This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.
Abracadabra loses $13 million in "Magic Internet Money"
An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
Polter Finance exploited for $12 million
The Fantom-based Polter Finance defi project was exploited for $7 million when an attacker was able to perform an oracle manipulation attack. By artificially increasing the price of the $BOO token, which is a governance token used by the SpookySwap project, they were then able to use that token to drain Polter's liquidity pools using a flash loan. The attacker successfully drained the entire $12 million worth of tokens on the platform.
The creator of the platform stated that they had filed a police report with Singaporean authorities. They also attempted to contact the hacker via on-chain message to negotiate the return of funds, but have not received a response.
Hacker steals $1.45 million from CUT token liquidity pool
An attacker exploited a bug in the smart contract for a BSC-based token called CUT, draining a PancakeSwap liquidity pool of almost $1.45 million in the BSC-USD stablecoin.
Minterest hacked for $1.4 million
An attacker stole $1.4 million from the defi lending project Minterest. Using a flash loan attack, they manipulated the exchange rate calculated by the project, allowing them to withdraw more tokens than they originally loaned.
Minterest paused the supply and borrow portions of their protocol after the attack, and attempted to contact the attacker to negotiate a return of some of the funds.
Dough Finance hacked for $1.9 million
Defi platform Dough Finance was hacked for 608 ETH ($1.8 million) by a hacker using a flash loan attack funded through the Railgun privacy service.
Dough Finance sent an on-chain message to the attacker, asking them to return the "misappropriated funds", threatening that they would "pursue all criminal, legal, and administrative avenues available" in the event that the attacker did not do so.
UwU Lend suffers almost $20 million hack
The defi lending protocol UwU Lend was hacked for around $20 million. After various blockchain security firms observed suspicious outflows of funds, the protocol acknowledged there had been a "situation" on their Twitter account, and wrote that they had paused the protocol while they were investigating.
UwU Lend was founded by Michael Patryn, aka Omar Dhanani, aka "0xSifu" — a co-founder of the ill-fated QuadrigaCX exchange and ex-con. He also pseudonymously ran the defi cryptocurrency project Wonderland until his identity was revealed after the protocol suffered a meltdown.
Velocore decentralized exchange exploited for $6.8 million, Linea blockchain halts in response
The Velocore DEX, built on the Linea Ethereum layer-2 blockchain, was exploited for around $6.8 million in ETH. The hacker was able to take advantage of a bug in the project's smart contract in the logic to calculate swap fees. Using a flash loan attack funded through Tornado Cash, the attacker drained most of the tokens from the pool, bridged the tokens back to the Ethereum mainnet, and then tumbled the stolen funds back through Tornado.
In an unusual move, the operators of the Linea layer-2 blockchain chose to unilaterally halt the chain in order to stop the outflow of stolen assets. Because Linea — like many layer-2 chains — is highly centralized, it was possible for the Linea team to unilaterally stop the production of blocks.
This was very controversial, as a single operator being able to unilaterally control the operation of a blockchain goes against much of the cryptocurrency ethos. Following their action, they tried to explain that "Linea's goal is to decentralize our network - including the sequencer. When our network matures to a decentralized, censorship-resistant environment, Linea's team will no longer have the ability to halt block production and censor addresses - this is a primary goal of our network".
"Normie" memecoin plummets 99% after exploit
An attacker perpetrated a flash loan attack on the "Normie" memecoin on the Base layer-2 blockchain to drain millions of NORMIE tokens. The vulnerability was evidently discovered in March, but never patched.
Although the token claimed to have a market cap of $42 million, the attacker was only able to cash out around 224 wETH (~$882,000). However, the losses to some holders of the token were much more substantial. One individual had put around $1.16 million into $NORMIE, and those holdings are now priced at around $150.
The attacker has been negotiating the possible return of funds to the project team, who has expressed interest in relaunching the token.
Hedgey Finance hacked for almost $45 million
Hedgey Finance, a platform used to manage token claims, lockups, and vesting, was hit with a flash loan attack that drained $44.7 million of customer funds from the platform.
The majority of assets were stolen from Hedgey on the Arbitrum layer-2 network, although around $2.1 million of them were stolen from the version deployed on the Ethereum mainnet.
Hedgey Finance confirmed the exploit, and sent an optimistic and congratulatory message on-chain: "Well done for finding it! We're assuming you executed this exploit as a white hat, so we'd like to get in touch with you to discuss next steps." No on-chain response thus far.
- Tweet by Hedgey Finance [archive]
- Hedgey Finance, Rekt [archive]
- On-chain message from Hedgey Finance to the thief
WOOFi hacked for $8.75 million
An attacker was able to use a flash loan attack to manipulate an oracle on the WooFi DEX implementation on the Arbitrum network. By manipulating the price of $WOO, they were able to steal around $8.5 million.
Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".
- Woofi, Rekt [archive]
- "WOOFi sPMM exploit post-mortem", WOOFi [archive]