Security Incidents in June 

Others / July 3, 2022 / 7 minutes of reading

Hacks in June:

  1. Animoon

June 2, 2022: Animoon, a NFT project based on Pokémon was reported rug pull. The project team claimed to have signed a non-disclosure agreement (NDA) with Pokémon partner TopDeck. However, no evidence of development of the actual play-to-earn (P2E) NFT game. The team disappeared and deleted their Twitter account and website.

Root cause: Rug Pull 

Loss: Approx. $6.3 million 

Reference: Twitter Announcement

Claimable event: No 

  1. BAYC & Otherside

June 4, 2022: Bored Ape Yacht Club (BAYC) and Otherside were experienced phishing attacks and lost over 145 ETH. The Discord administrator’s account was compromised, which allowed the attackers gained the admin access to the server and posted a phishing link that encouraged users to link their wallets to access “exclusive giveaways.”

Root cause: Discord admin account hacked 

Loss: approx. $ 170,000 

Reference: News on Cointelegraph

Claimable event: No

  1. Individual Hacker from South Korea

June 4, 2022: A hacker from South Korea managed to stoles $660,000 worth of crypto from 900 victims by obtaining their crypto wallet and exchange login details which was leaked from a group chat service provided by Naver.

Root cause: Data Leakage 

Loss: approx. $ 660,000 

Reference: News on CryptoNews 

Claimable event: No 

  1. Elrond & Maiar

June 5, 2022: The Layer 1 blockchain network Elrond was experienced a security breach recently. The hackers stole more than 1.65 million worth of token and sold it through the decentralized exchange Maiar. Elrond founder tweeted that the bug has been resolved. All funds and users are safe and almost all stolen funds have been recovered. 

Root cause: Virtual Machine Vulnerability 

Loss: Not disclosed. 

Reference: Official Report 

Claimable event: No 

  1. Equalizer Finance

June 7, 2022: Equalizer Finance was suffered flash loan attack recently due to the non-compatibility of FlashLoanProvider contract with the Vault contract. 

Root cause:  Smart Contract Vulnerability 

Loss: Not disclosed. 

Reference: Twitter Announcement 

Claimable event: Yes (Smart Contract Vulnerability Cover)

  1. Baby Elon

June 8, 2022: The Baby Elon project on BNBChain was reported rug pull by PeckShield Alert. The project team took 623 BNB and transferred to Tornado Cash.  

Root cause: Rug pull 

Loss: approx. $179,000 

Reference: Twitter Announcement 

Claimable event: No 

  1. ApolloX

June 8, 2022: There was a flaw in the ApolloX trading rewards contract. The attacker used the signature system flaw to generate 255 signatures which then withdrew a total of 53 million APX token. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $1.6 M  

Reference: Twitter Announcement 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Osmosis

June 8, 2022: There was a tweet about a critical bug was discovered on Osmosis that could potentially drain all liquidity pools. Osmosis tweeted that the liquidity pool was not “completely drained” and that developers were fixing the bugs.  

Root cause: Smart Contract Vulnerability 

Loss: approx. $5 M 

Reference: Twitter Announcement 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. GYM Network 

June 8, 2022: According to the official Twitter account, the GYM Network was suffered by an attack on the Claim & Pool function, which resulted in a significant price drop.  

Root cause: Smart Contract Vulnerability 

Loss: approx. $2.1 M 

Reference: Twitter Announcement 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Trader Joe

June 10, 2022: Trader Joe was recently suffered an exploit due to a vulnerability lies in the protocol transaction fees process. Users’ funds are safu, only protocol fees were lost. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $1 M 

Reference: Twitter Announcement 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. SHELL

June 11, 2022: According to a few rug pull monitoring websites, SHELL projects was identified as high risk project. SHELL token price fell by more than 56%. The project owner minted 150 million tokens at one address, and transferred them and sold some of them in 12 transactions for about $180,000. 

Root cause: Rug pull 

Loss: Approx. $180,000 

Reference: Announcement 

Claimable event: No 

  1. HEGE

June 11, 2022: According to a few rug pull monitoring websites, HEGE projects was reported as potential rug pull.  

Root cause: Rug pull 

Loss: Approx. $429,000 

Reference: Announcement 

Claimable event: No 

  1. TreasureSwap 

June 11, 2022: The treasure swap project was exploited recently. The attacker only used a very small amount of WETH to exchange all the WETH tokens in the transaction pool. The reverse of the source code found that the swap function of the attacked contract lacked the K value check.  

