The attacker leveraged a design flaw in the swap() function that allowed arbitrary executor calls, resulting in the theft from users who had granted unlimited approvals.

The presumably leaked validator signing keys and a flash loan allowed the attacker to gain exclusive voting power. Having control over the validators, the attacker used bridge funds in the same block to buy BONE, delegate it for validator power, sign fraudulent checkpoints, and then repay the "loan" with the stolen assets.

The attacker used a compromised private key from a proxy administrator account to update a smart contract to a malicious version. The attacker then used the malicious version of the smart contract to drain the balance of the contract itself, as well as the wallets of users who had approved this smart contract.

Unauthorized access to the Kiln API, a staking partner of SwissBorg, led to a $41.5 million theft from the SOL Earn staking program. Attackers manipulated stake account authorities without the need for multi-signature confirmations. This allowed them to transfer authority silently while keeping the Withdrawer role, which helped them evade standard monitoring tools that focus on withdrawal events. The breach was an off-chain API exploit that gave attackers control over on-chain assets.

A Nemo developer introduced a new, unaudited feature into the codebase after the initial security audit but before the final revised report was complete. Consequently, a version of the contract containing this unaudited code was deployed to the mainnet. The governance root cause was the protocol's reliance on a single-signature address for upgrades, which failed to prevent the deployment of code that hadn't undergone a thorough security review. Additionally, the developer deployed a different version of the code than the one confirmed by the audit company. An attacker exploited these unaudited functions to manipulate the internal state and successfully drain a substantial amount of assets from the liquidity pool.

The attackers used a malicious Zoom client to gain privileges on the victim’s machine. They exploited this access to trick the victim into submitting a transaction that approved the attacker as a valid Venus delegate of their account, allowing the attacker to borrow and redeem on the victim’s behalf.

Attackers gained access to a multisig wallet with 32 million AIO tokens. The funds were moved and exchanged for $2 million.

The attacker exploited a vulnerability in the connector contract, which automatically converts yield-bearing tokens (such as aUSDC) into USDC during withdrawals. Using this flaw, the hacker executed a withdrawal on behalf of another user and siphoned $427,000 USDC from Aave.

The attacker exploited a lack of proper validation to mint an unsecured FAVOR tokens. The attacker used a fabricated smart contract as a liquidity provider (LP), then executed a bulk swap to get a significant bonus that could be converted into real money. The auditor, zokyo, had previously reported vulnerabilities directly related to this hack. However, due to an insufficient in-depth analysis, the severity of these findings was downgraded to a low level.

The Turkish crypto exchange BTCTurk was exploited for $48 million. The attack involved the leaking of private keys, allowing attackers to drain funds from hot wallets across seven different blockchains. The exchange suspended crypto services.

Odin.fun, a Bitcoin-based memecoin launchpad and trading platform, suffered an exploit. The attack exploited a flaw in the platform’s automated market-making tool introduced in the latest update. Attackers carried out a liquidity manipulation scheme by adding tokens such as SATOSHI to drive up prices, then pulling their liquidity to cash out in Bitcoin.

An attacker used the BRIDGE role to issue tokens without proper collateral. These tokens were then used as collateral for loans in other tokens. The borrowed funds (secured by the uncollateralized tokens) were withdrawn and laundered on the Ethereum network.

The access control in the updateMerkleRoot() function was configured incorrectly. Instead of checking that the calling address IS the owner, the code checked that it IS NOT the owner. This smart contract coding error allowed an attacker to form a fake Merkle root and update the smart contract with it. The fabricated root allowed the attacker to withdraw tokens from the smart contract.

An attacker compromised a developer's device using a phishing attack. Access was gained to the development environment. The attacker initiated the withdrawal of funds from 9 user accounts.

The incident involved unauthorized access to an operational wallet used for liquidity provisioning on a partner exchange.

A supply chain attack that compromised production network, allowing attackers to modify the operational logic of account and risk control servers.

The protocol had a circuit breaker system that was triggered when the malicious contract was deployed. However, a built-in mechanism designed to prevent the protocol from being paused indefinitely was used by the attacker against the protocol. When the team ran simulations with the malicious smart contract and found no possible exploit paths, they unpaused the protocol. The attacker's subsequent actions were not stopped because of the previously described limiter on re-pausing the protocol. The attacker used flash loans and malicious calldata to drain the victims' accounts. The root cause of the hack was a lack of calldata validation.

A critical backdoor was discovered in thousands of contracts that use ERC1967Proxy. A hacker was able to front-run initialization and install a hacker proxy in between and remain undetected due to a bug in Block explorers. The hacker minted 110,000 K tokens and started the attack to drain both the Morpho Vault and the Uniswap v4 pool.

