GMX GLP Exploit
Reentrancy-adjacent flaw in GMX v1's GLP pricing logic let an attacker drain ~$42M, most returned within days in exchange for a white-hat bounty.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Attacker drained $13M (6,260 ETH) from Abracadabra's GM Cauldrons by engineering a failing GMX deposit, self-liquidating, then reborrowing the collateral.
$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.
$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.
Hedgey Finance vesting lost $44.7M when missing parameter validation let the attacker craft campaigns whose claimLockup callback approved arbitrary transfers.
$6.4M drained from Seneca users via unlimited approvals to its Chamber contract, which had no pause function. Attacker returned 80% for a 20% bounty.
$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.
Dexible users lost $2M after selfSwap made arbitrary external calls with user-supplied data, letting the attacker transferFrom any wallet that had approved it.
~$1.4M of NFTs stolen from TreasureDAO's marketplace after the buy function failed to check that quantity produced a non-zero price, enabling free buys.