October Hacks Report

The volume of DeFi hacks climbed sharply in October 2022. According to data compiled by DefiLlama, crypto holders and investors lost another $700 million to hacks and exploits. This figure represents a 430% jump from the $165 million recorded in September.

There was a series of hacks worth over $100m, but the $570 million BNBChain exploit was by far the most high-profile one, both in terms of the sophistication of the attack and the timely response of the Changpeng Zhao-led Binance security team.

Here is InsurAce’s expert overview of the high-profile hacks that occurred in the global DeFi space during the month of October 2022.

1. Transit Swap

October 2, 2022: Transit Swap, a decentralized cross-chain exchange, suffered a bug that allowed an attacker to drain the wallets of users who had approved the protocol’s swap contracts. The root cause was a lack of input validation for critical parameters within the contract’s claimTokens function.

Root cause: Smart Contract Vulnerability

Loss: approx. $21m

Reference: SlowMist Analysis on Medium

Claimable event: Yes (Smart Contract Cover)

2. Sovryn

October 5, 2022: Bitcoin-based decentralized finance protocol Sovryn was exploited through two legacy lending pools. The attacker took advantage of an unsafe external call in the _callTokensToSend function to execute their attack contract.

Root cause: Smart Contract Vulnerability

Loss: $554K

Reference: Analysis by Halborn

Claimable event: Yes (Smart Contract Cover)

3. Sex DAO

October 5, 2022: Sex DAO, a Web3 social platform, is suspected to have been rug pulled. Its official website and Twitter account have been inaccessible, and its original white paper has been deleted.

Root cause: Rug Pull

Loss: approx. 220,000 USDT

Reference: News

Claimable event: No

4. Binance Bridge

October 6, 2022: The BNBChain cross-chain bridge was attacked, and more than 500 million US dollars were lost. The hacker minted two batches of 1m BNB each by falsifying proofs of deposit. This was a bug in the bridge that allowed attackers to forge arbitrary messages.

Root cause: Smart Contract Vulnerability

Loss: approx. 2,000,000 BNB

Reference: Twitter Announcement by SlowMist

Claimable event: No (Exclusion under Smart Contract Cover)

5. BNBHACKINU

October 7, 2022: After the initial hack on BNB chain, a malicious actor created fake tokens based on popular dog-themed memecoins. He used a function to create an arbitrary number of tokens before transferring them between token holders without any permission.

Root cause: Rug Pull

Loss: approx. $100K worth of Ethereum

Reference: Analysis by QuillAudits

Claimable event: No

6. Xave Finance

October 9, 2022: Ancilia, Inc, a cybersecurity partner for Web3, identified suspicious activity on Xave Finance. A user was able to mint over 100 trillion RNBW and swap it in a Uniswap pool. Fortunately, the pools were built in such a way that owners cannot withdraw funds on behalf of users, leaving funds unaffected.

Root cause: Smart Contract Vulnerability

Loss: Nil

Reference: Post Mortem by Xave Finance

Claimable event: Yes (Smart Contract Cover)

7. Jumpn Finance

October 9, 2022: Jumpn Finance was rug pulled when the attacker called the 0xe156 contract’s 0x6b1d9018() function to withdraw user assets and transfer them into his address.

Root cause: Rug Pull

Loss: $1.15M

Reference: Analysis by QuillAudits

Claimable event: No

8. TempleDAO

October 11, 2022: The TempleDAO project was hacked, with approximately $2.36 million worth of LP tokens involved. A function of the StaxLPStaking contract had insufficient access control, which allowed the hacker to create a contract with the oldStaking parameter and specify an address to which the funds could be sent.

Root cause: Smart Contract Vulnerability

Loss: approx. $2.36M

Reference: Twitter Announcement by SlowMist

Claimable event: Yes (Smart Contract Cover)

9. Rabby

October 11, 2022: DeBank’s plug-in wallet Rabby was attacked through its token exchange function. The function was directly called externally and parameters passed in by users were not checked. Hackers were able to transfer funds through this exploit.

Root cause: Smart Contract Vulnerability

Loss: $190K

Reference: Twitter Announcement by SlowMist

Claimable event: Yes (Smart Contract Cover)

10. QANplatform

October 11, 2022: The quantum-resistant Layer 1 blockchain QANplatform was exploited: the QANX Bridge smart contract deployer wallet was compromised due to the Profanity address vulnerability, resulting in the loss of $2 million in tokens.

Root cause: Private Key Leakage

Loss: $2M

Reference: Analysis by QANplatform

Claimable event: No

11. The Micro Elements

October 11, 2022: The Micro Elements Project was rug pulled and approximately $548,600 was stolen.

Root cause: Rug Pull

Loss: $548K

Reference: Twitter Announcement by CertiK

Claimable event: No

12. ATK

October 12, 2022: The Journey of Awakening (ATK) project was hacked through a flash loan attack. The hacker obtained many ATK tokens from the project’s contract and exchanged them for BNB, which was then transferred to Tornado Cash.

