People briefly borrow Bored Ape NFTs to claim as much as $1.1 million in $APE tokens

The Bored Ape Yacht Club recently created a token called ApeCoin, some of which they announced would be distributed to people who owned various Bored Ape NFTs and NFTs from their related collections. However, because the token distribution didn't use a snapshot of ownership data, but rather distributed tokens per-NFT to the first owner who claimed them, people were able to game the system. Some owners of Bored Ape and related NFTs had put their NFTs into an NFTX vault, which is a setup where someone takes a subset of their NFTs and creates a token that is based on them. The token can then be staked to generate yield, or can be sold, and if someone owns enough of the tokens, they can redeem them for the NFTs. A clever operator found a vault containing five Bored Ape NFTs, which had unclaimed $APE associated with them since they were locked up in the vault. They used a flash loan to purchase a large amount of the vault's token, redeem the five BAYC NFTs, claim the airdropped tokens, return the BAYC NFTs, sell back the tokens, and repay the loan, all in one transaction that cost them nothing but netted them 60,564 $APE, which they then swapped for 399 ETH ($1.1 million).

People were somewhat split on whether this could be classed as a vulnerability in the $APE airdrop, since (as with many crypto hacks and scams) the person was operating completely within the rules set out in code.

Hundred Finance and Agave Finance are both exploited for a collective $12 million

An attacker using a flash loan attack targeted two projects on the Gnosis blockchain: Hundred Finance and Agave Finance. Each project paused their smart contracts, but not before the attacker made off with a considerable sum of money. That day, the attacker put the funds through a cryptocurrency tumbler, making it much more difficult to trace the collective 4,479 ETH that was stolen in roughly equal amounts from each protocol.

Hundred and Agave were the second and third defi protocols targeted by flash loan attacks that same day, with Deus Finance losing more than $3 million to hackers using the same class of exploit.

Hackers make off with over $3 million from Deus Finance

Hackers were able to use a flash loan attack to manipulate a price oracle, pulling 200,000 DAI and 1101.8 ETH (totaling almost $3.1 million) out of the Deus Finance defi platform. PeckShield, the analysis firm that identified the vulnerability, wrote that the $3 million number represented the amount the hackers were actually able to withdraw and put through a cryptocurrency tumbler, but that the loss to the project may have been larger. The CEO of Deus Finance subsequently wrote on Twitter that users whose positions were liquidated as a result of the exploit would be repaid.

CryptoBurgers play-to-earn game is hacked shortly after launch

The value of the $BURG token associated with the CryptoBurgers game suddenly plummeted after being hacked shortly after launching earlier that day. The game allowed users to earn cryptocurrency by flipping burgers... yes, really. A bug in the smart contract allowed an attacker to use flash loan attacks to drain $BURG, netting them around $770,000 as of that evening. The CryptoBurgers team announced they would be contacting Binance to try to recover funds, and the team would be creating a new smart contract and token. Hope the next one goes better!

DeFi platform C.R.E.A.M. is hacked for a third time, this time for $130 million

Crypto lending service C.R.E.A.M. Finance lost $130 million in a flash loan attack. It was the third hack of the platform this year, following a $37.5 million hack in February and an $18.8 million attack in August.

Hacker steals $16 million from Indexed Finance

A hacker drained $16 million from Indexed Finance, a defi protocol built on the Ethereum blockchain. The stolen funds represented nearly half of the total value locked on the platform. The hacker was later revealed to allegedly be an 18-year-old Canadian named Andy Medjedovic, who continued to refuse to return the funds even when his identity was revealed. The hacker argues that he simply took advantage of an arbitrage opportunity, and swore to "fight to the death" in court over his right to keep the money. However, the hacker never showed up to a December court appearance, and a warrant was issued for his arrest.

xToken loses another $4.5 million in second hack of the year

A vulnerability in xToken's xSNX product allowed hackers to use flash loans to empty $4.5 million from xToken. This hack followed an even larger hack in May, where the platform was exploited for around $25 million.

Flash loan exploit empties $25 million from Popsicle Finance

Popsicle Finance, a DeFi platform, lost $25 million to a bug exploited with flash loans. The organization later reimbursed users who lost money to the exploit.

Hacker nets $6.3 million in Belt Finance exploit

Belt Finance fell victim to a flash loan attack which netted an attacker $6.3 million. This was yet another exploit targeting a protocol built on the Binance Smart Chain protocol, following other attacks over the previous five months on C.R.E.A.M. Finance, bEarn, Bogged Finance, Uranium Finance, Meerkat Finance, SafeMoon, Spartan Protocol, BurgerSwap, and PancakeBunny.

"Trivial" bug costs BurgerSwap $7.2 million

A missing line of code made it "trivally" easy for an attacker to use a flash loan attack to pull $7.2 million from the DeFi platform BurgerSwap. BurgerSwap said it would "strive to cover all [users'] loss".

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.