awesome-smartcontract-hacking

• Project: Firo (formely Zcoin)
  Date: 2021-01-19
  Summary: 51% attack for 36 hours with 306 blocks reorged.
  Impact: 866K FIRO ($4M) double spent on Binance. Firo froze attacker's funds and forked to compensate exchanges.
  References:

  • Firo 51% attack post mortem and vote on attackers’ funds by Firo Team

• Project: Nano
  Date: 2021-01-21
  Summary: Ongoing spam attack.
  Impact: Network slow down.
  References:

  • Spam attack (test?) on NANO this morning. 60,000 transactions dumped in 10 minutes... by u/Qwahzi
  • Recent DoS nano network attack and V21.3 fixes by Nano

• Project: Verge
  Date: 2021-02-15
  Summary: 51% attack with 560K block orphaned (200 days worth)
  Impact: Unknown
  References:

  • The Verge Re-Org Attempt: Aftermath by Verge

• Project: Hardhat
  Date: 2021-02-19
  Summary: Project NPM package targeted with a similarly named package.
  Impact: Unknown
  References:

  • Announcement Tweet
  • How MetaMask’s Latest Security Tool Can Protect Developers From Theft

• Project: Kava
  Date: 2021-05-21
  Summary: Market volatility and network congestions caused by the liquidator bots prevent users from re-collaterizing borrow positions.
  Impact: Many users liquidated
  References:

  • May 19th Market Volatility by Kava

• Project: yCredit Finance
  Date: 2021-01-01
  Summary: Minting vulnerability exploited
  Impact: $11M lost
  Type: Hack
  References:

  • Deposit Less, Get More: yCredit Attack Details by BlockSecTeam
  • Exploit PoC by Banteg

• Project: Saddle Finance
  Date: 2021-01-19
  Summary: Price arbirtrage due to high slippage.
  Impact: 7.9 BTC ($275K) lost
  Type: Hack
  References:

  • Saddle Finance - REKT by rekt
  • 2021-1 Saddle Finance Arbitrage by Origin Protocol

• Project: SushiSwap
  Date: 2021-01-19
  Summary: Misconfiguration exploited to manipulate DIGG-WETH price.
  Impact: 81 ETH ($100K) attacker profit Type: Hack
  References:

  • SushiSwap was attacked for the second time by SlowMist
  • Badgers DIGG SUSHI by rekt
  • Replaying Ethereum Hacks - Sushiswap BadgerDAO's Digg by cmichel

• Project: Yearn
  Date: 2021-02-04
  Summary: Yearn V1 yDAI vault exploited.
  Impact: $11M lost Type: Hack
  References:

  • Vulnerability disclosure 2021-02-04 by Yearn Security
  • The yDAI Incident Analysis: Forced Investment by PeckShield
  • A brief analysis of yearn finance being hacked by SlowMist
  • Inside the Yearn v1 yDAI Hack (Feb 2021) by Halborn
  • Yearn - REKT by rekt
  • Yearn Exploit by Origin Protocol
  • Attacker TX on Etherscan
  • Tether Freezes $1.7 Million in Profits From Yearn Finance Hack by Robert Stevens (Decrypt)

• Project: Growth DeFi
  Date: 2021-02-09
  Summary: rAAVE pool exploited by forcing an LP with a fake token.
  Impact: $1.3M (ETH) stolen. Type: Hack
  References:

  • rAAVE Farming Contract Exploit explained by Growth DeFi
  • The Big Combo (Growth DeFi - REKT) by rekt
  • Growth DeFi Exploit by Origin Protocol

• Project: BT Finance
  Date: 2021-02-09
  Summary: Exploit similar to Yearn hack.
  Impact: $1.7M stolen. Type: Hack
  References:

  • BT.Finance Exploit analysis report by BT Finance
  • BT.Finance Exploit by Origin Protocol

• Project: Alpha Homora
  Date: 2021-02-12
  Summary: Smart contract exploited.
  Impact: $38M (USDC, DAI, USDT, WETH) stolen. Type: Hack
  References:

