Sunday, September 15, 2024

lazarus

Exploit Tracker

Stay informed with our Crypto Exploit Tracker, your go-to tool for monitoring the latest blockchain exploits and security incidents. This dashboard showcases the most recent attacks at the top, offering detailed insights into each exploit, including impact, involved tokens, recovery efforts, and relevant transaction details. Easily explore incidents with expandable views to enhance your security awareness and decision-making.

Crypto Attack Log

Indodax Exploit: $22 Million Stolen

Funds Lost: $22,000,000

Date: 10.09.2024

Quick Summary: On September 10, 2024, a major breach hit Indodax, Indonesia's leading crypto exchange, resulting in the loss of $22 million in various cryptocurrencies. Hackers took control of hot wallets and transferred the funds across multiple blockchains.

Exploit Details: Hackers accessed the hot wallets and executed unauthorized transfers across networks like Bitcoin, Ethereum, and Tron. The attackers used Tornado Cash to obfuscate their tracks. The attack is believed to have exploited weaknesses in the withdrawal system involving signature manipulation.

Block Data:

  • Bitcoin: bc1q5uqpn0ha5llrvhcvkq3nfalp8fj7qe3rydcvmf
  • Tron: TBooefeY6FvGuyKfvp5yE1HmzhzvXnvA1P
  • Ethereum: 0xb0a2e43d3e0dc4c71346a71484ac6a2627bbcbed
  • Polygon: 0x90fffbc09e9a5f6d035e92d25d67e244ef5e904f
  • Optimism: 0x3b8f1131a20e131c195bda6fdd6e9be38935eb6d

CUT Token Flash Loan Attack

Funds Lost: $1,400,000

Date: 10.09.2024

Quick Summary: A flash loan attack hit the Binance Smart Chain's CUT token liquidity pool on September 10, 2024. The attacker manipulated the CUT-BUSD pair, draining liquidity worth $1.4 million.

Exploit Details: The attacker exploited a flaw in the token's yield mechanics through a PancakeSwap flash loan, using the address 0x0917914b0A70ee7F1f2460Fcd487696856E31154 to manipulate the pool. The exploited pool was drained of its assets.

Penpie Exploit: Reentrancy Attack

Funds Lost: $27,000,000

Date: 03.09.2024

Quick Summary: On September 3, 2024, Penpie, a yield aggregator protocol, suffered a major reentrancy attack, with over $27 million in assets being drained.

Exploit Details: The attacker exploited the protocol’s contract to create fraudulent yield tokens. By executing multiple transactions, the hacker siphoned funds from the Penpie system.

Aave Contract Exploit

Funds Lost: $56,000

Date: 28.08.2024

Quick Summary: On August 28, 2024, Aave’s Repay With Collateral Adapter V3 suffered an exploit that led to the loss of $56,000.

Exploit Details: The exploit stemmed from a flaw in the _buyOnParaSwap function, where an unchecked token allowance led to unauthorized transfers of funds. The attacker exploited this to drain tokens from the contract.

Phishing on DeFi Saver Proxy

Funds Lost: $55,000,000

Date: 21.08.2024

Quick Summary: A phishing scam targeted a DeFi Saver Proxy user on August 21, 2024, leading to a loss of $55 million in DAI.

Exploit Details: The victim unknowingly signed a malicious transaction that gave the attacker control over their proxy, leading to the complete draining of their assets.

Vow Token Exploit

Funds Lost: $1,200,000

Date: 13.08.2024

Quick Summary: On August 13, 2024, the Vow project suffered an exploit where a vulnerability in token conversion resulted in the loss of $1.2 million.

Exploit Details: A smart contract bug allowed the attacker to create valueless tokens, which they converted into real assets by manipulating the burn rate, resulting in significant losses.

Nexera Access Control

Funds Lost: $449,000

Date: 07.08.2024

Quick Summary: On August 7, 2024, the Nexera platform experienced a major exploit where unauthorized access led to the theft of $449,000 in NXRA tokens.

Exploit Details: The attacker exploited security credentials to gain control of the Nexera Fundrs’ smart contracts and transfer millions of NXRA tokens to an external address.

Ronin Bridge Hack

Funds Lost: $12,000,000

Date: 06.08.2024

Quick Summary: The Ronin Network's bridge was hacked on August 6, 2024, with losses totaling $12 million in ETH and USDC due to a contract vulnerability.

Exploit Details: The attackers exploited an uninitialized variable in the updated bridge contract to execute unauthorized withdrawals. A failure in security protocols enabled the attacker to gain access to critical funds.

Convergence Finance Exploit

Funds Lost: $210,000

Date: 01.08.2024

Quick Summary: On August 1, 2024, Convergence Finance faced an exploit in their liquidity pools, leading to the loss of $210,000 worth of assets.

Exploit Details: A vulnerability in the reward distribution contract allowed the attacker to claim excessive rewards, which they then swapped for assets, draining liquidity pools.

Terra Blockchain Exploit

Funds Lost: $6,500,000

Date: 31.07.2024

Quick Summary: Terra Blockchain suffered an exploit on July 31, 2024, leading to a $6.5 million loss in assets due to an oracle manipulation attack.

Exploit Details: The exploit targeted price feeds from the oracle contract, manipulating the price of TerraUSD to allow for massive liquidations across the ecosystem.

Karastar Access Exploit

Funds Lost: $69,000

Date: 26.07.2024

Quick Summary: Karastar, a GameFi project, suffered an attack on July 26, 2024, resulting in the theft of $69,000. The hacker exploited a backdoor function in the contract to steal tokens.

Exploit Details: The attacker upgraded several contract implementations to bypass access controls and used the transfer(address token, address fromUser, uint256 value) function to siphon tokens from the platform.

WazirX: India K Exploit

Funds Lost: $230,000,000

Date: 18.07.2024

Quick Summary: WazirX, a prominent Indian crypto exchange, was compromised on July 18, 2024, losing approximately $230 million in Ethereum-based assets.

Exploit Details: Attackers infiltrated the exchange’s multi-signature wallet system by compromising multiple signer accounts. They were able to swap signers' Externally Owned Accounts (EOAs) and replace the multisig implementation.

ETHTrustFund Rugpull

Funds Lost: $2,200,000

Date: 16.07.2024

Quick Summary: The crypto project ETHTrustFund, once regarded as promising, was revealed as a scam on July 16, 2024, when the developer moved $2.2 million in funds from the treasury to a private wallet, initiating a rug pull.

Exploit Details: The developer, known only as "Peng," drained the treasury by moving all the assets to a new address. The ETHTrustFund project was a fork of the $OHM project, which had leveraged hype and built a community, only to collapse under the exit scam.

NEVER Token Rugpull

Funds Lost: $240,000

Date: 16.07.2024

Quick Summary: The NEVER token project, operating on the Binance Smart Chain, was exit scammed on July 16, 2024, resulting in a $240,000 loss for investors.

Exploit Details: A backdoor within the smart contract allowed insiders to dump tokens on PancakeSwap without holding them in their wallet, leading to the drain of project funds.

LI.FI Exploit

Funds Lost: $8,000,000

Date: 16.07.2024

Quick Summary: On July 16, 2024, LI.FI, a cross-chain DeFi protocol, was exploited, resulting in an $8 million loss due to a vulnerability in its GasZipFacet.sol contract.

Exploit Details: A bug in the depositToGasZipERC20 function allowed an attacker to execute arbitrary code and perform unauthorized transfers from the protocol, using carefully crafted calldata to exploit the protocol's swap mechanism.

Minterest Exploit

Funds Lost: $1,460,000

Date: 15.07.2024

Quick Summary: Minterest fell victim to an exploit on July 15, 2024, with the loss of $1.46 million in cryptocurrency, primarily ETH, due to a flash loan attack on the Mantle Network.

Exploit Details: The attacker used a reentrancy vulnerability in Minterest's flashloan contract, manipulating the market's cash balances to borrow mETH tokens, which they then exchanged for ETH.

Dough Finance Flash Loan Attack

Funds Lost: $1,800,000

Date: 12.07.2024

Quick Summary: Dough Finance, a DeFi protocol, was exploited on July 12, 2024, in a flash loan attack, resulting in the loss of $1.8 million in assets, primarily in USDC.

Exploit Details: The attacker exploited a vulnerability in the ConnectorDeleverageParaswap contract, using a flash loan to drain liquidity and swap assets for ETH, which was later mixed via Tornado Cash.

Smart Bank Token Flash Loan Exploit

Funds Lost: $56,000

Date: 11.07.2024

Quick Summary: Smart Bank Token, operating on the Binance Smart Chain, was exploited on July 11, 2024, in a flash loan attack that resulted in $56,000 in losses.

Exploit Details: The attacker utilized a flash loan from PancakeV3Pool to manipulate the vulnerable Smart Bank Token contract, creating an opportunity to profit by draining liquidity from the protocol.

CoinStats Phishing Exploit

Funds Lost: $2,000,000

Date: 22.06.2024

Quick Summary: CoinStats, a popular cryptocurrency portfolio tracker, was hacked on June 22, 2024. Users lost approximately $2 million due to phishing attacks that targeted wallets created within CoinStats.

Exploit Details: Hackers sent phishing messages to CoinStats users, tricking them into providing access to their wallets. The stolen funds were linked to North Korea’s Lazarus Group.

Sportsbet.io Exploit

Funds Lost: $3,500,000

Date: 21.06.2024

Quick Summary: On June 21, 2024, Sportsbet.io, a popular online crypto sports betting platform, was hacked, resulting in a $3.5 million loss. The hack was likely linked to a larger attack that previously affected BtcTurk.

Exploit Details: The hacker targeted Sportsbet.io's wallets, stealing USDT and TRX. Crypto investigators believe this attack is part of a larger series of breaches by the same malicious actor.

Farcana Exploit

Funds Lost: $440,000

Date: 19.06.2024

Quick Summary: On June 19, 2024, the Farcana GameFi project was exploited, with an attacker stealing approximately $440,000 due to a leaked private key.

Exploit Details: The attacker gained access to one of Farcana’s treasuries by compromising an externally owned account (EOA) and transferred assets to an external wallet, later mixing the funds via Tornado Cash.

Pendle Phishing Exploit

Funds Lost: $1,400,000

Date: 19.06.2024

Quick Summary: On June 19, 2024, a Pendle protocol user fell victim to a phishing attack and lost $1.4 million in Ethereum.

Exploit Details: The attacker tricked the user into signing a malicious transaction, which gave them access to the user’s wallet and enabled them to transfer funds to their own address.

Holograph Exploit

Funds Lost: $14,400,000

Date: 13.06.2024

Quick Summary: In June 2024, Holograph, an NFT protocol, experienced a $14.4 million exploit after a former developer used a vulnerability in the smart contract to mint 1 billion HLG tokens.

Exploit Details: The hacker took advantage of their previously assigned permission to mint tokens, creating a massive supply of HLG, which led to a token crash. The tokens were later transferred to Ethereum and sold.

YYS Token Exploit

Funds Lost: $29,000

Date: 08.06.2024

Quick Summary: YYS token on the Binance Smart Chain was exploited on June 8, 2024, in a flash loan attack, leading to a loss of $29,000.

Exploit Details: The attacker borrowed USDT from PancakeSwap’s V3 pool and used it to manipulate the YYS token contract's sell function, extracting liquidity from the protocol.
