6
Watch
29
Star
2
Fork
0
Issue

6
TheSquanch-147
TheSquanch-147
pushedAt 1 month ago

TheSquanch-147/Rugpulls-Hacks-Exploits-List

Rugpulls, hacks, exploits, etc...

Objective

The goal of this document is to serve as an up-to-date register of every rugpull, hack, exploit, etc... taking place on Ethereum & its sidechains to help users make more informed decisions when eyeing up prospective investments. Not all entries will necessarily be DeFi projects, and I'd like to focus on services rather than arbitrary tokens created purely for pumping & dumping. With this initial release I've only included events from 2021 and onward, but in the future I plan to add older events too.

If you have any questions for me or know of any (new or old) entries that you think I may have missed, please reach out with the contact information below, or submit a pull request.

Sidenote - I recommend watching RugDoc.io's website and following them on Twitter, as they do a great job reviewing projects for rug-potential. Huge shoutout to Rekt, and Watchpug as they've become my go-to for their investigations into these events.

For an up-to-date list of all slashings & rugpulls related to staking pools, see this link: https://github.com/TheSquanch-147/Staking-Pool-Mishaps

In the pipeline

  • Add events occurring pre-2021
  • Additional chart detailing audit protocol(s) of the top 25-50 DeFi projects.
  • Include a metric showing how long a project has been live without exploitation.

Contact Info

Discord: https://discordapp.com/users/0714

Twitter: https://twitter.com/TheSquanch3

GitHub: https://github.com/TheSquanch-147

RUGPULLS, HACKS, EXPLOITS, ETC.....

Service Chain Class Description Date Press Release Recovery Plan
PancakeHunny BSC Exploit $2.3m stolen after an attacker exploited the WBNB/TUSD pool by inflating the price of WBNB against TUSD with a flash loan. Then, TUSD was deposited into the vault to mint Hunny at an irregular rate & sold for a profit 10/20/2021 [Link] [Link]
Indexed Finance ETH Exploit
$16m stolen after an attacker exploited the way that tokens are rebalanced within the indexes by using flash loans which allowed them to throw off the valuation of the pools. Once the valuation was skewed, they were able to deposit relatively small amounts of one of the tokens in the pool, mint an inflated number of the pool tokens, and immediately cash these out.
10/14/2021 [Link] DAO voting on recovery plan Oct 27th
Compound ETH Exploit ~$147m of COMP was accidentally distributed after a vulnerability was discovered in one of their vaults. This vulnerability allowed users borrowing certain assets to claim more COMP than they otherwise should have been able to. Devs asked for money to be returned in a somewhat-threatening way which resulted in a lot of backlash and few returns. 09/30/2021 [Link] TBD
Vee Finance Avalanche Exploit $34m stolen after an attacker was able to manipulate the price of the Pangolin pool which was being used by the oracle as the source of the price feed. Orders are placed, funds swapped into target token in Pangolin, Pangolin pool is then manipulated. Once orders expire or stop-point reached, the loan is returned automatically. 09/21/2021 [Link] [Link]
Jay pegs Automart ETH Exploit Contracted Dev swapped his wallet address into the MISO auction instead of the auction's wallet. Attacker was identified & doxxed, funds returned. 09/16/2021 [Link] [Link]
Dinner The Mercer Rugpull POAPgod.eth & Wolf.eth denied dinner service due to lack of seating availability. Restaurant will never socially, or financially recover from this event. 09/13/2021 N/A N/A
DAO Maker ETH Exploit "DAOMaker’s init() function was left vulnerable, allowing the attacker to reinitialise 4 token contracts with malicious data. Then, the emergencyExit() function was used to withdraw the funds from each." 09/03/2021 [Link] [Link]
Tomb Finance Fantom Opera Exploit $TOMB stablecoin pegged to value of $FTM by way of a "gate keeper" fee system. The Gatekeeper collects fees on $TOMB sales until it reaches its peg with $FTM (up to 20%). Fees collected are then sold by the DAO for $FTM, with the other half provided as liquidity if it's above the peg, or burned if below the peg.

