Arcadia Finance exploited for $3.5 million

The Arcadia Finance defi margin protocol was exploited for $3.5 million after an attacker found a vulnerability in a project smart contract. The attacker quickly swapped the stolen tokens and bridged them from Base to the Ethereum mainnet. The attacker stole the funds in two separate transactions that were more than four hours apart.

Arcadia is backed by Coinbase Ventures. The project acknowledged the hack, encouraging users to revoke permissions.

Kinto token crashes; community claims rug pull, Kinto claims hack

The price of Kinto's $K token suddenly crashed 90%, sparking accusations of a rug pull. A tranche of investor tokens had been unlocked shortly before the crash, leading some to speculate that investors dumped their tokens on retail buyers.

However, Kinto blamed the token crash on the exploit that was recently disclosed by VennBuild, claiming on Twitter that "we got hacked by a state actor". Venn seemed to corroborate Kinto's explanation that the crash was related to the exploit, tweeting that although they had tried to warn all vulnerable projects before publicly disclosing the bug, "Sadly the Kinto token was not found despite being vulnerable, and exploited without time to mitigate."

Kinto has announced a plan to raise funds to cover a $1.4 million loss in liquidity, then create a new $K token based on a snapshot of previous token holdings.

GMX exchange hacked for $42 million

The decentralized perpetual exchange GMX has been exploited for $42 million. The exploit involved a vulnerability in one version of the exchange's price calculation smart contract. GMX paused some trading while they investigated the hack, and placed other temporary restrictions on the platform.

GMX offered a 10% "bug bounty" to the hacker if they returned the funds. The attacker later returned $40.5 million in stolen assets; unusually, this is more than the 90% return requested by GMX.

Cork Protocol exploited for $12 million

Cork Protocol, a defi project aimed at "tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens", suffered a $12 million loss after an attacker exploited a bug in how the project's smart contract calculated exchange rates. The attacker stole around 3,762 wrapped staked ETH (wstETH), which they exchanged for ETH. The project announced that they were investigating the theft and had paused markets.

Cork had been audited in whole or in part by four different security firms. The project's funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz's Crypto Startup Accelerator.

Cetus DEX exploited for $223 million; some funds "paused"

An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $163 million of the funds had been frozen, leaving around $60 million unaccounted for.

This led some to question how decentralized the project truly is if the funds can be frozen in such a way.

Sui validators later voted to return the frozen assets to the Cetus project. Cetus also announced that users would be fully compensated, and that they would cover the $60 million gap with project treasury funds and a loan from the Sui Foundation.

Curve Finance website and Twitter account hacked

The website and Twitter account belonging to the Curve Finance defi project were compromised in quick succession. On May 5, an attacker compromised the project's Twitter account, posting a scam in which they appeared to announce an airdrop.

Then, on May 12, the project posted a warning that the website for the Curve frontend was "hijacked" in an apparent domain takeover.

This is not the first such compromise for Curve, which suffered a frontend compromise in August 2022 that resulted in $620,000 in losses (later recovered with the help of some exchanges).

Loopscale hacked for $5.8 million two weeks after launch

A new Solana-based defi protocol called Loopscale, backed by Coinbase Ventures and Solana Labs, suffered a $5.8 million exploit only two weeks after its launch. The stolen funds represented 12% of the protocol's TVL. The project blamed the exploit on a bug in the protocol's pricing calculations. Although the project had been audited in February by OShield, the audit evidently did not detect the flaw.

KiloEx exploited for $7.5 million

KiloEx, a decentralized perpetual futures exchange, was exploited for $7.5 million. An attacker executed an oracle manipulation attack on KiloEx's pricing smart contracts to steal funds across the Base Ethereum layer-2 chain, BNB Chain, and Taiko.

KiloEx halted trading on the platform while investigating the exploit, and contacted the hacker to try to negotiate a 90% return of funds.

KiloEx later announced that the recovery had been successful, and that they would pay out the 10% "bounty".

zkLend thief gets robbed

The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% "bounty" for the return of the funds, but received no reply — that is, until now.

On March 31, the attacker sent an on-chain message to the platform, writing: "Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry."

The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.

There has been substantial conversation over whether the hacker had truly been scammed out of the stolen funds in turn, had made up a fake phishing site to try to obscure the path of the stolen money, or whether the whole event was an April Fools' joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.

HyperLiquid loses $13.5 million in alleged JELLYJELLY manipulation incident

HyperLiquid's Hyperliquidity Provider (HLP) market-making vault suffered a $13.5 million loss after an alleged market manipulation incident involving a memecoin called JELLYJELLY. A trader holding nearly $5 million (notional) of the token used a combination of shorts and spot purchases to force HyperLiquid to take on the short position. As the trader pushed the token price up with large spot purchases, HLP suffered an unrealized loss of $13.5 million.

HyperLiquid validators voted to delist the JELLY token. They also evidently overrode the JELLY price provided by the market oracle in an attempt to reduce their losses, leading an unrelated crypto executive to question "Is that even legal?"
