Security Incidents in January

At the start of the new year 2022, there were around 26 notable hacks, with incidents happening almost every day. Below is a summary of the events. 👇👇👇

1. Tinyman

Jan 1, 2022: Beginning on the 1st of January 2022, an attack was orchestrated by unauthorized users on some of Tinyman’s pools by exploiting a previously unknown vulnerability in the Tinyman contracts.

Root cause: Smart Contract Vulnerability

Loss: approx. $2.9 million

Reference: 1.) Official Announcement About the Incidents of 01.01.2022 2.) Technical Report 1 — First Insights 3.) Full Technical Report on Attacks

Claimable event: Yes (Smart Contract Vulnerability Cover)

2. Arbix Finance

Jan 4, 2022: Binance Smart Chain-based yield farming protocol Arbix Finance was identified by blockchain security company CertiK as a rug pull, deleting its site, Twitter, and Telegram channel and transferring $10 million worth of funds deposited by users to “unverified pools” where they were converted to Ethereum.

Root cause: Scam/Rug pull

Loss: $10 Million

Reference: CertiK identifies Arbix Finance as a rug pull

Claimable event: No

3. Bored Bunny

Jan 5, 2021: Bored Bunny, an NFT project launched on January 5th, drained all of the 2000 ETH raised, and nearly 800 ETH was transferred to Binance. The project muted all its channels on Discord, and the floor price for the project fell to 90.59 ETH on the same day.

Root cause: Scam/Rug pull

Loss: approx. 2000 ETH

Reference: NFT Rugpull: Bored Bunny NFT project drains out 2000 ETH

Claimable event: No

4. DaoMetaland

Jan 7, 2022: PeckShield issued an alert tweet saying that Metaland DAO had suffered a rug pull on January 7th. The official Metaland Twitter page seems deactivated, and all previous activities have been erased.

Root cause: Scam/Rug pull

Loss: Over 640 BNB

Reference: Metaland DAO Suffers Rug Pull

Claimable event: No

5. StoboxCompany

Jan 7, 2022: StoboxCompany, a digital asset service provider, was attacked by hackers. An official statement said that the private key had been leaked and the deployer address of Stobox Token was hacked; as ETH and BSC have the same deployer address, all reserve funds were stolen or liquidated.

Root cause: Private Key Leak

Loss: Nil

Reference: Stobox Hacked: STBU drops by 96%

Claimable event: No

6. Roco Finance

Jan 8, 2022: Roco Finance (ROCO), a decentralized GameFi platform and AVAX-based project, announced that it was hacked. In a Twitter post, it stated that due to a vulnerability in the Stake and Farm contracts, the hacker created a bot to replace the ‘ROCOperSecond’ contract, claiming a total of 136,000 ROCO tokens. It also stated that the tokens of all ROCO investors and stakers are safe.

Root cause: Smart Contract Vulnerability

Loss: 136,000 ROCO

Reference: Altcoin project hacked: 136,000 tokens withdrawn in seconds

Claimable event: Yes (Smart Contract Vulnerability Cover)

7. Arbitrum One

Jan 9, 2022: Arbitrum One, Ethereum’s leading Layer 2 scaling solution, is down. The team posted a tweet Sunday afternoon confirming that the network was suffering from sequencer downtime, but all funds in the system were safe.

Root cause: Sequencer Downtime

Loss: Nil

Reference: Ethereum Layer 2 Arbitrum One Hit By Another Outage

Claimable event: No

8. LCX

Jan 9, 2022: Liechtenstein-based crypto exchange LCX confirmed the compromise of one of its hot wallets, losing a cumulative $6.8 million after the hacker successfully transferred eight types of tokens, including Sandbox (SAND), Quant (QNT), Chainlink (LINK), Enjin Coin (ENJ) and Maker (MKR).

Root cause: Hot Wallet Breach

Loss: approx. $6.8 Million

Reference: LCX loses $6.8M in a hot wallet compromise

Claimable event: Yes (Custodian Risk Cover)

9. Frosties

Jan 9, 2022: Investors in a non-fungible token (NFT) collection called Frosties were scammed out of over $1 million after the creators of the digital tokens absconded with their funds.

