LastPass Vault Crypto Drain
A breach of LastPass encrypted vault backups led to a multi-year drain of victims storing seed phrases there; losses grew from $35M to over $400M.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
SIM-swap operation drained $477M from FTX wallets within hours of the Chapter 11 filing, exploiting the chaos of crypto's biggest collapse since Mt. Gox.
Attacker drained $28M from Deribit BTC/ETH/USDC hot wallets; the largest crypto-options exchange covered it from its balance sheet, cold storage untouched.
Team Finance lost $15.8M in a Uniswap v2-to-v3 migration: locked tokens moved to a skewed v3 pair and refunded as 'leftover' for $2,700 in gas. $7M returned.
$2.3M drained from TempleDAO's StaxLPStaking after migrateStake() failed to validate the caller, letting anyone migrate another staker's full position.
Transit Swap users with infinite approvals lost $21M when claimTokens failed to validate which token to call transferFrom on. 70% returned after on-chain talks.
Wintermute lost $160M from a hot wallet whose Profanity-generated vanity address used a 32-bit PRNG seed that let any 'random' key be brute-forced. They knew.
Attackers hijacked curve.fi's DNS via its domain registrar and served a wallet-drainer frontend, stealing ~$575K from users while the contracts were untouched.
A routine upgrade marked the zero hash as a valid root, turning every Nomad message into a withdrawal anyone could copy-paste.
An attacker exploited an Audius contract-initializer flaw to self-delegate 10 trillion AUDIO and pass a malicious proposal that drained $6M from the treasury.
Lazarus compromised two of five operator multi-sig keys on Harmony's cross-chain bridge and drained $100M; the 2-of-5 quorum was below its risk profile.
Reentrancy on exitMarket() drained $80M from Rari Capital's Fuse lending pools, a function the team forgot to protect when patching reentrancy the prior month.
Saddle's sUSDv2 metapool lost $11.9M when a known MetaSwapUtils bug was redeployed by mistake; BlockSec's bots front-ran $3.97M to safety, cutting the net loss.
A $1B flash loan bought 67% of Beanstalk governance in one block, long enough to pass a proposal that drained the treasury. Attacker netted $76M of $182M lost.
$15.6M drained from Inverse Finance by manipulating its Keep3r INV/ETH oracle via a private mempool bundle, bypassing TWAP in a single invisible block.
$2M drained from Revest Finance via a reentrancy in mintAddressLock/depositAdditionalToFNFT that let the attacker mint over-valued NFTs and redeem them.
Validator private-key compromise drained 173,600 ETH and 25.5M USDC from the Ronin bridge — the largest crypto hack at the time.
A private-key compromise drained $10M from Dego Finance across Ethereum and BNB Chain, sweeping liquidity pools and user wallets with active token approvals.
A signature-verification bypass on Wormhole's Solana side let the attacker mint 120,000 wETH out of thin air — backed by no Ethereum collateral.
An attacker tricked Qubit's BSC bridge into minting 77,162 qXETH ($185M nominal) without depositing any ETH, borrowing 206,809 BNB ($80M).
2FA-bypass exploit drained $34M from 483 Crypto.com accounts; attackers authorised transactions without the second factor ever prompting the user.