1. BonqDAO
February 2, 2023: Polygon-based lending and stablecoin protocol was hacked by a two-stage attack for 120 million. The attacker manipulated the price of the WALBT token such through a function of the oracle which allowed them toAs a result of the raised WALBT token, 100 million BEUR tokens were borrowed. The price of WALBT was then set to a low through a second transaction, which allowed the attacker to liquidate WALBT staked by other users and obtain 114M WALBT which was burnt to unlock ALBT tokens.
Root cause: Oracle Manipulation
Loss: approx. $120M
Reference: Analysis by Beosin
Claimable event: No
2. Orion Protocol
February 3, 2023: Orion Protocol was hit with a reentrancy attack due to a flaw in its smart contract. There was incomplete reentrancy protection which allowed token transfer to reenter other functions to increase user balance without costing any funds
Root cause: Contract Vulnerability (Reentrancy Attack)
Loss: $3M
Reference: Analysis by PeckShield
Claimable event: Yes (Smart Contract Cover)
3. SperaxUSD
February 4, 2023: SepraxUSD, a protocol on Arbitrium was exploited for a total of $300K through a vulnerability in its smart contracts which allowed the exploiter to increase his token balance without providing matching collateral. The flaw has since been solved with a smart contract upgrade.
Root cause: Contract Vulnerability
Loss: $300K
Reference: Twitter Announcement
Claimable event: Yes (Smart Contract Cover)
4. LianGoPay
February 7, 2023: LianGoPay ’s assets in the LGTPool pledge contract were attacked due to a private key compromoise that resulted in the deployment of fake pools alongside real ones, making it difficult to differentiate. The attacker deposited many tokens in the malicious pool and redeemed a large amount of LGT tokens which were exchanged for BSC-USD tokens
Root cause: Private Key Leakage
Loss: $1.6M
Reference: Analysis by Halborn
Claimable event: No
5. CoW Protocol
February 7, 2023: CoW Protocol, a decentralised exchange was attacked for a total of 550 BNB due to a vulnerability within the token authorisation process. Barter solver, a new solver for CoW’s solver competition deployed an approval to a contract called SwapGuard. The attacker was able to exploit the security issue of the SwapGuard contract, which allowed arbitrary call execution from the SwapGuard contract.
Root cause: Contract Vulnerability
Loss: $180K
Reference: Analysis by BlockSec
Claimable event: Yes (Smart Contract Cover)
6. Nostr
February 8, 2023: Nostr, a fake project on the Ethereuem chain has been rug pulled for 232.1 ETH.
Root cause: Rug Pull
Loss: 232.1 ETH
Reference: Online News
Claimable event: No
7. Umami Finance
February 9, 2023: Umami Finance, a DeFi protocol offering institutional yield products has been rug pulled. Its CEO dumped tokens on the market, which allowed him to cash out over $380,000 after the price of the UMAMI token crashed by over 60%
Root cause: Rug Pull
Loss: $380K
Reference: Online News
Claimable event: No
8. SushiSwap
February 10, 2023: SushiSwap’s BentoBoxv1 contract was compromised due to price manipulation. The Kashi Medium Risk ChainLink was updated later than the mortgage which allowed the attacker to conduct a flashloan that dropped the price of kmxSUSHI/USDT. The attacker then liquidated his assets and obtained 26K of USDT.
Root cause: Price Manipulation
Loss: $26K
Reference: Online News
Claimable event: No
9. dForce
February 10, 2023: dForce Network, a DeFi aggregation platform was attacked on Arbitrum and Optimism through a reentrancy vulnerability, profiting a total of 1.9M on Arbitrum and 1.7M on Optimism. The attacker took a flash loan and deposited them into Curve’s wstETH/ETH and further deposited the LP tokens into dForce’s wstETHCRV-gauge vault. When removing liquidity, the reentrancy vulnerability was exploited to manipulate the price of the wstETHCRV-gauge tokens, allowing him to profit off the liquidation of other users.
Root cause: Contract Vulnerability (Reentrancy Attack)
Loss: $3.65M
Reference: Analysis by SlowMist
Claimable event: Yes (Smart Contract Cover)
10. BSC-WBNB-WOOF Trading Pair
February 10, 2023: An individual managed to acquire the BSC-WBNB-WOOF trading pair through a backdoor for a total of $115,000. However, this was accomplished through an exploit, which caused the price of $WOOF to drop by 88%. The attacker used an address (jZKbvD) that could transfer $WOOF from any address to 0 authorization via the transferFrom function. They proceeded to transfer $WOOF tokens and update the reserves of the pool and then swapped out the WBNBs in the pair for a large number of $WOOF tokens
Root cause: Rug Pull
Loss: $155K
Reference: Online News
Claimable event: No
11. FDP Token
February 10, 2023: FDP was hit with a flash loan attack that was compromised for $10,000. The attacker borrowed 1,363 WBNBs and exchanged for $FDP. Prior to the manipulation, the currentRate was calculated for the FDPs. In this scenario, the rtotal was not reduced, and neither the pair nor the attacker was considered a deflationary exception. The attacker then called the deliver function with the tAmount, which decreased the user-specified tAmount and added it to the fee. The 284631626035854 tAmount FDPs accounted for 28% of the total supply of FDPs. After calling deliver, when _rTotal is 28% less and _tTotal remains the same, _getRate shrinks. Since the transaction pair is not a deflation-excluded address, the obtained balance is larger. Consequently, the attacker could withdraw the increased $FDP and exchange it for $WBNB.
