This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.
Abracadabra loses $13 million in "Magic Internet Money"
An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
Zoth hacked for nearly $8.3 million, second theft in two weeks
RWA restaking platform Zoth suffered a $8.29 million hack after an attacker gained access to admin privileges that allowed them to modify the platform's smart contracts. The hacker "upgraded" the contract to a malicious version, then withdrew $8.45 million in USD0++, a token issued by the Usual protocol. After swapping the assets into various other tokens, they were left with 4,223 ETH (~$8.29 million).
This is the second Zoth exploit in two weeks, following a $285,000 theft on March 6 by an attacker who took advantage of a bug in one of the platform's smart contracts.
Four.Meme suffers second hack in as many months
After suffering an $183,000 loss to an attack in February, the BNB-based Four.Meme memecoin launchpad has been hacked again, this time for around $130,000. Four.Meme aims to be BNB's version of pump.fun, the popular Solana-based memecoin platform.
Four.Meme acknowledged the latest theft on Twitter, writing that they intended to reimburse users who lost money.
Zoth RWA restaking platform hacked
Zoth, a restaking platform for "real world assets" (or RWAs), was hacked for around $285,000 when an exploiter discovered a bug in the platform's collateral calculations. This allowed them to mint ZeUSD, the platform's stablecoin token, without depositing sufficient collateral.
- "Zoth Hack Analysis", SolidityScan
1inch loses $5 million to smart contract bug
An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.
Wemix Foundation bridge hacked for $6.2 million
The Wemix Foundation, which runs the blockchain gaming platform WEMIX, suffered a $6.2 million hack of their blockchain bridge. Although the hack occurred on February 28, the company did not disclose the theft until four days after the incident, leading some to accuse Wemix of attempting to cover up the hack. Wemix has denied those allegations, claiming that the delay was in hopes of preventing market panic, and to ensure they had time to patch any security vulnerabilities before publicly disclosing a breach.
Founder of the Mask Network loses more than $4 million to a wallet hack
Suji Yan, the founder of the Mask Network, suffered the loss of more than $4 million in various cryptocurrency assets to an apparent wallet hack. According to Yan, the theft happened on his birthday while he was at a party. "[E]ither the private key was leaked same day as my birthday and hacker manual[ly transferred assets] out or it might be an offline attack. I was in a private gathering with dozen friends and my phone was away for some minutes when I using the restroom etc."
Almost $50 million stolen from Infini "stablecoin neobank"
Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused "stablecoin neobank", a fintech company that promises "financial freedom" by "democratizing banking" and "redefining the future of digital finance".
Infini experienced a different form of "financial freedom" when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.
The attack came only a day after a celebratory tweet from the company in which it had announced that they had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, they have claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: "We've got solid runway to operate. No worries."
Infini attempted to contact the thief via on-chain message, threatening that they had "gathered critical IP and device information" about them, and asking them to return 80% of the funds in exchange for a promise that Infini "will cease further tracking or analysis, and you will not face accountability". However, Infini's 48-hour deadline has come and gone without any reply.
- "0xInfini Incident Analysis", CertiK
- Tweet by Infini [archive]
- Messages from Infini to the exploiter
$1.5 billion taken from Bybit crypto exchange
In what is looking like largest ever theft from a cryptocurrency exchange, attackers took control of a hot wallet belonging to the Bybit cryptocurrency exchange and moved a massive amount of ETH-based tokens amounting to approximately $1.5 billion in notional value (though it should be noted that that quantity of stolen tokens could not be quickly cashed out for that many dollars without affecting the ETH price).
Bybit CEO Ben Zhou confirmed the attack on Twitter, writing that an attacker used an advanced phishing technique to take control of the hot wallet. Zhou also promised "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."
Around 9,000 wallets used with Cardex fantasy trading card game compromised
Around $400,000 in ETH was stolen from around 9,000 wallets on the Abstract layer-2 network, which is built by the same company that makes the Pudgy Penguins NFTs. It appears that the affected wallets had all been used to play Cardex, a fantasy trading card game that had launched only a week prior.
Attackers compromised a private key belonging to the game's creators, which allowed them to drain wallets that still had an active session with the game.