February Hacks Report

1. BonqDAO

February 2, 2023:  Polygon-based lending and stablecoin protocol was hacked by a two-stage attack for 120 million. The attacker manipulated the price of the WALBT token such through a function of the oracle which allowed them toAs a result of the raised WALBT token, 100 million BEUR tokens were borrowed. The price of WALBT was then set to a low through a second transaction, which allowed the attacker to liquidate WALBT staked by other users and obtain 114M WALBT which was burnt to unlock ALBT tokens.

Root cause: Oracle Manipulation

Loss: approx. $120M

Reference: Analysis by Beosin

Claimable event: No 

2. Orion Protocol

February 3, 2023: Orion Protocol was hit with a reentrancy attack due to a flaw in its smart contract. There was incomplete reentrancy protection which allowed token transfer to reenter other functions to increase user balance without costing any funds

Root cause: Contract Vulnerability (Reentrancy Attack)

Loss: $3M 

Reference: Analysis by PeckShield

Claimable event: Yes (Smart Contract Cover) 

3. SperaxUSD

February 4, 2023: SepraxUSD, a protocol on Arbitrium was exploited for a total of $300K through a vulnerability in its smart contracts which allowed the exploiter to increase his token balance without providing matching collateral. The flaw has since been solved with a smart contract upgrade.

Root cause: Contract Vulnerability

Loss: $300K

Reference: Twitter Announcement

Claimable event: Yes (Smart Contract Cover) 

4. LianGoPay

February 7, 2023: LianGoPay ’s assets in the LGTPool pledge contract were attacked due to a private key compromoise that resulted in the deployment of fake pools alongside real ones, making it difficult to differentiate. The attacker deposited many tokens in the malicious pool and redeemed a large amount of LGT tokens which were exchanged for BSC-USD tokens

Root cause: Private Key Leakage

Loss: $1.6M

Reference: Analysis by Halborn

Claimable event: No 

5. CoW Protocol

February 7, 2023: CoW Protocol, a decentralised exchange was attacked for a total of 550 BNB due to a vulnerability within the token authorisation process. Barter solver, a new solver for CoW’s solver competition deployed an approval to a contract called SwapGuard. The attacker was able to exploit the security issue of the SwapGuard contract, which allowed arbitrary call execution from the SwapGuard contract.

Root cause: Contract Vulnerability

Loss: $180K

Reference: Analysis by BlockSec

Claimable event: Yes (Smart Contract Cover) 

6. Nostr

February 8, 2023: Nostr, a fake project on the Ethereuem chain has been rug pulled for 232.1 ETH.

Root cause: Rug Pull

Loss: 232.1 ETH

Reference: Online News

Claimable event: No 

7. Umami Finance

February 9, 2023: Umami Finance, a DeFi protocol offering institutional yield products has been rug pulled. Its CEO dumped tokens on the market, which allowed him to cash out over $380,000 after the price of the UMAMI token crashed by over 60%

Root cause: Rug Pull

Loss: $380K

Reference: Online News

Claimable event: No 

8. SushiSwap

February 10, 2023: SushiSwap’s BentoBoxv1 contract was compromised due to price manipulation. The Kashi Medium Risk ChainLink was updated later than the mortgage which allowed the attacker to conduct a flashloan that dropped the price of kmxSUSHI/USDT. The attacker then liquidated his assets and obtained 26K of USDT.

Root cause: Price Manipulation

Loss: $26K

Reference: Online News

Claimable event: No 

9. dForce

February 10, 2023: dForce Network, a DeFi aggregation platform was attacked on Arbitrum and Optimism through a reentrancy vulnerability, profiting a total of 1.9M on Arbitrum and 1.7M on Optimism. The attacker took a flash loan and deposited them into Curve’s wstETH/ETH and further deposited the LP tokens into dForce’s wstETHCRV-gauge vault. When removing liquidity, the reentrancy vulnerability was exploited to manipulate the price of the wstETHCRV-gauge tokens, allowing him to profit off the liquidation of other users.

Root cause: Contract Vulnerability (Reentrancy Attack)

Loss: $3.65M

Reference: Analysis by SlowMist

Claimable event: Yes (Smart Contract Cover) 

10. BSC-WBNB-WOOF Trading Pair

February 10, 2023: An individual managed to acquire the BSC-WBNB-WOOF trading pair through a backdoor for a total of $115,000. However, this was accomplished through an exploit, which caused the price of $WOOF to drop by 88%. The attacker used an address (jZKbvD) that could transfer $WOOF from any address to 0 authorization via the transferFrom function. They proceeded to transfer $WOOF tokens and update the reserves of the pool and then swapped out the WBNBs in the pair for a large number of $WOOF tokens

Root cause: Rug Pull

Loss: $155K

Reference: Online News

Claimable event: No

11. FDP Token

February 10, 2023: FDP was hit with a flash loan attack that was compromised for $10,000. The attacker borrowed 1,363 WBNBs and exchanged for $FDP. Prior to the manipulation, the currentRate was calculated for the FDPs. In this scenario, the rtotal was not reduced, and neither the pair nor the attacker was considered a deflationary exception. The attacker then called the deliver function with the tAmount, which decreased the user-specified tAmount and added it to the fee. The 284631626035854 tAmount FDPs accounted for 28% of the total supply of FDPs. After calling deliver, when _rTotal is 28% less and _tTotal remains the same, _getRate shrinks. Since the transaction pair is not a deflation-excluded address, the obtained balance is larger. Consequently, the attacker could withdraw the increased $FDP and exchange it for $WBNB.

