Hack Incidents Follow-up
This metric provides a follow-up on hack incidents, such as the exploitation of the Harmony ecosystem's cross-chain bridge Horizon and the NFT lending protocol XCarnival.
MistTrack: Parity Wallet's 2017 Stolen Funds Move Again, Hackers Still Hold 137,000 ETH
KingData News: The hacker who attacked Parity's multi-signature wallet in 2017 has begun laundering ETH held in his address beginning with 0x2d14 through the coin mixer eXch, security team SlowMist's MistTrack tweeted. The hacker still holds 137,000 ETH, currently worth about $174 million. As previously reported, a hacker exploited a vulnerability in the Parity wallet in 2017 and transferred over 150,000 ETH (worth about $30 million at the time of the hack), and has since recovered 377,000 of them.
PeckShield: Another set of profiteers made about $3.5 million from the Ankr breach, and the profits were transferred to Binance
KingData News: According to PeckShield, the address starting with 0x9bae has made about $3.5 million in profits from the Ankr exploit and has transferred about 1.87 million BUSD and 1.63 million USDC to Binance.
Ankr Hackers Exchange Stolen Funds for 5,500 BNBs and 5.34 Million USDC
KingData News: Security firm CertiK Alert tweeted that the Ankr exploiter's address 0xf3a465 exchanged 10 trillion aBNB tokens for 5,500 BNB and 5.34 million USDC (about $7 million in total). The developer's address still holds about 60T aBNB tokens and about 100 BNB. To date, 900 BNB have been sent to Tornado Cash, 5.34 million USDC to bridges, 3.7 million USDC to Celer Network cBridge, and 1.64 million USDC to addresses beginning with 0xd1C5.
Some of Shen Bo's Stolen Funds Were Converted to DAI Through Uniswap V3
KingData News: The personal wallet of Distributed Capital founder Bo Shen was compromised, with approximately $42 million in funds stolen. Monitoring by the Beosin EagleEye platform shows that most of the stolen funds have now been converted to DAI and transferred to addresses beginning with 0x4a and 0x66, with 1,606 ETH in addresses beginning with 0x24. More specifically, according to 0xScope, the hacker gave the proxy 38.2M USDC, the proxy borrowed 38.1M DAI from Aave and transferred it to the hacker, and the proxy then used the hacker's USDC to swap for DAI on Uniswap to repay the debt. The proxy earned $0.1M while the hacker "got clean money".
FTX Attack Hackers Still Hold About $282 Million in Crypto Assets on Ethereum
KingData News: Data from Arkham Intelligence, a crypto intelligence platform, shows that as of today the wallets associated with the FTX attack still hold approximately $282 million in crypto assets on Ethereum, including $215 million in ETH, $48 million in DAI, $44 million in BNB on the BSC chain, $20 million in frozen PAXG, $4 million in USDT on Avalanche and $3.8 million in MATIC on Matic Bridge.
Deribit Has about 6947 ETH, 691 BTC and 3.4 million USDC Stolen
KingData News: The $28 million stolen from Deribit's hot wallet consisted of 6947 ETH (about $10.8 million), 691 BTC (about $14.1 million) and about 3.4 million USDC, according to on-chain data. The attacker converted the USDC to about 2133 ETH and currently holds 9080 ETH at address 0xb0...A44CD and 691 BTC at address bc1q...x6pvk. In addition, Binance founder Changpeng Zhao said he has asked his team to monitor and help freeze any stolen Deribit funds that were transferred to Binance.
Deribit's Hot Wallet Stolen for $28 Million, Losses to be Covered by Company Reserves
KingData News: Deribit, a crypto derivatives trading platform, tweeted that its hot wallet was compromised, losing $28 million in funds, and that the loss will be covered by the company's reserves. Client assets, Fireblocks or any of the cold storage addresses are not affected. It's company procedure to keep 99% of our user funds in cold storage to limit the impact of these types of events. Deribit is performing ongoing security checks and has to halt withdrawals, including third-party custodians Copper Clearloop and Cobo.
