Total hacks in August: 21
This shows the importance of security assessment, audit, code review, and of course, InsurAce!
Several other types of risk were also exposed, such as scams/rug pulls, social engineering attacks, custodian hacks and private key leaks.
Below is the summary of the hack events. 👇👇👇
- ZB
August 1, 2022: The ZB exchange was hacked with a total loss of around $4.3 million, leading to the suspension of deposits and withdrawals. The reason given was “Sudden failure of the core application”.
Root cause: Stolen Hot Wallet
Loss: $4.3M
Reference: Online News
Claimable event: Yes (Custodian Risk Cover)
- Reaper Farm
August 2, 2022: Reaper Farm’s multi-strategy vault contract, ReaperVaultV2, was hacked, resulting in more than $1.6 million worth of damage. Attackers took advantage of a vulnerability in the ReaperVaultV2 contract that let them destroy other users’ vault shares and withdraw the underlying tokens, thereby withdrawing large amounts of tokens from multiple vaults.
Root cause: Smart Contract Vulnerability
Loss: approx. $1.6M
Reference: Twitter Announcement from PeckShieldAlert
Claimable event: Yes (Smart Contract Cover)
- Nomad
Cross-chain token bridge Nomad was attacked by hackers through a smart contract vulnerability. A recent update to a smart contract allowed users to withdraw money from the bridge that did not belong to them without much technical knowledge, leading to a “free-for-all” attack.
Root cause: Smart Contract Vulnerability
Loss: $190M
Reference: Online News
Claimable event: No (Exclusion under smart contract cover)
- Solana
August 3, 2022: Around 8000 unique Solana software wallets were compromised and drained of SOL, USDC and other Solana-based tokens. Sources say the issue was not in the source code but possibly within software-based wallet apps that allowed hackers to access users’ assets in those wallets.
Root cause: Private Key Leak
Loss: approx. $4.5M
Reference: Twitter Announcement
Claimable event: No
- Velodrome
August 4, 2022: A team member of Velodrome Finance, Gabagool, stole operational funds from one of its wallets containing $350,000. Gabagool wanted to recoup the losses incurred during the 2022 crypto crash and planned on making $56,000 before returning the funds.
Root cause: Internal Theft
Loss: $350K
Reference: Online News
Claimable event: No
- GenomesDAO
August 6, 2022: The GenomesDAO project was hacked and funds were withdrawn from its LPSTAKING contract, which was repeatedly initialised at will to set key parameters, leading to a withdrawal of the collateral tied to the contract.
Root cause: Smart Contract Vulnerability
Loss: Not Disclosed
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
- Steven Galanis
August 6, 2022: The Apple ID of Steven Galanis, CEO of Cameo, was hacked, leading to the loss of a variety of NFTs, including a Bored Ape Yacht Club NFT. In addition, the hacker took Apecoin, three Otherside land plots, 1 Phanta Bear and 2 11CaptainsClub.
Root cause: Social Engineering Attack
Loss: approx. $230K
Reference: Twitter Announcement
Claimable event: No
- Saxon James Musk
August 7, 2022: Saxon James Musk, a meme token launched on BSC, has been rug pulled. Its token price plummeted by 68% when its developer decided to cash in on profits.
Root cause: Rug Pull
Loss: approx. $420K
Reference: Twitter Announcement by CertiK
Claimable event: No
- EGD Finance
August 8, 2022: EGD Finance on BSC was hacked, leading to an unexpected withdrawal of funds from its pool. A flash loan was used to manipulate the token price for profit. The hack was caused by the simplistic way rewards were calculated through its price-feeding mechanism.
Root cause: Price Manipulation
Loss: $36K
Reference: Online News
Claimable event: No
- Curve Finance
August 9, 2022: Curve Finance suffered a DNS hijacking which resulted in a loss of $570,000 through the approval of malicious contracts. The Curve Finance website was cloned and its DNS was changed, leading users to a fake website operated by hackers.
Root cause: DNS Attack
Loss: approx. $570K
Reference: Online News
Claimable event: No
- Blur Finance
August 10, 2022: Blur Finance, a DeFi yield aggregator that ran on BNB Chain and Polygon, has been rug pulled by its developers. Similar to previous rug pulls, the developers launched and popularised a DeFi application before launching its own token. Since the rug pull, its website and social media channels have been down, an indication that the developers have run off with the funds.
