Hacker steals $1.45 million from CUT token liquidity pool
An attacker exploited a bug in the smart contract for a BSC-based token called CUT, draining a PancakeSwap liquidity pool of almost $1.45 million in the BSC-USD stablecoin.
Minterest hacked for $1.4 million
An attacker stole $1.4 million from the defi lending project Minterest. Using a flash loan attack, they manipulated the exchange rate calculated by the project, allowing them to withdraw more tokens than they originally loaned.
Minterest paused the supply and borrow portions of their protocol after the attack, and attempted to contact the attacker to negotiate a return of some of the funds.
Dough Finance hacked for $1.9 million
Defi platform Dough Finance was hacked for 608 ETH ($1.8 million) by a hacker using a flash loan attack funded through the Railgun privacy service.
Dough Finance sent an on-chain message to the attacker, asking them to return the "misappropriated funds", threatening that they would "pursue all criminal, legal, and administrative avenues available" in the event that the attacker did not do so.
UwU Lend suffers almost $20 million hack
The defi lending protocol UwU Lend was hacked for around $20 million. After various blockchain security firms observed suspicious outflows of funds, the protocol acknowledged there had been a "situation" on their Twitter account, and wrote that they had paused the protocol while they were investigating.
UwU Lend was founded by Michael Patryn, aka Omar Dhanani, aka "0xSifu" — a co-founder of the ill-fated QuadrigaCX exchange and ex-con. He also pseudonymously ran the defi cryptocurrency project Wonderland until his identity was revealed after the protocol suffered a meltdown.
Velocore decentralized exchange exploited for $6.8 million, Linea blockchain halts in response
The Velocore DEX, built on the Linea Ethereum layer-2 blockchain, was exploited for around $6.8 million in ETH. The hacker was able to take advantage of a bug in the project's smart contract in the logic to calculate swap fees. Using a flash loan attack funded through Tornado Cash, the attacker drained most of the tokens from the pool, bridged the tokens back to the Ethereum mainnet, and then tumbled the stolen funds back through Tornado.
In an unusual move, the operators of the Linea layer-2 blockchain chose to unilaterally halt the chain in order to stop the outflow of stolen assets. Because Linea — like many layer-2 chains — is highly centralized, it was possible for the Linea team to unilaterally stop the production of blocks.
This was very controversial, as a single operator being able to unilaterally control the operation of a blockchain goes against much of the cryptocurrency ethos. Following their action, they tried to explain that "Linea's goal is to decentralize our network - including the sequencer. When our network matures to a decentralized, censorship-resistant environment, Linea's team will no longer have the ability to halt block production and censor addresses - this is a primary goal of our network".
"Normie" memecoin plummets 99% after exploit
An attacker perpetrated a flash loan attack on the "Normie" memecoin on the Base layer-2 blockchain to drain millions of NORMIE tokens. The vulnerability was evidently discovered in March, but never patched.
Although the token claimed to have a market cap of $42 million, the attacker was only able to cash out around 224 wETH (~$882,000). However, the losses to some holders of the token were much more substantial. One individual had put around $1.16 million into $NORMIE, and those holdings are now priced at around $150.
The attacker has been negotiating the possible return of funds to the project team, who has expressed interest in relaunching the token.
Hedgey Finance hacked for almost $45 million
Hedgey Finance, a platform used to manage token claims, lockups, and vesting, was hit with a flash loan attack that drained $44.7 million of customer funds from the platform.
The majority of assets were stolen from Hedgey on the Arbitrum layer-2 network, although around $2.1 million of them were stolen from the version deployed on the Ethereum mainnet.
Hedgey Finance confirmed the exploit, and sent an optimistic and congratulatory message on-chain: "Well done for finding it! We're assuming you executed this exploit as a white hat, so we'd like to get in touch with you to discuss next steps." No on-chain response thus far.
- Tweet by Hedgey Finance [archive]
- Hedgey Finance, Rekt [archive]
- On-chain message from Hedgey Finance to the thief
WOOFi hacked for $8.75 million
An attacker was able to use a flash loan attack to manipulate an oracle on the WooFi DEX implementation on the Arbitrum network. By manipulating the price of $WOO, they were able to steal around $8.5 million.
Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".
- Woofi, Rekt [archive]
- "WOOFi sPMM exploit post-mortem", WOOFi [archive]
Goledo Finance hacked for $1.7 million
Goledo Finance, an Aave-based lending protocol, was exploited through a flash loan attack. The attacker stole assets estimated by CertiK at around $1.7 million.
Goledo Finance contacted the attacker to offer a 10% "bounty" for the return of the remaining assets. In a message on January 29, the attacker wrote: "I hacked Goledo and want to negotiate".
- Tweet by CertiK [archive]
- On-chain message from the attacker [archive]
Platypus Finance hacked for a third time this year
At this point, they should probably just have a form email ready to go. Platypus Finance has suffered a cumulative $2.23 million in losses thanks to several attacks on the platform over the course of several hours. This set of hacks followed a $8.5 million hack in February, and another hack of at least $150,000 in July.
Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.