Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of January 2023.
1. Nikhil Gopalani
January 1, 2023: Nike’s encrypted fashion brand RTFKT’s Chief Operating Officer Nikhil Gopalani provided confidential information to hackers posing as Apple representatives and lost 19 CloneX NFTs, 18 RTKFT Space Pods and 11 CryptoKicks.
Root cause: Private Key Leakage
Loss: approx. $173K
Reference: Twitter Announcement
Claimable event: No
2. GDS Chain
January 1, 2023: GS Chain was hit with a flash loan attack that due to a contract vulnerability that resulted in a total loss of $187,000. There was a vulnerability in one of the smart contract functions that resulted in users with higher staking balances will receive higher rewards. The attacker manipulated the liquidity pool mining mechanism by transferring a huge amount of tokens using flash loan and continuously collecting rewards from the GDS token contract till the liquidity has dried up.
Root cause: Contract Vulnerability
Loss: $187K
Reference: Analysis by QuillAudits
Claimable event: Yes (Smart Contract Cover)
3. GMX Whale
January 3, 2023: A large GMX holder got hacked and 82,519 GMX tokens and 2,627 tokens were stolen. The hacker cross-chained the assets to the Ethereum network using Hop Protocol and Across Protocol. The total loss was estimated to be 3.4 million.
Root cause: Unknown
Loss: $3.4M
Reference: Online News
Claimable event: No
4. FUT
January 4, 2023: The deployer of FUT has committed an exit scam on the FUT project. Through the MasterChef contract, he withdrew approximately 67 million FCS tokens and swapped them for FUT tokens. These FUT tokens were then swapped for 2.6 million of USDT.
Root cause: Exit Scam
Loss: $2.6M
Reference: Analysis by Certik
Claimable event: No
5. DNP3
January 4, 2023: Twitch streamer DNP3 and founder of Goobers NFT, Gridcraft Network and ClucCoin has revealed that he has gambled away investors funds.
Root cause: Gambling
Loss: Unknown
Reference: Online News
Claimable event: No
6. CyberKongz
January 7, 2023: The official twitter of CyberKongz, an NFT project was hacked and original links were replaced by malicious, phishing links.
Root cause: Social Engineering Attack
Loss: $3.4M
Reference: Online News
Claimable event: No
7. Mycelium
January 7, 2023: One of Mycelium’s three oracle data vendors went offline, resulting in an overreliance of the remaining price oracles. The oracle feeding problem was magnified when Bitfinex’s ETH-USD feed price fluctuated significantly, leading to a large spread. This invited arbitrage bots to take advantage of this spread, resulting in a loss of MLP.
Root cause: Oracle Failure
Loss: $300K
Reference: Twitter Announcement
Claimable event: No
8. Twity
January 8, 2023: Web 3 Twitter marketing platform Twity’s telegram was hacked, leaking its chat record that contained the project’s private key and resulted in the disclosure of private administrator account information.
Root cause: Social Engineering Attack
Loss: Unknown
Reference: Online News
Claimable event: No
9. Chimpers
January 10, 2023: The official twitter of Chimpers, an NFT project was hacked and original links were replaced by malicious, phishing links that lured users to mint NFTs.
Root cause: Social Engineering Attack
Loss: Unknown
Reference: Online News
Claimable event: No
10. BRA
January 10, 2023: BRA token was exploited through a logical flaw in the BRA contract that allowed the hacker to gain additional rewards through a transfer process if the caller or receiver were a pair.
Root cause: Contract Vulnerability
Loss: 820BNB, approx. $225K
Reference: Analysis by BlockSec
Claimable event: Yes (Smart Contract Cover)
11. Sui Name Service
January 10, 2023: Sui Name Service, a provider of eco-friendly domain names, announced via social media that their Discord server had been hacked by a former employee who pretended to be an admin. Currently, Sui Name Service is fixing the user’s role labels.
Root cause: Social Engineering Attack
Loss: Unknown
Reference: Analysis by Slowmist
Claimable event: No
12. $ACS
January 11, 2023: $ACS was rug pulled for $10K via a backdoor function. The attacker used the transferFrom function to transfer $ACS within the BSC-USD-ACS pair and caused an imbalance in the K value. He then used a small number of $ACS to transfer out a large amount of BSC-USD within the pair.
