The attacker used a flash loan to artificially deflate prices of stablecoins Tether and USDC on Harvest—and then snatch the tokens up at bargain-basement prices from liquidity pools. Attack essentially was. Harvest referred to it as “theft” within its attack post-mortem as the asset values had been manipulated. Source
According to Chainalysis’ report, investigators have managed to track the whereabouts of the stolen funds, with an estimated 1,008 BTC being held in two separate addresses. Apart from Bitcoin, the hackers have stolen various other crypto assets, including:
- 11,543 ETH ($4,030,957.90)
- 19,834,042 USDT-ETH ($19,834,042.14)
- 18,495,798 XRP ($4,254,547.54)
- 26,733 LTC ($1,238,539.89)
- 999,160 USDT ($999,160)
- $147 million worth of ERC-20 tokens
- $87 million of Stellar tokens
Yfdex.Finance (Yfdex), a new liquidity mining pool, has reportedly exit scammed, making off with up to $20 million of investors’ funds. The decentralized finance (DeFi) project convinced people to hand over their life savings following just two days of aggressive marketing on social media, and then disappeared without a trace. Source
A report published by Aleksey Studnev of blockchain forensics firm Bitquery on August 5 has revealed the extent of the incident, with Bitquery estimating that the attacker made off with 807,260 ETC. Source: https://blog.bitquery.io/attacker-stole-807k-etc-in-ethereum-classic-51-attack
Attackers have exploited a vulnerability in the Opyn ETH Put contract. One of the first members of Crypto Twitter to report on the theft, DegenSpartan, stated on Aug. 4 that the traders used flash loans to buy Ethereum Put oTokens (oETH) from Uniswap. They then reportedly chose an ERC20 token — in this case, USD Coin (USDC) — as collateral and exercised the trading option. The result was reportedly a double transfer which effectively “stole” the collateral. According to blockchain records, the attackers received both their original Ethereum (ETH) deposits and USDC options. Source https://twitter.com/DegenSpartan/status/1290699622013231104
DeFi platform Balancer was attacked a second time. The hacker claimed about $2,300 worth of Compound tokens (COMP).
The attack involved flash loans from both dYdX and Uniswap. The hacker borrowed more than $33 million, which was used to generate cTokens representing ownership in a Compound pool. Source
Two multi-token pools on DeFi platform Balancer were drained of ~$450,000 on June 29. The attacker conducted the attack in two separate flash loan transactions, draining one liquidity pool until it was close to zero and then using that pool to attack another pool and drain its ETH cheaply. The attacker drained 601.3 ETH, 11.36 WBTC, 22,593 LINK, and 60,915 SNX. The loss is estimated at around $450,000 at the time of the attack. Source
Per reports from KBS and Joongang Ilbo, the ring made use of multi-level marketing (MLM) or pyramid tactics, and police believe some 1,500 people may have handed over cryptoassets to operators that they say they can no longer access. Source KBS and Joongang Ilbo
The money was drained on 19 April 2020 from the contracts of Lendf.Me, a lending protocol that’s part of dForce, a collection of DeFi protocols. The money was taken due to a known reentrancy bug in ERC777.
The Lendf.Me attacker was 0xa9bf70a420d364e923c74448d9d817d3f2a77822
An in-depth analysis can be read here: https://medium.com/@slowmist/slowmist-details-of-lendf-me-reentrancy-attack-3e168ab5f2b1
The hackers got away with $25 million and even sent some money back ($126,014) with a cheeky message: “Better luck next time”.
- MakerDAO liquidations on March 12 and 13 resulted in protocol losses of 5.67 million DAI
- This happened because liquidation auctions could be won with zero bids, which accounted for 36% of all liquidations
- The largest Vault lost ~35,000 ETH, whereas the most successful liquidator made a profit of 30,000 ETH
- $8.32 million was withdrawn through zero-bid auctions in total