Bonq defi borrowing project exploited

The Polygon-based defi borrowing protocol Bonq suffered an attack in which 112 million ALBT tokens and around 100 million BEUR tokens were stolen. A flaw in the protocol enabled the attacker to modify oracle prices, allowing them to mint new ALBT and BEUR for significantly less than market price.

The attacker quickly bridged the tokens to the Ethereum chain and swapped them for ETH and USDC, collectively worth around $1.7 million. The price of ALBT plunged around 50%, and the BEUR Euro-pegged stablecoin significantly lost its peg.

Pando exploited for $20 million

The defi protocol Pando suffered a $20 million loss when it was exploited with an oracle manipulation attack. The protocol suspended several of its projects in response to the hack, and wrote that they hoped to negotiate with the hacker to regain some of the stolen proceeds. Some of the stolen funds were able to be locked, although it's not clear if it was the total amount.

Oracle attack on Solend costs the project $1.26 million

Solend announced that an exploiter had manipulated the oracle price of an asset on their platform, allowing them to take out a loan that left the platform with $1.26 million in bad debt. They reported that they had paused affected pools, and did not anticipate other pools on the platform were at risk.

Oracle manipulation attack on a QuickSwap market earns exploiter $188,000

Adding to the recent string of oracle manipulation attacks is an attack on the miMATIC ($MAI) market on the QuickSwap decentralized exchange. An exploiter was able to manipulate the spot price of assets to borrow funds, ultimately making off with 138 ETH ($188,000) that they mixed through Tornado Cash. The vulnerability was due to the use of a Curve LP oracle, which contains a vulnerability that was disclosed by a security firm earlier that month.

Security firm PeckShield initially suggested the issue might have been with QiDAO, which creates the $MAI stablecoin. The vulnerability is not with their project, although it's possible that the theft will impact the collateralization of their stablecoin.

Moola Market exploited for $8.4 million

The Celo-based borrowing and lending platform, Moola Market, suffered a major exploit when an attacker manipulated collateral prices to steal a collection of assets notionally worth around $8.4 million. After taking a loan of $MOO tokens on the platform, the attacker manipulated the price of those tokens to borrow all other tokens available on the lending protocol. The project dashboard currently shows 100% utilization, because the attacker emptied all funds that were available: a mix of $CELO, $cEUR, $MOO, and $cUSD that amount to around $8.4 million.

This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".

Mango Markets suffers loss of more than $116 million

Mango Markets, a Solana-based defi project offering borrowing, lending, and leverage trading, was exploited for $116 million. An attacker manipulated the supposed value of their collateral on the platform, allowing them to take out massive loans from the project treasury that they never repaid. In total, they stole around $116 million worth of Solana tokens. However, only a few exchanges have sufficient liquidity to support exchanging or withdrawing that quantity of tokens, and those exchanges (Coinbase, Binance, and Kraken) froze the attacker's wallets.

Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately were not able to get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.

Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months

A hacker was able to perform an oracle manipulation attack enabled by flash loans to siphon crypto worth around $1.26 million from Inverse Finance. The loss to the protocol was higher, at around $5.8 million. The attacker has already moved most of the stolen funds to the Tornado Cash cryptocurrency tumbler.

Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.

Attacker steals $3 million from Fortress Protocol

An attacker was able to steal 1,048 ETH (~$2.65 million) and 400,000 DAI from the Fortress Protocol borrowing and lending platform in what appears to have been an oracle manipulation attack. The attacker quickly moved their ~$3 million in stolen funds to the Tornado Cash cryptocurrency tumbler to obscure their tracks.

The exploit caused the $FTS token to drop 42%. The creators of Fortress urged people not to supply any assets to the pool as the attack was ongoing, and tweeted "we need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds!"

Attack on Inverse Finance results in a $15.6 million loss

An attacker targeting the defi project Inverse Finance was able to manipulate the price oracle of INV/ETH, artificially inflating the apparent price of INV and allowing the attacker to borrow against it. The attacker was ultimately able to turn the borrowed DOLA, ETH, WBTC, and YFI tokens, priced at a total of around $15.6 million, into around 4300 ETH (priced at around $14.5 million). As of early April 2, the attacker had transferred 1,300 ETH (around $4.5 million) to a tumbler to make it more difficult to trace.

Hackers make off with over $3 million from Deus Finance

Hackers were able to use a flash loan attack to manipulate a price oracle, pulling 200,000 DAI and 1101.8 ETH (totaling almost $3.1 million) out of the Deus Finance defi platform. PeckShield, the analysis firm that identified the vulnerability, wrote that the $3 million number represented the amount the hackers were actually able to withdraw and put through a cryptocurrency tumbler, but that the loss to the project may have been larger. The CEO of Deus Finance subsequently wrote on Twitter that users whose positions were liquidated as a result of the exploit would be repaid.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.