Root cause: Price Manipulation
Loss: 10K
Reference: Online News
Claimable event: No
12. OneKey
February 11, 2023: A cybersecurity startup called Unciphered conducted a whitehat attack on encrypted hardware wallets made by OneKey. The startup found that it was feasible to reset the device to its original factory mode and circumvent the security pin. This could potentially enable an attacker to erase the mnemonic phrase that is utilized to recover a wallet. OneKey has since paid Unciphered a bounty for the disclosure and no one was affected
Root cause: Wallet Attack
Loss: NIL
Reference: Online News
Claimable event: No
13. Namecheap
February 12, 2023: Namecheap’s email account was breached, allowing phishing emails said to be from MetaMask and DHL to flood users’ emails. The emails attempted to steal personal information and cryptocurrency wallets.
Root cause: Phishing Attack
Loss: NIL
Reference: Online News
Claimable event: No
14. Multichain
February 15, 2023: Multichain, an infrastructure designed to support arbitrary cross-chain interactions was hit with a front-running attack. The attacker used an MEV contract to front-run and call a function of the AnyswapV4Router to sign and approve the transfer. The stolen WETH lacked a signature verification function which allowed the attacker to transfer WETH to the victim contract. This was a result of a previous vulnerability that still exists for users who had not yet revoked approvals for their affected router contracts.
Root cause: Front-Running Attack
Loss: 130K
Reference: Online News
Claimable event: No
15. FarmApp
February 15, 2023: The FarmApp contract singer’s private key was stolen, resulting in an exploit that earned the hacker 301 BNB. By utilizing the singer’s signature, the attacker called the sowSeed function to generate newSowData with 42 sowid, and then proceeded to call the claimedSeed function again to steal 936,387 $MMT. The stolen MMT was exchanged for 301 BNB (equivalent to around 93K USD) and transferred to the tornado cash. As a consequence of the exploit, the price of MmtMiner dropped by 81%.
Root cause: Private Key Leakage
Loss: 301 BNB
Reference: Online News
Claimable event: No
16. Dexible
February 17, 2023: Dexible, a decentralised exchange aggregator was hacked for 1.54 million. There was a flaw in the logic of the selfSwap function that invokes the fill function, which in turn calls a data defined by the attacker. The hacker has created a transferfrom function within this data, enabling them to pass in their own attack address as well as that of other users. This allows the transfer of tokens approved for the contract to be moved out.
Root cause: Contract Vulnerability
Loss: $1.54M
Reference: Analysis by Beosin
Claimable event: Yes (Smart Contract Cover)
17. Platypus Finance
February 17, 2023: Platypus Finance was exploited through a flash loan attack which resulted in a total loss of $9 million. The exploit was executed by exploiting a flawed check mechanism during the withdrawal of collateral. Initially, the attacker obtained a flash loan of 44M USDC, which was subsequently deposited into Platypus. The resulting LP tokens were utilized as collateral to borrow 41.7M USP. The emergencyWithdraw() function only verifies if the user’s position is solvent, without considering the impact of any borrowed funds. This enables the attacker to withdraw the supplied collateral while retaining the borrowed USP. This resulted in the de-peg of USP and a loss in users’ funds in the main pool. The cause of this exploit is an exclusion in InsurAce’s cover wordings in that will not cover loss of value of users funds due to the de-peg of USP.
Root cause: Contract Vulnerability
Loss: $9M
Reference: Twitter Announcement
Claimable event: No (Exclusion under Smart Contract Cover)
18. BABYDOLL
February 19, 2023: BABYDOLL project suffered a flash loan attack that resulted in a loss of around $13.1K. The attacker borrowed 1,182 WBNB and subsequently changed 12 WBNB tokens in the BABYDOLL-WBNB pair to 0.000000000001 BABYDOLL tokens. By executing the burn function multiple times, the attacker destroyed BABYDOLL tokens, which lowered the value of “_tTotal” and the balance of BABYDOLL-WBNB. Since the BABYDOLL-WBNB pair is not excluded, the reflection mechanism affected its balance. Using the imbalanced reserves in the pool, the attacker called the swap function to acquire 37 WBNB, returned the flash loan, and walked away with 25 BNB ($7.9K).
