Security Incidents in December

Hacks in December:

1. BadgerDAO

Dec 2, 2021: The DeFi platform BadgerDAO suffered a front-end attack in which the hacker used a compromised API key, created without the knowledge or authorization of Badger engineers, to periodically inject malicious code that stole $120M in funds.

Root cause: Front-end Attack

Loss: approx. $120 million

Reference: BadgerDAO Hack: It Could Have Been Easily Avoided

2. BitMart

Dec 5, 2021: Crypto trading platform BitMart experienced “a large-scale security breach” caused by a stolen private key, which affected its Ethereum and Binance Smart Chain hot wallets, but other assets were “safe and unharmed.”

Root cause: Private key leak

Loss: $150 Million

Reference: BitMart hack

3. 8ight Finance

Dec 6, 2021: 8ight Finance, an OHM fork on Harmony, reported that all funds in the treasury were withdrawn due to a leak of the private keys. The team stated that two developers on the team have the key, and that the keys were sent through Facebook group chat and Google Drive.

Root cause: Project Team Ops failure

Loss: approx. $1.75 Million

Reference: 8ight Finance hacked due to leak of the private key

4. Autobot DeFi

Dec 6, 2021: Autobot DeFi rug pulled, removing liquidity shortly after the farm started.

Root cause: Scam

Loss: NA

Reference: Alert by rugdoc.io

5. PizzaPro Finance

Dec 8, 2021: DeFi platform Pizza was hacked. The hacker was able to exploit an overflow vulnerability on eCurve to mint infinite Tripool tokens and use them as collateral on PIZZA to withdraw all the funds from the platform.

Root cause: Smart Contract Vulnerability

Loss: $5 million

Reference: Pizza EOS DeFi Hacked, $5M Stolen

6. Solana

Dec 10, 2021: Solana’s blockchain performance was reportedly hit by a distributed denial-of-service (DDoS) attack that temporarily clogged the network.

Root cause: DDoS Attack

Loss: NIL

Reference: Solana reportedly hit by DDoS attack

7. AscendEX

Dec 11, 2021: The AscendEX cryptocurrency exchange suffered a hot wallet breach of $77.7 million.

Root cause: Private key leak

Loss: approx. $77.7 Million

Reference: Crypto Exchange AscendEX Hacked, Losses Estimated at $77M

8. Vulcan Forged

Dec 13, 2021: Vulcan Forged, a Polygon-based NFT marketplace, suffered a security breach that allowed attackers to gain access to the private keys of 96 users’ wallets.

Root cause: Project Team Ops failure

Loss: $140 million

Reference: NFT Marketplace Vulcan Forged Hacked for $140M

9. Brinc Finance

Dec 14, 2021: Brinc Finance was attacked due to private key compromise, resulting in the loss of 290 ETH (~ $1.1 million).

Root cause: Project Team Ops failure

Loss: 290 ETH

Reference: Brinc Finance was attacked due to suspected private key compromise

10. WePiggy

Dec 15, 2021: WePiggy-OEC protocol experienced a short-term error in the CHE oracle, causing the CHE price in WePiggy to be much higher than the market price, and resulting in abnormal liquidations for users who borrowed CHE assets.

Root cause: Oracle Failure

Loss: $400,000

Reference: Incident Report for WePiggy

11. Grim Finance

Dec 19, 2021: The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits. The attacker exploited the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the initial transaction was still in progress, thereby tricking the platform.

Root cause: Smart Contract Vulnerability

Loss: $30 million

Reference: DeFi Protocol Grim Finance Exploited for $30 Million Worth of FTM

12. Bent Finance

Dec 21, 2021: Bent Finance suffered an internal attack in which a rogue developer inserted a backdoor into the contract that later allowed the attacker to exploit the cvxcrv and MIM pools and steal 513k cvxcrv LP tokens.

Root cause: Project Team Ops Failure

Loss: 513k cvxcrv LP tokens

Reference: Bent Finance exploit update

13. Visor Finance

Dec 21, 2021: The DeFi protocol Visor Finance was hacked, resulting in over $8 million worth of losses. Due to a vulnerable require() check in the vVISR Rewards Contract’s deposit() function, the hacker managed to manipulate the transfer function, mint unlimited shares using their own contract, and drain the staking pool.

Root cause: Smart Contract Vulnerability

Loss: approx. $8 million

Reference: Visor Finance Hacked For $8M in Latest DeFi Exploit

14. Grape Protocol

Dec 22, 2021: Grape Protocol reported that one of their setup admins got hacked 7 days ago. The hackers are using an exploit involving Discord webhooks to attack several servers where that admin had access.

Root cause: Unknown

Loss: NA

Reference: Twitter announcement from Grape Protocol

15. Fractal

Dec 22, 2021: NFT platform Fractal suffered a webhook exploit due to security flaws in Grape Protocol. The hacker gained access to the announcement channel of the Fractal project’s Discord server, then made off with around 800 SOL (~$150,000) by posting a fake NFT mint link in the channel and asking community members to pay for the new NFTs.

Root cause: Scam

Loss: approx. 800 SOL

Reference: Official statement from Fractal about the hacking

16. Monkey Kingdom

Dec 22, 2021: Monkey Kingdom suffered the same webhook exploit as Fractal. Its Discord server was hacked, which resulted in hackers stealing $1.3M in $SOL from the community.

Root cause: Scam

Loss: approx. $1.3 million

Reference: Update of the Monkey discord hack

17. MetaDAO

Dec 27, 2021: MetaDAO has made off with roughly 800 ETH, or $3.2 million, in a rug pull scam.

Root cause: Scam

Loss: approx. $3.2 million

Reference: MetaDAO Makes Off With $3.2M in Rug Pull

18. MetaSwap

Dec 27, 2021: NFT swapping platform MetaSwap was detected by PeckShield to have rug pulled, with $600k worth of BNB stolen.

Root cause: Scam

Loss: approx. $600,000

Reference: MetaSwap Rug Pulled: $600K Worth of BNB Stolen

19. Vesper Finance

Dec 31, 2021: Vesper Finance tweeted that there was an exploit in the beta Vesper Lend Rari Fuse Pool #23. The attacker manipulated an oracle and drained the beta test lending pool of approx. $1 million in DAI, ETH, WBTC, and USDC. This was not an attack on the Vesper contract; no VSP or VVSP was jeopardized.

Root cause: Oracle Attack

Loss: approx. $1 million

Reference: Vesper official Twitter announcement


The crypto industry has generated a lot of excitement; however, there are a lot of risks involved. Security incidents occur from time to time, and all users should enhance their own security awareness to avoid serious losses.

InsurAce.io currently offers insurance protections for:

· Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;

· Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;

· IDO event risk: the smart contract of the covered IDO platform gets hacked;

· Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.

👉 Get your investment funds protected with InsurAce.io: Buy Cover


About InsurAce.io

InsurAce.io is a decentralized multi-chain insurance protocol that empowers the risk protection infrastructure for the DeFi community. InsurAce.io offers portfolio-based insurance products with optimized pricing models to substantially lower the cost, launches insurance investment functions with flexible underwriting mining programs to create sustainable returns for the participants, and provides coverage for cross-chain DeFi projects to benefit the whole ecosystem.

At the time of writing, InsurAce.io has provided coverage to 90+ protocols, safeguarding over $190M DeFi assets on 14+ public chains.

InsurAce.io is backed by DeFiance Capital, Parafi Capital, Alameda Research, Hashkey group, Huobi DeFiLabs, Hashed, IOSG, Signum Capital, LongHash Ventures and a dozen other top funds.
