Web3 Security
Exploit Tracker
Stay informed with our Crypto Exploit Tracker, your go-to tool for monitoring the latest blockchain exploits and security incidents. This dashboard showcases the most recent attacks at the top, offering detailed insights into each exploit, including impact, involved tokens, recovery efforts, and relevant transaction details. Easily explore incidents with expandable views to enhance your security awareness and decision-making.
uniBTC Minting Logic Exploit
Funds Lost: $1,700,000
Date: 26.09.2024
Quick Summary: On September 26, 2024, uniBTC experienced a protocol logic vulnerability that led to a $1.7 million loss. The attacker exploited the minting mechanism to create unlimited tokens.
Exploit Details: The flaw in the minting logic allowed the hacker to generate an infinite number of uniBTC tokens, which were then dumped onto the market, causing significant devaluation and financial loss.
Onyx Liquidation Logic Exploit
Funds Lost: $4,000,000
Date: 26.09.2024
Quick Summary: On September 26, 2024, Onyx was targeted through a liquidation logic flaw, resulting in a $4 million loss. The exploit manipulated the liquidation process to drain funds.
Exploit Details: The attacker exploited a vulnerability in the liquidation logic, allowing them to force liquidations under unfavorable conditions and siphon off substantial funds from the protocol.
Truflation Private Key Compromise
Funds Lost: $5,000,000
Date: 25.09.2024
Quick Summary: On September 25, 2024, Truflation faced a severe security breach where malware led to the compromise of a private key, resulting in a $5 million loss.
Exploit Details: Malware infiltrated Truflation's infrastructure, compromising a critical private key. This allowed the attacker to access and drain funds from the platform, causing substantial financial damage.
Shezmu Infinite Mint and Dump
Funds Lost: $4,900,000
Date: 20.09.2024
Quick Summary: On September 20, 2024, Shezmu was exploited through a protocol logic flaw that allowed for infinite minting and subsequent dumping of tokens, leading to a $4.9 million loss.
Exploit Details: The vulnerability in Shezmu's minting logic enabled the attacker to create unlimited tokens. These tokens were then rapidly sold on the market, causing a significant drop in token value and substantial financial loss.
BingX Exchange Compromised
Funds Lost: $52,000,000
Date: 20.09.2024
Quick Summary: Singapore’s BingX Exchange suffered a hack of over $50 million on September 20, 2024. The hacker exploited vulnerabilities to withdraw funds from BingX's 15 hot wallets.
Exploit Details: The breach targeted multiple chains, including Ethereum, Binance Smart Chain, Base, Optimism, Polygon, Arbitrum, and Avalanche. BingX activated emergency protocols, suspended withdrawals, and transferred assets to safety. Most funds are secure in cold wallets.
DeltaPrimeDefi Exploit on Arbitrum Chain
Funds Lost: $6,000,000
Date: 16.09.2024
Quick Summary: On September 16, 2024, DeFi platform Delta Prime suffered a breach exceeding $6 million on the Arbitrum chain. The attack is ongoing, with pools still being drained.
Exploit Details: It appears the admin lost the private key. The attacker gained control of the admin wallet and upgraded contracts to malicious versions, draining pools like DPUSDC, DPARB, and DPBTCb. The stolen USDC was swapped to ETH.
Block Data:
- Suspicious Address: 0x0ef5a5130c795dba28e6b2cbfda05cf1ef81cc54
Indodax Exploit: $22 Million Stolen
Funds Lost: $22,000,000
Date: 10.09.2024
Quick Summary: On September 10, 2024, a major breach hit Indodax, Indonesia's leading crypto exchange, resulting in the loss of $22 million in various cryptocurrencies. Hackers took control of hot wallets and transferred the funds across multiple blockchains.
Exploit Details: Hackers accessed the hot wallets and executed unauthorized transfers across networks like Bitcoin, Ethereum, and Tron. The attackers used Tornado Cash to obfuscate their tracks. The attack is believed to have exploited weaknesses in the withdrawal system, targeting signature manipulation.
Block Data:
- Bitcoin: bc1q5uqpn0ha5llrvhcvkq3nfalp8fj7qe3rydcvmf
- Tron: TBooefeY6FvGuyKfvp5yE1HmzhzvXnvA1P
- Ethereum: 0xb0a2e43d3e0dc4c71346a71484ac6a2627bbcbed
- Polygon: 0x90fffbc09e9a5f6d035e92d25d67e244ef5e904f
- Optimism: 0x3b8f1131a20e131c195bda6fdd6e9be38935eb6d
CUT Token Flash Loan Attack
Funds Lost: $1,400,000
Date: 10.09.2024
Quick Summary: A flash loan attack hit the Binance Smart Chain's CUT token liquidity pool on September 10, 2024. The attacker manipulated the CUT-BUSD pair, draining liquidity worth $1.4 million.
