Web3 vulnerabilities
The Web3 slice of Stateward's threat feed: 78 curated incidents and attack techniques, each explaining how it happened and how to avoid it in your own code.
78 Web3 entries · 78 curated · part of 476 total advisories
- HIGH · Web3 · WEB3-FRONTEND-DNS-HIJACK-2022 · Web3 · dApp web frontend / DNS / registrar / CDN trust boundary
A frontend hijack leaves the on-chain contracts untouched but replaces the Web2 surface serving the dApp UI with a wallet-drainer clone, so no Solidity audit can catch it. The recurring pattern: attackers take over the domain registrar or DNS provider account (or a CDN/tag-manager account), repoint the domain to a cloned site, and prompt visitors to sign malicious token approvals, EIP-2612 permit signatures, or transfers. Curve Finance was hit twice: on August 9-10, 2022 its curve.fi domain was DNS-hijacked via a compromised nameserver and drained ~$570K in USDC/DAI; and again around May 12, 2025 at the registrar level, after which Curve permanently migrated to curve.finance and announced an ENS move (Convex Finance and Resupply, which depend on Curve's data feeds, suffered dependency-driven outages but were not themselves compromised). In July 2024 a mass wave hit DeFi domains registered through Squarespace, whose forced migration off Google Domains stripped 2FA: Compound's frontend redirected to an Inferno Drainer clone and 100+ protocols were exposed (Celer blocked its takeover via domain monitoring). Ambient Finance's domain was hijacked through stolen registrar credentials on October 17, 2024. Most recently, on April 14, 2026 attackers used forged identity documents to social-engineer the registrar into handing over DNS control of CoW Swap's swap.cow.fi and cow.fi domains, redirecting users to a pixel-perfect drainer clone for about 90 minutes; over $1M was taken in roughly three hours, including 219 ETH (~$750K) from a single wallet, while CoW's contracts, backend APIs, and solver network were untouched. The same bucket includes CDN-account injections (KyberSwap's September 2022 Cloudflare/Google Tag Manager compromise, ~$265K) and BGP route hijacks that swap signed bundles for drainer code.
- CRITICAL · Web3 · exploited · WEB3-BUNNI-2025 · Web3 · Ethereum · Bunni v2 (Uniswap v4 liquidity manager)
On September 2, 2025 Bunni, a liquidity manager built on Uniswap v4, was drained of roughly $8.4 million across Ethereum and Unichain (USDC, USDT, and weETH/ETH) through a rounding error in its withdrawal accounting amplified by flash loans. Bunni's Liquidity Distribution Function (LDF) tracks an 'idle balance' that is rebalanced on every swap, and the withdraw path rounded that balance in the wrong direction under specific conditions. The attacker flash-borrowed millions in USDT and executed a precisely sized sequence of swaps that pushed the pool's spot price back and forth across tick boundaries, triggering the faulty rounding repeatedly; each cycle let them withdraw more tokens than they burned in liquidity (in the USDC/USDT pool the idle balance fell 85.7% while liquidity fell only 84.4%, and that gap was the leak). The bug was application-specific accounting math, not an oracle or price-feed flaw. Unable to fund a secure relaunch, the Bunni team announced on October 23, 2025 that it was permanently shutting down, leaving withdrawals open and relicensing v2 from BUSL to MIT.
- CRITICAL · Web3 · exploited · WEB3-CETUS-2025 · Web3 · Sui · Cetus Protocol
On May 22, 2025 Cetus Protocol, the leading DEX on Sui, was drained of approximately $223M. The root cause was a flawed overflow check: the checked_shlw function in the integer-mate math library built its guard mask as 0xFFFFFFFFFFFFFFFF << 192 instead of 0x1 << 192, so values above 2^192 slipped past the check and the subsequent 64-bit left shift silently overflowed (left shifts do not abort in Move). The flaw lived in get_delta_a, which computes the tokens needed for a liquidity position; under the overflow the numerator wrapped to a tiny value, so the function demanded as little as 1 token unit for an enormous liquidity amount. Using flash swaps (borrowing ~10M haSUI), the attacker opened a tight-range position (ticks [300000, 300200]) and minted a massive amount of liquidity for a negligible deposit, then withdrew real pool reserves. Around $162M was frozen on-chain by Sui validators and eventually returned, while roughly $62M was bridged out to Ethereum. Cetus relaunched after recovering and replenishing affected pool liquidity.
- CRITICAL · Web3 · exploited · WEB3-KILOEX-2025 · Web3 · Multichain · KiloEx (perpetuals DEX price feed)
On April 14, 2025 the perpetuals DEX KiloEx lost about $7.5 million across BNB Chain, Base, opBNB, and Taiko to what was reported as oracle price manipulation but was really an access-control failure. KiloEx's price feed (KiloPriceFeed.setPrices) was meant to be reachable only through a keeper-gated call chain, but the top-level MinimalForwarder.execute function was publicly callable and validated an attacker-supplied signature against attacker-supplied data, letting anyone forge a trusted call that reached setPrices and write an arbitrary price. The attacker set a market price far below true value, opened a leveraged position, then set the price far above value and closed it in the same flow, extracting fabricated profit from the vault; the sequence was repeated across all four chains, with a single transaction netting $3.12M. Reporting that framed it as flash-loan oracle manipulation was imprecise: no market liquidity was moved, the price was simply written directly through the unprotected forwarder. After KiloEx offered a 10% (~$750K) whitehat bounty and no legal action, the attacker returned essentially all of the funds by April 18, 2025.
- CRITICAL · Web3 · exploited · WEB3-ABRACADABRA-2025 · Web3 · Arbitrum · Abracadabra Money (GmxV2 Cauldron / MIM)
In late March 2025 Abracadabra.Money lost about $13 million (roughly 6,260 ETH) on Arbitrum when an attacker abused the GMX V2 gmCauldrons that accept GMX GM liquidity tokens as collateral. GMX deposits are asynchronous, so the attacker submitted deposit orders with unsatisfiable minOut values that GMX rejected, returning the input USDC to the cauldron's order/router contract while the cauldron's accounting still counted that pending position as live collateral. Functions such as sendValueInCollateral removed real tokens during liquidation without clearing inputAmount/minOut state, so orderValueInCollateral kept reporting phantom collateral. Inside a single cook() batch the attacker borrowed MIM against this ghost collateral, self-liquidated to pull out the real returned tokens, and reborrowed, while the end-of-cook solvency check still read the stale inflated collateral value and passed. The accounting bypass let the attacker borrow against effectively non-existent collateral and extract MIM.
- CRITICAL · Web3 · exploited · WEB3-BYBIT-2025 · Web3 · CEX · Bybit
On February 21, 2025, Bybit lost roughly $1.5 billion (about 401,347 ETH plus stETH/mETH) in the largest crypto hack to date. The root cause was a supply-chain/front-end compromise: a breached Safe{Wallet} developer machine let attackers inject malicious JavaScript into the Safe UI served from Safe's S3-backed app.safe.global front end. The code was scoped to activate only for Bybit's cold-wallet Safe (and one other contract), so when the three signers reviewed a routine cold-to-hot transfer the UI showed legitimate data while their Ledgers were sent a different payload. Signers blind-signed a delegatecall (operation=1) to an attacker contract that, executing in the proxy's storage context, overwrote storage slot 0 (the masterCopy/singleton pointer) with an attacker-controlled implementation, after which sweep functions drained the wallet. The FBI and TRM Labs attributed the theft to North Korea's Lazarus Group (TraderTraitor/APT38); funds were rapidly laundered and not recovered.
- CRITICAL · Web3 · exploited · WEB3-ZKLEND-2025 · Web3 · Starknet · zkLend (Starknet money market)
On February 12, 2025 zkLend, a money-market protocol on Starknet, lost about $9.5 million (roughly 61 wstETH) through an integer-division rounding exploit in its lending accumulator on an empty market. The attacker deposited 1 wei into an empty wstETH market where reserve balance and zToken supply were zero, then used repeated flash-loan borrow-and-repay cycles to inflate the lending_accumulator, computed as (reserve_balance + total_debt - amount_to_treasury) * 1e27 / ztoken_supply, to an extreme value around 4.069e45. Because zToken amounts are derived via amount * 1e27 / lending_accumulator using direct division that rounds down, the attacker could deposit a few wstETH yet mint only 1 zToken, and on withdrawal burn 1 zToken while pulling out more wstETH than deposited. Repeating this rounding asymmetry grew the raw balance and let the attacker drain wstETH and other assets across the protocol.
- CRITICAL · Web3 · WEB3-PHEMEX-2025 · Web3 · CEX · Phemex
On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.
- CRITICAL · Web3 · exploited · WEB3-RADIANT-2024 · Web3 · Arbitrum · Radiant Capital
On October 16, 2024, the cross-chain lending protocol Radiant Capital lost roughly $50M (about $53M across Arbitrum and BSC) after attackers compromised the devices of at least three of its multisig signers. Initial access began September 11, 2024 via a Telegram message spoofing a trusted former contractor, delivering a ZIP with a decoy PDF that was actually a macOS application carrying INLETDRIFT backdoor malware. The malware sat between the signers' browsers and their hardware wallets, so the Safe (Gnosis) UI and Tenderly simulations displayed correct data while the signers blind-signed a malicious transferOwnership() call on the LendingPoolAddressesProvider contract; the 3-of-11 threshold was met and the attacker then upgraded the pools to a malicious implementation and drained them. Mandiant assessed with high confidence the attack was conducted by North Korea-linked UNC4736 (aka Citrine Sleet/AppleJeus), part of the Lazarus cluster. Funds were not recovered and the protocol later wound down.
- CRITICAL · Web3 · exploited · WEB3-BLIND-SIGNING-2024 · Web3 · Wallets · Blind signing of opaque transactions and messages
Blind signing, approving a payload the wallet cannot decode, is the final step behind the largest multisig drains: Radiant Capital lost about $50M in October 2024 and Bybit about $1.5B in February 2025, both via hardware-wallet signers approving transactions whose true effect their devices could not render. In the Radiant attack, malware showed legitimate-looking transaction data in the Gnosis Safe front-end while the hardware wallets actually received and signed a Safe execTransaction whose inner operation was a delegatecall to an attacker contract; that delegatecall executed in the Safe's own storage context and overwrote the implementation/owner state, handing control to the attacker. Because a hardware wallet's small display can only show a four-byte selector and raw hex, signers cannot parse a nested execTransaction or distinguish a benign call from a delegatecall that rewrites storage slot zero. The same root cause applies to legacy eth_sign, which signs an arbitrary 32-byte hash with no context, letting a phishing site obtain a signature reusable as a transaction authorization. The signer sees one intent and authorizes a different one.
- CRITICAL · Web3 · exploited · WEB3-PERMIT-PHISHING-2024 · Web3 · Ethereum · EIP-2612 Permit and Uniswap Permit2 signature phishing
Gasless permit signatures are now the dominant phishing vector: Scam Sniffer found Permit-type signatures accounted for 56.7% of 2024 wallet-drainer attacks within $494M of total losses, with cases like an October 13, 2024 Permit2 phish that drained roughly $1.39M of PEPE, MSTR and APU from one victim. EIP-2612 adds a permit(owner, spender, value, nonce, deadline, v, r, s) function so an owner signs an off-chain EIP-712 Permit struct that sets an ERC-20 allowance; the standard explicitly allows any address to submit it on-chain. The phishing dApp prompts that off-chain signature with the attacker as spender and value set to the full balance or type(uint256).max; the victim never sends a transaction or pays gas, and the wallet often shows an opaque typed-data blob. The attacker then submits permit() to register the allowance and immediately calls transferFrom to sweep the tokens. Uniswap's Permit2 generalizes this to every ERC-20: a single PermitSingle/PermitTransferFrom signature authorizes the attacker as spender, and because Permit2 defaults to the entire balance, one careless signature empties the wallet.
- CRITICAL · Web3 · exploited · WEB3-PENPIE-2024 · Web3 · Ethereum · Penpie
On September 3, 2024, Penpie, a yield protocol built on Pendle, was drained of about $27.3 million (11,113.6 ETH in wstETH, sUSDe, egETH and rswETH) across Ethereum and Arbitrum. The root cause was a cross-function reentrancy enabled by permissionless market registration: registerPenpiePool trusted any market from Pendle's PendleMarketFactoryV3 without validating the Standardized Yield (SY) token, so the attacker registered a fake market whose SY was their own contract. PendleStakingBaseUpg.batchHarvestMarketRewards (and its internal _harvestBatchMarketRewards) snapshotted reward-token balances before and after calling the market's redeemRewards, but lacked a nonReentrant guard. The malicious SY's claimRewards callback re-entered PendleStakingBaseUpg.depositMarket with flash-loaned Pendle LP tokens mid-accounting, so the deposit was misattributed as harvested rewards, inflating the attacker's reward balance. Although depositMarket itself carried a nonReentrant modifier, the two functions did not share a lock, so the unguarded harvest path let the attacker re-enter the guarded deposit path and claim the inflated rewards via MasterPenpie.multiclaim.
- HIGH · Web3 · WEB3-VOW-2024 · Web3 · Ethereum · Vow (Vowcurrency) USD rate setter
On August 13, 2024 the Vow (Vowcurrency) protocol lost about $1.2 million (~452 ETH) when its own admin temporarily misconfigured a price setter and an MEV bot pounced. Vow's usdRateSetter admin key called setUSDRate and changed the VOW-to-vUSD exchange rate from 1 to 100 (the team later said it was testing the rate-setter while preparing a lending pool), then reverted it. The function had no input validation and no rate-change delay or timelock, and the inflated rate was readable on-chain for the window between the two transactions. An attacker-controlled MEV bot, its contract deployed 110 days earlier and funded via Tornado Cash, detected the change and within two blocks swapped VOW into vUSD at the 100x rate, minting roughly 148.7 million vUSD far above its backing, then dumped it for ETH and USDT on Uniswap. The VOW token fell 80-87%. The root cause was an unbounded, unprotected privileged setter exposed without a timelock, turning a careless admin action into instantly exploitable on-chain state.
- CRITICAL · Web3 · WEB3-WAZIRX-2024 · Web3 · CEX · WazirX
On July 18, 2024 Indian exchange WazirX lost approximately $230M (about $234.9M) from a Safe (Gnosis) 4-of-6 multisig wallet held under a custody arrangement with Liminal (five WazirX keys plus one Liminal key). The attack was a blind-signing exploit: signers reviewed benign transaction details in the manipulated Liminal interface while the payload actually signed differed, authorizing a delegatecall (function selector 0x804e1f0a) that overwrote slot0 of the Safe proxy and repointed its implementation to an attacker-controlled contract (0xef279c2ab14960aa319008cbea384b9f8ac35fc6). Once the proxy pointed to attacker logic the wallet was fully controlled without further keys, and it was drained. The theft was attributed to North Korea's Lazarus Group, later confirmed in a joint statement by the US, South Korea and Japan in January 2025. Funds were laundered via Tornado Cash; victims are being repaid through a court-approved restructuring (resumed October 2025, BitGo custody) rather than direct recovery.
- CRITICAL · Web3 · exploited · WEB3-UWULEND-2024 · Web3 · Ethereum · UwU Lend
On June 10, 2024, UwU Lend, an Aave-fork lending protocol on Ethereum, lost about $19.3 million, followed by a second ~$3.7 million drain on June 13, 2024 (combined ~$23 million). The root cause was flash-loan oracle manipulation of the sUSDe price feed: the custom sUSDePriceProviderBUniCatch oracle priced sUSDe as the median of 11 sources, 5 of which read instantaneous Curve pool spot prices via get_p (no TWAP/EMA smoothing) across the FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD and GHOUSDe pools. Using a roughly $3.8 billion flash loan, the attacker swapped large USDe amounts to suppress the median sUSDe price, set up positions, then reversed the swaps to inflate it, rendering their own leveraged position liquidatable and self-liquidating repeatedly to harvest base assets at favorable rates. Curve explicitly advises against using get_p spot reads for oracles. The June 13 follow-up reused collateral left from the first attack, since sUSDe was not disabled as borrowable collateral.
- CRITICAL · Web3 · exploited · WEB3-VELOCORE-2024 · Web3 · Linea · Velocore
On June 2, 2024, the DEX Velocore was drained of about $6.8 million from its constant-product (volatile) pools on Linea and zkSync Era. The root cause combined a missing access-control modifier with an unchecked arithmetic underflow in the ConstantProductPool fee math: velocore__execute performed Vault-only state changes but had no onlyVault check, so anyone could call it directly. The pool's feeMultiplier, which increases per withdrawal and resets each block to deter free swaps, fed an effective fee computed as fee1e9 * feeMultiplier / 1e9 with no upper bound and inside an unchecked block. By repeatedly invoking velocore__execute to inflate feeMultiplier, the attacker drove effectiveFee1e9 above 100% (> 1e9), so the growth term 1e18 - ((1e18 - k) * effectiveFee1e9) / 1e9 underflowed and wrapped to a huge unsigned value, causing a small single-token withdrawal to be accounted as a massive deposit and mint excessive LP tokens. Linea controversially paused its sequencer for about an hour to stop the remaining funds from bridging out.
- CRITICAL · Web3 · WEB3-DMM-BITCOIN-2024 · Web3 · CEX · DMM Bitcoin
On May 31, 2024 Japanese exchange DMM Bitcoin lost 4,502.9 BTC, worth approximately $305M-$308M at the time. The compromise was a supply-chain social-engineering chain that did not breach DMM directly: a TraderTraitor operator posing as a recruiter on LinkedIn sent an employee of wallet-software vendor Ginco a malicious Python script disguised as a GitHub pre-employment coding test. The malware (RN Loader / RN Stealer) harvested SSH keys, credentials and cloud configurations; weeks later attackers used stolen session cookies to impersonate the Ginco employee, access the unencrypted communications system linked to DMM, and tamper with a legitimate withdrawal request submitted by a DMM employee, redirecting 4,502.9 BTC to attacker addresses. US and Japanese authorities (FBI, DC3, Japan's NPA) attributed the theft to North Korean actors tracked as TraderTraitor (Jade Sleet / UNC4899), associated with the Lazarus Group. Funds were not recovered; DMM Bitcoin shut down and transferred accounts to SBI VC Trade.
- CRITICAL · Web3 · WEB3-GALA-2024 · Web3 · Ethereum · Gala Games
On May 20, 2024, the GALA token contract on Ethereum was abused to mint 5,000,000,000 GALA (nominally ~$200 million), of which the attacker sold 592 million GALA for 5,952 ETH (~$21.8 million) before being blocklisted. The GALA v2 contract did gate minting behind a MINTER role (OpenZeppelin AccessControl-style onlyRole check), so this was not an unprotected mint function; the root cause was a compromised, over-privileged minter account that had sat dormant for roughly 180 days without rotation or revocation. Holding a legitimately privileged role, the attacker called the privileged mint path to issue billions of tokens to their own address. This is improper privilege management and privileged-key compromise at the operational layer rather than a missing on-chain role check. Gala used a pre-existing blocklist function to freeze billions of the minted GALA within about 45 minutes, and the attacker later returned 5,913.2 ETH (~$22.3 million).
- CRITICAL · Web3 · WEB3-SONNE-2024 · Web3 · Optimism · Sonne Finance (Compound v2 fork)
On May 14, 2024 Sonne Finance, a Compound v2 lending fork on Optimism, lost about $20 million when an attacker exploited a freshly created, low-liquidity VELO (Velodrome) market. Because market creation and the protective collateral-factor setup were split across timelocked permissionless transactions two days apart, the attacker acted inside the window before the market was safely seeded. The attacker minted the minimum amount of soVELO cTokens (1 wei) and then donated a large quantity of VELO directly to the soVELO contract, inflating totalCash while totalSupply stayed near zero. Since exchangeRate equals (totalCash + totalBorrows - totalReserves) / totalSupply, this empty-market rounding manipulation drove the cToken exchange rate up so the tiny share position was valued as enormous collateral. The attacker then borrowed roughly 265 WETH plus available USDC.e against the over-valued collateral, draining about $20M within about 25 minutes.
- HIGH · Web3 · exploited · WEB3-ADDRESS-POISONING-2024 · Web3 · Wallets · Address poisoning / transaction-history spoofing
Address poisoning exploits the human habit of verifying only the first and last few characters of a wallet address; on May 3, 2024 a whale lost roughly $68M in WBTC after copying a poisoned look-alike address, the single largest recorded case. Attackers brute-force a vanity address whose leading and trailing characters match an address the victim recently transacted with, then seed it into the victim's history. They do this cheaply by emitting a Transfer event the victim did not authorize: a zero-value ERC-20 transferFrom, or a fake-token contract that emits Transfer logs, so the look-alike address appears in the wallet's recent-activity list at essentially gas-only cost (the $68M poisoning transaction carried 0 ETH value and about $0.65 gas). Later, the victim copies the recipient from their own transaction history, pastes the attacker's near-identical address, and sends funds directly to it. No signature exploit is involved; the attack is pure UI deception of the wallet's transaction-history display.
- CRITICAL · Web3 · WEB3-HEDGEY-2024 · Web3 · Ethereum · Hedgey Finance
On April 19, 2024, Hedgey Finance was drained of about $44.7 million (notional) across Arbitrum (~$42.6 million, mostly BONUS tokens) and Ethereum (~$2.1 million in USDC, ETH and other tokens). The root cause was an unvalidated attacker-controlled address combined with a stale token allowance in the ClaimCampaigns contract. createLockedCampaign granted an ERC-20 allowance via SafeERC20.safeIncreaseAllowance(IERC20(campaign.token), claimLockup.tokenLocker, campaign.amount) without validating that the caller-supplied tokenLocker was a legitimate Hedgey vesting contract, so the attacker passed their own address and obtained spend approval. cancelCampaign then refunded the deposited tokens but never called safeDecreaseAllowance, leaving the dangling allowance live after capital was returned. Funding the deposit with a Balancer flash loan, the attacker looped create-then-cancel to accumulate approvals, then called the token's transferFrom directly to drain funds belonging to other campaigns out of the contract.
- CRITICAL · Web3 · exploited · WEB3-MUNCHABLES-2024 · Web3 · Blast · Munchables
On March 26, 2024, Munchables, an NFT game on the Blast Layer-2, was exploited for about $62.5M by a rogue insider developer (suspected but not officially confirmed to be North Korea/Lazarus-linked, and likely a single person posing as four hires using GitHub identities such as NelsonMurua913, Werewolves0493, BrightDragon0719 and Super1114). The contract was a dangerously upgradeable proxy whose deployer/owner address was controlled by the developer rather than the protocol. Before the upgrade to the audited implementation on March 21, the developer manipulated the proxy's storage slots to assign their own address a deposited balance of 1,000,000 ETH; because proxy upgrades replace logic but not storage, this pre-seeded fake balance persisted through the later upgrade to the secure version. Once total value locked grew large enough, the attacker invoked the legitimate-looking withdrawal path against the fake balance to drain the funds. After ZachXBT publicly exposed the developer, they returned the private keys unconditionally and the full ~$62M was recovered to a multisig held by Blast core contributors.
- CRITICAL · Web3 · exploited · WEB3-FIXEDFLOAT-2024 · Web3 · FixedFloat
In mid-February 2024 (around February 16), the non-KYC instant crypto exchange FixedFloat was hacked for about $26.1M, comprising roughly 409 BTC (~$21M) and about 1,728 ETH (~$4.9M), drained in roughly nine transactions. FixedFloat denied an insider job or rug pull and said a third party exploited vulnerabilities and insufficient protection in its infrastructure, gaining access to some service functions; it deliberately prioritized patching over disclosure, so no public technical root-cause writeup was ever released. The exact vector therefore remains officially undisclosed, but on-chain analysts observed no smart-contract exploitation and a direct hot-wallet drain pattern consistent with a compromised hot wallet or private key rather than a protocol bug. The stolen funds were quickly laundered, with ETH funneled through the eXch mixer and BTC split across many addresses, and were not recovered.
- CRITICAL · Web3 · exploited · WEB3-PLAYDAPP-2024 · Web3 · Ethereum · PlayDapp
Between February 9 and 12, 2024, the South Korean crypto gaming and NFT platform PlayDapp was exploited twice for about $290M after a privileged-key compromise. Around January 16, 2024 the attacker spear-phished the PLA token deployer with a domain-spoofed email whose attachment installed a remote-access tool, giving control of the deployer's machine and its private key. PLA used a custom MinterRole/Ownable mint-permission pattern, so the attacker called addMinter(address) (method ID 0x983b2d56) on the PLA contract (0x3a4f40631a4f906c2BaD353Ed06De7A5D3fCb430) to register their own address as an authorized minter, then minted over 200 million PLA (~$36.5M) on February 9 and a further 1.59 billion PLA (~$253.9M) on February 12. PlayDapp's $1M return offer was ignored; PLA trading was suspended and exchanges worked to freeze funds, with most of the inflated supply effectively unsellable due to thin liquidity.
- CRITICAL · Web3 · exploited · WEB3-ORBITCHAIN-2024 · Web3 · Ethereum · Orbit Chain (Orbit Bridge)
On December 31, 2023 (reported January 1, 2024), the Orbit Chain cross-chain bridge lost about $81.5 million when the attacker gained signing control over a majority of validators (analysts cite 7 of 10) and authorized withdrawals from the Ethereum-side vault, draining roughly 30M USDT, 10M USDC, 10M DAI, about 9,500 ETH and 231 WBTC across five transactions to fresh wallets, plus a further transaction disabling the bridge. The root cause was validator private-key/credential compromise enabling improper authorization, not a smart-contract logic flaw; the attack wallet was funded via Tornado Cash. A later statement from developer Ozys alleged that a departing security lead had arbitrarily weakened the firewall policy in November 2023 before leaving without handover, which Ozys treats as the leading access hypothesis, though the causal link remains unproven. The methodical transaction pattern led analysts and South Korean authorities to suspect North Korea's Lazarus Group, but attribution was not formally confirmed. Funds were later laundered via Tornado Cash and not recovered.
- HIGH · Web3 · exploited · WEB3-APPROVAL-PHISHING-2023 · Web3 · Ethereum · Unlimited ERC-20 approvals and ERC-721/1155 setApprovalForAll phishing
On-chain approval phishing remains a core drainer technique within the hundreds of millions stolen annually (Scam Sniffer attributed $295M in 2023 and $494M in 2024 to wallet drainers), abusing the standard ERC-20 approve and ERC-721/1155 setApprovalForAll authorization model. A malicious dApp prompts the victim to send a real on-chain transaction calling approve(spender, type(uint256).max) for a token, or setApprovalForAll(operator, true) (selector 0xa22cb465) for an NFT collection, designating the attacker contract as spender or operator. Wallets historically rendered these as a generic approve with no amount or as an unreadable contract interaction, so the victim confirms a high-value, broad authorization without understanding its scope. Once the allowance or operator flag is set, the attacker's contract calls transferFrom or safeTransferFrom at any later time to drain every token or NFT covered, with no further victim interaction. The approval persists indefinitely until revoked, so victims who signed months earlier remain exploitable.
- CRITICAL · Web3 · exploited · WEB3-LEDGER-CONNECT-KIT-2023 · Web3 · Ethereum · Ledger Connect Kit
On December 14, 2023 a former Ledger employee was phished, giving the attacker access to their npmjs account, whose access had not been revoked at offboarding. The attacker published malicious versions (1.1.5, 1.1.6, 1.1.7) of the @ledgerhq/connect-kit npm package in which the library's normal export was replaced with a malicious Drainer class. Because thousands of dApps load Connect Kit dynamically via a CDN script tag rather than a pinned local bundle, the poisoned package was served automatically to every visitor, injecting a fake WalletConnect modal that prompted users to sign asset-draining transactions; the drainer logic was the off-the-shelf Angel Drainer service. Affected front ends included SushiSwap, Zapper and Revoke.cash. The malicious package was live for roughly five hours (active draining under two hours) and Ledger deployed a clean version 1.1.8 about 40 minutes after notification, with around $600K stolen.
- CRITICAL · Web3 · exploited · WEB3-DRAINER-2024 · Web3 · Wallets · Wallet drainer-as-a-service kits
Drainer-as-a-service kits (Inferno, Pink, Angel) industrialized crypto phishing, stealing roughly $295M from over 324,000 victims in 2023 and $494M from 332,000 victims in 2024 per Scam Sniffer; Inferno alone took nearly $88M from 137,000 victims before its November 2023 shutdown, with operators keeping a 20% cut of every theft and handing affiliates ready-made phishing scripts spoofing 100+ brands. The kit serves a malicious dApp front-end that injects a JavaScript drainer; it enumerates the connected wallet's most valuable tokens and NFTs, then sequences signature prompts whose intent the wallet cannot meaningfully render: an EIP-2612/Permit2 permit, an unlimited ERC-20 approve, or setApprovalForAll. Because the wallet shows an opaque EIP-712 hash or a generic approval, the victim clicks sign or confirm; the drainer relays the resulting signature or on-chain approval and immediately calls transferFrom or safeTransferFrom from a backend to sweep assets to attacker wallets, splitting proceeds with the kit operator. The affiliate model means thousands of low-skill actors run identical, optimized drainer logic at scale.
- CRITICAL · Web3 · exploited · WEB3-KYBERSWAP-2023 · Web3 · Ethereum · KyberSwap Elastic
On November 23, 2023 KyberSwap Elastic was exploited across six chains for over $48M (>$20M Arbitrum, $15M Optimism, $7.5M Ethereum, $3M Polygon, $2M Base, ~$23K Avalanche). The root cause was a rounding-direction bug in the concentrated-liquidity math: estimateIncrementalLiquidity should have rounded delta liquidity up so the final price rounded down, but it used mulDivFloor and rounded delta liquidity down, pushing the computed sqrt price slightly past a tick boundary without legitimately crossing it. Using Aave flash loans, the attacker first swapped to park the price in a liquidity-empty region, calibrated a tight position, then performed extremely precise swaps so the price landed exactly on a tick's sqrt price. This forced _updateLiquidityAndCrossTick to register a crossing in computeSwapStep twice, double-counting the tick's liquidity on the reverse swap and paying out far more output than backed, draining the pools. The attacker later opened negotiations; most funds were not promptly recovered.
- CRITICAL · Web3 · WEB3-POLONIEX-2023 · Web3 · CEX · Poloniex
On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.
- HIGH · Web3 · WEB3-ONYX-2023 · Web3 · Ethereum · Onyx Protocol (Compound v2 fork)
On November 1, 2023 Onyx Protocol, a Compound v2 lending fork on Ethereum, lost about $2.1 million, and the same unfixed bug class was exploited again in September 2024 for about $3.8 million. A newly added, unfunded oPEPE market was left with zero supply because the protocol skipped the standard practice of minting and burning initial cTokens. The attacker used an Aave/Balancer flash loan to mint a tiny amount of oPEPE in the empty market, then donated PEPE directly into the contract to inflate the cToken exchange rate, exploiting the rounding in exchangeRate at low totalSupply. With the artificially over-valued oPEPE counted as collateral, the attacker borrowed other assets and, on redemption, the truncation let them withdraw more value than they supplied, draining the protocol. The September 2024 repeat applied the same empty-market exchange-rate manipulation to a fresh VUSD/oETH market plus an NFTLiquidation input-validation flaw.
- CRITICAL · Web3 · WEB3-MIXIN-NETWORK-2023 · Web3 · Ethereum · Mixin Network
On September 23, 2023, Mixin Network lost about $200M (roughly $95M ETH, $24M BTC and $24M USDT among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in a recoverable manner. With the database compromised, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to break traceability. The weak link was the upstream cloud database acting as a single point of failure with recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin itself (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.
- CRITICAL · Web3 · WEB3-COINEX-2023 · Web3 · CEX · CoinEx
On September 12, 2023, exchange CoinEx lost an estimated $54 to $70 million after attackers compromised its hot-wallet private keys, exploiting lax single-key hot-wallet security. CoinEx's own assessment preliminarily identified leakage of the hot-wallet private key as the cause; wallets controlled by a single key are especially exposed to phishing and malware, the favored access vectors of the attributed actor, and once the key leaked the attacker swept assets directly. The theft was attributed to North Korea's Lazarus Group: one of the CoinEx attacker addresses was reused from the Stake.com hack (FBI-confirmed Lazarus) and funds were bridged via infrastructure previously used by Lazarus, with the linkage confirmed by Elliptic, CertiK, SlowMist, ZachXBT and overlapping addresses tying CoinEx, Stake.com and Alphapo together. CoinEx absorbed the loss and fully reimbursed affected users without diluting its CET token, restoring full operations over the following months.
- CRITICAL · Web3 · WEB3-STAKE-COM-2023 · Web3 · CEX · Stake.com
On or about September 4, 2023, crypto gambling platform Stake.com lost about $41 million across Ethereum, BNB Chain and Polygon after attackers gained the ability to make unauthorized transactions from its hot wallets. The exact mechanism is disputed: co-founder Edward Craven stated private keys were not compromised and blamed a sophisticated breach of the platform's transaction-authorization service, whereas multiple security researchers (Cyvers, others) assessed a hot-wallet private-key leakage as the most plausible explanation given the clean, MEV-free on-chain sweep. Either way, the weakness was operational rather than a smart-contract flaw: signing authority over internet-connected hot wallets was reachable by the attacker. On September 6, 2023 the FBI officially attributed the theft to North Korea's Lazarus Group (APT38), tracking the stolen funds as they moved into various virtual-currency addresses; Elliptic observed commingling with Atomic Wallet proceeds. The funds were laundered and not recovered.
- HIGH · Web3 · exploited · WEB3-ERC4626-INFLATION-2023 · Web3 · Ethereum · ERC-4626 tokenized vault (share-inflation bug class)
Disclosed publicly by OpenZeppelin on August 15, 2023 and leading the ERC-4626 audit checklists from Trail of Bits and Spearbit, this is the canonical tokenized-vault accounting bug, with real losses such as roughly $200K on early unprotected vaults. The attacker becomes the first depositor into an empty vault and mints 1 share for 1 wei of the underlying. The attacker then transfers (donates) a large amount of the underlying directly to the vault contract, bypassing the mint logic, so totalAssets rises while totalSupply stays at 1. A subsequent depositor's share count, computed as assets * totalSupply / totalAssets, rounds down to zero because their deposit is smaller than the inflated price-per-share. The attacker, still holding the only share, then redeems the entire balance including the victim's captured deposit. The root cause is integer division truncation in share pricing at low totalSupply combined with assets being increased by raw transfers.
- CRITICAL · Web3 · exploited · WEB3-CURVE-VYPER-2023 · Web3 · Ethereum · Curve Finance (Vyper)
On July 30, 2023 several Curve Finance native-ETH stable pools were exploited via a compiler/toolchain supply-chain bug in specific Vyper versions (0.2.15, 0.2.16, 0.3.0). The compiler's storage-slot allocator assigned every @nonreentrant(key) decorator its own unique storage slot instead of reusing one shared slot per key, so functions meant to share a single reentrancy lock each got an independent, separately-set lock. This left the guard effective against single-function reentrancy but defeated cross-function reentrancy, letting an attacker re-enter a different guarded function via the native-ETH transfer callback while balances were mid-update. WETH-paired pools were unaffected; the exploited native-ETH pools included CRV/ETH, pETH/ETH, msETH/ETH and alETH/ETH, impacting Alchemix, JPEG'd and Metronome. Gross losses were around $61M; white-hat actors and MEV bots such as c0ffeebabe.eth returned a significant portion, reducing net losses to roughly $52M.
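The share-pricing truncation described in the ERC-4626 share-inflation entry above can be checked with plain integer arithmetic. The model below is an added example, not code from the feed or from any real vault: it runs the entry's sequence once against naive pricing and once against pricing with virtual shares and assets, the approach OpenZeppelin's ERC4626 implementation takes. The class, the `min_shares` guard and all amounts are constructed for illustration.

```python
class Vault:
    """Toy model of ERC-4626 share accounting (constructed for illustration)."""

    def __init__(self, decimals_offset=None):
        # None  -> naive pricing: assets * totalSupply / totalAssets
        # int n -> virtual shares (10**n) and 1 virtual asset added to the ratio
        self.offset = decimals_offset
        self.total_assets = 0   # underlying balance held by the vault
        self.total_supply = 0   # shares outstanding
        self.shares = {}

    def _ratio(self):
        vs, va = (0, 0) if self.offset is None else (10 ** self.offset, 1)
        return self.total_supply + vs, self.total_assets + va

    def convert_to_shares(self, assets):
        supply, held = self._ratio()
        # Floor division mirrors Solidity integer truncation.
        return assets if supply == 0 else assets * supply // held

    def convert_to_assets(self, shares):
        supply, held = self._ratio()
        return shares if supply == 0 else shares * held // supply

    def deposit(self, who, assets, min_shares=0):
        minted = self.convert_to_shares(assets)
        if minted < min_shares:  # hypothetical caller-side slippage guard
            raise ValueError(f"deposit would mint only {minted} shares")
        self.total_assets += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets):
        # Raw token transfer: balance rises, no shares are minted.
        self.total_assets += assets

    def redeem_all(self, who):
        burned = self.shares.pop(who, 0)
        out = self.convert_to_assets(burned)
        self.total_assets -= out
        self.total_supply -= burned
        return out


def scenario(vault, donation=10_000, later_deposit=5_000):
    """First deposit of 1 wei, direct donation, then a second depositor."""
    vault.deposit("first", 1)
    vault.donate(donation)
    later_shares = vault.deposit("later", later_deposit)
    return later_shares, vault.redeem_all("first"), vault.redeem_all("later")
```

With naive pricing the later depositor receives 0 shares and the first depositor redeems the whole balance; with an offset of 3 the later depositor recovers all but rounding dust and the donation becomes a net loss for the party that made it.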