User found a way to avoid this tax (exploit?), and made it publicly available via a website. Tomb team shut down their gatekeeper as a result, causing the stablecoin to lose its peg and the protocol's token price to tank.
09/03/2021 [Link] [Link]
Cream Finance ETH Exploit 17 transactions were issued that utilized an exploit which would allow the attackers (Primary + Copycat) to nest a secondary borrow function inside of the token transfer function before the initial borrow function was updated. This allowed the loan to be paid back while keeping the remainder from the secondary borrow function. 08/31/2021 [Link] [Link]
X-Token BSC Exploit An attacker was able to call a function (that should not be publicly available) due to a vulnerability in X-Token's xSNX code. This has already happened once in the past (May, 2021) and failed to be patched. Devs are planning to compensate their users and shut down their xSNX contract. 08/29/2021 [Link] [Link]
Punk Protocol ETH Exploit Attacker exploited a "crucial flaw in the  investing strategy". A whitehat hacker noticed these transactions with his/her frontrunning bot and managed to recover ~$6m (at time of writing). The whitehat negotiated with Punk & agreed to return ~$5m, taking $1m as their bounty. The hacker was able to keep ~$3m. 08/10/2021 [Link] [Link]
Poly Network Poly, ETH, BSC Exploit Poly had a vulnerability that allowed the attacker to call special contracts by replicating the signature hash (through a bit of trial and error) which would allow them to change the public keys. Read the Rekt writeup (link to the right) for more details. Roughly $611m stolen at time of writing. The attacker has begun returning some of the funds and claims that he will return the rest. 08/10/2021 [Link] [Link]
Wault Finance BSC Exploit 370 ETH drained after a flash loan attack that was able to manipulate the price of WEX, which a portion of the Wault reserves holds 08/04/2021 [Link] [Link]
Popsicle Finance ETH Exploit Attacker modified the information fed to the contract to convince it that their funds were depostied for longer than they really were, entitling them to a greater share of the fees generated. This allowed them to drain 85% of one of Popsicle Finance's UniswapV3 Optimizer pools, worth roughly $20.7m at the time of the attack 08/03/2021 [Link] [Link]
Levyathan BSC Rugpull Devs left a private key with the ability to mint tokens on their public github repo. Tokens were infinitely minted and dumped on the market for ETH. Devs claiming that it "was not an inside job" as the keys were publicly available. 07/30/2021 [Link] N/A
ThorChain Multi Exploit ETH router attacked by exploiting "multiple critical issues". Left note in tx data: "Could have taken ETH, BTC, LYC, BNB, and BEP20s if waited. Wanted to teach lesson minimizing damage. Multiple critical issues. 10% VAR bounty would have prevented this. Disable until audits are complete. Audits are not a nice to have. Do not rush code that controls 9 figures." 07/22/2021 [Link] [Link]
Pancake Bunny Poly Exploit PolyBUNNY minter exploited, producing 2.1M polyBUNNY 07/16/2021 [Link] [Link]
ThorChain Multi Exploit Attacker exploited BiFrost, a middleware that allows for multichain operations, with a custom wrapper contract, stealing 4,000 ETH worth of ERC20 tokens and ETH. 07/15/2021 [Link] [Link]
Bondly BSC Exploit Attacker exploited "infinite mint" bug & dumped 373M tokens 07/15/2021 [Link] [Link]
ApeRocket Poly Exploit Flash loan exploit of code vulnerability 07/14/2021 [Link] [Link]
ApeRocket BSC Exploit Flash loan exploit of code vulnerability 07/14/2021 [Link] [Link]
Chainswap Multi Exploit Attacker exploited a bug in the cross-chain quota code. This quota is ordinarily increased automatically by the signature node, but due to the bug, addresses that were not whitelisted were able to increase the amount. 07/11/2021 [Link] [Link]
Anyswap ETH Exploit An attacker was able to deduce the private key to the MPC account by analyzing two transactions that occurred on the V3 router with matching R value signatures. 07/10/2021 [Link] [Link]
Whalefarm BSC Rugpull Obvious pump & dump scheme (7,217,848% APY promised), Twitter page & Telegram group deleted immediately following event 06/29/2021 N/A N/A
SafeDollar Poly Exploit Attacker exploited a bug in the code that would allow them to drain the balance of PLX nearly to zero which would raise the exchange rate to SDO tremendously. Using this new rate, they were able to mint 831,309,277,244,108,000 SDO and begin dumping them on the market. 06/28/2021 [Link] [Link]
SharedStake ETH Rugpull Dev member withdrew and dumped $500k worth of the org's governance token (SGT), dropping its value by 95% 06/24/2021 [Link] [Link]
