Résumé
On April 19, 2024, Hedgey Finance was drained of about $44.7 million (notional) across Arbitrum (~$42.6 million, mostly BONUS tokens) and Ethereum (~$2.1 million in USDC, ETH and other tokens). The root cause was an unvalidated attacker-controlled address combined with a stale token allowance in the ClaimCampaigns contract. createLockedCampaign granted an ERC-20 allowance via SafeERC20.safeIncreaseAllowance(IERC20(campaign.token), claimLockup.tokenLocker, campaign.amount) without validating that the caller-supplied tokenLocker was a legitimate Hedgey vesting contract, so the attacker passed their own address and obtained spend approval. cancelCampaign then refunded the deposited tokens but never called safeDecreaseAllowance, leaving the dangling allowance live after capital was returned. Funding the deposit with a Balancer flash loan, the attacker looped create-then-cancel to accumulate approvals, then called the token's transferFrom directly to drain funds belonging to other campaigns out of the contract.
Comment l’éviter dans votre code
- Validate any caller-supplied address (e.g. tokenLocker) against a whitelist of trusted contracts before granting approvals.
- Revoke allowances on cancel/refund paths with safeDecreaseAllowance to eliminate dangling approvals.
- Prefer exact-amount, single-use approvals over standing allowances; reset to zero after use.
- Audit pairs of individually-safe functions for unsafe interactions (create grants, cancel must revoke).
- Account funds per-campaign so one campaign's transferFrom cannot reach another's deposited balance.
Références
Vulnérabilités liées
Tout Web3 →- CRITICALWEB3-KILOEX-2025
On April 14, 2025 the perpetuals DEX KiloEx lost about $7.5 million across BNB Chain, Base, opBNB, and Taiko to what was reported as oracle price manipulation but was really an access-control failure. KiloEx's price feed (KiloPriceFeed.setPrices) was meant to be reachable only through a keeper-gated call chain, but the top-level MinimalForwarder.execute function was publicly callable and validated an attacker-supplied signature against attacker-supplied data, letting anyone forge a trusted call that reached setPrices and write an arbitrary price. The attacker set a market price far below true value, opened a leveraged position, then set the price far above value and closed it in the same flow, extracting fabricated profit from the vault; the sequence was repeated across all four chains, with a single transaction netting $3.12M. Reporting that framed it as flash-loan oracle manipulation was imprecise: no market liquidity was moved, the price was simply written directly through the unprotected forwarder. After KiloEx offered a 10% (~$750K) whitehat bounty and no legal action, the attacker returned essentially all of the funds by April 18, 2025.
- CRITICALWEB3-RADIANT-2024
On October 16, 2024, the cross-chain lending protocol Radiant Capital lost roughly $50M (about $53M across Arbitrum and BSC) after attackers compromised the devices of at least three of its multisig signers. Initial access began September 11, 2024 via a Telegram message spoofing a trusted former contractor, delivering a ZIP with a decoy PDF that was actually a macOS application carrying INLETDRIFT backdoor malware. The malware sat between the signers' browsers and their hardware wallets, so the Safe (Gnosis) UI and Tenderly simulations displayed correct data while the signers blind-signed a malicious transferOwnership() call on the LendingPoolAddressesProvider contract; the 3-of-11 threshold was met and the attacker then upgraded the pools to a malicious implementation and drained them. Mandiant assessed with high confidence the attack was conducted by North Korea-linked UNC4736 (aka Citrine Sleet/AppleJeus), part of the Lazarus cluster. Funds were not recovered and the protocol later wound down.
- HIGHWEB3-VOW-2024
On August 13, 2024 the Vow (Vowcurrency) protocol lost about $1.2 million (~452 ETH) when its own admin temporarily misconfigured a price setter and an MEV bot pounced. Vow's usdRateSetter admin key called setUSDRate and changed the VOW-to-vUSD exchange rate from 1 to 100 - the team later said it was testing the rate-setter while preparing a lending pool - then reverted it. The function had no input validation and no rate-change delay or timelock, and the inflated rate was readable on-chain for the window between the two transactions. An attacker-controlled MEV bot, its contract deployed 110 days earlier and funded via Tornado Cash, detected the change and within two blocks swapped VOW into vUSD at the 100x rate, minting roughly 148.7 million vUSD far above its backing, then dumped it for ETH and USDT on Uniswap. The VOW token fell 80-87%. The root cause was an unbounded, unprotected privileged setter exposed without a timelock, turning a careless admin action into instantly exploitable on-chain state.
- CRITICALWEB3-VELOCORE-2024
On June 2, 2024, the DEX Velocore was drained of about $6.8 million from its constant-product (volatile) pools on Linea and zkSync Era. The root cause combined a missing access-control modifier with an unchecked arithmetic underflow in the ConstantProductPool fee math: velocore__execute performed Vault-only state changes but had no onlyVault check, so anyone could call it directly. The pool's feeMultiplier, which increases per withdrawal and resets each block to deter free swaps, fed an effective fee computed as fee1e9 * feeMultiplier / 1e9 with no upper bound and inside an unchecked block. By repeatedly invoking velocore__execute to inflate feeMultiplier, the attacker drove effectiveFee1e9 above 100% (> 1e9), so the growth term 1e18 - ((1e18 - k) * effectiveFee1e9) / 1e9 underflowed and wrapped to a huge unsigned value, causing a small single-token withdrawal to be accounted as a massive deposit and mint excessive LP tokens. Linea controversially paused its sequencer for about an hour to stop the remaining funds from bridging out.
- CRITICALWEB3-GALA-2024
On May 20, 2024, the GALA token contract on Ethereum was abused to mint 5,000,000,000 GALA (nominally ~$200 million), of which the attacker sold 592 million GALA for 5,952 ETH (~$21.8 million) before being blocklisted. The GALA v2 contract did gate minting behind a MINTER role (OpenZeppelin AccessControl-style onlyRole check), so this was not an unprotected mint function; the root cause was a compromised, over-privileged minter account that had sat dormant for roughly 180 days without rotation or revocation. Holding a legitimately privileged role, the attacker called the privileged mint path to issue billions of tokens to their own address. This is improper privilege management and privileged-key compromise at the operational layer rather than a missing on-chain role check. Gala used a pre-existing blocklist function to freeze billions of the minted GALA within about 45 minutes, and the attacker later returned 5,913.2 ETH (~$22.3 million).
- CRITICALWEB3-MUNCHABLES-2024
On March 26, 2024, Munchables, an NFT game on the Blast Layer-2, was exploited for about $62.5M by a rogue insider developer (suspected but not officially confirmed to be North Korea/Lazarus-linked, and likely a single person posing as four hires using GitHub identities such as NelsonMurua913, Werewolves0493, BrightDragon0719 and Super1114). The contract was a dangerously upgradeable proxy whose deployer/owner address the developer controlled rather than the protocol. Before the audited implementation was upgraded in on March 21, the developer manipulated the proxy's storage slots to assign their own address a deposited balance of 1,000,000 ETH; because proxy upgrades replace logic but not storage, this pre-seeded fake balance persisted through the later upgrade to the secure version. Once total value locked grew large enough, the attacker invoked the legitimate-looking withdrawal path against the fake balance to drain the funds. After ZachXBT publicly exposed the developer, they returned the private keys unconditionally and the full ~$62M was recovered to a multisig held by Blast core contributors.