Root cause: Price Manipulation

Loss: 10K

Reference: Online News

Claimable event: No 

12. OneKey

February 11, 2023: A cybersecurity startup called Unciphered conducted a whitehat attack on encrypted hardware wallets made by OneKey. The startup found that it was feasible to reset the device to its original factory mode and circumvent the security pin. This could potentially enable an attacker to erase the mnemonic phrase that is utilized to recover a wallet. OneKey has since paid Unciphered a bounty for the disclosure and no one was affected

Root cause: Wallet Attack

Loss: NIL

Reference: Online News

Claimable event: No

13. Namecheap

February 12, 2023: Namecheap’s email account was breached, allowing phishing emails said to be from MetaMask and DHL to flood users’ emails. The emails attempted to steal personal information and cryptocurrency wallets.

Root cause: Phishing Attack

Loss: NIL

Reference: Online News

Claimable event: No

14. Multichain

February 15, 2023: Multichain, an infrastructure designed to support arbitrary cross-chain interactions was hit with a front-running attack. The attacker used an MEV contract to front-run and call a function of the AnyswapV4Router to sign and approve the transfer. The stolen WETH lacked a signature verification function which allowed the attacker to transfer WETH to the victim contract. This was a result of a previous vulnerability that still exists for users who had not yet revoked approvals for their affected router contracts.

Root cause: Front-Running Attack

Loss: 130K

Reference: Online News

Claimable event: No

15. FarmApp

February 15, 2023: The FarmApp contract singer’s private key was stolen, resulting in an exploit that earned the hacker 301 BNB. By utilizing the singer’s signature, the attacker called the sowSeed function to generate newSowData with 42 sowid, and then proceeded to call the claimedSeed function again to steal 936,387 $MMT. The stolen MMT was exchanged for 301 BNB (equivalent to around 93K USD) and transferred to the tornado cash. As a consequence of the exploit, the price of MmtMiner dropped by 81%.

Root cause: Private Key Leakage

Loss: 301 BNB

Reference: Online News

Claimable event: No

16. Dexible

February 17, 2023: Dexible, a decentralised exchange aggregator was hacked for 1.54 million. There was a flaw in the logic of the selfSwap function that invokes the fill function, which in turn calls a data defined by the attacker. The hacker has created a transferfrom function within this data, enabling them to pass in their own attack address as well as that of other users. This allows the transfer of tokens approved for the contract to be moved out.

Root cause: Contract Vulnerability

Loss: $1.54M

Reference: Analysis by Beosin

Claimable event: Yes (Smart Contract Cover)

17. Platypus Finance

February 17, 2023: Platypus Finance was exploited through a flash loan attack which resulted in a total loss of $9 million. The exploit was executed by exploiting a flawed check mechanism during the withdrawal of collateral. Initially, the attacker obtained a flash loan of 44M USDC, which was subsequently deposited into Platypus. The resulting LP tokens were utilized as collateral to borrow 41.7M USP. The emergencyWithdraw() function only verifies if the user’s position is solvent, without considering the impact of any borrowed funds. This enables the attacker to withdraw the supplied collateral while retaining the borrowed USP. This resulted in the de-peg of USP and a loss in users’ funds in the main pool. The cause of this exploit is an exclusion in InsurAce’s cover wordings in that will not cover loss of value of users funds due to the de-peg of USP.

Root cause: Contract Vulnerability

Loss: $9M

Reference: Twitter Announcement

Claimable event: No (Exclusion under Smart Contract Cover)

18. BABYDOLL

February 19, 2023: BABYDOLL project suffered a flash loan attack that resulted in a loss of around $13.1K. The attacker borrowed 1,182 WBNB and subsequently changed 12 WBNB tokens in the BABYDOLL-WBNB pair to 0.000000000001 BABYDOLL tokens. By executing the burn function multiple times, the attacker destroyed BABYDOLL tokens, which lowered the value of “_tTotal” and the balance of BABYDOLL-WBNB. Since the BABYDOLL-WBNB pair is not excluded, the reflection mechanism affected its balance. Using the imbalanced reserves in the pool, the attacker called the swap function to acquire 37 WBNB, returned the flash loan, and walked away with 25 BNB ($7.9K).

