Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.
Aperture Finance users lose at least $3.4 million
An attacker exploited a bug in an Aperture Finance smart contract to steal at least $3.4 million from users who had enabled "instant liquidity management" features. Aperture Finance is a defi platform that aims to allow users to trade by telling large language models their "intents".
$13.43 million stolen from Matcha Meta users in SwapNet exploit
Some users of Matcha Meta, a decentralized exchange aggregator on the Base blockchain, suffered losses after a thief exploited a vulnerability in its SwapNet integration. SwapNet is another DEX aggregator that integrates with Matcha Meta, and Matcha blamed a vulnerability in their smart contracts that enabled a thief to steal assets transferred via the integration.
Most of the lost funds came from a single user, who lost $13.34 million in assets. Other users lost a combined $90,000.
- "SwapNet Incident Post Mortem", Matcha Meta
Saga halts blockchain after $7 million theft
The Saga project halted its blockchain after acknowledging that $7 million had been stolen. An attacker was evidently able to mint a large quantity of Saga Dollar tokens, though it's not yet clear whether it was because of a smart contract vulnerability, private key compromise, or some other issue. The attacker was quick to swap most of the assets to ETH to thwart asset freezes or blockchain halts.
The Saga Dollar token lost its peg and fell to around $0.75 after the attack.
Truebit exploited for over $26 million
A bug in a smart contract belonging to the Ethereum-based Truebit project allowed an attacker to steal 8,535 ETH (~$26.4 million). The thief targeted one of the project's older contracts — deployed in 2021 — which contained a bug in which the price calculation to mint sufficiently large quantities of the protocol's TRU token would overflow, erroneously allowing people to mint large amounts of TRU for next to nothing. The exploiter took advantage of this by minting TRU and swapping it for ETH, ultimately causing the TRU token price to crash 99.9%. Another subsequent attack saw around $300,000 more drained from the project.
Truebit acknowledged the hack and urged users not to interact with the vulnerable smart contract.
Yearn Finance suffers fourth exploit only weeks after third
Only weeks after losing $6.6 million to an infinite mint exploit, a Yearn Finance smart contract has again been exploited, allowing an attacker to make off with around 103 ETH (~$300,000). The affected contract is a legacy contract that was part of the Yearn v1 project (once known as iearn). The attacker used a flash loan to manipulate the price of tokens in the vault, allowing them to withdraw the iearn assets, which they then swapped for ETH.
This is Yearn's fourth hack, following the $6.6 million theft in November, an $11 million exploit in 2023, and an $11 million exploit in 2021. Yearn also lost around $1.4 million in 2023 in connection to the Euler Finance attack.
Ribbon Finance suffers $2.7 million exploit, plans to use "dormant" users' funds to repay active users
Ribbon Finance, which has partially rebranded to Aevo, has lost $2.7 million after attackers exploited a vulnerability in the smart contract for legacy Ribbon vaults that enabled them to manipulate oracle prices and withdraw a large amount of ETH and USDC.
Ribbon has announced it will cover $400,000 of the lost funds with its own assets. However, Ribbon is also offering users a lower-than-expected haircut on their assets by assuming that some of the largest affected accounts will not withdraw their assets, having been dormant for several years. While this plan may benefit active users, it seems like it could get very messy if those dormant users do wish to withdraw their assets and discover they've been used to pay others.
Prysm consensus client bug causes Ethereum validators to lose over $1 million
Ethereum validators running the Prysm consensus client lost around 382 ETH ($1.18 million) after a bug resulted in delays that caused validators to miss blocks and attestations. Though the bug had been introduced around a month prior, it did not affect validators until Ethereum completed its "Fusaka" network update on December 3. Around 19% of Ethereum validators use the Prysm consensus client, which is developed by Offchain Labs.
- "Fusaka Mainnet Prysm Incident", Prysm
- Client Distribution, Clientdiversity.org
Yearn Finance hacked for the third time
Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project's smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.
$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team's wallet — essentially, removing the tokens from the hacker's wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.
This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.
Aerodrome and Velodrome suffer website takeovers, again
Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites' domains. The platforms urged users not to visit the websites as they worked to regain control.
This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.
Elixir shuts down deUSD after Stream Finance halt
After the defi yield platform Stream Finance announced a $93 million loss, Elixir announced it would be discontinuing its deUSD synthetic stablecoin. Stream Finance owes $68 million to Elixir, and holds around $75 million deUSD.
Elixir has announced that they plan to allow deUSD holders to redeem their tokens for USDC through a process that will also eliminate the risk of Stream Finance cashing out their deUSD without repaying their loan. According to Elixir, "Stream comprised of 99%+ of the lending positions (and has decided to not repay or close positions)".