Summer.fi Lazy Summer Vault Accounting Exploit
A flash-loan attacker manipulated share accounting in Summer.fi's Lazy Summer USDC vault, redeeming inflated assets to drain about $6 million on Ethereum.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
A flash-loan attacker manipulated share accounting in Summer.fi's Lazy Summer USDC vault, redeeming inflated assets to drain about $6 million on Ethereum.
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
A flash-loan-funded attacker inflated Edel Finance's internal wGOOGLx exchange rate ~78x, borrowing against phantom tokenized-Google-stock collateral to leave about $403,000 in bad debt.
A compromised third-party vendor injected a malicious script into Polymarket's frontend, phishing approvals that drained about $2.94M in PUSD from user wallets.
A leaked SGX signing key in Taiko's public GitHub let an attacker forge bridge proofs and drain about $1.7M from the L1 Bridge and ERC20Vault on Ethereum.
A counter-MEV honeypot tricked Ethereum's most active sandwich bot, jaredfromsubway.eth, into approving 66 fake-token contracts, draining about $7.5M in WETH, USDC and USDT.
An attacker drained roughly $2.16M from Aztec's deprecated Private Rollup Bridge via an unguarded escapeHatch and spoofed proof data — Aztec's second hack in a week.
An integer-division rounding bug in a long-deprecated Thetanuts Finance vault let an attacker mint option tokens for free and drain about $2.1M on Ethereum; white-hats clawed back roughly $2M.
An attacker drained roughly $2.1M from the deprecated Aztec Connect bridge by exploiting incomplete proof validation, withdrawing unbacked balances from immutable contracts.
A flawed Secret Network bridge contract let an attacker forge IBC packets and mint unbacked saTokens, draining roughly $4.67M of Axelar-bridged assets.
A compromised Humanity Foundation key let an attacker drain wallets and mint 100M H tokens on BNB Chain, netting about $32M and crashing $H nearly 90%.
An attacker acquired a majority of TOP supply, then created, voted and executed an Aragon governance proposal in one transaction to mint ~10 billion tokens and drain 944 WETH from a Balancer V1 pool.
An attacker drained roughly $480K from AFI Protocol's afiUSD vault on Ethereum, swapping DAI to ETH and routing about 150 ETH through Tornado Cash; the root cause was not immediately disclosed.
An attacker submitted forged guardian VAAs to Alephium's Wormhole-fork TokenBridge, draining about $815,000 of custody assets from Ethereum and BNB Chain in roughly seven minutes.
Gravity Bridge, the Cosmos-Ethereum cross-chain bridge, was drained of roughly $5.4 million after attackers apparently compromised validator signing keys and forged unauthorized withdrawals.
A confused-deputy access-control flaw in New Market Trading's third-party SquidRouterModule let an attacker drain roughly $3.8 million from 88 Gnosis Safe wallets across Ethereum, Base, and Arbitrum.
An attacker minted 1,000 unbacked eBTC (~$76.7M nominal) on Echo Protocol via an admin-key compromise, used it as Curvance collateral, and extracted ~$821K through Tornado Cash before containment.
Verus-Ethereum bridge paid out $11.58M after an attacker submitted a 0.02 VRSC export — no source/destination value-binding check on either side.
~$10.8M drained from THORChain Asgard vaults across nine chains via a suspected GG20 threshold-signature flaw exploited by a malicious node operator.
Cross-chain aggregator Transit Finance lost ~$1.88M in DAI on May 13, 2026 — a second multi-million-dollar incident after its October 2022 proxy-approval breach.
Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.
$292M unbacked rsETH minted after attackers exploited KelpDAO's 1-of-1 LayerZero DVN setup; the largest DeFi hack of 2026, with TVL falling $13B after.
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
Resolv Labs lost $25M after attackers compromised its AWS KMS keys; a $100K USDC deposit minted 50M USR and depegged the stablecoin 74% in 17 minutes.
Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.
$4.3M drained from IoTeX's ioTube bridge via a validator key compromise; attacker also minted 111M CIOTX and 9.3M CCS. IoTeX pledged full user compensation.
$4.13M extracted from Makina's DUSD/USDC Curve pool via flash-loan oracle manipulation against MachineShareOracle; white-hat talks recovered 89% in a week.
SagaEVM lost $7M in 11 minutes when an Ethermint bug let crafted messages bypass validation, minting Saga Dollar (D) without collateral and bridging to ETH.
Truebit lost $26.4M when an integer overflow in TRU's five-year-old bonding-curve contract let the attacker mint TRU near-free and sell back for 8,500 ETH.