DefiHack Examples

Access Control

Arbitrary External Call Vulnerability

Business logic flaw

Input Validation

Price Manipulation

Reentrancy

Reflection token

Access Control

LeetSwap | 20230801 | $630K | [BlockSecTeam, peckshield] | Transaction | POC | _
ARA | 20230618 | $125K | [BeosinAlert, Phalcon_xyz] | Transaction | POC | _
DEPUSDT_LEVUSDC | 20230615 | $105k | [numencyber, Phalcon_xyz, BeosinAlert] | [Tx1 , Tx2] | POC | _
Local Trade LCT | 20230524 | $~384 BNB | [numencyber] | [Tx1, Tx2, Tx3, Tx4] | [POC, POC2 | _
landNFT | 20230514 | $149.6K | [BeosinAlert] | Transaction | POC | nft mint
Melo | 20230506 | $90K | [peckshield] | Transaction | POC | public mint
LaunchZone | 20230227 | ~$320,000 | [Immunefi, LaunchZone] | Transaction | POC | _
swapX | 20230227 | ~$1M | [BlockSecTeam, peckshield, CertiKAlert] | Transaction | POC | _
ULME | 20221026 | ~$200k (resulted in ~$50k profit) | [BlockSecTeam, BeosinAlert] | Transaction | POC | _
HPAY | 20221018 | 115 BNB | [Supremacy_CA] | Transaction | POC | _
Uerii Token | 20221017 | $2.4k | [PeckShield] | Transaction | POC | _
Templedao | 20221011 | $2.3 million | [BlockSecTeam] | Transaction | POC | _
Ragnarok Online Invasion | 20220908 | $44,000 | [BlockSecTeam, CertiKAlert] | Transaction | POC | _
FlippazOne NFT | 20220706 | ownerWithdrawAll | [bertcmiller] | Transaction | POC | _
GYMNetwork | 20220608 | $2.1 million | [peckshield, 1nf0s3cpt, jinse] | Transaction | POC | _
Sandbox LAND | 20220208 | - | [SlowMist] | [Transaction] ｜POC | _
DAO Maker | 20210903 | $4M | [Twitter] | [Transaction] ｜POC | _
88mph | 20210607 | $6.5M | [Medium] | [Address] ｜POC | _

Arbitrary External Call Vulnerability

MIMSpell | 20230620 | ~$17k | [hexagate_] | Transaction | POC | _
RevertFinance | 20230218 | ~$30k | [Mirror.xyz] | Transaction | POC | _
Dexible | 20230217 | ~$1.5M | [peckshield, MevRefund] | Transaction | POC | _
CowSwap | 20230207 | ~$120k | [MevRefund, peckshield] | Transaction | POC | _
Rubic | 20221225 | $1.5M | [BlockSecTeam, peckshield] | Transaction | POC | _
MulticallWithoutCheck | 20221024 | $600 | | Transaction | POC | _
BrahTOPG | 20221109 | $89k | SlowMist_Team | POC | _
Rabby_io | 20221011 | ~200,000 US$ | [Supremacy_CA, SlowMist_Team, BeosinAlert] | Transaction | POC | _
MEV_0ad8 | 20221108 | $282k | Supremacy_CA | Transaction | POC | _

