This is Yearn's fourth hack, following the $6.6 million theft in November, an $11 million exploit in 2023, and an $11 million exploit in 2021. Yearn also lost around $1.4 million in 2023 in connection to the Euler Finance attack.
Yearn Finance suffers fourth exploit only weeks after third
Only weeks after losing $6.6 million to an infinite mint exploit, a Yearn Finance smart contract has again been exploited, allowing an attacker to make off with around 103 ETH (~$300,000). The affected contract is a legacy contract that was part of the Yearn v1 project (once known as iearn). The attacker used a flash loan to manipulate the price of tokens in the vault, allowing them to withdraw the iearn assets, which they then swapped for ETH.
Shibarium bridge hit with $2.4 million flash loan attack
A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.
The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.
Abracadabra loses $13 million in "Magic Internet Money"
An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.
Polter Finance exploited for $12 million
The Fantom-based Polter Finance defi project was exploited for $7 million when an attacker was able to perform an oracle manipulation attack. By artificially increasing the price of the $BOO token, which is a governance token used by the SpookySwap project, they were then able to use that token to drain Polter's liquidity pools using a flash loan. The attacker successfully drained the entire $12 million worth of tokens on the platform.
The creator of the platform stated that they had filed a police report with Singaporean authorities. They also attempted to contact the hacker via on-chain message to negotiate the return of funds, but have not received a response.
Hacker steals $1.45 million from CUT token liquidity pool
An attacker exploited a bug in the smart contract for a BSC-based token called CUT, draining a PancakeSwap liquidity pool of almost $1.45 million in the BSC-USD stablecoin.
Minterest hacked for $1.4 million
An attacker stole $1.4 million from the defi lending project Minterest. Using a flash loan attack, they manipulated the exchange rate calculated by the project, allowing them to withdraw more tokens than they originally loaned.
Minterest paused the supply and borrow portions of their protocol after the attack, and attempted to contact the attacker to negotiate a return of some of the funds.
Dough Finance hacked for $1.9 million
Defi platform Dough Finance was hacked for 608 ETH ($1.8 million) by a hacker using a flash loan attack funded through the Railgun privacy service.
Dough Finance sent an on-chain message to the attacker, asking them to return the "misappropriated funds", threatening that they would "pursue all criminal, legal, and administrative avenues available" in the event that the attacker did not do so.
UwU Lend suffers almost $20 million hack
The defi lending protocol UwU Lend was hacked for around $20 million. After various blockchain security firms observed suspicious outflows of funds, the protocol acknowledged there had been a "situation" on their Twitter account, and wrote that they had paused the protocol while they were investigating.
UwU Lend was founded by Michael Patryn, aka Omar Dhanani, aka "0xSifu" — a co-founder of the ill-fated QuadrigaCX exchange and ex-con. He also pseudonymously ran the defi cryptocurrency project Wonderland until his identity was revealed after the protocol suffered a meltdown.
Velocore decentralized exchange exploited for $6.8 million, Linea blockchain halts in response
The Velocore DEX, built on the Linea Ethereum layer-2 blockchain, was exploited for around $6.8 million in ETH. The hacker was able to take advantage of a bug in the project's smart contract in the logic to calculate swap fees. Using a flash loan attack funded through Tornado Cash, the attacker drained most of the tokens from the pool, bridged the tokens back to the Ethereum mainnet, and then tumbled the stolen funds back through Tornado.
In an unusual move, the operators of the Linea layer-2 blockchain chose to unilaterally halt the chain in order to stop the outflow of stolen assets. Because Linea — like many layer-2 chains — is highly centralized, it was possible for the Linea team to unilaterally stop the production of blocks.
This was very controversial, as a single operator being able to unilaterally control the operation of a blockchain goes against much of the cryptocurrency ethos. Following their action, they tried to explain that "Linea's goal is to decentralize our network - including the sequencer. When our network matures to a decentralized, censorship-resistant environment, Linea's team will no longer have the ability to halt block production and censor addresses - this is a primary goal of our network".
"Normie" memecoin plummets 99% after exploit
An attacker perpetrated a flash loan attack on the "Normie" memecoin on the Base layer-2 blockchain to drain millions of NORMIE tokens. The vulnerability was evidently discovered in March, but never patched.
Although the token claimed to have a market cap of $42 million, the attacker was only able to cash out around 224 wETH (~$882,000). However, the losses to some holders of the token were much more substantial. One individual had put around $1.16 million into $NORMIE, and those holdings are now priced at around $150.
The attacker has been negotiating the possible return of funds to the project team, who has expressed interest in relaunching the token.