Polygon — hacks & exploits

A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.

~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.

DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.

~$20M swept from Indonesia's largest crypto exchange across multiple chains in a coordinated hot-wallet compromise during 2024's run of exchange breaches.

$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.

Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.

Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.

A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.

Reporting an absurd WALBT price to BonqDAO's Tellor oracle (cost: 10 TRB, under $1K) minted $120M and collapsed protocol TVL by 99.66% in a single transaction.

Midas Capital on Polygon lost $660K to a Curve read-only reentrancy that mispriced jBRL/BRZ LP collateral, letting the attacker borrow against inflated value.

$8.7M drained from Superfluid after a malicious 'context' passed to its host contract let the attacker spoof the caller and execute privileged streams.

148 Vulcan Forged user wallets lost 4.5M PYR ($140M) after attackers compromised Venly custody holding their private keys. Refunded in full from treasury.

Attacker drained $77.7M across 78 ERC-20 tokens from AscendEX hot wallets on Ethereum, BSC and Polygon, tied to a third-party hardware-level vulnerability.

$31M drained from MonoX's single-token pools after the attacker swapped a token with itself, pumping MONO in the protocol's own oracle until pools emptied.

Phishing email with a malicious Word macro on a dev's machine let Lazarus-linked attackers drain $55M from bZx's Polygon and BSC deployments.

Cross-chain manager contract bug allowed an attacker to swap the keeper public key and withdraw $611M from three chains — eventually returned in full.

~$248K drained from SafeDollar on Polygon via a reward-calculation flaw that emptied SDO/USDC reserves and broke the algorithmic stablecoin's peg.

Attackers compromised the CEO's machine, pulled keys from his MetaMask admin wallet, then minted EASY and drained $80M+ from liquidity pools on Polygon.