@cassc
Created October 6, 2023 04:14
rekt.news bugs summary by chatgpt3.5

11-rekt

  • Contract names: Eleven.finance, Nerve Finance, NRV vault, Eleven "MasterMind" farming contract
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    1. Vulnerable function (emergencyBurn()) in the intermediate vault contract
    2. Flashloan exploit
    3. Logic issue
    4. Unauthorized withdrawal

8ight-finance-rekt

  • Contract names: Olympus, 8ight Finance
  • Transaction hashes (truncated in the article; these are transactions, not contract addresses):
    • First transaction: 0x62f7...
    • Second transaction: 0x06f43...
    • Third transaction: 0x0e351...
    • Transfer from xxca1d account to cc541: 0x3880f...
  • Bug types mentioned in the article:
    • Compromised keys
    • Poor OPSEC
    • Lack of multi-sig implementation
    • Developer accused of pocketing funds
    • Potential planned event by developers
    • Blatant disregard for cyber security

a-piece-of-art

  • Contract names: Feisty Doge, NFD (NFD tokens), EtherRock (PEBBLES)
  • Contract hex addresses: 0xdfdb7f72c1f195c5951a234e8db9806eb0635346 (Feisty Doge), unknown (NFD tokens), unknown (PEBBLES)
  • Bug types mentioned in the article:
    • Scam
    • Transparency issues
    • Quick cash grabs.

acala-network-rekt

  • Protocols and networks mentioned (no contract hex addresses given in the article):
    • iBTC/aUSD liquidity pool
    • aUSD
    • ACA
    • INTR
    • Moonbeam
    • Polkadot
    • Interlay
  • Bug types mentioned in the article:
    • Misconfiguration of the iBTC/aUSD liquidity pool
    • Error mints of a significant amount of aUSD
    • Exploitation of the situation by sending aUSD to Moonbeam, swapping for DOT and sending it to Polkadot, and swapping for iBTC and sending it to Interlay
    • Drainage of the iBTC pool
    • Transfer of "good value" off-chain
    • Wrongly minted aUSD leaving the chain
    • Disabling of stolen funds by Acala and Polkadot

agave-hundred-rekt

  • Contract names and contract hex addresses:
    • Agave DAO:
      • Contract name: AgaveLending
      • Contract hex address: 0xa262141abcf7c127b88b4042aee8bf601f4f3372
    • Hundred Finance:
      • Contract name: HundredV1
      • Hex identifier given in the article: 0x534b84f657883ddc1b66a314e8b392feb35024afdec61dfe8e7c510cfac1a098 (64 hex digits, so this is a 32-byte transaction hash rather than a 20-byte contract address)
  • Bug types mentioned in the article:
    • Reentrancy vulnerability
    • Flash loan attack
    • Nested borrow functions
    • Borrowing assets worth more than collateral supplied
    • Hidden dangers in Gnosis (xDai) design
    • Failure to consider idiosyncrasies of new environment
    • Lack of strict vetting for tokens whose transfer hooks hand control to the recipient (the reentrancy entry point)
    • Failure to follow "checks-effects-interactions pattern"
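
The nested-borrow reentrancy and the checks-effects-interactions fix, as an added worked example. This is a Python model written for this page, not code from the rekt.news article or from Agave or Hundred Finance; the token hook, the pool, the attacker and the 50% loan-to-value ratio are invented to illustrate the pattern.

```python
"""Reentrancy through a token transfer hook, and the checks-effects-interactions
(CEI) fix, modelled in plain Python.

Added example, not code from the rekt.news article or from Agave / Hundred
Finance.  A lending pool pays out borrowed tokens *before* recording the debt,
and the token's transfer() calls back into the recipient (an ERC-677-style
onTokenTransfer hook).  The attacker re-enters borrow() from inside that hook
and borrows against the same collateral again and again.  All names and
numbers (HookToken, LendingPool, the 50% loan-to-value) are invented.
"""


class ReentrancyError(Exception):
    pass


class HookToken:
    """Token whose transfer() notifies the recipient, ERC-677 / ERC-777 style."""

    def __init__(self):
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        hook = getattr(to, "on_token_transfer", None)
        if hook is not None:  # control passes to the recipient here
            hook(sender, amount)


class LendingPool:
    """Lends `token` against collateral at a fixed 50% loan-to-value.

    cei=True   records the debt before the external call (effect, then interaction)
    guard=True rejects nested calls with a reentrancy lock
    Both False reproduces the vulnerable ordering.
    """

    LTV_PERCENT = 50

    def __init__(self, token, cei=False, guard=False):
        self.token, self.cei, self.guard = token, cei, guard
        self.collateral, self.debt = {}, {}
        self._entered = False

    def deposit_collateral(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrowing_power(self, user):
        limit = self.collateral.get(user, 0) * self.LTV_PERCENT // 100
        return limit - self.debt.get(user, 0)

    def borrow(self, user, amount):
        if self.guard and self._entered:
            raise ReentrancyError("reentrant call into borrow()")
        self._entered = True
        try:
            if amount > self.borrowing_power(user):  # check
                raise ValueError("exceeds borrowing power")
            if self.cei:
                self.debt[user] = self.debt.get(user, 0) + amount  # effect
                self.token.transfer(self, user, amount)  # interaction
            else:
                self.token.transfer(self, user, amount)  # interaction first...
                self.debt[user] = self.debt.get(user, 0) + amount  # ...effect too late
        finally:
            self._entered = False


class Attacker:
    """Deposits collateral once, then re-enters borrow() from the token hook."""

    def __init__(self, pool, token, nested_calls):
        self.pool, self.token, self.remaining = pool, token, nested_calls

    def on_token_transfer(self, sender, amount):
        if sender is self.pool and self.remaining > 0:
            self.remaining -= 1
            self.pool.borrow(self, amount)  # outer call's debt is not recorded yet

    def run(self, collateral):
        self.pool.deposit_collateral(self, collateral)
        self.pool.borrow(self, collateral * LendingPool.LTV_PERCENT // 100)


def run_scenario(cei, guard, collateral=100, nested_calls=4):
    """Drive one attack; report what the attacker got, the debt booked, any error."""
    token = HookToken()
    pool = LendingPool(token, cei=cei, guard=guard)
    token.mint(pool, 1_000)
    attacker = Attacker(pool, token, nested_calls)
    error = None
    try:
        attacker.run(collateral)
    except (ReentrancyError, ValueError) as exc:
        error = type(exc).__name__
    return {
        "attacker_tokens": token.balances.get(attacker, 0),
        "debt_booked": pool.debt.get(attacker, 0),
        "error": error,
    }
```

run_scenario(False, False) books 250 of debt against 100 of collateral, five times the legitimate 50. run_scenario(True, False) makes the nested call fail the borrowing-power check because the debt is already recorded, and run_scenario(False, True) stops it at the lock. On the EVM the revert would also undo the outer call; this model only shows where each defence intervenes.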

airdrop-hunters

  • Contract names:
    • ParaSwap
    • ENS (Ethereum Name Service)
  • Contract hex addresses:
    • ParaSwap: N/A
    • ENS: 0xed5728d76b6db03c9f792b8f30ac32951524935e
  • Bug types mentioned in the article:
    • Distributing too many tokens
    • Distributing insufficient tokens
    • Exclusion of genuine users due to strict criteria
    • Sybil attacks (creating multiple accounts to game the system)
    • Blacklisting accounts involved in airdrop farming

airdrop-hunters2

Contract names and hex addresses: none mentioned in the article

Bug types mentioned in the article:

  • Airdrops with no real product
  • Scams and malicious contracts
  • Manipulation and false verification on DEXTools
  • Unauthorized fees on transfers
  • Cash-out of donation address
  • Bots taking advantage of vulnerabilities
  • Excessive gas fees and additional transactions
  • Negative community reception and backlash

airdrop-siren

  • Contract names and contract hex addresses:
    • ETH donation wallet address: 0x165CD37b4C644C2921454429E7F9358d18A45e14
    • BTC donation wallet address: 357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P
  • Bug types mentioned in the article:
    • Airdrop exploitation
    • Sybil attack
  • Other information mentioned in the article (not bug types):
    • Spike in donations
    • Amount of wealth received by Ukraine through cryptocurrency donations
    • Use of web 3 enabled war bonds
    • Total amount of crypto raised for Ukraine
    • Cashing out of funds through Kuna.io
    • Motives of post-announcement donors
    • Importance of data placement choice in the context of elections.

akropolis-rekt

Contract names and hex addresses:

  • Akropolis protocol: 0x2eca72c64a8bdb2cb0a72f826cd69f022dec5d13
  • Attacker's contract: 0xe2307837524db8961c4541f943598654240bd62f

Bug types mentioned in the article:

  • Reentrancy attack
  • Flash loan exploit

alchemix-rekt

  • Contract names:
    • Alchemix
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    • Protocol assigning no debt
    • Exploitation by users
    • Reverse-rugpull
    • Undercollateralization
    • Debt repayment
    • Bug causing repayment of all debt
    • Voluntary return of withdrawn funds
    • Missing funds affecting future development of the protocol

alpha-finance-rekt

  • Contract names:
    • HomoraBankv2 contract
    • Evil spell contract
    • Uniswap pool contract
    • Cream's Iron Bank contract
    • WERC20 contract
    • sUSD bank contract
    • Aave flashloan

Bug types mentioned in the article:

  • Manipulation of internal debt numbers
  • Rounding miscalculation in borrowing function
  • resolveReserve function can increase totalDebt without increasing totalDebtShare
  • Insider information required for the attack

alphapo-rekt

  • Contract names: AlphaPo
  • Contract hex addresses:
    • ETH: 0x6dfc34609a05bc22319fa4cce1d1e2929548c0d7
    • ETH: 0x040a96659fd7118259ebcd547771f6ecb9580d17
    • ETH: 0x6d2e8a20b8afa88d92406d315b67822c01e53c38
    • ETH: 0xde374094C837D192B61972172740BDAfc4eE16E0
    • TRON: TKSitnfTLVMRbJsF1i2UH5hNUeHLDrXDiY
    • TRON: TDoNAZHa7WxarUAFbQUhiijTGtd7EpbzRh
    • TRON: TJF7mdFxDuHB4tb9hoyR4SCpKxk7gr23ym
  • Bug types mentioned in the article:
    • Centralized exchange (CEX) spearphishing
    • Phishing techniques (used by Lazarus)
    • Compromised hot wallets
    • State-sponsored cybercriminals (Lazarus)
    • Hack/attack (by Lazarus)

ankr-helio-rekt

  • Contract names: aBNBc, HAY
  • Contract hex addresses:
    • aBNBc: 0xf3a465c9fa6663ff50794c698f600faa4b05c777
    • Ankr deployer: 0x2ffc59d32a524611bb891cab759112a51f9e33c0
    • Exploiter's address: 0xf3a465c9fa6663ff50794c698f600faa4b05c777 (identical to the aBNBc address above; one of the two is a copy error in this summary, so verify both against the article before use)
  • Bug types mentioned in the article:
    • Private key compromise
    • Phishing campaign
    • Malicious token contract
    • Caller verification bypass
    • Token minting
    • Lack of on-chain liquidity
    • Copycat attacks
    • Price manipulation
    • Smart contract privilege vulnerabilities
    • Developer private key hack
    • Malicious smart contract update
    • Frozen assets on centralized exchange

anniversary-auction

Bug types mentioned in the article:

  • The largest exploit ever
  • Hack
  • BSC bloodbath
  • Exploit
  • Hackers
  • Bug
  • Rug pull
  • Court cases
  • Copying private company stocks
  • Volatility
  • Mirrored financial market
  • Governance protocol wars
  • Battle for power
  • Manipulation
  • Global turmoil
  • Printing machines control
  • Tokenization
  • Redundancy of the greedy middleman
  • Implementation of technology
  • Radical transition
  • Different limitations
  • Suffering
  • Non-sovereign individuals
  • Power struggle
  • Radical transformation
  • Regulatory approaches
  • Remote work challenges

anyswap-rekt

  • Contract names and addresses:
    • AnySwap v3 prototype: N/A (not mentioned)
    • V1 Router: N/A (not mentioned)
    • V2 Router: N/A (not mentioned)
  • Bug types mentioned in the article:
    • Exploit in the AnySwap v3 prototype
    • Repeated k value in the V3 Router's transactions
    • Back-calculation of private key
    • Described in the article as a potential security flaw in the ECDSA algorithm; the underlying cause is nonce (k) reuse in the signer, which lets anyone holding two such signatures solve for the private key
    • Failure of the patch to adequately prevent future attacks

ape-tax-vid

  • Contract names: Ape Season, Ape Tax
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    • Mispricing bug
    • Contract reentrancy bug
    • Flash loan exploit
    • Honeypot scam
    • Front-running attack
    • Token minting vulnerability
    • Liquidity pool exploit
    • Oracle manipulation

ape-tax

  • Contract names and hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    • Reckless gambling
    • Over-leveraged trading
    • Impatient yield farming
    • Unrealistic expectations
    • Greed
    • Lack of strategy or security
    • High-risk behaviors
    • Risk aversion in some areas but risk-taking in others
    • Digital darwinism
    • Dumping tokens
    • "Greater fool" theory
    • Addiction to trying to win back money
    • Scams and reputation damage
    • Bagholding
    • Ape-like behavior and blindly following others

arbix-rekt

  • Contract names: Arbix Finance
  • Contract hex addresses:
    • BSC wallet: 0x4714a26e4e2e1334c80575332ec9eb043b61a2c4
    • Ethereum: 0x4714a26e4e2e1334c80575332ec9eb043b61a2c4
  • Bug types mentioned in the article:
    • Rug pulls
    • Theft of user funds
    • Deletion of website, Twitter, and Telegram accounts
    • Draining of vault funds
    • Minting and dumping of tokens
    • Conversion of funds to ETH and transfer to another address

arkham-asylum

  • Contract names: Arkham Intelligence's address-doxxing market
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    • Unencrypted reflinks inadvertently leaking email addresses
    • Lack of concern and action from Arkham Intelligence regarding leaked information
    • Potential manipulation of the market due to Arkham's role as the central arbiter
    • Financial incentives for snooping on regular users
    • Lack of transparency and labeling of Arkham-related accounts
    • Potential security implications and cross-referencing of data
    • Pseudonymity of blockchains as a bug, not a feature, for onboarding new users
    • Difficulty in convincing mainstream CEX users to join on-chain DeFi platforms with OPSEC concerns.

armor-rekt

  • Contract names: Nexus Mutual, Armor
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    1. Refusal to pay policyholders
    2. Centralised corruption
    3. Personal greed interfering with insurance policy
    4. Constant contradiction by team members
    5. Ambiguous statements in official documentation
    6. Stolen insurance NFT
    7. Secretly upgrading staking contract
    8. Misrepresentation of benefits and rules
    9. Changing rules without consent
    10. Failure to fulfill agreements
    11. Technical documentation not reflecting the product
    12. Unreliable and false statements
    13. Invalidation of statements
    14. Lack of trustworthiness in organization practices.

ascendex-rekt

  • BitMart lost ~$196M
  • AscendEX lost $77.7M
  • Compromised hot wallet
  • Claims of "compromised keys"
  • AscendEX Twitter intern deleting tweets
  • Funds drained from the hot wallet
  • Currently investigating the wallet compromise
  • Peckshield estimates losses at $60M on Ethereum, $9.2M on BSC, and $8.5M on Polygon
  • Stolen funds located in hacker's addresses on Ethereum, BSC, and Polygon
  • Bemil Coin dumped over 98% in price since the incident
  • Full reimbursement promised to affected users
  • Withdrawals suspended
  • AscendEX detailing next steps, including refunds and prioritizing users
  • Ascendex lost more than their entire series B raise
  • Tweet from AscendEX suggesting their platform is safe
  • Tweet from AscendEX about long-term support despite the loss
  • Quote from Zack Voell questioning the mainstream's readiness for private keys.

atlantis-loans-rekt

  • Atlantis Loans
  • Atlantis Loans' token contracts
  • Attacker's address: 0xEADe071FF23bceF312deC938eCE29f7da62CF45b
  • Tornado Cash
  • Beanstalk
  • Swerve
  • Flash loan-enabled governance attack
  • Lack of execution delay on proposals
  • Governance process vulnerability

atomic-wallet-rekt

  • Atomic Wallet contract names: Not mentioned in the article
  • Atomic Wallet contract hex addresses: Not mentioned in the article

Bug types mentioned in the article:

  • Vulnerabilities in the product
  • BGP hijacking
  • Leak of logged sensitive data

au-dodo-rekt

  • DODO V2 Crowdpools: WSZO, WCRES, ETHA, FUSI pools
  • DODO V2 Crowdpooling smart contract
  • init() function bug
  • fake token attack
  • sync() function
  • reserve variable
  • flash loan check
  • Individual A
  • Individual B
  • frontrunning bot
  • CHI gastoken
  • high gas prices
  • ETHA-USDT exploit
  • WSZO-USDT exploit
  • vETH-WETH exploit

audius-rekt

  • AudiusAdminUpgradabilityProxy
  • Governance contract
  • DelegateManagerV2 contracts
  • Initializable contract
  • Storage collisions

Bug types mentioned in the article:

  • Unauthorized transfer
  • Reinitializing governance contracts
  • Bypassing safeguards
  • Collision with OpenZeppelin's Initializable contract
  • Taking control of governance contract
  • Changing parameters on Audius' contracts
  • Erroneous delegation
  • Transferring tokens from the community treasury
  • Dumping tokens via Uniswap v2
  • Major slippage
  • Depositing funds into Tornado Cash
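
A storage-layout collision check in the spirit of the Initializable collision listed above, as an added example that is not the article's or Audius's code. The two layouts are constructed in the shape of solc --storage-layout output and are not Audius's actual layout; the EIP-1967 slot constants are the standard ones. The model treats any nonzero byte read into a bool as true; the exact cleanup a given compiler version applies to an out-of-range bool varies.

```python
"""Storage-slot collision check between a proxy and its implementation.

Added example; not code from the article or from Audius.  The layouts are
constructed in the shape of `solc --storage-layout` output and are
illustrative only, not Audius's real layout.  They show the generic pattern:
a proxy that keeps its own variables in the low slots shares slot 0 with the
implementation's OpenZeppelin-style Initializable booleans, so what the
implementation reads as `initialized` / `initializing` is really a byte of
the proxy's admin address.  EIP-1967 slot constants are the standard ones.
"""

# Constructed layouts: (label, slot, byte offset within the slot, size in bytes)
PROXY_LAYOUT = [
    {"label": "proxyAdmin", "slot": 0, "offset": 0, "size": 20},
    {"label": "implementation", "slot": 1, "offset": 0, "size": 20},
]
IMPL_LAYOUT = [
    {"label": "initialized", "slot": 0, "offset": 0, "size": 1},   # bool
    {"label": "initializing", "slot": 0, "offset": 1, "size": 1},  # bool
    {"label": "governanceAddress", "slot": 1, "offset": 0, "size": 20},
    {"label": "votingPeriod", "slot": 2, "offset": 0, "size": 32},
]

# EIP-1967: keccak256("eip1967.proxy.<name>") - 1.  Compiler-assigned slots
# start at 0 and count upward, so they cannot reach these.
EIP1967_ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
EIP1967_IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
SAFE_PROXY_LAYOUT = [
    {"label": "proxyAdmin", "slot": EIP1967_ADMIN_SLOT, "offset": 0, "size": 20},
    {"label": "implementation", "slot": EIP1967_IMPL_SLOT, "offset": 0, "size": 20},
]


def byte_ranges(layout):
    """Absolute byte interval [start, end) each variable occupies in storage."""
    out = []
    for var in layout:
        start = var["slot"] * 32 + var["offset"]
        out.append((var["label"], start, start + var["size"]))
    return out


def find_collisions(proxy_layout, impl_layout):
    """(proxy variable, implementation variable) pairs sharing storage bytes."""
    hits = []
    for p_label, p_start, p_end in byte_ranges(proxy_layout):
        for i_label, i_start, i_end in byte_ranges(impl_layout):
            if p_start < i_end and i_start < p_end:
                hits.append((p_label, i_label))
    return hits


def read_packed(word, offset, size):
    """Read `size` bytes at byte `offset` of a 32-byte storage word.

    Solidity packs the first variable of a slot into the lowest-order bytes,
    so offset 0 is the least significant byte of the word."""
    return (word >> (8 * offset)) & ((1 << (8 * size)) - 1)


# Constructed admin address.  Its two low bytes (0x00 and 0x11) are what the
# implementation sees as `initialized` (offset 0) and `initializing` (offset 1).
CONSTRUCTED_ADMIN = 0xAB00_0000_0000_0000_0000_0000_0000_0000_0000_1100


def initializable_view(admin_address):
    """What an Initializable implementation reads when slot 0 holds the admin.

    A nonzero byte is taken as true here; compilers differ in how they clean
    up a bool that is not exactly 0 or 1."""
    return {
        "initialized": bool(read_packed(admin_address, 0, 1)),
        "initializing": bool(read_packed(admin_address, 1, 1)),
    }
```

With the constructed admin address, initialized reads false and initializing reads true, so an `initializer`-guarded function would accept a second call. The same check against SAFE_PROXY_LAYOUT reports nothing: moving proxy state to EIP-1967 slots is the fix, and running find_collisions over the real solc layouts of proxy and implementation before every upgrade is the control.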

autoshark-rekt

  • Contract names: Autoshark, PancakeBunny
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    1. Flash loan exploit
    2. Manipulation of SHARK token and BNB balance in the minter contract
    3. Minting and dumping of SHARK tokens
    4. Poorly copied code

avi-arrested

  • The contract name: Mango Markets
  • The contract hex address: Not mentioned in the article
  • Bug types mentioned in the article:
    1. Market manipulation scheme
    2. Exploit of Mango Markets
    3. Commodities fraud
    4. Commodities manipulation
    5. Price manipulation in DeFi
    6. Manipulation and other market conduct no-nos
    7. Consequences for the future of the industry
    8. Legal risks in an unregulated and experimental sector
    9. Nine figure exploit

badger-rekt

  • Contract names and hex addresses:
    • Badger DAO: 0x3472a5a71965499acd81997a54bba8d852c6e53d
  • Bug types mentioned in the article:
    • Front-end attack (malicious approval requests served through the web app)
    • Infinite approval
    • Additional approvals
    • Smart contract pause
    • Cloudflare account compromise
    • Security vulnerability
    • User approval
    • Unusual feature

badgers-digg-sushi

  • Contract names and hex addresses: none mentioned in the article
  • Bug types mentioned in the article:
    • Exploit
    • Loophole
    • Moment of forgetfulness
    • Lack of bridge setup
    • High slippage
    • Small amount of liquidity
    • Loss of earnings
    • Non-automated fix
    • Human error
    • Lack of automation
    • Constant watch by hackers and arbitrageurs
    • Potential pocket-picking or disruption of protocols
    • Amateur analysis

balancer-rekt

Contract names and hex addresses:

  • Exploiter addresses:
    • 0xB23711b9D92C0f1c7b211c4E2DC69791c2df38c1 (ETH)
    • 0xed187f37e5ad87d5b3b2624c01de56c5862b7a9b (ETH)
    • 0x429313e53a220c4a5693cad1da26ae5045b5762f (ETH)
    • 0x64E08fa89C2bAE9F123cc8a293775f0E6CC86760 (FTM)
    • 0xBC794F1ff9AD7711A9d2E69Be5b499e290B8fD3c (OP)

Bug types mentioned in the article:

  • Critical vulnerability
  • Potential threat
  • Rounding down logic
  • Price manipulation

bald-rekt

  • Contract names: BALD
  • Contract hex address: 0xccfa0530b9d52f970d1a2daea670ce58e4176389

Bug types mentioned in the article:

  • Rug pulling
  • Price manipulation attack
  • Public transferFeesSupportingTaxTokens() function vulnerability

bancor-lp-rekt

  • Contract names and contract hex addresses:
    • Bancor LP contract: N/A
    • BNT contract: N/A
  • Bug types mentioned in the article:
    • Impermanent loss (IL)
    • Volatility-related issues
    • Value depreciation
    • Large quantities of rewards dumped onto the market
    • Large centralized entities manipulating the market
    • Difficulty in recovering losses
    • Sell/emission loop
    • Governance blunders
    • Lack of community approval for decision-making
    • Misuse of powers granted for security reasons

banksy-pranksy-scam

  • Contract names and contract hex addresses:
    • Contract name: "Great Redistribution of the Climate Change Disaster"
    • Contract hex address and token ID (contract/tokenId): 0x495f947276749ce646f68ac8c248420045cb7b5e/769987281610794526370432769847587291321402667277633018751858935165377052673
  • Bug types mentioned in the article:
    • Hacking of the official Banksy website
    • Link redirection from the hacked website to the NFT listing
    • Scam targeting high-profile buyers
    • Sophisticated scam operation
    • Unauthorized minting of NFTs
    • Potential promotion through publicity stunt
    • Unauthorized access and redirection
    • Lack of security measures on the Banksy website
    • Vulnerability disclosure issues
    • Difficulty in contacting Banksy or their IT team.

beanstalk-rekt

  • Contract names: Beanstalk, Synapse Protocol bridge, Tornado Cash, Ukraine War Fund
  • Contract hex addresses:
    • Hacker: 0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4
    • Hacker Contract: 0x79224bc0bf70ec34f0ef56ed8251619499a59def
    • BIP18: 0xe5ecf73603d98a0128f05ed30506ac7a663dbb69
    • Propose BIP18 tx: 0x68cdec0ac76454c3b0f7af0b8a3895db00adf6daaf3b50a99716858c4fa54c6f
  • Bug types mentioned in the article:
    • Governance attack
    • Flash loans
    • Absence of delay on proposal execution
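
The flash-loan governance attack described for Beanstalk here (and for Atlantis Loans earlier on this page), with the two controls that stop it, as an added Python model. It is not code from the article or from either protocol; token amounts, the quorum and the block numbers are invented.

```python
"""Flash-loan governance takeover and the two controls that stop it.

Added example, not code from the rekt.news article, Beanstalk or Atlantis
Loans.  A toy governor lets any proposal with enough votes run immediately.
With votes weighed by *current* balances and *no* execution delay, tokens
borrowed for one transaction are enough to take the treasury.  Amounts,
quorum and block numbers are invented.
"""


class GovernanceError(Exception):
    pass


class CheckpointToken:
    """ERC20-like balances with per-block history, so past balances can be read."""

    def __init__(self, initial, block):
        self.history = {h: [(block, bal)] for h, bal in initial.items()}

    def balance(self, holder):
        return self.history.get(holder, [(0, 0)])[-1][1]

    def balance_at(self, holder, block):
        bal = 0
        for b, amount in self.history.get(holder, []):
            if b > block:
                break
            bal = amount
        return bal

    def transfer(self, sender, to, amount, block):
        if self.balance(sender) < amount:
            raise ValueError("insufficient balance")
        for holder, delta in ((sender, -amount), (to, amount)):
            checkpoints = self.history.setdefault(holder, [(0, 0)])
            checkpoints.append((block, self.balance(holder) + delta))


class FlashLender:
    """Lends tokens that must be returned before the same transaction ends."""

    def __init__(self, token, owner):
        self.token, self.owner = token, owner

    def flash_loan(self, borrower, amount, callback, block):
        self.token.transfer(self.owner, borrower, amount, block)
        callback()
        self.token.transfer(borrower, self.owner, amount, block)  # repayment


class Governor:
    QUORUM = 500_000

    def __init__(self, token, snapshot_votes, execution_delay):
        self.token = token
        self.snapshot_votes = snapshot_votes    # weigh votes at proposal block - 1
        self.execution_delay = execution_delay  # blocks between proposal and execution
        self.proposals = {}

    def propose(self, action, block):
        pid = len(self.proposals) + 1
        self.proposals[pid] = {"action": action, "block": block, "votes": 0}
        return pid

    def vote(self, voter, pid):
        p = self.proposals[pid]
        if self.snapshot_votes:
            weight = self.token.balance_at(voter, p["block"] - 1)
        else:
            weight = self.token.balance(voter)  # flash-loaned tokens count here
        p["votes"] += weight

    def execute(self, pid, block):
        p = self.proposals[pid]
        if p["votes"] < self.QUORUM:
            raise GovernanceError("quorum not reached")
        if block < p["block"] + self.execution_delay:
            raise GovernanceError("timelock: too early to execute")
        p["action"](block)


def run_attack(snapshot_votes, execution_delay):
    """One-transaction attack at block 100; returns (outcome, treasury balance)."""
    block = 100
    token = CheckpointToken({"lender": 1_000_000, "treasury": 2_000_000}, block=0)
    gov = Governor(token, snapshot_votes, execution_delay)
    lender = FlashLender(token, "lender")

    def drain(b):  # the malicious proposal: move the treasury to the attacker
        token.transfer("treasury", "attacker", token.balance("treasury"), b)

    def attack():  # runs while the attacker holds the flash-loaned tokens
        pid = gov.propose(drain, block)
        gov.vote("attacker", pid)
        gov.execute(pid, block)

    try:
        lender.flash_loan("attacker", 1_000_000, attack, block)
        outcome = "treasury drained"
    except GovernanceError as exc:
        outcome = str(exc)  # on-chain the whole transaction would revert here
    return outcome, token.balance("treasury")
```

run_attack(False, 0) drains the treasury inside a single flash loan. Snapshot voting (run_attack(True, 0)) weighs the attacker at the balance held one block before the proposal, which is zero, so quorum fails; an execution delay (run_attack(False, 1)) refuses to execute in the proposal block, and the loan cannot be repaid from a future block, so the one-transaction attack is impossible and the proposal sits in public view for the delay period.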

bearn-rekt

  • bEarnFi's BvaultsBank contract
  • ibBUSD token contract (hex address: 0x7c9e73d4c71dae564d41f78d56439bb4ba87592f)
  • BUSD token contract (hex address: 0xe9e7cea3dedca5984780bafc599bd69add087d56)
  • CREAM flashloan contract (not mentioned in the article)
  • Alpaca Vault contract (not mentioned in the article)
  • Alpaca FairLaunch contract (not mentioned in the article)

Bug types mentioned in the article:

  • Bug in the internal withdraw logic
  • Inconsistent asset denominations between BvaultsBank and BvaultsStrategy contract

belt-rekt

  • Contract names: bEllipsisBUSD strategy, bVenusBUSD strategy
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article: flash loan exploit, vulnerability to attacks

bent-finance

  • Contract names and hex addresses:
    • Bent Finance cvxCRV contract: 0x270b6aff561284ef380cdd6d8b036f4981049a86
    • Exploiter's address: 0xd23cfffa066f81c7640e3f0dc8bb2958f7686d1f
    • Exploiter's secondary address: 0x9e966a54082427d7ac56aeaee4baae7d11a6e468
  • Bug types mentioned in the article:
    • Manual adjustment of balance to assign enormous rewards beyond what is justified
    • Lack of detection of the exploit for almost three weeks
    • Funds being washed through Tornado Cash for money laundering
    • Suspected inside job or rogue team member

big-if-truebit

  • Contract names: TrueBit protocol
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    • Lack of recent development
    • Suspicion of imposter contract
    • Lack of communication from the team
    • Absence of official Telegram or Discord channels
    • Price swings and volatility
    • Misunderstanding of the bonding curve
    • Panic selling by a whale leading to price crash
    • Lack of marketing and promotion
    • Lack of communication leading to speculation and uncertainty

big-phish

  • Contract names: Ronin Network, Poly Network
  • Contract hex addresses: N/A
  • Bug types mentioned in the article:
    1. Phishing attacks
    2. Compromised network validator signatures
    3. Social engineering
    4. Malicious documents shared via Google Drive
    5. Browser-in-the-browser (BitB) attacks
    6. Google Docs comments exploit
    7. Malicious wallet application
    8. Spearphishing
    9. Remote access trojan (RAT)
    10. Indicators of Compromise (IOCs) mentioned in the CISA report

bitclout

  • Contract names: Bitclout
  • Address given in the article: 1PuXkbwqqwzEYo9SPGyAihAge3e9Lc71b (a Bitcoin address, not an EVM contract hex address)
  • Bug types mentioned:
    1. Use of people's images without their consent
    2. Tokenizing people and putting them up for sale
    3. Legal threats leading to the takedown of certain profiles
    4. Tokens supposed to be purchased via Bitcoin with shared values
    5. VC involvement and lack of transparency regarding founders
    6. Lawsuits filed against Nader Al-Naji
    7. Illegal activities and moral implications
    8. Founder pretending to be anonymous after raising venture capital
    9. Crude and disrespectful monetization of reputation
    10. Tokenizing people against their will
    11. Investors and tokenized individuals feeling scammed
    12. Bitclout's association with failed or disreputable projects
    13. Reputation damage to all involved parties
    14. Projects building for creators should empower them instead of feeding off their work
    15. Uncertainty about the future and potential adjustment to this business model
    16. Strange new forms of monetization in the future.

bitmart-rekt

  • Contract names: BitMart, Celsius, BadgerDAO
  • Contract hex addresses:
    • BitMart Ethereum Hot Wallet: 0x68b22215ff74e3606bd5e6c1de8c2d68180c85f7
    • BitMart BSC Hot Wallet: 0x8c128dba2cb66399341aa877315be1054be75da8
    • Attacker Ethereum Address 1: 0x39fb0dcd13945b835d47410ae0de7181d3edf270
    • Attacker Ethereum Address 2: 0x4bb7d80282f5e0616705d7f832acfc59f89f7091
    • Attacker BSC Address: 0x25fb126b6c6b5c8ef732b86822fa0f0024e16c61
  • Bug types mentioned in the article:
    • Security breach
    • Hot wallet vulnerability
    • Attack on front-end
    • Loss of funds
    • Basic OPSEC error
    • Granting unlimited approvals to an EOA (externally owned account)
    • Risk of "bank run"
    • Middlemen profiting from losses
    • Refund for affected users.

blood-in-the-streets-II

  • Contract names and contract hex addresses: Not mentioned in the article.
  • Bug types mentioned in the article:
    • "bull market, bear development"
    • Liquidations
    • Gas fees
    • Market crashes
    • Anti-scam scams

blood-in-the-streets

  • Contract names: Not mentioned in the article.
  • Contract hex addresses: Not mentioned in the article.

Bug types mentioned in the article:

  • Market manipulation
  • Total incompetence
  • Overleveraging
  • Ignoring fundamentals
  • Excessive loans
  • High liquidation ratio

bnb-bridge-rekt

  • Contract names: BSC Token Hub, Venus Protocol
  • Contract hex addresses: 0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec
  • Bug types mentioned in the article:
    1. Exploiting the BNB bridge
    2. Falsifying proofs of deposit
    3. Vulnerable IAVL verification
    4. Forgery of arbitrary messages
    5. Deposit funds as collateral
    6. High-slippage swaps
    7. Tether blacklisting funds
    8. Moving funds across different chains
    9. Pressing pause on a heavily-used network
    10. Potential justification issues regarding chain halts
    11. Setting a dangerous precedent
    12. Contemplating rolling back the Bitcoin network
    13. Impact on BNB's credibility in DeFi.

bondly-rekt

  • Contract names: not mentioned in the article
  • Contract hex addresses:
    • Mint address: 0x58a058ca4b1b2b183077e830bc929b5eb0d3330c
    • Associated wallet: 0xc433d50dd0614c81ee314289ec82aa63710d25e8
  • Bug types mentioned in the article:
    • Infinite mint exploit
    • Rug pull
    • Chainswap exploit
    • Compromised wallet
  • Other mentions:
    • PolkaPets Trading Card Game
    • Digital collectibles
    • Brands, influencers, and artists
    • Price of BONDLY falling by 80%
    • $4.8 million DAI sent to Tornado
    • $1.1 million in DAI and BONDLY remaining on the compromised address

bonq-rekt

  • BonqDAO smart contract: 0x8f55d884cad66b79e1a131f6bcb0e66f4fd84d5b
  • Attacker's address: 0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642
  • Example attack tx: 0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19

Bug types mentioned in the article:

  • Oracle manipulation
  • Using instant price feeds for collateral valuation
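
Why an instant price feed is dangerous for collateral valuation, as an added example that is not code from the article or from BonqDAO: a toy constant-product pool, a one-block price manipulation funded the way a flash loan would fund it, and the same pool read through a Uniswap v2-style cumulative-price TWAP. Pool sizes, the 75% loan-to-value and the 10-block window are invented.

```python
"""Spot-price oracle versus TWAP under a one-block price manipulation.

Added example; not code from the article or from BonqDAO.  A toy
constant-product pool plays the price source.  The attacker moves the spot
price with one large swap, has a lending contract value collateral at that
price, and unwinds.  A Uniswap v2-style cumulative-price TWAP over the same
pool is read alongside.  Pool sizes, the 75% loan-to-value and the 10-block
window are invented.
"""
from fractions import Fraction


class ConstantProductPool:
    """x * y = k pool with no fee (a fee would make the round trip cost a little)."""

    def __init__(self, reserve_a, reserve_b):
        self.a, self.b = reserve_a, reserve_b

    def spot_price(self):
        """Price of A denominated in B, straight from current reserves."""
        return Fraction(self.b, self.a)

    def swap_a_for_b(self, amount_a):
        out = self.b - (self.a * self.b) // (self.a + amount_a)
        self.a, self.b = self.a + amount_a, self.b - out
        return out

    def swap_b_for_a(self, amount_b):
        out = self.a - (self.a * self.b) // (self.b + amount_b)
        self.a, self.b = self.a - out, self.b + amount_b
        return out


class TwapOracle:
    """Accumulates price * blocks_elapsed once per block, like UniswapV2Pair."""

    def __init__(self, pool, block):
        self.pool = pool
        self.cumulative = Fraction(0)
        self.observations = [(block, self.cumulative)]

    def update(self, block):
        last_block, _ = self.observations[-1]
        self.cumulative += self.pool.spot_price() * (block - last_block)
        self.observations.append((block, self.cumulative))

    def consult(self, window_blocks):
        now_block, now_cum = self.observations[-1]
        then_block, then_cum = self.observations[-1 - window_blocks]
        return (now_cum - then_cum) / (now_block - then_block)


def run_attack(use_twap, collateral_a=100_000, ltv=Fraction(3, 4), window=10):
    """Value `collateral_a` with a spot or TWAP price during a manipulation."""
    pool = ConstantProductPool(1_000_000, 1_000_000)  # 1 B per A
    oracle = TwapOracle(pool, block=0)
    for block in range(1, 11):  # ten quiet blocks of history
        oracle.update(block)

    # Block 10: borrow 1,000,000 B for one transaction and buy A, quadrupling
    # the spot price.  Holding the position for a block lets it enter the TWAP.
    bought_a = pool.swap_b_for_a(1_000_000)
    oracle.update(11)

    price = oracle.consult(window) if use_twap else pool.spot_price()
    borrowed_b = int(collateral_a * price * ltv)
    true_value_b = collateral_a  # the fair price is still 1 B per A
    bad_debt = max(0, borrowed_b - true_value_b)

    # Unwind: sell the A back and repay the loan
    refund_b = pool.swap_a_for_b(bought_a)
    return {"price_used": price, "borrowed": borrowed_b,
            "bad_debt": bad_debt, "unwind_cost": 1_000_000 - refund_b}
```

Read as a spot price, the manipulated pool values the collateral at 4 B per A, lends 300,000 B against 100,000 B of real value and leaves 200,000 B of bad debt, while the attacker's round trip costs nothing in this fee-less model. The 10-block TWAP dilutes the same spike to 1.3 B per A and the loan stays below the collateral's true value. A TWAP only raises the cost of manipulation in proportion to the window; pairing it with a second independent source and deviation checks is the usual next step.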

bsc-the-bridge-to-defi

  • Contract names and hex addresses: there is no mention of specific contract names or hex addresses in the article.
  • Bug types mentioned in the article:
    • Congestion issue on the Ethereum network
    • Centralisation of decentralised finance
    • High gas fees on Ethereum
    • Adoption of Binance Smart Chain potentially impacting the adoption of more decentralised products
    • Binance's motive to reduce gas fees for their users
    • Binance Smart Chain allowing for wrapping and custody of mainnet assets
    • Binance Smart Chain not being trustless but cheap
    • Binance Smart Chain being populated with scams and meme coins
    • Difficulty for newcomers to find correct information in the crypto market

burgerswap-rekt

  • Contract names: BurgerSwap, PancakeSwap, univ2pair
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    1. Drive-thru convenience exploit
    2. Flash swap
    3. Reentrancy attack
    4. Missing x*y=k check

bzx-rekt

  • Contract names: bZx contracts
  • Contract hex addresses:
    • Polygon: 0xafad9352eb6bcd085dd68268d353d0ed2571af89
    • BSC:
      • 0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5
      • 0x74487eed1e67f4787e8c0570e8d5d168a05254d4
      • 0x967bb571f0fc9ee79c892abf9f99233aa1737e31
    • Ethereum: 0x74487eEd1E67F4787E8C0570E8D5d168a05254D4
  • Bug types mentioned in the article:
    • Phishing attack
    • Compromised personal wallet keys
    • Code update enabling extraction of tokens
    • Unauthorized borrowing of assets
    • Vulnerable contract leading to loss of control and funds
    • Individual wallets drained after initial attack

cashio-rekt

cat-and-mouse

  • Tornado Cash: Contract name and hex address not mentioned in the article.
  • Privacy Pools: Contract name and hex address not mentioned in the article.
  • Bug types mentioned in the article:
    1. Sanctions on Tornado Cash by the US Treasury
    2. Arrests of developers
    3. Address screening
    4. Metamorphic contract hidden in a proposal
    5. The issue of deciding "good" actors from "bad" actors
    6. Compliance with regulations
    7. Integration of mixed funds into a regulated system
    8. Transaction fees for on-chain proofs
    9. Gatekeeping by compliance organizations
    10. Privacy and regulatory compliance perceived as incompatible
    11. Middlemen becoming obsolete
    12. States trying to retain power over new technologies
    13. Technological ignorance and resistance to new tech
    14. Non-compliance despite attempts to comply.

cefi-rekt

  • No specific contract names or contract hex addresses mentioned in the article.
  • Bug types mentioned in the article include:
    1. Cyber espionage
    2. Hacking
    3. Exploits
    4. Denial of accusations
    5. Collateral damage
    6. Cyberattacks
    7. Theft/Robbery

celsius-rekt

  • Contract names: Celsius, Eth2 Deposit Contract, Curve pool, MakerDAO, WBTC, Aave
  • Contract hex addresses: No contract hex addresses mentioned in the article
  • Bug types mentioned in the article:
    • Illiquidity
    • Insolvency
    • Liquidation risk
    • Unbalanced pool
    • Gambling user deposits
    • Hoarding illiquid assets
    • OTC dealings
    • Liquidation engines making profits
    • Potential lender profit from Celsius' desperation
    • Celsius' liquidation point brought down
    • Potential loss of funds for Celsius investors
    • Scammers exploiting the situation

chainswap-rekt

  • Contract names: Factory contract, NFT platform WilderWorld.
  • Contract hex address: 0xEda5066780dE29D00dfb54581A707ef6F52D8113
  • Bug types mentioned in the article:
    1. Exploiting the contract and minting tokens directly into different addresses.
    2. Dodging the sloppy auth check system using a new address as signature each transaction.
    3. Paying 0.005 ETH chargeFee.
    4. Setting the parameter to the desired address, which receives the minted volume.
    5. Repeating the process several times.
    6. Depleting the WILD/WBNB pool.
    7. Transferring freshly minted tokens via the ChainSwap bridge.
    8. Cashing out ETH bridged from BSC via 1inch.
    9. Cross-chain attack utilizing the bridge as an escape route.
    10. Email correspondence claiming to be from the attacker.
    11. Hacker funding his wallet with money from Tornado and changing his bounty into a centralized stablecoin such as USDT.
    12. Speculation about a ChainSwap insider or someone with "fake KYC accounts" being involved.
    13. Money not being laundered yet.

coinbase-the-oracle

  • Contract names: NEO, ORACLE
  • Contract hex addresses: N/A
  • Bug types mentioned in the article:
    • Manipulation of price oracles
    • Error or manipulation of the Coinbase oracle
    • Liquidation vulnerabilities and exploits
    • Reliance on a single oracle (Coinbase)
    • Centralization of data sources as price oracles

coinex-rekt

  • Contract names and contract hex addresses mentioned in the article:
    • ETH 1: 0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE
    • ETH 2: 0x483D88278Cbc0C9105c4807d558E06782AEFf584
    • ETH 3: 0xCC1AE485b617c59a7c577C02cd07078a2bcCE454
    • TRON: TPFUjxQzG88Vwynrpj2W61ZAkQ9W2QYgAQ
    • BSC: 0x6953704e753C6FD70Eb6B083313089e4FC258A20
    • XRP: rpQxVcjVF2fC23r3xKyJS53jw8d5SRhZQf
    • BTC: 1DSvdmVZGKpCxAR4XexkywxM1whbcvHzbA
    • SOL: G3udanrxk8stVe8Se2zXmJ3QwU8GSFJMn28mTfn8t1kq
    • XDAG: 15VY3MadZvLpXhjzFXwCUmtZcHszju6L9
    • KDA: k:a9f3672d7ad7a1e4592702d73b220cbc61db1fa17f89a56131d965bc03959913
    • ARB: 0xfEec9F846E2FE529B765d832EBa988a399Fe3cD6
    • XLM: GBPIDVKDSNF74OAGVBSPKLW73CSCGISBOBRB3ODROTMOEENZFC6WJFPN
    • BCH: qrgxyhj8rzl4l7fgauu6q6vtu2grct4jeyrnaq2s75
    • MATIC: 0x4515bE0067E60d8e49b2425D37e61c791C9B95e9
    • OP: 0x964c192e54E5eF4176626875BB53071956579fca
  • Bug types mentioned in the article:
    • Hot wallet breach
    • Suspicious outflows
    • Security breach
    • Compromised keys

compound-errors

  • Contract name: UniswapAnchoredView
  • Contract hex address: 0xad47d5a59b6d1ca4dc3ebd53693fda7d7449f165

Bug types mentioned in the article:

  • Reverted transactions for ETH borrowers and suppliers
  • Differences between cTokens cErc20 and cEther
  • cETH does not have an underlying() method
  • getUnderlyingPrice function returns empty bytes that cannot be decoded
  • Contract shutdown and bricking 661K USDC on Solana mainnet (OptiFi Labs)
  • Accidental transfer of $10M instead of $100 (Crypto.com)

compound-rekt

  • Contract names: Compound Comptroller vault, Reservoir vault, Timelock
  • Contract hex addresses:
    • Compound Comptroller vault: 0x[hex address]
    • Reservoir vault: 0x[hex address]
    • Timelock: 0x6d903f6003cca6255D85CcA4D3B5E5146dC33925
  • Bug types mentioned in the article:
    • Vulnerability in the Compound Comptroller vault
    • Incorrect distribution of COMP tokens
    • Ability for any user to call drip() on the Reservoir vault, leading to more incorrect COMP distribution
    • Refilling of the Comptroller vault with additional funds
    • Loss of funds due to a "bank error"
    • Difficulty in recovering the lost funds
    • Potential legal and financial ramifications in decentralized finance (DeFi)

conic-finance-rekt

  • Contract names: Conic Finance, CurveLPOracleV2
  • Contract hex addresses:
    • Exploiter address (1st attack): 0x8d67db0b205e32a5dd96145f022fa18aae7dc8aa
    • Secondary address (1700 ETH): 0x3d32c5a2e592c7b17e16bddc87eab75f33ae3010
    • Exploit tx (1st attack): 0x8b74995d...
    • Original failed tx (1st attack): 0x97a8315e...
    • Original exploiter address (1st attack): 0x10db234e02c3889d8e408c7084e8ce10892bdad7
    • Exploiter address (2nd attack): 0xb6369f59fc24117b16742c9dfe064894d03b3b80
    • Example hack tx: 0x37acd17a...
    • Frontrunning bot (returned 81 ETH): 0xd050e0a4838d74769228b49dff97241b4ef3805d
  • Bug types mentioned in the article:
    1. Read-only reentrancy vulnerability
    2. Sandwich attack on imbalanced pools

cover-rekt

  • Infinite mint loophole
  • Exploiting the contract
  • Poor OPSEC
  • Storage/memory issue

cream-rekt-2

  • Exploiter wallets: Address A, Address B
  • Bug types mentioned in the article:
    • Pricing vulnerability
    • Flash loan attack
    • Manipulation of token price
    • Price oracle manipulation
    • Borrowing and defaulting assets

cream-rekt

crema-finance-rekt

  • Contract names: Crema Finance
  • Contract hex addresses:
    • Exploiter's SOL address: Esmx2QjmDZMjJ15yBJ2nhqisjEt7Gqro4jSkofdoVsvY
    • Exploiter's ETH address: 0x8021b2962dB803b73Aa874030B0B42c202E8458F

Bug types mentioned in the article:

  • Faulty owner validation on one of the protocol's accounts storing price tick data
  • Lack of sufficient validation in the claim method

Note: The article does not mention any other bug types.

cryptocom-rekt

  • Contract name: ErgoBTC
  • Contract hex address: bc1q7cyrfmck2ffu2ud3rn5l5a8yv6f0chkp0zpemf
  • Contract name: BTC tumbler
  • Contract hex address: bc1qk8wlwypvvr6v5lmsngg5a248k2a9cgrsrw5jsq
  • Bug types mentioned:
    1. Unauthorized activity in users' accounts
    2. Bypassing users' 2FA
    3. Bypassing email withdrawal approvals
    4. Theft of funds from users' wallets
    5. Loss of ETH
    6. Exploit against SOC2 audit security measures

curve-finance-rekt

curve-vyper-rekt

curve-wars

  • Contract names and hex addresses:

    • veCRV token: 0x5f3b5DfEb7B28CDbD7FAba78963EE202a494e2A2
    • Curve Finance DAO: 0x431e81e5dfb5a24541b5ff8762bdef3f32f96354
  • Bug types mentioned in the article:

    • Centralization of voting power
    • Protocol competition and feuds
    • Forking accusations
    • Aggressive promotion and lobbying
    • Accumulation strategies
    • Migration of Curve pools
    • Unpredictability of future outcomes

cy-ops

  • Contract names and contract hex addresses:
    • No contract names or hex addresses are mentioned in the article.
  • Bug types mentioned in the article:
    • DDoS attacks
    • Data-wiping malware
    • Hacking
    • Propaganda campaign
    • Fake news
    • Exploitation of mobile signals for targeting
    • Sanctions evasion through cryptocurrency
    • Nation-state-sponsored hacking
    • Stolen crypto funding banned missile development
    • Lack of regulation on cryptocurrencies
    • State surveillance through blockchain analysis
    • Lack of privacy in blockchain transactions

dao-maker-community-investigates

  • Contract names: USDR, DAO
  • Contract hex addresses:
    • USDR: 0xbc60ff90497f99cbf6fb84ce1e31845637033445
    • DAO: not provided
  • Bug types mentioned in the article:
    • Attempt to use protocol governance to halt the refund process
    • Trying to get out of the initial commitment to affected users
    • Potential negative price action strategy
    • Shirk responsibility for the compensation plan
    • Using governance to go back on the promised compensation plan
    • Alleged recommendation to buy USDR below the value of $1.10 as a safe arb at the time of redemption
    • Removal of remaining USDR/USDC liquidity by the team

daomaker-rekt

  • Contract names: DAO Maker
  • Contract hex addresses:
    • 0x6e70c88be1d5c2a4c0c8205764d01abe6a3d2e22
    • 0xd6c8dd834abeeefa7a663c1265ce840ca457b1ec
    • 0xdd571023d95ff6ce5716bf112ccb752e86212167
    • 0xa43b89d5e7951d410585360f6808133e8b919289

Bug types mentioned in the article:

  • Vulnerability in the init() function
  • Unauthorized access to token contracts
  • Exploiting the emergencyExit() function
  • Unauthorized token withdrawal
  • Unauthorized ownership transfer

deathbed-confessions-c3pr

  • Contract names: Compounder.finance
  • Contract hex addresses: 0x944f214a343025593d8d9fd2b2a6d43886fb2474, 0x079667f4f7a0b440ad35ebd780efd216751f0758
  • Bug types mentioned in the article:
    1. Rug pull
    2. Treasury control by a timelock offering no protection
    3. Deletion of site and Twitter account
    4. Lack of transparency and communication from the admins
    5. Exploitation of trust in auditors
    6. Loss of funds from large players
    7. Lack of security measures for user funds
    8. Anonymous and untraceable nature of transactions

decentralised-monopoly

  • Pickle, CREAM, COVER, Akropolis, and Sushi are mentioned as contract names in the article.
  • The contract hex addresses are not provided in the article.
  • Bug types mentioned in the article:
    1. Aggressive acquisition of market share in a decentralized industry.
    2. Governance issues regarding YFI token holders' job description and decision-making power.
    3. Concerns about centralization and monopolization of the industry.
    4. Potential security vulnerabilities in Yearn v1 and the resilience of Yearn v2.
    5. Potential risks and vulnerabilities of forks and rekt protocols being acquired by Yearn.
    6. The need to balance decentralization with solid foundations and high security levels.
    7. Challenges in determining the best method of protocol control.
    8. Decentralization of the production process of DeFi without needing permission.

deepfake

  • Contract name: DeTrade Fund
  • Contract hex address: 0x746adfded7d3996ad83b5ed5a68eea0993b541ee

Bug types mentioned in the article:

  • Fake identity and offline presence
  • Disinformation
  • Deepfake technology
  • Misuse of AI technology
  • Trust manipulation
  • Scamming
  • Deception
  • Identity theft
  • Fraud

defilabs-rekt

  • Contract names: vPoolv6 contract
  • Contract hex addresses:
    • Exploiter address: 0xee08d6c3a983eb22d7137022f0e9f5e7d4cf0be2
    • Rug contract: 0xdEDbd1804569F369e33e453Ee311F0F97dCd0Bde
    • Funds consolidated here: 0x53ccFbC90A3fCDAfe9a2a50F798bEE7CcB5461b6

Bug types mentioned in the article:

  • Backdoor function in the staking contract
  • Drainage of user deposits from the staking contract
  • Lack of audit coverage for the vPoolv6 contract
  • Centralization issues
  • Ruggability issues
  • Unexpected issue during maintenance and updates
  • Paused withdrawals without mentioning the draining of the staking contract
  • Multiple repetitions of the same bug
  • Compromised keys leading to loss of funds
  • Hacks and rugs on little-known BSC projects.

dego-finance-rekt

Contract names and contract hex addresses:

Bug types mentioned in the article:

  • Compromised keys
  • Incompetence or bad intentions

deribit-rekt

  • Contract names: Deribit hot wallets on the Ethereum and Bitcoin networks
  • Contract hex addresses:
    • Ethereum hot wallet: 0x58f56615180a8eea4c462235d9e215f72484b4a3
    • Attacker's ETH address: 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd
    • Attacker's BTC address: bc1qw5g8lw4kzltpdcraehy2dt6dqda8080xd6vhl4kg4wwsypwerg9s3x6pvk
  • Bug types mentioned in the article:
    • Compromised keys
    • Phishing attack
    • Hacks from compromised hot wallets
    • Bridge hacks
    • State-sponsored attackers

deus-dao-r3kt

  • Contract names: DEI token contract
  • Contract hex addresses:
    • Attacker's address (Arbitrum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
    • Frontrunner address (BSC): 0x5a647e376d3835b8f941c143af3eb3ddf286c474
    • Attacker's address (Ethereum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
  • Bug types mentioned in the article:
    • Implementation error in the DEI token contract
    • Misconfigured burnFrom function
    • Public burn vulnerability
    • Manipulation of DEI holders' approvals
    • Transfer of assets to the attacker's address
    • Losses on Arbitrum, BSC, and Ethereum

deus-dao-rekt-2

  • Contract names: Deus DAO
  • Contract hex addresses: Not mentioned in the article

Bug types mentioned in the article:

  • Oracle manipulation
  • Flashloan exploit
  • Collateral price manipulation
  • Manipulated price in flash-swaps
  • Inadequate filtering of swaps

deus-dao-rekt

  • Contract names and hex addresses:

    • DEI lending contract: 0xec1fc57249cea005fc16b2980470504806fca20d
    • Attacker's contract: 0xb8f5c9e18abbb21dfa4329586ee74f1e2b685009
  • Bug types mentioned in the article:

    • Flash loan attack
    • Manipulation of balance in the Solidex USDC/DEI pool
    • Insolvency of user positions
    • Contract liquidation
    • Flashloan repayment
    • Burning of liquidated LP token
    • Token swapping
    • Repayment of flashloan as hack profit
    • Unauthorized fund transfer via Multichain
    • Transfer of funds to Tornado Cash

Note: The bug types mentioned in the article are primarily related to the attack and its execution, rather than specific vulnerabilities or weaknesses in the contracts themselves.

dexible-rekt

  • Contract names: Dexible
  • Contract hex addresses: 0x684083f312ac50f538cc4b634d85a2feafaab77a
  • Bug types mentioned in the article:
    1. Lack of timely response to the hack
    2. Tone-deaf and indifferent message in response to the hack
    3. Failure to verify the router address on-chain, allowing the hacker to call a token contract instead of a DEX smart contract
    4. Releasing unaudited code
    5. Overlooking security vulnerabilities in the code
    6. Lack of formal audit on the contracts before release

dforce-network-rekt

Contract names and hex addresses:

  1. dForce Network: Website
    • Hex address: Not mentioned in the article

Bug types mentioned in the article:

  1. Reentrancy vulnerability

Note: The article does not mention any other contract names or hex addresses.

easyfi-rekt

  • Contract name: EasyFi
  • Contract hex address: 0xa2AE337e81f02891a8cfae4bA858a1D73707041a
  • Bug types mentioned in the article:
    • Compromised machine leading to total loss of liquidity
    • Lack of maximum security measures
    • Poor OPSEC
    • Single admin key capable of draining all liquidity with no timelock

elephant-money-rekt

Contract names and contract hex addresses:

Bug types mentioned in the article:

  • Price manipulation vulnerability
  • Flash loan attack
  • Loss of tokens
  • Vulnerable contract
  • Swapping of tokens
  • Minting process vulnerability
  • Profit from flash loans
  • Funds sent to various accounts
  • Bridging to Ethereum
  • Funds sent to Tornado Cash

eminence-refund-do-or-dai

  • EMN contract
  • EMN contract hex address
  • Uniswap LP distribution code
  • Merkle tree implementation
  • $ENM hacker
  • The contract from which the hacker withdrew
  • Address of the creator of the contract
  • Address which funded the creator
  • $UNI
  • Sophisticated hack
  • Exploit of unfinished code
  • 400 UNI stolen
  • Refunds distributed at a rate of $250,000 per minute
  • Claiming refund as a 100% tip

eminence-rekt-in-prod

  • Eminence project
  • EMN token contracts
  • eYFI token contract
  • eAAVE token contract
  • eSNX token contract
  • yEarn finance address contract
  • Yearn: Deployer contract
  • Flash loan attack
  • Price manipulation
  • Bonding curve vulnerability
  • Inside job speculation

epic-hack-homie

  • Contract names and hex addresses:
    • 0x00600423c03ec4b46f9b8a28c66d42bdd1b19c36
    • 0xf519e276958c3ef2dffd9b6b2d87d26859526505
  • Bug types mentioned in the article:
    • Theft of funds
    • Money laundering
    • Brute force attack
  • Tokens that were sold by the hacker:
    • OCEAN
    • SNX
    • COMP
    • LINK
    • DIA
  • Projects that have taken action against the hacker:
    • Velo
    • Tether
    • Orion
    • KardiaChain
    • Ocean Protocol
    • Ampleforth
    • VIDT Datalink
    • NOIA Network
    • Aleph
    • Covesting
    • Opacity
    • SilentNotary

eralend-rekt

Contract names and contract hex addresses:

Bug types mentioned in the article:

  • Read-only reentrancy bug

ethcc-detychey-vs-touts

  • Contract names: Wrapped EthCC Tickets
  • Contract hex address: 0x76284b7b2f7c363779fd7338a41a202e4c8cd43a
  • Bug types mentioned in the article:
    • Non-transferable tickets
    • Exploiting the refund mechanism
    • Lack of ticket registration metadata

euler-rekt

  • Contract names and hex addresses:

  • Bug types mentioned in the article:

    • Exploited vulnerability in the donateToReserves function
    • Incorrect donation mechanism
    • Unaccounted donator's debt health
    • Unbacked DToken debt

Note: The article does not provide specific contract hex addresses or names for all the contracts mentioned.

euro-last-stand

  • Contract names and hex addresses are not provided in the article.
  • Bug types mentioned in the article:
    • Misinformation or disinformation
    • Inflation
    • Trade deficit
    • Monetary policy failures
    • Lack of trust in currency
    • Budget deficits
    • Diverging monetary policies

everyone-rekt

exactly-protocol-rekt

(Note: The article does not explicitly mention any other bug types.)

eye-of-the-storm

  • Contract names: Tornado Cash
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    • Sanctioning a piece of code
    • Confusion between Tornado Cash and the Lazarus Group
    • Ban on a neutral tool affecting privacy for regular users
    • Unclear impact on addresses tainted by funds from banned contracts
    • Entire Tornado Cash repo banned by GitHub
    • Freezing of funds by Circle under governmental pressure
    • Potential damage to decentralized finance due to actions of centralised stablecoins
    • Need for a safe decentralised stablecoin and secure anonymous system
    • Outlawing anonymity in cryptocurrency
    • Prioritizing privacy in crypto community

fed-rekt

  • Fedwire
  • Check 21
  • FedCash
  • National settlement service

Bug types mentioned in the article:

  • Operational error (inside job)
  • Service disruption/Outage
  • Centralized system vulnerability
  • System failure/delay
  • Inefficiency of the traditional financial system
  • Corruption in centralized systems

fei-rari-rekt

  • Contract names and hex addresses:
    • Fuse pools: 8, 18, 27, 127, 144, 146, 156
    • Attack contracts: 0xE39f3C... and 0x32075b...
  • Bug types mentioned in the article:
    • Re-entrancy vulnerability
    • Flash loan attack

fei-rekt

  • Contract names: Hayek Money, Seigniorage Shares, Ampleforth, Empty Set Dollar, Maker (DAI)
  • Contract hex addresses: N/A (not mentioned in the article)
  • Bug types mentioned in the article:
    1. Failure to maintain peg
    2. Drop in protocol governance token value
    3. Imprisonment and punishment of users for founders' failures
    4. Lack of stability in stablecoin creation attempts
    5. Capital inefficiency and risk in collateral reserve models
    6. Limited adoption due to overcollateralization requirement
    7. Inability to execute closed cycle arbitrage
    8. Scaling issues
    9. Loss of initial peg due to selling pressure
    10. Punishment for selling FEI below the peg
    11. Vulnerabilities in incentive calculation
    12. Decrease in demand due to the penalty mechanism
    13. Narrowed feasibility envelope for the coin
    14. Controversial suggestion to allocate PCV to Yearn

few-gets-rekt

  • Contract names: $FEW, $MEME, $ALEX
  • Contract hex address (token):
    • $FEW: 0x8d588b66b9c605bd1f6e9b75cb9365aad5b97140
    • $MEME: 0xd5525d397898e5502075ea5e830d8914f6f0affe
  • Bug types mentioned in the article:
    • Attempt to hype up and pump the price of a token
    • No coding knowledge, website, or planned use case for the token
    • Gathering well-known people to shill the token to those who didn't receive the airdrop
    • Failure to implement the 1-year vesting period
    • Airdrop of 95.5% of the total supply to members of a Telegram group
    • Setting aside 4.5% of the total supply for liquidity in a Uniswap Pool that never opened
    • Creation of fake $FEW pools on Uniswap
    • Opportunities for scammers to take advantage of the situation
    • Backpedaling and excuses from group members after their intentions were made public
    • Burning of $FEW tokens by some holders
    • Lack of public apology and self-investigation by most involved
    • Media coverage and lack of condemnation by The Defiant, Bankless, and The Block
    • Reflection on employee behavior and conflict of interest
    • Responsibility of experts in the space to behave in a way that benefits the industry
    • Arrogance and smugness of some crypto Twitter users
    • Pretending to be part of a secret club and posting vague content for attention

flip-a-coin

  • Contract names: Ramp Network, Binance
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article: Not mentioned in the article

fomo-on-meme-street1

  • Contract names: Firdaos, $ZPAE, $FDO
  • Contract hex addresses: 0x6a9853d80533a70b7b85659949757246e5b52c6b
  • Bug types mentioned:
    1. Greed
    2. Careless gambling
    3. Short sales
    4. Fading celebrity endorsements
    5. Conspicuously bad tokens
    6. Paid promotions
    7. Speculation
    8. Incompetence
    9. Pump and dump schemes
    10. Frontrunning
    11. Lack of technical fundamentals for valuation
    12. Emotional investing
    13. Overly enthusiastic investors
    14. Whales' manipulation.

fomo-on-meme-street2

  • SHIB contract address: 0x95ad61b0a150d79219dcf64e1e6cc01f0b64c4ce
  • AKITA contract address: not provided
  • LEASH contract address: not provided
  • KISHU contract address: not provided
  • DOGE2 contract address: not provided

Bug types mentioned:

  • Rug pull
  • Wash trading
  • Sandwich bot
  • Backrunning

force-rekt

Bug types mentioned in the article:

  • A bug in the FORCE/xFORCE contract
  • Failure to check the return value on transferFrom
  • Usage of the outdated MiniMeToken contract

fortress-rekt

  • Contract names: Fortress Protocol
  • Contract hex addresses:
  • Bug types mentioned in the article:
    • Vulnerable price oracle
    • Manipulation of collateral price
    • Malicious governance proposal
    • Oracle vulnerability in the code not detected by auditors

ftx-terms-and-commissions

  • Contract names: PAX, USDP
  • Contract hex addresses: N/A (not mentioned in the article)
  • Bug types mentioned in the article:
    1. Failure to inform users about the rebranding of the coin symbol PAX to USDP
    2. Incorrect labels on the deposit page, showing PAX instead of USDP
    3. Misleading users to deposit USDP (Unit Protocol) instead of USDPaxos (PAX) due to similar names
    4. Lack of notification about important announcements, such as coin name change
    5. iOS app displaying incorrect coin label (PAX instead of USDP)
    6. Failure to respond to customer support inquiries and appeals
    7. Failure to follow their own "Wrong Address or Chain" policy by charging a higher fee (15%) instead of the stated fee (5%)
    8. Breaking customer trust and not taking action to fix the issue.

ftx-yikes

  • Contract names and hex addresses:

    • Not mentioned in the article.
  • Bug types mentioned in the article:

    • Predatory tactics
    • Overdependence on FTT
    • Shady nature of the partnership
    • Balance sheet FUD (Fear, Uncertainty, and Doubt)
    • Mismanagement of user funds
    • Alleged mishandling of customer funds
    • Alleged US agency investigations

furucombo-rekt

  • Furucombo proxy contract: 0x17e8Ca1b4798B97602895f63206afCd1Fc90Ca5f
  • Aave V2 implementation contract: 0x86765dde9304bea32f65330d266155c4fa0c4f04
  • Attacker contract: 0xb624E2b10b84a41687caeC94BDd484E48d76B212

Bug types mentioned in the article:

  • Evil contract exploit
  • Delegatecall vulnerability
  • Trusting overly permissive smart contracts
  • Insecure token approval
  • Exploiting a delegatecall between the Furucombo proxy contract and Aave V2 implementation contract

gamestonk

  • No specific contract names or contract hex addresses are mentioned in the article.
  • Bug types mentioned in the article:
    • Blatant hypocrisy
    • Insider trading
    • Manipulation of the market
    • Excess profit through short selling
    • Market manipulation
    • Freezing trading activity
    • Seizing capital from suspected market manipulators
    • Fragile and unfair financial system
    • Hidden or exaggerated risks
    • Exclusion of retail investors
    • Centralization of power
    • Pressure from external entities to close trading activity
    • Trampling on the rules for the rich while screwing over the rest
    • Tragedy of justice in the financial system

gone-phishing

  • Contract names: Atomic Wallet, AlphaPo, Stake, CoinEx, Ronin, Pink Drainer, Monkey Drainer, Venom, Inferno
  • Contract hex addresses:
    1. Atomic Wallet: Unknown
    2. AlphaPo: Unknown
    3. Stake: Unknown
    4. CoinEx: Unknown
    5. Ronin: Unknown
    6. Pink Drainer: 0x4eF6f0d3f94fF609ACef88068b1FC66a1184b3f3
    7. Monkey Drainer: Unknown
    8. Venom: Unknown
    9. Inferno: Unknown

Bug types mentioned in the article:

  • Phishing for allowances
  • Social engineering
  • SIM-swapping
  • Wallet drainers
  • Disguised malware
  • Address poisoning
  • Spearphishing
  • Pig-butchering scam
  • Fake mining scam
  • SIM-swap attack
  • Scam-as-a-Service
  • Malware

(Note: The contract hex addresses for some contracts mentioned in the article are not provided.)

grim-finance-rekt

  • Contract names and hex addresses:
    • GrimBoostVault: 0xdefc385d7038f391eb0063c2f7c238cfb55b206c
  • Bug types mentioned in the article:
    • Reentrancy vulnerability

grudgematch-sec

  • Contract names: Binance, CZ, BAM Trading Services Inc., Coinbase
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    • Operating an unlicensed securities exchange
    • Offering unregistered securities
    • Failing to control market manipulation
    • Allowing wash trading
    • Encouraging clients to KYC offshore and use a VPN
  • Shady behavior of Binance
  • Staking programs offered by Binance and Coinbase
  • Native tokens of alternative L1 networks being labeled as securities

gymnet-rekt

hack-epidemic

  • Contracts mentioned in the article:
    • Cheese Bank
    • Origin Protocol
    • Harvest
    • Value DeFi
    • Akropolis
  • Bug types mentioned in the article:
    • Flashloan AMM oracle attack
    • Faketoken re-entrancy

harmony-rekt

  • Harmony ETH Bridge contract: 0xf9fb1c508ff49f78b60d3a96dea99fa5d7f3a8a6
  • Harmony ERC20 Bridge contract: 0x2dCCDB493827E15a5dC8f8b72147E6c4A5620857
  • Harmony BUSD Bridge contract: 0xfd53b1b4af84d59b20bf2c20ca89a6beeaa2c628
  • Exploiter address: 0x0d043128146654c7683fbf30ac98d7b2285ded00

Bug types mentioned in the article:

  1. Compromised private keys
  2. Hot wallets with plaintext private keys
  3. Lax security measures for securing funds
  4. Vulnerability to spearphishing campaigns

harvest-finance-rekt

  • Contract names: FARM_USDT, FARM_USDC, DFI-PERP
  • Contract hex addresses:
    • FARM_USDT: 0x53f
    • FARM_USDC: 0x53f
  • Bug types mentioned in the article:
    • Flash loan exploit
    • Price manipulation through swapping funds and stretching stable coin prices
    • Exploit in LP deposits and withdrawals price calculation mechanism
    • Arbitrage opportunity due to price manipulation
    • Tolerance value for arbitrage check function was not high enough
    • Default slippage tolerance value was too high
    • Profit sharing among liquidity providers and developers
    • Increase in Curve trading fees
    • Spike in Uniswap trade volume

hedera-rekt

  • Contract names and hex addresses mentioned in the article:

    • HTS (Hedera Token Service)
    • Uniswap v2-derived contract code
    • Pangolin
    • Heliswap
  • Bug types mentioned in the article:

    • Network irregularities
    • Exploit in the network's Smart Contract Service code
    • Attacker targeting accounts used as liquidity pools on DEXs
    • Burning bridged/wrapped tokens
    • Removing LP positions from affected DEXs
    • Losses from the attack
    • Alleged addresses containing stolen funds (HBAR, HTS stablecoins, ETH)
    • MyAlgo wallet-draining fiasco
    • Damage to claims of legitimacy as a DeFi platform

helloworld

  • Contract names: Not mentioned in the given text
  • Contract hex addresses: Not mentioned in the given text
  • Bug types mentioned in the article: Not mentioned in the given text

hope-finance-rekt

Contract names and hex addresses mentioned in the article:

  1. Hope Finance Multisig: 0x8ebd0574d37d77bdda1a40cdf3289c9770309aa7
  2. GenesisRewardPool contract: 0x1fc2ac2651e1959d9ae86c6b2270aaf3d799e56c
  3. Rug puller prep address: 0xdfcb9a03fbe9f616ee6827cd1b753238d53c6145
  4. Rug puller receiving address (ETH and ARBI): 0x957d354d853a1ff03dda608f3577d24ea18fcece

Bug types mentioned in the article:

  1. Rugging the project
  2. Faked KYC
  3. Fake router deployment
  4. Unauthorized approval of rug transaction
  5. Setting variable to wallet address
  6. Sending USDC to the wrong address
  7. Deliberately leaving the _uSDC address empty
  8. Transferring tokens to the wrong address


hopium-dd-vid

  • Contract names and hex addresses:

    • Hopium Token: 0x4684B5777f2807317ba0869583eb965ae3E80E29
    • Decentralized Excessive Trading Platform (DETP): 0x7B2bE98e6c291A4625bf911Ed450977964d43F73
    • Liberal Liberalist Contract: 0x1dB7A918CDB667DB4f8E38E95e9ceA13cD771Bfe
    • The United Futurist States of Earth (UFSE) Constitution: 0x8Fbe0CB8822930C8A0D3A403Ff5fE6cA70d3F23D
    • Citadel: 0x4e9ceCBF65B45c54FafF759B49CEf3f603cD01A3
    • The Debt Strike Manifesto (DSM): 0x7d81bC54dd9C4D11c616241A74c61c020D706Add
  • Bug types mentioned in the article:

    • Re-entrancy vulnerability
    • Integer overflow vulnerability
    • Uninitialized storage vulnerability
    • Incorrect access control vulnerability
    • Coding errors
    • Misuse of third-party libraries

hopium-diaries-dystopian-dreams

  • Contract names and hex addresses: N/A
  • Bug types mentioned in the article:
    1. Greedy middleman
    2. Uncensorable code
    3. Complex game theory manipulation
    4. Decentralized currencies increasing instability
    5. Interference from attacking states
    6. Restriction on tools of the industry exposed to regulation
    7. Tribalism and conflict
    8. Financial ruin due to tokenization of real-world assets
    9. Court cases related to tokenized assets
    10. Volatility in mirrored financial markets
    11. Inflation in the economic environment

hundred-rekt2

  • Contract names: Hundred Finance
  • Contract hex addresses:
    • Attacker's address: 0x155da45d374a286d383839b1ef27567a15e67528
    • Hack tx 1: 0x6e9ebcde...
    • Hack tx 2: 0x15096dc6...
  • Bug types mentioned in the article:
    • Rounding error in the redeemUnderlying function
    • Manipulation of exchange rate by donating a large amount of WBTC to the hWBTC contract
    • Exploiting a general flaw in the code

hype-and-hashmasks

  • Contract names: Hashmask
  • Contract hex addresses: 0xb1, 0x0, 0xbP
  • Bug types mentioned in the article:
    1. Fake token scam
    2. Scams related to the Hashmasks project
    3. Potential scams in the NFT market
    4. Crypto crime rates could potentially rise with increased adoption

indexed-finance-rekt

Bug types mentioned in the article:

  • Flash loan attack
  • Manipulation of pool weights
  • Discrepancy in pool value calculation
  • Over-weighting of SUSHI tokens in the pool
  • Mass inflation of DEFI5 tokens
  • Theft of assets from the pool

infura-issue-of-consensus

  • Contract names and hex addresses:

    • geth nodes: N/A
    • Infura API: N/A
    • Binance: N/A
    • Blockchair: N/A
  • Bug types mentioned in the article:

    • Consensus flaws
    • Vulnerabilities
    • Chain split
    • Invalid merkle root
    • Unannounced hard fork
    • Dependency on a centralised node provider
    • Centralized single points of failure
    • Failure of consensus

inverse-finance-rekt

  • Contract names: Inverse Finance, Tornado Cash, Disperse, SushiSwap, Keeper Network
  • Contract hex addresses: not provided in the article
  • Bug types mentioned:
    1. Manipulation of price of INV
    2. Exploit to withdraw funds from Tornado Cash
    3. Deployment of fake smart contracts
    4. Price manipulation through spamming transactions
    5. Use of SushiSwap TWAP as an oracle
    6. Borrowing funds using inflated price of INV
    7. Market manipulation risks due to reliance on a single thinly traded DEX trading pair with a short time sample

inverse-rekt2

  • Flashloan attack
  • Oracle manipulation
  • Front-running bot attack

iron-alpha

  • Contract names: Iron Bank, Alpha Homora, ALPHA collateral, escrow contract
  • Contract hex addresses: not provided in the article
  • Bug types mentioned in the article:
    • Exploited contract
    • Undercollateralization
    • Debt default
    • Funds held hostage
    • Rugging of user funds
    • Protocol upgrades without DAO approval

iron-finance-rekt

  • Contract Names: Iron Finance, IRON stablecoin, TITAN token
  • Contract Hex Addresses: Not mentioned in the article
  • Bug Types:
    • Overpricing of TITAN token
    • Volatile price of TITAN token
    • Loss of peg for IRON stablecoin
    • Arbitrage opportunity with minting new TITAN tokens
    • Flooding of market with freshly minted TITAN causing panic sale
    • Difficulty in regaining the $1 peg
    • Continuous drop in TITAN value
    • Fractional value of TITAN
    • Design flaw in the minting protocol
    • Lack of notice or action regarding the flaw
    • Continuation of fees despite disaster situation

jaypegs-automart-rekt

  • Contract names: MISO auction for "JayPegs Automart"
  • Contract hex addresses:
    • Hacker OG address: 0x3dDD8b6D092df917473680d6C41F80F708C45395
    • 0x3dD funded by: 0xe5f7ae14f02894fcf46ffcb225cc4db38f3c4962
    • 0xe5f funded by: 0xba6f4f83329b9500672c6955fd5082c9434aaf74
    • 0xba6f funded by: 0x482c9f85644f1686c490d38291511657da767e61
  • Bug types mentioned in the article:
    • Supply chain attack
    • Front-end attack
    • Doxxing

jimbo-rekt

  • Jimbo’s Protocol
  • JimboController contract (0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7)
  • Attacker’s address (0x102be4bccc2696c35fd5f5bfe54c1dfba416a741)
  • Location of stolen funds (ETH) (0x5f3591e2921d5c9291f5b224e909ab978a22ba7e)
  • Attack tx (0x3c6e053faecd331883641c1d23c9d9d37d065e4f9c4086e94a3c34bf8702618a)

Bug types mentioned in the article:

  • Lack of slippage control in the shift() function of the JimboController contract.

kannagi-finance-rekt

  • Contract names: Kannagi Finance
  • Contract hex addresses: 0x95ec03b821f164ce55cbb26f23f591a9bd40d6c1

Bug types mentioned in the article:

  • Rug pull
  • Scam
  • Incomplete audits
  • Rubber-stamping protocols
  • Potential rugs and scams
  • Unverified contracts
  • Centralized aspects present
  • No external vulnerabilities identified
  • Users not taking notice of audit findings

kokomo-finance-rekt

  • Contract names and hex addresses mentioned in the article:

    • KOKO Token deployer address: 0x41BE
    • Attack contract cBTC: 0x05b2957591a4d1334b230f8c56fd62ddee17b52e
    • Address that approved cBTC contract: 0x5a2d0e3d6f862ee155f52ab65b6b22e1d80f5716
    • Address that received WBTC: 0x5C8db6eea11896065ec7dcfc67f458c54ccf7bff
    • Address with rugged funds (1): 0x8C0eCD7BACCed114729F8269B459E0A4D5e95C3b
    • Address with rugged funds (2): 0xB74C5e41E748BaBC32ce33813549E2503CDaB762
    • Address with rugged funds (3): 0xC2AE8D3b0fb159cCD331a01A8C3632B95dB23CF5
    • Address with rugged funds (4): 0x88340ff2292506D0D93934CbBFEA5ED1804CDa0d
  • Bug types mentioned in the article:

    • Deployment of a malicious contract
    • Unauthorized approval of contract spending
    • Transfer of funds to an unauthorized address
    • Swap of funds for profit

lcx-rekt

  • Contract names: LCX hot wallet, Hacker's wallet
  • Contract hex addresses:
    • LCX hot wallet: 0x4631018f63d5e31680fb53c11c9e1b11f1503e6f
    • Hacker's wallet: 0x165402279f2c081c54b00f0e08812f3fd4560a05
  • Bug types mentioned in the article:
    • Private key exploit
    • Hot wallet security vulnerability

ledger-recover

  • Contract names: Ledger Recovery
  • Contract hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    1. Data breach
    2. Identity theft
    3. SIM swapping
    4. Phishing attacks
    5. Private key leaks
    6. Backdoor vulnerability

ledger-rekt

  • Contract names and contract hex addresses are not mentioned in the article.
  • Bug types mentioned in the article:
    1. Exploited attack vector
    2. Data breach
    3. Phishing attempts
    4. Physical attacks or burglary
    5. SIM swapping attacks
    6. Obscuring severity of the incident
    7. Dependence on third parties for data storage
    8. Risk of centralised storage
    9. GDPR violation
    10. Incompetency or dishonesty in handling customer requests
    11. Data breach prevention.

level-finance-rekt

  • LevelReferralControllerV2 contract
  • 0x977087422C008233615b572fBC3F209Ed300063a
  • Bug types mentioned in the article:
    1. Repeated referral reward claims within the same epoch
    2. Vulnerability introduced in an upgrade to LevelReferralControllerV2 contract
    3. Exploiter creating many referrals and using flash loans to increase reward tier
    4. Lack of check in the claimMultiple function that prevents reuse of epoch

levyathan-rekt

  • Contract names and hex addresses:
  • Bug types mentioned in the article:
    • Private keys left on Github
    • Minting and dumping tokens
    • Bug in withdrawal mechanism
    • Bug in emergencyWithdraw() logic
    • Users receiving more tokens than expected
    • Depleting the contract
    • Funds returned to incorrect addresses

lodestar-rekt

  • Contract names: GLPOracle, GlpDepositor
  • Contract hex addresses: 0xc29d94386ff784006ff8461c170d1953cc9e2b5c, 0xc523c6307b025ebd9aef155ba792d1ba18d5d83f97c7a846f267d3d9a3004e8c, 0x7093486a8b4624b9f5501b7cd7a60545e02e9164, 0xb50f58d50e30dfdaad01b1c6bcc4ccb0db55db13
  • Bug types mentioned in the article:
    1. Manipulation of price oracle
    2. Flash loan attack
    3. Incorrect calculation of assets in the GlpDepositor contract
    4. Instantaneous change of oracle within the same block

luna-rekt

  • No specific contract names or hex addresses mentioned in the article.
  • Bug types mentioned in the article:
    • Crisis in the UST peg
    • Potential de-pegging of UST
    • Panic and rush to exit Anchor protocol
    • Liquidations in Degenbox
    • Market cap flipping of UST and LUNA
    • Deposits cut in half in Anchor protocol
    • Suspension of Terra Network withdrawals
    • Frenzy and liquidity dumping on Curve
    • Price stabilization of UST at a lower value
    • Teased recovery plan
    • Rumors/leaks of a bailout
    • Freefall of UST
    • Desperation and previous failed stablecoin attempts by Do Kwon
    • UST rescue plan proposal
    • Rapid decrease in LUNA's price.

madmeerkat-finance-rekt

  • Mad Meerkat Finance (MM.finance)
  • Contract hex address: 0x145677FC4d9b8F19B5D56d1820c48e0443049a30

Bug types mentioned in the article:

  • DNS attack;
  • Malicious contract address injection;
  • DNS vulnerability;
  • Exploit redirecting users to a cloned version of the site;
  • Bad SSL certificate.

mango-markets-rekt

  • Contract name: Mango Markets
  • Contract hex address: N/A

Bug types mentioned in the article:

  • Market manipulation
  • Price spiking
  • Unrealized profit used as collateral
  • Short liquidations caused by price manipulation
  • Bad debt due to drained lending pools
  • Governance vote manipulation

Note: The article does not mention specific contract names or hex addresses. It discusses the attack on the Mango Markets protocol and the actions of the attacker.

meerkat-finance-bsc-rekt

  • Meerkat Finance Deployer upgraded 2 vaults of the project
  • Attacker address called permissionless initialization function through the Vault proxies
  • Attacker drains Vaults by calling a function with signature 0x70fcb0a7
  • Both affected Vaults used OpenZeppelin's Transparent Proxy Upgrade pattern
  • Meerkat Finance Deployer called upgradeTo() two times
  • New functions init(address owner) and 0x70fcb0a7(address _param1) were added to the updated Vault implementations
  • The newly added function init() becomes the ultimate backdoor into the Vaults
  • Funds have been split among various addresses and sent to Binance Bridge
  • Timeline of events during the exploit is provided
  • The balance of power is different on different chains
  • Binance's response to the situation is uncertain
  • Protocols on BSC are no more secure than Ethereum

meltdown

  • Contract names and hex addresses are not mentioned in the article, so there are no specific contracts to list.
  • Bug types mentioned in the article:
    • Transatlantic neoliberalism perpetuates moral hazard.
    • Systemic issues in the US wreak havoc.
    • TradFi instability poses a threat to DeFi.
    • SVB's failure due to exposure to a crypto industry in crisis.
    • SVB's long-maturity bonds proved a losing bet.
    • Bank run resulted in attempted withdrawals.
    • USDC lost its peg and caused panic.
    • Concerns about USDC being unbacked.
    • Chaos and casualties in the market.
    • Systemic threat to stablecoins.
    • Existential threat of centralised fiatcoins.
    • Risks of fractional reserve banking.
    • Regulators exploiting recent events in the industry.

merlin-dex-rekt

  • Contract names: Merlin (DEX native to zksync L2), Feeto address
  • Contract hex addresses: 0x2744d62a1e9ab975f4d77fe52e16206464ea79b7 (attacker address), [contract addresses not mentioned in the article]
  • Bug types mentioned in the article:
    1. Rug mechanism (draining liquidity pools)
    2. Max approvals granted to the Feeto address
    3. Draining assets from the pool and bridging them to ETH
    4. Low-effort cash grabs
    5. Phishing campaign targeting zksync's Twitter handle
    6. Lack of decentralized mechanism or smart-contract-based accounts with enhanced security practices
    7. Intentional backdoor (claimed)
    8. Centralization issues in protocols
    9. Overlooking centralization issues due to FOMO and airdrop hunting

merlin2-rekt

  • Contract names: priceCalculator
  • Contract hex addresses: 0xf6f6cc59ca893bd11180654b285b1a0652fca36a
  • Bug types mentioned in the article:
    1. Exploit
    2. Mispricing

merlin3-rekt

  • Contract names: Alpaca single asset vaults
  • Contract hex address: Not specified in the article
  • Bug types mentioned in the article:
    • Economic exploit
    • Public availability of a vault that was not supposed to be launched
    • Trickery of the contract by depositing 0.1 WBNB and manually transferring 1000 BNB to produce MERL rewards
    • Conversion of BNB to WBNB for profit calculation
    • Direct deposit of BNB to the contract for harvesting rewardable profit
    • Loss of funds through a transfer to ETH and then Tornado

merlinlabs-rekt

  • Contract names and hex addresses:
  • Bug types mentioned in the article:
    • Exploit attack
    • Unauthorized access/hacking
    • Manipulation of wallet balances
    • Tampering with profit (performanceFee)
    • Failure of auditors

meter-rekt

  • Contract Name: Meter_io Passport
  • Contract Hex Address: N/A (not provided in the article)

Bug Types mentioned in the article:

  • Malicious minting of BNB and wETH tokens
  • Assumption that wrapped Native token doesn't burn or lock
  • Unguarded deposit method
  • Collateral damage to Hundred Finance
  • Reduced price purchase of BNB.bsc and use as collateral
  • Impact on MIM and FRAX assets due to compromised collateral
  • Bridge attack vulnerability for lending protocols
  • Opportunistic loans taken on Hundred Finance
  • Stolen funds moved to Tornado Cash
  • Unclear identity of the hacker

midas-capital-rekt

  • Contract names: Midas Capital, Jarvis Network
  • Contract hex addresses:
    • Midas Capital: 0x5bca7ddf1bcccb2ee8e46c56bfc9d3cdc77262bc
    • Attacker address: 0x1863b74778cf5e1c9c482a1cdc2351362bd08611
  • Bug types mentioned in the article:
    • Read-only reentrancy vulnerability
    • Flash loan attack
    • Manipulation of LP token's virtual price
    • Incorrect calculation of collateral position
    • Outdated self.D variable causing overestimation of position
    • Borrowing excessive assets against inflated collateral

midas-rekt2

  • Contract names: Midas Capital, Hundred Finance, Tropykus
  • Contract hex addresses:
    • Midas Capital: Undefined
    • Hundred Finance: Undefined
    • Tropykus: Undefined
  • Bug types mentioned in the article:
    • Rounding vulnerability in the redeem counter affecting interest rate calculation
    • Known issue/exploit
    • Weaknesses in interconnected web of composable protocols and forked code

mirror-rekt

  • Lock contract: [08DD2B70F6C2335D966342C20C1E495FD7A8872310B80BAF3450B942F79EBC1F]
  • Mirror-wrapped stocks (mAssets): mBTC, mETH, mDOT, mGLXY
  • Bug Types mentioned in the article:
    1. Logic bug
    2. Mispricing
    3. Out-of-date oracle

mixin-rekt

Note: The article does not mention any specific bug types other than these.

monkey-business

  • Contract names: Bored Ape Yacht Club, ApeCoin
  • Contract hex addresses: N/A (not mentioned in the article)
  • Bug types mentioned in the article:
    • Phishing scams
    • Exploiting bugs in the OpenSea UI
    • BAYC Discord being compromised
    • Instagram hack
    • Failed transactions during the Otherdeeds mint
    • Gas optimization issues with the mint contract.

monox-rekt

  • Contract names and hex addresses:

    • Monoswap contract (Polygon): 0x3826367A5563eCE9C164eFf9701146d96cC70AD9
    • Monoswap contract (Ethereum): 0xC36a7887786389405EA8DA0B87602Ae3902B88A1
    • Exploit contract (Polygon): 0x119914de3ae03256fd58b66cd6b8c6a12c70cfb2
    • Exploit contract (Ethereum): 0xf079d7911c13369e7fd85607970036d2883afcfd
    • Stolen funds address (Polygon): 0x8f6a86f3ab015f4d03ddb13abb02710e6d7ab31b
    • Stolen funds address (Ethereum): 0x8f6a86f3ab015f4d03ddb13abb02710e6d7ab31b
  • Bug types mentioned in the article:

    • Pricing bug
    • Code vulnerability/exploit in swap contract
    • Lack of restriction on using the same asset for both tokenIn and tokenOut

moola-markets-rekt

  • Contract names:

    • Moola Market
    • MOO (protocol's native token)
  • Contract hex addresses:

    • Moola multisig: 0xd7f77169d5e6a32c5044052f9a49eb94697b25ed
    • Attacker's address: 0x95b5579b323ddc6cd290bd4da6e56ba019588efc
  • Bug types mentioned in the article:

    • Price manipulation
    • Collateral asset manipulation
    • Draining liquidity

multichain-r3kt

  • Contract names and hex addresses:
    • Multichain: 0x1eed63efba5f81d95bfe37d82c8e736b974f477b
    • Fantom: 0x6b6314f4f07c974600d872182dcde092c480e57b
  • Bug types mentioned in the article:
    • Insider dumping tokens
    • Loss of functionality on bridging routes
    • Hack
    • Rescue operation
    • Depegging of assets
    • Front end not accessible
    • Lack of access to domain account
    • Unforgivable off-chain security set-up
    • Lack of coverage of security practices in audits
    • Test-in-prod-from-idolised-devs era
    • Shortcut in auditing process
    • Cronje Curse

multichain-rekt2

  • Contracts and Their Hex Addresses:
    • FTM bridge contract: 0xc564ee9f21ed8a2d8e7e76c085740d5e4c5fafbe
    • Moonriver bridge contract: 0x10c6b61dbf44a083aec3780acf769c77be747e23
  • Bug Types:
    • An approvals draining attack
    • Bridging delays
    • Potential insider dumping
  • Other information:
    • The project was previously known as Anyswap
    • The team responded to the incident with vague explanations and mentioned "force majeure"
    • Fantom, which relies on Multichain for various assets, had no answers regarding the incident
    • The attacker was able to control the addresses directly
    • Possible attack vectors include a back-end breach, spearphishing, or the actions of a malicious insider
    • Funds have not been moved or swapped after being drained, possibly indicating involvement of a whitehat
    • Tether and Circle could potentially freeze $65 million of the funds
    • This is the second bridge hack in a week, following the Poly Network multisig compromise
    • Vitalik Buterin warned about the risks of cross-chain bridges and suggested a multi-chain future
    • Multichain is linked to Andre Cronje's decentralized monopoly project
    • Multichain joins other rekt projects on the leaderboard

nft-digital-art-enthusiast

  • Contract names and hex addresses mentioned in the article are not provided.
  • Bug types mentioned in the article are not explicitly mentioned.

nirvana-rekt

  • Contract names: Solend (lending protocol), Nirvana's Treasury contract
  • Contract hex addresses:
    • Attacker's address: 76w4SBe2of2wWUsx2FjkkwD29rRznfvEkBa1upSbTAWH
    • Attack tx: LyUnvdY9KBQiVRFqmSzGUfCuPGqYX1xNHCWLWxWZ4MvgLcNis2Kui6T25Ayai5UzpTAFkSRSgriKb3pM8tAoeR5
    • Nirvana's Treasury contract: CxuuSEv67PzNkMxqCvHeDUr6HKaadoz8NhTfxbQSJnaG

Bug types mentioned in the article:

  • Flash loan attack
  • Exploiting the price of ANA through inflating and cashing out
  • Bridging stolen funds via Wormhole to the attacker's ETH address

nomad-rekt

  • Nomad Bridge
  • Replica contract (0xB92336759618F55bd0F8313bd843604592E27bd8)
  • Moonbeam
  • EVMOS
  • Milkomeda
  • Rari Capital (Arbitrum)
  • 0x56D8B635A7C88Fd1104D23d632AF40c1C3Aac4e3
  • 0xBF293D5138a2a1BA407B43672643434C43827179
  • 0xB5C55f76f90Cc528B2609109Ca14d8d84593590E

Bug types mentioned in the article:

  • Fatal security flaw
  • Messages read as valid by default
  • Invalid transactions read as trusted root
  • Lack of validation requirement
  • Delayed response time
  • Vulnerabilities pointed out in Quantstamp audit

Note: The article does not explicitly label these as "bug types," but they are mentioned in the context of security flaws and vulnerabilities.

nxm-hugh-speaks-out

  • Contract names: Nexus Mutual, Coinbene
  • Contract hex addresses: N/A
  • Bug types mentioned in the article:
    1. Compromised machine
    2. Malware
    3. Hacker attack
    4. Fraud
    5. Credit card fraud
    6. International coordination challenges
    7. Lack of experience in dealing with crypto-related cases
    8. Potential for insurance scams
    9. Lack of secure personal wallets with user-friendly interfaces

on-flash-loans

  • Contract names and hex addresses:
    • Value: 0xBlahBlah
    • Flash Loans: 0xBlahBlah
    • ERC20 projects: 0xBlahBlah
    • Furucombo: 0xBlahBlah
    • DeFiSaver: 0xBlahBlah
  • Bug types mentioned in the article:
    • Flash loan powered exploits
    • Weak projects in DeFi
    • Incentivizing unethical behavior
    • Security vulnerabilities in DeFi projects

orion-protocol-rekt

Contract names and contract hex addresses:

  1. ExchangeWithAtomic contract: 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (ETH), 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (BSC)
  2. Attacker address 1: 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (ETH), 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1 (BSC)
  3. Attacker address 2: 0x837962b686fd5a407fb4e5f92e8be86a230484bd (ETH), 0x837962b686fd5a407fb4e5f92e8be86a230484bd (BSC)

Bug types mentioned in the article:

  1. Reentrancy exploit
  2. Vulnerabilities in mixing third-party libraries

overcompensated

  • Comptroller contract: 0x3d9819210a31b4961b30ef54be2aed79b9c9cd3b
  • EXP bug
  • Incorrect calculations in the comptrollerImplementation contract
  • ">"
  • ">="

paid-rekt

  • Contract names: Burn, Mint
  • Contract hex addresses: 0xd500aa2cffb70f460f4da6afa038ce35bed029bc, 0x18738290af1aaf96f0acfa945c9c31ab21cd65be
  • Bug types mentioned in the article:
    1. Rugged Amount
    2. Compromised private keys
    3. Suspected inside job
    4. Mint capability warning
    5. Dumping of tokens
    6. Price manipulation
    7. Hack or exploit

pancakebunny-rekt

  • Contract names: Pancake Bunny Finance, VaultFliptoFlip
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    • Bug in the protocol that uses PancakeSwap to retrieve prices of PancakeSwap liquidity providers
    • Flash loan attack
    • Manipulation of prices on PancakeSwap pools
    • Skewed calculation of BUNNY from the VaultFliptoFlip vault
    • Minting and selling of large amounts of BUNNY tokens
    • Price drop of BUNNY token
    • Vulnerability to flash loan attack despite undergoing a Haechi audit
    • Non-audited and changeable external contracts
    • Weakness in the "helper" function to flash loans' attack

pancakebunny2-rekt

  • Contract name: polyBUNNY minter
  • Contract hex address: 0xa6021d8c36b2de6ceb4fe281b89d37d2be321431
  • Bug types mentioned in the article:
    1. Exploiting the polyBUNNY minter
    2. Depositing a small amount in one of the Bunny Vaults and a large amount directly to MiniChefV2 (SushiSwap)
    3. Calling the function withdrawAll to execute the attack
    4. Generating a performance fee and minting polyBUNNY to the attacker
    5. Dumping polyBUNNY for WETH
    6. Repaying AAVE's flashloan and exiting the attack
    7. Price manipulation leading to a decrease in the price of polyBunny

pickle-finance-rekt

  • Contract names and hex addresses:
  • Bug types mentioned in the article:
    • Vulnerability involving fake "Pickle Jars"
    • Lack of whitelist for allowed Jars
    • Fake Pickle Jar creation
    • Failure of "withdrawAll" transaction
    • 12-hour timelock in the Governance DAO
    • Copycat attacks
    • Exploit in "swapExactJarForJar" function in "controller-v4.sol"

platypus-finance-rekt

  • Contract names: Platypus Finance, USP (Platypus stablecoin)
  • Contract hex addresses:
    • Attacker's address: 0xeff003d64046a6f521ba31f39405cb720e953958
    • Attack tx: 0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
    • Attack contract: 0x67afdd6489d40a01dae65f709367e1b1d18a5322
  • Bug types mentioned in the article:
    • Flaw in USP solvency check mechanism
    • Faulty check mechanism when withdrawing collateral
    • Neglecting to check the effect of borrowed funds when withdrawing collateral
    • Draining liquidity from other stablecoins through swaps
    • Depegging of USP by over 50%
    • Freezable loot left in centralised stables
    • Potentially inexperienced amateur hacker
    • Lack of OPSEC by the hacker

politics-and-prescience

  • No specific contract names or contract hex addresses are mentioned in the article, so none can be provided.
  • Bug types mentioned in the article:
    • Uncertainty in prediction
    • Lack of mainstream adoption for decentralised prediction market platforms
    • Low liquidity in decentralised prediction markets
    • Disparity in predictions between different platforms and traditional models
    • Possible influence of election meddling and voter suppression on predictions
    • Limited access to prediction markets for statistical/politics experts
    • Potential inefficiency of political polls compared to prediction markets
    • Lack of inside information in the current election
    • Possibility of statisticians being proven wrong again in the future
    • Speculation on how a Biden victory may affect Bitcoin and the crypto market
    • Debate on whether a "hands-off" approach or regulatory involvement is preferable for the crypto industry
    • Drifting apart of Bitcoin and DeFi sectors
    • Growing demand for alternative currencies
    • Scarcity for sports gamblers leading to interest in cryptocurrency-based prediction markets
    • Importance of data and AI in prediction markets.

poly-network-rekt2

  • Contract names: EthCrossChainManager
  • Contract hex addresses:
    • Attacker’s main ETH address: 0xe0Afadad1d93704761c8550F21A53DE3468Ba599
    • Example tx: 0x1b8f8a38895ce8375308c570c7511d16a2ba972577747b0ac7ace5cc59bbb1c4 (deposit on ETH), 0x5c70178e6dc882fba1663400c9566423f8942877a0d42bb5c982c95acc348e31 (withdrawal on BSC)
    • EthCrossChainManager contract: 0x14413419452aaf089762a0c5e95ed2a13bbc488c

Bug types mentioned in the article:

  • Compromised keys
  • Multisig vulnerability

polynetwork-rekt

popsicle-rekt

  • Contract names and hex addresses:
  • Bug types mentioned in the article:
    • Lack of proper fee accounting when LP tokens are transferred
    • Exploitation of the RewardDistribution bug
    • Flashloan attack
  • Other points mentioned:
    • $20 million TVL lost
    • Peckshield audited the code and published a post-mortem
    • Peckshield's decision to publish the post-mortem instead of Popsicle Finance
    • Criticism of auditors for missing a known bug.

punkprotocol-rekt

  • Contract names:

    • Punk Protocol
    • CompoundModel.sol
  • Contract hex addresses:

    • Malicious contract: 0x1695ce70da4521cb94dea036e6ebcf1e8a073ee6
    • Wallet: 0x1d5a56402425c1099497c1ad715a6b56aaccb72b
    • Attacker's contract: 0x597d11c05563611cb4ad4ed4c57ca53bbe3b7d3fefc37d1ef0724ad58904742b
    • Recovered funds: 0xec36e96739b0fe73f5d078952850d1fc608e7652
  • Bug types mentioned in the article:

    • Missing Modifier in the initialize() function
    • Use of delegateCall() to replace forgeAddress with a malicious contract
    • Lack of an "initializer" Modifier allowing execution of manipulated function
    • Failure of OnlyForge Modifier to detect abnormality

qubit-rekt

  • Contract names: Qubit Finance, QBridgeHandler
  • Contract hex addresses: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7
  • Bug types mentioned in the article:
    1. Logic bug in the code allows xETH to be used on BSC without depositing ETH on Ethereum.
    2. The tokenAddress.safeTransferFrom() function does not revert when the tokenAddress is the zero address (0x0).
    3. The deposit function should not have been used after the development of depositETH, but it remained in the contract.

rari-capital-rekt

  • Contract names: Rari Capital governance token ($RGT), BNB, Alpaca Finance, PancakeSwap, SushiSwap, Alpha Homora, vSafeWBNB, Anyswap
  • Contract hex addresses: Rari Capital ETH pool (https://etherscan.io/tx/0xb7faca63a73d5d0490dda1c390577db3f30414cd91ce462e45c1e7f37c258519)
  • Bug types mentioned in the article:
    1. Exploitation of fake token creation and pooling
    2. Exploitation of approve() function vulnerability
    3. Conversion of vSafeWBNB to WBNB
    4. Transfer of WBNB to Ethereum through Anyswap
    5. Fake token and pool creation on SushiSwap
    6. Exploitation of payload in Alpha Homora for obtaining ibETH
    7. Conversion of ibETH to ETH in Rari ETH pool
    8. Gas manipulation for transaction cancellation
    9. Similar attack technique to Evil Pickle Jar exploit
    10. Interoperability between DeFi protocols leading to easier exploits.

raydium-rekt

reef-vs-alameda

  • Contract names and hex addresses:
    • REEF token contract: 0x94e509b0f855297c0b99ab61bff027e0ad114121
    • Other transaction contracts:
  • Bug types mentioned in the article:
    • Instant selling of tokens received at a discount
    • Shaky deal confirmation
    • Backtracking on a trade
    • Unethical behavior (if within the contract)
    • Emotional decision-making
    • Deleted tweets and poll
    • Threatening to delist based on a deal gone wrong
    • Centralized systems vs decentralization debate

rekt-is-one

Contract names and contract hex addresses:

  1. "rekt.news genesis" NFTs: No specific contract names or addresses provided.
  2. "Poly Network" NFT: No specific contract name or address provided.
  3. "Pancake Bunny" NFT: No specific contract name or address provided.
  4. "Meerkat Finance" NFT: No specific contract name or address provided.

Bug types mentioned in the article:

  1. None mentioned in the article.

rekttv-sbf-vs-julien-bouteloup

  • Contract names and hex addresses mentioned in the article:

    • FTT token (hex address not provided)
    • C.R.E.A.M (hex address not provided)
    • Yearn (hex address not provided)
    • Blue Kirby ICO (hex address not provided)
    • Serum (hex address not provided)
    • Ethereum (hex address not provided)
    • Solana (hex address not provided)
    • Loopring (hex address not provided)
  • Bug types mentioned in the article:

    • Inaccurate information
    • One-sided takes
    • Unexpected interaction
    • Keys of SushiSwap obtained without knowledge
    • Shorting
    • Sensitive customer information
    • Putting FTT on a centralized token
    • Multi-sig access
    • Attempt to rugpull
    • Forking a smart contract
    • Layer 2 and layer 1 networks
    • Bitcoin maximalist perspective

Note: No specific hex addresses were provided for the mentioned contracts.

remitano-rekt

  • Contract names: Stake, CoinEx, Lazarus, Remitano
  • Contract hex addresses:
    1. ETH: 0x74530e81e9f4715c720b6b237f682cd0e298b66c
    2. TRON: TEDNf1aqk8YJEUdNH9NRd4MqibZmdP49Fm
  • Bug types mentioned in the article:
    1. Private key compromise
    2. Data breach
    3. Slow response to the attack
    4. Incomplete industry response
    5. Funds with clear links to Lazarus freely moving in and out of exchanges
    6. Failure to secure wallets
    7. Lawless cryptosphere stereotype
    8. Lack of action by well-respected exchanges
    9. Flaws in industry technology

return-to-the-dark-forest

  • Contract names and hex addresses:
    • No contract names or hex addresses are mentioned in the article.
  • Bug types mentioned in the article:
    • Frontrunning
    • Pay-to-play infrastructure
    • Mining collusion

revest-finance-rekt

  • Financial NFT platform Revest Finance fell victim to a reentrancy attack
  • The attack was reported by the BLOCKS DAO development team
  • Significant losses were also suffered by EcoFi and RENA Finance
  • The Revest team halted transfers of RVST tokens to prevent further losses
  • The attack impacted the price of BLOCKS and ECO tokens
  • The root-cause of the attack was a reentrancy vulnerability in the ERC1155 minting contract
  • The mintAddressLock function was used to create new Smart Vaults
  • The attack exploited a delay in updating the fnftId parameter, allowing for additional funds to be added to an existing position
  • The attacker used multiple transactions to open and overwrite positions with zero value tokens
  • The attacker then used the withdrawFNFT function to withdraw a large amount of Rena tokens
  • Approximate losses included 350k RENA, 715M BLOCKS, and 7.7M ECO tokens
  • Smaller amounts of ConstitutionDAO and LUKSO tokens were also stolen
  • After swapping the stolen tokens for ETH, the attacker deposited the funds into Tornado Cash
  • The vulnerability was not identified in the project's audit
  • Revest's quick response and post-mortem report are promising signs

ripmevbot

Contract names and contract hex addresses mentioned in the article:

Bug types mentioned in the article:

  • Flaw in the bots arbitrage contract code
  • Improper protection of the function used to execute the dYdX flashloans
  • Code allowing for arbitrary execution, leading to unauthorized approval of WETH
  • Message sent threatening the attacker
  • Return funds demand by the attacker

rocketswap-rekt

  • Contract names:
    • RocketSwap
    • Base
  • Contract hex addresses:
    • Attacker's address: 0x96c0876F573e27636612CF306C9db072d2B13DE8
  • Bug types mentioned in the article:
    • Compromised private keys
    • Brute force attack
    • High-risk permissions
    • Transfer of assets
    • Redeploying farming contracts directly
    • Relinquishing minting privileges
    • Bridging ETH back to Ethereum
    • Launching a memecoin
    • Messy start
    • Quick rugs
    • Rugged project

roll-rekt

  • Contract names and hex addresses:
  • Bug types mentioned in the article:
    • Possible private key compromise or inside job
    • Fixed token supply model with trust assumptions
    • Poor management decisions
    • Audit oversight

ronin-rekt

Contract names and contract hex addresses mentioned in the article:

  • Ronin Network
  • Sky Mavis
  • Axie DAO
  • Ronin Bridge contract: 0x1a2a1c938ce3ec39b6d47113c7955baa9dd454f2
  • Attacker's address: 0x098b716b8aaf21512996dc57eb0615e2383e2f96

Bug types mentioned in the article:

  • Security breach
  • Vulnerability
  • Compromised validators
  • Unauthorized access
  • Lack of monitoring
  • Lack of awareness
  • Failure to revoke access
  • Unauthorized transactions
  • Theft
  • Lack of decentralization

saddle-finance-rekt

  • Contract names: Saddle Finance, Curve Finance
  • Contract hex addresses: not provided in the article
  • Bug types mentioned in the article:
    • Lack of innovation
    • Copying an existing product without adding value
    • High slippage warnings
    • Security issues identified in the Quantstamp audit
    • Lack of understanding of gas optimization
    • Difficulty in merging changes from Curve Finance
    • Lackluster porting of code from Vyper to Solidity
    • Reduction of CRV rewards to the tBTC pool

saddle-finance-rekt2

safedollar-rekt

  • Contract name: SafeDollar
  • Contract hex address: 0x742ad5057abd4c3ed4f851085297ff15f865438d
  • Bug types mentioned in the article:
    • Infinite mint exploit
    • Manipulation of accSdoPerShare value
    • Deduction of fees from rewarder balance instead of user balance
    • Skewed rewards system

safemoon-rekt

  • Contract names: Safemoon, Safemoon: Deployer
  • Contract hex addresses:
    • Safemoon: Deployer - 0x678ee23173dce625a90ed651e91ca5138149f590
    • Token contract - 0x42981d0bfbaf196529376ee702f2a9eb9092fcb5
    • New implementation contract - 0xeb11a0a0bef1ac028b8c2d4cd64138dd5938ca7a
  • Bug types mentioned in the article:
    • Vulnerability in the burn() function allowing anyone to burn SFM tokens from any address
    • Exploitation of the vulnerability to inflate the price of SFM tokens in the pool and drain BNB liquidity

sbf-mask-off

  • Contract names and hex addresses:

    1. FTX.com (hex address not mentioned)
    2. Alameda (hex address not mentioned)
    3. FTX Accounts Drainer (hex address: 0x59abf3837fa962d6853b4cc0a19513aa031fd32b)
  • Bug types mentioned in the article:

    1. Compromised systems integrity
    2. Faulty regulatory oversight
    3. Concentration of control in the hands of inexperienced, unsophisticated, and potentially compromised individuals
    4. Misuse of customer funds
    5. Unsecured group email account used to access confidential private keys
    6. Absence of daily reconciliation of positions on the blockchain
    7. Use of software to conceal the misuse of customer funds
    8. Secret exemption of Alameda from certain aspects of FTX.com's auto-liquidation protocol
    9. Absence of independent governance between Alameda and FTX.com.

sbf-regulator

  • Contract names and Hex addresses:

    • No specific contract names or hex addresses mentioned in the article.
  • Bug types mentioned in the article:

    • Threatening the concept of decentralization
    • Requiring front-ends to register as broker-dealers with KYC obligations
    • Stifling the growth and innovation of the industry
    • Positioning oneself as a gatekeeper and regulatory authority
    • Favoring compliance and regulation over the core ethos of DeFi
    • Consolidating power and handicapping competition
    • Transitioning from CeFi to DeFi with TradFi-friendly proposals
    • Focusing on regulation and regulated crypto access
    • Creating a career in RegFi while offering demo-version DeFi for others.

schrodingers-stolen-nft

  • SuperMassive
  • Schrödinger’s cat
  • The Rug Pull
  • Prisoner's dilemma
  • Exploited code
  • Digital art heist
  • Copenhagen interpretation
  • Open to interpretation
  • Bug types are not specifically mentioned in the article

sheeple

  • Contract names and hex addresses are not provided in the article.
  • No specific bug types are mentioned in the article.

shibarium-bridge-rekt

  • Contract names: Shibarium (ETH bridge), Shibarium (BONE bridge)
  • Contract hex addresses:
    • ETH bridge: 0xc3897302ab4b42931cb4857050fa60f53b775870
    • BONE bridge: 0x885fcE983b6a01633f764325B8c3c5D31032C995

Bug types mentioned in the article:

  • Faulty bridge
  • Transactions stalled
  • Chain stopped producing blocks
  • Inability to initiate withdrawals from the L2 side
  • Upgradeability bug

shitcoins

  • Contract names and contract hex addresses mentioned in the article:
    1. Safemoon: 0x8076c74c5e3f5852037f31ff0093eeb8c8add8d3
    2. Scamcoin: No specific contract address mentioned
    3. $Ass: 0x55d398326f99059ff775485246999027b3197955 (note: this address is the Binance-pegged USDT token, BSC-USD, on BSC, so its attribution to an $Ass token here is wrong)
    4. $Cummies: No specific contract address mentioned
  • Bug types mentioned in the article:
    1. Cash grabs and scams
    2. Low quality projects
    3. Tokens with no purpose
    4. Tokens solely built to gain attention
    5. Lack of effort in project development
    6. Lack of long-term vision
    7. Chaotic and volatile market
    8. Gambling mentality
    9. Marketing surpassing technology
    10. Permanent record of wallet transactions
    11. Poor financial decisions

sifu-scandal

  • Contract names and hex addresses are not mentioned in the article.
  • Bug types mentioned in the article:
  1. Mismanagement of funds
  2. Lack of transparency
  3. Mixing personal wallets with treasury funds
  4. Centralized decision-making
  5. Fraudulent activity
  6. Conspiracy to commit credit card fraud, burglary, grand larceny, and computer fraud

silvergate-rekt

  • Contract names: N/A
  • Contract hex addresses: N/A
  • Bug types mentioned in the article:
    • Financial losses
    • Lack of due diligence
    • Regulatory pressure
    • Collapse of business relationships
    • Trustworthiness of financial institutions

skyward-rekt

  • Contract names: RedeemSkyward
  • Contract hex address: 5ebc5ecca14a44175464d0e6a7d3b2a6890229cd5f19cfb29ce8b1651fd58d39

Bug types mentioned in the article:

  • Lack of proper verification of the token_account_ids parameter
  • Ability for the attacker to repeatedly pass their withdrawal within the transaction

snowdog-rekt

  • Contract Names: Snowdog, Snowbank
  • Contract Hex Addresses:
    • Snowdog: Not mentioned in the article.
    • Snowbank: Not mentioned in the article.
  • Bug types mentioned in the article:
    • Price manipulation
    • Inside job suspicion
    • Deception
    • Sniping bots
    • ChallengeKey source of suspicion
    • Failed botted transactions
    • Bubble popping

sovryn-rekt

  • Contract names and hex addresses:
    • RBTC (RSK-bridged BTC) pool: Hex address not mentioned
    • USDT pool: Hex address not mentioned
  • Bug types mentioned in the article:
    • Exploit due to the "external call of callTokensToSend function"
    • Attack contract deployment and use of flashloan
    • Manipulation of side tokens and loan tokens
    • Use of mint function in the attack contract
    • Inaccurate calculation of loan token price in tokenPrice function
    • Use of burn function to convert loan tokens to side tokens
    • Stolen funds deposited into Tornado Cash

spartan-rekt

  • Contract names: Spartan pool (PeckShield is named in the article as the security firm that analysed the attack, not a contract)
  • Contract hex addresses: N/A (not mentioned in the article)
  • Bug types mentioned in the article:
    1. Flawed logic in calculating liquidity shares
    2. Flash loan exploit
    3. Inflating the balance of the pool
    4. Manipulation of liquidity share calculation
    5. Slippage leading to decreased profit

spotlight-on-solana

  • Contract names: Wormhole, Gulf Stream (Gulf Stream is Solana's transaction-forwarding protocol, not a contract)
  • Contract hex addresses: Not mentioned in the article.
  • Bug types mentioned in the article:
    • Lack of on-chain user activity on Solana.
    • Potential centralization of Solana due to a large percentage of token supply being owned by VCs and insiders.
    • Artificially inflated transaction numbers on Solana due to the majority of transactions being voting "transactions" rather than real transactions.
    • Congestion issues on Solana when reaching around 50% capacity.
    • Comparisons and competition between Ethereum and Solana in terms of scaling and decentralization.
    • Replication of successful Ethereum projects on Solana without offering anything new.
    • Questioning the value and importance of decentralization in the face of cheaper and faster but centralized chains.

stable-coins-the-empire-strikes-back

  • Contract names and hex addresses:
    • G7: No specific contract name or hex address mentioned in the article.
    • Diem (rebranded Facebook currency): No specific contract name or hex address mentioned in the article.
    • STABLE act: No specific contract name or hex address mentioned in the article.
    • Tether: No specific contract name or hex address mentioned in the article.
  • Bug types mentioned in the article:
    • Attempts to regulate stablecoins and prevent mass adoption
    • Smearing the industry and slowing progress through legislation
    • Exploiting public's fear of the pandemic and desire for racial equality
    • Violence in the digital age (metaphorical reference)
    • Fall of Tether due to US regulation
    • Monitoring of on and off ramps to cryptocurrency by jealous governments
    • Inevitable stablecoin adoption
    • Competition between nations and corporations to release widely adopted and regulated stablecoins
    • Strategy behind the STABLE act that may not be immediately apparent
    • Globalisation of culture, currency, and commerce
    • Brain drain and movement of brightest minds to countries with favorable financial regulation
    • Governments' adaptability and their ability to please the masses and the new financial elite
    • Money 3.0 and its flexibility in different jurisdictions
    • Government adaptation and the falling of non-adapting governments
    • The power dynamics in cyberspace.

stablemagnet-rekt

  • StableMagnet contract hex address: unknown
  • SwapUtils library contract hex address: 0xE25d05777BB4bD0FD0Ca1297C434e612803eaA9a
  • BUSD sent to Binance hot wallet contract hex address: 0x2bac04457e5de654cf1600b803e714c2c3fb96d7
  • Tether received on ETH chain contract hex address: 0xDF5B180c0734fC448BE30B7FF2c5bFc262bDEF26
  • Tether changed to DAI contract hex address: 0xe5daac909a3205f99d370bc2b32b1810a4912a07

Bug types mentioned in the article:

  • Rugpull attack
  • Unverified source code
  • Exploit in SwapUtils library
  • Funds drained from pairs
  • Tokens transferred to everyone who had approved StableMagnet
  • Stolen funds split between multiple addresses
  • Binance KYC process questioned
  • Draining of users' wallets
  • Multiple rugpulls by the same group
  • Techrate audit not verifying deployed contract
  • Auditor becoming the number one suspect
  • Stolen funds converted to DAI

stake-rekt

  • Contract names: Stake
  • Contract hex addresses:
    • Ethereum: 0x974caa59e49682cda0ad2bbe82983419a2ecc400
    • Polygon: 0x019d0706d65c4768ec8081ed7ce41f59eef9b86c
    • BSC: 0xfa500178de024bf43cfa69b7e636a28ab68f2741
  • Bug types mentioned in the article:
    • Compromised private keys
    • Loss of funds
    • Suspicious transactions
    • User withdrawals suspended
    • Delay in communication
    • Omissions in official comms
    • Drained funds into hacker addresses
    • Non-native assets swapped to native tokens
    • Lack of disclosure of access to private keys in CeFi platforms
    • Holding large sums in hot wallets with a single set of private keys

steadefi-rekt

  • Contract names and hex addresses:

    • Deployer address: not specified
    • USDC vault on Arbitrum: address not given; the vault is referenced through tx 0x1e94a17f392c77fd897b4bfb66a1364b5508de6b2a36f3b0227a4a9ca4a657f0
    • Attacker's address: 0x9cf71F2ff126B9743319B60d2D873F0E508810dc
  • Bug types mentioned in the article:

    • Compromised deployer address
    • Account compromise
    • Phishing (potential state-sponsored phisherman)
    • Inability to withdraw funds due to paused farms contract

sturdy-rekt

  • Contract names: SturdyOracle, Attack contract
  • Contract hex addresses:
    • SturdyOracle: 0x1e8419e724d51e87f78e222d935fbbdeb631a08b
    • Attack contract: 0x0b09c86260c12294e3b967f0d523b4b2bcdfbeab
  • Bug types mentioned in the article:
    • Price manipulation exploit
    • Flash loan attack
    • Reentrancy vulnerability
    • Oracle vulnerability

superfluid-rekt

  • Attacker’s address: 0x1574f7f4c9d3aca2ebce918e5d19d18ae853c090
  • Exploit tx: 0xdee86cae2e1bab16496a49b2ec61aae0472a7ccf06f79744d42473e96edd6af6
  • Assets taken:
    • 19.4M QI (sold in four transactions for a total of 2.3k WETH)
    • 24.4 WETH
    • 563k USDC (sold for 173 WETH)
    • 45k SDT (sold for ~17 WETH)
    • 24k STACK (sold for ~6.2 WETH)
    • 39k sdam3CRV (swapped to am3CRV, then to ~44k amDAI)
    • 1.5M MOCA (1M sold for 173 WETH)
    • 11k MATIC (not yet sold)
  • 6 hours after the attack, Superfluid patched the bug with help from Mudit Gupta.
  • The vulnerability allowed the attacker to craft calldata to impersonate other accounts.
  • The exploit contract demonstrated how the vulnerability could be used to close open streams and drain funds from other accounts.
  • The chain of function calls involved deleteAnyFlowBad, Superfluid.callAgreement, ConstantFlowAgreementV1.createFlow, and AgreementLibrary.authorizeTokenAccess.
  • The fake ctx injected by the attacker caused the agreement contract to ignore the legitimate ctx.
  • Superfluid has reached out to the attacker on-chain and has a $1M bounty remaining for the return of the funds.
  • Most of the affected accounts have already been refunded, and larger losses will be compensated more gradually.
  • The exploit affected other protocols, causing negative price impacts on their tokens.
  • The DAO infrastructure presents more targets for anonymous attackers in DeFi.

sushi-yoink-rekt

  • Contract names: RouteProcessor2 contract, Univ3 pool
  • Contract hex addresses: 0x044b75f554b886A065b9567891e45c79542d7357
  • Bug types mentioned in the article:
    1. Insufficient protection against accepting arbitrary data
    2. Fake liquidity pool insertion
    3. Drain/stealing of tokens from approved addresses
    4. Bad callback function
    5. Impersonation of V3Pool
    6. Lack of check on the pool deployer
    7. No-op swap
    8. Arbitrary ERC20 token transfer
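
The callback bug class listed above, as an added example (hypothetical router, not the RouteProcessor2 source): a router that remembers whatever "pool" the route data named and pays whoever calls back, beside one that resolves the pool through the factory, binds the payer to the original caller, and accepts callbacks only from the canonical pool. IUniswapV3Factory.getPool and IUniswapV3Pool.swap are the real Uniswap V3 signatures; everything else is invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Real Uniswap V3 interfaces (subset).
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IUniswapV3Pool {
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

// Hypothetical router with the bug class: the "pool" comes from the route
// data, and the callback trusts both that address and the payer/token it is handed.
contract RouterVulnerable {
    address private lastCalledPool;

    function swapV3(address pool, bool zeroForOne, int256 amountIn, uint160 limit, bytes calldata data) external {
        lastCalledPool = pool; // any contract, not necessarily a pool
        IUniswapV3Pool(pool).swap(msg.sender, zeroForOne, amountIn, limit, data);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "not pool"); // the fake pool passes this check
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // A fake pool chooses tokenIn, payer and owed: an arbitrary transferFrom
        // from anyone who ever approved this router.
        require(IERC20(tokenIn).transferFrom(payer, msg.sender, owed), "pull failed");
    }
}

// Hardened: the pool is resolved from the factory, the payer is the caller,
// and the callback accepts only the canonical pool for the (tokenIn, tokenOut, fee)
// the router encoded itself.
contract RouterFixed {
    IUniswapV3Factory public immutable factory;

    struct CallbackData { address tokenIn; address tokenOut; uint24 fee; address payer; }

    constructor(IUniswapV3Factory _factory) { factory = _factory; }

    function swapV3(address tokenIn, address tokenOut, uint24 fee, int256 amountIn, uint160 limit) external {
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "no such pool");
        bool zeroForOne = tokenIn < tokenOut; // token0 is the lower address
        bytes memory data = abi.encode(CallbackData(tokenIn, tokenOut, fee, msg.sender));
        IUniswapV3Pool(pool).swap(msg.sender, zeroForOne, amountIn, limit, data);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        CallbackData memory d = abi.decode(data, (CallbackData));
        // Only the pool the factory deployed for this triple may call back.
        require(msg.sender == factory.getPool(d.tokenIn, d.tokenOut, d.fee), "not a canonical pool");
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        require(IERC20(d.tokenIn).transferFrom(d.payer, msg.sender, owed), "pull failed");
    }
}
```

The factory check is what closes the hole: a genuine pool only ever echoes the data the router passed into swap(), and that data carries the caller as payer. An attacker can still create a real pool for a token of their own through the factory, but then the payer is the attacker, so nothing belonging to other approvers can be pulled.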

sushiswap-grey-area

  • Contract names and hex addresses:
    • Goldentree: 0x9C2ba3E13616e27eC15E799797424B0c3D00cEB1
  • Bug types mentioned in the article:
    • Rug pulling
    • Copyright infringement
    • Shady marketing techniques
    • Unauthorized access to user funds
    • Lack of oversight in wallet software release
    • Malpractice accusations

sushiswap-saved-0xmaki-speaks-out

  • contract names: SushiSwap, Sushibar
  • contract hex addresses: 0x1925e832c22522e0d9947ee4677120b2f28e4cd4
  • Bug types mentioned in the article:
    • Exploit/bug in the Sushibar smart contract
    • Bypassing the boring app
    • Unauthorized claiming of LP tokens instead of claiming sushi
    • Stealing funds
    • Automation of transactions

sushiswap-scandal

  • Hex addresses of mentioned contracts are not provided in the article.

Bug types mentioned in the article:

  • Internal conflict
  • Mismanagement of funds
  • Uneven distribution of bonuses
  • Use of community funds without approval
  • Gross incompetence
  • Toxic workplace behavior

swaprum-rekt

  • Contract names: Swaprum, Merlin DEX
  • Contract hex addresses:
  • Bug types mentioned in the article:
    • Rug pull
    • Backdoor function
    • Theft of funds by draining liquidity
    • Compromise of the owner account
    • Malicious insiders
    • External threats
    • Change in contract implementation
  • Certik's security score for Swaprum: "Exit Scam"

teamfinance-rekt

templedao-rekt

  • Contract names:

    • TempleDAO's STAX
    • StaxLPStaking
  • Contract hex addresses:

    • TempleDAO's STAX: 0xd2869042e12a3506100af1d192b5b04d65137941
    • Attacker's contract: 0x2df9c154fe24d081cfe568645fb4075d725431e0
    • Attacker's address: 0x9c9fb3100a2a521985f0c47de3b4598dafd25b01
    • Funds forwarded address: 0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0
  • Bug types mentioned:

    • Lack of valid checks when executing the migrateStake() function
    • Exploiting the ability to specify an arbitrary deposit amount and address
    • Unauthorized access to funds
    • Basic oversight in contract code
    • Reputation damage to the project
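
The migrateStake() oversight, as an added example (hypothetical staking contracts, not TempleDAO's code): the vulnerable version lets the caller name the contract that vouches for its old stake, so a contract the caller wrote can vouch for any amount; the hardened version fixes the vouching contract at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// The legacy contract a migration is supposed to be confirmed by.
interface IOldStaking {
    function migrateWithdraw(address staker, uint256 amount) external;
}

// BUG: `oldStaking` is chosen by the caller, so the "confirmation" is worthless.
contract StakingVulnerable {
    IERC20 public immutable lpToken;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _lp) { lpToken = _lp; }

    function migrateStake(address oldStaking, uint256 amount) external {
        IOldStaking(oldStaking).migrateWithdraw(msg.sender, amount); // attacker-controlled callee
        balanceOf[msg.sender] += amount;                              // credited on its say-so
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "transfer failed"); // pays out pooled LP
    }
}

// The attacker's "old staking" contract: confirms any migration, for anyone.
contract FakeOldStaking is IOldStaking {
    function migrateWithdraw(address, uint256) external override {}
}

// Hardened: the only contract allowed to vouch is fixed at deployment, and it
// is the one that reverts if `msg.sender` never staked `amount` there.
contract StakingFixed {
    IERC20 public immutable lpToken;
    IOldStaking public immutable oldStaking;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _lp, IOldStaking _old) {
        lpToken = _lp;
        oldStaking = _old;
    }

    function migrateStake(uint256 amount) external {
        oldStaking.migrateWithdraw(msg.sender, amount);
        balanceOf[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The whole attack against StakingVulnerable is three calls: deploy FakeOldStaking, call migrateStake(address(fake), lpToken.balanceOf(address(vulnerable))), then withdraw the same amount. A stricter design has the old contract push the migration itself, so the new contract's entry point is restricted to that one caller and never takes an amount from the user at all.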

the-big-combo

the-crooked-swerve

  • Contract name: Swerve Finance
  • Contract hex address: Unknown

Bug types mentioned in the article:

  • Pump and dump scheme
  • Excess distribution
  • Whales dumping tokens
  • Governance vote struggles
  • Lack of long-term value
  • Founder token allocation stripped out
  • Premine
  • Token binge
  • Unaudited code
  • Unknown developer
  • Questionable investments
  • Potential loss of funds
  • Decreased A factor without warning
  • Incompetence in managing the protocol
  • Permanent loss for users
  • Struggling to pass quorum on governance votes
  • Asking for help from VCs
  • False claims of being community-owned
  • Public humiliation
  • Potential deception of users

the-feast-of-defi-summer-is-over

  • Uniswap
  • Curve
  • SNX
  • YFI

Bug types mentioned in the article:

  • Price to earnings ratio (P/E)
  • Network Value to Transactions (NVT)
  • Tokenomics
  • Governance
  • Trading volume
  • Yield farming
  • Inflation schedule
  • Proxy trade tool
  • Volatility

the-return-of-cronje

  • EMN contract (no hex address provided)
  • LBI contract (no hex address provided)
  • Blue Kirby daemon (no hex address provided)

Bug types mentioned in the article:

  • Hack/exploit
  • Sudden decrease in price
  • Accidental loss of funds
  • Editing of Medium article
  • Deposit of funds into risky contract

the-second-layer

  • Contract names and hex addresses:
  • Bug types mentioned in the article:
    • Scalability challenge
    • Maintaining decentralization and security
    • High transaction fees
    • Need for L2 scalability
    • Uncertainty regarding the future reliance on L1 and L2
    • Early stages of technology development
    • Competition among different protocols
    • First mover advantage
    • Future of finance being cross chain
    • Progress made despite constraints of high gas costs and low transactions per second
    • Need for decreasing transaction costs and increasing TPS

the-whitepaper

  • Contract names: Yellow papers, Thirty pages, Thirty six pages, HEX whitepaper
  • Contract hex addresses: N/A
  • Bug types mentioned in the article:
    • Vapourware and empty promises
    • Market implosion
    • Perceived value melting away
    • Unpopular decisions leading to forked protocols
    • Untrustworthy forks turning into "blue chip" products
    • Code with more holes due to quick shipping
    • DeFi hacks
    • Seeking freedom and power through anonymity in DeFi

thorchain-rekt

  • Attacker Wallet: 0x3a196410a0f5facd08fd7880a4b8551cd085c031
  • Contract Address: 0x4a33862042d004d3fc45e284e1aafa05b48e3c9c
  • Tornado Address: 0x4b713980d60b4994e0aa298a66805ec0d35ebc5a
  • Bug located within the ETH Bifrost (bridge) code
  • Override loop in the code designed for vaultTransferEvent transactions
  • Hacker manipulated the override loop through their own contract
  • Mistakenly read the transaction's msg.value as the txvalue()
  • Exploit used in a loop to drain liquidity in various coins
  • Vulnerability left open despite an explicit comment in the code
  • Fix is to make the override happen only if the event specifically is a vaultTransferEvent

thorchain-rekt2

  • THORChain Router contract address: 0xc145990e84155416144c532e31f89b840ca8c2ce
  • THORChain Vault contract address: 0xf56cba49337a624e94042e325ad6bc864436e370
  • Attack contract address: 0x700196e226283671a3de6704ebcdb37a76658805
  • Attack wallet address: 0x8c1944fac705ef172f21f905b5523ae260f76d62

Bug types mentioned in the article:

  • Lack of proper multi-event handling
  • Vulnerability in the RUNE token contract code due to the use of tx.origin instead of msg.sender
  • Vulnerability in granting approval to a protocol to spend UniH, resulting in theft of RUNE balances.
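
The tx.origin issue, as an added example (hypothetical token and lure contract, not the RUNE source): a transfer that debits tx.origin lets any contract the victim happens to call spend the victim's balance with no approval at all, which is the mechanism behind the "approve a protocol, lose your RUNE" flow summarised above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical token with the tx.origin pattern.
contract TokenTxOrigin {
    mapping(address => uint256) public balanceOf;

    constructor(address to, uint256 supply) { balanceOf[to] = supply; }

    // BUG: the debited account is tx.origin, the EOA that signed the transaction,
    // not msg.sender. Whatever contract sits between the user and this call can
    // spend the user's balance without any allowance.
    function transferTo(address recipient, uint256 amount) external returns (bool) {
        balanceOf[tx.origin] -= amount;
        balanceOf[recipient] += amount;
        return true;
    }

    // Correct: the debited account is the caller, so a contract can only move
    // its own balance (or an allowance it was explicitly granted).
    function transfer(address recipient, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[recipient] += amount;
        return true;
    }
}

// The lure: any contract the victim is tricked into calling. The fake-token
// "approval" described above is one such lure; the function name is irrelevant.
contract Lure {
    TokenTxOrigin public immutable token;
    address public immutable thief;

    constructor(TokenTxOrigin _token, address _thief) {
        token = _token;
        thief = _thief;
    }

    function claim() external {
        // Entered from the victim's EOA, so inside transferTo tx.origin == victim.
        token.transferTo(thief, token.balanceOf(tx.origin));
    }
}
```

Nothing in the victim's wallet prompt mentions the real token: the signed transaction targets Lure, and the token contract does the rest. That is why tx.origin must never be used for authorisation; msg.sender plus an explicit allowance is the only pattern that keeps the spender visible to the user.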

three-arrows

  • Contract names and contract hex addresses: None mentioned in the article.
  • Bug types mentioned in the article: None mentioned in the article.

time-as-money

  • Contract names and their hex addresses:

  • Bug types mentioned in the article:

    • Value of NFTs being meaningless without inseparability from the artwork
    • The potential for footage to be easily swapped or manipulated
    • Lack of response from bidders and the creator of the NFT
    • Lack of permanence in some NFTs being sold today

tomb-finance-rekt

  • The raid of Tomb Finance
  • The contract names and contract hex addresses are not explicitly mentioned in the article.
  • Bug types mentioned in the article:
    • Exploiting the protocol's Gatekeeper fee system
    • Tax evasion
    • Deactivating the Gatekeeper
    • Losing the peg
    • Plummeting token price
    • Social media FUD frenzy
    • Rug or exploit (mentioned in the reader's report)
  • There may be other bug types not explicitly mentioned in the article.

tornado-gov-rekt

  • Exploiter address 1: 0x092123663804f8801b9b086b03b98d706f77bd59
  • Exploiter address 2: 0x592340957ebc9e4afb0e9af221d06fdddf789de9
  • The bug types mentioned in the article are:
    • Trojan horse proposal
    • Control takeover
    • Rerouting deposits/withdrawals
    • Admin status control
    • Self-destruct function
    • Metamorphic contracts
    • Unlocking and withdrawal from the vault
    • Full control of governance

tradfi-takeover

Contract names and contract hex addresses mentioned in the article:

  • Blackrock (Bitcoin ETF) - [hex address not provided]
  • WisdomTree (Bitcoin ETF) - [hex address not provided]
  • Valkyrie (Bitcoin ETF) - [hex address not provided]
  • Citadel-backed exchange - [hex address not provided]
  • Deutsche Bank (digital asset license) - [hex address not provided]
  • OPNX (CEX) - [hex address not provided]
  • 3AC Ventures (ecosystem partner) - [hex address not provided]
  • Prometheum (securities exchange) - [hex address not provided]

Bug types mentioned in the article:

  • Instinct to strike when prey is vulnerable
  • Tarnished industry reputation
  • Regulatory aggression
  • Compliance contradictions
  • Dismissive attitude of TradFi
  • Amateur behavior in faking volume and launching justice tokens
  • US regulatory battles for control
  • Surveillance and control concerns
  • Watering down of crypto's original goal

transit-swap-rekt

  • Transit Swap lost $21M to a vulnerability
  • The vulnerability allowed an unknown attacker to drain the wallets of users who had approved the protocol's swap contracts
  • Over $1M was lost in transit
  • The team paused the affected contracts
  • The attacker's IP, email address, and associated on-chain addresses were uncovered
  • Over 70% of the funds have been returned
  • The vulnerability was in the use of the transferFrom() function
  • Tokens approved for trading on Transit Swap could be transferred directly to the attacker's address
  • The attacker's address on ETH and BSC is 0x75f2aba6a44580d7be2c4e42885d4a1917bffd46
  • The vulnerable contract is 0xed1afc8c4604958c2f38a3408fa63b32e737c428
  • The returned funds have been consolidated into the address 0xD989f7B4320c6e69ceA3d914444c19AB67D3a35E
  • Stolen funds include 3180 ETH, 1500 Binance-pegged ETH, and 50k BNB
  • The exploiter's BSC address still holds over $3.5M in stolen BNB
  • Closed-source contracts make it difficult for users to DYOR and for whitehats to spot vulnerabilities
  • Closed-source code breeds suspicion and raises questions about insider involvement

treasure-dao-rekt

  • Contract name: Treasure DAO
  • Contract hex address: Not mentioned in the article

Bug types mentioned in the article:

  • Logic bug in the Marketplace's buyItem function
  • The logic bug allowed existing listings to be "bought" for no fee
  • Exploiter called buyItem() with zero quantity, paid 0, and still received the NFT
  • The simple fix to prevent the attack was to require that the quantity is greater than 0

Note: The article does not provide specific contract hex addresses for the Treasure DAO contract or the exploiter accounts mentioned.
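
The zero-quantity purchase, as an added example (hypothetical marketplace, not Treasure's code): the vulnerable buyItem() bounds the quantity from above only, so quantity == 0 pays 0 and still delivers an ERC721; the fixed version adds the lower bound the article names, pins ERC721 listings to a single item, and updates the listing before any external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

// Sellers list ERC721 (quantity 1) or ERC1155 (quantity n) items at a price per
// item, paid in `paymentToken`. Sellers are assumed to have approved the market.
abstract contract MarketplaceBase {
    struct Listing { uint64 quantity; uint128 pricePerItem; bool isERC1155; }

    IERC20 public immutable paymentToken;
    // nft => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20 _paymentToken) { paymentToken = _paymentToken; }

    function createListing(address nft, uint256 tokenId, uint64 quantity, uint128 pricePerItem, bool isERC1155) external {
        require(quantity > 0 && pricePerItem > 0, "bad listing");
        listings[nft][tokenId][msg.sender] = Listing(quantity, pricePerItem, isERC1155);
    }

    function _deliver(address nft, uint256 tokenId, address seller, uint64 quantity, bool isERC1155) internal {
        if (isERC1155) IERC1155(nft).safeTransferFrom(seller, msg.sender, tokenId, quantity, "");
        else IERC721(nft).safeTransferFrom(seller, msg.sender, tokenId); // quantity plays no part here
    }
}

contract MarketplaceVulnerable is MarketplaceBase {
    constructor(IERC20 t) MarketplaceBase(t) {}

    function buyItem(address nft, uint256 tokenId, address seller, uint64 quantity) external {
        Listing storage l = listings[nft][tokenId][seller];
        require(l.quantity > 0, "not listed");
        require(quantity <= l.quantity, "too many");          // upper bound only: quantity == 0 passes
        uint256 total = uint256(l.pricePerItem) * quantity;   // 0 when quantity == 0
        require(paymentToken.transferFrom(msg.sender, seller, total), "payment failed"); // moves 0, succeeds
        _deliver(nft, tokenId, seller, quantity, l.isERC1155); // ERC721 leaves for free
        l.quantity -= quantity;                               // unchanged; the listing stays up
    }
}

contract MarketplaceFixed is MarketplaceBase {
    constructor(IERC20 t) MarketplaceBase(t) {}

    function buyItem(address nft, uint256 tokenId, address seller, uint64 quantity) external {
        Listing memory l = listings[nft][tokenId][seller];
        require(l.quantity > 0, "not listed");
        require(quantity > 0 && quantity <= l.quantity, "bad quantity");   // the missing lower bound
        if (!l.isERC1155) require(quantity == 1, "ERC721 listings are single items");
        uint256 total = uint256(l.pricePerItem) * quantity;

        uint64 remaining = l.quantity - quantity;                            // effects before interactions
        if (remaining == 0) delete listings[nft][tokenId][seller];
        else listings[nft][tokenId][seller].quantity = remaining;

        require(paymentToken.transferFrom(msg.sender, seller, total), "payment failed");
        _deliver(nft, tokenId, seller, quantity, l.isERC1155);
    }
}
```

The general rule the fix encodes: any multiplier a buyer supplies needs a lower bound as well as an upper one, and a price that can legitimately evaluate to zero is a sign the inputs were not validated. Shrinking the listing before the token calls also removes the reentrancy surface that safeTransferFrom's receiver hooks open up.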

ultravolatile

  • Contract Names and Hex Addresses:

    • Not mentioned in the article.
  • Bug Types:

    • Immaturity of the markets
    • Easily influenced by the actions of individuals
    • Fear induced by Elon Musk's Tesla and Bitcoin situation

under-the-armor

  • Azeem's Twitter post about the article
  • RobertMCForster's Twitter thread
  • Nesh_S's tweet about Azeem's reputation
  • ArmorFi's tweet about focusing on building and adoption
  • Azeem's claim that kferret relied on ambiguous statements in Discord
  • Azeem's claim that kferret staked a day before the statements he claimed to rely on
  • Azeem's claim that Armor stood firm against a social media storm
  • Azeem's claim that there were other NFTs successfully claimed without staking
  • Azeem's statement that the rights to the arNFT belong to Armor when staked
  • Azeem's guides to staking
  • Azeem's screenshot of a guide to staking
  • Azeem's claim that Armor is not centralized
  • Azeem's claim that kferret made straight up lies
  • Azeem's clarification that the NFT was sent back, not restaked, according to protocol design
  • Azeem's statement that Armor stands to profit $0 from their decisions
  • Azeem's statement that the misunderstandings are based on human elements
  • Azeem's statement that he would have sought to do absolutely nothing and let the system be executed as designed
  • Azeem's recommendation to review the provided links for important details

uniswap-flop-dharma-vote-stopped

uniswap-swindle-scammer-speaks-out

  • Contract names and hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    • Scams
    • Fake whitepapers
    • Fake audits
    • Fake staking pools
    • Lack of research
    • Gas fees
    • Missed opportunities
    • Guilt
    • Morality
    • Greed
    • Fear of the law
    • Financial transaction card fraud
    • Credit card fraud
    • Computer crimes

uniswap-v3-lp-rekt

  • Contract names: Uniswap V3
  • Contract hex addresses: N/A

Bug types mentioned in the article:

  • Impermanent loss
  • Loss in trading fees
  • Inefficiency in capital utilization
  • Overcomplication of the Uniswap V3 system
  • Decreased profitability of traditional liquidity provider (LP) positions

unreal-estate

  • Contract names and hex addresses are not mentioned in the article.
  • Bugs mentioned in the article are not related to contracts.

unsolved-mystery

  • The contract names and contract hex addresses are not provided in the article, so it is not possible to list them.
  • Bug types mentioned in the article:
    • Network-wide bug
    • Leaky extensions
    • Mobile malware
    • ECDSA nonce reuse issue
    • Bug in underlying cryptography
    • iOS supply chain attack

uranium-rekt

  • Contract names: UraniumPair, MasterChef
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    • Math bug
    • Vulnerabilities in the MasterChef contract
    • Bug introduced in the UraniumPair contract
    • Cross chain hacks
    • Rug pulls

value-defi-rekt

  • Contracts names: Value DeFi Bank contract, Value DeFi Vault contract
  • Contracts hex addresses: Not mentioned in the article
  • Bug types mentioned in the article:
    • Exploitation through withdrawals from the Vault contract through Proxy
    • Manipulation of Curve spot price oracle
    • Using the wrong Curve function for withdrawal calculations
    • Vulnerability to flash loans

value-rekt2

  • Contract names:
    • Value DeFi
  • Contract hex addresses:
    • Exploiter: 0xef63ad578e75d498d0723e5420fa1962b1d28764
    • Affected pool contract: 0x7a8ac384d3a9086afcc13eb58e90916f17affc89
  • Bug types mentioned in the article:
    • Flash loan vulnerability
    • Copy-paste error
    • Missing initialization line in the contract code

value-rekt3

  • Value DeFi
  • vSwap AMM
  • Paid actress (co-founder)
  • Complex exponentiation power() function
  • Incorrect use of Bancor formula
  • Exploited pools with liquidity split other than 50/50
  • Stolen funds (15k BNB, 2.7k FARM, 1.7k BASv2, 8.5M BDO, 68.3k BUSD, 41.4k MDG, 945k VBOND, 1.2M BAC, 11k FIRO)
  • Attack steps:
    • Sending a small amount of a second token to pair addresses
    • Making a swap to withdraw a small amount of the first token and a large amount of the second token
    • Incorrect use of Bancor formula leading to successful swap
  • Power() function assumption violation
  • Decreasing DEX volume
  • Lack of trust in anonymous developers
  • Use of paid actress for co-founder role
  • Ape tax for users of Value DeFi
  • Lack of user safety focus and worthless security audits
  • Potential final exit scam.

veefinance-rekt

  • Contract names and hex addresses mentioned in the article:
  1. Vee Finance:

    • Exploiter ETH Address: 0xeeee458c3a5eaafcfd68681d405fb55ef80595ba
    • Exploiter AVAX Address: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA (the same address as on ETH, shown in EIP-55 checksum form)
  2. Zabu Finance:

    • Exploiter ETH Address: Not mentioned
    • Exploiter AVAX Address: Not mentioned
  • Bug types mentioned in the article:
  1. Exploit contract deployment
  2. Price manipulation
  3. Slippage check bypass

(Note: The article does not go into detail about specific bug types, so these are the general bug types that can be inferred from the information provided.)

venus-blizz-rekt

  • Contract names: Venus Protocol, Blizz Finance
  • Contract hex addresses:
    • Venus Protocol: 0xec72d46011d67a6ac4fa7d3f476fa2049dc807ee
    • Blizz Finance: (address not mentioned in the article)
  • Bug types mentioned in the article:
    • Inaccurate price feed
    • Lack of failsafe mechanisms
    • Failure to establish preventative measures
    • Minimum price hardcoded in the oracle contract
    • Timelock delay in reacting to the issue
    • Blame on Chainlink for pausing price feeds
    • Failure to update oracle's parameters to reflect reality
    • Lack of automated circuit-breakers in protocols
    • Potential loss of $3B of BTC belonging to the Luna Foundation

visor-finance-rekt

  • Contract names: vVISR Rewards Contract
  • Contract hex addresses: 0xc9f27a50f82571c1c8423a42970613b8dbda14ef, 0x10c509aa9ab291c76c45414e7cdbd375e1d5ace8, 0x8efab89b497b887cdaa2fb08ff71e4b3827774b2
  • Bug types mentioned:
    1. Vulnerable require() check in the vVISR Rewards Contract's deposit() function
    2. Ability for the hacker to mint unlimited shares using their own contract
    3. Attacker transferring ownership of the contract to their own address
    4. Minting of vVISR tokens by the attacker
    5. Burning of vVISR tokens for VISR
    6. Swapping of VISR for ETH via Uniswap v2
    7. Washing of ETH via Tornado Cash

voltage-finance-rekt

  • Contract A: 0x632942c9BeF1a1127353E1b99e817651e2390CFF
  • Contract B: 0x9E5b7da68e2aE8aB1835428E6E0c83a7153f6112

Bug types mentioned in the article:

  • Reentrancy vulnerability enabled by the ERC677 transfer hook (the hook hands control to the recipient mid-transfer; the defect is in the borrowing code that was not prepared for that)
  • Abuse of the callAfterTransfer() function
  • Lack of following the recommended checks-effects-interactions routine of execution in the underlying code
  • Update of internal states after an external call in the borrow() function
  • Funds frozen by Circle for USDC
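
The borrow() reentrancy, as an added example (hypothetical token, pool and attacker; not Voltage's code): a token whose transfer calls the recipient, a pool that records the debt only after that call, and a receiver that re-enters borrow() while its debt still reads zero, beside a pool that applies checks-effects-interactions and a reentrancy guard. The hook is named onTokenTransfer here, standing in for the page's callAfterTransfer(); collateral is ETH at an assumed fixed 80% loan-to-value to keep the pricing out of the way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface ITransferReceiver {
    function onTokenTransfer(address from, uint256 amount, bytes calldata data) external;
}

// Minimal token whose plain transfer() calls the recipient when it is a contract.
contract HookedToken {
    mapping(address => uint256) public balanceOf;

    constructor(address to, uint256 supply) { balanceOf[to] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        if (to.code.length > 0) {
            ITransferReceiver(to).onTokenTransfer(msg.sender, amount, ""); // control leaves the token here
        }
        return true;
    }
}

// BUG: the interaction (transfer, with its hook) runs before the effect (debt update).
contract PoolVulnerable {
    HookedToken public immutable asset;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(HookedToken _asset) { asset = _asset; }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * 8 / 10, "undercollateralised");
        asset.transfer(msg.sender, amount);   // the hook re-enters borrow() from inside this call
        debt[msg.sender] += amount;           // recorded only after every nested call has paid out
    }
}

contract PoolFixed {
    HookedToken public immutable asset;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(HookedToken _asset) { asset = _asset; }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * 8 / 10, "undercollateralised");
        debt[msg.sender] += amount;           // effect first...
        asset.transfer(msg.sender, amount);   // ...then the interaction
    }
}

// The attacker's receiver: re-enters borrow() n times while its debt is still 0.
contract Reenter is ITransferReceiver {
    PoolVulnerable public immutable pool;
    uint256 private rounds;

    constructor(PoolVulnerable _pool) { pool = _pool; }

    function attack(uint256 amount, uint256 n) external payable {
        pool.deposit{value: msg.value}();   // enough collateral for a single `amount`
        rounds = n;
        pool.borrow(amount);                // pays out (n + 1) * amount in total
    }

    function onTokenTransfer(address, uint256 amount, bytes calldata) external override {
        if (rounds > 0) {
            rounds--;
            pool.borrow(amount);
        }
    }
}
```

Against PoolVulnerable, attack(x, n) with collateral for one x drains (n + 1) * x of the pool's asset; every nested borrow() sees debt == 0 because the outer frames have not reached their += yet. Against PoolFixed the first nested call hits the guard, and even without the guard the debt check would fail because the effect now precedes the transfer. Either defence alone closes this instance; using both is the habit to build, since the hook exists in every token that implements a transfer callback.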

vulcan-forged-rekt

  • Contract names:

    • Vulcan Forged
  • Contract hex addresses:

    • Ethereum: 0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
    • Polygon: 0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
  • Bug types mentioned in the article:

    • Compromised keys

war-on-code

  • Tornado Cash
  • Alexey Pertsev

Bug types mentioned in the article:

  • Money laundering

warp-finance-rekt

  • Warp Oracle [0x4A224CD0517f08B26608a2f73bF390b01a6618c8]
  • Warp Control [0xBa539B9a5C2d412Cb10e5770435f362094f9541c]
  • wBTC-wETH LP Vault [0x3c37f97F7d8f705cc230f97a0668f77a0e05D0aA]
  • WETH-DAI LP Vault [0x13db1CB418573f4c3A2ea36486F0E421bC0D2427] (Affected vault)
  • USDT-WETH LP Vault [0xCDb97F4C32F065b8e93cF16BB1E5d198bcF8cA0d]
  • USDC-WETH LP Vault [0xb64dfae5122D70Fa932f563c53921FE33967B3E0]
  • DAI Vault [0x6046c3Ab74e6cE761d218B9117d5c63200f4b406]
  • USDT Vault [0xDadd9bA311192d360Df13395E137f1E673C91deB]
  • USDC Vault [0xae465FD39B519602eE28F062037F7B9c41FDc8cF]

Bug types mentioned in the article:

  • Exploitation and draining of funds from the vault
  • Use of AMM-based oracle (Uniswap) leading to price manipulation
  • Flash loan-induced price manipulation
  • Borrowing more than the collateral value
  • Under-water borrow position
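
The oracle weakness, as an added example (hypothetical oracle contract; IUniswapV2Pair is the real pair interface, IPriceFeed and its unit convention are assumptions): the reserve-weighted LP valuation that a flash-loan swap can inflate, beside the fair valuation that uses the swap-invariant product of the reserves. This generalises the WETH-DAI case above to any constant-product pair.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Real Uniswap V2 pair interface (subset).
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function totalSupply() external view returns (uint256);
}

// Assumed external feed: value of one wei of `token` in a common 1e18-scaled
// unit. Decimal normalisation is deliberately left out of the example.
interface IPriceFeed {
    function price(address token) external view returns (uint256);
}

contract LpOracle {
    IPriceFeed public immutable feed;

    constructor(IPriceFeed _feed) { feed = _feed; }

    // Reserve-weighted valuation. By AM-GM, r0*p0 + r1*p1 >= 2*sqrt(r0*r1*p0*p1),
    // with equality only when the pool sits at the feed price, so any swap that
    // skews the reserves (a flash-loan-sized one, say) pushes this number UP.
    // That inflated collateral value for one block is what the attack buys.
    function naiveLpPrice(IUniswapV2Pair pair) external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 p0 = feed.price(pair.token0());
        uint256 p1 = feed.price(pair.token1());
        return (uint256(r0) * p0 + uint256(r1) * p1) / pair.totalSupply();
    }

    // Fair valuation: k = r0*r1 is unchanged by swaps (fees only nudge it up), so
    // valuing the pool as if it were balanced at the feed price removes the
    // in-pool lever. value = 2*sqrt(k)*sqrt(p0*p1); per LP token, divide by supply.
    function fairLpPrice(IUniswapV2Pair pair) external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 p0 = feed.price(pair.token0());
        uint256 p1 = feed.price(pair.token1());
        uint256 sqrtK = sqrt(uint256(r0) * uint256(r1));
        uint256 sqrtP = sqrt(p0 * p1);
        return 2 * sqrtK * sqrtP / pair.totalSupply();
    }

    // Babylonian integer square root (rounds down).
    function sqrt(uint256 x) internal pure returns (uint256 y) {
        if (x == 0) return 0;
        uint256 z = (x + 1) / 2;
        y = x;
        while (z < y) {
            y = z;
            z = (x / z + z) / 2;
        }
    }
}
```

The fair formula only moves the trust: it is as good as the feed behind p0 and p1, so those must come from somewhere the borrower cannot swing within a transaction (a Chainlink-style aggregator or a long TWAP, not the pair's own spot price). Reading the spot price from the same pool whose reserves are being valued, which is the setup described above, combines both weaknesses in one number.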

whale-hunt-sbf-blue-kirby

  • Blue Kirby ICO contract: 0xA11f2dec4bab2E07de7708Dd640004Ef80cCaBCe
  • FTT collateral wallet: 0x477573f212A7bdD5F7C12889bd1ad0aA44fb82aa

Bugs mentioned in the article:

  • Blue Kirby promoted unaudited code for EMN
  • Blue Kirby sold his YFI causing disappointment and outrage
  • Blue Kirby's ICO for Off Blue lacked details and a public roadmap
  • Concerns about the use of FTT as collateral for short selling other assets on C.R.E.A.M Finance
  • Governance snapshot vote to decide if FTT should be delisted from C.R.E.A.M due to safety risks and lack of demand/impact on other users.

whale-watching-bdp

  • Contract names: Big Data Protocol (BDP)
  • Contract hex address: Not mentioned
  • Bug types mentioned in the article:
    1. Unexpected behavior in the reward mechanism in the smart contract
    2. Inability to claim rewards due to minting "0" tokens

window-of-opportunity

  • Contract names: Maker DAO, USDC, USDT, RAI
  • Bug types mentioned in the article:
    • Stability
    • Compliance
    • Regulatory vulnerability
    • Frozen assets
    • Centralization
    • Pegged stability
    • Systemic risk
    • Existential threats
    • Non-reliance on the dollar
    • Increasing volatility
    • Devaluation of fiat currencies

winds-of-change

  • Contract names and hex addresses:
    • Tornado Cash
    • TRM Labs
    • Hack victims
    • Whitehats
    • Nomad incident
    • Addresses targeted by dusting attacks
  • Bug types mentioned in the article:
    • Compliance issues
    • Censorship
    • Proximity-based blocking of addresses
    • Blanket blacklisting
    • Large-scale censorship
    • CeDeFi future

winter-farming

Bug types mentioned in the article:

  • Impermanent loss
  • Market risk
  • Volatility risk
  • Impermanent loss risk

wintermute-rekt-2

  • Contract names: Wintermute's hot wallet, DeFi vault contract
  • Contract hex addresses:
    • Hot wallet: 0x0000000fe6a514a32abdcdfcc076c85243de899b
    • DeFi vault contract: 0x00000000ae347930bd1e7b0f35588b92280f9e75
  • Bug types mentioned in the article:
    • Compromised vanity address
    • Weakness in Profanity tool used for creating vanity addresses
    • Forgotten removal of an admin address from the vault contract

wintermute-rekt

  • Contract names: Wintermute multisig on Ethereum, Gnosis Safe proxy
  • Contract hex addresses:
    • Wintermute's multisig on Ethereum: 0x4f3a120e72c76c22ae802d129f599bfdbc31cb81
    • Hijacked address on Optimism: 0x4f3a120e72c76c22ae802d129f599bfdbc31cb81
  • Bug types mentioned in the article:
    • Misconfigured destination address
    • Failure to check access to funds
    • Vulnerability in Gnosis Safe proxy contract
    • Out-of-date deployment method using create opcode instead of create2
    • Lack of response to flagged alert on OP's launch day
    • Carelessness in leaving funds in an unowned address

wormhole-rekt

Bug types mentioned in the article:

  • Loophole in Wormhole bridge
  • Bypassing of guardians
  • Discrepancy in address verification
  • Fake SignatureSet
  • Fraudulent minting
  • Bridging of funds to Ethereum
  • Liquidation of funds on Solana
  • Exploit of Solana VAA verification
  • Oracle issues leading to erroneous liquidations
  • Security concerns around cross-chain protocols

xtoken-rekt-x2

  • Contract names: xSNX contract, xSNXAdmin contract
  • Contract hex addresses: not mentioned in the article
  • Bug types mentioned in the article:
    • Flash loan exploit
    • Vulnerability in the callFunction function
    • Erroneous require statement
    • Value extraction through price manipulation and arbitrage opportunities

xtoken-rekt

  • Contract names: xToken.Market
  • Contract hex addresses: Not mentioned in the article

Bug types mentioned in the article:

  • Exploitation with flash loans
  • Draining liquidity pools
  • Flashloan from DyDx
  • Private transaction using Flashbots MEV
  • Minting vulnerability
  • Selling tokens through 1inch to ETH
  • Manipulating token prices on Uniswap
  • Using Kyber and Uniswap v2 for token swaps
  • Reverse swaps in SushiSwap and Uniswap
  • Repaying loans in Aave
  • Selling tokens on Balancer SNX/ETH/xSNXa pool
  • Issuing xBNTa multiple times
  • Swapping xBNTa to BNT

ycredit-the-ape

  • Stable AMM contract address: 0x5cB5e2d7Ab9Fd32021dF8F1D3E5269bD437Ec3Bf
  • Exchange Router contract address: 0xDD05437d7c7aF576b58262AE5ac6D37515168BE3
  • Swap Factory contract address: 0x3A4FF19554b0F997A4cEF14A8860DcF813b738a4
  • Redeployed contract address: 0x71b6296174c5f07d37cafd6e9b72ab5bb3f14fac
  • Bug types mentioned in the article:
    1. Vulnerability to exploit
    2. Lack of responsible disclosure
    3. Use of unfinished products
    4. Reliance on speculators to test products
    5. Clout chasing behavior
    6. Testing contracts in production with real funds
    7. Lack of deposit cap to limit potential risks
    8. Economic vulnerabilities in contracts
    9. Inadequacy of audits
    10. Potential security risks in audited contracts
    11. Lack of responsiveness to vulnerabilities and disclosures.

yearn-rekt

  • Yearn DAI v1 vault
  • Flash loans
  • Arbitrage attack
  • Mistake made during vault migration
  • Withdrawal fee turned off
  • Centralized refunds from Tether
  • Implied centralization of Tether through token freeze and minting
  • DeFi teams taking sides and fighting amongst themselves

yearn2-rekt

The contract names and contract hex addresses mentioned in the article are:

  • yUSDT contract hex address: 0x83f798e925bcd4017eb265844fddabb448f1707d
  • Fulcrum USDC contract hex address: 0xF013406A0B1d544238083DF0B93ad0d2cBE0f65f

Bug types mentioned in the article:

  • Misconfiguration in the yUSDT token contract
  • Copy/paste error in the yUSDT contract, using the wrong Fulcrum contract address
  • Exploiting the misconfiguration to manipulate share prices and mint a large quantity of yUSDT
  • The attacker swapping the minted yUSDT for other stables and laundering the funds
  • The test in prod attitude leading to incidents and vulnerabilities in the protocol

zunami-protocol-rekt

  • Contract names: zETH contract, UZD contract
  • Contract hex addresses:
    • zETH: 0x5f4c21c9bb73c8b4a296cc256c0cde324db146df
    • UZD: 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b
  • Bug types mentioned in the article:
    • Price manipulation issue
    • Flawed price calculation via the totalHoldings function