Avalanche — hacks & exploits

A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.

DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.

~$55M drained from BtcTurk's hot wallets, with Binance freezing roughly $5.3M of the stolen funds mid-flight — Turkey's largest exchange compromise to date.

~$2.2M drained from Platypus Finance in a cluster of October exploits hitting the Avalanche stableswap via flawed solvency/withdrawal logic.

$2.9M drained from Stars Arena, an Avalanche friend.tech-style SocialFi app, via a share-price/withdrawal logic flaw at the peak of the SocialFi hype.

$1.14M drained from Steadefi on Arbitrum and Avalanche after a deployer private-key compromise let the attacker seize ownership of leveraged vaults.

$8.5M drained from Platypus on Avalanche via a flash-loan exploit of emergencyWithdraw(), which let attackers pull staked collateral pre-repayment.

An owner-key compromise added a fake collateral token to Defrost Finance on Avalanche, liquidating all positions for ~$12M. Most funds were returned to users.

A routine upgrade marked the zero hash as a valid root, turning every Nomad message into a withdrawal anyone could copy-paste.

Avalanche memecoin SDOG lost $18M to insiders who knew the 'challengeKey' needed to trade on its DEX during the buyback, draining it before retail could react.

Vee Finance on Avalanche lost $35M a week after launch when Pangolin price manipulation bypassed a slippage check with a decimals bug SlowMist had pre-flagged.