Disclaimer: Data source is web3rekt.com. Incidents may not
necessarily be in-scope for the audit.
(Excluded incident categories: poor governance, liquidity management,
front-end vulnerabilities, key management, dns/bgp, loss of
availability, compromised access control, blackmail, human)
ABDK Consulting
1 incident
GMX
Exchange (2022-09): $ 415,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1] [2]
[3]
- Audit Report: [1]
Ackee Blockchain Security
1 incident
Astrid
Finance (2023-10): $ 228,750 — Contract Vulnerabilities
- Method: Lack of validation of staked tokens
- Source: [1]
- Audit Report: [1]
Akira Audit
1 incident
Opyn (2020-08):
$ 371,260 — Contract Vulnerabilities
- Method: Logic error, no real-time verification of actual
balance
- Source: [1]
- Audit Report: [1]
Ambisafe
1 incident
Nereus Finance
(2022-09): $ 371,296 — Flash Loans
- Method: Price manipulation
- Source: [1]
- Audit Report: [1]
Arcadia Group
4 incidents
Value
DeFi (2021-05): $ 11,000,000 — Contract Vulnerabilities
Value
DeFi (2021-05): $ 5,817,780 — Contract Vulnerabilities
- Method: Lack of access control
- Source: [1]
- Audit Report: [1]
[2]
Cover
Protocol (2020-12): $ 9,400,000 — Contract Vulnerabilities
- Method: Unlimited minting
- Source: [1]
- Audit Report: [1]
Value DeFi (2020-11):
$ 6,000,000 — Flash Loans
- Method: Flash loan attack, oracle manipulation
- Source: [1]
- Audit Report: [1]
[2]
Armors Labs
2 incidents
Deus Finance
(2022-04): $ 13,400,000 — Flash Loans
- Method: Oracle manipulation
- Source: [1]
[2]
[3]
Deus
Finance (2022-03): $ 3,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
Audit Rate Tech
3 incidents
Doge Floki Coin
(2022-08): $ 99,212 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Cashera (2022-05): $ 89,212 —
Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Marvin Inu
(2022-04): $ 350,000 — Contract Vulnerabilities
- Method: Undisclosed
- Source: [1]
[2]
- Audit Report: [1]
Audits.finance Inc
1 incident
Cashio
(2022-03): $ 50,000,000 — Contract Vulnerabilities
- Method: Lack of input validation
- Source: [1]
[2]
- Audit Report: [1]
BlockAudit
1 incident
Limocoinswap (2022-02) — Scams
- Method: Ponzi scheme
- Source: [1]
- Audit Report: [1]
BlockHunters
1 incident
Bacon
Protocol (2022-03): $ 1,000,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
- Audit Report: [1]
Certik
65 incidents
Elephant Money
(2023-12): $ 163,801 — Flash Loans
- Method: Lack of access control on privileged functions and no
slippage protection on swap
- Source: [1]
- Audit Report: [1]
Fintoch
(Standard Cross Finance) (2023-10): $ 1,681,340 — Scams
The Merlin DEX
(2023-04): $ 1,906,854 — Scams
TiFi Token (2022-12): $
25,211 — Flash Loans
- Method: Price arbitrage
- Source: [1]
- Audit Report: [1]
Annex Finance
(2022-11): $ 3,000 — Flash Loans
- Method: Does not verify caller in arbitrary call
(pancakecall())
- Source: [1]
- Audit Report: [1]
BabySwap
(2022-10): $ 65,055 — Contract Vulnerabilities
- Method: Logic error with the takewithdraw function
- Source: [1]
[2]
- Audit Report: [1]
Zoom Protocol
(2022-09): $ 61,660 — Flash Loans
- Method: Price manipulation
- Source: [1]
- Audit Report: [1]
DaoSwap
(2022-09): $ 581,257 — Contract Vulnerabilities
- Method: Logic error in reward calculation, and lack of verification
of reward invitee
- Source: [1] [2]
- Audit Report: [1]
Raccoon Network
(2022-07): $ 20,000,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
ArenaPlayAPC (2022-07): $
313,200 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Quint
Token (2022-06): $ 130,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
Inari Token (2022-06): $
271,262 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
XCarnival
(2022-06): $ 3,800,000 — Contract Vulnerabilities
- Method: Lack of verification of pledged nft
- Source: [1]
[2]
- Audit Report: [1]
Elvantis Token (2022-06):
$ 32,207 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Fswap
(2022-06): $ 390,000 — Contract Vulnerabilities
- Method: Flash loans, vulnerability with swap method
- Source: [1]
[2]
[3]
- Audit Report: [1]
Equalizer
Finance (2022-06): $ 72,000 — Contract Vulnerabilities
- Method: Logic error, flash loans
- Source: [1]
[2]
- Audit Report: [1]
- Method: Logic error, hardcode oracle price
- Source: [1]
[2]
- Audit Report: [1]
Venus
Protocol (2022-05): $ 13,500,000 — Contract Vulnerabilities
- Method: Price oracle manipulation
- Source: [1]
[2]
[3]
- Audit Report: [1]
Saddle
Finance (2022-04): $ 10,000,000 — Contract Vulnerabilities
- Method: Incorrect library utilized to calculate swap
- Source: [1]
[2]
[3]
- Audit Report: [1]
bDollar (2022-04): $
730,000 — Flash Loans
- Method: Price arbitrage
- Source: [1]
- Audit Report: [1]
Chedda Token (2022-04): $
1,170,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Elephant
Money (2022-04): $ 11,200,000 — Contract Vulnerabilities
- Method: Price manipulation
- Source: [1]
[2]
- Audit Report: [1]
FilDA
(2022-04): $ 1,677,000 — Contract Vulnerabilities
- Method: Does not handle flashloans of erc677 tokens properly
- Source: [1]
- Audit Report: [1]
ArivaCoin (2022-02): $ 600,000
— Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Polygon (2022-01) — Near-Miss
- Method: Logic error in migrating validators from one to another
- Source: [1]
- Audit Report: [1]
