Smart Contract Bug attacks in 2024

$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.

A flaw in Holograph's operator contract let an attacker mint 1 billion HLG tokens, worth $14.4M nominal at first mint. HLG dropped 80% within nine hours.

Velocore's CPMM pools on zkSync and Linea lost $6.8M when a fee-multiplier overflow let the attacker mint huge LP supply against a tiny single-token withdrawal.

Sonne Finance lost $20M on Optimism to a 'donation attack', a well-known Compound v2 fork exploit hitting the gap between deploying and seeding a new market.

$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.

Hedgey Finance vesting lost $44.7M when missing parameter validation let the attacker craft campaigns whose claimLockup callback approved arbitrary transfers.

$4.8M drained from Super Sushi Samurai on Blast after a transfer-function bug doubled the sender's balance on self-transfer. A white-hat saw it first.

$2.1M drained from Unizen's DEX aggregator via an unsafe external-call vulnerability in a recent upgrade that hit users with token approvals.

$6.4M drained from Seneca users via unlimited approvals to its Chamber contract, which had no pause function. Attacker returned 80% for a 20% bounty.

$3.3M drained from Socket/Bungee bridge aggregator users via an unvalidated SocketGateway route that called transferFrom on infinite-approval wallets.