PeckShield: KUMALEON Hacked, 111 NFTs Stolen So Far
KingData News: According to PeckShield monitoring, the Discord community of the NFT series KUMALEON has been hacked and 111 NFTs have been stolen, including BAYC #5313, ENS and others. Users participating in the program need to revoke their wallet privileges and transfer their funds to a new wallet.
PeckShield: White Hat Hackers in Team Finance Incident Have Returned $13.4 Million
KingData News: According to PeckShield's monitoring, the white-hat hackers in the incident at Team Finance, a DeFi project on Ethereum, have returned $13.4 million, including 548.7 ETH to FEG (about $860,000), 765,000 DAI and 11.8 million TSUKA to Tsuka ($626,000), 74.6 trillion CAW ($5.5 million) to CAW, and 209 ETH ($328,000) to KNDX; smithbot.eth has also returned 263 billion KNDX ($292,000) to KNDX. As previously reported, Team Finance was hacked and lost $14.5 million.
PeckShield: Multi-chain Wallet UvToken Attacked, 5,011 BNBs Transferred to Tornado Cash
KingData News: According to PeckShield monitoring, the multi-chain wallet UvToken has been attacked and the price of the token UVT has dropped 99% in a short period of time. The attackers have transferred about 5,011 BNBs to Tornado Cash.
FTX Phishing Attackers Have Transferred Profitable Funds to FixedFloat and Binance
KingData News: According to MistTrack, the attackers in the FTX phishing incident have transferred their profits to crypto exchanges FixedFloat and Binance. This comes after FTX founder Sam Bankman-Fried (SBF) said that if the attackers return 95% of the $6 million stolen from FTX accounts within 24 hours, the attackers will be absolved of any liability.
FTX to Provide Approximately $6 Million in One-Time Compensation to Accounts Affected by Phishing Incidents
KingData News: FTX founder Sam Bankman-Fried (SBF) tweeted that some users accidentally registered on fake versions of other sites, including 3Commas, and provided FTX API keys to use those sites' trading tools, and that other users may have been phished through other methods. FTX will provide approximately $6 million in compensation to account holders affected by phishing incidents through third-party websites, but "this is a one-time thing. We will not make a habit of compensating for users getting phished by fake versions of other companies". In addition, he said that if the attackers return 95 percent of the $6 million stolen from FTX accounts within 24 hours, "we will release them from liability".
MangoDAO to Use 42 Million USDC to Compensate Users for Losses
KingData News: A Mango community proposal to transfer 42 million USDC has been voted on, with the funds earmarked to compensate Mango v3 depositors for the previously agreed bad debts caused by the exploitation of the price oracle, according to a proposal earlier this week.
Ethereum Alarm Clock Exploit Leads to $260K in Stolen Gas Fees so far
KingData News: A bug in the smart contract code for the Ethereum Alarm Clock service has reportedly been exploited, with nearly $260,000 said to have been swiped from the protocol so far. The Ethereum Alarm Clock enables users to schedule future transactions by pre-determining the receiver address, sent amount, and desired time of transaction. Users must have the required Ether on hand to complete the transaction and need to pay the gas fees upfront. According to an Oct. 19 Twitter post from blockchain security and data analytics firm PeckShield, hackers managed to exploit a loophole in the scheduled transaction process which allows them to make a profit on returned gas fees from canceled transactions.
Moola Market Attackers Return 93.1% of Stolen Funds
KingData News: Moola Market tweeted that following today's incident, 93.1% of funds have been returned to the Moola governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community about next steps, and to safely restart operations of the Moola protocol.
Mango Markets Proposes Plan to Pay Back Victims After $114 Million Hack
KingData News: Mango Markets is proposing to pay back users with different tokens following a $114 million hack last week. The platform will use a snapshot of balances from an hour before the attacker made his first deposit on Oct. 11 at 6:19 p.m. ET. Mango Markets presented the motion in a Discord community call this morning. The DAO will have 72 hours to vote on the proposal once it's published. All perpetual futures, or borrowed funds, will be settled based on the time of the snapshot, and the Profit and Loss (PNL) will be converted to USDC.
