Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.
Aperture Finance users lose at least $3.4 million
An attacker exploited a bug in an Aperture Finance smart contract to steal at least $3.4 million from users who had enabled "instant liquidity management" features. Aperture Finance is a defi platform that aims to allow users to trade by telling large language models their "intents".
DeltaPrime loses $4.8 million in second hack
The DeltaPrime defi protocol was hacked for the second time in two months, losing $4.8 million in Arbitrum and Avalanche tokens. The attacker appeared to have exploited a flaw in one of the platform's smart contracts that enabled them to borrow more than they put up in collateral.
DeltaPrime paused the protocol on both Arbitrum and Avalanche, stopping the attacker from being able to steal more funds than they already had.
DeltaPrime was hacked previously on September 16, losing $6 million after a leaked private key enabled an attacker to mint a huge number of the platform's stablecoin deposit receipts.
"Peripheral" Aave smart contract hacked for $56,000
The popular defi lending platform, Aave, suffered a smart contract exploit that allowed an attacker to steal around $56,000. A smart contract outside of the core Aave protocol, which is used to allow people to use existing collateral to repay their loans, had gradually accrued a balance of tokens leftover from slippage. These small leftover token amounts are sometimes called "dust". Altogether, these tokens amounted to around $70,000 across several blockchain networks.
An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000. Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as "raiding the tip jar".
Dwight Howard's NFT project flops
NBA star Dwight Howard is clearly at least a year (probably two) late to the time when celebrities and star athletes could drop some low-effort NFTs and sell out the whole batch immediately. After announcing his "Ballers" project on January 20, offering 3,000 NFTs for a mint price of 2 AVAX (~$60) apiece, he only managed to sell about 300 of them within a day or so.
After the dismal launch, Howard tried a few somewhat desperate-seeming moves to try to attract interest in the project: promising to send free crypto to some holders, redoing all the art after criticism of its quality, and slashing the NFT supply to 1,500. Despite all that, only 465 NFTs have sold (15% of the original supply, netting Howard 930 AVAX — around $28,400).
The flop was so bad that a member of the team behind the Avalanche blockchain put out a tweet distancing themselves from the project, stating that they didn't even know about the project until he announced it. "Gone are the days that individuals/Brands with large followings can just drop IP related NFTs out of nowhere and expect it to do well," they wrote, seemingly criticizing Howard's approach by writing that NFT creators must "mak[e] sure to do it in an organic way with proper intentions."
Platypus Finance hacked for a third time this year
At this point, they should probably just have a form email ready to go. Platypus Finance has suffered a cumulative $2.23 million in losses thanks to several attacks on the platform over the course of several hours. This set of hacks followed a $8.5 million hack in February, and another hack of at least $150,000 in July.
Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.
Stars Arena exploited for $3 million
Stars Arena, an Avalanche-based dupe of the popular Friend.Tech project, suffered a serious exploit in which an attacker drained tokens priced at around $3 million.
Avalanche co-founder and CEO Emin Gün Sirer drew widespread mockery when announcing that "the amount lost is only $3m", apparently not perceiving that $3 million is a massive sum to most people. He also didn't mention that it constituted almost the entire total TVL of the Stars Arena project, which was left with less than $1 in tokens following the attack.
Stars Arena was fortunate, in that the hacker ultimately contacted them offering to make a deal. The attacker returned 90% of the funds, keeping $300,000 as a "bounty".
Platypus Finance hacked for the second time
Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.
This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.
0xSifu loses more than $2.7 million to SushiSwap hack
0xSifu, also known as Michael Patryn, also known as Omar Dahani, is the once-pseudonymous chief developer of the Wonderland protocol. His identity was discovered by zachxbt in January 2022, when the crypto sleuth revealed that "0xSifu" was Patryn, a man with a history of financial crimes who was previously involved with QuadrigaCX, an exchange which lost over $150 million in customer funds in 2018.
Today, Sifu himself was the victim of a theft as a bug in the SushiSwap decentralized exchange allowed a hacker to make off with around 1,800 ETH (more than $3.3 million) belonging to him. According to SushiSwap leader Jared Grey, around 300 ETH (~$557,000) of Sifu's funds were subsequently recovered.
Analysts have found that almost 200 addresses on the Ethereum network have approved the vulnerable contract, and around 2,000 addresses approved the vulnerable contract on Arbitrum, Polygon, and other chains. It's not yet clear how much was stolen in total. SushiSwap leader Grey urged users via Twitter to revoke approval for the vulnerable smart contract.
Turkish electric vehicle company Togg announces presale via NFT, then scraps the plan after customers have already bought in
Turkish electric vehicle startup Togg announced that interested customers would be able to buy obtain pre-order rights for the limited run of their "100 Year Special Series" cars if they purchased one of the 2023 NFTs they planned to mint on the Avalanche blockchain. Based on rarity, NFTs began minting at between 10 and 30 AVAX ($200-$600) depending on rarity, which prospective customers purchased at its ~$20 price in anticipation of the early February sale. Many customers purchased considerably more AVAX, anticipating fierce bidding wars.
However, shortly after the NFT sales began, the platform crashed. Then, very soon after the sale began and Togg began addressing the issues with the platform, a series of earthquakes devastated portions of Turkey. As a result, Togg announced they would be postponing the sale until a later announcement.
On March 8, Togg announced that they had canceled their plans to conduct the pre-order process by NFT drawing, and that any NFT holders would not be prioritized in the pre-order.
This infuriated some customers who had purchased AVAX solely intending to use it to obtain a pre-order slot — particularly because AVAX is now priced below $15, meaning those who've been holding AVAX since purchasing it have lost 25%.
- "Togg to sell pre-order rights with NFTs", Hurriyet Daily News
- Tweet by Togg
Platypus Finance stablecoin exploited for $8.5 million ten days after launch
Platypus USD, a stablecoin issued by the Platypus Finance defi protocol, was exploited only ten days after it first launched. The loss was estimated to be around $8.5 million, although crypto researcher zachxbt observed that Tether had blacklisted the attacker contract shortly after the theft.
The exploit was a flash loan attack that allowed them to drain some protocol pools, also causing the stablecoin to lose its dollar peg and drop to around $0.48. A team member reported on the project's Discord that "all operations are paused until we get more clarity".
The following day, the project reported they had recovered $2.4 million of the stolen funds, and were working with crypto sleuth zachxbt, who had leads as to the hacker's identity. Later that month, Platypus announced that French police had arrested two suspects, who had tried to withdraw stolen funds through Binance — to whom they had submitted identification documents for KYC purposes.