Business Logic Flaw

ShidoGlobal | 20230623 | $997BNB | [Phalcon_xyz, AnciliaInc] | Transaction | [POC, POC2] | different-price-between-two-pools
LFI Token | 20230523 | $36K | [AnciliaInc] | Transaction | POC | _
Bitpaidio | 20230513 | $30K | [BlockSecTeam] | Transaction | POC | _
SellToken | 20230511 | $95k | [AnciliaInc, AnciliaInc2] | Transaction | POC | _
SNK | 20230510 | $197k | [Phalcon_xyz] | Transaction | POC | _
Axioma | 20230424 | $21BNB | [HypernativeLabs] | Transaction | POC | _
DBW | 20230325 | $24k | [BeosinAlert, AnciliaInc] | Transaction | POC | _
EulerFinance | 20230313 | ~$200M | [Frank Researcher, nomorebear, PeckShield, BlockSecTeam] | Transaction | POC | _
DYNA | 20230222 | ~$21k | [BlockSecTeam, BeosinAlert] | Transaction 1, Transaction 2 | POC | _
Starlink | 20230217 | ~$12k | [NumenAlert, bbbb] | Transaction | POC | _
Platypusdefi | 20230217 | ~$8.5M | [peckshield, spreekaway] | Transaction | POC | _
QTNToken | 20230118 | ~2ETH | [BlockSecTeam] | Transaction 1, Transaction 2 | POC | _
ThoreumFinance | 20230119 | ~2000 BNB | [AnciliaInc] | Transaction | POC | _
UPSToken | 20230118 | ~22 ETH | [QuillAudits] | Transaction | POC | _
BRA | 20230110 | 819 BNB (~224k$) | [CertiKAlert, BlockSecTeam] | Transaction 1, Transaction 2 | POC | _
GDS | 20230103 | $180k | [peckshield, BlockSecTeam] | Transaction 1, Transaction 2 | POC | Business Logic Flaw
ElasticSwap | 20221213 | $845k | QuillAudits | Transaction | POC | Business Logic Flaw
SEAMAN | 20221129 | $7k | PeckShield | Transaction | POC | Business Logic Flaw
sDAO | 20221121 | $13k | 8olidity | Transaction | POC | Business Logic Flaw
BDEX | 20221105 | 16WBNB | [BeosinAlert] | Transaction | POC | _
Bad Guys by RPF | 20220902 | 400 NFTs | [RugDoctorApe] | Transaction | POC | Missing Check For Number of NFT to Mint

Input Validation

GYMNET | 20230731 | ~unclear | [AnciliaInc] | [Transaction] | POC | fake-token
BabyDogeCoin | 20230529 | ~135k | [Phalcon_xyz] | [Transaction] | POC | _
SellToken | 20230514 | ~unknow | [BlockSecTeam] | [Transaction, Transaction2] | POC | _
SushiSwap | 20230409 | >$3.3M | [peckshield, SlowMist_Team, AnciliaInc] | Transaction | POC | V3Callback
OmniEstate | 20230117 | $70k(236 BNB) | [BlockSecTeam] | Transaction 1, Transaction 2 | POC | _
Phoenix | 20230307 | ~$100k | [HypernativeLabs] | Transaction | POC | fake-token
SheepFarm | 20221116 | ~1BNB | AnciliaInc | Transaction | POC | _
OlympusDAO | 20221021 | ~$292K (30500 OHM) | [PeckShield] | Transaction | POC | _
BabySwap | 20221001 | - | [BlockSecTeam] | Transaction | POC | fake-router

Price Manipulation

Uwerx | 20230802 | $174ETH | [deeberiroz] | Transaction | POC | _
Neutrafinance | 20230801 | $23ETH | [phalcon_xyz] | Transaction | POC | _
Themis | 20230628 | $370k | [BeosinAlert, BlockSecTeam] | Transaction | POC | _
CFC | 20230615 | $16k | [Phalcon_xyz, hexagate_, HypernativeLabs] | Transaction | POC | skim
UN | 20230606 | $26k | [MetaTrustAlert] | Transaction | POC | skim
ERC20TokenBank | 20230531 | $111K | [BlockSecTeam] | Transaction | POC | _
Jimbo | 20230529 | $8M | [cryptofishx, yicunhui2] | [Tx, Tx2, Tx3, Tx4] | POC | Protocol-specific price manipulation
LW | 20230512 | $50K | [PeckShieldAlert, hexagate_] | Transaction | POC | FlashLoan
Allbridge | 20230402 | $550k | [peckshield, BeosinAlert] | Transaction | POC1, POC2 | _
DKP | 20230308 | ~$80K | [CertiKAlert] | Transaction 1, Transaction 2 | POC | _
RoeFinance | 20230112 | $80k | [BlockSecTeam] | Transaction | POC | _
Nmbplatform | 20221214 | $76k | [BlockSecTeam] | Transaction | POC | _
BGLD (Deflationary token) | 20221212 | $18k | [BlockSecTeam] | Transaction | POC | _
Lodestar | 20221211 | $4M | SolidityFinance, Lodestar | Transaction | POC | _
MU&MUG | 20221210 | $57k | BeosinAlert | Transaction | POC | _
TIFIToken | 20221210 | 87 WBNB | PeckShield | Transaction | POC | _
AES (Deflationary token) | 20221207 | $60k | BlockSecTeam, PeckShield | Transaction | POC | _
BBOX | 20221205 | $12k | AnciliaInc | Transaction | POC | _
APC | 20221201 | $6k | BlockSecTeam | Transaction | POC | _
INUKO | 20221014 | $50k | [AnciliaInc] | Transactions | POC | _
ATK | 20221012 | $127k | [BlockSecTeam] | Transaction | POC | _
ZoomproFinance | 20220905 | $61,160 | [blocksecteam] | Transaction | POC | _
ShadowFi | 20220902 | 1,078 BNB | [PeckShieldAlert] | Transaction | POC | _
EGD Finance | 20220807 | 36,044 USDT | [BlockSecTeam, PeckShieldAlert] | Transaction | POC | _

