Cork had been audited in whole or in part by four different security firms. The project's funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz's Crypto Startup Accelerator.
Cork Protocol exploited for $12 million
Cork Protocol, a defi project aimed at "tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens", suffered a $12 million loss after an attacker exploited a bug in how the project's smart contract calculated exchange rates. The attacker stole around 3,762 wrapped staked ETH (wstETH), which they exchanged for ETH. The project announced that they were investigating the theft and had paused markets.
Term Finance loses $1.65 million due to misconfiguration, recovers $1 million
The Ethereum-based lending project Term Finance lost $1.6 million when an oracle misconfiguration resulted in unintended liquidations. The team later announced that they had "successfully negotiated [the] return" of 333 ETH (~$600,000) that had been lost, and that another roughly 223 ETH (~$400,000) had been "captured internally", leaving the final loss at around 362 ETH (~$650,000).
$5 million in tokens stolen from ZKsync
An attacker compromised an admin account belonging to the ZKsync Ethereum layer-2 project, which is built by Matter Labs. By doing so, they were able to steal approximately $5 million worth of the ZK token, which the project said were "the remaining unclaimed tokens from the ZKsync airdrop".
ZK Sync offered a 10% "bug bounty" to the thief, who accepted and returned 90% of the stolen funds.
KiloEx exploited for $7.5 million
KiloEx, a decentralized perpetual futures exchange, was exploited for $7.5 million. An attacker executed an oracle manipulation attack on KiloEx's pricing smart contracts to steal funds across the Base Ethereum layer-2 chain, BNB Chain, and Taiko.
KiloEx halted trading on the platform while investigating the exploit, and contacted the hacker to try to negotiate a 90% return of funds.
KiloEx later announced that the recovery had been successful, and that they would pay out the 10% "bounty".
zkLend thief gets robbed
The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% "bounty" for the return of the funds, but received no reply — that is, until now.
On March 31, the attacker sent an on-chain message to the platform, writing: "Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry."
The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.
There has been substantial conversation over whether the hacker had truly been in turn scammed out of the stolen funds, had made up a fake phishing site to try to obscure the path of stolen money, or perhaps whether the whole event had been an April Fools' joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.
- On-chain messages between zkLend and thief
- Tweet by zkLend [archive]
Abracadabra loses $13 million in "Magic Internet Money"
An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.
1inch loses $5 million to smart contract bug
An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.
Founder of the Mask Network loses more than $4 million to a wallet hack
Suji Yan, the founder of the Mask Network, suffered the loss of more than $4 million in various cryptocurrency assets to an apparent wallet hack. According to Yan, the theft happened on his birthday while he was at a party. "[E]ither the private key was leaked same day as my birthday and hacker manual[ly transferred assets] out or it might be an offline attack. I was in a private gathering with dozen friends and my phone was away for some minutes when I using the restroom etc."
Almost $50 million stolen from Infini "stablecoin neobank"
Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused "stablecoin neobank", a fintech company that promises "financial freedom" by "democratizing banking" and "redefining the future of digital finance".
Infini experienced a different form of "financial freedom" when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.
The attack came only a day after a celebratory tweet from the company in which it had announced that they had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, they have claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: "We've got solid runway to operate. No worries."
Infini attempted to contact the thief via on-chain message, threatening that they had "gathered critical IP and device information" about them, and asking them to return 80% of the funds in exchange for a promise that Infini "will cease further tracking or analysis, and you will not face accountability". However, Infini's 48-hour deadline has come and gone without any reply.
- "0xInfini Incident Analysis", CertiK
- Tweet by Infini [archive]
- Messages from Infini to the exploiter
$1.5 billion taken from Bybit crypto exchange
In what is looking like largest ever theft from a cryptocurrency exchange, attackers took control of a hot wallet belonging to the Bybit cryptocurrency exchange and moved a massive amount of ETH-based tokens amounting to approximately $1.5 billion in notional value (though it should be noted that that quantity of stolen tokens could not be quickly cashed out for that many dollars without affecting the ETH price).
Bybit CEO Ben Zhou confirmed the attack on Twitter, writing that an attacker used an advanced phishing technique to take control of the hot wallet. Zhou also promised "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."