Cork had been audited in whole or in part by four different security firms. The project's funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz's Crypto Startup Accelerator.
Cork Protocol exploited for $12 million
Cork Protocol, a defi project aimed at "tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens", suffered a $12 million loss after an attacker exploited a bug in how the project's smart contract calculated exchange rates. The attacker stole around 3,762 wrapped staked ETH (wstETH), which they exchanged for ETH. The project announced that they were investigating the theft and had paused markets.
Cetus DEX exploited for $223 million; some funds "paused"
An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $163 million of the funds had been frozen, leaving around $60 million unaccounted for.
This led some to question how decentralized the project truly is if the funds can be frozen in such a way.
Sui validators later voted to return the frozen assets to the Cetus project. Cetus also announced that users would be fully compensated, and that they would cover the $60 million gap with project treasury funds and a loan from the Sui Foundation.
Curve Finance website and Twitter account hacked
The website and Twitter accounts belonging to the Curve Finance defi projects were compromised in quick succession. On May 5, an attacker compromised the Twitter account belonging to the project, posting a scam in which they appeared to announce an airdrop.
Then, on May 12, the project posted a warning that the website for the Curve frontend was "hijacked" in an apparent domain takeover.
This is not the first such compromise for Curve, which suffered a frontend compromise in August 2022 that resulted in $620,000 in losses (later recovered with the help of some exchanges).
Loopscale hacked for $5.8 million two weeks after launch
A new Solana-based defi protocol called Loopscale, backed by Coinbase Ventures and Solana Labs, suffered a $5.8 million exploit only two weeks after its launch. The stolen funds represented 12% of the protocol's TVL. The project blamed the exploit on a bug in the protocol's pricing calculations. Although the project had been audited in February by OShield, the audit evidently did not detect the flaw.
KiloEx exploited for $7.5 million
KiloEx, a decentralized perpetual futures exchange, was exploited for $7.5 million. An attacker executed an oracle manipulation attack on KiloEx's pricing smart contracts to steal funds across the Base Ethereum layer-2 chain, BNB Chain, and Taiko.
KiloEx halted trading on the platform while investigating the exploit, and contacted the hacker to try to negotiate a 90% return of funds.
KiloEx later announced that the recovery had been successful, and that they would pay out the 10% "bounty".
zkLend thief gets robbed
The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% "bounty" for the return of the funds, but received no reply — that is, until now.
On March 31, the attacker sent an on-chain message to the platform, writing: "Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry."
The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.
There has been substantial conversation over whether the hacker had truly been in turn scammed out of the stolen funds, had made up a fake phishing site to try to obscure the path of stolen money, or perhaps whether the whole event had been an April Fools' joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.
- On-chain messages between zkLend and thief
- Tweet by zkLend [archive]
HyperLiquid loses $13.5 million in alleged JELLYJELLY manipulation incident
HyperLiquid's Hyperliquidity Provider market making vault suffered a $13.5 million loss after an alleged market manipulation incident involving a memecoin called JELLYJELLY. A trader holding nearly $5 million (notional) of the token used a combination of shorts and spot purchases to force HyperLiquid to take on the short position. By forcing the token price up with large spot purchases, HLP suffered an unrealized loss of $13.5 million.
HyperLiquid validators voted to delist the JELLY token. They also evidently overrode the JELLY price provided by the market oracle in an attempt to reduce their losses, leading an unrelated crypto executive to question "Is that even legal?"
1inch loses $5 million to smart contract bug
An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.
zkLend hacked for around $9.5 million
The Starknet-based lending platform zkLend was exploited for around $9.5 million. zkLend paused the protocol after the attack was discovered, and began working with various crypto security groups to try to trace the stolen funds and identify the thief. zkLend also sent a message to the attacker, offering a 10% "bounty" and a "release from any and all liability" if they returned 90% of the funds. As of twelve hours after the hack, no reply had been made.
ThorChain is insolvent
The ThorChain project is in crisis amid news that the project is insolvent. In order to prevent what would effectively be a bank run and likely death spiral, the project has paused portions of the protocol while determining how best to handle the problem. According to Twitter user TCB, the project has almost $200 million in liabilities, with only $107 million in assets — assets which can be quickly withdrawn or depleted in the case of a panic.
The team has announced that the pause will last for 90 days as they explore options to save the project.
- Tweet thread by TCB [archive]