2020The year in breaches

A Solidity storage/memory bug in Cover's Blacksmith contract minted 40 quintillion COVER, crashing price from $700 to under $5. A white-hat returned all funds.

Warp Finance lost $7.8M valuing Uniswap LP-token collateral from manipulable spot reserves; a flash loan inflated LP value and let the attacker over-borrow.

Compounder Finance team pushed a malicious strategy-contract upgrade that swapped pool logic for a drain function, rug-pulling $12M of user deposits.

Compound liquidated $89M in over-collateralised positions after DAI briefly traded at $1.30 on Coinbase Pro, the oracle's sole price source. No hack needed.

$19.76M DAI drained from Pickle Finance after the attacker created two fake 'Jar' contracts and exploited a missing whitelist check in swapExactJarForJar.

$7.7M drained from the OUSD stablecoin vault two months after launch via a fake-stablecoin reentrancy bug introduced when a gas-saving refactor dropped a check.

Value DeFi's MultiStables vault lost $7M to a flash-loan manipulation of the Curve 3pool price used by its strategy, an early canonical case of the pattern.

A fake ERC-20 with a reentrant transferFrom let an attacker re-enter Akropolis's deposit flow and mint $2M in pool shares without delivering real collateral.

Thirty Curve YPool price-manipulation loops funded by a $50M USDC flash loan extracted $24M from Harvest Finance; the exploit triggered a $570M bank run.

Andre Cronje's unreleased Eminence lost $15M to a flash-loan bonding-curve exploit hours after a teaser drew depositors to the unaudited contract. $8M returned.

$281M drained from KuCoin hot wallets across BTC, ETH and ERC-20s — the third-largest exchange hack ever, a Lazarus operation; ~84% later recovered.

The first known flash-loan attack drained ~$954K from bZx twice in four days, using uncollateralised Aave loans to manipulate Uniswap oracle prices.