Security Incidents in August

Total hacks in August: 21 

This shows the importance of security assessment, audit, code review, and of course, InsurAce!

Several other types of risk were also exposed, such as scams/rug pulls, social engineering attacks, custodian hacks and private key leaks.

Below is the summary of the hack events. 👇👇👇  

  1. ZB 

August 1, 2022: The ZB exchange was hacked with a total loss of around $4.3 million, leading to the suspension of deposits and withdrawals. The reason is “Sudden failure of the core application”. 

Root cause: Stolen Hot Wallet 

Loss: $4.3M 

Reference: Online News 

Claimable event: Yes (Custodian Risk Cover)  

  2. Reaper Farm

August 2, 2022: Reaper Farm’s multi-strategy vault contract, ReaperVaultV2, was hacked, resulting in more than $1.6 million worth of damage. Attackers took advantage of a vulnerability in the ReaperVaultV2 contract that let them destroy other users’ vault shares and withdraw the tokens, thereby withdrawing large amounts of tokens from multiple vaults.

Root cause: Smart Contract Vulnerability 

Loss: approx. $1.6M 

Reference: Twitter Announcement from PeckShieldAlert 

Claimable event: Yes (Smart Contract Cover) 

  3. Nomad

Cross-chain token bridge Nomad was attacked by hackers through a smart contract vulnerability. A recent update to a smart contract allowed users, without much technical knowledge, to withdraw money from the bridge that did not belong to them, leading to a “free-for-all” attack.

Root cause: Smart Contract Vulnerability 

Loss: $190M 

Reference: Online News 

Claimable event: No (Exclusion under smart contract cover) 

  4. Solana

August 3, 2022: Around 8000 unique Solana software wallets were compromised and drained of SOL, USDC and other Solana-based tokens. Sources say the issue was not in the source code but possibly within software-based wallet apps that allowed hackers to access users’ assets in those wallets.

Root cause: Private Key Leak 

Loss: approx. $4.5M 

Reference: Twitter Announcement 

Claimable event: No 

  5. Velodrome

August 4, 2022: A team member of Velodrome Finance, Gabagool, stole operation funds from one of its wallets containing $350,000. Gabagool wanted to recoup the losses incurred during the 2022 crypto crash and planned on making $56,000 before returning the funds.

Root cause: Internal Theft 

Loss: $350K 

Reference: Online News 

Claimable event: No 

  6. GenomesDAO

August 6, 2022: The GenomesDAO project was hacked and funds were withdrawn from its LPSTAKING contract. The contract’s initialisation could be repeated arbitrarily to set key parameters, leading to a withdrawal of the collateral tied to the contract.

Root cause: Smart Contract Vulnerability 

Loss: Not Disclosed 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

  7. Steven Galanis

August 6, 2022: The Apple ID of Steven Galanis, CEO of Cameo, was hacked, leading to the loss of a variety of NFTs, including a Bored Ape Yacht Club. In addition, the hacker took Apecoin, three Otherside land plots, 1 Phanta Bear and 2 11CaptainsClub.

Root cause: Social Engineering Attack 

Loss: approx. $230K 

Reference: Twitter Announcement 

Claimable event: No 

  8. Saxon James Musk

August 7, 2022: Saxon James Musk, a meme token launched on BSC, was rug pulled. Its token price plummeted by 68% when its developer decided to cash in on profits.

Root cause: Rug Pull 

Loss: approx. $420K 

Reference: Twitter Announcement by CertiK 

Claimable event: No 

  9. EGD Finance

August 8, 2022: EGD Finance on BSC was hacked, leading to an unexpected withdrawal of funds from its pool. A flash loan was used to manipulate the token price for profit. The hack was caused by the simplicity of the reward calculation in its price-feeding mechanism.

Root cause: Price Manipulation 

Loss: $36K 

Reference: Online News 

Claimable event: No 

  10. Curve Finance

August 9, 2022: Curve Finance suffered from a DNS hijacking which resulted in a loss of $570,000 from approval of malicious contracts. The Curve Finance website was cloned and its DNS was changed, leading users to a fake website operated by hackers. 

Root cause: DNS Attack 

Loss: approx. $570K 

Reference: Online News 

Claimable event: No 

  11. Blur Finance

August 10, 2022: Blur Finance, a DeFi yield aggregator that ran on BNB Chain and Polygon, was rug pulled by its developers. Similar to previous rug pulls, the developers launched and popularised a DeFi application before launching its own token. Since the rug pull, its website and social media channels have been down, an indication that the developers have run off with the funds.

