Bybit Heist
Malicious JavaScript injected into Safe{Wallet}'s signing UI drained 401,000 ETH ($1.46B) from a Bybit cold-wallet transfer, the largest crypto theft ever.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
WazirX lost $234.9M from a 4-of-6 Gnosis Safe at custodian Liminal when attackers exploited a mismatch between the Liminal UI and the calldata signers approved.
Attackers hijacked curve.fi's DNS via its domain registrar and served a wallet-drainer frontend, stealing ~$575K from users while the contracts were untouched.
Compromised Cloudflare API key let attackers inject malicious approvals into BadgerDAO's frontend for two weeks, draining $120M from users' wallets.