LiveArtX: Hackers stole 197 NFTs, have upgraded contracts and frozen stolen NFTs
KingData News: In the official Discord, members of the NFT platform LiveArtX team said that the hackers stole 100 NFTs saved in the treasury and 97 NFTs originally intended for activity (stored at addresses starting with 0xCaF6) in the attack. The hackers then sold the stolen NFTs quickly by accepting bids, causing the NFT floor price to drop rapidly. The team has now upgraded the contract and frozen the stolen NFTs, and will buy back and provide additional compensation to those who have already purchased such NFTs. The team said that a large number of NFTs were stolen because it failed to separate the treasury wallet from the operations wallet and failed to set up the treasury wallet as a multi-signature wallet, leaving multiple team members with private keys and increasing the risk of hacking.
LiveArt Will Buy Back and Compensate Users Who Purchased NFT from Hacked Addresses
KingData News: The treasury wallet of the Meta-morphic: Seven Treasures series published by NFT platform LiveArtX has been stolen. According to the official announcement, LiveArt said it would take full responsibility for the theft of the treasury. According to the official investigation, the hacker gained access to the Treasury wallet at 4:24:11 p.m. UTC on Oct. 16, and 197 NFTs were transferred to the hacker's address 0x5f7848EC0286304DC5FE6497AF4B3C0FeaD6A920 24 seconds later, after which the transaction was pending. At present, LiveArt has upgraded the contract, the token ID of the stolen NFT is frozen and the related NFT can no longer be traded. The team will buy back and compensate users who have purchased NFTs from the hacker's address and destroy the stolen NFTs. The LiveArt team is currently proposing two possible solutions that will initiate discussions within the community. One is to migrate Meta-morphic: Seven Treasures to a new contract and airdrop it to users as it was distributed before the theft; the second is to continue using the existing NFT contract, where the LiveArt team would buy Meta-morphic blind boxes from the market and rebuild the treasury.
NFT Platform LiveArtX Official Wallet Stolen, Several Reserved NFTs Dumped
KingData News: NFT platform LiveArtX tweeted that its official wallet was stolen, that it is doing its best to resolve the issue, and that it will keep the community updated. According to information on the NFTGo.io page, the NFT floor price of the Meta-morphic: Seven Treasures series issued by LiveArtX fell to 0.2 ETH, a 24-hour drop of 83.87%. In addition, the series turnover increased by 597.76% in 24 hours.
TempleDAO Attackers Have Transferred 1831 ETH to Tornado Cash
KingData News: On-chain data shows that the attackers of the DeFi protocol TempleDAO have transferred funds via Tornado Cash, with 18 transactions of 100 ETH, 3 transactions of 10 ETH, and 1 transaction of 1 ETH transferred to Tornado Cash respectively. As previously reported, TempleDAO was attacked on October 11 and the attackers profited by 1,831 ETH.
PeckShield: Mango Attackers Transfer $7.8 Million in Tokens to Mango Upgrade Committee Wallet
KingData News: According to PeckShield, the attackers of Mango, a DeFi platform in the Solana ecosystem, transferred approximately $7.8 million worth of tokens to a wallet controlled by the Mango Upgrade Council (9mM6NfXau...26wY). As previously reported, the Mango attackers launched a proposal to use about 70 million USDC from the Mango treasury to pay off bad debts, and if this proposal is approved, the hackers will transfer MSOL, SOL and MNGO from the account to the address posted by the Mango team.
More Than $718 Million Has Been Stolen Since October, With Hackers Earning More Than $3 Billion
KingData News: October is now the biggest month in the biggest year ever for hacking activity, with more than half the month still to go. So far this month, $718 million has been stolen from DeFi protocols across 11 different hacks. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. So far, hackers have grossed over $3 billion across 125 hacks. Cross-chain bridges remain a major target for hackers, with 3 bridges breached this month and nearly $600 million stolen, accounting for 82% of losses this month and 64% of losses all year.
