November Hacks Report

Security Incidents / December 3, 2022 / 5 minutes of reading
security, protection, antivirus-265130.jpg

Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of November 2022.   

Hacks in November: 

  1. FITE 

November 1, 2022:  The FITE project is suspected of having been rug pulled. Its social media has been deleted, and its website is down. 

Root cause: Rug Pull 

Loss: approx. 1900 BNB 

Reference: Online News 

Claimable event: No 

  1. Skyward Finance 

November 2, 2022: Skyward Finance, the NEAR on-chain token launchpad, has been exploited for 1.1M NEAR, worth approximately 3 million at the time of exploit. The attacker bought SKYWARD tokens from Ref Finance and redeemed them through Treasury in Skyward Finance, effectively draining it. 

Root cause: Smart Contract Vulnerability 

Loss: $3M 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

  1. Rubic 

November 2, 2022: The private key of an admin wallet of the crypto exchange Rubic was stolen. As a result, the attacker gained access to 34 million Rubic tokens which were sold on Uniswap and PancakeSwap. 

Root cause: Private Key Leakage 

Loss: approx. $303,758 

Reference: Twitter Announcement by Rubic 

Claimable event: No 

  1. Solend 

November 2, 2022: Solend suffered from an oracle attack, where the attacker manipulated the oracle price of an asset which caused $1.26 million in bad debt. 

Root cause: Oracle Manipulation 

Loss: approx. $1.26M 

Reference: Twitter Announcement by Solend 

Claimable event: No  

  1. Deribit 

November 2, 2022: Deribit, a cryptocurrency platform was exploited for $28 million through the compromise of its hot wallet. The company has claimed that client funds are safe and that only BTC, ETH and USDC hot wallets were affected. 

Root cause: Wallet Compromise  

Loss: approx. $28M  

Reference: Twitter Announcement by Deribit 

Claimable event: No 

  1. pGALA 

November 4, 2022: pNetwork claimed that a “misconfiguration” led to a misunderstanding that the cross-chain bridge provider was hacked for $1 billion. The network intentionally minted 28.4 pGALA tokens to drain PancakeSwap pool in an attempt to protect token holders after the “misconfiguration” was found in its bridge contracts. 

Root cause: Unknown 

Loss: Unknown 

Reference: Online News 

Claimable event: No 

  1. Loopring 

November 5, 2022: Loopring was hit with a large-scale DDoS attack that crashed its services for 11 hours. 

Root cause: Front-End Attack 

Loss: NIL 

Reference: Twitter Announcement by Loopring 

Claimable event: No 

  1. Pando 

November 6, 2022: Pando suffered from an oracle price manipulation which affected its products: Pando Rings, Leaf, Lake and 4swap protocol. The protocol was in negotiations with the hacker to return some funds. 

Root cause: Oracle Price Manipulation 

Loss: approx. $20M 

Reference: Twitter Announcement by Pando 

Claimable event: No 

  1. MooCakeCTX 

November 7, 2022: MooCakeCTX was exploited through a flash loan attack for $143,921. The contract did not settle the previous reward before conducting a new investment. The hacker borrowed 50,000 CAKE tokens using a flash loan to profit from this contract vulnerability. 

Root cause: Smart Contract Vulnerability 

Loss: $143K 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

10. brahTOPG 

November 10, 2022:  The brahTOPG project on Ethereum was hacked for $89,879 due to an exploit in the Zapper contract that strictly checks the data passed in by the user, resulting in the issue of arbitrary external calls. The attacker used this exploit to steal tokens from users who are authorised to the contract. 

Root cause: Smart Contract Vulnerability 

Loss: $89K 

Reference: Analysis by Slowmist 

Claimable event: Yes (Smart Contract Cover) 

11. DFXFinance 

November 11, 2022: DFX Finance project on the ETH chain was attacked for a profit of about $231,138. The Curve contract flash loan function did not have re-entrancy protection which led to re-entry of the deposit function to transfer tokens to judge the balance of flash loan repayments. 

Root cause: Smart Contract Vulnerability 

Loss: $231K 

Reference: Twitter Announcement by Certik 

Claimable event: Yes (Smart Contract Cover) 

12. Flare 

November 14, 2022: Flare project is suspected of having been rug-pulled after the price of the Flare project dropped by more than 95%. A total of 4 billion tokens were made by the team before being taking a profit of around $18 million. 

Root cause: Rug Pull (Suspected) 

Loss: approx. $18.5M 

Reference: Online News 

Claimable event: No  

13. DeFiAI 

November 14, 2022: DefiAI was rug pulled for $4 million. Stolen funds have been transferred to MEXC Global and FixedFloat cryptocurrency exchange. 

Root cause: Rug Pull 

Loss: 4M 

Reference: Online News 

Claimable event: No 

14. Ranger 

November 15, 2022: The Ranger Project on BSC experienced an exit scam, sinking its token by 95%. The attacker sent tokens to an external wallet, profiting $77,000. 

Root cause:  Exit Scam 

Loss: approx. 77K 

Reference: Twitter Announcement by Certik 

Claimable event: No 

15. SheepFarm 

November 16, 2022: BNB Chain’s SheepFarm project was hacked for 262 BNB due to a vulnerability in its smart contracts. The register function of the SheepFarm contract could be called multiple times, which led to an exploit in increasing the attacker’s rewards and yield. 

Root cause: Smart Contract Vulnerability 

Loss:  262 BNB 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

16. Numbers Protocol 

November 23, 2022: Numbers Protocol was hacked for 13,836 due to vulnerabilities in its smart contract. The NUM token did not have a permit function, which allowed a fake signature to be passed in order to transfer users’ assets out. 

Root cause: Smart Contract Vulnerability 

Loss: 13K 

Reference: Online News 

Claimable event: Yes (Smart Contract Cover) 

The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, all users should enhance their own security awareness to avoid serious losses. 

InsurAce.io currently offers insurance protections for: 

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked; 
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days; 
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price 

For details on the coverage and exclusions for each cover, kindly read Cover Wording here. 

🛡 Get your investment funds protected with InsurAce.io: Buy Cover 

Must Read

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top