Hyperbridge MMR Proof Bypass
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
UXLINK, a Web3 social protocol, lost roughly $41M after attackers compromised the project's multi-sig keys and exploited an unrestricted delegatecall path.
A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.
Reentrancy-adjacent flaw in GMX v1's GLP pricing logic let an attacker drain ~$42M, most returned within days in exchange for a white-hat bounty.
Attacker drained $13M (6,260 ETH) from Abracadabra's GM Cauldrons by engineering a failing GMX deposit, self-liquidating, then reborrowing the collateral.
Moby Trade, an Arbitrum options protocol, lost ~$1M after a privileged key was compromised and used to rig option settlement. SEAL white-hats limited damage.
$53M drained from a 3-of-11 Radiant multi-sig after macOS malware hit three signers; the Safe UI showed clean txs while hardware wallets signed upgrades.
DeltaPrime lost $6M on Arbitrum after a single private key was extracted; the team ran multi-sig on Avalanche but not Arbitrum. ZachXBT linked it to Lazarus.
$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.
$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.
Hedgey Finance vesting lost $44.7M when missing parameter validation let the attacker craft campaigns whose claimLockup callback approved arbitrary transfers.
WOOFi Swap on Arbitrum lost $8.75M after the attacker realised WOO's Chainlink oracle was never configured and the sPMM accepted any manipulated price.
$6.4M drained from Seneca users via unlimited approvals to its Chamber contract, which had no pause function. Attacker returned 80% for a 20% bounty.
Orange Finance on Arbitrum lost ~$844K after its admin key was compromised, used to alter strategy contracts and withdraw managed Uniswap v3 positions.
Gamma Strategies on Arbitrum lost $6.1M after a weak deposit-proxy price check let a flash-loan attacker deposit at a skewed ratio and withdraw outsized value.
$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.
$1.14M drained from Steadefi on Arbitrum and Avalanche after a deployer private-key compromise let the attacker seize ownership of leveraged vaults.
$7.5M extracted from Jimbo's Protocol on Arbitrum after a slippage-control failure in JimboController.shift() let a flash loan drain the floor-defense ETH.
$3M rug-pulled from Swaprum on Arbitrum, an Arbiswap fork whose audited contracts hid an upgradeable proxy with a backdoor add() function.
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.
Hope Finance lost $1.86M at its Arbitrum launch after the deployed contract differed from the audited one; funds went straight to Tornado Cash.
Dexible users lost $2M after selfSwap made arbitrary external calls with user-supplied data, letting the attacker transferFrom any wallet that had approved it.
Curve read-only reentrancy on remove_liquidity drained $3.65M from dForce's wstETH/ETH pool on Arbitrum and Optimism. White hat returned all funds.
Lodestar on Arbitrum lost $6.5M after the attacker manipulated the plvGLP oracle, which read the vault's GLP balance directly and did not account for donate(); the ~83%-inflated collateral value let the attacker borrow out the protocol's reserves.
~$1.4M of NFTs stolen from TreasureDAO's marketplace after the buy function failed to check that quantity produced a non-zero price, enabling free buys.
Certik-audited Arbix Finance on Arbitrum minted 10M ARBX to attacker addresses, drained $10M in user deposits, and erased its entire web and social presence.
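The TreasureDAO entry above describes a free-buy class of bug: the marketplace computed the payment as price multiplied by quantity and never checked that a quantity of zero produced a zero payment. The contract below is an added illustration of that class, written for this page; it is not TreasureDAO's code, and the names (ZeroQuantityMarketplace, Listing, buyItem, buyItemChecked) are this example's own. It shows the vulnerable purchase path beside a hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: a minimal fixed-price marketplace that models the
// zero-quantity free-buy described in the TreasureDAO entry. Names and
// layout are assumptions for this example, not the project's contracts.

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ZeroQuantityMarketplace {
    struct Listing {
        uint64 quantity;       // for an ERC-721 listing this is always 1
        uint128 pricePerItem;  // in units of the payment token
    }

    IERC20 public immutable paymentToken;
    // nft => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20 token) {
        paymentToken = token;
    }

    function createListing(address nft, uint256 tokenId, uint64 quantity, uint128 pricePerItem) external {
        require(quantity > 0 && pricePerItem > 0, "bad listing");
        listings[nft][tokenId][msg.sender] = Listing(quantity, pricePerItem);
    }

    // VULNERABLE: quantity == 0 satisfies `l.quantity >= quantity`, the payment
    // becomes pricePerItem * 0 == 0, transferFrom(buyer, seller, 0) succeeds,
    // and the NFT is still handed to the buyer.
    function buyItem(address nft, uint256 tokenId, address seller, uint64 quantity) external {
        Listing storage l = listings[nft][tokenId][seller];
        require(l.quantity >= quantity, "not enough listed");

        uint256 total = uint256(l.pricePerItem) * quantity;               // 0 when quantity == 0
        require(paymentToken.transferFrom(msg.sender, seller, total), "payment failed");
        IERC721(nft).transferFrom(seller, msg.sender, tokenId);            // runs regardless of total

        l.quantity -= quantity;
        if (l.quantity == 0) delete listings[nft][tokenId][seller];
    }

    // HARDENED: reject a zero quantity up front, reject any listing that is
    // no longer for sale, and refuse to proceed on a zero payment. State is
    // updated before the external transfers (checks-effects-interactions).
    function buyItemChecked(address nft, uint256 tokenId, address seller, uint64 quantity) external {
        require(quantity > 0, "zero quantity");
        Listing storage l = listings[nft][tokenId][seller];
        require(l.quantity > 0, "not listed");
        require(l.quantity >= quantity, "not enough listed");

        uint256 total = uint256(l.pricePerItem) * quantity;
        require(total > 0, "zero price");   // defence in depth: no path may yield a free item

        l.quantity -= quantity;
        if (l.quantity == 0) delete listings[nft][tokenId][seller];

        require(paymentToken.transferFrom(msg.sender, seller, total), "payment failed");
        IERC721(nft).transferFrom(seller, msg.sender, tokenId);
    }
}
```

For an ERC-721 listing a stricter check is to require `quantity == 1` rather than merely non-zero; the `total > 0` check is kept separately so that a future change to how the price is derived cannot quietly reopen the free-buy path.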