  • Alpha Homora V2 Post Mortem by Alpha Homora
  • Alpha Finance - REKT by rekt

• Project: CryptoPunks
  Date: 2021-02-24
  Summary: Auction was front-run using flash loans.
  Impact: Punk #1737 won for 1 Wei. Type: Hack
  References:

  • Announcement Tweet

• Project: Furucombo
  Date: 2021-02-27
  Summary: Exploited by tricking it to use fake AAVE implementation.
  Impact: $15M stolen. Type: Hack
  References:

  • Furucombo Post-Mortem March 2021 by Furucombo
  • Analysis of the Furucombo Hack by SlowMist
  • Furucombo - REKT by rekt
  • Furucombo exploit internals by Kurt Barry
  • Replaying Ethereum Hacks - Furucombo by Cmichel
  • 2021-2-27 Furucombo Attack by Origin Protocol

• Project: Yield Finance
  Date: 2021-02-27
  Summary: Whitehat hack, $166K DAI lost and later recovered.
  Impact: N/A. Type: Hack
  References:

  • Announcement Tweet

• Project: Zerion
  Date: 2021-03-04 Summary: Tricked into listing a malicious Balancer clone.
  Impact: $30K
  Type: Hack
  References:

  • Post mortem on Zerion’s asset phishing attack by Evgeny Yurtaev

• Project: PAID Network
  Date: 2021-03-05
  Summary: Private keys compromised Impact: $160M (PAID) minted and sold. Type: Hack
  References:

  • PAID Network Attack Postmortem, March 7, 2021 by PAID
  • Analysis of Paid Network’s Hacked Event by SlowMist

• Project: Kava
  Date: 2021-03-05
  Summary: Flaw in accounting logic exploited. Impact: No funds were lost. Type: Hack
  References:

  • Kava 5 Launch Post-Mortem by Kava

• Project: DODO
  Date: 2021-03-09
  Summary: Initialization function was left callable. Impact: $3.8M lost
  Type: Hack
  References:

  • DODO Pool Incident Postmortem: With a Little Help from Our Friends by DODO Breeder
  • DODO - REKT by rekt

• Project: True Seigniorage Dollar
  Date: 2021-03-13
  Summary: Upgrade forced by taking over DAO. Impact: 11.8B TSD minted and sold
  Type: Hack
  References:

  • Announcement Tweet

• Project: Roll
  Date: 2021-03-14
  Summary: Private keys compromised. Impact: $5.7M lost
  Type: Hack
  References:

  • Roll - REKT by rekt
  • A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall by Tim Hakki (Decrypt)

• Project: Cream Finance
  Date: 2021-03-15
  Summary: DApp attacked by hijacking DNS
  Impact: Unknown
  Type: Hack
  References:

  • Announcement Tweet
  • Postmortem Report of DNS Hijacking by CREAM

• Project: PancakeSwap Finance
  Date: 2021-03-15
  Summary: DApp attacked by hijacking DNS
  Impact: Unknown
  Type: Hack
  References:

  • Announcement Tweet

• Project: Nifty Gateway
  Date: 2021-03-15
  Summary: Account hijacking
  Impact: NFTs stolen
  Type: Hack
  References:

  • Announcement Tweet

• Project: Iron Finance
  Date: 2021-03-16
  Summary: vFarm reward misconfiguration
  Impact: 170K SIL lost
  Type: Hack
  References:

  • Iron Finance vFarms incident Post-mortem (16 March 2021) by Iron Finance

• Project: SIL Finance
  Date: 2021-03-18
  Summary: Contract permissions exploited.
  Impact: $12.1M lost and later returned
  Type: Hack
  References:

  • Follow Up on the Service Outage & All Funds Are SAFU by SIL finance

• Project: Uniswap Info
  Date: 2021-03-30
  Summary: Transaction volume spam by Delta Finance.
  Impact: N/A
  Type: Hack
  References:

  • $11 Billion in ‘Fake’ Uniswap Volume Causes DeFi Project and DEX to Clash by Jeff Benson (Decrypt)
  • Exploit analysis by Igor Igamberdiev

• Project: ForceDAO
  Date: 2021-04-04
  Summary: Insufficient validation on the deposit function.
  Impact: $367K stolen. Whitehat saved $9.6M
  Type: Hack
  References:

