Clober DEX Rebalancer Reentrancy
A reentrancy in Clober DEX's Rebalancer withdraw path on Base let an attacker re-enter before LP accounting settled, draining $500K in excess liquidity.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
~$27M drained from Penpie after a reentrancy gap in Pendle's plugin integration let the attacker register a malicious market and pull pegged rewards in one tx.
Attacker extracted $6.4M from Astroport on Terra via an IBC-hooks reentrancy patched in April, then reintroduced in a June upgrade. ASTRO fell 60%.
An attacker exploited rate-provider read-only reentrancy in Balancer boosted pools after a disclosure, draining ~$2.1M before users could fully exit liquidity.
EraLend on zkSync Era lost $3.4M to a read-only reentrancy: the attacker manipulated the USDC oracle price mid-callback during a SyncSwap pool operation.
Conic Finance's ETH Omnipool had reentrancy guards but assumed Curve v2 used a specific ETH address. A new CurveLPOracleV2 slipped past it, draining $3.2M.
$800K drained from Sturdy Finance via a Balancer read-only reentrancy that mispriced B-stETH-STABLE LP collateral. Funds returned after negotiation.
Curve read-only reentrancy on remove_liquidity drained $3.65M from dForce's wstETH/ETH pool on Arbitrum and Optimism. White hat returned all funds.
$3M drained from Orion on Ethereum and BSC after doSwapThroughOrionPool accepted unvalidated paths with no reentrancy guard; a fake token inflated balances.
Midas Capital on Polygon lost $660K to a Curve read-only reentrancy that mispriced jBRL/BRZ LP collateral, letting the attacker borrow against inflated value.
Reentrancy on exitMarket(), a function the team forgot to protect when patching reentrancy the prior month, drained $80M from Rari Capital's Fuse lending pools.
Voltage Finance's Fuse lending market lost $4M when ERC-677 tokens' transferAndCall hook enabled a reentrancy into the borrow function before debt was recorded.
$2M drained from Revest Finance via a reentrancy in mintAddressLock/depositAdditionalToFNFT that let the attacker mint over-valued NFTs and redeem them.
A joint cross-function reentrancy exploit drained ~$11M from Agave and Hundred Finance on Gnosis Chain via wETH/wXDAI's ERC-677-style transfer callback.
~$1.7M drained from Paraluni on BNB Chain after the deposit function accepted an unvalidated token with no reentrancy guard, letting a fake token re-enter.
Visor Finance's staking contract lost $8.2M to a reentrancy in the delegateTransferERC20 path. VISR fell 95% same-day; Visor migrated to a new token.
Grim Finance vaults on Fantom lost $30M to a 5-loop reentrancy in depositFor that faked extra deposits mid-call. TVL collapsed from $98.9M to $4.2M.
$18.8M drained from Cream Finance v1 lending markets via a reentrancy bug in the AMP token's ERC-777 transfer hook — the second of Cream's three 2021 exploits.
BurgerSwap on BNB Chain didn't validate swap-path tokens, letting a fake token's transfer callback re-enter the pool mid-swap and drain $7.2M in reserves.
2,600 ETH ($10M, 60% of the pool) drained from Rari's Ethereum Pool after its Alpha Finance ibETH integration allowed arbitrary external calls that enabled reentrancy.
$7.7M drained from the OUSD stablecoin vault two months after launch via a fake-stablecoin reentrancy bug introduced when a gas-saving refactor dropped a check.
A fake ERC-20 with a reentrant transferFrom let an attacker re-enter Akropolis's deposit flow and mint $2M in pool shares without delivering real collateral.
The DAO lost 3.6M ETH ($50M) to the textbook reentrancy bug, the heist that split Ethereum into ETH and Ethereum Classic and rewrote smart-contract development.