The exploit originated from the malicious smart contract crafted by the attacker, which was used to create and hijack execution during order fulfillment. The root cause includes the implicit assumption in executeDecreaseOrder() that the _account parameter is an Externally Owned Account (EOA), when in fact it can be a malicious smart contract. This vulnerability led to a sophisticated multi-step attack where the attacker was able to artificially inflate the protocol’s AUM, redeem GLP for more assets than deserved.

An attacker was able to exploit the rebalance feature of the Texture Vaults contract to trigger a transfer. The attacker provided their own token account, which the Vault mistakenly filled with LP tokens during rebalancing. The attacker then redeemed these LP tokens for real liquidity.

A low liquidity pool was used by a user as an oracle when configuring a pod. The attacker was able to manipulate this pool using a flash loan, and then an undercollateralized loan was taken.

The attacker targeted the ResupplyPair contract which uses the manipulated rate, just hours after its deployment. The root cause was an exchange rate manipulation bug triggered via a classic ERC4626 “first donation” vault attack, resulting in a division-by-large-value scenario that collapsed the exchangeRate to zero. This manipulated rate was used to compute the borrower’s LTV in the _isSolvent() check. Since ltv = 0 when exchangeRate = 0, the attacker bypassed the solvency check and borrowed $10 million reUSD using just 1 wei of collateral.

The exploit pertained to an smart contract for an unreleased leverage feature deployed for testing purposes. It targeted a peripheral contract using fillQuote to call silo.borrow(), manipulating parameters to target a Silo Core Team test wallet.

Hacken bridge exploited. A private key associated with an account with minting rights was exposed, allowing attackers to mint huge amounts of HAI tokens and then quickly sell them on decentralized exchanges. The private key was associated with minting roles on the Ethereum and BNB Chain networks. The attackers were able to mint around 900 million HAI tokens.

The attacker exploited critical integer underflow vulnerability in BankrollNetworkStack.sell() function to manipulate dividend accounting and drain funds from users who had previously interacted with or approved the contract.

Nobitex, Iran’s largest cryptocurrency exchange, was the target of a significant cyberattack claimed by the pro-Israel hacking group Gonjeshke Darande, also known as Predatory Sparrow. The group alleged that Nobitex supported Iran’s military activities and helped users bypass international sanctions, framing the act as a symbolic message related to escalating tensions between Israel and Iran. The hack involved the theft of cryptocurrency from Nobitex’s hot wallets across multiple Ethereum Virtual Machine (EVM) and Tron-compatible blockchains. The hacking group appears to have burned the crypto assets, effectively destroying them rather than taking them for their own profits.

The vulnerability stemmed from the failure to override or restrict the publicly exposed base mint() function inherited from OpenZeppelin’s ERC4626Upgradeable standard, which allowed attackers to mint 9701 mpETH without providing any ETH.

The exploit originated from a vulnerability within the verification logic of the self-listing feature. The attacker exploited a critical flaw in the create2 function's verification logic by referencing a failed transaction, allowing a malicious token to bypass checks and transfer funds from liquidity pools.

The attacker carried out a supply chain attack to exfiltrate private keys. The leaked keys were then used to unlock funds from bridge smart contracts. The supply chain attack targeted the validator code, the malicious code was injected into the Docker image at build time.

A Mendi-to-Malda migrator contract was exploited. The contract allowed the Mendi Comptroller address to be passed dynamically, rather than being hardcoded. The attacker used a feature that was designed solely to allow Mendi protocol users to migrate directly to Malda. The attacker deployed a fake Mendi Comptroller contract, allowing him to create a fraudulent Malda position and withdraw funds against it.

The core issue behind the exploit stems from two critical flaws in the Cork protocol. First, the protocol’s configuration contract (CorkConfig) allowed users to create markets with arbitrary redemption assets (RA), enabling the attacker to designate DS as the RA. Second, the CorkHook contract’s beforeSwap function lacked proper access control and input validation, allowing anyone to invoke it with custom hook data for CorkCall operations. By leveraging these weaknesses, the attacker created a malicious market using DS as the RA and used valid DS tokens from a legitimate market to deposit into this fake market. In return, they received both DS and CT tokens. Due to the absence of restrictions on RA types and insufficient validation of the caller and input data, the attacker was able to manipulate liquidity and perform unauthorized redemptions draining the original market. This manipulation allowed them to acquire a large quantity of derivatives, which they ultimately redeemed for 3,761 wstETH. The fundamental cause of the exploit lies in the protocol's failure to strictly validate user-supplied data and enforce proper restrictions on market creation.

