Flash Loan Attack attacks on Ethereum

$4.13M extracted from Makina's DUSD/USDC Curve pool via flash-loan oracle manipulation against MachineShareOracle; white-hat talks recovered 89% in a week.

Zunami Protocol lost ~$500K in a second incident, 2 years after its 2023 Curve-pool exploit, again from manipulable price derivation in its stablecoin strategy.

$11M drained from Prisma Finance's Trove migration helper after the attacker bypassed migrate() and called flashloan() directly, later demanding an apology.

Precision/rounding bug in Abracadabra Money's Cauldron debt-accounting let an attacker drain $6.5M (2,740 ETH + 2.2M MIM) by repaying others' debts.

$2.1M drained from Zunami Protocol after its zETH and UZD stablecoin prices, derived from manipulable Curve pools, were inflated by a flash-loan attacker.

A $1B flash loan bought 67% of Beanstalk governance in one block, long enough to pass a proposal that drained the treasury. Attacker netted $76M of $182M lost.

Flash-loan price manipulation of yUSD let an attacker borrow against $1B in fake collateral and drain $130M from Cream, its third successful exploit of 2021.

$16M drained from DEFI5 and CC10 index pools via a flash-loan exploit of the rebalancing math; the teen attacker mounted a 'code is law' defense in Canada.

$20.7M drained from Popsicle's Sorbetto Fragola pool after flash loans plus share transfers tricked the contract into owing the attacker rewards equal to TVL.

xToken lost $24M when xSNXa and xBNTa priced from manipulable pools; a flash loan let the attacker mint strategy tokens cheaply and redeem the real underlying.

Flash-loan manipulation of gToken/stkToken pricing in Growth DeFi's yield strategy let an attacker extract ~$1.3M of reserves at skewed rates ('The Big Combo').

A custom 'spell' contract exploited a borrow-share rounding bug to accrue zero shares against real cySUSD debt, draining $37.5M from Alpha Homora and Iron Bank.

Yearn's yDAI vault lost $11M (attacker netted $2.8M) when an 11-tx flash-loan sequence skewed Curve 3pool DAI price, forcing bad cycles. Tether froze $1.7M.

Warp Finance lost $7.8M valuing Uniswap LP-token collateral from manipulable spot reserves; a flash loan inflated LP value and let the attacker over-borrow.

Value DeFi's MultiStables vault lost $7M to a flash-loan manipulation of the Curve 3pool price used by its strategy, an early canonical case of the pattern.

Thirty Curve YPool price-manipulation loops funded by a $50M USDC flash loan extracted $24M from Harvest Finance; the exploit triggered a $570M bank run.

Andre Cronje's unreleased Eminence lost $15M to a flash-loan bonding-curve exploit hours after a teaser drew depositors to the unaudited contract. $8M returned.

The first known flash-loan attack drained ~$954K from bZx twice in four days, using uncollateralised Aave loans to manipulate Uniswap oracle prices.