BnbLabubu OLPC/LABUBU Reserve-Mismatch Exploit
A deflationary-burn flaw in the OLPC token created a reserve mismatch on a PancakeSwap V2 pool, letting an attacker buy out LABUBU at a distorted price and drain about $1.1M.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
A deflationary-burn flaw in the OLPC token created a reserve mismatch on a PancakeSwap V2 pool, letting an attacker buy out LABUBU at a distorted price and drain about $1.1M.
A zero-value transferFrom bypassed an allowance check and triggered an unauthorized reward mint into the PancakeSwap pair, letting an attacker drain about $378,000 from Little Boy Plus.
A missing return statement in the DIP token's _transfer function let an attacker desync its PancakeSwap reserves with skim/sync and drain roughly $111,000 in USDC.
A compromised Humanity Foundation key let an attacker drain wallets and mint 100M H tokens on BNB Chain, netting about $32M and crashing $H nearly 90%.
An attacker with control of privileged minting rights created 99 million TSR tokens on BNB Chain and dumped them for roughly $2.5 million, crashing the token nearly 99%.
An attacker submitted forged guardian VAAs to Alephium's Wormhole-fork TokenBridge, draining about $815,000 of custody assets from Ethereum and BNB Chain in roughly seven minutes.
An attacker controlling a legacy DxSale liquidity-locker contract on BNB Chain drained roughly $7.3 million of BNB from more than 1,400 locked pools, amid strong suspicions of insider involvement.
~$10.8M drained from THORChain Asgard vaults across nine chains via a suspected GG20 threshold-signature flaw exploited by a malicious node operator.
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
A Venus Protocol user was phished into delegating account control, losing ~$3.7M from their supplied position. Venus contracts were never compromised.
TMXTribe, a staking/rewards protocol, lost ~$1.4M when a distribution accounting flaw let an attacker repeatedly over-claim, draining the reward reserve.