The Heart Project
Feb 2, 2022: The Heart Project faced an attack on their official Discord server in early February. The scammers deleted most of The Heart Project’s Discord channels and posted fake minting links. According to The Heart Project, some users claimed they lost their assets after they clicked on fraudulent links. The Heart Project promised to reimburse the affected user.
Root cause: Discord server ownership was not transferred.
Loss: Not disclosed.
Reference: Official Announcement
Claimable event: No
Wormhole
Feb 2, 2022: The Wormhole, a cross-chain bridge on the Solana network, became the victim of the largest exploit recently. The attacker exposed a security flaw that was presented in the smart contract to bypass the verification to continuously mint 120000 wrapped ETH on Solana and utilize it to deplete part of them in the bridge on Ethereum and sold the rest for SOL.
Root cause: Smart Contract Vulnerability
Loss: approx. $320 million
Reference: Wormhole cryptocurrency platform hacked for $325 million after an error on GitHub
Claimable event: Yes (Smart Contract Vulnerability Cover)
KLAYswap
Feb 3, 2021: A South Korean DeFi project, KLAYswap was being hacked. The hackers planned months in advance to start the attack via the instant messaging platform used by KLAYswap for marketing and tech support operations. The attackers modified the links which directed users to download malware when visiting the KLAYswap website. When a transaction is initiated, it ed and transferred to the hacker’s wallet. In a short period of just two hours, 407 suspicious transactions took place in 325 wallets and users suffered a loss of about $1.83 million.
Root cause: Front-end Attack
Loss: approx. $1.83 million
Reference: KlaySwap crypto users lose funds after BGP hijack
Claimable event: No
Meter.io
Feb 6, 2022: Meter Passport, a cross-chain bridge was hacked. The hacker exploited a vulnerability in the deposit function, which utilized the feature of automatically wrapping and unwrapping Gas Tokens (such as ETH and BNB) for user convenience to fake the transactions. The contract did not prohibit the wrapped ERC20 Token from interacting directly with the native Gas Token, nor did it properly transfer and verify the correct amount of WETH transferred from the caller address.
Root cause: Smart Contract Vulnerability
Loss: approx. $4.4 million
Reference: Official Twitter Announcement
Claimable event: Yes (Smart Contract Vulnerability Cover)
Superfluid
Feb 8, 2022: QiDao tweeted the happening of an exploit of Superfluid’s vesting contract which QI was one of the affected tokens. They also claimed the user funds on the QiDao contract are safe as the exploit was only on Superfluid. The stolen tokens belonged to the early backers of the project as well as team vested tokens.
Root cause: Smart Contract Vulnerability
Loss: $13 million
Reference: Official Twitter Announcement
Claimable event: Yes (Smart Contract Vulnerability Cover)
PayBito
Feb 8, 2022: The LockBit ransomware group claimed that they have successfully stolen the database, which contains more than 100000 records of customer information, from cryptocurrency exchange PayBito. Some of the stolen data is published on the group’s Tor leak site. They claimed the stolen records have email addresses with weak password complexity which can be easily decrypted. In addition, The alleged data also includes the administrator’s personal data. They also claimed that the stolen data would be released on Feb 21, 2022, if the ransom was not paid.
Root cause: Ransomware
Loss: NIL
Reference: LockBit ransomware gang claims PayBito crypto exchange as new victim
Claimable event: No
Dego Finance
Feb 10, 2022: Dego Finance, an NFT and DeFi aggregator, was recently hacked. The attackers compromised the keys to the address providing liquidity on Uniswap and PancakeSwap and withdrew more than $10 million from 13 wallet addresses.
Root cause: Compromised Key
Loss: approx. $10 million
Reference: Multichain DeFi, NFT Platform Dego Finance Suffers $10M Hack
Claimable event: No
BabyMuskCoin
Feb 10, 2022: BabyMuskCoin went down the drain in flash. 1,571 BNB which is the equivalent of $660,000 was dumped, and funds were moved to Tornado. The project team claimed to have been scammed via Telegram, but their website and social media accounts were also taken down. Users are also unable to sell their tokens. It appears to be a rug pull.