Arbix Finance (2022-01):
$ 10,000,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
VultureSwap Finance
(2021-12): $ 446,572 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Visor
Finance (2021-12): $ 8,200,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
[2]
- Audit Report: [1]
Polygon
(2021-12): $ 1,600,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
[2]
- Audit Report: [1]
Visor Finance
(2021-11): $ 975,720 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Lever (2021-11): $ 652,942 —
Flash Loans
- Method: Decimal point check problem
- Source: [1]
- Audit Report: [1]
AutoShark
Finance (2021-10): $ 2,000,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Polygon Plasma Bridge
(2021-10) — Near-Miss
- Method: Logic error in handling of burn transactions
- Source: [1]
- Audit Report: [1]
Harvest Finance (2021-10) —
Near-Miss
- Method: Uninitialized proxies bug
- Source: [1]
- Audit Report: [1]
PancakeHunny
(2021-10): $ 1,934,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
AutoShark
Finance (2021-10): $ 580,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Vee
Finance (2021-09): $ 35,000,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Neko
Network (Maze Protocol) (2021-08): $ 3,800,000 — Contract
Vulnerabilities
- Method: Protocol vulnerabilities
- Source: [1]
[2]
[3]
- Audit Report: [1]
Popsicle
Finance (2021-08): $ 20,000,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
Levyathan
(2021-07): $ 1,500,000 — Contract Vulnerabilities
- Method: Unlimited mint
- Source: [1]
[2]
[3]
- Audit Report: [1]
THORChain
(2021-07): $ 76,000 — Contract Vulnerabilities
- Method: Contract backdoor
- Source: [1]
- Audit Report: [1]
THORChain
(2021-07): $ 8,000,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
[2]
- Audit Report: [1]
THORChain
(2021-07): $ 5,000,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
[2]
- Audit Report: [1]
THORChain
(2021-06): $ 140,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
Eleven Finance
(2021-06): $ 4,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Visor Finance (2021-06):
$ 504,845 — Unknown
- Method: Unknown
- Source: [1]
- Audit Report: [1]
Alchemix
(2021-06): $ 6,530,000 — Contract Vulnerabilities
MCDEX (2021-06) — Rewards - Bug Bounties
- Method: Mcdex’s broker.sol contract has a batchtrade() function that
does not validate user input against external data
- Source: [1]
- Audit Report: [1]
PancakeHunny
(2021-06): $ 112,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
AutoShark
Finance (2021-05): $ 750,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Spartan
Protocol (2021-05): $ 30,000,000 — Contract Vulnerabilities
- Method: Logic error, use slippage correction mechanism
- Source: [1]
- Audit Report: [1]
PancakeSwap
(2021-04): $ 1,800,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
DODO (2021-03): $ 1,920,000
— Flash Loans
- Method: Flash loan attack
- Source: [1]
Yearn Finance
(2021-02): $ 2,800,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
Akropolis
(2020-11): $ 2,030,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
- Audit Report: [1]
Harvest Finance
(2020-10): $ 21,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Harvest
Finance (2020-09) — Contract Vulnerabilities
- Method: Withdraw logic error
- Source: [1]
- Audit Report: [1]
bZx (2020-09): $
8,000,000 — Contract Vulnerabilities
bZx (2020-02): $ 645,000 —
Flash Loans
bZx (2020-02): $
350,000 — Contract Vulnerabilities
- Method: Safety checks did not work
- Source: [1]
- Audit Report: [1]
[2]
[3]
[4]
bZx (2019-09) — Scams
- Method: Sandwich attack, oracle price manipulation
- Source: [1]
- Audit Report: [1]
[2]
[3]
[4]
Certona
1 incident
Optics (2021-11) —
Contract Vulnerabilities
- Method: Unauthorized function activation
Chainsulting
1 incident
Agave
Finance (2022-03): $ 5,500,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
- Audit Report: [1]
CoinInspect
3 incidents
Vesper
Finance (2021-12): $ 1,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
Vesper
Finance (2021-11): $ 3,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
Vesper Finance
(2021-03) — Rewards - Bug Bounties
- Method: A malicious user could have stolen the yield generated by
vesper’s strategies through intercepting the rebalance swap from the
weth/vsp pool on uniswap.
- Source: [1]
Coinsult
3 incidents
JUMPN Finance (2022-10): $
692,429 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
JUMPN Finance (2022-10):
$ 1,155,810 — Scams
- Method: Rug pull
- Source: [1]
[2]
- Audit Report: [1]
Social2E (2022-09): $ 52,821 —
Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Consensys Diligence
6 incidents
Fei
Protocol (2022-04): $ 80,000,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
- Audit Report: [1]
Meter.io
(2022-02): $ 7,700,000 — Contract Vulnerabilities
- Method: Incorrect token wrap and unwrapping validation
- Source: [1]
[2]
- Audit Report: [1]
Definer
(2021-12): $ 10,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Fei Protocol (2021-05) — Rewards - Bug Bounties
- Method: The issue is that anyone can call allocate(), which takes
the protocol-controlled value (eth controlled by the protocol, pcv) and
puts it into the uniswap pool at the prevailing market rate (and not the
eth/usd oracle price, as designed).