Reentrancy

EarningFram | 20230809 | $154ETH | [BeosinAlert, Phalcon_xyz] | Transaction | POC | ERC4626
Curve | 20230730 | $41M | [LlamaRisk] | Transaction | POC | JPEG
Paribus | 20230411 | $100k | [Phalcon_xyz, BlockSecTeam, peckshield] | Transaction | POC | CompoundV2
Sentiment | 20230405 | $1M | [peckshield, spreekaway, Coinmonks] | Transaction | POC | Read-Only
dForce | 20230210 | ~$3.65M | [SlowMist_Team, BlockSecTeam, peckshield] | Transaction | POC | read-only
Orion Protocol | 20230203 | $3M | [peckshield, BlockSecTeam, Numen Cyber] | Transaction ETH, Transaction BSC | POC | _
MidasCapital | 20230116 | $650k | [peckshield, BlockSecTeam] | Transaction | POC | read-only
JAY | 20221229 | $15.32 ETH | [BlockSecTeam] | Transaction | POC | _
Defrost | 20221223 | $170k | [PeckShieldAlert] | Transaction | POC | _
DFXFinance | 20221110 | $4M | BlockSecTeam | Transaction | POC | _
N00d Token | 20221026 | $29k | [BlockSecTeam, AnciliaInc] | Transaction | POC | _
Market | 20221024 | $220k | [QuillAudits] | Transaction | POC | read-only
Thunder Brawl | 20221001 | - | [PeckShield] | Transaction | POC | _
Omni NFT | 20220710 | $1.4M | [SlowMist_Team] | Transaction | POC | _
Rari Capital/Fei Protocol | 20220430 | $80 million | [certik, peckshield] | Transaction | POC | Flashloan Attack
Revest Finance | 20220327 | $11.2 million | [BlockSecTeam] | [Transaction] ｜POC | _
Hundred Finance | 20220313 | $1.7 million | [Immunefi] | [Transaction] ｜POC | ERC667
Paraluni | 20220313 | $1.7 million | [Halborn] [PeckShield] | [Transaction] ｜POC | _
Bacon Protocol | 20220305 | $1 million | [PeckShield] | [Transaction1] [Transaction2] ｜POC | _
Visor Finance | 20211221 | $8.2 million | [BEOSIN] | [Transaction] ｜POC | _
Cream Finance | 20210830 | $18M | [Twitter] | [Transaction] ｜POC | _
XSURGE | 20210817 | $5M | [Medium] | [Transaction] ｜POC | _
RariCapital | 20210509 | $10M | [Rekt] | [Transaction] ｜POC | Cross Contract
Value Defi | 20210508 | $11M | [Rekt] | [Transaction] ｜POC | Cross Contract

Reflection token

BUNN | 20230621 | $52BNB | [DecurityHQ] | Transaction | POC | _
OLIFE | 20230419 | $32BNB | [BeosinAlert] | Transaction | POC | _
BIGFI | 20230322 | $30k | [HypernativeLabs] | Transaction | POC | _
Sheep | 20230210 | ~$3K | [BlockSecTeam, BlockSecTeam] | Transaction | POC | _
FDP | 20230207 | ~16 WBNB | [BeosinAlert] | Transaction | POC | _
TINU | 20230126 | 22 ETH | [libevm] | Transaction | POC | _

K-value error

Swapos V2 | 20230416 | $468k | [CertiK, Beosin] | Transaction | POC | _

ExchangeRate Manipulation & ERC4626 Inflation Attack

HundredFinance | 20230415 | $7M | [PeckShield, DanielVF, Hexagate] | Transaction | POC | ERC4626