Root cause: Rug Pull
Loss: $10K
Reference: Analysis by Beosin
Claimable event: No
13. Google Chrome
January 11, 2023: A security flaw referred to as CVE-2022-3656 impacts over 2.5 billion users of Google Chrome and browsers based on Chromium engine. This flaw enables the theft of confidential files such as encrypted wallets and cloud service provider files. The flaw was uncovered by investigating the interaction between the browser and the file system. The browser failed to properly verify if a symbolic link directed to an unreachable location, making it possible to steal sensitive files. This is commonly referred to as symbolic link following. Hackers can exploit encrypted phishing websites to access users’ confidential files.
Root cause: Browser Vulnerability
Loss: Unknown
Reference: Online News
Claimable event: No
14. RoeFinance
January 12, 2023: ROE Finance suffered an attack on the Ethereum blockchain. The attacker utilized flash loans to disrupt one of the pools that had limited liquidity, affecting the price, then drained the funds from the target pool resulting in a loss of $80K.
Root cause: Economic Attack
Loss: $80K
Reference: Analysis by BlockSec
Claimable event: No
15. CirculateBUSD and CirculateWBNB
January 12, 2023: An externally owned address 0x5695E created two contracts named CirculateBUSD and CirculateWBNB along with an additional unverified contract, referred to as “SwapHelper”. A function had a third party dependency with SwapHelper that allowed any funds deposited into this contract to be transferred to the deployer’s own address
Root cause: Exit Scam
Loss: $2.5M
Reference: Analysis by Certik
Claimable event: No
16. LendHub
January 13, 2023: The LendHub hack was a result of not properly removing a outdated token during a market update. LendHub switched the existing IBSV token with a new version that had its own Comptroller contracts, but failed to eliminate the old token, causing both to coexist with the same market value. This error enabled the attacker to manipulate both token contracts independently, exploiting their differences. The attacker utilized the mint and redeem options in the old market and obtained loans in the new market, leading to discrepancies in the liabilities calculation between the two markets, allowing the attacker to steal about $6 million from the new token.
Root cause: Ops Failure
Loss: $6M
Reference: Analysis by Slowmist
Claimable event: No
17. UF Dao
January 13, 2023: xdaoapp’s UF DAO has been hacked due to a contract vulnerability caused by incorrect parameter settings. The attacker took advantage of UF Dao’s 1:1 public offer and then redeemed almost all of it in USDC
Root cause: Contract Vulnerability
Loss: $90K
Reference: Analysis by QuillAudits
Claimable event: Yes (Smart Contract Cover)
18. NFT God
January 14, 2023: An NFT influencer by the name of NFT God has been hacked after downloading a malicious software when he clicked a sponsored advertisement. His crypto wallet was compromised, leading to a loss of his entire crypto and NFT portfolio. At least 19 Ether and a Mutant Ape Yacht Club NFT were stolen..
Root cause: Wallet Compromise
Loss: Unknown
Reference: Twitter Announcement
Claimable event: No
19. Midas Capital
January 16, 2023: The Jarvis Network and Midas Capital were considering expanding collateral options and setting supply limits to prevent excessive borrowing, but this was not enough to stop the flash loan exploit that has been a persistent problem in the market. The attacker inflated the price of the LP token and took out a flash loan, stealing over $660,000 in jAssets. The team acknowledged their mistake in assuming that the reentrancy issue they had encountered before would not impact the native “raw_call” function of the chain.
Root cause: Contract Vulnerability
Loss: $650K
Reference: Twitter Announcement
Claimable event: Yes (Smart Contract Cover)
20. Yield Robot
January 17, 2023: The Yield Robot project on BSC has been rug pulled for 2.1 million. Initially, the team described it the drainage was an exploit by a hacker. However, the project’s social media accounts were deleted after 48 hours and no further announcements were made.