- Source: [1]
- Audit Report: [1]
Fei Protocol
(2021-05) — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Fei Protocol (2021-04) — Rewards - Bug Bounties
- Method: Manipulation of peg and reward
- Source: [1]
- Audit Report: [1]
Contract Checker
1 incident
SuperStep (2022-07): $ 250,000
— Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Cryptonics
4 incidents
Mirror
Protocol (2022-05): $ 2,000,000 — Contract Vulnerabilities
- Method: Oracle price bug
- Source: [1]
Anchor Protocol
(2022-04): $ 134,897 — Scams
- Method: Phishing, google ads
- Source: [1]
[2]
Mirror Protocol
(2021-12): $ 73,700 — Scams
- Method: Phishing, fake governance voting
- Source: [1]
Mirror
Protocol (2021-10): $ 90,000,000 — Contract Vulnerabilities
Cyber Unit
3 incidents
Mirror
Protocol (2022-05): $ 2,000,000 — Contract Vulnerabilities
- Method: Oracle price bug
- Source: [1]
Mirror Protocol
(2021-12): $ 73,700 — Scams
- Method: Phishing, fake governance voting
- Source: [1]
Mirror
Protocol (2021-10): $ 90,000,000 — Contract Vulnerabilities
Cyberscope
4 incidents
USDT Defi (2022-11): $ 428,456
— Scams
- Method: Rug pull
- Source: [1]
[2]
- Audit Report: [1]
PokemonFi (2022-08): $ 708,000
— Scams
- Method: Rug pull
- Source: [1]
[2]
- Audit Report: [1]
Nut2Earn (2022-08): $ 138,940 —
Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Hospo LP
(2022-04): $ 260,000 — Contract Vulnerabilities
- Method: Visibility issue, price manipulation
- Source: [1]
- Audit Report: [1]
Dedaub
1 incident
Mochi Inu (2021-11) —
Governance
- Method: Governance exploit
- Source: [1]
- Audit Report: [1]
DefiSafety
27 incidents
SushiSwap (2023-03): $
28,400 — Flash Loans
- Method: Price oracle manipulation
- Source: [1]
[2]
- Audit Report: [1]
Compound (2022-08) —
Contract Vulnerabilities
- Method: Price oracle error
- Source: [1]
- Audit Report: [1]
Inverse
Finance (2022-06): $ 1,260,000 — Contract Vulnerabilities
- Method: Price oracle manipulation
- Source: [1]
[2]
[3]
- Audit Report: [1]
Inverse
Finance (2022-04): $ 15,600,000 — Contract Vulnerabilities
- Method: Price oracle manipulation
- Source: [1]
- Audit Report: [1]
Vesper
Finance (2021-12): $ 1,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Visor
Finance (2021-12): $ 8,200,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
[2]
- Audit Report: [1]
Visor Finance
(2021-11): $ 975,720 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
dYdX (2021-11):
$ 211,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Curve Finance
(2021-11): $ 30,000,000 — Governance
- Method: Governance exploit
- Source: [1]
- Audit Report: [1]
Vesper
Finance (2021-11): $ 3,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Alpha
Finance (2021-10): $ 164,000 — Contract Vulnerabilities
- Method: Sandwich attack
- Audit Report: [1]
PancakeHunny
(2021-10): $ 1,934,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Compound
(2021-10): $ 68,800,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
AutoShark
Finance (2021-10): $ 580,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Compound
(2021-09): $ 89,000,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
dYdX (2021-09):
$ 1,798,784 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
Visor Finance
(2021-06): $ 504,845 — Unknown
- Method: Unknown
- Source: [1]
- Audit Report: [1]
Iron
Finance (2021-06): $ 280,000 — Contract Vulnerabilities
- Method: Logic error, reentrancy attack
- Source: [1]
- Audit Report: [1]
PancakeHunny
(2021-06): $ 112,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Pancake Bunny
(2021-05): $ 45,000,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Iron
Finance (2021-03): $ 170,000 — Contract Vulnerabilities
- Method: Change the reward rate integer
- Source: [1]
- Audit Report: [1]
Vesper Finance
(2021-03) — Rewards - Bug Bounties
- Method: A malicious user could have stolen the yield generated by
vesper’s strategies through intercepting the rebalance swap from the
weth/vsp pool on uniswap.
- Source: [1]
- Audit Report: [1]
Curve Finance
(2021-03) — Contract Vulnerabilities
- Method: Pool factory v1 vulnerability
- Audit Report: [1]
SushiSwap
(2021-01): $ 103,842 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
SushiSwap
(2020-11): $ 15,000 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
Compound (2020-11) —
Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Curve Finance (2020-10): $ 20
— Scams
- Method: Phishing attack
- Audit Report: [1]
DPTech
1 incident
Roco
Finance (2022-01): $ 70,000 — Contract Vulnerabilities
- Method: Manipulation of reward values
- Source: [1]
- Audit Report: [1]
Entropy
1 incident
Float
Protocol (2022-01): $ 25,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Ether Authority
2 incidents
10mb Finance (2022-07) — Scams
- Method: Rug pull
- Audit Report: [1]
Fortress
Loans (2022-05): $ 2,957,364 — Contract Vulnerabilities
- Method: Oracle price manipulation
- Source: [1]
- Audit Report: [1]
FairyProof
1 incident
FilDA
(2022-04): $ 1,677,000 — Contract Vulnerabilities
- Method: Does not handle flashloans of erc677 tokens properly
- Source: [1]
- Audit Report: [1]
FP Complete
1 incident
Hedera
(2023-03): $ 600,000 — Contract Vulnerabilities
- Method: Escalate privileges using delegate call to precompiled
contract
- Source: [1] [2]
[3]
[4]
- Audit Report: [1]
Hack MD
1 incident
Alethea AI (2022-03): $
1,800,000 — Scams
- Method: Phishing, discord
- Source: [1]
[2]
- Audit Report: [1]
Hacken
6 incidents
Paribus
(2023-04): $ 70,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
[2]
- Audit Report: [1]
ArivaCoin (2022-02): $
600,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Bent Finance (2021-12) —
Insider Theft
- Method: Malicious backdoor, insider theft
- Source: [1]
Merlin
Labs (2021-06): $ 300,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