Root cause: Contract Vulnerability
Loss: $7.9K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
19. Revert Finance
February 20, 2023: Revert Finance, an AMM liquidity management protocol reported on Twitter that their v3utils contract had been hacked, and a single account lost 90% of its funds. The stolen assets included 22983.235188 USDC, 4106.316699 USDT, 485.5786287699002 OP, 0.18217977664322793 WETH, 36.59093198260223 DAI, 211.21463945524238 WMATIC, and 22 Premia, totaling about $29,000 based on current market prices.
Root cause: Contract Vulnerability
Loss: $29K
Reference: Twitter Announcement
Claimable event: Yes (Smart Contract Cover)
20. Edge Wallet
February 20, 2023: Edge Wallet has been compromised, resulting in the theft of 2000 private keys. A user had notified Edge Wallet’s staff of an unauthorized transaction of Bitcoins it was determined that the private key of the Bitcoin wallet was compromised. Since then, a vulnerability that would leak private keys when a user perform both actions have been identified.
Root cause: Private Key Leakage
Loss: Unknown
Reference: Online News
Claimable event: No
21. Snowfall Protocol
February 21, 2023: Snowfall Protocol has been hit with a rug pull, with the Snowfallcoin dropping in price by over 97%. The attacker removed 536.5 WBNB from the project’s liquidity, estimated to be about $166,000 in stolen funds.
Root cause: Rug Pull
Loss: $166K
Reference: Online News
Claimable event: No
22. Dynamic Finance
February 22, 2023: Dynamic Finance, a smart money market aggregator was hacked due to insufficient reentrancy protection, losing 73 BNB. In their staking contract, users were able to deposit DYNA and claim reward. However, the logic of the deposit function allows this value to be recorded for the first deposit, allowing the attacker to redeem rewards when depositing a large amount of DYNA due to a large flash loan
Root cause: Contract Vulnerability
Loss: $22K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
23. Hope Finance
February 22, 2023: Hope Finance, an Arbitrum-based DeFi project has been claimed to have been rug pulled by a team member. The attacker deployed a fake router in transaction 0xf188, and subsequently updated SwapHelper to use this fake router in transaction 0xc9ee. The change of details in the smart contract led to the drainage of funds.
Root cause: Rug Pull
Loss: $2M
Reference: Online News
Claimable event: No
24. HakunaMatata
February 22, 2023: HakunaMatata was attacked through a flash loan attack which saw the attacker earn 33 WBNB. The attacker manipulated the tTotal and rTotal in deflationary tokens and through the deliver and burn functions.
Root cause: Price Manipulation
Loss: $10K
Reference: Online News
Claimable event: No
25. Solana
February 25, 20233: Solana network experienced technical difficulties that hindered users’ ability to conduct on-chain activities such as trading crypto and transferring assets. This was caused by the blockchain “forking” at approximately 12:53 a.m. ET, leading to a drop in transaction throughput and an increase in validators’ RAM usage. Consequently, almost all on-chain activities were effectively frozen on the network. By 2 a.m., the network’s transaction processing rate had reduced to about 93 transactions per second (TPS), down from the previous rate of nearly 5000 TPS about 15 minutes earlier, as reported by Solana Explorer.
Root cause: Validator Bug
Loss: NIL
Reference: Online News
Claimable event: No
26. HideYoApes
February 27, 2023: An NFT collector’s several expensive NFTs, including a Bored Ape, Mutant Ape, three Bored Ape Kennel Club NFTs, a SewerPass, and two Otherdeeds have been stolen and sold for a profit of 127.3 wETH. The MetaMask wallet extension has been downloaded and installed from the official website.
Root cause: Unknown
Loss: $208K
Reference: Twitter Announcement
Claimable event: No
27. DungeonSwap
February 27, 2023: The DeFi project Dungeon Swap on BSC has been exploited for $728,000. The exploiter stole BUSD from users who approved the DND token contract and transferred all profits to another hash.
Root cause: Contract Vulnerability
Loss: $728K
Reference: Twitter Announcement
Claimable event: Yes (Smart Contract Cover)
28. LaunchZone
February 27, 2023: LaunchZone, a DeFi protocol on the BNB chain was exploited for a total of $700,000. The value of the LZ token dropped by more than 80% as the funds were swapped out through PancakeSwap.
Root cause: Unknown
Loss: $700K
Reference: Online News
Claimable event: No
29. MyAlgo
February 28, 2023: MyAlgo, a wallet provider for the Algorand network has been hit with an exploit that has seen an estimated of $9.2 million worth of funds stolen. As of writing, the team has issued warnings to users and is still finding the root of the exploit. Users who had mnemonic wallets were more susceptible to the exploit.
Root cause: Unknown
Loss: $9.2M
Reference: Online News
Claimable event: No
