Security Incidents in November

Hacks in November:

1. Squid Game

Nov 1, 2021: The anonymous scammers behind the BSC project Squid Game have pulled the rug on the project, making off with an estimated $3.3 million of funds.

Root cause: Scam

Loss: approx. $3.3 million

Reference: Squid Game Crypto Creators Steal Millions in Rug Pull

2. Vesper Finance

Nov 3, 2021: Vesper Finance suffered an oracle manipulation attack. An attacker created a Uniswap LP position in VUSD. Because VUSD is a low-liquidity token, the attacker was able to push the VUSD price up. The inflated price let the attacker deposit VUSD as collateral in Rari Fuse pool #23 (“Vesper Lend Beta”) and borrow all of the tokens from that pool.

All tokens in that pool were then swapped for ETH, netting the attacker over $3 million.

Root cause: Oracle Attack

Loss: $3 Million

Reference: On the Vesper Lend Beta / Rari Fuse Pool #23 Exploit

3. bZx

Nov 5, 2021: Decentralized finance (DeFi) lender bZx suffered a hack of reportedly $55 million. A private key controlling the protocol’s deployment on Polygon and Binance Smart Chain was compromised, but its smart contracts were not.

Root cause: Private Key Leak

Loss: $55 million

Reference: DeFi Lender bZx Suffers Hack for Reported $55M

4. Synapse Bridge

Nov 7, 2021: The developers of the cross-chain protocol Synapse Bridge identified a bug in the AMM Saddle metapool contracts when an attacker tried to exploit it while bridging assets from Polygon (MATIC) to Avalanche (AVAX). The team stopped the attacker before about $8 million could be withdrawn from the Avalanche Neutral Dollar (nUSD) metapool.

Root cause: Smart Contract Vulnerability

Loss: Nil

Reference: Cross-chain Protocol Synapse Bridge Prevents $8M Attack

5. Curve Finance

Nov 11, 2021: Mochi, the protocol behind the USDM stablecoin, launched a governance attack against the stablecoin exchange protocol Curve, leaving USDM liquidity providers facing a loss of $46 million.

Mochi's team bought Convex's CVX tokens, used them to vote the USDM pool's rewards up so that liquidity in USDM and the other pool assets would grow, and then, once liquidity had deepened, swapped the large amount of USDM held by the team into DAI.

Root cause: Governance Attack

Loss: $46 million

Reference: The Curve Emergency DAO has killed the USDM gauge

6. Phantom Galaxies

Nov 19, 2021: Unknown hackers gained access to the official Discord account of Phantom Galaxies using a malware bot that defeated the two-factor authentication on the admin account. Once in control of the Discord server, the hackers banned all staff accounts as well as those of advisors and community moderators.

The hackers then began to post fraudulent announcements, claiming that the game was launching an immediate surprise NFT minting event — a stealth mint. The hackers directed users to a fraudulent website that purported to be a Phantom Galaxies NFT minting platform. The fake minting platform charged users a 0.1 ETH “minting fee” that did not actually mint anything and simply transferred the funds to the scammers’ Ethereum wallet address.

Root cause: Malware Attack

Loss: approx. $1.1 Million

Reference: Hacking of Discord server of Phantom Galaxies

7. Formation.fi

Nov 20, 2021: An attacker launched a flash loan attack to alter the price of the FORM token; the exploit contract used the manipulated price to inflate the reward calculated in the withdrawal transaction. Only the rewards from the liquidity pool were affected. No investor funds, wallets or information were affected.

Root cause: Smart contract vulnerabilities

Loss: unknown

Reference: Formation.fi Attack Post-Mortem

8. Unlock Protocol

Nov 21, 2021: One of Julien’s (Unlock Founder & CEO) private keys was stolen. With that private key, the hacker upgraded the Unlock contracts on both xDAI and Polygon to add a function that seems to have enabled them to transfer ownership of the tokens held by these contracts.

Root cause: Private Key Breach

Loss: 50,000 UDT

Reference: November 21st, 2021 Incident Update

9. Olympus DAO

Nov 23, 2021: Olympus DAO mistakenly believed they had shut down the OHM/DAI bond but didn’t actually do so. This mistake enabled someone to spend $50,000 to receive $1.43 million of Olympus (OHM) tokens when they should have received far less.

Root cause: Project Team Ops Failure

Loss: Nil

Reference: OlympusDAO mistake lets user spend $50,000 to buy $1.43 million in OHM

10. Ploutoz Finance

Nov 23, 2021: Ploutoz Finance, a lending protocol on BSC, suffered a flash loan attack. The attacker manipulated the oracle price of the DOP token and used the inflated DOP as collateral to borrow other assets, including CAKE, ETH and BTCB.

Root cause: Oracle Attack

Loss: approx. $365,000

Reference: Ploutoz Finance Exploited using a Price Oracle Manipulation Hack

11. Optics

Nov 23, 2021: It was reported that the multi-signature permissions of the cross-chain bridge Optics had been replaced because someone unilaterally activated recovery mode on the GovernanceRouter contract. Although the bridge itself kept operating normally, this operation put the Optics protocol fully under the control of the recovery manager account and overwrote the original multi-signature permissions. Later investigation revealed that the change had actually been made on October 29, 25 days earlier, by a community developer in order to fix a contract bug.

Root cause: Project Team Misconduct

Loss: Nil

Reference: What happened to Celo when the cross-chain bridge multi-signature permission was replaced?

12. Lever

Nov 27, 2021: Lever, a decentralized margin trading protocol built on an AMM, suffered a flash loan attack exploiting a smart contract flaw that had been present since the first contract deployment but was overlooked by the team and its third-party auditors.

Root cause: Smart contract vulnerabilities

Loss: approx. $652,941

Reference: Full Report of the Lever Hack

13. Visor Finance

Nov 28, 2021: Visor Finance's Uniswap V3 pool was attacked with flash loans because of an oracle bug. The community recently found an issue in its smart contract (Hypervisor), which used the spot price of DEX pools as its price oracle instead of a TWAP, so the price it relied on could be moved within a single transaction.

Root cause: Smart contract vulnerabilities

Loss: 40.93 ETH

Reference: Twitter Post
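The same pattern recurs in the Vesper (item 2), Ploutoz (item 10) and Visor (item 13) incidents: a lending or reward contract values collateral at a DEX's instantaneous spot price, which a flash loan can move within one transaction. The Python simulation below is an added example, not code from InsurAce.io or from any of the protocols above; the pool reserves, loan size, loan-to-value ratio, fees and TWAP window are constructed for illustration. It models a constant-product pool, an attacker who flash-borrows USD to skew it, and a lending pool that values the attacker's collateral either at the spot price or at a ten-block TWAP.

```python
"""Toy model of flash-loan spot-price oracle manipulation versus a TWAP oracle.

Added example; not code from InsurAce.io or from Vesper, Ploutoz or Visor.
All numbers (pool reserves, loan size, LTV, fees, window) are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class ConstantProductPool:
    """x*y=k AMM pool: `coll` is the thin collateral token, `usd` the quote asset."""
    coll: float
    usd: float
    fee: float = 0.003  # 0.3% swap fee, Uniswap v2 style

    def spot_price(self) -> float:
        """Instantaneous USD price of one `coll`, read straight from reserves."""
        return self.usd / self.coll

    def buy_coll(self, usd_in: float) -> float:
        """Swap `usd_in` for `coll`; returns `coll` received and updates reserves."""
        k = self.coll * self.usd
        out = self.coll - k / (self.usd + usd_in * (1 - self.fee))
        self.usd += usd_in
        self.coll -= out
        return out


class TwapOracle:
    """Time-weighted average of the pool price over the last `window` blocks.

    Mirrors the Uniswap v2 cumulative-price idea: the price recorded for a block
    is the one that held at the block boundary, so a swap and a borrow inside
    the same block never feed their own inflated price back into the oracle."""

    def __init__(self, pool: ConstantProductPool, window: int):
        self.pool = pool
        self.window = window
        self.history = []  # one observed price per block, newest last

    def record_block(self) -> None:
        """Called once at the start of each block, before any user transaction."""
        self.history.append(self.pool.spot_price())
        del self.history[:-self.window]

    def consult(self) -> float:
        return mean(self.history)


@dataclass
class LendingPool:
    """Lends `usd` against `coll` valued at whatever price the oracle reports."""
    reserve_usd: float
    ltv: float = 0.75

    def max_borrow(self, coll_amount: float, price: float) -> float:
        return min(coll_amount * price * self.ltv, self.reserve_usd)


def simulate(flash_loan_usd: float, use_twap: bool, blocks_held: int = 0) -> dict:
    """Attacker flash-borrows USD, buys up the thin pool, posts the tokens as
    collateral and borrows against them in the same block.

    `blocks_held` > 0 models an attacker who leaves the pool skewed for that many
    further blocks before borrowing. That is impossible with a flash loan (it must
    be repaid in the same block) and exposes the attacker to arbitrage, but it
    shows how slowly a TWAP moves even then."""
    pool = ConstantProductPool(coll=100_000.0, usd=100_000.0)  # $1.00, thin liquidity
    oracle = TwapOracle(pool, window=10)
    for _ in range(10):                    # ten blocks of honest $1.00 history
        oracle.record_block()
    lender = LendingPool(reserve_usd=2_000_000.0)

    coll = pool.buy_coll(flash_loan_usd)   # price spikes inside the attack block
    for _ in range(blocks_held):
        oracle.record_block()              # skewed price now enters the window
    price = oracle.consult() if use_twap else pool.spot_price()
    borrowed = lender.max_borrow(coll, price)
    flash_fee = flash_loan_usd * 0.0009    # Aave-style 0.09% flash-loan fee
    return {
        "oracle_price": price,
        "collateral_tokens": coll,
        "borrowed": borrowed,
        "profit": borrowed - flash_loan_usd - flash_fee,  # loan repaid from the borrow
    }


if __name__ == "__main__":
    for label, kw in [("spot oracle", dict(use_twap=False)),
                      ("TWAP, same block", dict(use_twap=True)),
                      ("TWAP, held 1 block", dict(use_twap=True, blocks_held=1))]:
        r = simulate(1_000_000.0, **kw)
        print(f"{label:20s} oracle price {r['oracle_price']:9.2f}  "
              f"borrowed {r['borrowed']:13,.0f}  profit {r['profit']:13,.0f}")
```

With the spot oracle a $1M flash loan pushes the pool price from $1 to about $120, the lender values the attacker's collateral at over $10M, the attacker drains the lender's entire $2M reserve and walks away with roughly $1M after repaying the loan. With the TWAP the same swap changes nothing the oracle sees within the block, and even leaving the pool skewed for a whole block moves the ten-block average only a tenth of the way, still far short of covering the loan. A TWAP is not a complete fix for a thin pool: an attacker with capital of their own can hold a manipulation across many blocks, so the window length, the pool depth and the liquidity required before a token is accepted as collateral have to be checked together.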


The crypto industry has generated a lot of excitement; however, it also carries a lot of risk. Security incidents occur from time to time, and all users should raise their own security awareness to avoid serious losses.

InsurAce.io currently offer insurance protections for:

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
  • Custodian risk: the custodian gets hacked and the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
  • IDO event risk: the smart contract of the covered IDO platform gets hacked;
  • Stablecoin de-peg risk: the stablecoin moves significantly below its pegged price.

🚀 Get your investment funds protected with InsurAce.io: Buy Cover


About InsurAce.io

InsurAce.io is a decentralized multi-chain insurance protocol, to empower the risk protection infrastructure for the DeFi community. InsurAce.io offers portfolio-based insurance products with optimized pricing models to substantially lower the cost; launches insurance investment functions with flexible underwriting mining programs to create sustainable returns for the participants, and provides coverage for cross-chain DeFi projects to benefit the whole ecosystem.

At the time of writing, InsurAce.io has provided coverage to 80+ protocols, safeguarding over $150M DeFi assets on 11 public chains.

InsurAce.io is backed by DeFiance Capital, Parafi Capital, Alameda Research, Hashkey group, Huobi DeFiLabs, Hashed, IOSG, Signum Capital, LongHash Ventures and a dozen of other top funds.

Join InsurAce.io community:

Website | Twitter | Telegram | LinkedIn | Announcements | Medium
