Poloinex lost $123M due to a private key compromise.
Unibot and Maestro were exploited due to lack of input validation.
Astrid Finance hacked for over $502K.
Hacks
Hacks Analysis
Poloinex | Amount Lost: $123M
On November 10th, the Poloinex exploit on multiple chains resulted in a $123M loss due to the compromise of private keys. The attacker drained $57 million worth of ETH, $47 million worth of TRON, and $19 million worth of BTC. Poloinex confirmed the exploit and stated that a portion of the stolen assets has been frozen, ensuring affected customers would be reimbursed. Additionally, a 5% bounty was offered to the hackers. In response to the incident, Poloinex temporarily suspended deposits and withdrawals, which resumed on November 15th.
On October 31st, the Unibot exploit on the Ethereum Mainnet resulted in a $640K loss. The root cause of the hack was the lack of input validation in Unibot's router contract, which had been deployed on October 28th. The attacker called the 0xb2bd16ab() function with an arbitrary address, triggering the transferFrom() function and enabling the unauthorized draining of funds. The Unibot router contract remains unverified on the Ethereum blockchain.
On October 28th, the Astrid Finance exploit on the Ethereum Mainnet resulted in a $228K loss due to logic vulnerability. The exploit's root cause was the attacker's ability to mint and deploy fake tokens through the call to the withdraw() function in the AstridProtocol contract. This action enabled the attacker to claim allowance and generate a profit. The Astrid Finance team acknowledged the exploit, refunded the affected users, and provided a 20% bounty to the hackers.
On October 24th, the Maestro exploit on the Ethereum Mainnet resulted in a $502K loss. The root cause of the hack is similar to the root cause of the Unibot incident, where the router contract lacked input validation. The attacker called the 0x9239127f() function with an arbitrary address, triggering the transferFrom() function and enabling the unauthorized draining of funds. Maestro confirmed the exploit and suspended the functionalities of their router contract.
