zkLend thief gets robbed

The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% "bounty" for the return of the funds, but received no reply — that is, until now.

On March 31, the attacker sent an on-chain message to the platform, writing: "Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry."

The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.

There has been substantial debate over whether the hacker had truly been scammed in turn out of the stolen funds, had fabricated a phishing site to obscure the path of the stolen money, or whether the whole event was an April Fools' joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.

Abracadabra loses $13 million in "Magic Internet Money"

An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.

This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.

1inch loses $5 million to smart contract bug

An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.

Founder of the Mask Network loses more than $4 million to a wallet hack

Suji Yan, the founder of the Mask Network, suffered the loss of more than $4 million in various cryptocurrency assets to an apparent wallet hack. According to Yan, the theft happened on his birthday while he was at a party. "[E]ither the private key was leaked same day as my birthday and hacker manual[ly transferred assets] out or it might be an offline attack. I was in a private gathering with dozen friends and my phone was away for some minutes when I using the restroom etc."

Almost $50 million stolen from Infini "stablecoin neobank"

Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused "stablecoin neobank", a fintech company that promises "financial freedom" by "democratizing banking" and "redefining the future of digital finance".

Infini experienced a different form of "financial freedom" when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.

The attack came only a day after a celebratory tweet in which the company announced that it had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, the company has claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: "We've got solid runway to operate. No worries."

Infini attempted to contact the thief via on-chain message, threatening that they had "gathered critical IP and device information" about them, and asking them to return 80% of the funds in exchange for a promise that Infini "will cease further tracking or analysis, and you will not face accountability". However, Infini's 48-hour deadline has come and gone without any reply.

$1.5 billion taken from Bybit crypto exchange

In what looks like the largest theft ever from a cryptocurrency exchange, attackers took control of a hot wallet belonging to the Bybit cryptocurrency exchange and moved a massive amount of ETH-based tokens amounting to approximately $1.5 billion in notional value (though it should be noted that such a quantity of stolen tokens could not be quickly cashed out for that many dollars without affecting the ETH price).

Bybit CEO Ben Zhou confirmed the attack on Twitter, writing that an attacker used an advanced phishing technique to take control of the hot wallet. Zhou also promised "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."

Around 9,000 wallets used with Cardex fantasy trading card game compromised

Around $400,000 in ETH was stolen from around 9,000 wallets on the Abstract layer-2 network, which is built by the same company that makes the Pudgy Penguins NFTs. It appears that the affected wallets had all been used to play Cardex, a fantasy trading card game that had launched only a week prior.

Attackers compromised a private key belonging to the game's creators, which allowed them to drain wallets that still had an active session with the game.

"On-chain Microstrategy" clone Ether Strategy loses over $500,000 of ETH

An Ethereum-based project promising to duplicate the leveraged bitcoin investment strategy used by MicroStrategy has announced that, prior to even launching, 165 ETH (~$535,850) was lost when a misconfiguration in the project interface resulted in tokens being sent to the wrong address. The project appears to have determined that those tokens are irrecoverably lost, because it announced that it had contributed 165 ETH of its own to reimburse users for the costly mistake.

The Idols NFT loses $324,000 to exploit

Image: Idol #1295, an illustration of a young-looking human wearing silver armor and a blue toga, with a silver tiara, long brown hair, and blue markings on their face.
An attacker noticed a vulnerability in a smart contract for The Idols, an NFT project that also incorporates ETH staking functionality. They discovered that a function used to distribute rewards had a bug when the sender and recipient addresses were the same, allowing a holder to repeatedly claim rewards. By taking advantage of this bug, they were able to siphon 97 stETH (~$324,000) from the project.

Although The Idols boasts of two audits from several years ago, the contract containing the vulnerability may not have been audited.

Sony accused of "rugging" after freezing IP-infringing memecoins on their Soneium blockchain

[person 1]
yeah the two meme tokens that everyone was excited about seem to be blacklisted now

[person 2]
0xea4E0CfF21Ea0a1650B658AAf5142720195245bB   Is this what the team members do?

[person 3]
aibo now forbidden on explorer...

[person 4]
I just wanted a cute robot dog koin?

[person 5]
Why are you honeypotting coins lol

[person 1]
this is very bad vibes

[person 2]
A disastrous beginning

[person 1]
obviously not end-of-the-world but people bridged to Soneium to ape new memecoins and seeing themselves get locked out and rugged in real time

Chats from the Soneium Discord
Only hours after Sony launched its "Soneium" layer-2 Ethereum blockchain, the company was accused of "rugging" people who had purchased various memecoins launched on Soneium when it began prohibiting their trading. The two tokens, now listed as "forbidden" for trading, were based on Sony products. One, "Aibo", was themed around a series of robotic dog toys. The other, "Toro", was based on Sony's unofficial Toro Inoue mascot.

Sony's crackdown on these tokens perhaps should not have come as a huge surprise, given that the announcement of Soneium's launch touted "protecting content rights and creating fair profit-sharing mechanisms" among its goals.

Nevertheless, members of the Soneium Discord widely accused Sony of "rugging" or "honeypotting" them by prohibiting trading on the memecoins they had purchased.
