awesome-smartcontract-hacking
- Project: Firo (formely Zcoin)
Date: 2021-01-19
Summary: 51% attack for 36 hours with 306 blocks reorged.
Impact: 866K FIRO ($4M) double spent on Binance. Firo froze attacker's funds and forked to compensate exchanges.
References:
*
Firo 51% attack post mortem and vote on attackers’ funds by Firo Team
Date: 2021-01-21
Summary: Ongoing spam attack.
Impact: Network slow down.
References:
*
Spam attack (test?) on NANO this morning. 60,000 transactions dumped in 10 minutes... by u/Qwahzi
*
Recent DoS nano network attack and V21.3 fixes by Nano
Date: 2021-02-15
Summary: 51% attack with 560K block orphaned (200 days worth)
Impact: Unknown
References:
*
The Verge Re-Org Attempt: Aftermath by Verge
Date: 2021-02-19
Summary: Project NPM package targeted with a similarly named package.
Impact: Unknown
References:
*
Announcement Tweet
*
How MetaMask’s Latest Security Tool Can Protect Developers From Theft
Date: 2021-05-21
Summary: Market volatility and network congestions caused by the liquidator bots prevent users from re-collaterizing borrow positions.
Impact: Many users liquidated
References:
*
May 19th Market Volatility by Kava
Date: 2021-01-01
Summary: Minting vulnerability exploited
Impact: $11M lost
Type: Hack
References:
*
Deposit Less, Get More: yCredit Attack Details by BlockSecTeam
*
Exploit PoC by Banteg
Date: 2021-01-19
Summary: Price arbirtrage due to high slippage.
Impact: 7.9 BTC ($275K) lost
Type: Hack
References:
*
Saddle Finance - REKT by rekt
*
2021-1 Saddle Finance Arbitrage by Origin Protocol
Date: 2021-01-19
Summary: Misconfiguration exploited to manipulate DIGG-WETH price.
Impact: 81 ETH ($100K) attacker profit
Type: Hack
References:
*
SushiSwap was attacked for the second time by SlowMist
*
Badgers DIGG SUSHI by rekt
*
Replaying Ethereum Hacks - Sushiswap BadgerDAO's Digg by cmichel
Date: 2021-02-04
Summary: Yearn V1 yDAI vault exploited.
Impact: $11M lost
Type: Hack
References:
*
Vulnerability disclosure 2021-02-04 by Yearn Security
*
The yDAI Incident Analysis: Forced Investment by PeckShield
*
A brief analysis of yearn finance being hacked by SlowMist
*
Inside the Yearn v1 yDAI Hack (Feb 2021) by Halborn
*
Yearn - REKT by rekt
*
Yearn Exploit by Origin Protocol
*
Attacker TX on Etherscan
*
Tether Freezes $1.7 Million in Profits From Yearn Finance Hack by Robert Stevens (Decrypt)
Date: 2021-02-09
Summary: rAAVE pool exploited by forcing an LP with a fake token.
Impact: $1.3M (ETH) stolen.
Type: Hack
References:
*
rAAVE Farming Contract Exploit explained by Growth DeFi
*
The Big Combo (Growth DeFi - REKT) by rekt
*
Growth DeFi Exploit by Origin Protocol
Date: 2021-02-09
Summary: Exploit similar to Yearn hack.
Impact: $1.7M stolen.
Type: Hack
References:
*
BT.Finance Exploit analysis report by BT Finance
*
BT.Finance Exploit by Origin Protocol
Date: 2021-02-12
Summary: Smart contract exploited.
Impact: $38M (USDC, DAI, USDT, WETH) stolen.
Type: Hack
References:
*
Alpha Homora V2 Post Mortem by Alpha Homora
*
Alpha Finance - REKT by rekt
Date: 2021-02-24
Summary: Auction was front-run using flash loans.
Impact: Punk #1737 won for 1 Wei.
Type: Hack
References:
*
Announcement Tweet
Date: 2021-02-27
Summary: Exploited by tricking it to use fake AAVE implementation.
Impact: $15M stolen.
Type: Hack
References:
*
Furucombo Post-Mortem March 2021 by Furucombo
*
Analysis of the Furucombo Hack by SlowMist
*
Furucombo - REKT by rekt
*
Furucombo exploit internals by Kurt Barry
*
Replaying Ethereum Hacks - Furucombo by Cmichel
*
2021-2-27 Furucombo Attack by Origin Protocol
Date: 2021-02-27
Summary: Whitehat hack, $166K DAI lost and later recovered.
Impact: N/A.
Type: Hack
References:
*
Announcement Tweet
Date: 2021-03-04
Summary: Tricked into listing a malicious Balancer clone.
Impact: $30K
Type: Hack
References:
*
Post mortem on Zerion’s asset phishing attack by Evgeny Yurtaev
Date: 2021-03-05
Summary: Private keys compromised
Impact: $160M (PAID) minted and sold.
