Flash Loan Attack

$4.13M extracted from Makina's DUSD/USDC Curve pool via flash-loan oracle manipulation against MachineShareOracle; white-hat talks recovered 89% in a week.

Zunami Protocol lost ~$500K in a second incident, 2 years after its 2023 Curve-pool exploit, again from manipulable price derivation in its stablecoin strategy.

$11M drained from Prisma Finance's Trove migration helper after the attacker bypassed migrate() and called flashloan() directly, later demanding an apology.

Precision/rounding bug in Abracadabra Money's Cauldron debt-accounting let an attacker drain $6.5M (2,740 ETH + 2.2M MIM) by repaying others' debts.

Gamma Strategies on Arbitrum lost $6.1M after a weak deposit-proxy price check let a flash-loan attacker deposit at a skewed ratio and withdraw outsized value.

$2.1M drained from Zunami Protocol after its zETH and UZD stablecoin prices, derived from manipulable Curve pools, were inflated by a flash-loan attacker.

$7.5M extracted from Jimbo's Protocol on Arbitrum after a slippage-control failure in JimboController.shift() let a flash loan drain the floor-defense ETH.

$8.5M drained from Platypus on Avalanche via a flash-loan exploit of emergencyWithdraw(), which let attackers pull staked collateral pre-repayment.

A $1B flash loan bought 67% of Beanstalk governance in one block, long enough to pass a proposal that drained the treasury. Attacker netted $76M of $182M lost.

Flash-loan price manipulation of yUSD let an attacker borrow against $1B in fake collateral and drain $130M from Cream, its third successful exploit of 2021.

$16M drained from DEFI5 and CC10 index pools via a flash-loan exploit of the rebalancing math; the teen attacker mounted a 'code is law' defense in Canada.

$20.7M drained from Popsicle's Sorbetto Fragola pool after flash loans plus share transfers tricked the contract into owing the attacker rewards equal to TVL.

Wault Finance on BNB Chain lost ~$1M when a flash-loan manipulation of WUSD/WEX pricing let the attacker mint and redeem at skewed rates, draining reserves.

Flash loans of $385M manipulated one Belt Finance beltBUSD strategy, distorting share-price calculation to extract $6.23M of $50M total vault losses.

Multiple 2021 exploits (~$680K+) of Merlin Labs on BNB Chain, a yield optimizer whose strategy and reward pricing were repeatedly manipulated via flash loans.

A flash-loan SHARK/BNB price manipulation inflated AutoShark's minted reward, draining ~$745K on BSC in a near-exact replay of the PancakeBunny pattern.

$45M extracted from PancakeBunny when a $704M flash loan manipulated the BUNNY/BNB oracle and minted ~7M BUNNY from thin air; BUNNY fell 95% in minutes.

xToken lost $24M when xSNXa and xBNTa priced from manipulable pools; a flash loan let the attacker mint strategy tokens cheaply and redeem the real underlying.

Spartan Protocol lost $30M on BSC via a flawed liquidity-share calculation, the first major flash-loan attack on BSC and a turning point for its DeFi sector.

Flash loan manipulated TRUNK/BUSD and ELEPHANT pricing in Elephant Money's BNB-Chain buy/sell mechanism, letting attacker mint/redeem for ~$22M at skewed rates.

Flash-loan manipulation of gToken/stkToken pricing in Growth DeFi's yield strategy let an attacker extract ~$1.3M of reserves at skewed rates ('The Big Combo').

A custom 'spell' contract exploited a borrow-share rounding bug to accrue zero shares against real cySUSD debt, draining $37.5M from Alpha Homora and Iron Bank.

Yearn's yDAI vault lost $11M (attacker netted $2.8M) when an 11-tx flash-loan sequence skewed Curve 3pool DAI price, forcing bad cycles. Tether froze $1.7M.

Warp Finance lost $7.8M valuing Uniswap LP-token collateral from manipulable spot reserves; a flash loan inflated LP value and let the attacker over-borrow.

Value DeFi's MultiStables vault lost $7M to a flash-loan manipulation of the Curve 3pool price used by its strategy, an early canonical case of the pattern.

Thirty Curve YPool price-manipulation loops funded by a $50M USDC flash loan extracted $24M from Harvest Finance; the exploit triggered a $570M bank run.

Andre Cronje's unreleased Eminence lost $15M to a flash-loan bonding-curve exploit hours after a teaser drew depositors to the unaudited contract. $8M returned.

The first known flash-loan attack drained ~$954K from bZx twice in four days, using uncollateralised Aave loans to manipulate Uniswap oracle prices.