Root cause: Smart Contract Vulnerability 

Loss: approx. $920,000 

Reference: PA News 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. FSwap 

June 13, 2022: According to Fswap official announcement, the project was hacked due to an error in the fee-charging mechanism of the protocol. Hackers borrowed money from BISWAP to FSWAP for transaction attacks. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $5 million 

Reference: News on Aliens 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. KnownOrigin

June 14, 2022: According to KnownOrigin official tweet, its discord had been compromised. They reminded users not to click on any links. 

Root cause: Discord server hacked 

Loss: Not Disclosed 

Reference: Twitter Announcement 

Claimable event: No 

  1. Inverse Finance 

June 16, 2022: Inverse Finance suffered a flash loan attack due to the use of insecure oracles to calculate LP prices. 

Root cause: Oracle Failure 

Loss: approx. $1.26 million 

Reference: News on Cointelegraph 

Claimable event: No

  1. LV PLUS

June 21, 2022: The LV PLUS project has been identified as a Rug Pull project. They claimed to be affiliated with the “LV Metaverse”. Its deployer sent tokens to certain wallets and subsequently sold the project’s tokens, causing the project’s market to crash . 

Root cause: Rug pull 

Loss: $1.5 M 

Reference: News 

Claimable event: No 

  1. Justcows

June 24, 2022: Justcows, the hosting platform on BSC, is suspected of rug pull and siphoned off $5 million in user funds. The project team distributed a large amount of BUSD to thousands of addresses in the form of mixed currency, some of which were transferred to hunterswap, and some of them were transferred to the exchange. It is reported that the platform issued an announcement a month ago to stop user withdrawals. 

Root cause: Rug pull 

Loss: $5 M 

Reference: Twitter Announcement 

Claimable event: No

  1. ConvexFinance 

June 24, 2022: ConvexFinance officially tweeted that they were experiencing a DNS hijacking which caused users to approve malicious contracts on some interactions on the website, and the problem has been fixed. 

Root cause: DNS Hijacking 

Loss: approx. $250,000 

Reference: Twitter Announcement 

Claimable event: No 

  1. Harmony

June 24, 2022: Harmony project team has identified an attack occurred on its Horizon bridge. The attacker resulted in loss of more than 100 million USD.  

Root cause: Private Key Leak 

Loss: approx. $100 M 

Reference: Twitter Announcement 

Claimable event: No 

  1. XCarnival 

June 26, 2022: XCarnival, an Ethereum ecosystem liquidity provider was exploited recently. This attack is due to a flaw in its smart contract which allowed the pledged NFT still be used as the collateral for bollowing.  After the project team revealed, they suspended the transactions and successfully recovered 50% of the loss.  

Root cause: Smart Contract Vulnerability 

Loss: approx. $3.2 M 

Reference: News on Cointelegraph 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Goldfinch

June 28, 2022: The SeniorPool contract of the Goldfinch project was experienced an arbitrage attack where the exchange rate of FIDU to USDC in Curve is 1:1.03, while the ratio in SeniorPool is 1:1.07, which creates room for arbitrage. The attacker can use Curve’s FIDU-USDC pool to obtain FIDU tokens to obtain the dividends of the SeniorPool contract mortgaged USDC tokens.  

Root cause: Arbitrage Attack 

Loss: approx. $541,158 

Reference: News 

Claimable event: No 

  1. OpenSea

June 16, 2022: OpenSea disclosed a vulnerability in their Shred Storefront contract via their official Twitter channel. This allows in some instances for sellers to accept offers on Shared Storefront items and receive payment without owning the NFT. 

Root cause: Smart Contract Vulnerability 

Loss: Not disclosed. 

Reference: Twitter Announcement 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

  1. Solidity

June 15, 2022: According to official disclosure, a previously unknown optimization bug was found in Solidity compiler. It causes the silent discard of important memory operations.  

Root cause: Smart Contract Vulnerability 

Loss: approx. $3.2 M 

Reference: Medium Post 

Claimable event: Yes (Smart Contract Vulnerability Cover) 

The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, all users should enhance their own security awareness to avoid serious losses. 

InsurAce.io currently offer insurance protections for: 

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked; 
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days; 
  • IDO event risk: the smart contract of the covered IDO platform gets hacked 
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price 

For details on the coverage and exclusions for each cover, kindly read Cover Wording here. 

Get your investment funds protected with InsurAce.io: Buy Cover 

Must Read

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top