Root cause: Rug Pull
Loss: Approx. 600K
Reference: Online News
Claimable event: No
- Acala
August 14, 2022: A hacker exploited a bug within Acala Network’s iBTC/aUSD liquidity pool which led to the minting of 1.2 billion aUSD (Acala’s native stablecoin) without any collateral. This led to the depegging of aUSD to $0.01, which prompted Acala to enter maintenance mode and freeze the funds from the hacker’s wallet.
Root cause: Misconfiguration of liquidity pool
Loss: Not disclosed
Reference: Online news
Claimable event: Yes (Stablecoin De-peg Cover)
- The Bribe Protocol
August 18, 2022: Bribe Protocol, a project that seeks to incentivise token holders to govern, has been inactive on its socials for more than 3 months, leading some to suspect a rug pull. One of the investors of Bribe Protocol, Figment Capital, revealed that the project has been shut down and 86% of the funds have been returned to institutional investors, leaving retail investors in the lurch.
Root cause: Unknown
Loss: approx. $5.5M
Reference: Twitter Announcement
Claimable event: No
- Celer
August 18, 2022: Celer Network suffered from a DNS exploit that compromised the front end of cBridge. Users who gave access to malicious smart contracts were victims of the exploit that drained all approved tokens. Celer suspended cBridge in order to protect users from further mishaps.
Root cause: DNS Attack
Loss: approx. $240K
Reference: Online News
Claimable event: No
- Sudorare
August 23, 2022: SudoRare, an NFT platform, has been rug pulled with $815,000 in user funds and has since deleted all its social media accounts. The funds were transferred to three different addresses.
Root cause: Rug Pull
Loss: approx. $815K
Reference: Online news
Claimable event: No
- Kaoyaswap
August 24, 2022: BSC DeFi platform KaoyaSwap was hacked due to a flaw in the swap function logic of the protocol. A total of 37,294 BUSD and 271.2 wrapped BNB (WBNB) were stolen.
Root cause: Smart Contract Vulnerability
Loss: approx. 180K
Reference: Twitter Announcement by BlockSec
Claimable event: Yes (Smart Contract Cover)
- PokémonFi
August 24, 2022: PokémonFi has been rug pulled with a total of 701K, which saw the project’s two tokens, $PMC and $PMF, fall to zero. The project’s Twitter account has been deleted since then.
Root cause: Rug Pull
Loss: approx. 708K
Reference: Twitter Announcement by CertiK
Claimable event: No
- Sui
August 27, 2022: The Discord of Sui creator Mysten Labs has been hacked through malicious links. Users are warned not to click on any links. Some of the links are posted in announcement channels and lead to airdrops.
Root cause: Social Engineering Attack
Loss: Unknown
Reference: Twitter Announcement
Claimable event: No
- DDC
August 29, 2022: DDC’s handleDeductFee function was exploited and its key parameters were controlled. As a result, a large amount of USD could be swapped for a small amount of USDC.
Root cause: Smart Contract Vulnerabilities
Loss: approx. $104.6K
Reference: Twitter Announcement by BeosinAlert
Claimable event: Yes (Smart Contract Cover)
- OptiFi
August 29, 2022: The mainnet program of OptiFi, a derivative DEX, was shut down due to an operational error. As a result, 661K of USDC was locked. Fortunately, 95% of the funds belonged to team members. The remaining 5% of the funds will be returned to users.
Root cause: Team Operations Failure
Loss: approx. $661K
Reference: Twitter Announcement
Claimable event: No
- CUPID
August 31, 2022: A hacker used a flash loan to add liquidity into the Venus/USDT pair to obtain Venus LP tokens, which were sent to various addresses and converted to contract rewards in Cupid.
Root cause: Flash Loan Attack
Loss: approx. $78K
Reference: Twitter Announcement by BlockSec
Claimable event: No
The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, so all users should enhance their own security awareness to avoid serious losses.
InsurAce.io currently offers insurance protection for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.
For details on the coverage and exclusions for each cover, kindly read the Cover Wording.