[2]
- Audit Report: [1]
Merlin Labs (2021-05):
$ 550,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Merlin Labs (2021-05):
$ 680,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Haechi
8 incidents
Rodeo
Finance (2023-06): $ 541,500 — Contract Vulnerabilities
- Method: Balance manipulation and untrusted external call
- Source: [1]
[2]
- Audit Report: [1]
Harvest Finance (2021-10)
— Near-Miss
- Method: Uninitialized proxies bug
- Source: [1]
- Audit Report: [1]
Belt Finance
(2021-08) — Rewards - Bug Bounties
- Method: Logic error causing issuance of excess shares for new
deposits
- Source: [1]
- Audit Report: [1]
PancakeBunny
(2021-07): $ 2,400,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Belt Finance
(2021-05): $ 6,230,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Pancake Bunny
(2021-05): $ 45,000,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Harvest
Finance (2020-10): $ 21,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Harvest
Finance (2020-09) — Contract Vulnerabilities
- Method: Withdraw logic error
- Source: [1]
- Audit Report: [1]
Halborn
8 incidents
SushiSwap (2023-03): $
28,400 — Flash Loans
- Method: Price oracle manipulation
- Source: [1]
[2]
- Audit Report: [1]
Avalanche (2022-09) —
Rewards - Bug Bounties
- Method: Bypassing validation checks relating to native asset call
unique to avalanche c-chain
- Source: [1]
[2]
- Audit Report: [1]
[2]
[3]
[4]
[5]
Stader
NearX (2022-08): $ 830,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
- Audit Report: [1]
MonoX
(2021-11): $ 31,000,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
Tidal Finance
(2021-07) — Rewards - Bug Bounties
- Method: Logic error in reward calculation allowing malicious user to
take rewards generated from staking that they are not entitled to.
- Source: [1]
- Audit Report: [1]
SushiSwap
(2021-01): $ 103,842 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
SushiSwap
(2020-11): $ 15,000 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
Bancor
(2020-06): $ 135,229 — Contract Vulnerabilities
- Method: Logical error, incorrect visibility method
- Source: [1]
- Audit Report: [1]
Hash0x
1 incident
Fortress
Loans (2022-05): $ 2,957,364 — Contract Vulnerabilities
- Method: Oracle price manipulation
- Source: [1]
- Audit Report: [1]
Hats Finance
1 incident
Raft Finance
(2023-11): $ 6,700,000 — Flash Loans
HazeCrypto
1 incident
BNB Brokers (2022-04): $
140,730 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Hexlant
2 incidents
PancakeBunny
(2021-07): $ 2,400,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Pancake Bunny
(2021-05): $ 45,000,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
InterFi Network
4 incidents
SheepFarm
(2022-11): $ 83,497 — Contract Vulnerabilities
- Method: Incorrect user validation
- Source: [1]
- Audit Report: [1]
Day of Defeat (2022-05):
$ 1,350,000 — Scams
BNB Defi (2022-03): $ 111,180 —
Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Day of
Defeat (2022-03): $ 140,000 — Contract Vulnerabilities
- Method: Logic error, opening conditions, possible loopholes
- Source: [1]
- Audit Report: [1]
IOActive
1 incident
Pando
(2022-11): $ 20,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation attack
- Source: [1]
- Audit Report: [1]
KnownSec
1 incident
SashimiSwap
(2021-12): $ 335,000 — Contract Vulnerabilities
- Method: Logic error, swap function error
- Source: [1] [2]
- Audit Report: [1]
Kudelski Security
2 incidents
Solend (2022-11): $
1,260,000 — Flash Loans
- Method: Oracle attack
- Source: [1]
- Audit Report: [1]
Solend
(2021-08): $ 16,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
LeastAuthority
4 incidents
Pando
(2022-11): $ 20,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation attack
- Source: [1]
Harvest Finance (2021-10)
— Near-Miss
- Method: Uninitialized proxies bug
- Source: [1]
- Audit Report: [1]
Harvest
Finance (2020-10): $ 21,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Harvest
Finance (2020-09) — Contract Vulnerabilities
- Method: Withdraw logic error
- Source: [1]
- Audit Report: [1]
Lunaray
1 incident
PandoraDAO (2022-06): $
128,122 — Flash Loans
- Method: Price manipulation
- Source: [1]
[2]
- Audit Report: [1]
Lunaray Technology
1 incident
El
Dorado Exchange (2023-05): $ 683,915 — Contract Vulnerabilities
Machine Learning Mike
1 incident
CrossWiseFi
(2022-01): $ 879,000 — Contract Vulnerabilities
- Method: Expose privilege function, hijack owner
- Source: [1]
- Audit Report: [1]
MarketMove
1 incident
Robot Shib (2022-08): $ 14,517
— Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Maxsam
1 incident
Cover
Protocol (2020-12): $ 9,400,000 — Contract Vulnerabilities
- Method: Unlimited minting
- Source: [1]
1 incident
Bent Finance (2021-12) —
Insider Theft
- Method: Malicious backdoor, insider theft
- Source: [1]
- Audit Report: [1]
MixBytes
3 incidents
Convex Finance
(2022-03) — Contract Vulnerabilities
- Method: Logic error, allow expired locks to relock
- Source: [1]
- Audit Report: [1]
Yearn Finance
(2021-02): $ 2,800,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Cover
Protocol (2020-12): $ 9,400,000 — Contract Vulnerabilities
- Method: Unlimited minting
- Source: [1]
- Audit Report: [1]
Monoceros Alpha
2 incidents
Xave Finance
(2023-11) — Contract Vulnerabilities
- Method: Unknown
- Source: [1]
- Audit Report: [1]
Xave Finance
(2022-10) — Contract Vulnerabilities
- Method: Lack of access control to daomodule
- Source: [1]
- Audit Report: [1]
Neodyme AG
3 incidents
Mango Market
(2022-10): $ 116,000,000 — Flash Loans
- Method: Price manipulation
- Source: [1]
[2]
- Audit Report: [1]
Wormhole Network (2022-02)
— Near-Miss
- Method: Logic error allowing obligation collateral to be liquidated
at a quicker pace than the borrow is being repaid.
