Wasabi Protocol Deployer EOA Compromise
Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.
Loss
5.0M
USD
Volume I · The catalog
Since 2009, more than $13.99B has been drained from blockchains and the businesses that touch them. This is the running ledger — citation-first, on-chain verifiable, and updated as we learn more.
Front page · The biggest№ 001
Bybit Heist
Malicious JavaScript injected into Safe{Wallet}'s signing UI drained 401,000 ETH ($1.46B) from a Bybit cold-wallet transfer, the largest crypto theft ever.
Recent filings
All →Volo Sui Admin Key Social Engineering
Volo Protocol's Sui vaults lost $3.5M after social engineering compromised the admin key. The team froze $500K in 30 minutes and blocked a $2.1M WBTC bridge.
Loss3.5MUSDKelpDAO rsETH LayerZero Bridge
$292M unbacked rsETH minted after attackers exploited KelpDAO's 1-of-1 LayerZero DVN setup; the largest DeFi hack of 2026, with TVL falling $13B after.
Loss292.0MUSDRhea Finance Two-Day Margin Drain
Rhea Finance on NEAR lost $18.4M after a two-day setup of fake tokens, 423 wallets and 8 Ref pools exploited a slippage-summing flaw in margin trading.
Loss18.4MUSDHyperbridge MMR Proof Bypass
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
Loss2.5MUSDDrift Protocol Durable-Nonce Hijack
DPRK social-engineers tricked Drift Security Council members into blind-signing durable-nonce txs that handed over admin control, draining $285M on Solana.
Loss285.0MUSD