Loopscale hacked for $5.8 million two weeks after launch
A new Solana-based defi protocol called Loopscale, backed by Coinbase Ventures and Solana Labs, suffered a $5.8 million exploit only two weeks after its launch. The stolen funds represented 12% of the protocol's TVL. The project blamed the exploit on a bug in the protocol's pricing calculations. Although the project had been audited in February by OShield, the audit evidently did not detect the flaw.
KiloEx exploited for $7.5 million
KiloEx, a decentralized perpetual futures exchange, was exploited for $7.5 million. An attacker executed an oracle manipulation attack on KiloEx's pricing smart contracts to steal funds across the Base Ethereum layer-2 chain, BNB Chain, and Taiko.
KiloEx halted trading on the platform while investigating the exploit, and contacted the hacker to try to negotiate a 90% return of funds.
KiloEx later announced that the recovery had been successful, and that they would pay out the 10% "bounty".
zkLend thief gets robbed
The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% "bounty" for the return of the funds, but received no reply — that is, until now.
On March 31, the attacker sent an on-chain message to the platform, writing: "Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry."
The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.
There has been substantial conversation over whether the hacker had truly been in turn scammed out of the stolen funds, had made up a fake phishing site to try to obscure the path of stolen money, or perhaps whether the whole event had been an April Fools' joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.
- On-chain messages between zkLend and thief
- Tweet by zkLend [archive]
HyperLiquid loses $13.5 million in alleged JELLYJELLY manipulation incident
HyperLiquid's Hyperliquidity Provider market making vault suffered a $13.5 million loss after an alleged market manipulation incident involving a memecoin called JELLYJELLY. A trader holding nearly $5 million (notional) of the token used a combination of shorts and spot purchases to force HyperLiquid to take on the short position. By forcing the token price up with large spot purchases, HLP suffered an unrealized loss of $13.5 million.
HyperLiquid validators voted to delist the JELLY token. They also evidently overrode the JELLY price provided by the market oracle in an attempt to reduce their losses, leading an unrelated crypto executive to question "Is that even legal?"
1inch loses $5 million to smart contract bug
An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.
zkLend hacked for around $9.5 million
The Starknet-based lending platform zkLend was exploited for around $9.5 million. zkLend paused the protocol after the attack was discovered, and began working with various crypto security groups to try to trace the stolen funds and identify the thief. zkLend also sent a message to the attacker, offering a 10% "bounty" and a "release from any and all liability" if they returned 90% of the funds. As of twelve hours after the hack, no reply had been made.
ThorChain is insolvent
The ThorChain project is in crisis amid news that the project is insolvent. In order to prevent what would effectively be a bank run and likely death spiral, the project has paused portions of the protocol while determining how best to handle the problem. According to Twitter user TCB, the project has almost $200 million in liabilities, with only $107 million in assets — assets which can be quickly withdrawn or depleted in the case of a panic.
The team has announced that the pause will last for 90 days as they explore options to save the project.
- Tweet thread by TCB [archive]
UniLend exploited for almost $200,000
The UniLend project, which advertises itself as a "unified platform for all things AI and defi", was exploited for almost $200,000. An attacker was able to take advantage of a bug in a smart contract that handled token redemption.
UniLend acknowledged the hack, downplaying it as affecting "only" 4% of the platform's $4.7 million TVL. They offered a bounty to the attacker.
Moby Trade loses over $1 million to private key leak
The Moby Trade defi options protocol suffered a $1 million loss, narrowly avoiding the loss of another nearly $1.5 million. The project team stated that a hacker had "identified and exploited a vulnerability in the key management system" that was supposed to protect a private key used by the project. Using the private key, they were able to perform contract upgrades that then allowed them to drain about almost $1.1 million in wBTC, wETH, and USDC.
Another $1.47 million in assets were vulnerable as a result, but the whitehat blockchain security firm Seal911 successfully drained those funds to later be returned to the protocol once it was secured.
- "Moby Post-Mortem Report / Growth Plan", Moby Trade blog [archive]
- Moby Trade, Rekt [archive]
Orange Finance hacked
The Arbitrum-based liquidity management project Orange Finance suffered at least $840,000 in losses after hackers compromised the project's admin address, then used it to upgrade the project's smart contracts and transfer funds.
"The team is not sure what happened," wrote Orange Finance in a tweet announcing the hack, encouraging people to revoke contract approvals for the compromised addresses.
Orange Finance attempted to negotiate with the attacker via on-chain message, writing, "If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack."