September Hacks

In September the volume of DeFi Hacks slowed down relative to the previous months. After figures rose above $200M for 2 consecutive months, in September the volume of digital assets lost to hackers dropped below $180m. Prominent Automated Market Maker (AMM), Wintermute was responsible for 90% of the exploits recorded in September.  

Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of September 2022.   

Hacks in September: 

  1. Wintermute 

September 20, 2022, prominent London-based AMM, Wintermute was reported to have had digital assets worth around $160 million stolen from its crypto trading arm. CEO Evgeny Gaevoy, confirmed the hack in a series of tweets where he offered a 10% Whitehat offer to the hackers.  The firm, which provides liquidity across major crypto exchanges and trading platforms, remains solvent after the hack. 

Root cause: Smart Contract Vulnerability  

Loss: approx. $160M  

Reference: Twitter Statement by CEO 

Claimable event: Yes (Smart Contract Cover) 

  1. ShadowFi 

September 2, 2022: Hacker hacked ShadowFi’s liquidity pool contract and exploited the vulnerability in the SDF token, leading to a drainage in funds. Stolen funds were transferred to TornadoCash. 

Root cause: Smart Contract Vulnerability 

Loss: $301K 

Reference: Twitter Announcement from PeckShieldAlert 

Claimable event: Yes (Smart Contract Cover) 

  1. Kyber Network 

September 2, 2022: KyberSwap, a decentralised exchange has been hacked for a total of 265K through a frontend exploit which involved a “malicious code” in its Google Tag Manager. Whale wallets were targeted and funds were drained to different addresses. 

Root cause: Front-end hack 

Loss: approx. $1.6M 

Reference: Twitter Announcement 

Claimable event: No 

  1. Bill Murray 

September 3, 2022: The actor Bill Murray’s wallet was compromised that a hacker stole $185k worth funds shortly after the closing of his NFT auction that was destined for charity. 

Root cause: Wallet Compromise 

Loss: approx. $185k 

Reference: Online News 

Claimable event: No 

  1. DaoSwap 

September 5, 2022: Hacker set the inviter’s address to themselves and was able to do so due to larger mining rewards as compared to fees charged during the swap process. 

Root cause: Smart Contract Vulnerability 

Loss: $580K 

Reference: Online News by BlockSec 

Claimable event: Yes (Smart Contract Cover) 

  1. Rug Pull Finder 

September 5, 2022: Rug Pull Finder’s NFT contract was exploited due to a flaw in their smart contracts, allowing 2 people to mint 450 NFTs instead of one per wallet. 

Root cause: Smart Contract Vulnerability 

Loss: 450 NFTs 

Reference: Official Twitter Announcement  

Claimable event: Yes (Smart Contract Cover) 

  1. Nereus 

September 6, 2022:  Avalanche-based lending protocol Nereus Finance has been exploited where a user deployed a custom smart contract and that utilized a $51M flash loan to manipulate the AVAX/USDC Trader Joe LP pool price. The user was able to mint 998,000 NXUSD against ~$508k worth of collateral. According to Nereus, the exploit resulted from a “missed step” in the price calculation, resulting in the opportunity to be exploited. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $371K 

Reference: Official Post-mortem 

Claimable event: Yes (Smart Contract Cover) 

  1. GERA 

September 7, 2022: According to the official announcement by the GERA team, GERA token’s security was compromised due to a private key leak resulting in hackers transferred the ownership of the GERA token’s smart contract deployer to another address.   

Root cause: Private Key Compromise 

Loss: $1.48M 

Reference: Twitter Announcement 

Claimable event: No 

  1. New Free DAO 

September 8, 2022: New Free Dao project on BSC chain suffered from a flash loan attack. that the attacker took advantage of weak reward calculation code to drain 4,481 WBNB worth approximately $1.25 million from the contract. 

Root cause: Smart Contract Vulnerability 

Loss: 4,481 WBNB 

Reference: Twitter Announcement by SlowMist 

Claimable event: Yes (Smart Contract Cover) 

9. Ragnarok Online Invasion 

September 8, 2022: Ragnarok Online Invasion($ROI) was attacked due the access control vulnerability in the ownership transfer function. Around 158 BNB (44,222.5 BUSD) was stolen by the hackers. 

