Hyperbridge MMR Proof Bypass
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
A Venus Protocol user was phished into delegating account control, losing ~$3.7M from their supplied position. Venus contracts were never compromised.
TMXTribe, a staking/rewards protocol, lost ~$1.4M when a distribution accounting flaw let an attacker repeatedly over-claim, draining the reward reserve.
Likely private-key theft gave attackers control of GANA Payment's BSC contract; they manipulated reward rates and drained $3.1M via the unstake function.
GriffinAI, an AI-agent crypto project, lost ~$3M after a bridge/mint flaw let an attacker mint unbacked GAIN tokens and dump them, collapsing the price.
~$2M rug-pulled from New Gold Protocol, a 'gold-backed' BNB Chain yield project whose privileged contract authority drained deposits before the team vanished.
A flaw in Credix Finance's credit-token minting logic on BNB Chain let an attacker mint and redeem against fabricated positions, draining $4.5M from the pool.
$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.
Access-control flaw drained $3.76M from Nervos's Force Bridge on Ethereum and BNB Chain; loot was swapped to ETH and routed via Tornado Cash and FixedFloat.
$2.15M drained from MobiusDAO on BNB Chain after a double 10^18 scaling let the attacker mint 9.73 quadrillion MBU from 0.01 BNB; laundered via Tornado Cash.
$7.5M extracted from KiloEX perps on Base, opBNB and BSC after the MinimalForwarder skipped signature checks; positions opened at $100, closed at $10,000.
~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.
$53M drained from a 3-of-11 Radiant multi-sig after macOS malware hit three signers; the Safe UI showed clean txs while hardware wallets signed upgrades.
DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.
~$20M swept from Indonesia's largest crypto exchange across multiple chains in a coordinated hot-wallet compromise during 2024's run of exchange breaches.
~$220K drained from HYPR Network after a bridge/contract flaw let an attacker extract bridged liquidity — a small but clean bridge failure.
Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.
Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.
A hidden deployer-only withdrawFunds function in DeFiLabs' BNB Chain staking contract drained $1.6M in user deposits before the project vanished completely.
$125M drained from Multichain bridge contracts a month after CEO Zhaojun's arrest; the team had lost MPC key access and evidence pointed to an inside job.
A quietly-passed governance proposal on BNB Chain granted attackers token-spend approval over every Atlantis Loans user wallet, draining $2.5M from depositors.
A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
Level Finance on BNB Chain lost $1.1M because LevelReferralControllerV2 paid out referral rewards without marking the epoch claimed, allowing repeated claims.
SafeMoon lost $8.9M from its WBNB pool after an upgrade left burn() public, letting anyone burn other users' SFM. Burning pool LP pumped SFM, then drained WBNB.
$3M drained from Orion on Ethereum and BSC after doSwapThroughOrionPool accepted unvalidated paths with no reentrancy guard; a fake token inflated balances.
Stolen Ankr developer key let an attacker mint 60 trillion aBNBc, which Helio accepted as collateral to lend out $16M of HAY before Binance froze $3M.
A flawed Merkle proof verification in BSC's native bridge let the attacker forge withdrawals for 2M BNB before validators paused the chain.
Transit Swap users with infinite approvals lost $21M when claimTokens failed to validate which token to call transferFrom on. 70% returned after on-chain talks.
Gym Network on BNB Chain lost $2.1M after a deposit function accepted a referrer signature without validating it, letting the attacker mint huge GYMNET rewards.
Fortress Protocol on BNB Chain lost $3M after the attacker manipulated FTS via a thin oracle and used a governance proposal to set arbitrary collateral factors.
DEUS DAO lost $13.4M after pricing DEI collateral from a Solidly DEI/USDC pool that a flash-loan attacker moved, borrowing out the lending reserves.
~$1.7M drained from Paraluni on BNB Chain after the deposit function accepted an unvalidated token with no reentrancy guard, letting a fake token re-enter.