Root cause: Rug Pull
Loss: $2.1M
Reference: Analysis By Certik
Claimable event: No
21. OMNI Real Estate Token
January 17, 2023: The attack OMNI Real Estate occurred due to a weakness in the StakingPool Contract, which lacked adequate parameter validation. The rewards were calculated in the contract using the “_Check_reward” function, which had two parameters (durations and balance) that were controlled by the user.
Root cause: Contract Vulnerability
Loss: $70K
Reference: Analysis By QuillAudits
Claimable event: Yes (Smart Contract Cover)
22. Upswing Finance
January 17, 2023: Upswing Finance was hit with a flash loan attack due to a design flaw in its UPStkn token, allowing the attacker to manipulate the price of the token in the liquidity pool.
Root cause: Price Manipulation
Loss: $35K
Reference: Online News
Claimable event: No
23. Thoreum Finance
January 19, 2023: Thoreum Finance was exploited due to vulnerabilities in its smart contract. The vulnerability arose from an incorrect implementation of the transfer function in the contract, where if a wallet sent funds to itself, the number of tokens in the wallet would increase by the amount sent.
Root cause: Contract Vulnerability
Loss: $580K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
24. FFF
January 20, 2023: The FFF token on BSC experienced an unusual additional issuance event where the administrator of the project party utilized the pre-set additional issuance contract to purchase and sell the extra tokens. Over $1.03 million worth of FFF tokens were sold in this event.
Root cause: Rug Pull
Loss: $1M
Reference: Online News
Claimable event: No
25. Doglands
January 21, 2023: Dogechain’s ecological Doglands project has been rug pulled. Its official Twitter and Website have been removed and 2 addresses have drained all the reserves in the LP token which had around $204,000. The funds have since been transferred to Ethereum via a cross chain bridge and transferred to multiple addresses.
Root cause: Rug Pull
Loss: $204K
Reference: Analysis By QuillAudits
Claimable event: No
26. Robinhood
January 26, 2023: The Robinhood Twitter account was compromised and used to promote a fake crypto project. The hackers advertised a new token called $RBH, claiming it would be priced at $0.0005 on Binance Smart Chain. Approximately 25 individuals bought the fraudulent tokens for a total of nearly $8,000 before the link was taken down. Robinhood stated in a blog post that the unauthorized posts on their Twitter, Instagram, and Facebook were removed promptly, and the company believes the cause was a third-party vendor.
Root cause: Social Engineering Attack
Loss: $8K
Reference: Online News
Claimable event: No
27. Kevin Rose
January 26, 2023: Kevin Rose, founder of NFT project Moonbirds’s personal wallet was hacked and a total of around 40 NFTs were stolen. Rose signed a malicious signature which gave the hackers the authority to transfer his NFTs.
Root cause: Private Key Leakage
Loss: $2M
Reference: Online News
Claimable event: No
28. UniswapV2Pair WETH-BCI
January 26, 2023: The WETH-BCI pool was attacked due to a contract vulnerability which highlighted a flawed logic in the internal_transfer function of the BCI token contract. The logic allowed 1% of BCI tokens to be burnt every 10 minutes when there is a transfer, inflating the value of the BCI tokens. Note: The vulnerability does not stem from Uniswap’s smart contracts and hence is not claimable for Uniswap’s Smart Contract Cover on InsurAce.
Root cause: Contract Vulnerability
Loss: $11K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
29. Azuki
January 27, 2023: Azuki’s Twitter account was hacked and a tweet was posted that asked followers to “claim land” in The Garden, which was Azuki’s native metaverse platform. The malicious link has since been deleted and followers were warned not to click any links from the account.
Root cause: Social Engineering Attack
Loss: 1.7M
Reference: Twitter Announcement
Claimable event: No
30. Bevo
January 30, 2023: The BEVO NFT Art Token on BSC suffered an attack resulting in a loss of around $45,000. The exploit was due to the token being deflationary, where the attacker manipulated the token balance by calling the deliver() function, decreasing the value of _rTotal and affecting the calculation of the balance using getRate(). The attacker then transferred the increased PancakePair balance to their account using skim, and exchanged the increased BEVO back to WBNB after another call to deliver().
Root cause: Economic Attack
Loss: $45K
Reference: Analysis by BlockSec
Claimable event: No