Mango Attackers Launch Community Vote on Proposal to Repay Bad Debt; Voting to End in 3 Days
KingData News: The Mango attackers have launched a community vote on a proposal to pay off bad debts. The proposal states that the Mango treasury has about 70M USDC available to repay bad debt. All users who do not have bad debts will be compensated. Any bad debt will be considered a bug bounty / insurance and paid from the Mango treasury. If the proposal is approved, the attacker will send MSOL, SOL and MNGO from the account to the address published by the Mango team. In addition, the attackers have requested that the tokens be returned without being held criminally liable. Voting on the proposal will end in 3 days, with 99.9% of the vote currently in favor of the proposal. This news comes on the heels of a potential $100 million attack on Mango, a Solana-based DeFi platform. The attackers manipulated their Mango collateral and temporarily increased the value of the collateral, then obtained a large loan from the Mango treasury.
UXD Protocol Affected by Nearly $20 Million in Mango Attack
KingData News: UXD Protocol, a stablecoin protocol in the Solana ecosystem, was affected in the Mango attack, with a total of $19,986,134.9037 impacted. UXD Protocol said, "Our insurance fund has more than enough capital to cover losses. UXD is 100% backed and users will be able to redeem once Mango Markets recovers from the exploit. The insurance fund has a total of $53,527,304.7757 in capital. UXD Protocol has paused minting of UXD temporarily to minimize risk. Once we are confident that the issue with Mango Markets is solved, we will re-enable minting." In the meantime, users can swap UXD for USDC at JupiterExchange. There is enough liquidity for UXD holders to swap for USDC at par value.
PeckShield: JumpnFinance Project Rug pull, 2,100 BNBs Transferred to Tornado Cash
KingData News: According to PeckShield, a rug pull is suspected to have occurred on the JumpnFinance project, with 2,100 BNB ($582,225) transferred to Tornado Cash and the remaining 2,058 BNB still stored at the attacker's address.
Beosin: Xave Finance hacked, leading to 1000x increase in RNBW
KingData News: According to the Beosin EagleEye platform monitoring, the Xave Finance project was hacked, resulting in a 1,000-fold increase in RNBW. The attack transaction is 0xc18ec2eb7d41638d9982281e766945d0428aaeda6211b4ccb6626ea7cff31f4a. Analysis by the Beosin security team found that the attacker first created the attack contract 0xe167cdaac8718b90c03cf2cb75dc976e24ee86d3. The attack contract then called the executeProposalWithIndex() function of the DaoModule contract 0x8f90 to execute a proposal whose content was to call the mint() function to mint 100,000,000,000,000 RNBW and transfer ownership rights to the attacker. Finally, the hacker converted it to xRNBW and stored it at the attacker's address (0x0f44f3489D17e42ab13A6beb76E57813081fc1E2). The stolen funds are still stored at the attacker's address and Beosin Trace will keep track of the stolen funds.
Cosmos Associates: Hackers Forge Merkle Proofs via RangeProof in BNB Chain Attack
KingData News: Ethan Buchman, co-founder of Cosmos, commented on the BSC cross-chain bridge attack, saying that the crux of the problem in this incident was that the hackers were able to forge Merkle proofs. This is not supposed to be possible - Merkle proofs are supposed to provide high integrity. Blockchain light clients (and IBC) are built on Merkle proofs, so it's important to get them right.
TransitFinance Has Now Started The First Part of The Refund of Users' Assets (about 68%)
KingData News: TransitFinance has now started the first part of the refund of users' assets (about 68%). Users affected by the incident can now claim it. For users who have leaked their private keys and mnemonics due to personal reasons, the TransitFinance Team will assist them to return their assets safely as soon as possible. In early October, TokenPocket's cross-chain transaction aggregator Transit Swap was attacked, and according to SlowMist, the total known stolen losses exceeded $28 million. The fourth wave of attackers in the hack (Hacker#4) stole approximately $246,000, which has been fully refunded. Hacker#2 and Hacker#5 have already refunded some of the hacked assets.