A private-key compromise drained $10M from Dego Finance across Ethereum and BNB Chain, sweeping liquidity pools and user wallets with active token approvals.
Meter Passport bridge lost $4.4M when its deposit handler trusted a wrapped-token transfer amount that could be set without backing, minting bridged BNB/ETH.
An attacker tricked Qubit's BSC bridge into minting 77,162 qXETH ($185M nominal) without depositing any ETH, borrowing 206,809 BNB ($80M).
Rug pull drained ~$1.75M from 8ight Finance after operators used privileged contract authority to empty pooled deposits, then deleted all presence.
Attacker drained $77.7M across 78 ERC-20 tokens from AscendEX hot wallets on Ethereum, BSC and Polygon, tied to a third-party hardware-level vulnerability.
Single private-key compromise drained $196M from two Bitmart hot wallets on Ethereum and BNB Chain; CEO Sheldon Xia compensated users from reserves.
Phishing email with a malicious Word macro on a dev's machine let Lazarus-linked attackers drain $55M from bZx's Polygon and BSC deployments.
An admin private-key compromise let the attacker withdraw $139M of pooled DEX liquidity from BXH on BSC, one of 2021's largest yet under-remembered losses.
Cross-chain manager contract bug allowed an attacker to swap the keeper public key and withdraw $611M from three chains — eventually returned in full.
$13M+ drained from THORChain across two attacks one week apart, both exploiting fake-deposit flaws in the Bifrost Ethereum bridge weeks into Chaosnet.
Vulnerability in ChainSwap's Ethereum-BSC bridge let an attacker mint arbitrary amounts of 20+ supported tokens; $4M drained, affected tokens crashed 95%+.
Attacker detected a repeated k-value in two BSC signatures, back-calculated Anyswap V3's MPC private key, and drained $7.9M from its cross-chain router pools.
Flaw in Eleven Finance's nerveBUSD vault emergencyBurn/withdraw path let funds be withdrawn without burning shares, draining ~$4.5M on BNB Chain.
~$3.7M drained from Impossible Finance on BNB Chain via a swap-router flaw that let an attacker repeatedly swap against stale reserves in one tx.
Wault Finance on BNB Chain lost ~$1M when a flash-loan manipulation of WUSD/WEX pricing let the attacker mint and redeem at skewed rates, draining reserves.
Flash loans of $385M manipulated one Belt Finance beltBUSD strategy, distorting share-price calculation to extract $6.23M of $50M total vault losses.
BurgerSwap on BNB Chain didn't validate swap-path tokens, letting a fake token's transfer callback re-enter the pool mid-swap and drain $7.2M in reserves.
Multiple 2021 exploits (~$680K+) of Merlin Labs on BNB Chain, a yield optimizer whose strategy and reward pricing were repeatedly manipulated via flash loans.
A flash-loan SHARK/BNB price manipulation inflated AutoShark's minted reward, draining ~$745K on BSC in a near-exact replay of the PancakeBunny pattern.
$45M extracted from PancakeBunny when a $704M flash loan manipulated the BUNNY/BNB oracle and minted ~7M BUNNY from thin air; BUNNY fell 95% in minutes.
Spartan Protocol lost $30M on BSC via a flawed liquidity-share calculation, the first major flash-loan attack on BSC and a turning point for its DeFi sector.
$57.2M extracted from Uranium Finance via a misplaced constant in v2.1 migration contracts (1,000,000 vs 10,000), letting 1 wei swap for 98% of pools.
Flash loan manipulated TRUNK/BUSD and ELEPHANT pricing in Elephant Money's BNB-Chain buy/sell mechanism, letting attacker mint/redeem for ~$22M at skewed rates.
DODO's V2 Crowdpools lost $3.8M after the attacker re-called init() with a fake token; the pools had no re-initialization guard. MEV bots front-ran ~$1.9M.
Flash-loan manipulation of gToken/stkToken pricing in Growth DeFi's yield strategy let an attacker extract ~$1.3M of reserves at skewed rates ('The Big Combo').