Type: Hack
References:
*
PAID Network Attack Postmortem, March 7, 2021 by PAID
*
Analysis of Paid Network’s Hacked Event by SlowMist
Date: 2021-03-05
Summary: Flaw in accounting logic exploited.
Impact: No funds were lost.
Type: Hack
References:
*
Kava 5 Launch Post-Mortem by Kava
Date: 2021-03-09
Summary: Initialization function was left callable.
Impact: $3.8M lost
Type: Hack
References:
*
DODO Pool Incident Postmortem: With a Little Help from Our Friends by DODO Breeder
*
DODO - REKT by rekt
- Project: True Seigniorage Dollar
Date: 2021-03-13
Summary: Upgrade forced by taking over DAO.
Impact: 11.8B TSD minted and sold
Type: Hack
References:
*
Announcement Tweet
Date: 2021-03-14
Summary: Private keys compromised.
Impact: $5.7M lost
Type: Hack
References:
*
Roll - REKT by rekt
*
A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall by Tim Hakki (Decrypt)
Date: 2021-03-15
Summary: DApp attacked by hijacking DNS
Impact: Unknown
Type: Hack
References:
*
Announcement Tweet
*
Postmortem Report of DNS Hijacking by CREAM
- Project: PancakeSwap Finance
Date: 2021-03-15
Summary: DApp attacked by hijacking DNS
Impact: Unknown
Type: Hack
References:
*
Announcement Tweet
Date: 2021-03-15
Summary: Account hijacking
Impact: NFTs stolen
Type: Hack
References:
*
Announcement Tweet
Date: 2021-03-16
Summary: vFarm reward misconfiguration
Impact: 170K SIL lost
Type: Hack
References:
*
Iron Finance vFarms incident Post-mortem (16 March 2021) by Iron Finance
Date: 2021-03-18
Summary: Contract permissions exploited.
Impact: $12.1M lost and later returned
Type: Hack
References:
*
Follow Up on the Service Outage & All Funds Are SAFU by SIL finance
Date: 2021-03-30
Summary: Transaction volume spam by Delta Finance.
Impact: N/A
Type: Hack
References:
*
$11 Billion in ‘Fake’ Uniswap Volume Causes DeFi Project and DEX to Clash by Jeff Benson (Decrypt)
*
Exploit analysis by Igor Igamberdiev
Date: 2021-04-04
Summary: Insufficient validation on the deposit function.
Impact: $367K stolen. Whitehat saved $9.6M
Type: Hack
References:
*
xFORCE Exploit Post Mortem by ForceDAO
*
Exploit analysis by Igor Igamberdiev
Date: 2021-04-04
Summary: Rebate mechanism exploited.
Impact: $3M (57K DOT) stolen
Type: Hack
References:
*
The response for hacker attack incident from Polkatrain team by Polkatrain
Date: 2021-04-07
Summary: Logic bug exploited.
Impact: $1.5M stolen
Type: Hack
References:
*
Uranium : post-mortem, v2, compensations by Uranium Finance
*
Exploit analysis by @ret2jazzy
- Project: PancakeSwap Lottery
Date: 2021-04-12
Summary: Lottery exploited by administrator.
Impact: $1.8M stolen
Type: Hack
References:
*
$1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool by Crypto Pwnage
*
$1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool - Part II by Crypto Pwnage
Date: 2021-04-27
Summary: Logic bug exploited.
Impact: $51M stolen
Type: Hack
References:
*
Hack announcement
*
Exploit post-mortem by Uranium Finance
*
SlowMist: Analysis of Uranium Finance’s Hacked Event by SlowMist
*
Exploit analysis by @FrankResearcher
*
Uranium Finance - REKT by rekt
- Project: Spartan Protocol
Date: 2021-05-02
Summary: Logic bug exploited.
Impact: $30M stolen
Type: Hack
References:
*
The Spartan Incident: Root Cause Analysis by PeckShield
*
Exploit analysis by @FrankResearcher
*
Spartan Pool Hack by Origin Protocol
Date: 2021-05-06
Summary: Reinitialized pool.
Impact: $10M stolen
Type: Hack
References:
*
Value DeFi - Rekt 2 by rekt
*
Exploit analysis by @FrankResearcher
Date: 2021-05-08
Summary: Incorrect use of exponents.
Impact: $11M stolen
Type: Hack
References:
*
Value DeFi - Rekt 3 by rekt
*
ValueDeFi Incident: Incorrect Weighted Constant Product Invariant Calculation by PeckShield
*
Exploit analysis by @FrankResearcher
Date: 2021-05-08
Summary: Flawed NFT generation.
Impact: Rare $700K NFT generated
Type: Hack
References:
*
Meebits Exploit Analysis and PoC by iphelix
*
Ultra-rare Meebit NFT minted via exploit sells for $765,000 by Liam Frost (Cryptoslate)
Date: 2021-05-08
Summary: Composability vuln.
