Bent Finance Reward Accounting Bug
A reward-distribution accounting flaw in Bent Finance let one address claim ~$1.7M in rewards far beyond its entitlement before the bug was caught and paused.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Visor Finance's staking contract lost $8.2M to a reentrancy in the delegateTransferERC20 path. VISR fell 95% same-day; Visor migrated to a new token.
148 Vulcan Forged user wallets lost 4.5M PYR ($140M) after attackers compromised Venly custody holding their private keys. Refunded in full from treasury.
Attacker drained $77.7M across 78 ERC-20 tokens from AscendEX hot wallets on Ethereum, BSC and Polygon, tied to a third-party hardware-level vulnerability.
Single private-key compromise drained $196M from two Bitmart hot wallets on Ethereum and BNB Chain; CEO Sheldon Xia compensated users from reserves.
Compromised Cloudflare API key let attackers inject malicious approvals into BadgerDAO's frontend for two weeks, draining $120M from users' wallets.
$31M drained from MonoX's single-token pools after the attacker swapped a token with itself, pumping MONO in the protocol's own oracle until pools emptied.
Flash-loan price manipulation of yUSD let an attacker borrow against $1B in fake collateral and drain $130M from Cream, its third successful exploit of 2021.
$16M drained from DEFI5 and CC10 index pools via a flash-loan exploit of the rebalancing math; the teen attacker mounted a 'code is law' defense in Canada.
A bug in Compound's Proposal 62 governance upgrade paid out up to $147M of unintended COMP rewards. Most was returned voluntarily; a portion was kept by users.
JayPegs Automart, an Ethereum NFT 'automated trading' scheme, exit-scammed users for ~$3.1M when operators drained deposits and vanished during the NFT mania.
An unprotected init() function in DAO Maker's vesting contracts let an attacker seize ownership and call emergencyExit, draining $4M across multiple user pools.
$18.8M drained from Cream Finance v1 lending markets via a reentrancy bug in the AMP token's ERC-777 transfer hook — the second of Cream's three 2021 exploits.
~$97M drained from Japan-based Liquid Global's warm wallets across ETH, XRP, BTC and stablecoins; FTX extended a $120M emergency loan, then acquired it.
Cross-chain manager contract bug allowed an attacker to swap the keeper public key and withdraw $611M from three chains — eventually returned in full.
$9M drained from Punk Protocol minutes after launch via a delegatecall to Initialize setting the attacker as forge address; $5M recovered by white-hats.
$20.7M drained from Popsicle's Sorbetto Fragola pool after flash loans plus share transfers tricked the contract into owing the attacker rewards equal to TVL.
$13M+ drained from THORChain across two attacks one week apart, both exploiting fake-deposit flaws in the Bifrost Ethereum bridge weeks into Chaosnet.
Compromised deployer key let an attacker mint ~373M BONDLY (~$5.9M) and dump into liquidity, collapsing the token before the team migrated contracts.
Vulnerability in ChainSwap's Ethereum-BSC bridge let an attacker mint arbitrary amounts of 20+ supported tokens; $4M drained, affected tokens crashed 95%+.
Attacker detected a repeated k-value in two BSC signatures, back-calculated Anyswap V3's MPC private key, and drained $7.9M from its cross-chain router pools.
A deployment script bug created phantom Alchemix vaults that misdirected $6.5M in rewards to pay off users' debts. The team froze minting within 15 minutes.
xToken lost $24M when xSNXa and xBNTa priced from manipulable pools; a flash loan let the attacker mint strategy tokens cheaply and redeem the real underlying.
2,600 ETH ($10M, 60% of pool) drained from Rari's Ethereum Pool after its Alpha Finance ibETH integration allowed arbitrary external calls enabling reentrancy.
Attackers compromised the CEO's machine, pulled keys from his MetaMask admin wallet, then minted EASY and drained $80M+ from liquidity pools on Polygon.
$5.7M drained from Roll's hot wallet, collapsing dozens of independent 'social money' creator tokens at once via a single private-key compromise.
DODO's V2 Crowdpools lost $3.8M after the attacker re-called init() with a fake token; the pools had no re-initialization guard. MEV bots front-ran ~$1.9M.
PAID Network had $27M+ minted after a compromised deployer key re-minted ~59M PAID; the attacker dumped ~2.5M for $3M before the team paused. PAID fell ~85%.
Furucombo users lost $14M after the attacker tricked the proxy into delegatecalling a malicious 'Aave v2 implementation' that swept every approved balance.
Flash-loan manipulation of gToken/stkToken pricing in Growth DeFi's yield strategy let an attacker extract ~$1.3M of reserves at skewed rates ('The Big Combo').
A custom 'spell' contract exploited a borrow-share rounding bug to accrue zero shares against real cySUSD debt, draining $37.5M from Alpha Homora and Iron Bank.
Yearn's yDAI vault lost $11M (attacker netted $2.8M) when an 11-tx flash-loan sequence skewed Curve 3pool DAI price, forcing bad cycles. Tether froze $1.7M.
Saddle Finance lost ~$276K within an hour of launch when a flawed stableswap let arbitrageurs swap at badly mispriced rates, draining LP value day one.
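Of the incidents listed above, the Anyswap V3 entry (a repeated k-value in two signatures) is the one whose root cause reduces to a few lines of modular arithmetic, so it is worth seeing worked through. The Python below is an added illustration, not code from Anyswap, the attacker, or this archive: it implements textbook ECDSA over secp256k1 (the curve used for Ethereum and BSC keys), signs two constructed messages with the same nonce under an arbitrary test private key, and recovers that key from the signature pair. The function names, the private key and the nonce are all assumptions made for the example. It also handles low-s normalisation of the kind EIP-2 style chains enforce, which negates s and so has to be tried both ways during recovery.

```python
import hashlib

# secp256k1 domain parameters (the curve behind Ethereum, BSC and Bitcoin keys)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; offline demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p = point_add(p, p)
        k >>= 1
    return acc


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def ecdsa_sign(d, z, k, low_s=True):
    """Textbook ECDSA with a caller-supplied nonce k (the reuse being demonstrated).
    low_s mimics EIP-2 style normalisation: s is replaced by N - s when s > N/2."""
    r = scalar_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if low_s and s > N // 2:
        s = N - s
    return r, s


def recover_key_from_reused_nonce(sig1, z1, sig2, z2):
    """Return the private key d from two signatures sharing r (hence k), or None.
    From s = k^-1 (z + r d):  k = (z1 - z2) / (s1 - s2)  and  d = (s k - z) / r  (mod N).
    Low-s normalisation may have negated either s, so every sign choice is tried and
    each candidate k is checked by recomputing r from it before d is returned."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        return None  # different nonces: no shortcut, key stays safe
    for a in (s1, N - s1):
        for b in (s2, N - s2):
            if (a - b) % N == 0:
                continue  # identical s values give no information
            k = (z1 - z2) * pow((a - b) % N, -1, N) % N
            if k == 0 or scalar_mul(k, G)[0] % N != r1:
                continue  # wrong sign combination, candidate k does not reproduce r
            return (a * k - z1) * pow(r1, -1, N) % N
    return None


def demo():
    """Constructed data: an arbitrary private key and nonce, not any real key."""
    d = 0x1F1F1F1F2E2E2E2E3D3D3D3D4C4C4C4C5B5B5B5B6A6A6A6A797979798888888
    k = 0x0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE
    z1 = msg_hash(b"constructed cross-chain swap request 1")
    z2 = msg_hash(b"constructed cross-chain swap request 2")
    sig1 = ecdsa_sign(d, z1, k)  # same k twice is the whole bug
    sig2 = ecdsa_sign(d, z2, k)
    recovered = recover_key_from_reused_nonce(sig1, z1, sig2, z2)
    return d, recovered


if __name__ == "__main__":
    d, recovered = demo()
    print("shared r detected:", recovered is not None, "| key recovered:", recovered == d)
```

Scanning a signer's history for repeated r values is the cheap detection side of this: r depends only on k, so two signatures with equal r from one key are enough, and the recovery above needs no access to the signer at all.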