Root cause: Scam/Rug Pull

Loss: $1.3 million

Reference: Frosties NFT investors rug pulled, loses over $1 million

Claimable event: No

10. Lympo

Jan 10, 2022: Sports NFT platform Lympo suffered a hot wallet security breach in which hackers gained access to Lympo’s operational hot wallet and stole a total of approximately 165.2 million LMT from it.

Root cause: Hot Wallet Breach

Loss: 165.2 million LMT

Reference: Lympo Statement to The Community

Claimable event: No

11. CityDAO

Jan 10, 2022: CityDAO, an Ethereum-based community blockchain city project, has stated that the CityDAO Discord administrator account has been hacked. The attacker issued a fake “land drop” from the admin’s compromised account, pocketing 29.67 ETH ($95,000) in the process.

Root cause: Scam

Loss: 29.67 ETH

Reference: CityDAO Falls Victim to $95K Hack via Discord

Claimable event: No

12. Big Daddy Ape Club

Jan 11, 2022: Solana NFT project Big Daddy Ape Club rug pulled investors and made off with 9,136 SOL. Their Twitter account, Discord server, and the official website of the collection all shut down, according to Decrypt.

Root cause: Scam/Rug Pull

Loss: 9136 SOL

Reference: NFT scammers made off with $1.3 million in Solana after a ‘rug pull’

Claimable event: No

13. LooksRare

Jan 11, 2022: The official website of the NFT marketplace LooksRare suffered a distributed denial-of-service (DDoS) attack within hours of its launch, which took the platform offline and made it inaccessible.

Root cause: DDoS Attack

Loss: Nil

Reference: New NFT Marketplace LooksRare Suffers DDoS Attack

Claimable event: No

14. Float Protocol / Rari Capital

Jan 15, 2022: Float Protocol’s Pool 90 on Rari Capital suffered from a lack of liquidity in the Uniswap V3 FLOAT/USDC oracle, which led to severe price manipulation.

Root cause: Oracle Attack

Loss: 25,000 DAI

Reference: Official Twitter announcement from Float Protocol

Claimable event: No

15. Crypto Burger

Jan 17, 2022: Crypto Burger suffered multiple flash loan attacks caused by a smart contract vulnerability that allows tokens to be burned in any account.

Root cause: Smart Contract Vulnerability

Loss: around $770K

Reference: Action plan for the attack received

Claimable event: Yes (Smart Contract Vulnerability Cover)

16. Crypto.com

Jan 17, 2022: Crypto.com stated that it detected unauthorized activity on a small number of user accounts, where transactions were being approved without the user entering the 2FA authentication control. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation. The exchange claimed that the incident affected 483 users and that unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.

Root cause: Unauthorised withdrawals

Loss: around $33.7M

Reference: 1.) Crypto.com Security Report & Next Steps 2.) CRYPTO.COM — REKT

Claimable event: Yes (Custodian Risk Cover)

17. Crosswise

Jan 18, 2022: Crosswise was exploited on Binance Smart Chain for a total loss of 880,000 dollars for the protocol. The hacker used a publicly exposed privileged function in the smart contract to set the trustedForwarder and then hijack the owner privilege of the Crosswise MasterChef.

Root cause: Smart Contract Vulnerability

Loss: approx. $880,000

Reference: Crosswise exploited due to bug in smart contract

Claimable event: Yes (Smart Contract Vulnerability Cover)

18. Multichain (Anyswap)

Jan 18, 2022: A critical smart contract vulnerability was found to affect six tokens on Multichain: WETH, PERI, OMT, WBNB, MATIC, and AVAX. This allowed multiple attackers to steal these tokens from users who had previously created approvals for them.

Root cause: Smart Contract Vulnerability

Loss: around $3M

Reference: EXPLAINED: THE MULTICHAIN HACK

Claimable event: Yes (Smart Contract Vulnerability Cover)

19. BNB Heroes

Jan 18, 2022: The BNB Heroes play-to-earn game rug pulled after a period of inactivity from the development team. The owner dumped 432 BNB ($191,037.97) worth of the token into the market.

