Security Incidents in April

Hacks in April: 

  1. Multiple NFT Projects & Ticket Tool 

Apr 1, 2022: Ticket Tool, a widely used Discord robot that verifies users and pushes channel-wide notifications was compromised. There was a vulnerability in the recent update to its’ add command. The hacker exploited it and post fake minting links in several NFT projects Discord servers including BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz. 

Root cause: Discord Bot Vulnerability 

Loss: Not disclosed. 

Reference: News on Crypto Briefing  

Claimable event: No 

  1. Agora & Starstream Finance 

Apr 8, 2022: Starstream was exploited by an unprotected execute functions in its DistributorTreasury Contract. The attacker used the loopholes to drain tokens and used as the collateral to perform large loans from Agora. Part of the borrowed funds was then used to increase the price of STARs to increase their collateral. 

Root cause: Smart Contract Vulnerability in Starstream 

Loss: approx. $8.2M 

Reference: Halborn Hacks Explained 

Claimable event: Yes (Smart Contract Vulnerability Cover for Starstream) 

  1. Education Grants Council of India (UGC)  

Apr 10, 2021: The official twitter account of Education Grants Council (UGC) of India was hacked. The hackers changed the profile to Azuki NFT related and made several tweets related to NFT and posted a fake Azuki NFT airdrop link. The account was recovered after it was held hostage for six hours. 

Root cause: Twitter Account Hacked 

Loss: Not Disclosed. 

Reference: News on India Today 

Claimable event: No 

  1. CF 

Apr 11, 2022: According to tweets from PeckShield, there is a vulnerability in the $CF token contract which allows anyone to transfer someone else’s $CF balance. As of reported, The losses are around $1.9 million and the CF/USDT trading pair on PancakeSwap has also been affected. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $1.9 million 

Reference: PeckShield Twitter 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Marvin Inu 

Apr 11, 2022: Marvin Inu, the cross-chain bridge was hacked, and resulted in lost about 110 ETH. The team has shut down the cross-chain bridge and fixed the loopholes promptly. The team also promised to compensate for the loss. 

Root cause:  Smart Contract Vulnerability 

Loss: approx. $350000 

Reference: PA News 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Elephant Money 

Apr 13, 2022: Elephant Money, a yield optimizer on Binance Chain suffered an attack on its Reserve. This incident was due to flawed logic allowing for arbitrage between the PancakeSwap Liquidity Pool and the Elephant Reserve. The hacker used a flash loan to trade for thousands of ELEPHANT governance tokens while minting TRUNK stablecoin. During the mint stage, ELEPHANT token price was uplifted due to embedded buyback mechanics and liquidity depth was increased for both ELEPHANT and TRUNK tokens on PancakeSwap. The hacker then took a profit by selling the inflated ELEPHANT token on PancakeSwap and redeeming TRUNK tokens from the Reserve, extracting a large amount of BUSD and ELEPHANT tokens.   

Root cause: Smart Contract Vulnerability 

Loss: approx. $11 million 

Reference: InsurAce Blog Post 

Claimable event: Yes (Smart Contract Vulnerability Cover) – Voting in progress.  

  1. Rikkei Finance 

Apr 15, 2022: Rikkei Finance, a Metaverse DeFi protocol was hacked. The attacker modified the price oracle machine to a malicious contract. Rikkei Finance promised to fully compensate affected users. The team has fixed the bug and restored the services. 

Root cause: Oracle Attack 

Loss: approx. $1.1M  

Reference: News on CoinYuppie 

Claimable event: No 

  1. Metaconz 

Apr 16, 2022: Metaconz, a Klaytn-based NFT project was suffered an attack. A malicious bot was installed on the its overseas team’s Discord administrator account. In this attack, the hacker used a compromised function to deprive the victim of the wallet permission. The project team has promised to compensate all the losses. 

Root cause:  Discord Server Hacked 

Loss: approx. $34000 

Reference: News on Opera News 

Claimable event: No 

  1. FaceDAO 

Apr 16, 2022: FaceDAO tweeted that a large amount of FACE tokens were dumped on-chain. The investigation found out that a wallet held by a team was hacked. The FACE token held by the team member was transferred and sold by an unauthorized account. 

Root cause: Phishing Attack 

Loss: Not disclosed. 

Reference: Analysis from ZeroFriction 

Claimable event: No 

  1. Beanstalk 

Apr 17, 2022: Beanstalk, an Ethereum-based stablecoin project was suffering an attack. The attacker performed a flash loan attack to manipulate the decentralized governance mechanism (emergencyCommit function) to approve the malicious proposals. The stolen fund was distributed to the Ukraine fund and the attacker to pay off their flash loan.   

