The attack was a "classic price manipulation" exploit, according to the Ironblocks security firm. The attacker was able to steal 1,152 ETH ($2.13 million) from the protocol. They then tumbled the stolen funds through Tornado Cash.
Zunami Protocol exploited for more than $2.1 million
The Zunami Protocol stablecoin-focused yield farming aggregator was exploited for more than $2.1 million when an attacker was able to perform a price manipulation attack on the project's primary pool. Zunami attracted users by promising "the highest APY on the market": around 14%. The project had been audited by Ackee and HashEx.
Uwerx crypto-based freelancer platform exploited
Uwerx is a nascent project intending to build a blockchain-based freelancer marketplace, because what better concepts to combine than blockchains and the gig economy? Sadly for them, just after completing their token presale, it was hit with a flash loan exploit that enabled an attacker to siphon 176 ETH (~$324,000) from the platform.
The project was audited by SolidProof and InterFi. The project announced that they intended to relaunch the token, and asked the exploiter to consider returning 80% of the funds, keeping 20% as a "bug bounty".
Platypus Finance hacked for the second time
Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.
This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.
Arcadia Finance exploited
Arcadia Finance is a defi margin trading protocol that launched on Ethereum and the Optimism Ethereum layer 2 protocol in March 2023. On July 9, an attacker used a flash loan to drain liquidity pools in the lending portion of the project, resulting in a total loss to the project of around 160 ETH and $163,000 in stablecoins for a total loss of almost $460,000.
The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".
- "Arcadia Finance says exploiter contacted after $450K hack", Protos
- Tweet by PeckShield
- Etherscan transaction with message to the attacker
Themis Protocol hacked shortly after going live
Themis Protocol is a lending platform that has had somewhat of an excruciating rollout, with users waiting ever longer for the platform to finally go live as they endured multiphased airdrops but no usable product. On June 16, the project finally launched in beta on Arbitrum, an Ethereum layer 2.
Only eleven days later, on June 27, the team boasted that the project "has grown to over $1m TVL in 2 working days". An hour after that, they announced that they would be suspending the protocol and beginning an immediate investigation into an apparent theft. Themis boasts in its documentation that "security is the highest priority" of the project, and lists multiple audits from PeckShield.
An attacker was apparently able to exploit the project, draining around 220 Themis-wrapped ETH (nominally worth ~$417,000). Due to liquidity issues, they could only swap these for around 94 ETH (~$178,000) and almost $190,000 in stablecoins, for a total haul of around $368,000.
Jimbos Protocol exploited for $7.5 million
Three days after the launch of its v2 protocol, the Arbitrum-based Jimbos Protocol was exploited for 4,090 ETH (~$7.5 million). The project had not properly controlled for slippage, which enabled an attacker to use a flash loan to manipulate the trading pairs on the project. The attacker then bridged the stolen funds to the Ethereum chain.
After the attack, Jimbos Protocol tweeted "We are aware of the exploit regarding our protocol and are actively in contact with law enforcement and security professionals. We will release further information when possible." They also sent an on-chain message to the exploiter, offering to stop all investigations if the hacker returns 90% of the stolen funds.
Brand new $CS token exploited for almost $700,000
An attacker exploited the brand new $CS token for almost $700,000 using a flash loan exploit. They then swapped the funds into around 383 ETH ($689,400) and laundered them through Tornado Cash.
0VIX Protocol exploited for $2 million
The 0VIX defi protocol on the Polygon blockchain was exploited for around $2 million. This was a substantial portion of the project's roughly $6.4 million TVL around the time of the hack. The attack was perpetrated by an attacker who manipulated an oracle, which then allowed them to execute a flash loan attack on the project.
The protocol was paused following the attack. 0VIX later tweeted that they had been collaborating with security firms to investigate the hack, and had offered to let the attacker keep $125,000 if they returned the remaining funds in a bug bounty agreement that would also involve 0VIX not pursuing legal action.
Euler Finance exploited for almost $200 million
The decentralized lending platform Euler Finance suffered a flash loan attack in which an exploiter stole $197 million from the project. The attacker stole $8.7 million in the Dai stablecoin, $18.5 million in wrapped Bitcoin, $135.8 million in Lido staked Ethereum (stETH), and $33.8 million in the USDC stablecoin. Although Euler was well known for its many code audits, the project had later added a vulnerable function that had not been as heavily audited.
Euler announced that they were aware of the exploit, and were "working with security professionals and law enforcement".
On April 3, Euler Finance announced that they had completed successful negotiations, and that "all of the recoverable funds taken from the Euler protocol on March 13th have now been successfully returned by the exploiter". Unfortunately, based on on-chain transfers, this appeared to only be around $31 million.
Platypus Finance stablecoin exploited for $8.5 million ten days after launch
Platypus USD, a stablecoin issued by the Platypus Finance defi protocol, was exploited only ten days after it first launched. The loss was estimated to be around $8.5 million, although crypto researcher zachxbt observed that Tether had blacklisted the attacker contract shortly after the theft.
The exploit was a flash loan attack that allowed them to drain some protocol pools, also causing the stablecoin to lose its dollar peg and drop to around $0.48. A team member reported on the project's Discord that "all operations are paused until we get more clarity".
The following day, the project reported they had recovered $2.4 million of the stolen funds, and were working with crypto sleuth zachxbt, who had leads as to the hacker's identity. Later that month, Platypus announced that French police had arrested two suspects, who had tried to withdraw stolen funds through Binance — to whom they had submitted identification documents for KYC purposes.