Exploit Details: The attacker exploited a flaw in the token's yield mechanics through a PancakeSwap flash loan, using the address 0x0917914b0A70ee7F1f2460Fcd487696856E31154 to manipulate the pool. The exploited pool was drained of its assets.
Penpie Exploit: Reentrancy Attack
Funds Lost: $27,000,000
Date: 03.09.2024
Quick Summary: On September 3, 2024, Penpie, a yield aggregator protocol, suffered a major reentrancy attack, with over $27 million in assets being drained.
Exploit Details: The attacker exploited the protocol’s contract to create fraudulent yield tokens. By executing multiple transactions, the hacker siphoned funds from the Penpie system.
Aave Contract Exploit
Funds Lost: $56,000
Date: 28.08.2024
Quick Summary: On August 28, 2024, Aave’s Repay With Collateral Adapter V3 suffered an exploit that led to the loss of $56,000.
Exploit Details: The exploit stemmed from a flaw in the _buyOnParaSwap function, where an unchecked token allowance led to unauthorized transfers of funds. The attacker exploited this to drain tokens from the contract.
Phishing on DeFi Saver Proxy
Funds Lost: $55,000,000
Date: 21.08.2024
Quick Summary: A phishing scam targeted a DeFi Saver Proxy user on August 21, 2024, leading to a loss of $55 million in DAI.
Exploit Details: The victim unknowingly signed a malicious transaction that gave the attacker control over their proxy, leading to the complete draining of their assets.
Vow Token Exploit
Funds Lost: $1,200,000
Date: 13.08.2024
Quick Summary: On August 13, 2024, the Vow project suffered an exploit where a vulnerability in token conversion resulted in the loss of $1.2 million.
Exploit Details: A smart contract bug allowed the attacker to create valueless tokens, which they converted into real assets by manipulating the burn rate, resulting in significant losses.
Nexera Access Control
Funds Lost: $449,000
Date: 07.08.2024
Quick Summary: On August 7, 2024, the Nexera platform experienced a major exploit where unauthorized access led to the theft of $449,000 in NXRA tokens.
Exploit Details: The attacker exploited security credentials to gain control of the Nexera Fundrs’ smart contracts and transfer millions of NXRA tokens to an external address.
Ronin Bridge Hack
Funds Lost: $12,000,000
Date: 06.08.2024
Quick Summary: The Ronin Network's bridge was hacked on August 6, 2024, with losses totaling $12 million in ETH and USDC due to a contract vulnerability.
Exploit Details: The attackers exploited an uninitialized variable in the updated bridge contract to execute unauthorized withdrawals. A failure in security protocols enabled the attacker to gain access to critical funds.
Convergence Finance Exploit
Funds Lost: $210,000
Date: 01.08.2024
Quick Summary: On August 1, 2024, Convergence Finance faced an exploit in their liquidity pools, leading to the loss of $210,000 worth of assets.
Exploit Details: A vulnerability in the reward distribution contract allowed the attacker to claim excessive rewards, which they then swapped for assets, draining liquidity pools.
Terra Blockchain Exploit
Funds Lost: $6,500,000
Date: 31.07.2024
Quick Summary: Terra Blockchain suffered an exploit on July 31, 2024, leading to a $6.5 million loss in assets due to an oracle manipulation attack.
Exploit Details: The exploit targeted price feeds from the oracle contract, manipulating the price of TerraUSD to allow for massive liquidations across the ecosystem.
Karastar Access Exploit
Funds Lost: $69,000
Date: 26.07.2024
Quick Summary: Karastar, a GameFi project, suffered an attack on July 26, 2024, resulting in the theft of $69,000. The hacker exploited a backdoor function in the contract to steal tokens.
Exploit Details: The attacker upgraded several contract implementations to bypass access controls and used the transfer(address token, address fromUser, uint256 value) function to siphon tokens from the platform.
WazirX: India K Exploit
Funds Lost: $230,000,000
Date: 18.07.2024
Quick Summary: WazirX, a prominent Indian crypto exchange, was compromised on July 18, 2024, losing approximately $230 million in Ethereum-based assets.
Exploit Details: Attackers infiltrated the exchange’s multi-signature wallet system by compromising multiple signer accounts. They were able to swap signers' Externally Owned Accounts (EOAs) and replace the multisig implementation.
ETHTrustFund Rugpull
Funds Lost: $2,200,000
Date: 16.07.2024
Quick Summary: The crypto project ETHTrustFund, once regarded as promising, was revealed as a scam on July 16, 2024, when the developer moved $2.2 million in funds from the treasury to a private wallet, initiating a rug pull.
Exploit Details: The developer, known only as "Peng," drained the treasury by moving all the assets to a new address. The ETHTrustFund project was a fork of the $OHM project, which had leveraged hype and built a community, only to collapse under the exit scam.
