
List of Crypto Hacks in the Month of April

by ImmuneBytes

April 1

😈On April 1, 2024, the permissionless defi protocol @OpenLeverage was exploited for ~$236K. The attacker was funded through Tornado Cash.


OpenLeverage protocol has acknowledged the breach and has paused the protocol while the hack is being investigated.

Team OpenLeverage has assured its users that any losses suffered in the exploit would be compensated using the accumulated insurance and buyback funds.

Hack Txn: https://bscscan.com/tx/0xf08b6d36dc6f650c030344b6307ae94528f77a01db11d1284ed966e7e44337d3

Addresses Involved in the Exploit:


April 2

😈 On April 2, 2023, the multichain token bridge AllBridge (@Allbridge_io) was hit by a flash loan exploit on the BNB chain.

This targeted the stablecoin pools containing USDT and BUSD, resulting in hackers stealing away around $650k from both BNB Chain liquidity pools.

The issue stemmed from a logic flaw within the withdraw function, which permitted manipulation of the pool’s swap price.

By exploiting this flaw, the attacker assumed the roles of both liquidity provider and swapper, thereby gaining the ability to manipulate the price and deplete the pool’s funds.

Attack Txn: https://bscscan.com/tx/0x7ff1364c3b3b296b411965339ed956da5d17058f3164425ce800d64f1aef8210

The stolen funds (1500 BNB) were later returned by the exploiter in exchange for a bug bounty on April 3, 2023.

The same exploiter (https://bscscan.com/address/0xc578d755cd56255d3ff6e92e1b6371ba945e3984) was also involved in the exploit of ~90K USDC from UF DAO of @xdaoapp on Jan 11, 2023.

😈On April 2, 2022, the defi protocol Inverse Finance @InverseFinance on the #Ethereum chain was exploited for $15.6 million in various cryptocurrencies, which comprised 1588 ETH, 94 WBTC, 4M DOLA, and 39.3 YFI.

Hack Txn: https://etherscan.io/address/0x8b4c1083cd6aef062298e1fa900df9832c8351b3

The Reason for the Hack:

The TWAP (Time Weighted Average Price) oracle for INV, utilized by Keep3r, was compromised through a strategic and capital-heavy manipulation of the INV/WETH (Wrapped Ethereum) price oracle on the Sushiswap platform.

This manipulation led to an abrupt increase in the price of INV, which in turn allowed the attacker to secure loans valued at $15.6 million in various cryptocurrencies, including DOLA, ETH (Ethereum), WBTC (Wrapped Bitcoin), and YFI.

The exploiter was initially funded with 901 ETH by Tornado Cash.


😈On April 2, 2022, the public chain Phantasma @PhantasmaChain was hacked using vulnerabilities in the protocol to mint a large number of KCAL and SOUL tokens on BNBChain.

By the time the attack was discovered, the exploiter had already bridged 500,000 SOUL and 20 million KCAL from the BNB Chain to Ethereum and later sold the SOUL. The total asset loss in the exploit was ~💰$438K.

Crypto hackers frequently use flash loan attacks to manipulate defi protocols.

April 8

😈On April 8, 2024, $UPS on BNB Chain lost ~$30K in an exploit. The exploit is currently under investigation, and the analysis report will be available once the investigations are completed.

Hack Txn: https://bscscan.com/tx/0xafea61edb932f816550ef7241e62355d4d50be1bdb7727d69a7a9fb4d510482e


Attack contract:

Target contract:
https://bscscan.com/address/0x3da4828640ad831f3301a4597821cc3461b06678 (UPS)

Post exploit, the attacker deposited 50 $BNB to Tornado Cash


April 9

😈On April 9, 2024, XBL token mining app @xblast_app on the Arbitrum chain suffered an exploit of ~23 $ETH (~$84.5K).

The exploiter compromised the project's main wallet and transferred XBL tokens from it to their own wallet.

How the exploiters carried out the hack is still not clear, but the hack is currently being investigated to answer these questions.

Meanwhile, @xblast_app has acknowledged the hack through a post on its X handle and assured its users that it will deploy a new XBL token to restore liquidity and will award fair compensation to the users affected by this hack.

April 10

😈On April 10, 2023, the defi platform Terraport Finance @Terraport on the #TerraClassic network was hacked, and all of its liquidity was drained.

In this staggering hacking incident, a substantial sum of nearly 💰$4 million worth of Terra Classic (LUNC), TerraClassicUSD (USTC), and TERRA was illicitly taken.

The analysis showed that the funds were drained in multiple transactions.

In the first transaction:

  • 9,148,426 TERRA (worth $1.8 million),
  • 15,100,861,997 LUNC tokens (worth $1.88 million)

and in the second transaction:

  • 576,736 TERRA (worth $115K)
  • 5,487,381 USTC (worth $117K)

were stolen in quick succession. The hacker later moved the stolen funds to KuCoin and MEXC exchanges, and the stolen funds could never be recovered.

Hack Txn: https://finder.terra.money/classic/tx/BEE71FBD0F343127D90D87FDFD1488354848C4D4AC4EEC59220A9D7833033408

The Hack Aftermath

The Terraport team officially acknowledged the hack on their Telegram channel and assured the community that it would survive the debacle.

Post hack, the Terraport smart contract was holding a mere 2.8 million LUNC worth $362.

Despite concerns raised by several community members about the security and stability of the project's codebase, it is believed that the code was never audited by a reputable smart contract audit firm.

An Interesting Coincidence

Just two days before the hack on April 8, 2023, Terraport revealed that it had burned 100 million LUNC tokens without providing transaction proof.

This move was frowned upon by the community members, who asked the project to share the transaction proof to make everything more transparent.

Due to this, speculations were rife that the project was actually being rug-pulled under the pretext of the hack.

April 11

😈On April 11, 2022, the CF (Creat Future) token suffered an exploit of ~$1.9M when a hacker exploited a vulnerability in its smart contract.

$CF was the native token of Creat Future, an early-stage defi project.

During the hack analysis, it was discovered that the contract's transfer function had an access control flaw: it was declared public instead of private.

On top of that, no validation checks were set up for the caller, allowing anyone to transfer tokens from any wallet at their will.
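The flaw described above, as an added illustration that is not the Creat Future contract (whose source is not reproduced on this page): a minimal token whose transfer accepts an arbitrary `from` and never consults `msg.sender`, beside a hardened version where funds can only be moved by the balance owner or by a spender that owner has explicitly approved. Contract and function names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Creat Future code. Demonstrates the missing
// caller check on a transfer function and the conventional fix.

contract VulnerableToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    // Flaw: anyone may name any `from`; msg.sender is never checked,
    // so the caller can move tokens out of wallets they do not own.
    function transfer(address from, address to, uint256 amount) public returns (bool) {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract HardenedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    // Only the caller's own balance can be moved.
    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Third-party transfers require a prior, explicit allowance from `from`,
    // which is decremented before the balance moves.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        allowance[from][msg.sender] = allowed - amount;
        _move(from, to, amount);
        return true;
    }

    // Shared bookkeeping; internal so it cannot be called from outside.
    function _move(address from, address to, uint256 amount) internal {
        require(to != address(0), "zero address");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}
```

The point to check when auditing a token is not the visibility keyword alone but whether every path that debits a balance ties `from` back to `msg.sender` or to an allowance that `from` granted; in the vulnerable contract no such tie exists, so any account can drain any other.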

The hacker knew about it and hence drained millions of $CF tokens from multiple wallets and swapped them for other cryptocurrencies in an attempt to hide the tracks of the stolen funds.

The hack caused the value of $CF to crash dramatically; the token lost 90% of its value almost instantly.

It was also rumored that the hack was actually a rug pull, and the vulnerabilities were intentionally kept to carry out the theft.

Rug pull or not, a detailed and serious audit by a team of credible smart contract auditors would have caught the vulnerability then and there.


April 15

😈On April 15, 2023, the cross-chain lending protocol @HundredFinance on the Optimism chain came under a flash loan attack and lost $7.4 million worth of crypto assets.

The hacker manipulated the exchange rate between the protocol's hWBTC token and WBTC by donating large amounts of WBTC to the empty hWBTC contract, which made it possible to drain the protocol.

The attack was further facilitated by the presence of a rounding error vulnerability in the redeeming function.


April 17

😈On April 17, 2022, the defi protocol Beanstalk Finance (@BeanstalkFarms) on the #ethereum chain was exploited for ~$181M in a flash loan attack that leveraged the lack of an execution delay to push through a malicious governance proposal.


The analysis showed that, a day before the hack, the hacker submitted two Beanstalk Improvement Proposals, BIP18 (to transfer all funds to the attacker) and BIP19 (to send $250k worth of $BEAN tokens to Ukraine's official crypto donation address), so that the 1-day delay period set for an emergency action on Beanstalk governance proposals had already elapsed.

How Could the Hacker Execute the Proposals?

Due to a flaw in the governance mechanism, which allowed users to obtain voting rights in proportion to the value of tokens that they held, the hacker managed to get two-thirds voting power by flash-loaning a staggering $1 billion from Aave, Uniswap, and SushiSwap.

After depositing the required liquidity pool tokens into the Beanstalk protocol, the hacker had the voting power needed to call the emergencyCommit function and execute the malicious BIPs, transferring the funds to their address.

How Could This Attack Have Been Prevented?

This could have been avoided if the smart contract developers and auditors were wary of the centralization risks and had taken precautionary measures to address them.

An extensive smart contract audit from a reliable and experienced smart contract audit firm would have discovered the vulnerability well before the project went live on mainnet.
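The two controls that the Beanstalk incident highlights, an execution delay that no path can skip and voting power read from a past block rather than the current one, as an added example that is not Beanstalk's governance code. It assumes a votes token exposing `getPastVotes` and `getPastTotalSupply` (the shape used by OpenZeppelin's ERC20Votes); the governor contract, its constants and the two-thirds quorum are assumptions chosen to mirror the figures in the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Beanstalk's code. Assumed interface: a checkpointed
// votes token in the style of OpenZeppelin's ERC20Votes.
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

contract TimelockedGovernor {
    struct Proposal {
        address target;
        bytes data;
        uint256 snapshotBlock;   // voting power is read at this past block
        uint256 readyAt;         // earliest timestamp at which execution is allowed
        uint256 forVotes;
        bool executed;
        mapping(address => bool) voted;
    }

    IVotes public immutable votes;
    uint256 public constant EXECUTION_DELAY = 1 days;
    uint256 public constant QUORUM_BPS = 6667;   // two-thirds of past total supply
    uint256 public proposalCount;
    mapping(uint256 => Proposal) internal proposals;

    constructor(IVotes _votes) { votes = _votes; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.target = target;
        p.data = data;
        // Snapshot at the previous block: tokens obtained with a flash loan in
        // the current block did not exist at block.number - 1 and count for nothing.
        p.snapshotBlock = block.number - 1;
        p.readyAt = block.timestamp + EXECUTION_DELAY;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "unknown proposal");
        require(!p.voted[msg.sender], "already voted");
        p.voted[msg.sender] = true;
        p.forVotes += votes.getPastVotes(msg.sender, p.snapshotBlock);
    }

    // Deliberately the only execution path: there is no "emergency" commit
    // that bypasses the delay.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "unknown proposal");
        require(!p.executed, "already executed");
        require(block.timestamp >= p.readyAt, "timelock active");
        uint256 supply = votes.getPastTotalSupply(p.snapshotBlock);
        require(p.forVotes * 10_000 >= supply * QUORUM_BPS, "quorum not met");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "proposal call failed");
    }
}
```

With both controls in place, a borrower who flash-loans a majority of the supply cannot convert it into votes for a proposal created in the same transaction, and even a proposal that does reach quorum sits for the full delay, which is the window in which the community can inspect what BIP18 and BIP19 actually did.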

April 19

😈On April 19, 2020, Lendf.Me, an #Ethereum-based defi platform, was exploited for ~$25 Million through a re-entrancy attack.


In the exploit, several cryptocurrencies were stolen, including WETH, WBTC, CHAI, HBTC, HUSD, BUSD, PAX, TUSD, USDC, USDT, USDx, and imBTC.

The exploit took advantage of a vulnerability in the smart contract that inflated the protocol's internal record of the attacker's imBTC collateral without any corresponding deposit.

Hack Txn: https://etherscan.io/tx/0xae7d664bdfcc54220df4f18d339005c6faf6e62c9ca79c56387bc0389274363b

To obfuscate the stolen funds, the hacker converted the stolen cryptocurrencies to ETH and other tokens using different DEX platforms such as 1inch.exchange, ParaSwap, and Tokenlon.

Mitigation Steps for Re-entrancy Attacks

  • Conduct thorough security audits and formal verification of smart contracts before deployment to identify and address potential re-entrancy vulnerabilities.
  • External audits by reputable smart contract security audit firms can provide valuable insights into potential vulnerabilities.
  • Minimize the number of external calls made within a contract, especially before state changes are finalized. This reduces the attack surface for re-entrancy vulnerabilities.
  • Implement the withdrawal (pull-payment) pattern, where recipients withdraw their own funds and the contract records the withdrawal before sending the funds out. This ensures that a re-entrant call cannot withdraw the same funds twice.
  • Follow the Checks-Effects-Interactions pattern, where checks are performed first, followed by state changes, and then interactions with external contracts or addresses. This sequence prevents re-entrancy attacks by ensuring that state changes are finalized before interacting with external contracts.
  • Employ mutexes or locks within smart contracts to prevent re-entrancy by ensuring that critical sections of code cannot be re-entered while they are still executing. This helps to serialize access to shared resources and prevent concurrent re-entrant calls. OpenZeppelin’s ReentrancyGuard is one such lock.
  • Be cautious about relying solely on gas limits to prevent re-entrancy attacks. Attackers may manipulate gas limits to prolong an attack’s execution. Instead, gas limits can be used as a supplementary measure along with other mitigation strategies.

April 23

😈On April 23, 2024, the cross-chain infrastructure Magpie Protocol @magpieprotocol was exploited for ~$129k, drained from 221 wallets.

After the exploit was detected, Magpie Protocol asked its users to revoke approvals for the MagpieRouterV2 contract on multiple chains.

Magpie contract addresses at risk of fund loss, for which users were advised to revoke permissions:

  • Ethereum 0xcf32c5bb41f7a302298a2d2072155800871baad3
  • Polygon 0xcf32c5bb41f7a302298a2d2072155800871baad3
  • BSC 0xcf32c5bb41f7a302298a2d2072155800871baad3
  • Avalanche 0x746b0ca3762e229d4dcbd22b4a10906aa788d396
  • Arbitrum 0xcf32c5bb41f7a302298a2d2072155800871baad3
  • Optimism 0xcf32c5bb41f7a302298a2d2072155800871baad3
  • Polygon zkEVM 0x59b37ed62599f3d2f9a593be0153ef08702cb370
  • Base 0x6a1431bb23e08e3209dae3130b441863855fc14b
  • zkSync 0x5fe556bcf5fc7db6e075ca6f4cd4f8bbee2a3e54
  • Blast 0x956df8424b556f0076e8abf5481605f5a791cc7f

Update on the Exploit

As per the latest update, the exploited MagpieRouterV2 contract has since been locked to contain the exploit, and revoking the approval to the contract is no longer necessary.

The hack is currently being investigated, and a compensation plan for the affected users is being worked out.
