BNB Chain hacks in 2021

Rug pull drained ~$1.75M from 8ight Finance after operators used privileged contract authority to empty pooled deposits, then deleted all presence.

Attacker drained $77.7M across 78 ERC-20 tokens from AscendEX hot wallets on Ethereum, BSC and Polygon, tied to a third-party hardware-level vulnerability.

Single private-key compromise drained $196M from two Bitmart hot wallets on Ethereum and BNB Chain; CEO Sheldon Xia compensated users from reserves.

Phishing email with a malicious Word macro on a dev's machine let Lazarus-linked attackers drain $55M from bZx's Polygon and BSC deployments.

An admin private-key compromise let the attacker withdraw $139M of pooled DEX liquidity from BXH on BSC, one of 2021's largest yet under-remembered losses.

Cross-chain manager contract bug allowed an attacker to swap the keeper public key and withdraw $611M from three chains — eventually returned in full.

$13M+ drained from THORChain across two attacks one week apart, both exploiting fake-deposit flaws in the Bifrost Ethereum bridge weeks into Chaosnet.

Vulnerability in ChainSwap's Ethereum-BSC bridge let an attacker mint arbitrary amounts of 20+ supported tokens; $4M drained, affected tokens crashed 95%+.

Attacker detected a repeated k-value in two BSC signatures, back-calculated Anyswap V3's MPC private key, and drained $7.9M from its cross-chain router pools.

Flaw in Eleven Finance's nerveBUSD vault emergencyBurn/withdraw path let funds be withdrawn without burning shares, draining ~$4.5M on BNB Chain.

~$3.7M drained from Impossible Finance on BNB Chain via a swap-router flaw that let an attacker repeatedly swap against stale reserves in one tx.

Wault Finance on BNB Chain lost ~$1M when a flash-loan manipulation of WUSD/WEX pricing let the attacker mint and redeem at skewed rates, draining reserves.

Flash loans of $385M manipulated one Belt Finance beltBUSD strategy, distorting share-price calculation to extract $6.23M of $50M total vault losses.

BurgerSwap on BNB Chain didn't validate swap-path tokens, letting a fake token's transfer callback re-enter the pool mid-swap and drain $7.2M in reserves.

Multiple 2021 exploits (~$680K+) of Merlin Labs on BNB Chain, a yield optimizer whose strategy and reward pricing were repeatedly manipulated via flash loans.

A flash-loan SHARK/BNB price manipulation inflated AutoShark's minted reward, draining ~$745K on BSC in a near-exact replay of the PancakeBunny pattern.

$45M extracted from PancakeBunny when a $704M flash loan manipulated the BUNNY/BNB oracle and minted ~7M BUNNY from thin air; BUNNY fell 95% in minutes.

Spartan Protocol lost $30M on BSC via a flawed liquidity-share calculation, the first major flash-loan attack on BSC and a turning point for its DeFi sector.

$57.2M extracted from Uranium Finance via a misplaced constant in v2.1 migration contracts (1,000,000 vs 10,000), letting 1 wei swap for 98% of pools.

Flash loan manipulated TRUNK/BUSD and ELEPHANT pricing in Elephant Money's BNB-Chain buy/sell mechanism, letting attacker mint/redeem for ~$22M at skewed rates.

DODO's V2 Crowdpools lost $3.8M after the attacker re-called init() with a fake token; the pools had no re-initialization guard. MEV bots front-ran ~$1.9M.

Flash-loan manipulation of gToken/stkToken pricing in Growth DeFi's yield strategy let an attacker extract ~$1.3M of reserves at skewed rates ('The Big Combo').