BonkDAO Governance Takeover
An attacker spent about $4M quietly buying BONK to capture BonkDAO's vote, then pushed a malicious Realms proposal that drained roughly $20M from the treasury.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
An attacker spent about $4M quietly buying BONK to capture BonkDAO's vote, then pushed a malicious Realms proposal that drained roughly $20M from the treasury.
A flash-loan attacker manipulated share accounting in Summer.fi's Lazy Summer USDC vault, redeeming inflated assets to drain about $6 million on Ethereum.
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
A flash-loan-funded attacker inflated Edel Finance's internal wGOOGLx exchange rate ~78x, borrowing against phantom tokenized-Google-stock collateral to leave about $403,000 in bad debt.
A compromised third-party vendor injected a malicious script into Polymarket's frontend, phishing approvals that drained about $2.94M in PUSD from user wallets.
A predictable-randomness flaw in SecondFi's Cardano wallet-generation software let attackers drain about $2.4M in ADA from 178 wallets, with up to $20M more potentially at risk.
A leaked SGX signing key in Taiko's public GitHub let an attacker forge bridge proofs and drain about $1.7M from the L1 Bridge and ERC20Vault on Ethereum.
A deflationary-burn flaw in the OLPC token created a reserve mismatch on a PancakeSwap V2 pool, letting an attacker buy out LABUBU at a distorted price and drain about $1.1M.
A counter-MEV honeypot tricked Ethereum's most active sandwich bot, jaredfromsubway.eth, into approving 66 fake-token contracts, draining about $7.5M in WETH, USDC and USDT.
An attacker minted a worthless EVIL token to distort mySwap's concentrated-liquidity pool accounting on Starknet and drained about $305K of residual LP funds.
An IBC transfer-logic flaw let an attacker sweep roughly $600,000 of shielded assets from Namada's Multi-Asset Shielded Pool, briefly masked by a stale indexer.
A zero-value transferFrom bypassed an allowance check and triggered an unauthorized reward mint into the PancakeSwap pair, letting an attacker drain about $378,000 from Little Boy Plus.
An attacker drained roughly $2.16M from Aztec's deprecated Private Rollup Bridge via an unguarded escapeHatch and spoofed proof data — Aztec's second hack in a week.
A missing return statement in the DIP token's _transfer function let an attacker desync its PancakeSwap reserves with skim/sync and drain roughly $111,000 in USDC.
An integer-division rounding bug in a long-deprecated Thetanuts Finance vault let an attacker mint option tokens for free and drain about $2.1M on Ethereum; white-hats clawed back roughly $2M.
An attacker drained roughly $2.1M from the deprecated Aztec Connect bridge by exploiting incomplete proof validation, withdrawing unbacked balances from immutable contracts.
An attacker drained roughly $1.34M from five dormant Raydium AMM V3 pools on Solana by minting a fake LP token that bypassed the deprecated program's withdrawal checks.
A flawed Secret Network bridge contract let an attacker forge IBC packets and mint unbacked saTokens, draining roughly $4.67M of Axelar-bridged assets.
A compromised Humanity Foundation key let an attacker drain wallets and mint 100M H tokens on BNB Chain, netting about $32M and crashing $H nearly 90%.
An attacker acquired a majority of TOP supply, then created, voted and executed an Aragon governance proposal in one transaction to mint ~10 billion tokens and drain 944 WETH from a Balancer V1 pool.
A proof-validation flaw in Syscoin's cross-chain bridge let an attacker mint roughly 5 billion unauthorized SYS — over five times the supply — worth just under $10M.
A signature-verification flaw in the Zodiac Delay Module let an attacker bypass Gnosis Pay's time-delay and drain roughly $1.5 million from 5,281 user Safes; Gnosis restored 100% of funds.
An attacker with control of privileged minting rights created 99 million TSR tokens on BNB Chain and dumped them for roughly $2.5 million, crashing the token nearly 99%.