Root cause: Governance Attack 

Loss: approx. $182 million 

Reference: Halborn Blog: The Beanstalk Hack (April 2022) 

Claimable event: No 

  1. Ugly People 

Apr 17, 2022: According to BlockSecAlert twitter, the Discord of a NFT project, Ugly People has been hacked. The attackers are spreading fake mint links. 

Root cause:  Discord Server Hacked 

Loss: Not disclosed. 

Reference: BlockSecAlert 

Claimable event: No 

  1. MaxAPY Finance 

Apr 20, 2022: According to PeckSheld Alert, a Rug Pull has occurred in MaxAPY Finance, an automatic pledge protocol on BNB Chain. The team has ran away with its official Twitter account and Telegram group deleted. The contract owners also have transferred out 1,042 BNB. 

Root cause: Rug Pull 

Loss: approx. $440000 

Reference: Peckshield Alert Twitter Announcement 

Claimable event: No 

  1. ZEED 

Apr 21, 2022: ZEED, a DeFi lending protocol was attacked and lost about $1 million. The hacker exploited a vulnerability in the reward distribution mechanism to allow them to mint extra tokens. The stolen crypto was transferred to a contract which set to self-destruct. However, the attackers have not transferred the stolen crypto out of the contract before it was set to self-destruct.  

Root cause: Smart Contract Vulnerability 

Loss: approx. $1M 

Reference: News on Cointelegraph 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Akutars 

Apr 23, 2022: The Akutars, a highly anticipated NFT project was hit by a smart contract bug which locked up $34 million worth of Ether. The vulnerability was exploited by the developers who tried to warn the project about the flaws. After the successful exploit, the team has rewritten the minting contract which has been audited. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $34M 

Reference: News on Cointelegraph 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Bored Ape Yacht Club (BAYC)  

Apr 25, 2022: The official Instagram of BAYC, a NFT project was hacked. A phishing link was sent out to users and managed to steal three million worth of crypto which includes 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX etc.  

Root cause:  Phishing Attack 

Loss: approx. $3 M 

Reference: Official Twitter Announcement 

Claimable event: No 

  1. MetalSwap 

Apr 13, 2022: MetalSwap, the first decentralized exchange has rug pulled and closed all communication channels. The token price was also plunged by 99%. 

Root cause: Rug Pull 

Loss: Not Disclosed 

Reference: Official Twitter Announcement 

Claimable event: No  

  1. HospoWise  

Apr 5, 2022: HospoWise, a project bringing hospitality to the blockchain was hacked. The exploit was due to the public burn() function which allowed users to purchase only a few tokens and burn the rest of the Hospo tokens on Uniswap, inflating the worth of their tokens. The project was audited and the team claimed it was due to the negligence of the audit team who did not discover the flaws. They also announced that they will proceed with the V2 launch and airdrop tokens with extra benefits for their holders. 

Root cause: Smart Contract Vulnerability 

Loss: Not disclosed. 

Reference: News on CoincodeCap  

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Inverse Finance 

Apr 2, 2022: Inverse Finance, an Ethereum-based lending protocol was a victim of the recent hack. The attacker took advantage of a vulnerability in a Keep3r price oracle to manipulate the token prices and then took out huge loans on Anchor using the inflated INV as collateral. 

Root cause: Oracle Attack 

Loss: approx. $15.6M 

Reference: Official Twitter Announcement  

Claimable event: No 

  1. Phantasma 

Apr 2, 2022: Phantasma, a cross-chain layer-1 blockchain for smart NFTs, announced on its official twitter that they suffered an admin key leak incident. SOUL and KCAL smart contracts on Binance Smart Chain were affected. The attacker minted additional KCAL and SOUL tokens on Binance Smart Chain.  

Root cause: Admin Key Leakage 

Loss: Not disclosed. 

Reference: Official Twitter Announcement 

Claimable event: No 

  1. Multiple protocols: PI-DAO, Medamon, Last Kilometer, Wiener DOGE 

Apr 24, 2022: According to Certik announcement and analysis, There were four projects namely, PI-DAO, Medamon, Last Kilometer, and Wiener DOGE suffered flash loan attack on the same day. The attackers were using the same attack method for these four attacks. They exploited the inconsistency between the LP token’s charging mechanism and the exchange pool to launch the attack. 

Root cause: Smart Contract Vulnerability 

Loss: PI-DAO(approx. $6445), Medamon (approx. $3159), Last Kilometer (approx. $26495), Wiener DOGE (approx. $30000) 

Reference: Certik Announcement  

Claimable event: Yes (Smart Contract Vulnerability Cover) 

The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, all users should enhance their own security awareness to avoid serious losses. 

InsurAce.io currently offer insurance protections for: 

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked; 
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days; 
  • IDO event risk: the smart contract of the covered IDO platform gets hacked 
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price 

For details on the coverage and exclusions for each cover, kindly read Cover Wording here. 

Get your investment funds protected with InsurAce.io: Buy Cover 

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top