Misconfiguration

CS Token | 20230524 | $714K | [BlockSecTeam, numencyber] | Transaction | POC | Outdated global variable
yearnFinance | 20230413 | $11.6M | [cmichelio, Beosin] | Transaction | POC | _

Unrestricted Approval

MetaPoint | 20230412 | $820k(2500BNB) | [PeckShieldAlert, Phalcon_xyz] | Transaction | POC | _

public burn

SafeMoon | 20230328 | $8.9M | [BlockSecTeam, zokyo_io] | Transaction | POC | frontruned

Yield Protocol Flaw

Thena | 20230328 | $10k | [LTV888] | Transaction | POC | _

Flashloan + scaledBalanceOf Manipulation

ParaSpace NFT | 20230317 | Rescued: ~2,909 ETH | [BlockSecTeam] | Transaction | POC, POC 2 | _

Integer overflow

Poolz | 20230315 | ~$390K | [PeckShield] | Transaction | POC | _

Storage Collision

EFVault | 20230224 | ~$5.1M | [peckshield, drdr_zz, gbaleeeee] | Transaction | POC | _

Balance Recalculation Bug

Spherax USDs | 20230203 | ~309k USDs (Stablecoin) | [danielvf, Medium] | Transaction | POC | _

Price Oracle Manipulation

BonqDAO | 20230202 | ~88M US$ | [BlockSecTeam, SlowMist_Team] | Transaction 1, Transaction 2 | POC | _

Flashloan Price Oracle Manipulation

NXUSD | 20220906 | $50,000 | [Medium] | Transaction | POC | _
PancakeBunny | 20210519 | $45M | [Rekt] | [Transaction] ｜POC | _

Incorrect Parameter Setting

UFDao | 20230112 | $90k | [BlockSecTeam] | Transaction | POC | Incorrect Parameter Setting

Insufficient Validation + FlashLoan

DFS | 20221230 | $1450 | [CertiKAlert] | Transaction | POC | Insufficient Validation + FlashLoan

Malicious Unlimted Minting

NOVAToken | 20221209 | 330 $BNB | BeosinAlert | Transaction | POC | Rugged

Predicting Random Numbers

RFB | 20221205 | 12 BNB | BlockSecTeam | Transaction | POC | _

FlashLoan Attack

OverNight | 20221202 | $170k | PeckShield | Transaction | POC | _
UEarnPool | 20221117 | $24k | CertiKAlert | Transaction | POC | _
NewFreeDAO | 20220908 | $1,000,000 | [SlowMist_Team] | Transaction | POC | _
DODO | 20210308 | $700K | [Postmortem] | [Transaction] ｜POC | _

Business Logic Flaw & Access Control

MBC | 20221129 | $5.6k | AnciliaInc | Address | POC | _

Protocol Token Incompatible

NUM | 20221123 | $13k | BlockSecTeam | Transaction | POC | _

Lack of Permission Check

AUR | 20221122 | $13k | AnciliaInc | Transaction | POC | _

Verify FlashLoan Callback

AnnexFinance | 20221119 | $3k | AnciliaInc | Transaction | POC | _
EFLeverVault | 20221014 | 750 ETH | [Supremacy_CA, MevRefund, danielvf] | Transaction | POC | _

Price-caching Design Defect

Kashi | 20221108 | $110k | BlockSecTeam | Transaction | POC | _

Incorrect Reward Calculation

VTF Token | 20221027 | $50k | [BlockSecTeam, peckshield, BeosinAlert] | Transaction 1, Transaction 2 | POC | Incorrect Reward Calculation

Liquidity Migration Exploit

Team Finance | 20221027 | Multiple Tokens ~$15.8M US$ | [TeamFinance_, peckshield, solid_group_1, BeosinAlert] | Transaction | POC | Liquidity Migration Exploit

Transfer Logic Flaw

HEALTH | 20221020 | 16 BNB | [BlockSecTeam] | Transaction | POC | Transfer Logic Flaw
PLTD | 20221018 | $24k | [BeosinAlert] | Transaction | POC | Transfer Logic Flaw

Incorrect signature verification

BEGO | 20221020 | 12 BNB | [AnciliaInc, peckshield] | Transaction | POC | Incorrect signature verification

MEVBOT a47b

MevRefund | 20221014 | $241k | [BlockSecTeam, AnciliaInc] | Transaction | POC | _

