WEB3-EULER-2023

On September 3, 2024, Penpie, a yield protocol built on Pendle, was drained of about $27.3 million (11,113.6 ETH in wstETH, sUSDe, egETH and rswETH) across Ethereum and Arbitrum. The root cause was a cross-function reentrancy enabled by permissionless market registration: registerPenpiePool trusted any market from Pendle's PendleMarketFactoryV3 without validating the Standardized Yield (SY) token, so the attacker registered a fake market whose SY was their own contract. PendleStakingBaseUpg.batchHarvestMarketRewards (and its internal _harvestBatchMarketRewards) snapshotted reward-token balances before and after calling the market's redeemRewards, but lacked a nonReentrant guard. The malicious SY's claimRewards callback re-entered PendleStakingBaseUpg.depositMarket with flash-loaned Pendle LP tokens mid-accounting, so the deposit was misattributed as harvested rewards, inflating the attacker's reward balance. Although depositMarket itself carried a nonReentrant modifier, the two functions did not share a lock, so the unguarded harvest path let the attacker re-enter the guarded deposit path and claim the inflated rewards via MasterPenpie.multiclaim.

Between February 9 and 12, 2024, the South Korean crypto gaming and NFT platform PlayDapp was exploited twice for about $290M after a privileged-key compromise. Around January 16, 2024 the attacker spear-phished the PLA token deployer with a domain-spoofed email whose attachment installed a remote-access tool, giving control of the deployer's machine and its private key. PLA used a custom MinterRole/Ownable mint-permission pattern, so the attacker called addMinter(address) (method ID 0x983b2d56) on the PLA contract (0x3a4f40631a4f906c2BaD353Ed06De7A5D3fCb430) to authorize their own address as an authorized minter, then minted over 200 million PLA (~$36.5M) on February 9 and a further 1.59 billion PLA (~$253.9M) on February 12. PlayDapp's $1M return offer was ignored; PLA trading was suspended and exchanges worked to freeze funds, with most of the inflated supply effectively unsellable due to thin liquidity.

On July 30, 2023 several Curve Finance native-ETH stable pools were exploited via a compiler/toolchain supply-chain bug in specific Vyper versions (0.2.15, 0.2.16, 0.3.0). The compiler's storage-slot allocator assigned every @nonreentrant(key) decorator its own unique storage slot instead of reusing one shared slot per key, so functions meant to share a single reentrancy lock each got an independent, separately-set lock. This left the guard effective against single-function reentrancy but defeated cross-function reentrancy, letting an attacker re-enter a different guarded function via the native-ETH transfer callback while balances were mid-update. WETH-paired pools were unaffected; the exploited native-ETH pools included CRV/ETH, pETH/ETH, msETH/ETH and alETH/ETH, impacting Alchemix, JPEG'd and Metronome. Gross losses were around $61M; white-hat actors and MEV bots such as c0ffeebabe.eth returned a significant portion, reducing net losses to roughly $52M.

On 21 July 2023 Conic Finance's ETH Omnipool on Ethereum lost roughly 1,700 ETH, about $3.6 million, to a read-only reentrancy attack. The attacker flash-loaned around $134 million, deposited into the Curve rETH pool, then called Curve's remove_liquidity(), which sends ETH to the recipient before the pool's totalSupply and balances are finalized, triggering the attacker contract's fallback during an inconsistent intermediate state. Inside that callback the attacker re-entered ConicEthPool.withdraw(), causing Conic's Curve LP oracle to value the LP token from Curve's virtual price and totalSupply while the pool was mid-operation, returning an inflated price. Conic's reentrancy guard was bypassed because its _isETH check assumed Curve v2 ETH pools list the native ETH placeholder address (0xEeee...EEeE) as a coin, whereas they actually use the WETH address, so the guard never fired. The inflated valuation let the attacker mint excess cncETH and withdraw more than deposited.

On June 24, 2022, Harmony's Horizon bridge was exploited for approximately $99.7 million. The Ethereum-side bridge was secured by a 5-validator multisig configured at a low 2-of-5 threshold, so compromising just two keys gave full control of the funds. Per Harmony's post-mortem the private keys were not stored in plaintext but were doubly encrypted via a passphrase and a key management service, with no single machine holding multiple plaintext keys; the attacker nonetheless breached Harmony's hot signing infrastructure and was able to access and decrypt several keys, including those used to sign the unauthorized transfers, because the decryption capability lived within reach of the compromised environment. With two decrypted keys meeting the threshold, the attacker signed and confirmed the drain across 11 transactions (the 2 refers to the signature threshold, not the transaction count). The FBI and Elliptic attributed the theft to North Korea's Lazarus Group (APT38); the stolen assets were swapped to Ether and laundered through Tornado Cash and later RAILGUN.

On 30 April 2022 the Rari Capital / Fei Protocol Fuse lending pools on Ethereum lost approximately $80 million (about $79.7 million across ETH, FEI, DAI, LUSD and USDC). Fuse pools were a fork of Compound's CToken, but the CEther contract sent ETH using low-level call.value() instead of Compound's gas-capped transfer(), forwarding all remaining gas to the recipient's fallback. The borrow() function called doTransferOut(), which performed that call.value() ETH transfer to the borrower before the borrow and collateral accounting was finalized, violating checks-effects-interactions. The attacker's fallback re-entered the Comptroller's exitMarket() while the deposited collateral was still counted as backing the loan, freeing the collateral while keeping the borrowed ETH; the Comptroller's reentrancy guard did not cover exitMarket on the affected pools. Funded by Balancer flash loans, this cross-contract reentrancy drained seven pools.