An attacker drained roughly $480K from AFI Protocol's afiUSD vault on Ethereum, swapping DAI to ETH and routing about 150 ETH through Tornado Cash; the root cause was not immediately disclosed.
An attacker submitted forged guardian VAAs to Alephium's Wormhole-fork TokenBridge, draining about $815,000 of custody assets from Ethereum and BNB Chain in roughly seven minutes.
Gravity Bridge, the Cosmos-Ethereum cross-chain bridge, was drained of roughly $5.4 million after attackers apparently compromised validator signing keys and forged unauthorized withdrawals.
An attacker controlling a legacy DxSale liquidity-locker contract on BNB Chain drained roughly $7.3 million of BNB from more than 1,400 locked pools, amid strong suspicions of insider involvement.
A confused-deputy access-control flaw in New Market Trading's third-party SquidRouterModule let an attacker drain roughly $3.8 million from 88 Gnosis Safe wallets across Ethereum, Base, and Arbitrum.
An attacker minted 1,000 unbacked eBTC (~$76.7M nominal) on Echo Protocol via an admin-key compromise, used it as Curvance collateral, and extracted ~$821K through Tornado Cash before containment.
Verus-Ethereum bridge paid out $11.58M after an attacker submitted a 0.02 VRSC export — no source/destination value-binding check on either side.
~$10.8M drained from THORChain Asgard vaults across nine chains via a suspected GG20 threshold-signature flaw exploited by a malicious node operator.
Cross-chain aggregator Transit Finance lost ~$1.88M in DAI on May 13, 2026 — a second multi-million-dollar incident after its October 2022 proxy-approval breach.
Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.
Volo Protocol's Sui vaults lost $3.5M after social engineering compromised the admin key. The team froze $500K in 30 minutes and blocked a $2.1M WBTC bridge.
$292M unbacked rsETH minted after attackers exploited KelpDAO's 1-of-1 LayerZero DVN setup; the largest DeFi hack of 2026, with TVL falling $13B after.
Rhea Finance on NEAR lost $18.4M after a two-day setup of fake tokens, 423 wallets and 8 Ref pools exploited a slippage-summing flaw in margin trading.
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
DPRK social-engineers tricked Drift Security Council members into blind-signing durable-nonce txs that handed over admin control, draining $285M on Solana.
Resolv Labs lost $25M after attackers compromised its AWS KMS keys; a $100K USDC deposit minted 50M USR and depegged the stablecoin 74% in 17 minutes.
Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.
A Venus Protocol user was phished into delegating account control, losing ~$3.7M from their supplied position. Venus contracts were never compromised.
$4.3M drained from IoTeX's ioTube bridge via a validator key compromise; attacker also minted 111M CIOTX and 9.3M CCS. IoTeX pledged full user compensation.
~$1.78M drained from Moonwell on Base after a newly listed market used a price feed with a decimals mismatch, mis-valuing collateral so attackers borrowed out.
YieldBlox's Stellar lending pool lost $10.2M after a single USTRY-for-USDC sell at 501x market rate defined the Reflector oracle price in a quiet 15-min window.
Step Finance lost 261,854 SOL ($27M) from treasury and fee wallets to a 'sophisticated' actor. STEP fell 96%; Step, SolanaFloor and Remora all shut down.
$4.13M extracted from Makina's DUSD/USDC Curve pool via flash-loan oracle manipulation against MachineShareOracle; white-hat talks recovered 89% in a week.
SagaEVM lost $7M in 11 minutes when an Ethermint bug let crafted messages bypass validation, minting Saga Dollar (D) without collateral and bridging to ETH.
TMXTribe, a staking/rewards protocol, lost ~$1.4M when a distribution accounting flaw let an attacker repeatedly over-claim, draining the reward reserve.
Truebit lost $26.4M when an integer overflow in TRU's five-year-old bonding-curve contract let the attacker mint TRU near-free and sell back for 8,500 ETH.