Root cause: Contract Vulnerability

Loss: $7.9K

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

19. Revert Finance

February 20, 2023: Revert Finance, an AMM liquidity management protocol reported on Twitter that their v3utils contract had been hacked, and a single account lost 90% of its funds. The stolen assets included 22983.235188 USDC, 4106.316699 USDT, 485.5786287699002 OP, 0.18217977664322793 WETH, 36.59093198260223 DAI, 211.21463945524238 WMATIC, and 22 Premia, totaling about $29,000 based on current market prices.

Root cause: Contract Vulnerability

Loss: $29K

Reference: Twitter Announcement

Claimable event: Yes (Smart Contract Cover)

20. Edge Wallet

February 20, 2023: Edge Wallet has been compromised, resulting in the theft of 2000 private keys. A user had notified Edge Wallet’s staff of an unauthorized transaction of Bitcoins it was determined that the private key of the Bitcoin wallet was compromised. Since then, a vulnerability that would leak private keys when a user perform both actions have been identified.

Root cause: Private Key Leakage

Loss: Unknown

Reference: Online News

Claimable event: No

21. Snowfall Protocol

February 21, 2023: Snowfall Protocol has been hit with a rug pull, with the Snowfallcoin dropping in price by over 97%. The attacker removed 536.5 WBNB from the project’s liquidity, estimated to be about $166,000 in stolen funds.

Root cause: Rug Pull

Loss: $166K

Reference: Online News

Claimable event: No

22. Dynamic Finance

February 22, 2023: Dynamic Finance, a smart money market aggregator was hacked due to insufficient reentrancy protection, losing 73 BNB. In their staking contract, users were able to deposit DYNA and claim reward. However, the logic of the deposit function allows this value to be recorded for the first deposit, allowing the attacker to redeem rewards when depositing a large amount of DYNA due to a large flash loan

Root cause: Contract Vulnerability

Loss: $22K

Reference: Online News

Claimable event: Yes (Smart Contract Cover)

23. Hope Finance

February 22, 2023: Hope Finance, an Arbitrum-based DeFi project has been claimed to have been rug pulled by a team member. The attacker deployed a fake router in transaction 0xf188, and subsequently updated SwapHelper to use this fake router in transaction 0xc9ee. The change of details in the smart contract led to the drainage of funds.

Root cause: Rug Pull

Loss: $2M

Reference: Online News

Claimable event: No

24. HakunaMatata

February 22, 2023: HakunaMatata was attacked through a flash loan attack which saw the attacker earn 33 WBNB. The attacker manipulated the tTotal and rTotal in deflationary tokens and through the deliver and burn functions.

Root cause: Price Manipulation

Loss: $10K

Reference: Online News

Claimable event: No

25. Solana

February 25, 20233: Solana network experienced technical difficulties that hindered users’ ability to conduct on-chain activities such as trading crypto and transferring assets. This was caused by the blockchain “forking” at approximately 12:53 a.m. ET, leading to a drop in transaction throughput and an increase in validators’ RAM usage. Consequently, almost all on-chain activities were effectively frozen on the network. By 2 a.m., the network’s transaction processing rate had reduced to about 93 transactions per second (TPS), down from the previous rate of nearly 5000 TPS about 15 minutes earlier, as reported by Solana Explorer.

Root cause: Validator Bug

Loss: NIL

Reference: Online News

Claimable event: No

26. HideYoApes

February 27, 2023: An NFT collector’s several expensive NFTs, including a Bored Ape, Mutant Ape, three Bored Ape Kennel Club NFTs, a SewerPass, and two Otherdeeds have been stolen and sold for a profit of 127.3 wETH. The MetaMask wallet extension has been downloaded and installed from the official website.

Root cause: Unknown

Loss: $208K

Reference: Twitter Announcement

Claimable event: No

27. DungeonSwap

February 27, 2023: The DeFi project Dungeon Swap on BSC has been exploited for $728,000. The exploiter stole BUSD from users who approved the DND token contract and transferred all profits to another hash.

Root cause: Contract Vulnerability

Loss: $728K

Reference: Twitter Announcement

Claimable event: Yes (Smart Contract Cover)

28. LaunchZone

February 27, 2023: LaunchZone, a DeFi protocol on the BNB chain was exploited for a total of $700,000. The value of the LZ token dropped by more than 80% as the funds were swapped out through PancakeSwap.

Root cause: Unknown

Loss: $700K

Reference: Online News

Claimable event: No

29. MyAlgo

February 28, 2023: MyAlgo, a wallet provider for the Algorand network has been hit with an exploit that has seen an estimated of $9.2 million worth of funds stolen. As of writing, the team has issued warnings to users and is still finding the root of the exploit. Users who had mnemonic wallets were more susceptible to the exploit.

Root cause: Unknown

Loss: $9.2M

Reference: Online News

Claimable event: No

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top