BXH Releases Stolen Incident Buyback Program, Plans to Buy Back 5% of VToken on Sept. 27
KingData News: In response to the previous theft, BXH officially released a buyback program, planning to buy back 5% of VToken on September 27th. Users should submit information such as the address of the wallet involved in the pledge and the corresponding public chain, the type and quantity of VToken currently held, etc. via email. As previously reported, a total of $2.5 million worth of assets and 38 million BXH tokens were stolen from BXH on September 21.
Wintermute: Hacking Only Affects DeFi Business, Has Enough Funds to Repay All Loans
KingData News: Cryptocurrency market maker Wintermute tweeted that the hack only affected its DeFi business and that no other business was affected. Wintermute suspended trading for a few hours after yesterday's hack as a risk management measure and resumed trading in CeFi and OTC yesterday afternoon UTC. Wintermute is still able to meet its settlement obligations in fiat or cryptocurrency, the liquidity service has returned to normal, the loans used to provide liquidity are unaffected and there are still sufficient funds to repay all loans. In addition, Wintermute also stated that the hack was not related to DeFi smart contracts and did not affect any of Wintermute's internal systems, and that no third party or Wintermute data was compromised.
Hacked Crypto Market Maker Wintermute Has $200M in Outstanding DeFi Debt
KingData News: Cryptocurrency market maker Wintermute, the victim of Tuesday's $160 million hack, has over $200 million in outstanding DeFi debt to several counterparties, according to on-chain data. The largest debt involves a $92 million tether (USDT) loan issued by TrueFi, which is due to mature on Oct. 15. Wintermute's loan book also includes a $75 million debt, comprised of USDC and wrapped ether (WETH), owed to Maple Finance and a $22.4 million debt owed to Clearpool.
Wintermute Founder: 10% Bounty If Hackers Return $160M in Assets
KingData News: Evgeny Gaevoy, founder of cryptomarket maker Wintermute, tweeted that the attack was in relation to our wallet used for DeFi proprietary trading operations, which are completely separate and independent from our CeFi and OTC operations. The attack was likely linked to the Profanity-type exploit of our DeFi trading wallet. We did use Profanity and an internal tool to generate addresses with many zeroes in front. Last time we generated addresses this way was in June. We have since moved to a more secure key generation script. As we learned about the Profanity exploit last week, we accelerated the “old key” retirement. And then, due to an internal (human) error, a wrong function has been called and we blacklisted the router instead of the operator (contract that signs). To the hacker, we offer a 10% bounty on funds taken. To make it easy, we propose for you to transfer all of the funds taken through the exploit, save for $16M USDC, to: 0x4f3a120E72C76c22ae802D129F599BFDbc31cb81.
Maple: Wintermute has the ability to absorb losses, protocol depositors are not affected
KingData News: Maple Finance, an institutional lending protocol, tweeted that it was in communication with Wintermute, which said it was well positioned to cover losses from the hack and would continue to service Maple Finance loans, so depositors would not be affected. Wintermute's most recent financials support that there is sufficient equity buffer to meet their obligations and they are providing refreshed financials to the Delegates for review. As previously reported, on August 11, Maple Finance launched a $40 million liquidity pool backed by crypto-native investment firm Maven 11, with borrowers including Wintermute.
BlockSec: The root cause of the attack on Wintermute was a private key leak
KingData News: In response to the attack on the Wintermute wallet, BlockSec tweeted that the root cause of the attack on Wintermute was a private key compromise. The attacker used the leaked private key to execute a privileged function and specify the swap contract as the attacker-controlled one (0x0248f752802b2cfb4373cc0c3bc3964429385c26). The assets will be transferred to this contract.
