HYPR Network Bridge Drain
~$220K drained from HYPR Network after a bridge/contract flaw let an attacker extract bridged liquidity — a small but clean bridge failure.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Levana Protocol on Osmosis lost ~$1.15M after attackers induced chain congestion to lag price feeds, then opened and closed perpetuals at mispriced moments.
OKX DEX aggregator users lost $2.7M after a deprecated proxy-admin key was compromised, upgrading the contract to a malicious version that swept approvals.
Single-operator compromise drained $87M from HECO's cross-chain bridge plus $12M from HTX hot wallets, hitting both Justin Sun platforms in 24 hours.
$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.
$26M drained from Taipei market maker Kronos Research after API keys (not private keys) controlling programmatic withdrawals were stolen; WOO halted trading.
$114M+ swept from Poloniex's Ethereum and Tron hot wallets after private keys were extracted from internal systems; Justin Sun pledged full reimbursement.
$3.3M of R stablecoin minted via a rounding/share-mint bug in Raft's collateral logic, but the attacker botched cash-out, burning ~1,570 ETH. R depegged.
$640K drained from Unibot users via a token-approval bug in the Telegram trading bot's new router contract. Unibot reimbursed affected users.
~$2.2M drained from Platypus Finance in a cluster of October exploits hitting the Avalanche stableswap via flawed solvency/withdrawal logic.
$2.9M drained from Stars Arena, an Avalanche friend.tech-style SocialFi app, via a share-price/withdrawal logic flaw at the peak of the SocialFi hype.
$200M drained from Mixin Network hot wallets after attackers compromised the cloud provider hosting Mixin's centralised database — an infrastructure wake-up.
$2.7M drained from P2P exchange Remitano's hot wallets in USDT, ANK, USDC and ETH via private-key compromise; TTPs consistent with Lazarus.
Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.
Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.
An attacker exploited rate-provider read-only reentrancy in Balancer boosted pools after a disclosure, draining ~$2.1M before users could fully exit liquidity.
Attacker passed a fake market and forged permit to Exactly Protocol's DebtManager on Optimism; leverage() validated neither, draining $7.3M from 117 accounts.
~$1.3M at risk from abandoned Swerve Finance, a dormant Curve fork whose low-participation governance let an attacker pass a proposal to seize funds.
~$2.6M of ETH stuck or at-risk on the Shibarium bridge at launch after a misconfigured contract and traffic overload left funds inaccessible.
$869K drained from RocketSwap on Base after a server breach yielded both the encrypted private keys and the automation script's decryption logic.
$2.1M drained from Zunami Protocol after its zETH and UZD stablecoin prices, derived from manipulable Curve pools, were inflated by a flash-loan attacker.
$1.14M drained from Steadefi on Arbitrum and Avalanche after a deployer private-key compromise let the attacker seize ownership of leveraged vaults.
The BALD memecoin developer pulled liquidity from Coinbase's Base testnet, netting $5.9M in dev profit and $23M in investor losses while denying any rug pull.
A malformed reentrancy lock in three versions of the Vyper compiler exposed multiple Curve stablepools to a classic reentrancy attack.
A hidden deployer-only withdrawFunds function in DeFiLabs' BNB Chain staking contract drained $1.6M in user deposits before the project vanished completely.
EraLend on zkSync Era lost $3.4M to a read-only reentrancy: the attacker manipulated the USDC oracle price mid-callback during a SyncSwap pool operation.
A private-key compromise drained $60M from AlphaPo's hot wallets across Tron, Bitcoin and Ethereum. The FBI attributed the payment-processor breach to Lazarus.
Conic Finance's ETH Omnipool had reentrancy guards but assumed Curve v2 used a specific ETH address. A new CurveLPOracleV2 slipped past it, draining $3.2M.
$125M drained from Multichain bridge contracts a month after CEO Zhaojun's arrest; the team had lost MPC key access and evidence pointed to an inside job.
Kannagi Finance, a zkSync Era yield farm, rug-pulled $2.1M after its closed-source upgradeable staking contract was swapped to a malicious implementation.
A quietly-passed governance proposal on BNB Chain granted attackers token-spend approval over every Atlantis Loans user wallet, draining $2.5M from depositors.
$800K drained from Sturdy Finance via a Balancer read-only reentrancy that mispriced B-stETH-STABLE LP collateral. Funds returned after negotiation.
A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.
$7.5M extracted from Jimbo's Protocol on Arbitrum after a slippage-control failure in JimboController.shift() let a flash loan drain the floor-defense ETH.
Tornado Cash DAO was hijacked after an attacker selfdestructed a passed proposal and redeployed malicious code at the same address, seizing 1.2M votes vs ~70K.
$3M rug-pulled from Swaprum on Arbitrum, an Arbiswap fork whose audited contracts hid an upgradeable proxy with a backdoor add() function.
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
Level Finance on BNB Chain lost $1.1M because LevelReferralControllerV2 paid out referral rewards without marking the epoch claimed, allowing repeated claims.
Merlin DEX on zkSync lost $1.82M hours after launch when a back-doored owner role let insiders pull liquidity. CertiK's audit flagged the centralization risk.
Hundred Finance on Optimism lost $7M to a donation-attack variant: a rounding bug in the Compound v2 fork's exchange-rate code let tiny hWBTC drain the pool.
A single signing-key compromise swept $23M in ETH, QNT, GALA, SHIB, HOT and MATIC from Bitrue's hot wallet, under 5% of exchange balances, before any pause.
A misconfigured legacy Yearn iEarn contract pointing at the wrong Fulcrum token minted 1.2Q yUSDT and drained $11M from Aave v1 before anyone noticed.
A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.
SafeMoon lost $8.9M from its WBNB pool after an upgrade left burn() public, letting anyone burn other users' SFM. Burning pool LP pumped SFM, then drained WBNB.
Kokomo Finance, an Optimism Compound fork, rug-pulled $4M by pausing cBTC, pointing rewards at a malicious implementation, draining WBTC and deleting socials.
A missing health check on Euler's donateToReserves function let an attacker create a self-liquidatable position and walk away with $197M — most of it returned.
Hedera Hashgraph pools lost ~$515K to a Smart Contract Service decompiler bug that let an attacker pull HTS tokens from accounts. Hedera paused the network.
Hope Finance lost $1.86M at its Arbitrum launch after the deployed contract differed from the audited one; funds went straight to Tornado Cash.
Dexible users lost $2M after selfSwap made arbitrary external calls with user-supplied data, letting the attacker transferFrom any wallet that had approved it.
$8.5M drained from Platypus on Avalanche via a flash-loan exploit of emergencyWithdraw(), which let attackers pull staked collateral pre-repayment.
Curve read-only reentrancy on remove_liquidity drained $3.65M from dForce's wstETH/ETH pool on Arbitrum and Optimism. White hat returned all funds.
$3M drained from Orion on Ethereum and BSC after doSwapThroughOrionPool accepted unvalidated paths with no reentrancy guard; a fake token inflated balances.
Reporting an absurd WALBT price to BonqDAO's Tellor oracle (cost: 10 TRB, under $1K) minted $120M and collapsed protocol TVL by 99.66% in a single transaction.
Midas Capital on Polygon lost $660K to a Curve read-only reentrancy that mispriced jBRL/BRZ LP collateral, letting the attacker borrow against inflated value.