Term Finance loses $1.65 million due to misconfiguration, recovers $1 million
The Ethereum-based lending project Term Finance lost $1.6 million when an oracle misconfiguration resulted in unintended liquidations. The team later announced that they had "successfully negotiated [the] return" of 333 ETH (~$600,000) that had been lost, and that another roughly 223 ETH (~$400,000) had been "captured internally", leaving the final loss at around 362 ETH (~$650,000).
Abracadabra loses $13 million in "Magic Internet Money"
An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.
1inch loses $5 million to smart contract bug
An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.
UniLend exploited for almost $200,000
The UniLend project, which advertises itself as a "unified platform for all things AI and defi", was exploited for almost $200,000. An attacker was able to take advantage of a bug in a smart contract that handled token redemption.
UniLend acknowledged the hack, downplaying it as affecting "only" 4% of the platform's $4.7 million TVL. They offered a bounty to the attacker.
Alpaca Finance proposes $50,000 restitution for $2.8 million in losses
Users of the Alpaca Finance lending protocol suffered losses when the protocol's sloppy oracle implementation finally resulted in consequences. Although many had warned the project about their glacial oracle setup, and the vulnerabilities they were opening themselves up to, the project repeatedly denied any issues and even banned those voicing concerns.
Then, when a new token called THENA was listed on Binance and experienced major volatility as trading opened, Alpaca's issues came to a head. As the token price surged, the slow oracle failed to reflect price changes, allowing people to withdraw far more THENA than they had posted as collateral. THENA lenders have lost an estimated $2.8 million.
On December 10, Alpaca Finance proposed distributing $50,000 "saved" by their liquidation bot to the lenders who had lost funds. Alpaca Finance also banned users complaining about their losses in the project Discord, dismissing them as a "group bot/FUD attack".
Bedrock staking platform loses $2 million after bug that allowed users to trade Bitcoin and Ethereum 1:1
A staking platform called Bedrock lost around $2 million after exploiters discovered a bug that allowed them to swap 1 ETH for 1 BTC despite the more than $63,000 difference in prices for the two assets.
A security firm working with Bedrock had tried to warn Bedrock of the vulnerability several hours before the attack, but the team was asleep. The vulnerable contracts had been deployed a day and a half prior to the attack, and had not been audited.
Fortunately for Bedrock, security groups were able to pause third-party projects surrounding Bedrock, which helped to limit the losses — which ultimately could have been as high as the entire value of funds on the protocol.
Shezmu hacked for almost $5 million, negotiates bounty
A crypto yield platform called Shezmu suffered a loss of around $4.9 million in $ShezUSD after an attacker exploited a flaw that allowed anyone to mint collateral, which they could then use to borrow ShezUSD. These tokens were relatively illiquid, however, so the total amount the attacker could have obtained was likely considerably less.
Shortly after the attack, Shezmu offered a 10% "bounty" for the return of the funds. The attacker responded that they would only consider a 20% bounty. Shezmu agreed to the terms, and announced to their followers that they had achieved a recovery from the "white hat" hacker.
$12 million taken by whitehats from Ronin bridge
The Ronin bridge, which bridges crypto assets to the Ronin Network used by Axie Infinity and other gaming projects, has once again suffered a breach — though a considerably smaller one than the recordbreaking $625 million theft in March 2022. An update to the bridge code introduced a flaw with respect to how transactions were confirmed.
Fortunately for the Ronin team, it seems that most of the losses actually went to whitehats and MEV bots that were frontrunning transactions by would-be exploiters. ETH and USDC priced at around $12 million were taken — the maximum amount before triggering a safety feature in the code. Later that day, Ronin announced that the ETH (worth around $10 million) had been returned, and that the USDC was in the process of being returned. They also announced that they would reward the whitehats with a $500,000 bug bounty reward.
The Ronin bridge was taken offline shortly after the flaw was detected, and the team announced it would undergo an audit before being brought back online.
ConvergenceFi hacked for $210,000
An attacker took advantage of a flaw in the code for the yield farming project ConvergenceFi, draining it of all the tokens that had been allocated for staking emissions. Because a function call in the smart contract did not do proper validation, an attacker was able to provide their own smart contract that set the amount of tokens to return to anything they wanted. Naturally, the attacker set it to return all 58.7 million tokens available to them, which they quickly swapped to around $210,000 and laundered through Tornado Cash.
Although ConvergenceFi described itself as audited, they admitted they had made changes to that portion of the code after the audits.
They assured their users that all user funds were safe, but recommended that users remove their staked funds from the platform.
- "Post-mortem | 08/01/2024", ConvergenceFi Medium [archive]
RHO Markets lending protocol loses $7.6 million to apparent whitehat
An apparent misconfiguration by the RHO Markets lending protocol allowed operators of an MEV bot to take $7.6 million from the project's users across multiple chains.
In a stroke of luck for the RHO team, the MEV bot operator sent RHO an on-chain message indicating they were willing to return all of the funds, although they first demanded that RHO "admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what you are going to do to prevent it from happening again."
RHO is built on the Scroll Ethereum layer-2 network. Scroll temporarily paused the chain as RHO investigated the loss.