NEVER Token Rugpull
Funds Lost: $240,000
Date: 16.07.2024
Quick Summary: The NEVER token project, operating on the Binance Smart Chain, was exit scammed on July 16, 2024, resulting in a $240,000 loss for investors.
Exploit Details: A backdoor within the smart contract allowed insiders to dump tokens on PancakeSwap without holding them in their wallet, leading to the drain of project funds.
LI.FI Exploit
Funds Lost: $8,000,000
Date: 16.07.2024
Quick Summary: On July 16, 2024, LI.FI, a cross-chain DeFi protocol, was exploited, resulting in an $8 million loss due to a vulnerability in its GasZipFacet.sol contract.
Exploit Details: A bug in the depositToGasZipERC20 function allowed an attacker to execute arbitrary code and perform unauthorized transfers from the protocol, using carefully crafted calldata to exploit the protocol's swap mechanism.
Minterest Exploit
Funds Lost: $1,460,000
Date: 15.07.2024
Quick Summary: Minterest fell victim to an exploit on July 15, 2024, with the loss of $1.46 million in cryptocurrency, primarily ETH, due to a flash loan attack on the Mantle Network.
Exploit Details: The attacker used a reentrancy vulnerability in Minterest's flashloan contract, manipulating the market's cash balances to borrow mETH tokens, which they then exchanged for ETH.
Dough Finance Flash Loan Attack
Funds Lost: $1,800,000
Date: 12.07.2024
Quick Summary: Dough Finance, a DeFi protocol, was exploited on July 12, 2024, in a flash loan attack, resulting in the loss of $1.8 million in assets, primarily in USDC.
Exploit Details: The attacker exploited a vulnerability in the ConnectorDeleverageParaswap contract, using a flash loan to drain liquidity and swap assets for ETH, which was later mixed via Tornado Cash.
Smart Bank Token Flash Loan Exploit
Funds Lost: $56,000
Date: 11.07.2024
Quick Summary: Smart Bank Token, operating on the Binance Smart Chain, was exploited on July 11, 2024, in a flash loan attack that resulted in $56,000 in losses.
Exploit Details: The attacker utilized a flash loan from PancakeV3Pool to manipulate the vulnerable Smart Bank Token contract, creating an opportunity to profit by draining liquidity from the protocol.
CoinStats Phishing Exploit
Funds Lost: $2,000,000
Date: 22.06.2024
Quick Summary: CoinStats, a popular cryptocurrency portfolio tracker, was hacked on June 22, 2024. Users lost approximately $2 million due to phishing attacks that targeted wallets created within CoinStats.
Exploit Details: Hackers sent phishing messages to CoinStats users, tricking them into providing access to their wallets. The stolen funds were linked to North Korea’s Lazarus Group.
Sportsbet.io Exploit
Funds Lost: $3,500,000
Date: 21.06.2024
Quick Summary: On June 21, 2024, Sportsbet.io, a popular online crypto sports betting platform, was hacked, resulting in a $3.5 million loss. The hack was likely linked to a larger attack that previously affected BtcTurk.
Exploit Details: The hacker targeted Sportsbet.io's wallets, stealing USDT and TRX. Crypto investigators believe this attack is part of a larger series of breaches by the same malicious actor.
Farcana Exploit
Funds Lost: $440,000
Date: 19.06.2024
Quick Summary: On June 19, 2024, the Farcana GameFi project was exploited, with an attacker stealing approximately $440,000 due to a leaked private key.
Exploit Details: The attacker gained access to one of Farcana’s treasuries by compromising an externally owned account (EOA) and transferred assets to an external wallet, later mixing the funds via Tornado Cash.
Pendle Phishing Exploit
Funds Lost: $1,400,000
Date: 19.06.2024
Quick Summary: On June 19, 2024, a Pendle protocol user fell victim to a phishing attack and lost $1.4 million in Ethereum.
Exploit Details: The attacker tricked the user into signing a malicious transaction, which gave them access to the user’s wallet and enabled them to transfer funds to their own address.
Holograph Exploit
Funds Lost: $14,400,000
Date: 13.06.2024
Quick Summary: In June 2024, Holograph, an NFT protocol, experienced a $14.4 million exploit after a former developer used a vulnerability in the smart contract to mint 1 billion HLG tokens.
Exploit Details: The hacker took advantage of their previously assigned permission to mint tokens, creating a massive supply of HLG, which led to a token crash. The tokens were later transferred to Ethereum and sold.
YYS Token Exploit
Funds Lost: $29,000
Date: 08.06.2024
Quick Summary: YYS token on the Binance Smart Chain was exploited on June 8, 2024, in a flash loan attack, leading to a loss of $29,000.
Exploit Details: The attacker borrowed USDT from PancakeSwap’s V3 pool and used it to manipulate the YYS token contract's sell function, extracting liquidity from the protocol.