April 29, 2022

Monthly Recap: More than 21 Typical Security Incidents Occurred in April 2022

t’s time for another monthly security stocktaking! According to Beosin EagleEye, in April 2022, the number of various security incidents decreased compared to March. There were more than 21 more typical security incidents in April. Losses from attack-type security incidents were $280 million.

DeFi

9Typical Security Incidents

1. On April 2, the lending platform Inverse Finance suffered a price manipulation attack and lost about $15 million.

2. On April 8, Starstream, a revenue aggregator on the Ethernet Layer 2 network Metis, had $4 million stolen due to a contract vulnerability.

3. The Creat future (CF) token contract was fundamentally flawed, allowing anyone to consume another person’s $CF balance, resulting in a loss of approximately $1.8 million due to the contract.

4. Marvin Inu’s cross-chain bridge was hacked due to a private key compromise, resulting in a loss of approximately $350,000.

5. On April 13, the stablecoin platform Elephant Money suffered a flashloan attack with a loss of $22 million.

6. Meta-universe DeFi protocol Rikkei Finance was hacked on April 15, and the attackers exploited a contract vulnerability to launch an oracle attack and made a profit of about $1.1 million.

7. On April 17, Beanstalk Farms, a stablecoin protocol, suffered a flashloan attack, with the protocol losing about $182 million and the hackers actually profiting about $80 million.

8. On April 21, the DeFi protocol ZEED was hacked. The attackers made a total profit of over $1 million, but set the contract to auto-destruct without taking it out, resulting in the profitable funds being locked in the contract forever.

9. On April 28, Deus Finance, a multi-chain derivatives protocol, was attacked by flashloan, and the hackers made about $13.4 million in profits. The project also suffered an attack on March 15, losing about $3 million.

Fraudulent / Encryption Scam

6Typical Security Incidents

1. P2E game Crypto Klash has run away and the project has now deleted its social accounts. 800 BNBs were transferred to Tornado Cash by Crypto Klash scammers.

2. Rug Pull occurred on MaxAPY Finance, an automated pledge agreement on BNB Chain, and now its official Twitter account and Telegram group have been deleted.

3. Project ANA on BNB Chain suffered a Rug Pull and Token price dropped by 91%.

4. Universe, a meta-universe real estate project on Avalanche, suffered a Rug Pull and the contract deployer minted and sold about 16 trillion UNIVs.

5. Rug Pull occurred on MetalSwap on BNB Chain, token Metal dropped 99% in a short period of time

6. Rug Pull occurred on BNB Chain project BuccaneerFi, the project’s social media accounts and community have been deleted, and about 841 BNBs have been transferred to Tornado Cash.

NFT

4Typical Security Incidents

1. On April 7, the NFT game WonderHero was attacked by a private key compromise, resulting in a loss of about $2.8 million.

2. On April 23, NFT project Akutar was permanently locked out due to two vulnerabilities in the contract, resulting in a $34 million loss to the project.

3. On April 25, BAYC’s official Instagram account was hacked and hackers posted a phishing link that led to the theft of 91 NFTs. The hackers made a profit of about $2.4

million.

4. A user lost $570,000 worth of BAYC NFTs due to a “fake verification” scam.

Others

2Typical Security Incidents

1. The U.S. Department of Justice has successfully confiscated approximately $34 million worth of cryptocurrency from a seller on the Dark Web, calling it one of the largest cryptocurrency civil forfeiture filings in U.S. history.

2. Blockchain security firm discovered a vulnerability that could have led to a $15 billion Rug Pull loss. The vulnerability has now been fixed.

Summary

In general, global blockchain security incidents in April 2022 were down from March. The total amount of losses from attack-type security incidents was about $280 million.