Eleven Finance BSC Exploit 100% loss of funds from vaults (~$4.5m USD) due to a fault in the "emergencyBurn()" function. Issue was present since inception. 06/23/2021 [Link] [Link]
StableMagnet BSC Rugpull StableMagnet's SwapUtils library was written with functionality to drain all pairs 06/23/2021 [Link] N/A
Polywhale Poly Soft Rug Soft rug(?) - Dev team claimed they were shutting down due to bad tokenomics & market conditions. Community thinks otherwise due to deleted Telegram chat room & treasury withdrawals to dev wallets leading up to exit 06/21/2021 [Link] N/A
Impossible Finance BSC Exploit Attacker exploited a vulnerability in the LP contract to swap IF into BUSD twice in a row without incurring slippage. 229.84ETH Stolen 06/21/2021 [Link] [Link]
Iron Finance Poly Collapse Bank run on Iron Finance's governance token (TITAN) occurred as their stablecoin (IRON) lost its peg due to arbitrageurs' repeated purchasing & exchanging of the IRON token for USDC & TITAN, before selling off the TITAN for a profit & furthering the off-peg condition 06/17/2021 [Link] [Link]
Alchemix ETH Exploit Users were able to withdraw their collateral from the protocol before completing the repayment of their loan. 06/16/2021 [Link] [Link]
PolyButterfly Poly Rugpull 600 ETH stolen by dev team through the use of a backdoor.
Website, Twitter, and Telegram all shut down
06/05/2021 [Link] N/A
Belt Finance BSC Exploit Flash loan exploit of beltBUSD pool. 6,234,753BUSD lost. Vault users lost 21.36% of funds, pool users lost 5.51% 05/29/2021 [Link] [Link]
BurgerSwap BSC Exploit Due to a missing line of code from the original Uniswap V2 fork, an attacker was able to use a flash loan to exploit the service 05/27/2021 [Link] [Link]
Merlin Labs BSC Exploit Copycat of Pancake Bunny vulnerability 05/19/2021 05/26/2021 N/A N/A
Autoshark BSC Exploit Copycat of Pancake Bunny vulnerability 05/19/2021 05/24/2021 [Link] [Link]
Bogged Finance BSC Exploit Due to a flaw in the staking section of the BOG smart contract, an attacker was able to use a flash loan to inflate the supply of staking rewards 05/22/2021 [Link] [Link]
DeFi100 BSC Rugpull Exit scam 05/22/2021 [Link] N/A
Pancake Bunny BSC Exploit Flash loan exploit of LP ratios of USDT/BNB & BUNNY/BNB 05/19/2021 [Link] [Link]
FinNexus
(now Pheonix Finance)
ETH Hack Admin keys were used (potentially stolen) to mint tokens on BSC & Ethereum and began dumping them. 05/17/2021 [Link] [Link]
bEarn Fi BSC Exploit Exploit allowed an attacker to continuously deposit and withdraw BUSD from bEarn's vault, earning more of the stablecoin with every transaction. 05/16/2021 [Link] [Link]
X-Token ETH Exploit Attacker exploited xBNTa and xSNXa contracts simulatenously & drained their pools immediately. 416ETH stolen. 05/12/2021 [Link] [Link]
Spartan Protocol BSC Exploit Flash loan exploit of a bug in Spartan Protocol's code which utilized current balances instead of cached balances. This allowed LP tokens to be exchanged for more of the constituent tokens than it should have. 05/03/2021 [Link] [Link]
Rari Capital Ethereum Pool ETH Exploit Flash loan exploit of code vulnerability 05/08/2021 [Link] [Link]
Value DeFi ETH Exploit 05/08/2021 [Link] [Link]
Value DeFi ETH Exploit 05/05/2021 [Link] [Link]
Uranium Finance BSC Exploit Attacker (possible inside job) exploited token migration event 04/27/2021 [Link] N/A
EasyFi Poly Hack Attacker gained remote access to the admin's machine and stole private keys to drain the protocol's pools of roughly $6m. 04/19/2021 [Link] [Link]
ForceDAO ETH Exploit Attacker exploited known Solidity issue to mint xFORCE tokens without needing to lock their (nonexistant, in this case) FORCE tokens. 04/04/2021 [Link] [Link]
TurtleDex BSC Rugpull Exit scam.
Website, Telegram, Twitter page deleted
03/20/2021 [Link] N/A
Roll ETH Hack Hot wallet private keys compromised 03/14/2021 [Link] [Link]
DODO ETH Exploit Attacker exploited a bug within DODO's V2 Crowdpool 03/08/2021 [Link] [Link]
PAID Network ETH Hack "The attacker used a compromised private key to the original contract deployer to leverage the upgrade function of the smart contract. The attacker then proceeded to ‘upgrade’ to a new smart contract which had the ability to burn and re-mint tokens." 03/05/2021 [Link] [Link]
Meerkat Finance BSC Rugpull Exit scam.
Website, Twitter page deleted
03/04/2021 [Link] N/A
Alpha Finance ETH Exploit Flash loan exploit of Alpha vulnerability 02/13/2021 [Link] [Link]
Yearn Finance ETH Exploit Using flash loans, the attacker was able to debalance the exchange rate in Curve's 3CRV pool, deposit into the pool with the yDAI vault, correct the imbalance, and profit the difference. 02/04/2021 [Link] N/A
ucloud ads