Root cause: Rug Pull 

Loss: Approx. 600K 

Reference: Online News 

Claimable event: No 

  12. Acala

August 14, 2022: A hacker exploited a bug within Acala Network’s iBTC/aUSD liquidity pool, which led to the minting of 1.2 billion aUSD (Acala’s native stablecoin) without any collateral. This led to the depegging of aUSD to $0.01, which triggered Acala to enter maintenance mode and freeze the funds in the hacker’s wallet.

Root cause: Misconfiguration of liquidity pool 

Loss: Not disclosed 

Reference: Online news 

Claimable event: Yes (Stablecoin De-peg Cover) 

  13. The Bribe Protocol

August 18, 2022: Bribe Protocol, a project that seeks to incentivise token holders to govern, has been inactive on its socials for more than 3 months, leading some to suspect a rug pull. One of the investors of Bribe Protocol, Figment Capital, revealed that the project has been shut down and 86% of the funds have been returned to institutional investors, leaving retail investors in the lurch.

Root cause: Unknown 

Loss: approx. $5.5M 

Reference: Twitter Announcement 

Claimable event: No 

  14. Celer

August 18, 2022: Celer Network suffered from a DNS exploit that compromised the front end of cBridge. Users who gave access to malicious smart contracts were victims of the exploit that drained all approved tokens. Celer suspended cBridge in order to protect users from further mishaps. 

Root cause: DNS Attack 

Loss: approx. $240K 

Reference: Online News 

Claimable event: No 

  15. Sudorare

August 23, 2022: SudoRare, an NFT platform, was rug pulled with $815,000 in user funds and has since deleted all its social media accounts. The funds were transferred to three different addresses.

Root cause: Rug Pull 

Loss: approx. $815K 

Reference: Online news 

Claimable event: No 

  16. Kaoyaswap

August 24, 2022: BSC DeFi platform KaoyaSwap was hacked due to a flaw in the swap function logic of the protocol. A total of 37,294 BUSD and 271.2 wrapped BNB (WBNB) were stolen.

Root cause: Smart Contract Vulnerability 

Loss: approx. 180K 

Reference: Twitter Announcement by BlockSec 

Claimable event: Yes (Smart Contract Cover) 

  17. PokémonFi

August 24, 2022: PokémonFi was rug pulled for a total of 701K, which saw the project’s two tokens, $PMC and $PMF, fall to zero. The project’s Twitter account has been deleted since then.

Root cause: Rug Pull 

Loss: approx. 708K 

Reference: Twitter Announcement by CertiK 

Claimable event: No 

  18. Sui

August 27, 2022: The Discord of Sui creator Mysten Labs was hacked through malicious links. Users are warned not to click on any links. Some of the links, which lead to airdrops, were posted in announcement channels.

Root cause: Social Engineering Attack 

Loss: Unknown

Reference: Twitter Announcement 

Claimable event: No 

  19. DDC

August 29, 2022: DDC’s handleDeductFee function was exploited and its key parameters were controlled. As a result, a large amount of USD can be swapped with a small amount of USDC.

Root cause: Smart Contract Vulnerabilities 

Loss: approx. $104.6K 

Reference: Twitter Announcement by BeosinAlert 

Claimable event: Yes (Smart Contract Cover) 

  20. OptiFi

August 29, 2022: The mainnet program of OptiFi, a derivative DEX, was shut down due to an operation error. As a result, 661K of USDC was locked. Fortunately, 95% of the funds belonged to team members. The remaining 5% of the funds will be returned to users.

Root cause: Team Operations Failure 

Loss: approx. $661K 

Reference: Twitter Announcement 

Claimable event: No 

  21. CUPID

August 31, 2022: A hacker used a flash loan to add liquidity into the Venus/USDT pair to obtain the Venus LP token, which was sent to various addresses and converted to contract rewards in Cupid.

Root cause: Flash Loan Attack 

Loss: approx. $78K 

Reference: Twitter Announcement by BlockSec 

Claimable event: No 

The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, and all users should enhance their own security awareness to avoid serious losses.

InsurAce.io currently offers insurance protections for:

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked; 
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days; 
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price 

For details on the coverage and exclusions for each cover, kindly read Cover Wording here. 

💚​ Get your investment funds protected with InsurAce.io: Buy Cover 