- Source: [1]
- Audit Report: [1]
Wormhole
Network (2022-02): $ 326,000,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Obelisk
1 incident
Tomb Finance (2021-09): $
8,000,000 — Scams
- Method: Fake web site
- Source: [1] [2]
- Audit Report: [1]
Oberlisk
1 incident
Fantasm
Finance (2022-03): $ 2,718,900 — Contract Vulnerabilities
- Method: Logic error allowing more to be redeemed than should be.
- Source: [1]
- Audit Report: [1]
Omniscia
3 incidents
Beanstalk
Protocol (2022-04): $ 80,000,000 — Flash Loans
- Method: Logic error, poor governance
- Source: [1]
[2]
[3]
- Audit Report: [1]
Redacted Cartel (2022-01) —
Near-Miss
- Method: Logic error in custom approval
- Source: [1]
- Audit Report: [1]
OlympusDAO
(2021-11): $ 50,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
OpenZeppelin
12 incidents
Balancer (2022-05) — Near-Miss
- Method: Vulnerable to the usage of flash loans to create dos
- Source: [1]
- Audit Report: [1]
Fei
Protocol (2022-04): $ 80,000,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
- Audit Report: [1]
Saddle
Finance (2022-04): $ 10,000,000 — Contract Vulnerabilities
- Method: Incorrect library utilized to calculate swap
- Source: [1]
[2]
[3]
- Audit Report: [1] [2]
Optics (2021-11) —
Contract Vulnerabilities
- Method: Unauthorized function activation
- Audit Report: [1]
Alpha
Finance (2021-10): $ 164,000 — Contract Vulnerabilities
- Method: Sandwich attack
- Audit Report: [1]
Fei Protocol (2021-05) — Rewards - Bug Bounties
- Method: The issue is that anyone can call allocate(), which takes
the protocol-controlled value (eth controlled by the protocol, pcv) and
puts it into the uniswap pool at the prevailing market rate (and not the
eth/usd oracle price, as designed).
- Source: [1]
- Audit Report: [1]
Fei Protocol
(2021-05) — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Fei Protocol (2021-04) — Rewards - Bug Bounties
- Method: Manipulation of peg and reward
- Source: [1]
- Audit Report: [1]
Alpha Finance
(2021-02): $ 37,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Opyn
(2020-08): $ 371,260 — Contract Vulnerabilities
- Method: Logic error, no real-time verification of actual
balance
- Source: [1]
- Audit Report: [1]
[2]
Balancer (2020-06): $ 2,300
— Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Balancer
(2020-06): $ 500,000 — Contract Vulnerabilities
- Method: Deflationary token compatibility issues
- Source: [1]
- Audit Report: [1]
Paladin
1 incident
VultureSwap
Finance (2021-12): $ 446,572 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
PeckShield
38 incidents
SushiSwap (2023-03): $
28,400 — Flash Loans
- Method: Price oracle manipulation
- Source: [1]
[2]
- Audit Report: [1]
Earning
Farm (2022-10): $ 989,250 — Contract Vulnerabilities
- Method: Logic error and lack of access control.
- Source: [1]
[2]
[3]
- Audit Report: [1]
88mph (2022-09) — Rewards - Bug Bounties
- Method: Timelock vulnerability
- Source: [1]
- Audit Report: [1]
[2]
FilDA
(2022-04): $ 1,677,000 — Contract Vulnerabilities
- Method: Does not handle flashloans of erc677 tokens properly
- Source: [1]
- Audit Report: [1]
Superfluid
Finance (2022-02): $ 8,700,000 — Contract Vulnerabilities
- Method: Forged ctx data (sharing communication between protocols) to
spoof the contract.
- Source: [1]
[2]
- Audit Report: [1]
MonoX
(2021-11): $ 31,000,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
OlympusDAO
(2021-11): $ 50,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Alpha
Finance (2021-10): $ 164,000 — Contract Vulnerabilities
- Method: Sandwich attack
- Audit Report: [1]
Harvest Finance (2021-10)
— Near-Miss
- Method: Uninitialized proxies bug
- Source: [1]
- Audit Report: [1]
88mph (2021-06) — Rewards - Bug Bounties
- Method: Unprotected initialization function - missing onlyowner
modifier
- Source: [1]
- Audit Report: [1]
[2]
BurgerSwap
(2021-06): $ 200,000 — Contract Vulnerabilities
- Method: Reentrancy attack
- Audit Report: [1]
BurgerSwap (2021-05):
$ 7,000,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
PancakeSwap
(2021-05) — Rewards - Bug Bounties
- Method: Exposed api key and allowing content injection attack
- Source: [1]
- Audit Report: [1]
xToken
(2021-05): $ 25,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
Value
DeFi (2021-05): $ 11,000,000 — Contract Vulnerabilities
Value
DeFi (2021-05): $ 5,817,780 — Contract Vulnerabilities
- Method: Lack of access control
- Source: [1]
- Audit Report: [1]
PancakeSwap
(2021-04) — Rewards - Bug Bounties
- Method: Lack of validation on previously claimed ticket, allowing
multiple claims on the same ticket
- Source: [1]
- Audit Report: [1]
PancakeSwap
(2021-04): $ 1,800,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
DODO (2021-03): $
1,920,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
[2]
PancakeSwap
(2021-02) — Rewards - Bug Bounties
- Method: The problem is that the multibuy method, which allows users
to buy multiple tickets in the same transaction to save gas, didn’t
prevent users from buying a ticket while the lottery was still in the
drawing phase. This means that a user could see the transaction to draw
the winning lottery number, compute it, and buy that ticket.
