KyberSwap Elastic Precision Bug
$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
$3.3M of R stablecoin minted via a rounding/share-mint bug in Raft's collateral logic, but the attacker botched cash-out, burning ~1,570 ETH. R depegged.
$640K drained from Unibot users via a token-approval bug in the Telegram trading bot's new router contract. Unibot reimbursed affected users.
~$2.2M drained from Platypus Finance in a cluster of October exploits hitting the Avalanche stableswap via flawed solvency/withdrawal logic.
$2.9M drained from Stars Arena, an Avalanche friend.tech-style SocialFi app, via a share-price/withdrawal logic flaw at the peak of the SocialFi hype.
Attacker passed a fake market and forged permit to Exactly Protocol's DebtManager on Optimism; leverage() validated neither, draining $7.3M from 117 accounts.
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
Level Finance on BNB Chain lost $1.1M because LevelReferralControllerV2 paid out referral rewards without marking the epoch claimed, allowing repeated claims.
Hundred Finance on Optimism lost $7M to a donation-attack variant: a rounding bug in the Compound v2 fork's exchange-rate code let tiny hWBTC drain the pool.
A misconfigured legacy Yearn iEarn contract pointing at the wrong Fulcrum token minted 1.2Q yUSDT and drained $11M from Aave v1 before anyone noticed.
A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.
SafeMoon lost $8.9M from its WBNB pool after an upgrade left burn() public, letting anyone burn other users' SFM. Burning pool LP pumped SFM, then drained WBNB.
A missing health check on Euler's donateToReserves function let an attacker create a self-liquidatable position and walk away with $197M — most of it returned.
Hedera Hashgraph pools lost ~$515K to a Smart Contract Service decompiler bug that let an attacker pull HTS tokens from accounts. Hedera paused the network.
Dexible users lost $2M after selfSwap made arbitrary external calls with user-supplied data, letting the attacker transferFrom any wallet that had approved it.