Impact: $10M stolen
Type: Hack
References:
*
5/8/2021: Rari Capital Ethereum Pool — Post-Mortem by Davic Lucid (Rari Capital)
*
(5/8/21) Rari Capital Exploit Timeline & Analysis by Nipun Pitimanaaree (Alpha Finance)
*
Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
*
Price manipulation attack in reality (again): RariCapital incident by BlockSecTeam
*
Rari Capital - REKT by rekt
*
Hacker mocking Rari Capital by @dudesahn and @bantg
*
Why the Attack Was Possible by @banescusebi and @ridesolo5
*
ETH and
BSC attacker addresses.
Date: 2021-05-14
Summary: Incorrect price calculation.
Impact: $25.5M
Type: Hack
References:
*
Initial Report on xBNTa, xSNXa Exploit by Michael J. Cohen (xToken)
*
Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
*
xToken - REKT by rekt
Date: 2021-05-14
Summary: Reentrancy exploit.
Impact: $13.5M
Type: Hack
References:
*
EOS vaults.sx hack by cmichel
Date: 2021-05-16
Summary: Withdrawal logic vulnerability.
Impact: $11M
Type: Hack
References:
*
bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan by bEarn Fi
*
Bearn.Fi Incident: Inconsistent Asset Denomination Between Vault & Strategy by PeckShield
*
bEarn - REKT by rekt
*
Bearn.Fi Hack by Origin Protocol
Date: 2021-05-18
Summary: Price manipulation
Impact: $200M+ liquidated $100M+ debt
Type: Hack
References:
*
Venus Protocol — Incident Post Mortem by Venus Protocol
*
Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
Date: 2021-05-19
Summary: Minting vulnerability exploited
Impact: 114,631 BNB ($41.8M), 697,245 BUNNY ($8M); 6.97M BUNNY minted and sold, token price collapsed
Type: Hack
References:
*
Official Post Mortem by Pancake Bunny
*
PancakeBunny Incident: Root Cause Analysis by PeckShield
*
BSC attacker address.
*
Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
*
SlowMist: PancakeBunny Hack Analysis by SlowMist
*
BSC PancakeBunny Exploit Post Mortem by Christoph Michel
*
PancakeBunny - REKT by rekt
*
Knownsec Blockchain Lab|Binance SmartChain PancakeBunny (BUNNY) Attack Event Analysis by Knownsec Blockchain Lab
*
The PancakeBunny Bunny Performance Fee Minting Incident Analysis by WatchPug
*
Hack Track: Pancake Bunny Hack by Merkle Science
*
Attacker donates to Rekt by rekt
Date: 2021-05-22
Summary: Minting vulnerability
Impact: $3.6M
Type: Hack
References:
*
BOG Flash Loan Attack: What Happened, and what’s next — Token Migration by Bogged Finance
*
Bogged Finance Incident: Root Cause Analysis by PeckShield
*
Bogged Finance Hack by Origin Protocol
- Project: AutoShark Finance
Date: 2021-05-24
Summary: Minting vulnerability exploited
Impact: $750K (2.2K WBNB)
Type: Hack
References:
*
Autoshark Performance Fee Minting Incident Analysis by WatchPug
*
How AutoShark got economically exploited by AutoShark
*
AutoShark - REKT by rekt
Date: 2021-05-26
Summary: Minting vulnerability exploited
Impact: $680K
Type: Hack
References:
*
Our Road Ahead by Merlin Lab
*
Merlin Lab Enhanced Security Measures by Merlin Lab
*
Merlin Labs - REKT by rekt
*
Exploit Analysis by Peckshield
Date: 2021-05-26
Summary: Price calculation error
Impact: $540K
Type: Hack
References:
*
Our Road Ahead by Merlin Lab
*
Merlin Labs - REKT 2 by rekt
Date: 2021-05-27
Summary: Reentry vulnerability
Impact: $7.2M
Type: Hack
References:
*
BurgerSwap - REKT by rekt
*
Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
*
Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
*
Exploit Analysis by Hayden Adams (@haydenzadams)
*
Exploit Analysis by PeckShield
Date: 2021-05-27
Summary: Contract reinitialized
Impact: $700K
Type: Hack
References:
*
Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
*
Exploit Analysis by Anish Agnihortri (@_anishagnihotri)
Date: 2021-05-27
Summary: Price manipulation using flashloans
Impact: $700K
Type: Hack
References:
*
Flash Loan Farming / JULb / BNB by JustLiquidity (JulSwap)
*
JulSwap V2 Upgrading Its Oracle Mechanism to Chainlink by JustLiquidity (JulSwap)
*
Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
*
Exploit Analysis by PeckShield
*
Exploit Analysis by WatchPug
Date: 2021-05-29
Summary: Price manipulation using flashloans
Impact: $6.2M
Type: Hack
References:
*
May 29 Incident Report by Belt Finance
*
Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
*
Exploit Analysis by PeckShield
*
Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
*
Exploit Analysis by Christoph Michel (@cmichelio)
*
Belt Finance Attack Event Analysis by Knownsec Blockchain Lab
*
Belt - REKT by rekt