SlowMist: The total loss from security incidents last week (April 28-May 4, 2024) exceeded US$71.4 million

According to the weekly security report (April 28 - May 4, 2024) released by SlowMist, the total loss this week exceeded $71,399,000. An incident this week resulted in losses rising from the nine-digit range to the astonishing ten-digit range. Surprisingly, this was not due to complex technical flaws or sophisticated phishing scams, but a simple error that could have been easily avoided by implementing a whitelist. Multiple security incidents include:

1. Bitfinex data leak controversy: On May 4, it was reported that Bitfinex had suffered a data leak, allegedly containing information from 400,000 customers. However, Bitfinex CTO Paolo Ardoino refuted this claim, stating that the leaked data did not match Bitfinex's database and that no leaks were found after thorough analysis.

2. Whale address poisoned attack: On May 3, a whale suffered a poisoned address attack, resulting in a huge loss of 1155 WBTC, worth about $70 million.

3. Suspected "carpet bombing" attack on NOVAMIND_(NMD): On May 2, NOVAMIND_(NMD) on the Ethereum network was accused of a "carpet bombing" attack, with about 41 ETH (about $123,000) transferred to a multi-signature, and the token price plummeted by about 97%.

4. Pike Finance vulnerability continues: On April 30, Pike Finance suffered another security vulnerability, losing 99,970.48 ARB, 64,126 OP, and 479.39 ETH. Weak security measures in the Pike contract led to the vulnerability being exploited.

5. Dune's Twitter account was hacked: Blockchain data analysis platform Dune experienced a security incident on April 30, with its Twitter account hacked. A false post about a Dune airdrop circulated for about 15 minutes before the team regained control of the account.

6. Yield Protocol's Arbitrum contract was exploited: A hacker exploited a vulnerability in Yield Protocol's strategic contract on the Arbitrum blockchain, resulting in the theft of approximately $181,000 worth of encrypted assets. The vulnerability involved the difference between pool token balances and total supply, resulting in the extraction of additional pool tokens.

7. Ember Sword NFT auction exploited again: The vulnerability in the unverified Ember Sword NFT auction surfaced again, allowing 60 WETH, equivalent to about $195,000, to be extracted from 159 victims who approved the contract.