Root cause: Unknown

Loss: approx. $120,000

Reference: Online News

Claimable event: No

13. Mango Markets

October 12, 2022: Mango Markets, a decentralized finance (DeFi) trading platform on the Solana blockchain, was hacked, with hackers stealing $117 million from the platform. According to the tweet from Mango Markets, the hack was caused by price manipulation of the native MNGO token.

Root cause: Economic Attack/Price Manipulation

Loss: $117M

Reference: Post Mortem Tweet by Mango

Claimable event: No

14. FTX

October 13, 2022: Crypto exchange FTX lost 81 ETH due to a gas theft vulnerability. The hacker minted over 100 million XEN tokens, which were then converted into ETH at zero cost. FTX’s mode of operation allowed the hack to happen, as it placed no restrictions on the gas limit of withdrawal transactions. The hacker was able to steal at zero cost.

Root cause: Gas Theft Vulnerability

Loss: 81 ETH

Reference: Online News

Claimable event: No

15. Earning.farm

October 13, 2022: Yield platform Earning.farm was hit by a flash loan attack. The contract was not able to verify whether flash loan callbacks were initiated by the protocol, allowing the attacker to exploit this flaw and draw large amounts of funds.

Root cause: Smart Contract Vulnerability

Loss: 750 ETH

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

16. MTDAO

October 17, 2022: Metaverse DAO was exploited through a flash loan attack. Both MT and ULM tokens were affected through functions in an unopened contract that allowed MT and ULM token contracts to profit.

Root cause: Unknown

Loss: 1930 BNB

Reference: Online News

Claimable event: No

17. LiveArtX

October 17, 2022: NFT platform LiveArtX’s wallet was stolen and several NFTs were sold. The attacker transferred 7.3 ETH and 22.30 WETH to Bitkeep before exchanging it for USDT. The price of the collection fell from 1 ETH to 0.1 ETH.

Root cause: Wallet Compromise

Loss: $39K

Reference: Online News

Claimable event: No

18. Bitkeep Swap

October 18, 2022: BitKeep crypto wallet’s Swap feature was hacked and used to drain approximately $1 million from the wallet. Affected users were compensated by the project in full.

Root cause: Smart Contract Vulnerability

Loss: approx. $1.1M

Reference: Official Twitter Announcement by BitKeep

Claimable event: Yes (Smart Contract Cover)

19. PLTD

October 18, 2022: The PLTD project was exploited due to loopholes in the PLTD contract. The attacker used two flash loans to borrow 666,000 BUSD which was exchanged into 1.57 million PLTD tokens.

Root cause: Smart Contract Vulnerability

Loss: approx. 24,497 BUSD

Reference: Analysis by QuillAudits

Claimable event: Yes (Smart Contract Cover)

20. BitBTC

October 19, 2022: A vulnerability was detected in the BitBTC bridge to Ethereum layer-2 network Optimism by a security researcher on Twitter. Following the tweet, an attacker generated 200 billion BitBTC coins to test that theory and claimed that it was just a test.

Root cause: Smart Contract Vulnerability

Loss: NIL

Reference: Online News

Claimable event: No (Exclusions under Smart Contract Cover)

21. Dataverse

October 19, 2022: Metaverse data platform Dataverse detected a hack on their GEO BSC contract. Users were advised not to buy any GEO on BSC, and any tokens bought from October 19th to 22nd are invalid.

Root cause: Unknown

Loss: NIL

Reference: Twitter Announcement by Dataverse

Claimable event: No

22. Moola Market

October 19, 2022: Lending protocol Moola Market was exploited through price manipulation, like Mango Markets. With an initial fund of 243K CELO, the attacker was able to use 60K of CELO to borrow 1.8M of MOO and the remaining CELO to buy MOO, increasing the value of their collateral. The attacker then drained the protocol of its remaining assets.

Root cause: Economic Attack/Price Manipulation

Loss: $8.4M

Reference: Post Mortem Tweet by Moola Market

Claimable event: No

23. Ethereum Alarm Clock

October 20, 2022: The Ethereum Alarm Clock had a smart contract bug that was exploited to allow hackers to make a profit on returned gas fees from cancelled transactions. The bug refunded hackers a greater value of gas fees than they initially paid for, allowing them to profit from the difference.

Root cause: Smart Contract Vulnerability

Loss: $260K

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

24. Mango INU

October 20, 2022: The Mango INU project had a rug pull and the price of MNGO has dropped by more than 80%. The attackers behind the project leveraged the Mango Markets hack.

Root cause: Rug Pull

Loss: $48.5K

Reference: Twitter Announcement by CertiK

Claimable event: No

25. Petra

October 20, 2022: Aptos Labs discovered an error related to account creation in Petra Wallet. The error occurs when an account is created in an existing wallet and results in an inaccurate mnemonic being displayed on the page.

Root cause: Mnemonic Inconsistency

Loss: NIL

Reference: Twitter Announcement by Petra

Claimable event: No

26. OlympusDAO

October 21, 2022: OlympusDAO suffered an exploit in which the attacker was able to withdraw 30K of OHM due to a loophole via the project’s smart contract “BondFixedExpiryTeller” parameter. The attacker has since returned all the tokens.

Root cause: Smart Contract Vulnerability

Loss: $292K

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

27. Gate.io

October 22, 2022: Hackers impersonated Gate.io and created a fake website. After they took over Gate.io’s official Twitter account, they replaced the original link with the fake website that promotes a fake giveaway of 500,000 USDT. When a user connects their wallet to the fake website, it allows the hackers to drain their assets.

Root cause: Phishing Attack

Loss: NIL

Reference: Online News

Claimable event: No

28. Vivity

October 22, 2022: According to CertiK, Vivity’s Discord server was hacked. Users are warned not to click on any links, mint or approve any transactions.

Root cause: Discord Server Hack

Loss: NIL

Reference: Online News

Claimable event: No

29. Blur

October 22, 2022: A fake phishing account of Blur NFT platform was discovered on Twitter. The account tweeted that the BLUR token query was open and users can access it through a URL. Users were warned not to click on any of their links.

Root cause: Phishing Attack

Loss: NIL

Reference: Online News

Claimable event: No

30. FTX & 3Commas

October 23, 2022: Automated crypto trading provider 3Commas discovered that some API keys associated with 3Commas accounts were not obtained from 3Commas. Fake websites posing as 3Commas were used to phish API keys as users linked their FTX accounts. These keys were then used to perform unauthorised DMG trades.

Root cause: Phishing Attack

Loss: approximately $4M

Reference: Online News

Claimable event: No

31. Freeway

October 23, 2022: Crypto investment platform Freeway reportedly banned withdrawals on assets worth more than $100 million. The names of all platform team members have been erased from the website, and a $100 million rug pull is suspected of having occurred.

Root cause: Rug Pull (Suspected)

Loss: $100M

Reference: Online News

Claimable event: No

32. Layer2DAO

October 23, 2022: Investment DAO Layer2DAO was exploited through a multisig hack on Optimism that drained 49 million L2DAO tokens. Layer2DAO has since repurchased 31 million tokens from the hackers through its treasury funds. The project announced it will be rolling out support for the token price in the coming days.

Root cause: Operations Failure

Loss: 49,950,000 L2DAO

Reference: Twitter Announcement by Layer2DAO

Claimable event: No

33. Quickswap

October 24, 2022: The Market XYZ lending market on Quickswap was compromised for $220,000 due to a vulnerability with the Curve Oracle, which Market XYZ was using.

Root cause: Oracle Failure/Attack

Loss: $220,000

Reference: Online News

Claimable event: No

34. Melody

October 25, 2022: Melody was compromised due to a vulnerability involving an off-chain frontend module which allowed the hacker to bypass the access control.

Root cause: Front-end Attack

Loss: 992,450 SGS

Reference: Online News

Claimable event: No

35. UvToken

October 27, 2022: The UvTokenWallet’s Eco Staking project was hacked due to lack of properly authenticated input data in its staking contract.

Root cause: Smart Contract Vulnerability

Loss: $1.5M

Reference: Twitter Announcement by UvToken

Claimable event: Yes (Smart Contract Cover)

36. Team Finance

October 27, 2022: Team Finance, a crypto liquidity provider, lost $14.5 million due to a smart contract bug in its migration function. The attacker transferred liquidity from Uniswap V2 to an attacker-controlled V3 pair with skewed pricing.

Root cause: Smart Contract Vulnerability

Loss: $14.5M

Reference: Twitter Announcement by Team Finance

Claimable event: Yes (Smart Contract Cover)

37. VTF Token

October 27, 2022: VTF Token on BSC was compromised due to a bug in VTF’s contract to receive holding rewards.

Root cause: Smart Contract Vulnerability

Loss: $58,000

Reference: Twitter Alert by Beosin

Claimable event: Yes (Smart Contract Cover)

38. THORChain

October 28, 2022: Cross-chain exchange and proof-of-bond network THORChain was halted on Oct. 27 due to a coding bug that caused “non-determinism between individual nodes.” The network is now fully operational after an outage of approximately 20.5 hours.

Root cause: Off-chain Coding Bug

Loss: NIL

Reference: Online News

Claimable event: No

39. FriesDAO

October 28, 2022: FriesDAO was hacked, with the attacker stealing $2.3 million in FRIES tokens by controlling the team’s deployer wallet.

Root cause: Wallet Compromise

Loss: $2.3M

Reference: Online News

Claimable event: No

The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, and all users should enhance their own security awareness to avoid serious losses.

InsurAce.io currently offers insurance protection for:

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.

For details on the coverage and exclusions for each cover, kindly read Cover Wording here.

🛡 Get your investment funds protected with InsurAce.io: Buy Cover