  • xFORCE Exploit Post Mortem by ForceDAO
  • Exploit analysis by Igor Igamberdiev

• Project: Polkatrain
  Date: 2021-04-04
  Summary: Rebate mechanism exploited.
  Impact: $3M (57K DOT) stolen
  Type: Hack
  References:

  • The response for hacker attack incident from Polkatrain team by Polkatrain

• Project: Uranium Finance
  Date: 2021-04-07
  Summary: Logic bug exploited.
  Impact: $1.5M stolen
  Type: Hack
  References:

  • Uranium : post-mortem, v2, compensations by Uranium Finance
  • Exploit analysis by @ret2jazzy

• Project: PancakeSwap Lottery
  Date: 2021-04-12
  Summary: Lottery exploited by administrator.
  Impact: $1.8M stolen
  Type: Hack References:

  • $1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool by Crypto Pwnage
  • $1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool - Part II by Crypto Pwnage

• Project: Uranium Finance
  Date: 2021-04-27
  Summary: Logic bug exploited.
  Impact: $51M stolen
  Type: Hack
  References:

  • Hack announcement
  • Exploit post-mortem by Uranium Finance
  • SlowMist: Analysis of Uranium Finance’s Hacked Event by SlowMist
  • Exploit analysis by @FrankResearcher
  • Uranium Finance - REKT by rekt

• Project: Spartan Protocol
  Date: 2021-05-02
  Summary: Logic bug exploited.
  Impact: $30M stolen
  Type: Hack
  References:

  • The Spartan Incident: Root Cause Analysis by PeckShield
  • Exploit analysis by @FrankResearcher
  • Spartan Pool Hack by Origin Protocol

• Project: Value DeFi
  Date: 2021-05-06
  Summary: Reinitialized pool.
  Impact: $10M stolen
  Type: Hack
  References:

  • Value DeFi - Rekt 2 by rekt
  • Exploit analysis by @FrankResearcher

• Project: Value DeFi
  Date: 2021-05-08
  Summary: Incorrect use of exponents.
  Impact: $11M stolen
  Type: Hack
  References:

  • Value DeFi - Rekt 3 by rekt
  • ValueDeFi Incident: Incorrect Weighted Constant Product Invariant Calculation by PeckShield
  • Exploit analysis by @FrankResearcher

• Project: Meebits
  Date: 2021-05-08
  Summary: Flawed NFT generation.
  Impact: Rare $700K NFT generated
  Type: Hack
  References:

  • Meebits Exploit Analysis and PoC by iphelix
  • Ultra-rare Meebit NFT minted via exploit sells for $765,000 by Liam Frost (Cryptoslate)

• Project: Rari Capital
  Date: 2021-05-08
  Summary: Composability vuln.
  Impact: $10M stolen
  Type: Hack
  References:

  • 5/8/2021: Rari Capital Ethereum Pool — Post-Mortem by Davic Lucid (Rari Capital)
  • (5/8/21) Rari Capital Exploit Timeline & Analysis by Nipun Pitimanaaree (Alpha Finance)
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • Price manipulation attack in reality (again): RariCapital incident by BlockSecTeam
  • Rari Capital - REKT by rekt
  • Hacker mocking Rari Capital by @dudesahn and @bantg
  • Why the Attack Was Possible by @banescusebi and @ridesolo5
  • ETH and BSC attacker addresses.

• Project: xToken Market
  Date: 2021-05-14
  Summary: Incorrect price calculation.
  Impact: $25.5M
  Type: Hack References:

  • Initial Report on xBNTa, xSNXa Exploit by Michael J. Cohen (xToken)
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • xToken - REKT by rekt

• Project: Vault.sx
  Date: 2021-05-14
  Summary: Reentrancy exploit.
  Impact: $13.5M
  Type: Hack References:

  • EOS vaults.sx hack by cmichel

• Project: Bearn Finance
  Date: 2021-05-16
  Summary: Withdrawal logic vulnerability.
  Impact: $11M
  Type: Hack References:

  • bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan by bEarn Fi
  • Bearn.Fi Incident: Inconsistent Asset Denomination Between Vault & Strategy by PeckShield
  • bEarn - REKT by rekt
  • Bearn.Fi Hack by Origin Protocol

• Project: Venus Protocol
  Date: 2021-05-18
  Summary: Price manipulation
  Impact: $200M+ liquidated $100M+ debt
  Type: Hack References:

  • Venus Protocol — Incident Post Mortem by Venus Protocol
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)

• Project: Pancake Bunny
  Date: 2021-05-19
  Summary: Minting vulnerability exploited
  Impact: 114,631 BNB ($41.8M), 697,245 BUNNY ($8M); 6.97M BUNNY minted and sold, token price collapsed
  Type: Hack
  References:

  • Official Post Mortem by Pancake Bunny
  • PancakeBunny Incident: Root Cause Analysis by PeckShield
  • BSC attacker address.
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • SlowMist: PancakeBunny Hack Analysis by SlowMist
  • BSC PancakeBunny Exploit Post Mortem by Christoph Michel
  • PancakeBunny - REKT by rekt
  • Knownsec Blockchain Lab｜Binance SmartChain PancakeBunny (BUNNY) Attack Event Analysis by Knownsec Blockchain Lab
  • The PancakeBunny Bunny Performance Fee Minting Incident Analysis by WatchPug
  • Hack Track: Pancake Bunny Hack by Merkle Science
  • Attacker donates to Rekt by rekt

• Project: Bogged Finance
  Date: 2021-05-22
  Summary: Minting vulnerability Impact: $3.6M Type: Hack
  References:

  • BOG Flash Loan Attack: What Happened, and what’s next — Token Migration by Bogged Finance
  • Bogged Finance Incident: Root Cause Analysis by PeckShield
  • Bogged Finance Hack by Origin Protocol

• Project: AutoShark Finance
  Date: 2021-05-24
  Summary: Minting vulnerability exploited
  Impact: $750K (2.2K WBNB) Type: Hack
  References:

  • Autoshark Performance Fee Minting Incident Analysis by WatchPug
  • How AutoShark got economically exploited by AutoShark
  • AutoShark - REKT by rekt

• Project: Merlin
  Date: 2021-05-26
  Summary: Minting vulnerability exploited
  Impact: $680K
  Type: Hack
  References:

  • Our Road Ahead by Merlin Lab
  • Merlin Lab Enhanced Security Measures by Merlin Lab
  • Merlin Labs - REKT by rekt
  • Exploit Analysis by Peckshield

• Project: Merlin
  Date: 2021-05-26
  Summary: Price calculation error
  Impact: $540K
  Type: Hack
  References:

  • Our Road Ahead by Merlin Lab
  • Merlin Labs - REKT 2 by rekt

• Project: BurgerSwap
  Date: 2021-05-27
  Summary: Reentry vulnerability
  Impact: $7.2M
  Type: Hack
  References:

  • BurgerSwap - REKT by rekt
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by Hayden Adams (@haydenzadams)
  • Exploit Analysis by PeckShield

• Project: Wild Credit
  Date: 2021-05-27
  Summary: Contract reinitialized
  Impact: $700K
  Type: Hack
  References:

  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by Anish Agnihortri (@_anishagnihotri)

• Project: JulSwap
  Date: 2021-05-27
  Summary: Price manipulation using flashloans
  Impact: $700K
  Type: Hack
  References:

  • Flash Loan Farming / JULb / BNB by JustLiquidity (JulSwap)
  • JulSwap V2 Upgrading Its Oracle Mechanism to Chainlink by JustLiquidity (JulSwap)
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by PeckShield
  • Exploit Analysis by WatchPug

• Project: Belt Finance
  Date: 2021-05-29
  Summary: Price manipulation using flashloans
  Impact: $6.2M
  Type: Hack
  References:

  • May 29 Incident Report by Belt Finance
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • Exploit Analysis by PeckShield
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by Christoph Michel (@cmichelio)
  • Belt Finance Attack Event Analysis by Knownsec Blockchain Lab
  • Belt - REKT by rekt