Root cause: Smart Contract Vulnerability 

Loss: 158 BNB 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

10. Sandbox 

September 8, 2022: The instagram account of Sandbox Game was compromised, and it was used to try to rent out Bored Ape Yacht Club nonfungible tokens (NFTs). 

Root cause: Social Engineering Attack 

Loss: NA 

Reference: Online News 

Claimable event: No 

11. Dogechain 

September 11, 2022: Hackers minted 9.7m Doge and transfered 316K worth through a cross chain bridge Anyswap 

Root cause: Smart Contract Vulnerability 

Loss: approx. $600K 

Reference: Twitter Announcement 

Claimable event: No (Exclusions under Smart Contract Cover) 

12. Binance 

September 15, 2022: Binance misallocated roughly $20 million of Helium’s HNT token to its users due to an accounting bug, leading to a windfall in HNT. 

Root cause: Operations Failure 

Loss: NA 

Reference: Online News 

Claimable event: No 

13. ETHPoW 

September 16, 2022: ETHPoW suffered bridge replay exploit resulted in a hacker exploiting 200 WETH from the Ethereum PoW chain. The root cause of the exploit is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message. The hacker used this opportunity to send 200 WETH across the Omnibridge of the Gnosis chain. The identical transaction was then carried out again on the PoW chain to earn 200 more ETHW. 

Root cause: Smart Contract Vulnerability 

Loss: 200 ETHW 

Reference: Online News 

Claimable event: No (Exclusions under Smart Contract Cover) 

14. GMX 

September 18, 2022: Decentralized exchange (DEX) GMX has suffered a price manipulation exploit from an exploiter who managed to make off with around $565,000 from the Avalanche (AVAX)/USD market. 

Root cause: Economic Attack 

Loss: $565,000  

Reference: Official Twitter Announcement 

Claimable event: No 

15. CoinDCX 

September 20, 2022: The official Twitter account of India-based crypto exchange CoinDCX has been hacked and used by the hacker to post fake Ripple (XRP) promos partnered with phishing links. 

Root cause: Social Engineering Attack 

Loss: NA 

Reference: Online News 

Claimable event: No 

16. Wintermute 

September 20, 2022: Crypto market maker Wintermute Protocol was hacked due to a private key comprimise that was linked to Profanity-related bug. The vulnerability in Profanity allowed the hacker to gain access to the private key of Wintermute’s Externally Owned Account (EOA). 

Root cause: Private Key Compromise 

Loss: approx. $160M 

Reference: Article by QuillAudits 

Claimable event: No 

17. BXH 

September 21, 2022: The private key of the original owner of BXH VaultPool was suspected to be stolen. The funds in the contract were transfered to the hackers’ address by calling the inCaseTokensGetStuck function. Since then, the hacker has transfered all stolen funds to Tornado Cash. 

Root cause: Private Key Compromise 

Loss: $2.5M 

Reference: Online News 

Claimable event: No 

18. MEV Bots 

September 28, 2022: A user tried to swap $1.85M of Compound cUSDC for USDC MEV bot Oxbad on Uniswap but only received $500 due to a lack of liquidity. MEV bot 0xbad backrun the trade and made $1.02M but a hacker exploited the arbitrage contract code and stole a total of 1,101 ETH in 0xbad’s wallet. 

Root cause: Smart Contract Vulnerability 

Loss: approx. $1.5M 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

19. BXH 

September 28, 2022: BXH’s TokenStakingPoolDelegate contract was exploited through a flash loan attack. The hacker made a net profit of 31,794 after stealing 40,085 USDT 

Root cause: Smart Contract Vulnerability 

Loss: Approx. 40,085 USDT 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

20. Gnosis Guild 

September 28, 2022: Gnosis Guild Reality Module (DAO Module) has suffered an attack. The main cause of the attack was malicious proposals that the attacker first proposed and then pushed for execution. 

Root cause: Governance Attack  

Loss: 7.5 ETH 

Reference: Online News 

Claimable event: No  

The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, all users should enhance their own security awareness to avoid serious losses. 

InsurAce.io currently offer insurance protections for: 

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked; 
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price 

For details on the coverage and exclusions for each cover, kindly read Cover Wording here. 

🛡 Get your investment funds protected with InsurAce.io: Buy Cover 

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top