Root cause: Scam/Rug Pull

Loss: 432 BNB

Reference: Security alert from Certik

Claimable event: No

20. Kingfund Finance

Jan 20, 2022: PeckShieldAlert tweeted that it has detected a Rug Pull in Kingfund Finance, with a loss of more than 300 WBNB. Upon inquiry, the project owner dumped the rugged tokens and has disabled their website and Twitter account.

Root cause: Scam/Rug Pull

Loss: over 300 WBNB

Reference: Rug Pull occurred in Kingfund Finance

Claimable event: No

21. Full Send Metacard

Jan 22, 2022: The Discord server of Full Send Metacard was hacked. The hacker posted scam links which resulted in users losing their money and NFTs.

Root cause: Scam

Loss: Unknown

Reference: Official Twitter announcement

Claimable event: No

22. OpenSea

Jan 25, 2022: OpenSea, the world’s largest NFT marketplace, was reportedly hacked for 332 ETH due to a bug in the front end that allowed users to buy popular NFTs at their previous floor price.

Root cause: Front-end Attack

Loss: 332 ETH

Reference: OpenSea reportedly hacked

Claimable event: No

23. CryptoBay VIP

Jan 26, 2022: PeckShieldAlert tweeted that it has detected a Rug Pull in CryptoBay VIP, with a loss of more than 1,098 WBNB.

Root cause: Scam/Rug Pull

Loss: over 1098 WBNB

Reference: Security alert from PeckShieldAlert

Claimable event: No

24. Mercenary Gold

Jan 26, 2022: PeckShieldAlert tweeted that it has detected a Rug Pull in Mercenary Gold, with a loss of more than $760,000.

Root cause: Scam/Rug Pull

Loss: over $760,000

Reference: Security alert from PeckShieldAlert

Claimable event: No

25. CoinExGem

Jan 26, 2022: The team of CoinExGem, a project on CoinEx Smart Chain, rug pulled by suddenly removing its liquidity from OneSwap.

Root cause: Scam/Rug Pull

Loss: Unknown

Reference: CoinExGem Rugged

Claimable event: No

26. Qubit

Jan 28, 2022: The Qubit protocol suffered an exploit of its QBridge deposit function. The hacker exploited a security flaw in Qubit’s smart contract code that let him send in a deposit of 0 ETH and withdraw almost $80 million in return.

Root cause: Smart Contract Vulnerability

Loss: approx. $80 million

Reference: Hackers have stolen $80 million from the Qubit DeFi platform

Claimable event: Yes (Smart Contract Vulnerability Cover)


Wonderland Issues

The last few days have seen reports and reactions explode regarding the ongoing events at Wonderland. InsurAce.io is dedicated to reducing risk and increasing security for all users and as such felt it was important to provide our community with an update regarding the situation with Wonderland.

Kindly read our take and findings on the situation here:

Community Update regarding recent Wonderland issues


The crypto industry has generated a lot of excitement; however, there are a lot of risks involved. Security incidents occur from time to time, so all users should enhance their own security awareness to avoid serious losses.

InsurAce.io currently offers insurance protection for:

  • Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
  • Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
  • IDO event risk: the smart contract of the covered IDO platform gets hacked;
  • Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.

For details on the coverage and exclusions for each cover, kindly read Cover Wording here.

👉 Get your investment funds protected with InsurAce.io: Buy Cover


About InsurAce.io

InsurAce.io is a decentralized multi-chain insurance protocol that aims to empower the risk protection infrastructure for the DeFi community. InsurAce.io offers portfolio-based insurance products with optimized pricing models to substantially lower the cost, launches insurance investment functions with flexible underwriting mining programs to create sustainable returns for the participants, and provides coverage for cross-chain DeFi projects to benefit the whole ecosystem.

At the time of writing, InsurAce.io has provided coverage to 100+ protocols, safeguarding $210M+ of DeFi assets on 16 public chains.

InsurAce.io is backed by DeFiance Capital, Parafi Capital, Alameda Research, Hashkey group, Huobi DeFiLabs, Hashed, IOSG, Signum Capital, LongHash Ventures and a dozen other top funds.
