Pac Finance has said they are "actively developing a plan with [impacted users] to mitigate the issue."
$26 million liquidated in surprise Pac Finance smart contract change
Pac Finance, a fork of the Aave lending protocol deployed on the Blast blockchain, surprised some of its users as an unannounced and unexpected code change lowered the liquidation threshold. Pac Finance said that they had asked an engineer to make changes to the smart contract, and that that person had unexpectedly decreased the threshold at which positions could be forcibly liquidated. This change resulted in $26 million being liquidated across the project.
Curio RWA project suffers $16 million exploit
Curio, a crypto project that creates tokens based on "real-world assets" (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project's funds.
A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.
Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.
Dolomite exchange exploited for $1.8 million
The Dolomite DEX suffered a $1.8 million theft as an exploiter was able to take advantage of a vulnerability in a smart contract that had been deployed in 2019. Although most contemporary users of the exchange use a version deployed on the Arbitrum layer-2 network, the old contracts were still usable on Ethereum.
An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.
Unizen platform hacked for $2.1 million
The Unizen defi platform lost around $2.1 million in the Tether stablecoin in an attack that took advantage of a vulnerability an external call from the project smart contract.
The project team sent on-chain messages to the attacker, offering a 20% "bounty" for the return of the remaining funds.
Seneca Protocol bug enables at least $3 million in stolen user funds
A bug in Seneca Protocol's smart contract has allowed attackers to steal funds from users who had approved the contract. So far, around $3 million has been stolen across the Ethereum blockchain and Arbitrum layer-2.
Making things worse, although the project's smart contract inherits the Pausable module that should allow the Seneca team to halt the malfunctioning code, they never implemented the function, meaning there's no way for them to stop the thefts. Instead, individual users must each revoke access to the flawed contract.
DeezNutz_404 hacked for $170,000
I might otherwise skip over news of a $170,000 hack, given how commonly thefts of that scale happen in the crypto world, but with a name like this... come on.
One thing that keeps me from ever trying my hand as a crypto project hacker is that if I made $170,000 from exploiting a project called "DeezNutz_404", I would immediately be caught because I wouldn't be able to resist telling everyone I know that I'd just made enough money to not have to work for a couple years by exploiting deez nuts.
Anyway, there was a bug in their code that allowed an attacker to mint infinite tokens and steal around 58.65 ETH (~$170,000).
Harmony blockchain encounters "infinite mint" bug; accusations of wrongdoing fly
On December 7, the Harmony blockchain began encountering a bug that ultimately caused around 150 million of the project's $ONE token (priced at around $2.2 million) to be erroneously minted and distributed to 79 wallets. Most of the recipients, who were anonymous, quickly sold their unexpected windfall.
The bug was fixed about a week later. There has been a dispute since then between Harmony employees and a consultant who was involved in identifying the bug, and the consultant has been accused of delaying action to profit from the excess tokens. The consultant also balked at destroying some of the tokens he mistakenly received.
The consultant claims that he didn't profit from the bug, and objected to a Harmony employee coming after him to destroy the excess tokens when he'd done little towards others who profited from the error. He did, however, say later that he had destroyed the tokens.
According to the consultant, a Harmony employee claimed that he had filed reports to the FBI and IRS about the consultant's behavior, and had the consultant banned from the annual ETH Denver event.
Yearn Finance accidentally swaps its entire Ip-yCRVv2 treasury, asks nicely for the money back
Periodically, Yearn Finance converts a small quantity of its treasury tokens into stablecoins to spend on operations. However, something went terribly wrong during this process when they went to perform the swap and erroneously converted the entire amount — nearly 3.8 million Ip-yCRVv2 tokens — into a stablecoin. According to one Yearn Finance employee, this pool of tokens comprised around 3% of the project's treasury.
Because there was not sufficient liquidity for such a large trade at the going price, the trade was ultimately fulfilled, but at a 63% loss. Before the trade, that quantity of tokens was priced at around $2.28 million; however, Yearn received only around $780,000 in stablecoins because of the slippage.
Yearn quickly identified the issue and embarked on a campaign to ask nicely for the counterparties in the trade to please give some of their profits back. In on-chain messages, Yearn wrote: "one of yearns multisigs made a costly mistake last night that affected a critical source of yCRVs liquidity. we identified you as having made a profit off of this and are kindly requesting that you return as much as you see reasonable to yearns main multisig: ychad.eth. sorry we have to ask this, but hope you can understand." Doesn't hurt to ask, I guess. So far, only one wallet has taken them up on the offer, returning 2 ETH (~$4,400).
- "Incident disclosure - 2023-12-11", Yearn Finance Github [archive]
- On-chain message from Yearn Finance [archive]
Ethereum projects scramble to address widespread smart contract vulnerability through ThirdWeb
Projects using the suite of pre-built smart contracts from crypto development platform ThirdWeb have been racing to migrate to patched versions as ThirdWeb has disclosed a vulnerability affecting dozens of its contracts. Although they claim no contracts containing the vulnerability have been exploited, they've urged projects using them to urgently migrate to updated versions without the flaw.
Projects relying on these pre-built smart contracts will have to lock the old contract and deploy new ones, then provide new versions of tokens via airdrop or a claim page — a fairly disruptive process.
Major NFT marketplace OpenSea issued a statement that they were working with ThirdWeb about a vulnerability "impacting some NFT collections". Rarible also stated that some NFT collections on their platform were affected, including some on the Polygon sidechain. Coinbase and Base also disclosed that some projects on their platforms were vulnerable. Projects by groups including Cool Cats and Mocaverse will need to be migrated.
KyberSwap hacked for $50 million
The KyberSwap decentralized exchange was hacked by an attacker who stole large sums of ETH, wETH, and the USDC stablecoin. Altogether, the assets are valued at around $54.7 million. The attacker was able to exploit a complex bug in a feature for liquidity pool providers. Prior to the hack, KyberSwap had approximately $80 million in TVL.
Shortly after the attack, the thief sent a message: "Negotiations will start in a few hours when I am fully rested." The KyberSwap team later responded to offer a 10% bounty, also seeming to praise the attacker: "You have done one of the most sophisticated hacks ser. That was high EV and everyone missed it."
The thief had other plans, though, ultimately issuing a list of "demands" which included "complete executive control" over the company and "surrender of all ... assets" to the hacker. They wrote that they had big plans for the network, and although they planned to dismiss all executives, they wrote that employees would be offered double salaries to continue their work. The hacker signed the message "Kyber Director".
Meanwhile, KyberSwap regained around $4.7 million after negotiations with the operators of front-running bots, who agreed to return 90% of the funds they obtained through frontrunning the hacker's transactions.
- "KyberSwap offers 10% bounty to hacker following $47 million exploit", The Block
- "KyberSwap DEX Hacked for $48 Million, Attacker Teases Negotiations", CoinDesk
- On-chain messages between the attacker and KyberSwap
- On-chain message from the attacker