DeFi and Cryptocurrency Hacks

NovaMind was identified as an exit scam in which funds worth 41 ETH, amounting to roughly $123,000, were misappropriated. The address linked with this transaction transferred these assets to a multisignature wallet, which is likely used for the project presale address. The social media account of the associated project has already been deleted, and the price of its underlying token fell by over 97 percent.

Pike Finance was exploited across the Ethereum Mainnet, Optimism, and Arbitrum chains, which collectively resulted in a loss of assets worth approximately $1.65 million. The root cause of the exploit is a misalignment in the storage layout of upgradeable smart contracts due to the introduction of a new dependency. This misalignment resulted in situations that allowed the attacker to bypass owner permissions. The attack transaction on the Ethereum Mainnet resulted in a loss of 479.39 ETH, which was worth approximately $1,443,114. On the Optimism chain, the attack resulted in a loss of 64,126 OP, which were worth approximately $150,458, while on the Arbitrum chain, the attack resulted in a loss of 99,970 ARB tokens, which were worth approximately $102,269.

Yield, a discontinued DeFi protocol, was exploited on the Arbitrum chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $181,000. The attacker exploited a discrepancy between the pool token balance and total supply with flash-loaned assets, and then withdrew extra pool tokens to complete the attack.

FENGSHOU, or the NGFS token, was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $191,000. The root cause of the exploit is a faulty smart contract implementation caused by a lack of regulated access control.

Magpie, the decentralized liquidity aggregation protocol, was exploited due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $129,000. The incident targeted approximately 221 wallet users. The root cause of the exploit is a lack of input validation in the call data parameter.

Pike Finance was exploited across multiple chains due to a smart contract vulnerability, which resulted in a loss of assets worth approximately 299,127 USDC. The root cause of the exploit is a forged CCTP message to drain the assets on the Ethereum, Arbitrum, and Optimism networks. 

XBridge was exploited on the Ethereum Mainnet and the BNB chain due to a smart contract vulnerability, which collectively resulted in a loss of assets worth approximately $1.44 million. The root cause of the exploit is a faulty smart contract implementation caused by a lack of regulated access control.

Yiedl was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of 260 BNB, worth approximately $160,000. The root cause of the exploit is due to insufficient parameter validation.

ZKasino, the betting platform, was identified as a rug pull, in which the team misappropriated approximately $33 million worth of users and investors' funds. More than 10,515 ETH were bridged by over 10,000 participants to ZKasino's network, hoping to score extra ZKAS alongside the possibility to withdraw their initially staked ETH on a 1:1 ratio when the protocol launched. However, the funds were automatically vested into ZKAS tokens in order to provide a seamless transition and superior user experience. The Telegram channel of the project has since been closed, and their social moderators have been banning their Discord community members after raising their concerns.

Hedgey Finance was exploited across a series of transactions, which resulted in a loss of $2.1 million on the Ethereum Mainnet and $42.6 million worth of assets on the Arbitrum network, totaling approximately $44.7 million. The root cause of the exploit is the lack of input validation on users' parameters, which allowed the attacker to manipulate and gain unauthorized token approvals.

The GFA token was exploited on the BNB chain, which resulted in a loss of assets worth approximately $15,000. The root cause of the exploit is a lack of access control. The vulnerable contracts had functions for calculating rewards, for which anyone could invoke a call to them. The hacker was able to manually calculate and generate the rewards and drain the tokens. The exploiter has already laundered the stolen assets into Tornado Cash.

Grand Base was exploited on the Base chain, which resulted in a loss of 808.57 ETH worth of assets, amounting to approximately $2.5 million. The root cause of the exploit is the compromise of the private keys of their deployer wallet.

Leaper Finance was identified as a scam in which funds worth approximately $1 million had already been taken away. The fraudulent group, infamous for previous exploits with Magnate Finance, Kokomo, Lendora, Solfire, and others, resurfaced with Leaper Finance on Blast. By leveraging the laundered funds from prior exploits, they artfully baited users with enticing liquidity, only to abscond with all the deposited funds. The scam also extended to Zebra Lending on the Base chain, which was live with approximately $311,000 worth of their TVL. Likewise, the same group of scammers were also reportedly behind the Glori Finance project on Arbitrum, which boasted $1.4 million worth of TVL. Following the community alert by ZachXBT, the X (formerly Twitter) accounts of both Leaper Finance and Gorli Finance were deactivated. All three websites for the associated projects have been taken down. 

Leaper Finance was identified as a scam in which funds worth approximately $1 million had already been taken away. The fraudulent group, infamous for previous exploits with Magnate Finance, Kokomo, Lendora, Solfire, and others, resurfaced with Leaper Finance on Blast. By leveraging the laundered funds from prior exploits, they artfully baited users with enticing liquidity, only to abscond with all the deposited funds. The scam also extended to Zebra Lending on the Base chain, which was live with approximately $311,000 worth of their TVL. Likewise, the same group of scammers were also reportedly behind the Glori Finance project on Arbitrum, which boasted $1.4 million worth of TVL. Following the community alert by ZachXBT, the X (formerly Twitter) accounts of both Leaper Finance and Gorli Finance were deactivated. All three websites for the associated projects have been taken down. 

Leaper Finance was identified as a scam in which funds worth approximately $1 million had already been taken away. The fraudulent group, infamous for previous exploits with Magnate Finance, Kokomo, Lendora, Solfire, and others, resurfaced with Leaper Finance on Blast. By leveraging the laundered funds from prior exploits, they artfully baited users with enticing liquidity, only to abscond with all the deposited funds. The scam also extended to Zebra Lending on the Base chain, which was live with approximately $311,000 worth of their TVL. Likewise, the same group of scammers were also reportedly behind the Glori Finance project on Arbitrum, which boasted $1.4 million worth of TVL. Following the community alert by ZachXBT, the X (formerly Twitter) accounts of both Leaper Finance and Gorli Finance were deactivated. All three websites for the associated projects have been taken down. 

The Zest Protocol was exploited, and the hacker took away funds worth approximately 324,000 STX from the protocol, amounting to roughly $972,000. The attack took place on the day the protocol was launched to the public, in which an attacker artificially inflated the value of their collateral to borrow an amount exceeding the value of their position. The team stated that their protocol will remain frozen until further notice. User positions will be unaffected until the protocol relaunches. 

Sumer Money was exploited on the Base chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $310,000. The root cause of the exploit is a lack of reentrancy protection, which led to the manipulation of the underlying assets.

xBlast, an omnichain-web3 ecosystem built inside Telegram, took to Twitter to announce that they had been hacked. The root cause of the exploit is unknown at the moment. The exploiter transferred XBL tokens from the main wallet of the project to their wallet and sold them for approximately 22 ETH. The team will deploy a new XBL token and restore liquidity, thereby providing fair compensation for all of the affected users.

The SQUID Game Coin was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $87,000. The root cause of the exploit is a faulty logic design within their swap contract, allowing for arbitrage opportunities.

Fixed Float was the target of an exploit on the Ethereum Mainnet and TRON networks, which resulted in a loss of assets worth approximately $2.8 million. The root cause of the exploit is a vulnerability in one of the third-party services used by them. The stolen funds were withdrawn from their hot wallets and then directed to a suspicious address, which subsequently received various digital assets, including ETH, USDT, WETH, DAI, and USDC. The suspicious address then swapped these assets into ETH via DEX before funneling these funds into the eXch and Binance exchanges. Following the exploit, Tether added multiple different addresses to their blacklist, which supported the rescue of $400,000 worth of USDT involved in this exploit.