Public FunctionCall

Carrot | 20221010 | >$31k | [BlockSecTeam] | Transaction | POC | _

Malicious Proposal Mint & Transfer Ownership

XaveFinance | 20221009 | >$590w | [BeosinAlert] | Transaction | POC | _

Incorrect Owner Address Validation

TransitFinance | 20221002 | - | [TransitFinance, 1nf0s3cpt] | Transaction | POC | _

Incorrect Reward Calculation

RL Token | 20221001 | - | [CertiKAlert] | Transaction | POC | _
DPC | 20220910 | $103,755 | [BeosinAlert, LearnBlockchain] | Contract Address | POC | _

MEV-Badc0de

MEVBOT | 20220928 | $1,469,700 | [RektNews] | Transaction | POC | _

MevBot Private Tx

MevBot | 20220913 | $140 K | [BlockSecTeam, 1nf0s3cpt] | Transaction | POC | _

Pair Manipulation

RES-Token | 20221006 | - | [AnciliaInc] | Transaction | POC, POC2 | _
RADT-DAO | 20220923 | 94,304 USDT | BlockSecTeam | Transaction | POC | _
YYDS | 20220909 | $742,286.27 | [BlockSecTeam] | Transaction | POC | _

Predicting Random Numbers

LuckyTiger NFT | 20220824 | 50 NFTs | [1nf0s3cpt] | Transaction | POC | _

Incorrect Logic Check

XSTABLE Protocol | 20220810 | 27.13 WETH | [BlockSecTeam] | Transaction | POC | _

Skim token balance

GSS | 20230824 | ~25K | [bbbb] | Transaction | POC | _
ANCH | 20220809 | - | [AnciliaInc] | Contract | POC | _

Incorrect acceptable merkle-root checks

Nomad Bridge | 20220802 | Multiple ERC-20 Tokens (~152M US$) | [samczsun] | Transaction | POC | _

Lack of access control mechanism

Reaper Farm | 20220801 | Multiple ERC-20 Tokens (~1.7M US$) | [Reaper_Farm, BeosinAlert] | Transaction | POC | _

Incorrect recipient balance check, did not check sender!=recipient in transfer

LPC | 20220725 | 178 BNB (~45,715 US$) | [panewslab, BeosinAlert] | Transaction | POC | _

Storage Collision & Malicious Proposal

Audius | 20220723 | 704 ETH (~1.08M US$) | [AudiusProject, 1nf0s3cpt] | Contract | POC | _

Flashloans & Price Manipulation (FlashLoan price manipulation)

SpaceGodzilla | 20220713 | 25,378 BUSD | [BlockSecTeam] | Transaction | POC | _
Wault Finance | 20210804 | 390 ETH | [Medium] | [Transaction] ｜POC | _

Flashloan & Price Oracle Manipulation

BXH | 20220928 | $40,305 | [Jinse] | Transaction | POC | _
InverseFinance | 20220616 | 53.2445 WBTC and 99,976.29 USDT | [peckshield, SlowMist_Team, blocksecteam, certik] | Transaction | POC | _
Discover | 20220606 | 49 BNB | [BeosinAlert, anquanke] | Transaction | POC | _
OneRing Finance | 20220321 | $1.45 million | [OneRingFinance] | [Transaction] ｜POC | _
NOVO Protocol | 20220529 | 279 BNB | [panewslab, BscScan] | Transaction | POC | _
DEUS DAO | 20220428 | $13 million | [peckshield] | Transaction | POC | _
ElephantMoney | 20220412 | $11.2 million (27,416.46 BNB) | [ElephantMoney] [peckshield] [BlockSecTeam]| [Transaction] ｜POC | _

Signature replay

[MintoFinance | 20230723 | $9K | [bbbb]| [Transaction] ｜POC | _
Wintermute | 20220608 | 20 million Optimism (OP) tokens (returned 17 million) | [inspexco] | Transaction1, Transaction2 | POC | _

Skim token balance

HackDao | 20220524 | 279 BNB | [BlockSecTeam] | Transaction | POC | _

Flashloan

NFTX protocol ApeCoin (APE) | 20220517 | $1.1 million | [coincu] | Transaction | POC | _
Wiener DOGE | 20220424 | 78 BNB | [coinyuppie, solid_group] | Transaction | POC | _

