Damages from crypto project hacks totaled $349 million in November

What’s new? According to SlowMist, a blockchain audit company, the damage from hacker attacks on crypto projects amounted to $349 million in November. Of that, 15,8% was due to liquidity pool exploits, 7,5% to API key leaks, and 4,2% to instant loan and market manipulation attacks, but the nature of most of the incidents remains unknown.

SlowMist’s report

November’s biggest attacks. During the month, 47 incidents were recorded, in particular, the following projects were affected:

• On November 1, the Onyx lending DeFi protocol lost 1165 ETH worth $2,1 million. Hackers manipulated interest rates to borrow more funds and launch an attack, then transferred the funds to the Tornado Cash crypto mixer, which has been under US sanctions since last August.

• On November 6, the staking contract of the cross-chain fundraising platform TrustPad was attacked. A hacker exploited a vulnerability to repeatedly call the staking rewards function and then withdrew $155 000.

• On November 7, TheStandard.io, the DeFi protocol for stablecoin lending, lost $290 000. The attacker took advantage of low liquidity in the PAXG pool to manipulate the market. In this, he returned $265 000 to the project on November 9.

• On November 8, 1238 ETH worth $2,5 million was withdrawn from the hot wallet of the Australian crypto exchange CoinSpot, the alleged reason being a private key leak.

• On November 11, an attack on the Raft protocol on the Ethereum network resulted in the release of 6,7 million stablecoins R and the loss of $3,3 million in ETH. The reason was the vulnerability of the coin issuance mechanism.

• On November 14, a hacker hacked into the Exzo network administrator’s wallet and assigned his address the right to manage the XZO native coin contract. He then issued a large volume of XZO and withdrew 169 ETH worth $310 000 from the XZO/ETH liquidity pool on the Uniswap exchange.

• On November 18, the dYdX exchange was forced to allocate $9 million from its insurance fund to cover liquidations of user positions in the YFI token, whose marketplace, according to management, was under a targeted attack.

• On November 19, market maker Kronos Research lost 13 007 ETH worth $26 million due to a leak of API keys and was forced to suspend trading, which in turn crippled the WOO exchange. Kronos was WOO’s main liquidity provider, and the trading suspension led to the liquidation of exchange users’ positions, but the damage has already been compensated to them.

• On November 10 and 22, the Poloniex and HTX exchanges and the Heco cross-chain protocol, led by Justin Sun, lost over $243 million in two attacks, with SlowMist not specifying a possible reason for the hacks. Sun’s team is also investigating and has already announced an airdrop among users of both exchanges following the full resumption of trading.

HTX and Poloniex to conduct airdrop after hack worth more than $210 million

The event will be timed to coincide with the full resumption of deposit and withdrawal functions

Read more

• On November 23, the KyberSwap exchange lost $54,7 million due to a vulnerability in the token exchange mechanism. In the course of negotiations, the attacker refused remuneration in exchange for the return of most of the funds and demanded to give him control over the project. He said he would buy out management’s stakes in the company, double employee salaries and pay 50% to liquidity providers, but the holders of native tokens would be left with nothing as a result of their depreciation.

“It is also more than you deserve.” KyberSwap hacker demands to transfer complete control over the protocol to him

In this case, he promised to buy out the shares of the executives and double the salaries of the employees

Read more

Separately, the analysts also mentioned fraud cases. During the month, they recorded 24 schemes realized by the Rug Pull method, when developers stole all investors’ funds. Most of the incidents occurred on the networks of Binance Smart Chain and Ethereum.