Goledo Finance hacked for $1.7 million

Goledo Finance, an Aave-based lending protocol, was exploited through a flash loan attack. The attacker stole assets estimated by CertiK at around $1.7 million.

Goledo Finance contacted the attacker to offer a 10% "bounty" for the return of the remaining assets. In a message on January 29, the attacker wrote: "I hacked Goledo and want to negotiate".

Platypus Finance hacked for a third time this year

At this point, they should probably just have a form email ready to go. Platypus Finance has suffered a cumulative $2.23 million in losses thanks to several attacks on the platform over the course of several hours. This set of hacks followed a $8.5 million hack in February, and another hack of at least $150,000 in July.

Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.

Zunami Protocol exploited for more than $2.1 million

The Zunami Protocol stablecoin-focused yield farming aggregator was exploited for more than $2.1 million when an attacker was able to perform a price manipulation attack on the project's primary pool. Zunami attracted users by promising "the highest APY on the market": around 14%. The project had been audited by Ackee and HashEx.

The attack was a "classic price manipulation" exploit, according to the Ironblocks security firm. The attacker was able to steal 1,152 ETH ($2.13 million) from the protocol. They then tumbled the stolen funds through Tornado Cash.

Uwerx crypto-based freelancer platform exploited

Uwerx is a nascent project intending to build a blockchain-based freelancer marketplace, because what better concepts to combine than blockchains and the gig economy? Sadly for them, just after completing their token presale, it was hit with a flash loan exploit that enabled an attacker to siphon 176 ETH (~$324,000) from the platform.

The project was audited by SolidProof and InterFi. The project announced that they intended to relaunch the token, and asked the exploiter to consider returning 80% of the funds, keeping 20% as a "bug bounty".

Platypus Finance hacked for the second time

Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.

This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.

Arcadia Finance exploited

Arcadia Finance is a defi margin trading protocol that launched on Ethereum and the Optimism Ethereum layer 2 protocol in March 2023. On July 9, an attacker used a flash loan to drain liquidity pools in the lending portion of the project, resulting in a total loss to the project of around 160 ETH and $163,000 in stablecoins for a total loss of almost $460,000.

The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".

Themis Protocol hacked shortly after going live

Themis Protocol is a lending platform that has had somewhat of an excruciating rollout, with users waiting ever longer for the platform to finally go live as they endured multiphased airdrops but no usable product. On June 16, the project finally launched in beta on Arbitrum, an Ethereum layer 2.

Only eleven days later, on June 27, the team boasted that the project "has grown to over $1m TVL in 2 working days". An hour after that, they announced that they would be suspending the protocol and beginning an immediate investigation into an apparent theft. Themis boasts in its documentation that "security is the highest priority" of the project, and lists multiple audits from PeckShield.

An attacker was apparently able to exploit the project, draining around 220 Themis-wrapped ETH (nominally worth ~$417,000). Due to liquidity issues, they could only swap these for around 94 ETH (~$178,000) and almost $190,000 in stablecoins, for a total haul of around $368,000.

Jimbos Protocol exploited for $7.5 million

Three days after the launch of its v2 protocol, the Arbitrum-based Jimbos Protocol was exploited for 4,090 ETH (~$7.5 million). The project had not properly controlled for slippage, which enabled an attacker to use a flash loan to manipulate the trading pairs on the project. The attacker then bridged the stolen funds to the Ethereum chain.

After the attack, Jimbos Protocol tweeted "We are aware of the exploit regarding our protocol and are actively in contact with law enforcement and security professionals. We will release further information when possible." They also sent an on-chain message to the exploiter, offering to stop all investigations if the hacker returns 90% of the stolen funds.

Brand new $CS token exploited for almost $700,000

An attacker exploited the brand new $CS token for almost $700,000 using a flash loan exploit. They then swapped the funds into around 383 ETH ($689,400) and laundered them through Tornado Cash.

0VIX Protocol exploited for $2 million

The 0VIX defi protocol on the Polygon blockchain was exploited for around $2 million. This was a substantial portion of the project's roughly $6.4 million TVL around the time of the hack. The attack was perpetrated by an attacker who manipulated an oracle, which then allowed them to execute a flash loan attack on the project.

The protocol was paused following the attack. 0VIX later tweeted that they had been collaborating with security firms to investigate the hack, and had offered to let the attacker keep $125,000 if they returned the remaining funds in a bug bounty agreement that would also involve 0VIX not pursuing legal action.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.