The attacker posted a fake minting link, which resulted in around 300 NFTs being stolen and eventually sold for 128 ETH that was sent to Tornado Cash.

Root cause: Discord Server Hacked

Loss: 128 ETH

Reference: Tweets on this hack event

Claimable event: No

21. InuSaitama

Mar 26, 2022: InuSaitama is suspected to have suffered an arbitrage attack. The attacker exchanged almost 10 times the value of the SAITAMA token through a swap, then exchanged it back to ETH through Uniswap.

Root cause: Arbitrage Attack

Loss: 430 ETH

Reference: Official Twitter Announcement

Claimable event: No


22. Revest Finance

Mar 27, 2022: The Revest Protocol suffered an exploit that caused a loss of roughly $120000. The tokens BLOCKS, ECO, and RENA were stolen from the Ethereum-based token vault. The minting-related functions involved in this attack were not designed strictly in accordance with the checks-effects-interactions pattern, which allowed the attacker to exploit a re-entrancy vulnerability.

Root cause: Smart Contract Vulnerability

Loss: approx. $120000

Reference: A brief analysis of Revest Finance being attacked

Claimable event: Yes (Smart Contract Vulnerability Cover)

23. Buccaneer Finance

Mar 28, 2022: According to PeckShield, Buccaneer Finance, a DeFi project on the BNB Chain, rug pulled. The project’s social media accounts and community have been deleted, and about 841 BNB was transferred to Tornado Cash after investor funds were cleaned out.

Root cause: Scam

Loss: 841 BNB

Reference: PeckShield detects rug pull on DeFi project Buccaneer

Claimable event: No

24. Cryptovoxels

Mar 28, 2022: Anonymous attackers reportedly used a vulnerability in a Discord bot to direct community users on the official Cryptovoxels Discord channel to phishing sites. Users who were induced to sign authorizations there had multiple NFTs stolen, which were then sold on OpenSea.

Root cause: Discord Server Hacked

Loss: Not disclosed.

Reference: Official Twitter Announcement

Claimable event: No

25. BNB DEFI

Mar 29, 2022: According to PeckShield, BNB DEFI rug pulled. The DEFI token fell by 68% in a short time, and the project community has been closed. Billions of DEFI tokens were exchanged for about 255 BNB.

Root cause: Scam

Loss: 255 BNB

Reference: PeckShield Alert Twitter Announcement

Claimable event: No

26. Rare Bears

Mar 17, 2022: The Discord server of Rare Bears was hacked and the hackers posted phishing links to scam members. The team later regained access to the project’s Discord server, but in the meantime the scammers stole 286 Ether (ETH), worth over $795,500.

Root cause: Discord Server Hacked

Loss: Approx. $795,500

Reference: Official Twitter Announcement

Claimable event: No

27. Wizard Pass

Mar 14, 2022: The Discord server of Wizard Pass, an NFT collection on OpenSea, was hacked. The hackers made 107 ETH selling the stolen NFTs.

Root cause: Discord Server hacked

Loss: 107 ETH

Reference: Official Twitter Announcement

Claimable event: No

28. Bacon Protocol

Mar 5, 2022: Bacon Protocol recently suffered a re-entrancy attack with a total loss of $1 million. The vulnerability was in the lend() routine: by re-entering lend(), the attacker could obtain more lending credit than they were entitled to.

Root cause: Smart Contract Vulnerability

Loss: Approx. $1 million

Reference: BaconProtocol suffers a $1 million loss in a hack

Claimable event: Yes (Smart Contract Vulnerability Cover)

29. Tether Shiba

Mar 8, 2022: According to PeckShield, Tether Shiba, a meme coin on BSC, rug pulled investors and deleted its social media accounts.

Root cause: Scam

Loss: Not disclosed.

Reference: Somagnews Article

Claimable event: No

30. Jeff Passan

Mar 10, 2022: The Twitter account of Jeff Passan, a top MLB insider, was hacked. Passan’s account was turned into a page promoting weird skull NFTs.

Root cause: Twitter Account Compromise

Loss: N.A.

Reference: Jeff Passan’s Account Was Hacked: MLB World Reacts

Claimable event: No

31. EarnHubBSC

Mar 2, 2022: According to PeckShield Alert, EarnHubBSC, a high-yield staking platform, rug pulled. The project’s official website and Twitter handle have been deleted, and its Telegram channel is no longer accessible.

Root cause: Scam

Loss: Not disclosed.

Reference: PeckShield Alert

Claimable event: No

32. Peaceful World Token

Mar 3, 2022: According to PeckShield Alert, Peaceful World, a crypto token project, appeared to be a scam. Although Ukraine’s crypto airdrop had no relationship with the Peaceful World project, blockchain media linked the two and claimed that the Ukrainian government had started sending Peaceful World tokens to those who donated crypto to support the nation against Russia. Ukraine’s Vice Prime Minister subsequently decided to cancel the airdrop.

Root cause: Scam

Loss: Not disclosed.

Reference: Yahoo News

Claimable event: No

33. Evolution BSC

Mar 4, 2022: Evolution BSC is a cross-chain payment ecosystem. Its bridge front-end was hacked: the bridge page was still up while the home page was down, and the hacker redirected the bridge to send funds to a foreign address.

Root cause: Front-end Attack

Loss: Not disclosed.

Reference: Twitter Announcement

Claimable event: No

34. BasketDAO

Mar 30, 2022: BasketDAO announced on its official Twitter account that a vulnerability in BMIZapper had been exploited, causing users to lose about 1.2 million US dollars.

Root cause: Smart Contract Vulnerability

Loss: approx. $1.2 million

Reference: Official Twitter Announcement

Claimable event: Yes (Smart Contract Vulnerability Cover)

35. Voltage Finance

Mar 31, 2022: The Voltage Finance lending platform on the Fuse chain was attacked and about $4 million was stolen. While the official report is still pending, PeckShield has stated that the hack was due to a re-entrancy bug that allowed the hackers to drain the lending pool.

Root cause: Smart Contract Vulnerability

Loss: approx. $4 million

Reference: News on Crypto Briefing

Claimable event: Yes (Smart Contract Vulnerability Cover)
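The Paraluni, Agave, Hundred Finance, Revest, Bacon Protocol and Voltage Finance entries all come down to the same ordering defect. As an added example that is not code from any of those protocols, this Solidity sketch shows a vault whose redeem() makes its external call before updating the state that call depends on, next to a version that follows checks-effects-interactions and adds a re-entrancy mutex. The vault, its lend()/redeem() names and the ETH-based accounting are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not code from any of the protocols listed above.
// The vault, its lend()/redeem() names and the ETH-based accounting are
// assumptions; the defect is the ordering the Revest entry names: an
// external call made before the state it depends on is updated.

contract VaultVulnerable {
    mapping(address => uint256) public credit;

    // Deposit ETH and receive lending credit 1:1 (assumed).
    function lend() external payable {
        credit[msg.sender] += msg.value;
    }

    // Check, then interaction, then effect: the ETH transfer hands control
    // to msg.sender while credit[msg.sender] still holds the old value, so
    // a contract caller can call redeem() again from its receive() and the
    // check passes a second time against the same credit.
    function redeem(uint256 amount) external {
        require(credit[msg.sender] >= amount, "insufficient credit");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        credit[msg.sender] -= amount;
    }
}

contract VaultFixed {
    mapping(address => uint256) public credit;
    uint256 private locked = 1; // 1 = free, 2 = entered

    // Mutex as a second line of defence: any re-entry into a guarded
    // function while one is in progress reverts.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function lend() external payable nonReentrant {
        credit[msg.sender] += msg.value;
    }

    // Checks, effects, interactions: state is final before control leaves
    // the contract, so a re-entrant call would see the reduced credit even
    // without the mutex.
    function redeem(uint256 amount) external nonReentrant {
        require(credit[msg.sender] >= amount, "insufficient credit");
        credit[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

The two defences are independent on purpose: the ordering fix removes the bug, and the mutex catches the case where a later change (a token hook, a callback added to a mint path) reintroduces an external call somewhere the ordering was not re-checked.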

The crypto industry has generated a lot of excitement; however, it carries a lot of risk. Security incidents occur from time to time, so all users should enhance their own security awareness to avoid serious losses.

InsurAce.io currently offers insurance protection for:

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
  • Custodian risk: the custodian gets hacked and the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
  • IDO event risk: the smart contract of the covered IDO platform gets hacked;
  • Stablecoin de-peg risk: the stablecoin moves significantly below its pegged price.

For details on the coverage and exclusions for each cover, kindly read Cover Wording here.

Get your investment funds protected with InsurAce.io: Buy Cover