PeckShield: About 73% of the $160 million stolen from Wintermute was in stablecoins
KingData News: PeckShield says about 73% of the $160 million stolen from Wintermute is in stablecoins (DAI, USDT, USDC, USDP), 8% in WBTC, and 6% in ETH. The attackers are currently depositing $114 million in CRV as LP. In previous news, Wintermute had approximately $160 million stolen from its DeFi operation.
Wintermute's DEX Bebop Announces Suspension of Trading
KingData News: DEX Bebop, the decentralized trading platform launched by crypto market maker Wintermute, tweeted that today Wintermute experienced a hack. Wintermute is incubating Bebop and is providing liquidity to Bebop. We are temporarily pausing trading on Bebop. The trading will be restored within days as normal. Bebop says that its contracts are unaffected and that users' funds and private keys are safe. The news comes on the heels of the June announcement that Wintermute will launch the new DEX Bebop on Ethereum.
Data: The Wintermute hacker address is now the third largest holder of 3Crv, currently holding nearly 7,000 ETH and multiple ERC-20 tokens as well
KingData News: The wallet address flagged by Etherscan as the Wintermute hacker currently holds 6,927 Ether, or approximately $9.44 million. In addition, the wallet holds 671.24 WBTC (approximately $13 million), over 3.97 million USDP, 1,789,602 Somnium Space Cubes tokens CUBE (approximately $2.34 million), 59,407 Maple Token tokens MPL (approximately $1.18 million), nearly 1.02 million CRV (approximately $0.99 million), over 2.17 million YGG (approximately $0.83 million) and over 70 ERC-20 tokens with a total current value of $38.25 million. At 13:39 today, the address gained 111,953,508 3Crv by adding liquidity to the Curve DAI/USDC/USDT pool. It is currently the third largest holder of 3Crv. Previously, Wintermute lost $160 million in the DeFi hack, according to Evgeny Gaevoy, founder and CEO of Wintermute.
Wintermute loses $160 million in DeFi hack, service to be suspended for days
KingData News: Evgeny Gaevoy, founder of cryptocurrency market maker Wintermute, tweeted that Wintermute lost $160 million in the DeFi hack and that CeFi and OTC operations were unaffected. Of the 90 assets hacked, only two had a nominal value of more than $1 million (no more than $2.5 million), so it is not expected to cause much of a sell-off in the market. Wintermute is still willing to consider the attackers as "white hat hackers" and calls on the attackers to come forward and contact Wintermute. In addition, Evgeny Gaevoy said that Wintermute's current solvency is twice its remaining equity and that Wintermute's services may be interrupted today and in the coming days, before resuming normalcy.
PeckShield: DAO Maker Attacker Address Again Transfers 500,000 DAIs to Tornado Cash
KingData News: According to PeckShield monitoring, the address of the hacker who attacked crypto incubator DAO Maker has transferred 500,000 DAI to Tornado Cash. In previous news, DAO Maker was hacked and lost about $7 million.
Kyber Network Attackers Return Funds by September 6 to Receive 15% Vulnerability Bounty
KingData News: Kyber Network, the on-chain liquidity protocol, tweeted that this is the last public statement against the attacker and that the team has been collecting all data and logs traceable to the attacker and is working with partners, security experts and law enforcement to take the next step. Attackers who return funds through a centralized exchange by 17:00 GMT on September 6 (17:00 BST on September 7) will receive a 15 percent bounty for the breach. In previous news, KyberSwap was attacked, losing a total of $265,000 from two addresses, and the Binance security team said on September 3 that it had identified two suspects in the attack on KyberSwap.
CertiK: ShadowFi Privacy Token SDF Hacked, Hackers Make About $300,000 in Profits
KingData News: Privacy token ShadowFi (SDF) has been hacked and the coin price has plummeted 99%, according to CertiK monitoring. The hackers exploited a vulnerability in SDF that allowed anyone to burn the tokens, and have since exchanged the tokens they profited from for 1,078 BNB (about $300,000) and transferred them to TornadoCash.