- Source: [1]
- Audit Report: [1]
Alpha Finance
(2021-02): $ 37,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
BT Finance (2021-02):
$ 1,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Yearn Finance
(2021-02): $ 2,800,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
SushiSwap
(2021-01): $ 103,842 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
Cover
Protocol (2020-12): $ 9,400,000 — Contract Vulnerabilities
- Method: Unlimited minting
- Source: [1]
SushiSwap
(2020-11): $ 15,000 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
88mph (2020-11) —
Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
[2]
Value DeFi
(2020-11): $ 6,000,000 — Flash Loans
- Method: Flash loan attack, oracle manipulation
- Source: [1]
- Audit Report: [1]
Harvest
Finance (2020-10): $ 21,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Harvest
Finance (2020-09) — Contract Vulnerabilities
- Method: Withdraw logic error
- Source: [1]
- Audit Report: [1]
bZx (2020-09):
$ 8,000,000 — Contract Vulnerabilities
- Method: Token duplication
- Source: [1]
- Audit Report: [1]
Opyn
(2020-08): $ 371,260 — Contract Vulnerabilities
- Method: Logic error, no real-time verification of actual
balance
- Source: [1]
- Audit Report: [1]
Bancor
(2020-06): $ 135,229 — Contract Vulnerabilities
- Method: Logical error, incorrect visibility method
- Source: [1]
- Audit Report: [1]
MakerDAO
(2020-03): $ 7,900,000 — Abnormal Interactions
- Method: Abnormal liquidation
- Audit Report: [1]
bZx (2020-02): $ 645,000 —
Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
bZx (2020-02):
$ 350,000 — Contract Vulnerabilities
- Method: Safety checks did not work
- Source: [1]
- Audit Report: [1]
bZx (2019-09) — Scams
- Method: Sandwich attack, oracle price manipulation
- Source: [1]
- Audit Report: [1]
MakerDAO (2019-08) —
Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Pessimistic
3 incidents
Value
DeFi (2021-05): $ 11,000,000 — Contract Vulnerabilities
Value
DeFi (2021-05): $ 5,817,780 — Contract Vulnerabilities
- Method: Lack of access control
- Source: [1]
- Audit Report: [1]
Value DeFi
(2020-11): $ 6,000,000 — Flash Loans
- Method: Flash loan attack, oracle manipulation
- Source: [1]
- Audit Report: [1]
pickax
1 incidents
DFX
Finance (2022-11): $ 4,000,000 — Contract Vulnerabilities
- Method: Lack of reentrancy protection
- Source: [1]
[2]
[3]
- Audit Report: [1]
Quantstamp
14 incidents
Teleport DAO (2023-11): $
194,251 — Unknown
- Method: Unknown
- Source: [1] [2]
- Audit Report: [1]
SushiSwap (2023-03): $
28,400 — Flash Loans
- Method: Price oracle manipulation
- Source: [1]
[2]
- Audit Report: [1]
Nomad
Bridge (2022-08): $ 190,000,000 — Contract Vulnerabilities
- Method: Lack of validation of transaction input
- Source: [1]
[2]
[3]
[4]
[5]
- Audit Report: [1]
Saddle
Finance (2022-04): $ 10,000,000 — Contract Vulnerabilities
- Method: Incorrect library utilized to calculate swap
- Source: [1]
[2]
[3]
- Audit Report: [1]
[2]
[3]
Alpha
Finance (2021-10): $ 164,000 — Contract Vulnerabilities
- Method: Sandwich attack
- Audit Report: [1]
Lido Finance
(2021-10) — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
xToken (2021-08): $
4,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Popsicle
Finance (2021-08): $ 20,000,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
MCDEX (2021-06) —
Rewards - Bug Bounties
- Method: MCDEX’s broker.sol contract has a batchtrade() function that
does not validate user input against external data
- Source: [1]
- Audit Report: [1]
Rari
Capital (2021-05): $ 11,000,000 — Contract Vulnerabilities
Alpha Finance
(2021-02): $ 37,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
SushiSwap
(2021-01): $ 103,842 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
Rari Capital
(2020-11) — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Audit Report: [1] [2]
[3]
[4]
SushiSwap
(2020-11): $ 15,000 — Contract Vulnerabilities
- Method: Manipulate the exchange price of trading pairs
- Source: [1]
- Audit Report: [1]
RD Auditors
2 incidents
Pokemoney (Neko
Gold) (2022-05): $ 3,500,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Linked
Finance World (2022-04): $ 219,000 — Contract Vulnerabilities
- Method: Logic error, k invariant error in swap function
- Source: [1]
- Audit Report: [1]
RugFreeCoins
2 incidents
MaxAPYFinance (2022-05): $
130,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
MaxAPYFinance (2022-04): $
440,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Runtime Verification
4 incidents
Maiar
Exchange (2022-06): $ 113,000,000 — Contract Vulnerabilities
Tinyman
Pools (2022-01): $ 3,500,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
MakerDAO
(2020-03): $ 7,900,000 — Abnormal Interactions
- Method: Abnormal liquidation
- Audit Report: [1]
MakerDAO (2019-08)
— Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Sec3
1 incidents
Nirvana Finance
(2022-07): $ 3,490,000 — Flash Loans
- Method: Logic error
- Source: [1] [2]
- Audit Report: [1]
Security Network
1 incidents
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Security Research Labs
1 incidents
Acala
Network (2022-08): $ 342,100 — Contract Vulnerabilities
Several
1 incidents
ParaSpace (2023-03)
— Contract Vulnerabilities
- Method: Flawed logic allowing more borrow than deposit
- Source: [1]
[2]
[3]
[4]
- Audit Report: [1]
Sherlock
1 incidents
Euler Finance
(2023-03): $ 197,000,000 — Flash Loans
- Method: Lack of liquidity check in the donatetoreserves()
function
- Source: [1]
[2]
[3]
[4]
[5]
- Audit Report: [1]
Sigma Prime
4 incidents
Aurora Engine
(2022-06) — Rewards - Bug Bounties
- Method: Withdrawn function logic error
- Source: [1]
- Audit Report: [1]
Aurora Engine
(2022-06) — Rewards - Bug Bounties
- Method: Improper input sanitization allowing exploiter to manipulate
&args inputs
- Source: [1]
- Audit Report: [1]
Aurora Engine
(2022-06) — Rewards - Bug Bounties
- Method: Infinite minting
- Source: [1]
[2]
- Audit Report: [1]
Lido Finance
(2021-10) — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
SlowMist
14 incidents
Multichain
(Anyswap) (2023-11): $ 260,636 — Contract Vulnerabilities
- Method: Lack of access control
- Source: [1]
- Audit Report: [1]
ForTube
Finance (2023-04): $ 78,890 — Contract Vulnerabilities
- Method: Logic error, failure to account for changes to
totalsupply
- Source: [1]
- Audit Report: [1]
Earning
Farm (2022-10): $ 989,250 — Contract Vulnerabilities
- Method: Logic error and lack of access control.
- Source: [1]
[2]
[3]
- Audit Report: [1]
FilDA
(2022-04): $ 1,677,000 — Contract Vulnerabilities
- Method: Does not handle flashloans of erc677 tokens properly
- Source: [1]
- Audit Report: [1]
Umbrella
Network (2022-03): $ 700,000 — Contract Vulnerabilities
- Method: Integer underflow
- Source: [1]
- Audit Report: [1]
Flurry
Finance (2022-02): $ 250,668 — Contract Vulnerabilities
- Method: External dependencies
- Source: [1]
- Audit Report: [1]
Multichain
(Anyswap) (2022-01): $ 1,340,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Lever (2021-11): $ 652,942
— Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
[3]
Vee
Finance (2021-09): $ 35,000,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
PancakeSwap
(2021-05) — Rewards - Bug Bounties
- Method: Exposed API key, allowing content injection attack
- Source: [1]
- Audit Report: [1]
PancakeSwap
(2021-04) — Rewards - Bug Bounties
- Method: Lack of validation on previously claimed ticket, allowing
multiple claims on the same ticket
- Source: [1]
- Audit Report: [1]
PancakeSwap
(2021-04): $ 1,800,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
[2]
[3]
PancakeSwap
(2021-02) — Rewards - Bug Bounties
- Method: The problem is that the multibuy method, which allows users
to buy multiple tickets in the same transaction to save gas, didn’t
prevent users from buying a ticket while the lottery was still in the
drawing phase. This means that a user could see the transaction to draw
the winning lottery number, compute it, and buy that ticket.
- Source: [1]
- Audit Report: [1]
Cheese Bank
(2020-11): $ 3,300,000 — Flash Loans
- Method: Flash loan attack, oracle manipulation
- Source: [1]
[2]
[3]
Smart state
1 incidents
Neko
Network (Maze Protocol) (2021-08): $ 3,800,000 — Contract
Vulnerabilities
- Method: Protocol vulnerabilities
- Source: [1]
[2]
[3]
- Audit Report: [1]
soken
2 incidents
Teddy Doge (2022-07): $
4,500,000 — Scams
- Method: Rug pull
- Source: [1]
[2]
- Audit Report: [1]
NOVO Protocol
(2022-05): $ 85,000 — Flash Loans
- Method: Arbitrage
- Source: [1]
- Audit Report: [1]
Solidified
3 incidents
Anchor Protocol
(2022-04): $ 134,897 — Scams
- Method: Phishing, google ads
- Source: [1]
[2]
Ola
Finance (Voltage Finance) (2022-03): $ 3,500,000 — Contract
Vulnerabilities
- Method: Reentrancy attack
- Source: [1]
[2]
- Audit Report: [1]
Sandbox (2022-02) —
Contract Vulnerabilities
- Method: Unguarded burn function
- Source: [1]
- Audit Report: [1]
[2]
[3]
Solidity Finance
17 incidents
Elephant Money
(2023-12): $ 163,801 — Flash Loans
- Method: Lack of access control on privileged functions and no
slippage protection on swap
- Source: [1]
- Audit Report: [1]
SAFUU Token (2022-09): $
6,073,083 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Reaper
Farm (2022-08): $ 1,698,704 — Contract Vulnerabilities
- Method: Lack of verification, faulty erc-4626 implementation
- Source: [1]
[2]
[3]
- Audit Report: [1]
Feed Every
Gorilla (FEG) (2022-05): $ 590,000 — Flash Loans
- Method: Logic error, unchecked spending
- Source: [1]
- Audit Report: [1]
Scream
Protocol (2022-05): $ 35,000,000 — Contract Vulnerabilities
- Method: Incorrect price oracle, hardcode stablecoin price
- Source: [1]
[2]
[3]
- Audit Report: [1]
Feed Every
Gorilla (FEG) (2022-05): $ 1,300,000 — Flash Loans
- Method: Logic error, unchecked spending
- Source: [1]
[2]
- Audit Report: [1]
Pragma Money (2022-05): $
1,503,506 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
Deus Finance
(2022-04): $ 13,400,000 — Flash Loans
- Method: Oracle manipulation
- Source: [1]
[2]
[3]
- Audit Report: [1]
Elephant
Money (2022-04): $ 11,200,000 — Contract Vulnerabilities
- Method: Price manipulation
- Source: [1]
[2]
- Audit Report: [1]
Starstream
Finance (2022-04): $ 8,200,000 — Contract Vulnerabilities
- Method: Visibility issue
- Source: [1]
- Audit Report: [1]
Revest
Finance (2022-03): $ 2,200,000 — Contract Vulnerabilities
- Method: Lack of input validation, reentrancy
- Source: [1]
[2]
- Audit Report: [1]
Deus
Finance (2022-03): $ 3,000,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Royal Protocol
(2022-03): $ 412,000 — Insider Theft
- Method: Private key leak, hot wallet, insider theft
- Source: [1]
- Audit Report: [1]
Titano
Finance (2022-02): $ 1,900,000 — Contract Vulnerabilities
- Method: Logic error
- Source: [1]
- Audit Report: [1]
Grim