Root cause: Scam/Rug Pull
Loss: 1,571 BNB
Reference: BabyMuskCoin Comes Crashing Down After Rug Pull, $660K in BNB Lost
Claimable event: No
FutureSwap
Feb 11, 2022: Decentralized derivatives trading platform FutureSwap announced that an account with access to a reserve of around 300,000 FST reward (0.3% of supply) was compromised yesterday by human error. The attackers were able to gain access to Arbitrum and transfer the available reward FST to themselves. Currently, Arbitrum FST has used the new contract to control the compromised FST. The FST Arbitrum bridge was disabled and the restoration was scheduled within 24 to 48 hours.
Root cause: Credential disclosure
Loss: NIL
Reference: Official Twitter Announcement
Claimable event: No
IRA Financial
Feb 12, 2022: IRA Financial Trust, an institutional partner of the Gemini cryptocurrency exchange, was hacked last week, leading to the theft of $36 million in cryptocurrency. They detected suspicious activity affecting the customer base with accounts on the Gemini protocol. The hackers managed to withdraw $21 million in Bitcoin and $15 million in Ethereum from IRA Financial Trust accounts. Some users claimed their cash stored in their Gemini account was also taken.
Root cause: Not disclosed.
Loss: approx. $36 million
Reference: Hackers Snagged $36 Million in Crypto in Breach of IRA Financial
Claimable event: No
Titano Finance
Feb 14, 2022: The Titano Finance project on the BSC chain was attacked. This hack was made possible by a project trusting contractors to deploy a smart contract without adequate oversight. The smart contract code included a statement that allowed the deployer of the contract to set the pool’s strategy. This allowed the contractor to exploit these privileges to steal 4828.7 BNB.
Root cause: Third-Party Attack
Loss: 4,828.7 BNB
Reference: Explained: The Titano Finance Hack
Claimable event: No
Build Finance
Feb 15, 2022: Build Finance, the venture capital DAO organization, suffered a malicious governance takeover. The perpetrator successfully controlled the Build token contract by getting a majority of the votes. He tricked DAO members to gain control over DAO’s treasury and its ability to mint tokens. From this takeover, he successfully stole BUILD and METRIC tokens worth $470K.
Root cause: Governance Attack/Failure
Loss: $470000
Reference: Official Twitter Announcement
Claimable event: No
Rigoblock
Feb 18, 2022: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited.
Root cause: Smart Contract Vulnerability
Loss: Unknown
Reference: Official Twitter Announcement
Claimable event: Yes (Smart Contract Vulnerability Cover)
Gold Mine Finance
Feb 19, 2022: According to Rugdoc.io, the Fantom ecological project Gold Mine Finance has been rug pulled.
Root cause: Scam/Rug Pull
Loss: 432 BNB
Reference: Rugdoc.io Tweet
Claimable event: No
OpenSea
Feb 20, 2022: attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. Several users posted a warning on Twitter that the new migration contract launched by OpenSea yesterday was suspected of having a bug, and the attacker was using the bug to steal a large number of NFTs and sell arbitrage. OpenSea responded and claimed that it was a phishing attack from outside its official website and warned the users not to click any link outside of http://opensea.io.
Root cause: Phishing Attack
Loss: approx. $1.7 M
Reference: $1.7 million in NFTs stolen in an apparent phishing attack on OpenSea users
Claimable event: No
Flurry Finance
Feb 23, 2022: Flurry Finance’s Vault contract suffered from a flash loan attack. The attacker deployed a malicious contract in the protocol and further created a PancakeSwap pair for the RhoToken against Binance stablecoin (BUSD).
The creation of the malicious contract code rebases all update multipliers for RhoTokens and enable him to repeatedly execute the withdrawal transactions more than what they deserved from the pool, which resulted in more than $290k losses to the protocol.
Root cause: Smart Contract Vulnerability
Loss: Approx. $293000
Reference: Over $290,000 Stolen From DeFi Protocol Flurry Finance
Claimable event: Yes (Smart Contract Vulnerability Cover)
The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, all users should enhance their security awareness to avoid serious losses.
InsurAce.io currently offer insurance protections for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- IDO event risk: the smart contract of the covered IDO platform gets hacked
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price
For details on the coverage and exclusions for each cover, kindly read Cover Wording here.
Get your investment funds protected with InsurAce.io: Buy Cover
