Blockchain security researcher Specter has suggested there may be links between this attack and a $50 million theft from the Infini "stablecoin neobank" a year ago.
IoTeX bridge exploited for $2 million after private key compromise
IoTeX, a platform to connect IoT devices to blockchain networks, lost around $2 million after a private key compromise enabled an attacker to drain funds from the project's token safe. Initial loss estimates were as high as $8.8 million, although IoTeX CEO Raullen Chai stated that the actual loss was closer to $2 million.
CrossCurve users exploited for around $3 million
Hackers exploited a bug in smart contracts deployed by the defi protocol CrossCurve to steal an estimated $3 million across multiple blockchains. The thief was able to spoof cross-chain messages, causing the CrossCurve bridge to release assets not belonging to them.
CrossCurve took a conciliatory tone in on-chain messages sent to the thief, writing, "These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent." (Who among us hasn't accidentally stolen millions of dollars?) However, they warned, they planned to escalate to working with law enforcement and blockchain security firms to investigate and prosecute the theft if the funds were not returned within 72 hours.
Seedify launchpad project suffers bridge exploit
An attacker exploited bridges for SFUND, the token issued by the Seedify launchpad and incubator. It appears the exploiter has profited around $1.7 million from the theft. Seedify issued a statement announcing the theft, and said the bridge contracts that were exploited had been deployed for three years. The SFUND token crashed in price by around 80% before recovering somewhat.
Seedify has been a launchpad for blockchain games, NFT projects, and other web3 products. The team recently has embraced "vibe coding" — a practice in which people rely heavily on AI to generate code.
Shibarium bridge hit with $2.4 million flash loan attack
A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.
The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.
Wemix Foundation bridge hacked for $6.2 million
The Wemix Foundation, which runs the blockchain gaming platform WEMIX, suffered a $6.2 million hack of their blockchain bridge. Although the hack occurred on February 28, the company did not disclose the theft until four days after the incident, leading some to accuse Wemix of attempting to cover up the hack. Wemix has denied those allegations, claiming that the delay was in hopes of preventing market panic, and to ensure they had time to patch any security vulnerabilities before publicly disclosing a breach.
NoOnes hacked for almost $8 million
After crypto sleuth zachxbt noticed an apparent theft from the NoOnes peer-to-peer crypto trading platform on January 1, CEO Ray Youssef was forced to acknowledge the theft. He claimed that the project's Solana bridge had suffered a compromised, and explained that it had been taken offline for "exhaustive pen testing".
Youssef emphasized that user funds were safe, which led to questioning from others on how that could be possible when nearly $8 million had been stolen. Youssef claimed he had reimbursed the stolen assets himself.
- Telegram post by zachxbt [archive]
- Tweet by Ray Youssef [archive]
Feed Every Gorilla hacked again for over $1 million
The "Feed Every Gorilla" project has once again been hacked, after suffering a pair of flash loan attacks in May 2022 amounting to $1.9 million in losses. The protocol also suffered losses later in 2022, thanks to an issue with a token locking service that cost FEG $2 million (though around $1.9 million was ultimately returned by the exploiter).
This time, the FEG project team blamed an issue with the project's bridge, which is a tool used to deposit and withdraw tokens from the project. An attacker was able to maliciously withdraw a large amount of FEG tokens via the flaw in the bridge, which they then sold off for around $1.07 million, tanking the FEG token price by 99% in the process. The bridge had been audited by the PeckShield blockchain security firm.
$12 million taken by whitehats from Ronin bridge
The Ronin bridge, which bridges crypto assets to the Ronin Network used by Axie Infinity and other gaming projects, has once again suffered a breach — though a considerably smaller one than the recordbreaking $625 million theft in March 2022. An update to the bridge code introduced a flaw with respect to how transactions were confirmed.
Fortunately for the Ronin team, it seems that most of the losses actually went to whitehats and MEV bots that were frontrunning transactions by would-be exploiters. ETH and USDC priced at around $12 million were taken — the maximum amount before triggering a safety feature in the code. Later that day, Ronin announced that the ETH (worth around $10 million) had been returned, and that the USDC was in the process of being returned. They also announced that they would reward the whitehats with a $500,000 bug bounty reward.
The Ronin bridge was taken offline shortly after the flaw was detected, and the team announced it would undergo an audit before being brought back online.
Socket service and its Bungee bridge suffer $3.3 million theft
The Socket cross-chain infrastructure protocol was hacked for around $3.3 million in an attack that exploited its Bungee bridge. The thieves were able to exploit a bug that allowed them to take assets from those who had granted approval to a portion of the system called SocketGateway.
A little over 700 victims were affected, and the highest loss from a single wallet was around $657,000. 121 wallets lost assets priced at more than $10,000.
On January 23, the protocol announced they had recovered 1,032 ETH (~$2.23 million) of the stolen funds.
Orbit Bridge hacked for $81 million
The Orbit Bridge project, a cross-chain bridge for the Orbit Chain project, was exploited on December 31 for around $81 million. The attacker made off with around 26,742 ETH (~$64 million) and $18 million in the DAI stablecoin. Orbit Chain's total value locked plummeted from $152 million to $71 million as over half the funds were drained.
Orbit began sending the attacker on-chain messages, writing that "we will track you down and restore the damage you incurred to the ecosystem. And we will not stop." Orbit also wrote on Twitter that they were working with various law enforcement agencies.