Ethereum hacks in 2023

~$220K drained from HYPR Network after a bridge/contract flaw let an attacker extract bridged liquidity — a small but clean bridge failure.

OKX DEX aggregator users lost $2.7M after a deprecated proxy-admin key was compromised, upgrading the contract to a malicious version that swept approvals.

Single-operator compromise drained $87M from HECO's cross-chain bridge plus $12M from HTX hot wallets, hitting both Justin Sun platforms in 24 hours.

$54.7M drained from KyberSwap Elastic after a rounding error in concentrated-liquidity math let an attacker trick pools into recognising double the liquidity.

$26M drained from Taipei market maker Kronos Research after API keys (not private keys) controlling programmatic withdrawals were stolen; WOO halted trading.

$114M+ swept from Poloniex's Ethereum and Tron hot wallets after private keys were extracted from internal systems; Justin Sun pledged full reimbursement.

$3.3M of R stablecoin minted via a rounding/share-mint bug in Raft's collateral logic, but the attacker botched cash-out, burning ~1,570 ETH. R depegged.

$640K drained from Unibot users via a token-approval bug in the Telegram trading bot's new router contract. Unibot reimbursed affected users.

$200M drained from Mixin Network hot wallets after attackers compromised the cloud provider hosting Mixin's centralised database — an infrastructure wake-up.

$2.7M drained from P2P exchange Remitano's hot wallets in USDT, ANK, USDC and ETH via private-key compromise; TTPs consistent with Lazarus.

Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.

Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.

An attacker exploited rate-provider read-only reentrancy in Balancer boosted pools after a disclosure, draining ~$2.1M before users could fully exit liquidity.

~$1.3M at risk from abandoned Swerve Finance, a dormant Curve fork whose low-participation governance let an attacker pass a proposal to seize funds.

~$2.6M of ETH stuck or at-risk on the Shibarium bridge at launch after a misconfigured contract and traffic overload left funds inaccessible.

$2.1M drained from Zunami Protocol after its zETH and UZD stablecoin prices, derived from manipulable Curve pools, were inflated by a flash-loan attacker.

A malformed reentrancy lock in three versions of the Vyper compiler exposed multiple Curve stablepools to a classic reentrancy attack.

A private-key compromise drained $60M from AlphaPo's hot wallets across Tron, Bitcoin and Ethereum. The FBI attributed the payment-processor breach to Lazarus.

Conic Finance's ETH Omnipool had reentrancy guards but assumed Curve v2 used a specific ETH address. A new CurveLPOracleV2 slipped past it, draining $3.2M.

$125M drained from Multichain bridge contracts a month after CEO Zhaojun's arrest; the team had lost MPC key access and evidence pointed to an inside job.

$800K drained from Sturdy Finance via a Balancer read-only reentrancy that mispriced B-stETH-STABLE LP collateral. Funds returned after negotiation.

A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.

Tornado Cash DAO was hijacked after an attacker selfdestructed a passed proposal and redeployed malicious code at the same address, seizing 1.2M votes vs ~70K.

DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.

A single signing-key compromise swept $23M in ETH, QNT, GALA, SHIB, HOT and MATIC from Bitrue's hot wallet, under 5% of exchange balances, before any pause.

A misconfigured legacy Yearn iEarn contract pointing at the wrong Fulcrum token minted 1.2Q yUSDT and drained $11M from Aave v1 before anyone noticed.

A missing access check in Sushi's RouteProcessor2 router let bots drain $3.3M in WETH from users with token approvals before a white-hat rescue.

A missing health check on Euler's donateToReserves function let an attacker create a self-liquidatable position and walk away with $197M — most of it returned.

Dexible users lost $2M after selfSwap made arbitrary external calls with user-supplied data, letting the attacker transferFrom any wallet that had approved it.

$3M drained from Orion on Ethereum and BSC after doSwapThroughOrionPool accepted unvalidated paths with no reentrancy guard; a fake token inflated balances.