Hacks in March

We saw a total of 28 hacks in March. Here are the details:

1. ArbiSwap

March 2, 2023: Arbitrum’s ArbiSwap was rug pulled for approximately $100,000. Its developers minted 1 billion fake tokens which were converted to USDC, causing a sharp drop in the price of the USDC/ARBI transaction pair.

Root cause: Rug Pull

Loss: approx. 84 ETH

Reference: Online News

Claimable event: No 

2. Algodex

March 5, 2023: The company wallet of Algorand-based Algodex was attacked by a malicious actor. The attack was similar to recent incidents in the Algorand ecosystem, one of which was in relation to MyAlgo. The attacker was able to steal $25,000 worth of ALGX tokens allocated to provide liquidity rewards, and another $30,000 worth of ALGX and Algo tokens were removed through redemption of liquidity tokens of the tinymanorg pools.

Root cause: Unknown

Loss: $55K

Reference: Twitter Announcement

Claimable event: No

3. PeopleDAO

March 6, 2023: PeopleDAO’s community treasury on Safe was attacked and approximately $120,000 (76 ETH) was stolen. A Google Form is used to collect information about contributor rewards every month. However, the link that was shared in a public Discord had edit access, and hackers inserted 76 ETH worth of payment to themselves.

Root cause: Social Engineering Attack

Loss: 76 ETH

Reference: Twitter Announcement

Claimable event: No

4. Fake GPT Token

March 6, 2023: ChatGPT’s popularity has led to some scammers releasing fake ChatGPT tokens for pump and dump schemes. The deployer of one of these fake tokens removed the LP, resulting in 99% slippage, and transferred 42.8 BNB through Tornado Cash.

Root cause: Rug Pull

Loss: $12K

Reference: Online News

Claimable event: No

5. Tender.fi

March 7, 2023: Hackers exploited Tender.fi’s misconfigured data oracle, which allowed them to borrow $1.59 million in crypto assets with just a single GMX token worth $70 as collateral. The hackers have since returned the funds and a bounty reward was given.

Root cause: Misconfigured Oracle

Loss: NIL (funds have been returned by hacker)

Reference: Online News

Claimable event: No

6. Hedera

March 9, 2023: The Smart Contract Service code of the Hedera mainnet was exploited and victims’ Hedera Token Service tokens were transferred to the attacker’s accounts. The attacker targeted liquidity pools on multiple DEXs that used Uniswap v2-derived contract code that was ported over to use the Hedera Token Service. To prevent the attacker from stealing more tokens, the Hedera team turned off mainnet proxies to minimise damage.

Root cause: Contract Vulnerability

Loss: approx $600K

Reference: Post Mortem

Claimable event: Yes (Smart Contract Cover)

7. Phoenix

March 10, 2023: Polygon’s Phoenix was hit with a stealth attack where the attacker used a reflection attack with a self-created token, $OPTS, to syphon off money (“borrows”) continuously. Once 100,000 USDC had been accumulated, the funds were bridged off using Celer.

Root cause: Contract Vulnerability

Loss: approx. $100K

Reference: Analysis by QuillAudits

Claimable event: Yes (Smart Contract Cover) 

8. ProTradex

March 10, 2023: BNB Chain’s ProTradex was exploited through an exit scam that caused $698,000 worth of loss.

Root cause: Rug Pull

Loss: $698K

Reference: Analysis by QuillAudits

Claimable event: No 

9. SUCKR

March 10, 2023: Aptos’s SUCKR project was suspected of being rug pulled. The hacker minted a large number of SUCKR tokens before exchanging them for USDT.

Root cause: Rug Pull

Loss: $180K

Reference: Online News

Claimable event: No

10. Euler Finance

March 13, 2023: Euler Finance, a DeFi lending protocol, was exploited for $197 million. The vulnerability was due to the project permitting donations to be performed without a proper account health check. The attacker took a flash loan of 30 million DAI and deposited 20 million DAI in Euler Finance to receive 20 million eDAI, which was used to borrow 200 million eDAI and 200 million dDAI. The attacker then invoked the “donate to reserve” call to burn $100 million worth of eDAI, which made the amount of dDAI greater than eDAI; this skipped the liquidation checks and made the account liquidatable. This process was repeated with other pools.