Finance (2021-12): $ 30,000,000 — Contract Vulnerabilities
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Eleven Finance
(2021-06): $ 4,500,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
- Audit Report: [1]
Compounder Finance
(2020-12): $ 10,800,000 — Scams
- Method: Backdoor rugpull from rogue developers
- Source: [1]
- Audit Report: [1]
SolidProof
3 incidents
Corgi Finance (2022-09): $
120,582 — Scams
- Method: Rug pull
- Source: [1]
[2]
- Audit Report: [1]
CryptosTribe (2022-07): $
226,844 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
DecentraWorld (2022-05):
$ 1,278,995 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
SOOHO
2 incidents
Belt Finance
(2021-08) — Rewards - Bug Bounties
- Method: Logic error causing issuance of excess shares for new
deposits
- Source: [1]
Belt Finance
(2021-05): $ 6,230,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
[2]
Sovryn
2 incidents
Sovryn (2022-10): $
1,109,645 — Flash Loans
- Method: Price manipulation
- Source: [1] [2]
- Audit Report: [1]
[2]
Sovryn (2021-03) —
Rewards - Bug Bounties
- Method: A malicious user could call borrow(), pass a valid
loanid/borrower pair (each loanid maps to a borrower address), and then
enter an arbitrary address for the receiver parameter.
- Source: [1]
- Audit Report: [1]
[2]
Spade Solidity
2 incidents
2omb Finance
(2022-04): $ 81,671 — Flash Loans
- Method: Arbitrage
- Source: [1]
- Audit Report: [1]
Unicorn Nodes (2022-04): $
364,116 — Scams
Taka Security
1 incidents
Definer
(2021-12): $ 10,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Tech Audit
1 incidents
Starstream
Finance (2022-04): $ 8,200,000 — Contract Vulnerabilities
- Method: Visibility issue
- Source: [1]
- Audit Report: [1]
TechRate
4 incidents
Transhuman
Coin (2022-11): $ 11,232 — Contract Vulnerabilities
- Method: Logic error in reward calculation
- Source: [1]
- Audit Report: [1]
Saitama
Inu (2022-03): $ 1,512,310 — Contract Vulnerabilities
- Method: Arbitrage attack
- Source: [1]
- Audit Report: [1]
StableMagnet (2021-06): $
22,314,000 — Scams
- Method: Rug pull
- Source: [1]
- Audit Report: [1]
EvoDefi (2021-06): $
1,000,000 — Flash Loans
- Method: Flash loan attack
- Audit Report: [1]
Theori
1 incidents
Qubit
Finance (2022-01): $ 80,000,000 — Contract Vulnerabilities
- Method: Lack of validation
- Source: [1]
- Audit Report: [1]
Trail of Bits
13 incidents
Raft Finance
(2023-11): $ 6,700,000 — Flash Loans
Bribe Protocol
(2022-09): $ 5,500,000 — Scams
- Method: Rug pull
- Source: [1] [2]
- Audit Report: [1]
Goldfinch
Finance (2022-06): $ 541,000 — Flash Loans
- Method: Price arbitrage
- Source: [1]
- Audit Report: [1]
[2]
Multichain
(Anyswap) (2022-01): $ 1,340,000 — Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Definer
(2021-12): $ 10,000 — Contract Vulnerabilities
- Method: Oracle manipulation
- Source: [1]
- Audit Report: [1]
Cream Finance
(2021-10): $ 130,000,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Cream Finance
(2021-08): $ 18,800,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Cream Finance
(2021-06) — Rewards - Bug Bounties
- Method: Logic error in validating whether a given user making a
rewards claim had participated in their liquidity mining program from
the appropriate time
- Source: [1]
- Audit Report: [1]
DODO (2021-03): $
1,920,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
- Audit Report: [1]
Yearn Finance
(2021-02): $ 2,800,000 — Flash Loans
- Method: Flash loan attack
- Source: [1]
Opyn
(2020-08): $ 371,260 — Contract Vulnerabilities
- Method: Logic error, no real-time verification of actual
balance
- Source: [1]
- Audit Report: [1]
MakerDAO
(2020-03): $ 7,900,000 — Abnormal Interactions
- Method: Abnormal liquidation
- Audit Report: [1]
MakerDAO (2019-08)
— Contract Vulnerabilities
- Method: Contract vulnerabilities
- Source: [1]
- Audit Report: [1]
Unknown
1 incidents
Bistroo
(2022-05): $ 47,000 — Contract Vulnerabilities
- Method: Reentrancy attack, erc777
- Source: [1]
- Audit Report: [1]
VeriChains
2 incidents
DragonSB
Finance (2022-04) — Contract Vulnerabilities
Bomb Crypto
(2022-02): $ 1,000 — Contract Vulnerabilities
- Method: Unguarded function
- Source: [1]
- Audit Report: [1]
Zokyo
1 incidents
Team
Finance (TrustSwap) (2022-10): $ 14,500,000 — Contract
Vulnerabilities
- Method: Logic error, lack of access control
- Source: [1]
[2]
[3]
[4]