M2 Exchange 16-Minute Response
$13.7M drained from UAE-based M2 Exchange hot wallets across BTC, ETH and Solana; identified, contained and customer funds restored in just 16 minutes.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Tapioca DAO lost $4.65M after a Discord member was social-engineered into connecting a hardware wallet; attacker seized TAP/USDO ownership. $2.7M recovered.
DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.
Telegram message oracle flaw let an attacker drain $3M from 11 Banana Gun users via manual transfers on victim wallets. Team refunded victims from treasury.
~$20M swept from Indonesia's largest crypto exchange across multiple chains in a coordinated hot-wallet compromise during 2024's run of exchange breaches.
~$27M drained from Penpie after a reentrancy gap in Pendle's plugin integration let the attacker register a malicious market and pull pegged rewards in one tx.
A crypto whale lost $55.47M in DAI after signing a malicious transaction on a phishing copy of DeFi Saver's login page powered by Inferno Drainer.
A white-hat MEV bot drained $12M from Ronin's bridge via a dead-code init flaw that left minimumVoteWeight at zero. All funds returned for a $500K bounty.
WazirX lost $234.9M from a 4-of-6 Gnosis Safe at custodian Liminal when attackers exploited a mismatch between the Liminal UI and the calldata signers approved.
$11.6M drained from users who granted infinite approvals to LI.FI; a freshly deployed facet skipped a validation, letting any caller invoke arbitrary contracts.
~$55M drained from BtcTurk's hot wallets, with Binance freezing roughly $5.3M of the stolen funds mid-flight — Turkey's largest exchange compromise to date.
A flaw in Holograph's operator contract let an attacker mint 1 billion HLG tokens, worth $14.4M nominal at first mint. HLG dropped 80% within nine hours.
UwULend lost $19.4M after an attacker manipulated 5 of 11 sUSDe oracles via Curve swaps, borrowing at $0.99 then liquidating at $1.03. A $3.7M follow-up hit.
$22M (158 BTC, 2,161 ETH, plus LTC/BCH) drained from Lykke in a private-key compromise the UK exchange tried to keep quiet; later attributed to Lazarus.
Attacker took over a dormant MINTER role to mint 5B GALA ($216M), sold $21.8M before being blacklisted; the remaining 4.4B tokens are effectively burned.
$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.
ZKasino took 10,515 ETH ($33M) from 8,000+ users on a 1:1 ETH return promise, then converted it to ZKAS and staked on Lido for 15 months. Founder arrested.
Hedgey Finance vesting lost $44.7M when missing parameter validation let the attacker craft campaigns whose claimLockup callback approved arbitrary transfers.
$11M drained from Prisma Finance's Trove migration helper after the attacker bypassed migrate() and called flashloan() directly, later demanding an apology.
Attacker bought a nominal CGT stake, exploited a MakerDAO-fork flaw to amplify voting power, then minted 1B CGT (~$16M) on Curio Governance.
$2.1M drained from Unizen's DEX aggregator via an unsafe external-call vulnerability in a recent upgrade that hit users with token approvals.
$6.4M drained from Seneca users via unlimited approvals to its Chamber contract, which had no pause function. Attacker returned 80% for a 20% bounty.
A stolen admin key let the attacker add themselves as a minter and produce 1.79B PLA across two strikes — nominal $290M, only $32M successfully cashed out.
Precision/rounding bug in Abracadabra Money's Cauldron debt-accounting let an attacker drain $6.5M (2,740 ETH + 2.2M MIM) by repaying others' debts.
$3.3M drained from Socket/Bungee bridge aggregator users via an unvalidated SocketGateway route that called transferFrom on infinite-approval wallets.
~$82M drained from Orbit Chain's cross-chain bridge on New Year's Eve after seven of ten multi-sig signers were compromised; losses across Ethereum and Klaytn.
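Several entries above (LI.FI, Seneca, Socket/Bungee, Unizen) share a victim-side root cause: a standing unlimited ERC-20 approval to a contract that later gained an arbitrary-call or unvalidated-route path, so the attacker only had to call transferFrom on the user's behalf. The script below is an added example, not code from this archive or from any of the named projects: it decodes raw approve(address,uint256) calldata, flags approvals that are effectively unlimited, and lets you allowlist spenders you deliberately trust. The sample transactions and spender addresses are constructed for the demo, and the "unlimited" threshold is an assumption you should tune per token.

```python
"""Flag unlimited ERC-20 approvals in raw transaction calldata.

Added example (not from the archive or any project it lists). Assumes
standard ERC-20 ABI encoding for approve(address,uint256); every
transaction and address below is constructed, not real on-chain data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# First 4 bytes of keccak256("approve(address,uint256)") and of
# keccak256("transfer(address,uint256)"), the standard ERC-20 selectors.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
UINT256_MAX = 2**256 - 1


@dataclass
class Approval:
    spender: str  # 0x-prefixed 20-byte hex, lower-case
    amount: int   # raw token units (before dividing by 10**decimals)


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata the way a wallet would (used here only to construct samples)."""
    addr = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + (APPROVE_SELECTOR + addr + amount.to_bytes(32, "big")).hex()


def decode_approve(calldata: bytes) -> Optional[Approval]:
    """Return the spender/amount of an approve() call, or None if calldata is not a well-formed one."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender_word = calldata[4:36]
    # ABI left-pads an address with 12 zero bytes; non-zero padding is malformed input.
    if any(spender_word[:12]):
        return None
    return Approval("0x" + spender_word[12:].hex(), int.from_bytes(calldata[36:68], "big"))


def is_unlimited(amount: int, decimals: int = 18, threshold_tokens: int = 10**9) -> bool:
    """Unlimited means the uint256 max sentinel, or (assumed threshold) more than 1e9 whole tokens."""
    return amount == UINT256_MAX or amount >= threshold_tokens * 10**decimals


def audit(txs: Iterable[str], trusted_spenders: Iterable[str] = ()) -> List[Tuple[str, int]]:
    """Return (spender, amount) for every unlimited approval to a spender not on the allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    findings: List[Tuple[str, int]] = []
    for raw in txs:
        appr = decode_approve(bytes.fromhex(raw.removeprefix("0x")))
        if appr is None:
            continue  # not an approve(): transfers, swaps, etc. are out of scope here
        if is_unlimited(appr.amount) and appr.spender not in trusted:
            findings.append((appr.spender, appr.amount))
    return findings


# Constructed spenders: 0x22.. is an unknown router, 0x33.. is one we deliberately trust.
ROUTER = "0x" + "22" * 20
TRUSTED_VAULT = "0x" + "33" * 20
SAMPLE_TXS = [
    encode_approve(ROUTER, UINT256_MAX),            # classic "infinite approval" prompt
    encode_approve(ROUTER, 100 * 10**18),           # bounded to 100 tokens: fine
    "0x" + (TRANSFER_SELECTOR + bytes(32) + bytes(32)).hex(),  # a transfer(), ignored
    encode_approve(TRUSTED_VAULT, UINT256_MAX),     # unlimited, but allowlisted below
]

if __name__ == "__main__":
    for spender, amount in audit(SAMPLE_TXS, trusted_spenders=[TRUSTED_VAULT]):
        print(f"unlimited approval to {spender}: {amount}")
```

Run it as-is and it reports one finding (the unlimited approval to the unknown router); drop the allowlist and the trusted vault is reported too. The practical check this encodes is the one the archive's approval-drain entries keep illustrating: an approval is a standing grant to whatever code sits behind that address, including code deployed after you signed.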