Root cause: Contract Vulnerability

Loss: $197M

Reference: Post Mortem

Claimable event: Yes (Smart Contract Cover)

11. Block Chain Games

March 13, 2023: Block Chain Games was rug pulled for a total of $39,092. The project owner called 2 privileged functions, one to mint a large amount of BCGA and the other to burn other users’ BCGA to prevent them from selling. The minted BCGA was immediately swapped for 128 BNB.

Root cause: Rug Pull

Loss: $39K

Reference: Analysis by Beosin

Claimable event: No

12. Poolz Finance

March 15, 2023: Poolz Finance, a cross-chain decentralised IDO platform, was hacked on BSC and Polygon for a total of $390,000 through an arithmetic overflow issue. Since then, the POOLZ token has taken a hit of over 95%.

Root cause: Contract Vulnerability

Loss: $390K

Reference: Twitter Announcement

Claimable event: Yes (Smart Contract Cover)

13. iEarn Bot

March 17, 2023: iEarn Bot, a cryptocurrency AI quantitative trading bot, scammed victims by offering to trade cryptocurrencies on their behalf. The website had fake information, including companies and institutions being listed as “strategic partners” even though they had no such partnerships. A total of 13,000 victims lost approximately $1.3 million.

Root cause: Social Engineering Attack

Loss: $1.3M

Reference: Online News

Claimable event: No

14. General Bytes

March 17, 2023: General Bytes’s ATM service was hacked when the attacker remotely uploaded their own Java application via a master service interface. As a result, the attacker could access the database on the server, which included the ability to access funds in hot wallets. Since then, General Bytes has promised to refund the customers affected by the hack.

Root cause: Malware

Loss: approx. $1.8M

Reference: Post Mortem

Claimable event: No

15. ParaSpace Protocol

March 17, 2023: BlockSecTeam and ParaSpace Protocol identified an exploit that would have caused them the loss of $5 million worth of NFTs. There was a vulnerability in one of ParaSpace’s smart contracts that would have allowed the attacker to borrow additional tokens. All assets are safe and a 5% bounty will be given to BlockSec.

Root cause: Contract Vulnerability

Loss: NIL

Reference: Twitter Announcement

Claimable event: No (Smart Contract Cover Exclusion)

16. Harvest Keeper

March 19, 2023: Harvest Keeper, an AI trading app on the BNB chain, was rug pulled for $933,000. The attacker exploited a vulnerability in the HarvestKeeper contract to access a privileged function that allowed them to transfer the USDT funds pledged by a user. They were able to carry out this transfer by using the owner’s authority. As a result, the attacker was able to deplete the user’s funds.

Root cause: Rug Pull

Loss: $933K

Reference: Analysis By QuillAudits

Claimable event: No

17. BNQ Token

March 20, 2023: BNQ Token on BNB Chain was rug pulled for a total of approximately $72,000.

Root cause: Unknown

Loss: $700K

Reference: Analysis By Beosin

Claimable event: No

18. Indexed Finance

March 21, 2023: Indexed Finance was hit with a flash loan attack due to a contract flaw in which “calcSingleOutGivenPoolIn()” calculated the tokenAmountOut value wrongly.

Root cause: Contract Vulnerability

Loss: $9K

Reference: Analysis By Ancilia

Claimable event: Yes (Smart Contract Cover)

19. ASKACR Token

March 21, 2023: ASKACR token on the BSC was exploited for a total of 85 BNB. The reason for the vulnerability was a flawed reward distribution system in the token’s transfer function, which allowed transactions to occur without verifying the transfer amount.

