Radiant Capital Multi-Sig Hijack
$53M drained from a 3-of-11 Radiant multi-sig after macOS malware hit three signers; the Safe UI showed clean txs while hardware wallets signed upgrades.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
DeltaPrime lost $6M on Arbitrum after a single private key was extracted; the team ran multi-sig on Avalanche but not Arbitrum. ZachXBT linked it to Lazarus.
$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.
$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.
Hedgey Finance vesting lost $44.7M when missing parameter validation let the attacker craft campaigns whose claimLockup callback approved arbitrary transfers.
WOOFi Swap on Arbitrum lost $8.75M after the attacker realised WOO's Chainlink oracle was never configured and the sPMM accepted any manipulated price.
$6.4M drained from Seneca users via unlimited approvals to its Chamber contract, which had no pause function. Attacker returned 80% for a 20% bounty.
Orange Finance on Arbitrum lost ~$844K after its admin key was compromised, used to alter strategy contracts and withdraw managed Uniswap v3 positions.
Gamma Strategies on Arbitrum lost $6.1M after a weak deposit-proxy price check let a flash-loan attacker deposit at a skewed ratio and withdraw outsized value.