Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of November 2022.
Hacks in November:
1. FITE
November 1, 2022: The FITE project is suspected of having been rug pulled. Its social media has been deleted, and its website is down.
Root cause: Rug Pull
Loss: approx. 1900 BNB
Reference: Online News
Claimable event: No
2. Skyward Finance
November 2, 2022: Skyward Finance, the NEAR on-chain token launchpad, was exploited for 1.1M NEAR, worth approximately $3 million at the time of the exploit. The attacker bought SKYWARD tokens from Ref Finance and redeemed them through the Treasury in Skyward Finance, effectively draining it.
Root cause: Smart Contract Vulnerability
Loss: $3M
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
3. Rubic
November 2, 2022: The private key of an admin wallet of the crypto exchange Rubic was stolen. As a result, the attacker gained access to 34 million Rubic tokens which were sold on Uniswap and PancakeSwap.
Root cause: Private Key Leakage
Loss: approx. $303,758
Reference: Twitter Announcement by Rubic
Claimable event: No
4. Solend
November 2, 2022: Solend suffered an oracle attack in which the attacker manipulated the oracle price of an asset, causing $1.26 million in bad debt.
Root cause: Oracle Manipulation
Loss: approx. $1.26M
Reference: Twitter Announcement by Solend
Claimable event: No
5. Deribit
November 2, 2022: Deribit, a cryptocurrency platform, was exploited for $28 million through the compromise of its hot wallet. The company has claimed that client funds are safe and that only BTC, ETH and USDC hot wallets were affected.
Root cause: Wallet Compromise
Loss: approx. $28M
Reference: Twitter Announcement by Deribit
Claimable event: No
6. pGALA
November 4, 2022: pNetwork claimed that a “misconfiguration” led to a misunderstanding that the cross-chain bridge provider was hacked for $1 billion. The network intentionally minted 28.4 pGALA tokens to drain the PancakeSwap pool in an attempt to protect token holders after the “misconfiguration” was found in its bridge contracts.
Root cause: Unknown
Loss: Unknown
Reference: Online News
Claimable event: No
7. Loopring
November 5, 2022: Loopring was hit with a large-scale DDoS attack that crashed its services for 11 hours.
Root cause: Front-End Attack
Loss: NIL
Reference: Twitter Announcement by Loopring
Claimable event: No
8. Pando
November 6, 2022: Pando suffered from an oracle price manipulation which affected its products: Pando Rings, Leaf, Lake and 4swap protocol. The protocol was in negotiations with the hacker to return some funds.
Root cause: Oracle Price Manipulation
Loss: approx. $20M
Reference: Twitter Announcement by Pando
Claimable event: No
9. MooCakeCTX
November 7, 2022: MooCakeCTX was exploited through a flash loan attack for $143,921. The contract did not settle the previous reward before conducting a new investment. The hacker borrowed 50,000 CAKE tokens using a flash loan to profit from this contract vulnerability.
Root cause: Smart Contract Vulnerability
Loss: $143K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
10. brahTOPG
November 10, 2022: The brahTOPG project on Ethereum was hacked for $89,879 due to an exploit in the Zapper contract that strictly checks the data passed in by the user, resulting in arbitrary external calls. The attacker used this exploit to steal tokens from users who had authorised the contract.
Root cause: Smart Contract Vulnerability
Loss: $89K
Reference: Analysis by Slowmist
Claimable event: Yes (Smart Contract Cover)
11. DFXFinance
November 11, 2022: The DFX Finance project on the ETH chain was attacked for a profit of about $231,138. The Curve contract's flash loan function did not have re-entrancy protection, which allowed the attacker to re-enter the deposit function and transfer tokens that were then counted when judging the balance for the flash loan repayment.
Root cause: Smart Contract Vulnerability
Loss: $231K
Reference: Twitter Announcement by Certik
Claimable event: Yes (Smart Contract Cover)
12. Flare
November 14, 2022: The Flare project is suspected of having been rug-pulled after the price of the Flare project dropped by more than 95%. A total of 4 billion tokens were made by the team before it took a profit of around $18 million.
Root cause: Rug Pull (Suspected)
Loss: approx. $18.5M
Reference: Online News
Claimable event: No
13. DeFiAI
November 14, 2022: DeFiAI was rug pulled for $4 million. Stolen funds have been transferred to the MEXC Global and FixedFloat cryptocurrency exchanges.
Root cause: Rug Pull
Loss: $4M
Reference: Online News
Claimable event: No
14. Ranger
November 15, 2022: The Ranger Project on BSC experienced an exit scam, sinking its token by 95%. The attacker sent tokens to an external wallet, profiting $77,000.
Root cause: Exit Scam
Loss: approx. $77K
Reference: Twitter Announcement by Certik
Claimable event: No
15. SheepFarm
November 16, 2022: BNB Chain’s SheepFarm project was hacked for 262 BNB due to a vulnerability in its smart contracts. The register function of the SheepFarm contract could be called multiple times, which the attacker exploited to increase their rewards and yield.
Root cause: Smart Contract Vulnerability
Loss: 262 BNB
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
16. Numbers Protocol
November 23, 2022: Numbers Protocol was hacked for 13,836 due to vulnerabilities in its smart contract. The NUM token did not have a permit function, which allowed a fake signature to be passed in order to transfer users’ assets out.
Root cause: Smart Contract Vulnerability
Loss: 13K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, and all users should enhance their own security awareness to avoid serious losses.
InsurAce.io currently offers insurance protections for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.