The attacker exploited a situational vulnerability in the deposit path of the usUSDS++ vault, a beta vault built on top of the Sky Protocol. The vulnerability centered around the unwrap process, where USD0++ is converted to USD0 during deposits. By manipulating vault’s deposit route, specifically the capped and limited conversion from USD0++ to USD0, the attacker executed an arbitrage strategy and made a profit of approximately $42,800. The vault has undergone 4 security audits in recent months. The exploit was not due to faulty logic. Instead, it took advantage of a behavioral edge case in the system.

The lack of validation of the Chainlink Oracle price feeds allowed the attacker to use an old, but still cryptographically valid price signature to open a position. The attacker used a significantly outdated ETH price of around $1,816, while the real market price was closer to $2,520. The difference in the asset prices was extracted as profit.

A bug in the integer overflow check method allowed an attacker to mint unsecured SUI.

A smart contract that was bugged and deprecated was still used as an oracle for the token price before the attack. The attacker used the donation to exploit the vulnerability in the code and artificially inflated the price of dGLP. The attacker then used the overvalued dGLP as collateral for borrowing.

The attack sequence relied on extensive administrative privileges obtained. An admin role was granted to an attacker’s address by the Zunami Protocol Deployer Wallet. Later the attacker executed the exploit by directly calling the withdrawStuckToken() function on Zunami's strategy, a function designed for emergency withdrawals. This single call allowed the attacker to transfer 296,456 LP tokens, representing the collateral for zunUSD and zunETH, directly to their address.

The unaudited smart contract contained a simple logical error that allowed the attacker to drain all liquidity. The root cause was the excess of the 1e18 multiplier in the deposit evaluation function.

The incident was traced to a developer unknowingly hired by the team whom turned out to be a undercover DPRK IT worker. This individual/team unlawfully accessed the project’s administrative keys and executed a series of unauthorized transactions. The attacker had deployed a modified version of the AToken & VariableDebtToken contracts. In this version, the onlyPool access control modifier was altered to permit not only the Pool contract, but also any address with the Pool Admin role to execute functions that were originally restricted. The attacker used the compromised deployer wallet to initiate the draining of all pools.

During an internal update to the tETH oracle, a mismatch in decimal precision between oracle components was introduced. This inconsistency caused incorrect price outputs for tETH. An anonymous liquidator executed liquidations during the window when the incorrect tETH price was live.

Loopscale was targeted in an attack that exploited the protocol’s pricing logic for RateX-issued tokens. By spoofing the RateX PT market programs, the attacker was able to take out a series of undercollateralized loans. The exploited code path was deployed as part of a new integration with RateX and had not yet undergone a formal third-party audit.

Exploiting flawed protocol code, the attacker created a liquidity pool away from current price and generated substantial fees through wash swaps. These fees were then used to inflate the collateral's valuation, leveraging flawed smart contract mathematics. The attacker subsequently borrowed against this overvalued collateral. However, reinvestment later reduced the collateral's value, resulting in an under-collateralized debt. This debt was then restructured without liquidation, enabling the attacker to retain the illicit funds.

The Oxya Origin deployer wallet appears to have been compromised, resulting in the ownership of the $OXYZ token being transferred to a suspicious address (0x2a00d9941ab583072bcf01ec2e644679e4579272). The attacker minted 9b $OXYZ, swapped $45K, and bridged the funds via Stargate.

A vulnerability in the overPaper function of the BTCMapp smart contract allowed an attacker to extract 1,311 ETH, which is equivalent to $2,228,700.

The attacker manipulated the price of the $NUMA token, while simultaneously opening large short and long positions, removing deposited collateral by liquidating themselves, and exiting through the vault.

The malicious developer had injected code into the staking smart contract, allowing them to execute an emergency drain of the liquidity pool, resulting in around 490 ETH worth of tokens being stolen.

The vulnerability originated in the TrustedForwarder contract, which inherited OpenZeppelin’s MinimalForwarderUpgradeable but did not override the execute method. As a result, the method remained permissionless and exposed to misuse. The attacker took advantage of this oversight by directly calling the original execute function from MinimalForwarderUpgradeable. In a single transaction, the attacker opened a position at an artificially low price and then closed it at a higher price, generating an illegitimate profit through this exploit.

The attacker used compromised admin account to mint the remaining unclaimed tokens from the ZK token Merkle distributors used for the ZKsync June 17th 2024 airdrop. The hacker successfully took control of 111881122 ZK tokens.

The private keys were compromised. The attacker then used these keys to update a function in the contract to a malicious one, allowing him to withdraw funds.