
List of Crypto Hacks in the Month of May

by ImmuneBytes

May 5

😈On May 5, 2024, the decentralized computing platform @GnusAi was hacked for ~$1.27m when an attacker minted a fake GNUS token on the Fantom chain and sold it on the #ethereum chain.

The root cause of the hack is not clear, but it is speculated that the attacker obtained unauthorized access, copied the salt used to deploy the token manager on Ethereum, and redeployed it with that salt on Fantom.

Subsequently, the attacker minted around 500k GNUS tokens, which were later bridged (using Axelar Bridge) to the Ethereum and Polygon chains and sold for 407 ETH ($1.27M).

The Hack Aftermath

Team @GnusAi acknowledged the hack through their X handle and stated that they would take a snapshot of the block before the exploit took place and issue a new token shortly.

It also strongly advised its users not to purchase $GNUS tokens, as these could be counterfeit tokens created by hackers.

Attacker address: https://ftmscan.com/address/0x548c63a6a7299ab54762e1bfa6b56c1b94c2a820

Mint fake $GNUS Txn:

Bridging Minted Tokens to #Ethereum Txn:

Bridge Txn: https://etherscan.io/tx/0x28ae708cb7d05392fb260f465fd7170fe79a657328b775cca5c4ad76246d8672

May 8

😈On May 8, 2024, the $GPU token on the #BNB chain was exploited for ~$32K through a smart contract vulnerability. Reacting to the news of the exploit, the price of $GPU crashed by 100%.

The vulnerability is rooted in the _balances update logic of the token's transfer function, which allowed the attacker to manipulate the token transfer process. The write to _balances for the recipient could overwrite the write to _balances for the sender, and this flaw was exploited.

In practice this means that when transferring tokens to yourself, your balance increases by the transferred amount instead of staying the same.
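The self-transfer flaw described above, modelled as an added example (constructed Python ledger, not the GPU token's code) next to the corrected update and the supply-conservation check that would have caught it:

```python
def transfer_vulnerable(balances: dict, sender: str, recipient: str, amount: int) -> None:
    """Balance update modelled on the flaw described above (constructed, not the GPU code).

    Both balances are read into locals first; the recipient write happens last,
    so when sender == recipient it overwrites the debited value with the cached
    pre-transfer balance plus `amount`.
    """
    sender_balance = balances.get(sender, 0)
    recipient_balance = balances.get(recipient, 0)
    if sender_balance < amount:
        raise ValueError("insufficient balance")
    balances[sender] = sender_balance - amount
    balances[recipient] = recipient_balance + amount  # undoes the debit on a self-transfer


def transfer_fixed(balances: dict, sender: str, recipient: str, amount: int) -> None:
    """Corrected update: each write operates on the current stored value."""
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] = balances[sender] - amount
    balances[recipient] = balances.get(recipient, 0) + amount  # a self-transfer nets to zero


def self_transfer_gain(transfer, start: int = 1000, amount: int = 1000, rounds: int = 3) -> int:
    """Tokens created out of thin air after `rounds` self-transfers of `amount`."""
    balances = {"attacker": start}
    for _ in range(rounds):
        transfer(balances, "attacker", "attacker", amount)
    return balances["attacker"] - start


def supply_conserved(transfer) -> bool:
    """Invariant a reviewer or test suite should check: no sequence of
    transfers may change the sum of all balances."""
    balances = {"a": 500, "b": 500}
    before = sum(balances.values())
    transfer(balances, "a", "b", 100)
    transfer(balances, "b", "b", 200)  # the self-transfer case
    return sum(balances.values()) == before
```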

Exploit Txn: https://bscscan.com/tx/0x2c0ada695a507d7a03f4f308f545c7db4847b2b2c82de79e702d655d8c95dadb


Malicious contract:

Exploited contract:

May 10

😈On May 10, 2024, @GalaxyFoxToken on Ethereum mainnet was exploited for ~$330K.

It appears the exploiter was able to rake in profits by falsely claiming 1.33 GFOX tokens, worth 108 WETH, by exploiting a smart contract vulnerability. This led to a massive 77% drop in the token prices.

The attack included 2 transactions with the same target contract: 0x11a4a5733237082a6c08772927ce0a2b5f8a86b6

Attacker 1:

Attack contract 1:

Attack transaction 1, loss of 100 ETH (~$300K):

Attacker 2:

Attack contract 2:

Attack transaction 2, loss of ~27M $GFOX, swapped to 2.32ETH (~$7K):

May 14

😈The Bitcoin DeFi protocol @ALEXLabBTC lost ~$4.3m worth of assets in an exploit on May 14, 2024.

The cause of the exploit is speculated to be a private key compromise, as initial analysis shows that the deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b carried out four malicious upgrades to the proxy contract associated with @ALEXLabBTC.

The upgrades caused the address of the bridge endpoint contract to change to an unverified bytecode.

Attacker address:

The attacker involved in this exploit was also involved in the attack on another defi

Within an hour of the upgrade, the following withdrawals were made in these attack transactions:

  • https://bscscan.com/tx/0x94746d33792aeb27d2066b6d8f3c8a8c7410fe15c9500059f35e0b21c9bfb416
  • https://bscscan.com/tx/0x47e123af93add709bc2516f6a5db057dfbb1d66a75b693cd7980cd3eb28c7357

A total of $4.3 million worth of digital assets were transferred to:

  • https://bscscan.com/address/0xa747af2a527e72ce303353b458a1c51ebcd53188
  • https://bscscan.com/address/0x27055ae433e9dcb30f6ebcc1a374cf5cc03c484e

It is worth noting that these two addresses received their funding from Tornado Cash.

The Hack Aftermath

@ALEXLabBTC confirmed the hack through a post on their official X handle and communicated that a significant portion of stolen funds had been frozen with the close collaboration of crypto exchanges, partners, and contributors.

Team ALEX has also announced a 10% white hat bug bounty for the exploiter in return for the stolen funds by 18 May at 0800 UTC.

If the funds are not returned by the stated deadline, Team ALEX will go ahead with all possible legal remedies to find and punish the culprit responsible for the hack.

😈On May 14, 2024, the decentralized exchange @predyfinance on the ARB chain was attacked, resulting in the loss of $464K worth of crypto assets from its lending pool.

The attacker was funded by @FixedFloat 45 days ago.
Ref. https://arbiscan.io/address/0xe1783b01639818ec1069890eff251f26ea936653

The Hack Aftermath

Predy Finance acknowledged the hack through an official post on its X handle.

It stated that the hack is currently being investigated and advised its users (who have accessed the lending pool previously) to revoke access to the exploited contract to avoid loss of funds.

Predy Finance uses Permit2 approvals, so users never approve Predy's contracts directly.

The contracts for which approval should be revoked are:

  • 0x02C9Ad1Aa219BCF221C3f915c45595f1d24928a1
  • 0x92027Eb7caa12EC06f9Ba149c9521A1A48921514

Users can revoke approvals by visiting the following link: https://arbiscan.io/tokenapprovalchecker?search

Predy Finance has left an on-chain message for the exploiter urging them to return the stolen funds by May 17th at 0800 UTC in exchange for a 10% white hat bug bounty, failing which the strictest legal action will be initiated against the exploiter.

Ref: https://arbiscan.io/tx/0x3126bdf7adbd12a694f008001a0d7c9080cc7ab7ef12d436cf9104c9d595bc85

Movement of Stolen Funds

Post hack, around 100 $ETH worth $293K was bridged to #ETH and is currently parked at https://etherscan.io/address/0xeDe4E01347C012BD57302ea606095FB1eC5c848E

The remaining $217K in $WETH is held at the attacker's address on #ARB: https://arbiscan.io/address/0x76b02ab483482740248e2ab38b5a879a31c6d008

Technical Details

Attack transaction:


Attack contract:

Targeted contract:

😈Defi protocol @SonneFinance on the #Optimism chain came under a flash loan attack on May 14, 2024, and lost ~$20m worth of assets before being contained.

To contain the attack, it paused all of its markets on the Optimism chain. Team @SonneFinance has also stated that its markets on the Base chain are unaffected by this attack.

The soVELO, USDC, and WETH contracts were targeted in this attack.

Official Reason for the Exploit

Sonne Finance has released a post-mortem report for the hack, in which they state that the attack method was a donation attack, a known class of attack against Compound v2 forks.

It was also made known that the exploiter could have stolen an additional ~$6.5M worth of assets if timely preventive measures had not been taken.
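The mechanism behind a donation attack on a Compound v2-style market, as an added example (a constructed model, not Sonne Finance's code): it assumes a 1:1 initial exchange rate and no interest, borrows or reserves, and shows why a freshly listed market with a tiny cToken supply lets a donation push the exchange rate high enough that a later depositor's mint rounds down to zero, and why seeding and locking liquidity at listing bounds the loss.

```python
MANTISSA = 10**18


class CTokenMarket:
    """Stripped-down Compound v2-style market (constructed model, not Sonne's code):
    no interest, borrows or reserves, so exchangeRate = cash / totalSupply."""

    def __init__(self, initial_rate: int = MANTISSA):  # assumption: 1 cToken = 1 underlying at launch
        self.cash = 0
        self.total_supply = 0
        self.balances: dict[str, int] = {}
        self.initial_rate = initial_rate

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, who: str, amount: int) -> int:
        tokens = amount * MANTISSA // self.exchange_rate()  # integer division rounds down
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who: str, tokens: int) -> int:
        amount = tokens * self.exchange_rate() // MANTISSA
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def donate(self, amount: int) -> None:
        """Underlying sent straight to the contract: cash rises, no cTokens are minted."""
        self.cash += amount


def victim_loss(seed: int, donation: int = 10**18, deposit: int = 10**18) -> int:
    """Underlying a later depositor loses to rounding after a donation on a
    market holding `seed` protocol-owned liquidity (0 = freshly listed market)."""
    market = CTokenMarket()
    if seed:
        market.mint("protocol", seed)  # mitigation: seed and lock liquidity at listing
    market.mint("attacker", 1)         # tiny supply makes the rate trivially movable
    market.donate(donation)
    received = market.mint("victim", deposit)
    return deposit - market.redeem("victim", received)
```

With no seed the victim's whole deposit is lost to rounding; with 1e18 of seeded liquidity the same donation costs the victim at most a couple of wei.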

Team Sonne Finance is willing to negotiate a white hat bug bounty with the attacker in return for the stolen funds.

What Happened to the Stolen Funds?

At the time of writing this, the stolen funds have been parked at the following addresses:

  • 0x02FA2625825917E9b1F8346a465dE1bBC150C5B9
  • 0x5D0D99e9886581ff8fCB01F35804317f5eD80BBb
  • 0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43
  • 0x6277ca71ffca08e691a6dd3ab05b98c0a8994c07

Other Addresses Involved

  • 0x4ab93fc50b82d4dc457db85888dfdae28d29b98d
  • 0xbd18100a168321701955e348f03d0df4f517c13b
  • 0x7e97b74252b6df53caf386fb4c54d4fb59cb6928
  • 0x9f09ec563222fe52712dc413d0b7b66cb5c7c795
  • 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb
  • 0x6277ab36a67cfb5535b02ee95c835a5eec554c07

Technical Details:

Hack Txn: https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0


Attack contract:

Targeted contracts:

  • soVELO: https://optimistic.etherscan.io/address/0xe3b81318b1b6776f0877c3770afddff97b9f5fe5
  • SoUSDC: https://optimistic.etherscan.io/address/0xec8fea79026ffed168ccf5c627c7f486d77b765f
  • soWETH: https://optimistic.etherscan.io/address/0xf7b5965f5c117eb1b5450187c9dcfccc3c317e8e

😈On May 14, 2021, SX vault (http://vaults.sx) contract on the EOS mainnet was exploited through a re-entrancy attack and lost ~$13.5M in this security incident.

What is a re-entrancy attack in crypto? Read here: https://immunebytes.com/blog/reentrancy-attack/

In the heist, a total of 1,180,142.5653 EOS (~13M USD) and 461,796.8968 USDT were stolen. This was the biggest hack on the EOS mainnet at that time.

Exploited Contract

The exploiter carried out the attack by exploiting a vulnerability in the smart contract that a detailed and careful analysis before its deployment on the mainnet could have identified.

May 17

😈On May 17, 2024, the crypto coin launching platform @pumpdotfun was exploited for ~$1.9M when a former employee misused their security privileges (private key compromise) and stole away ~12.3K SOL.

The Hack Flow

To misappropriate funds, the rogue employee used flash loans on a Solana lending protocol to borrow SOL, then bought various coins to inflate their bonding curves to 100%.

After reaching the 100% mark, the exploiter withdrew the bonding curve liquidity and repaid the flash loans taken earlier.

The Attacker

An account on X, with the handle @STACCoverflow, claimed responsibility for the attack immediately after the exploit.

He posted that he had intended to redistribute the “remaining balances of bonding curves” to certain token users rather than keeping the stolen funds.

The account allegedly belongs to a doxxed developer previously employed at Pump.Fun.

The attacker has already conducted random airdrops of $SOL, and multiple addresses have received the windfall of $SOL.

The Hack Aftermath

To contain the hack and prevent further fund loss, trading was halted on http://pump.fun at 17:00 UTC, and @pumpdotfun upgraded the contracts so that the attacker could not continue with the exploit.

Post-hack analysis revealed that a total of $45m of liquidity in the bonding curve contracts was at risk, but the exploiter could get hold of only ~$1.9m.

The Pump.Fun team has now successfully redeployed the contracts, and trading has also been unpaused.

The Mitigation

To tackle the FUD surrounding the platform, Pump.Fun has decided to offer 0% trading fees for the next 7 days.

The coins that were exploited (and reached the 100% mark on their bonding curves) between 15:21 and 17:00 UTC (the duration of the exploit) are currently untradable until LPs are deployed for them on Raydium.

The Pump.Fun team stated that within the next 24 hours the LPs for all such affected coins would be seeded with an amount of SOL liquidity equal to or greater than what the coin had at 15:21 UTC.

Team Pump.Fun is committed to avoiding a repeat of such security incidents, and therefore, it is collaborating with blockchain security firms to put a security mechanism in place that would minimize the risks of similar exploits in the future.

May 20

😈In yet another setback for the Web3 space, on May 20, 2024, Gala Games @GoGalaGames was exploited for a staggering ~$212M.

The hack resulted from a private key (with administrator privileges) compromise.

Using this unauthorized access, the attacker minted ~5B $GALA tokens worth ~$212M at the time of the hack.

💡How to Tackle Threats of Compromised Private Keys?

According to the latest update, the attacker has already swapped 599 million $GALA for ~5.9K $ETH (worth ~$21.8m) via the decentralized exchange Uniswap.

It was found that a total of ~12B $GALA tokens were exposed to the exploit, but due to swift containment of the hack by blocking the malicious unauthorized access, the hacker managed to mint only ~5B tokens.

The price of $GALA took a hit of 20% before making a marginal recovery.

The Official Version

In a tweet two hours after the hack, the CEO of Gala Games (@Benefactor0101) acknowledged the hack and confirmed that it was contained within 45 minutes of its discovery.

He also stated that it was an isolated security incident, and the unauthorized access that was used to execute the hack has been removed. He also stated that Gala Games’ ETH smart contract is unaffected by the hack and is being secured using a multi-sig wallet.

Team Gala Games is in touch with law enforcement agencies (FBI, DOJ) to identify the culprit and recover the stolen funds.

It is Not the First Time for GALA Games

In November 2021, GALA Games lost around $130 million (~8.65 billion GALA tokens) in a security incident. This theft was also deemed an inside job, involving Wright Thurston, one of the founders of GALA Games.

In 2023, the SEC charged him in a case involving the alleged selling of $18 million worth of unregistered securities in the form of a cryptocurrency (called GREEN) related to a public global decentralized power grid.

In another exploit in November 2023, GALA Games experienced a $1B exploit, but fortunately, it was a white-hat hack and didn’t eventually result in the loss of funds.

Technical Details


Targeted contract:

Hack Txn: https://etherscan.io/tx/0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe

May 22

😈$YON on BNB Chain was exploited on May 22, 2024, and lost 190 $BNB worth ~$118K as a result. The reason for the exploit was found to be an access control vulnerability.

The Vulnerability

The vulnerability in the transferFrom function of the target contract (YON) allowed the attacking contract to directly transfer $YON to the LP contract.

👀Must Read

👉What are Access Control Vulnerabilities in Smart Contracts?

👉List of Access Control Vulnerability Hacks

May 24

😈On May 24, 2021, Autoshark Finance was exploited in a flash loan attack to steal a massive 💰$745k.

The attack on Autoshark was not an isolated incident. It was preceded by a similar hack on PancakeBunny, executed on May 19, 2021, at 10:34:28 PM UTC, using the same modus operandi.

The Hack Flow & Vulnerability

The primary reason for the exploit was a flaw in the incentive reward mechanism set in the SharkMinter contract.

The exploiter made a small deposit to the SHARK-BNB Vault and took a 100K BNB flash loan from PancakeSwap.

Out of the 100K BNB, the attacker swapped 50K BNB for SHARK tokens.

The remaining 50K BNB and swapped SHARK tokens were later sent to the SharkMinter contract by the hacker.

This huge amount of tokens sent to the contract misled the system into treating the inflow as profit, so it proceeded to generate rewards as per the defined business logic.

By calling the getReward function, the hacker manipulated the system to mint 100M SHARK as a reward, in addition to 15M for the dev and 20M for the referrer.

The hacker sold these collectively minted 135K SHARK tokens for 102K WBNB, thus making a profit of 2.2K WBNB.
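The reward-minting flaw in the flow above, as an added example (a constructed toy vault and minter, not Autoshark's SharkMinter; the loan size, profit and reward ratio are made-up numbers): a minter that measures "profit" from the tokens sitting in the contract treats flash-loaned tokens transferred in as profit, while one that only counts yield booked by its own harvest path does not.

```python
class RewardMinter:
    """Toy vault-plus-minter (constructed; not Autoshark's SharkMinter). The
    vulnerable mode measures 'profit' as live token balance minus tracked
    principal, so any token simply transferred in counts as profit."""

    def __init__(self, vulnerable: bool, reward_per_unit: int = 2):
        self.vulnerable = vulnerable
        self.reward_per_unit = reward_per_unit  # constructed ratio: reward tokens per unit of profit
        self.principal = 0   # deposits the vault accounts for
        self.balance = 0     # tokens actually sitting in the contract
        self.harvested = 0   # profit booked by the strategy's own harvest path

    def deposit(self, amount: int) -> None:
        self.principal += amount
        self.balance += amount

    def receive_raw(self, amount: int) -> None:
        """Plain token transfer into the contract, bypassing deposit accounting."""
        self.balance += amount

    def harvest(self, profit: int) -> None:
        """Genuine yield realised by the strategy."""
        self.balance += profit
        self.harvested += profit

    def get_reward(self) -> int:
        if self.vulnerable:
            profit = self.balance - self.principal  # transferred-in tokens inflate this
        else:
            profit = self.harvested                 # only booked yield counts
        self.harvested = 0
        return profit * self.reward_per_unit


def reward_after_flash_deposit(vulnerable: bool, loan: int = 100_000, real_profit: int = 10) -> int:
    """Reward minted when `loan` borrowed tokens are pushed into the contract
    right before getReward(); the loan itself is repaid afterwards."""
    minter = RewardMinter(vulnerable)
    minter.deposit(1)              # small legitimate deposit
    minter.harvest(real_profit)    # the only real profit
    minter.receive_raw(loan)       # flash-loaned tokens transferred in
    reward = minter.get_reward()
    minter.balance -= loan         # loan repaid; the minted reward remains
    return reward
```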

Exploit Txn:

