KyberSwap Elastic Precision Bug
$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
$1.14M drained from Steadefi on Arbitrum and Avalanche after a deployer private-key compromise let the attacker seize ownership of leveraged vaults.
$7.5M extracted from Jimbo's Protocol on Arbitrum after a slippage-control failure in JimboController.shift() let a flash loan drain the floor-defense ETH.
$3M rug-pulled from Swaprum on Arbitrum, an Arbiswap fork whose audited contracts hid an upgradeable proxy with a backdoor add() function.
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.
Hope Finance lost $1.86M at its Arbitrum launch after the deployed contract differed from the audited one; funds went straight to Tornado Cash.
Dexible users lost $2M after selfSwap made arbitrary external calls with user-supplied data, letting the attacker transferFrom any wallet that had approved it.
Curve read-only reentrancy on remove_liquidity drained $3.65M from dForce's wstETH/ETH pool on Arbitrum and Optimism. White hat returned all funds.