Root cause: Contract Vulnerability

Loss: $28.4K

Reference: Analysis by Neptune Mutual

Claimable event: Yes (Smart Contract Cover)

20. Archive PEACEMINUSONE

March 22, 2023: A vulnerability was identified in the NFT series “Archive of PEACEMINUSONE” released by Korean singer Quan Zhilong. The vulnerability was disclosed as a general vulnerability, CVE-2022-38217.

Root cause: Contract Vulnerability

Loss: NIL

Reference: Twitter Announcement

Claimable event: No (Smart Contract Cover Exclusion)

21. Circle’s Chief Strategy Officer

March 22, 2023: The Twitter account of Circle’s Chief Strategy Officer was taken over by a scammer, and a fake tweet regarding a loyalty rewards distribution program was posted. The tweet has since been deleted.

Root cause: Social Engineering Attack

Loss: NIL

Reference: Online News

Claimable event: No

22. FASTSWAP

March 24, 2023: FASTSWAP, a project on BNB Chain, was hacked for 26.7 BNB through a flash loan attack.

Root cause: Unknown

Loss: 26.77 BNB

Reference: Online News

Claimable event: No

23. Swerve Finance

March 25, 2023: Swerve Finance, a clone of Curve Finance, was hit with a governance exploit. The attacker first accumulated a majority of the protocol’s governance tokens, then submitted and approved a malicious proposal which transferred $1.3 million to his address.

Root cause: Governance Attack

Loss: $1.3M

Reference: Online News

Claimable event: No

24. Arbitrum Discord

March 25, 2023: The Discord account of one of Arbitrum’s developers was hacked. A phishing link was shared in the Arbitrum Discord through an announcement. The message offered members a chance to reclaim additional stake in Arbitrum DAO Governance.

Root cause: Social Engineering Attack

Loss: NIL

Reference: Online News

Claimable event: No

25. EC Token

March 26, 2023: EC Token was rug pulled for $43.8K, which caused the price of the token to drop by 98%.

Root cause: Rug Pull

Loss: $43.8K

Reference: Twitter Announcement

Claimable event: No

26. Kokomo Finance

March 26, 2023: Optimism-based DeFi protocol Kokomo Finance was rug pulled for a total of $4 million. Blockchain security firm CertiK highlighted the incident through Twitter. The KOKO token has since dropped by more than 95%.

Root cause: Rug Pull

Loss: $4M

Reference: Announcement By CertiK

Claimable event: No

27. Safemoon

March 29, 2023: Safemoon, a DeFi protocol based on the BNB chain, was exploited for a total of $8.65 million due to a smart contract vulnerability. The cause was the presence of a public burn function that allowed anyone to burn tokens instead of the sender. The attacker removed SFM tokens from the SafeMoon-WBNB LP, increasing the price of SFM tokens, which were sold at an overpriced rate through a front-run attack by an MEV bot.

Root cause: Contract Vulnerability

Loss: $8.65M

Reference: Online News

Claimable event: No

28. Patricio Worthalter

March 30, 2023: The founder of POAP, Patricio Worthalter, was hit with a phishing attack for a total of $3 million. The attacker stole 85,898 RPL from his address, transferring them to a DEX before selling all the RPL, leading to a price drop.

Root cause: Social Engineering Attack

Loss: $3.8M

Reference: Announcement on Twitter

Claimable event: No


About us:

InsurAce is a leading decentralised insurance protocol, providing reliable, robust and secure insurance services to DeFi users, allowing them to secure their investment funds against various risks.

InsurAce has been live since April 2021 and has built a full-spectrum cross-chain insurance product line, covering Smart Contract Vulnerabilities, Stablecoin De-Peg events, IDO risks, and Custodian Risks… protecting over $350m of assets of 5000+ customers!

Join the InsurAce community:

Discord: https://discord.com/invite/vCZMjuH69F

Telegram: https://t.me/insurace_protocol

Twitter: https://twitter.com/InsurAce_io

Email: contact@insurace.io

Read More about InsurAce: https://www.insurace.io/blog
