Bent Finance Reward Accounting Bug
A reward-distribution accounting flaw in Bent Finance let one address claim ~$1.7M in rewards far beyond its entitlement before the bug was caught and paused.
$31M drained from MonoX's single-token pools after the attacker swapped a token with itself, pumping MONO in the protocol's own oracle until pools emptied.
$90M drained from Terra-based Mirror Protocol via duplicate-ID collateral unlocks; the loss went unnoticed for seven months until Terra's collapse exposed it.
A bug in Compound's Proposal 62 governance upgrade paid out up to $147M of unintended COMP rewards. Most was returned voluntarily; a portion was kept by users.
An unprotected init() function in DAO Maker's vesting contracts let an attacker seize ownership and call emergencyExit, draining $4M across multiple user pools.
A cross-chain manager contract bug allowed an attacker to swap the keeper public key and withdraw $611M from three chains — eventually returned in full.
$9M drained from Punk Protocol minutes after launch via a delegatecall to Initialize setting the attacker as forge address; $5M recovered by white-hats.
~$248K drained from SafeDollar on Polygon via a reward-calculation flaw that emptied SDO/USDC reserves and broke the algorithmic stablecoin's peg.
A flaw in Eleven Finance's nerveBUSD vault emergencyBurn/withdraw path let funds be withdrawn without burning shares, draining ~$4.5M on BNB Chain.
~$3.7M drained from Impossible Finance on BNB Chain via a swap-router flaw that let an attacker repeatedly swap against stale reserves in one tx.
A deployment script bug created phantom Alchemix vaults that misdirected $6.5M in rewards to pay off users' debts. The team froze minting within 15 minutes.
$57.2M extracted from Uranium Finance via a misplaced constant in v2.1 migration contracts (1,000,000 vs 10,000), letting 1 wei swap for 98% of pools.
DODO's V2 Crowdpools lost $3.8M after the attacker re-called init() with a fake token; the pools had no re-initialization guard. MEV bots front-ran ~$1.9M.
Furucombo users lost $14M after the attacker tricked the proxy into delegatecalling a malicious 'Aave v2 implementation' that swept every approved balance.
Saddle Finance lost ~$276K within an hour of launch when a flawed stableswap let arbitrageurs swap at badly mispriced rates, draining LP value day one.