Aevo Legacy Ribbon DOV Oracle Drain
An oracle upgrade created an 18-vs-8 decimal precision mismatch in Aevo's legacy Ribbon DOV vaults, draining $2.7M. Aevo shut down vaults hours later.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
USPD, a newer decentralized stablecoin, lost ~$1M via a mint/collateral flaw that allowed minting against insufficient backing, briefly depegging the token.
Yearn's yETH StableSwap pool minted 235 septillion yETH from a 16-wei deposit after a liquidity removal reset supply to zero but left cached virtual balances.
Access-control oversight and rounding error in Balancer v2's invariant logic drained ~$120M across stable pools, the largest DeFi exploit of 2025.
Rounding error in Bunni DEX's withdraw function drained $8.4M on Ethereum and Unichain after devs misjudged how idle balances would move. Protocol shut down.
Odin.fun, a Bitcoin memecoin launchpad, lost ~$7M when attackers manipulated bonding-curve liquidity accounting to drain BTC pools. Founder paused trading.
A fee/reward-distribution flaw let an attacker repeatedly extract value from BetterBank's PulseChain liquidity pools, draining $5M with partial recovery later.
A flaw in Credix Finance's credit-token minting logic on BNB Chain let an attacker mint and redeem against fabricated positions, draining $4.5M from the pool.
Reentrancy-adjacent flaw in GMX v1's GLP pricing logic let an attacker drain ~$42M, most returned within days in exchange for a white-hat bounty.
$9.8M drained from Resupply in under 90 minutes when a $4,000 flash loan exploited a 2-hour-old wstUSR vault via an ERC-4626 donation attack.
A self-listing verification flaw drained $8.37M (up to $16.2M with ALEX tokens) from ALEX Protocol on Stacks, the team's second major incident in 13 months.
Attacker drained $12M (3,761 wstETH) from Cork Protocol by creating a market referencing another's DS, bypassing auth via a malicious Uniswap v4 hook.
Overflow-guard flaw in Sui's largest DEX let an attacker inject a tiny liquidity position that read as gigantic, draining $223M before validators intervened.
$2.15M drained from MobiusDAO on BNB Chain after a double 10^18 scaling let the attacker mint 9.73 quadrillion MBU from 0.01 BNB; laundered via Tornado Cash.
$355K (entire TVL) drained from leveraged-trading protocol SIR.trading via transient-storage misuse that spoofed the uniswapV3SwapCallback caller check.
Attacker drained $13M (6,260 ETH) from Abracadabra's GM Cauldrons by engineering a failing GMX deposit, self-liquidating, then reborrowing the collateral.
A legacy Fusion v1 resolver bug let an attacker craft calldata to drain $5M from 1inch resolver TrustedVolumes. Core protocol and user funds were unaffected.
ZeroLend lost ~$371K to a classic empty-market share-inflation donation attack on a freshly listed market that lacked a protective initial deposit.
$9.5M drained from zkLend on Starknet via a precision-rounding bug in its safeMath library; repeated rounding inflated raw_balance until pools emptied.
The Idols NFT lost ~$324K when a staking-rewards accounting flaw let an attacker repeatedly claim weighted rewards far beyond entitlement, draining the pool.