Unizen platform hacked for $2.1 million

The Unizen defi platform lost around $2.1 million in the Tether stablecoin in an attack that took advantage of a vulnerability an external call from the project smart contract.

The project team sent on-chain messages to the attacker, offering a 20% "bounty" for the return of the remaining funds.

WOOFi hacked for $8.75 million

An attacker was able to use a flash loan attack to manipulate an oracle on the WooFi DEX implementation on the Arbitrum network. By manipulating the price of $WOO, they were able to steal around $8.5 million.

Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".

"The AI Protocol" burns tokens after holder suffers $4.3 million theft

Someone who held over 111.6 million ALI tokens from a project called The AI Protocol was phished by someone using a wallet drainer service using a permit phishing technique. The tokens were priced at around $4.3 million.

Blockchain sleuth zachxbt was able to coordinate with the project to organize a community governance vote to burn the stolen tokens before the attacker was able to cash out. Although this doesn't return the stolen funds to their original owner, it at least keeps the attacker from profiting.

Shido exploited for at least $3.3 million

The Shido blockchain suffered an exploit of their staking smart contract, in which an attacker was able to transfer ownership of the contract to another address and then upgrade the contract with a function that allowed them to withdraw staked tokens. Altogether, the attacker withdrew all 4.3 billion staked $SHIDO tokens — over half the entire circulating supply.

Although the stolen tokens were nominally priced at $35 million, the massive theft caused the price to plummet 94%. The attacker has converted the stolen tokens to around 956 ETH ($3.3 million).

The Shido team announced that they would be trying to offer a "bounty" to the hacker.

Seneca Protocol bug enables at least $3 million in stolen user funds

A bug in Seneca Protocol's smart contract has allowed attackers to steal funds from users who had approved the contract. So far, around $3 million has been stolen across the Ethereum blockchain and Arbitrum layer-2.

Making things worse, although the project's smart contract inherits the Pausable module that should allow the Seneca team to halt the malfunctioning code, they never implemented the function, meaning there's no way for them to stop the thefts. Instead, individual users must each revoke access to the flawed contract.

"Crypto inheritence" project Serenity Shield hacked, token price plummets 99%

Serenity Shield, a project aiming to solve "crypto inheritence", has been hacked. Although the project prominently claims to help "ensur[e] your financial and personal security", they seem to have some trouble ensuring their own.

An attacker stole 6.9 SERSH tokens from a MetaMask wallet belonging to the project. Although the tokens were ostensibly priced at $5.6 million, the thief was only able to sell them for around $586,000.

Serenity Shield confirmed the breach, and encouraged people to stop trading $SERSH as they planned to relaunch the token. "Rest assured, we are deploying all necessary safety measures to ensure a foolproof system," they wrote. This time it will be secure, they promise.

The team also sent a message to the hacker, offering a 15% "bounty" and a promise not to pursue legal action in exchange for the return of the stolen funds.

According to crypto sleuth zachxbt, the attack seems to be linked to exploits of OKX (December 2023) and Concentric (January 2024).

Scammers hack Twitter account of late actor Matthew Perry, solicit "donations" for "substance abuse charity"

Matthew PerryMatthew Perry (attribution)
There are evidently no lows to which crypto scammers will not sink.

Some scammers were able to compromise the Twitter account belonging to the Friends star Matthew Perry, who passed away in October 2023. He had spent much of his life battling addiction, and his death was drug-related.

The scammers took advantage of this to share crypto addresses that they claimed would funnel donations to the real Matthew Perry Foundation, which actually tries to help those battling addiction. However, in a post on Perry's other social media accounts, the Foundation clarified that they had nothing to do with the wallets or the Twitter posts, and described the website as "fraudulent".

tea.xyz causes a flood of spam pull requests to open source projects

This crypto skeptic I've heard of once said "Show me the incentive and I will show you the outcome."

A project called tea.xyz promised people they could "get rewards for [their] open-source contributions", complete with a flashy website describing how it would "enhance the sustainability of open-source software".

So far, it's achieved the exact opposite. Promising to reward open source contributors with crypto tokens, the project asked users to verify their access to open source projects by merging in a YAML file containing their crypto wallet address. This kicked off a flood of pull requests to prominent, often non-crypto-related open source projects by people who had never contributed to the project (or, often, any open source project), but who wished to merge in a file describing them as a "code owner".

Particularly impacted by this project was the open source blogging platform Ghost, which was used as an example in the demo video released by tea.xyz, and which received several PRs of this kind. A somewhat flummoxed maintainer of the repository replied to one PR: "[I]n practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people's work. ... This why people hate on crypto." A maintainer of another unrelated open source project called "ghost" also reported receiving an influx of spam PRs.

This is not the first time crypto has generated massive Github spam, although another recent incident was (blessedly) mostly limited to open-source crypto projects and didn't waste the time of non-crypto-related projects as this one has.

$440,000 stolen as MicroStrategy's Twitter account is hacked

Michael Saylor sitting in front of a large model shipMichael Saylor (attribution)
MicroStrategy, the company founded and chaired by Bitcoin maximalist Michael Saylor, suffered a Twitter account compromise on February 26. Although MicroStrategy ostensibly develops software, it's better known for its massive Bitcoin holdings, driven by Saylor.

Although Saylor has been publicly critical of Ethereum, that didn't seem to raise flags among those eager to receive an airdrop of the Ethereum-based "MSTR" token that the company's Twitter account claimed they had just launched. Those who fell for the phishing link were redirected to a website that spoofed the real MicroStrategy website, with malicious code that drained funds.

Around $440,000 was stolen thanks to the fake announcement, with the majority of it coming from one wallet that was drained of a variety of tokens notionally worth around $425,000.

Dechat announces its token launch with a link to the wrong token

The user experience in crypto is apparently so bad that platforms can't even keep their own tokens straight. A web3 messaging project, Dechat, announced with some fanfare that the Dechat token would begin trading. In their social media post, however, they erroneously linked to the wrong token on the PancakeSwap cryptocurrency exchange. Instead of linking to the token they had developed, they included a link to a honeypot: that is, a malicious smart contract that aims to entice people to deposit funds that can then be stolen.

"You clowns literally linked a honeypot for your own token launch," wrote crypto sleuth zachxbt. Some users replied that they had lost money to the erroneous link.

Dechat quickly removed the post and created a new one with a corrected link. They also promised to reimburse users who had lost money to the honeypot.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.