Malicious Proposal & Price Oracle Manipulation

Fortress Loans | 20220508 | 1,048.1 ETH + 400,000 DAI (~$3.00M) | [BlockSecTeam, Certik] | Transaction | POC | _

Swap Metapool Attack

Saddle Finance | 20220430 | $10 million | [peckshield, medium, github] | Transaction1, Transaction2 | POC | _

Denial of Service

Akutar NFT | 20220423 | 34M USD | [blocksecteam, bscscan] | Contract | POC | _

Reward distribution flaw

Zeed Finance | 20220421 | $1 million | [cryptotimes, zeedcommunity] | Contract | POC | _

DAO + Flashloan

BeanstalkFarms | 20220416 | $182 million | [rekt, uno-re, peckshield] | Transaction 1, Transaction 2 | POC | _

Access control & Price Oracle Manipulation

Rikkei Finance | 20220415 | $1.1 million (2671 BNB) | [blockmagnates, knownseclab, rikkeifinance] | Transaction | POC | _

Creat Future

CreatFuture | 20220411 | $1.9 million | [BlockSecTeam] | [Transaction] ｜POC | _

Flashloan + token migrate flaw

GYMNetwork | 20220409 | 1,327 WBNB | [BlockSecTeam] [Beosin] | [Transaction] ｜POC | _

Ronin Network - Bridge

Ronin Network | 20220329 | $624 million | [Rekt News] | [Transaction 1] [Transaction 2] ｜POC | _

Custom Approval Logic

Redacted Cartel | 20220329 | - | [Immunefi] | [Contract Address] ｜POC | _

Auctus

Auctus | 20220326 | $726k | [AuctusOptions] | [Transaction] ｜POC | _

CompoundTUSD SweepTokenBypass

Compound Finance | 20220322 | - | [OpenZeppelin] | [Contract Address] ｜POC | _

Bridges

Li.Fi | 20220320 | $570K | [lifiprotocol] [Blog] | [Transaction] ｜POC | _

Underflow

Umbrella Network | 20220320 | $4.26 billion | [Umbrella Network] | [Transaction] ｜POC | _
Grim Finance | 20211218 | $30 million | [Cointelegraph] | [Transaction] ｜POC | _

Business logic in mint()

Fantasm Finance | 20220309 | $2.6 million | [Fantasm] [QuillHash] | [Transactions] ｜POC | _

Zero Fee

TreasureDAO | 20220303 | $1 million | [SlowMist] | [Transaction] ｜POC | _

DAO

BuildFinance | 20220214 | $470k | [CryptoTimes] | [Transaction] ｜POC | _

Bridge

Meter | 20220206 | $4.3 million | [ChainSafe Blog] | [Transaction] ｜POC | _

Bridge address(0).safeTransferFrom() does not revert

Qubit Finance | 20220128 | $80 million | [REKT] | [Transaction 1] [Transaction 2] ｜POC | _

Insufficient Token Validation

Multichain (Anyswap) | 20220118 | $1.4 million | [ZenGo] | [Transaction] ｜POC | _

Price Manipulation

SellToken | 20230513 | $197K | BlockSecTeam] | [Transaction] ｜POC | _
Never Fall | 20230503 | $74K | BeosinAlert, Phalcon_xyz] | [Transaction] ｜POC | _
MonoX Finance | 20211130 | $31 million | [SlowMist] | [Transaction] ｜POC | _
Cream Finance | 20211027 | $130M | [Immunefi] | [Transaction] ｜POC | _
Indexed Finance | 20211015 | $16M | [BlockSecTeam] | [Transaction] ｜POC | _

SushiSwap Miso

SushiSwap | 20210916 | All funds returned | [Paradigm] | [Transaction] ｜POC | _

Nimbus Platform

Nimbus Platform | 20210915 | 1.45 ETH | _ | [Transaction] ｜POC | Twitter

NowSwap Platform

NowSwap Platform | 20210915 | 158.28 WETH and 535,706 USDT | _ | [Transaction] ｜POC | Twitter

Deflationary token incompatible

ZABU Finance | 20210912 | 200 ETH | [Slowmist] | [Transaction] ｜POC | _

Bridge, getting around modifier through cross-chain message

Poly Network | 20210811 | $611M | [Rekt] | [Transaction] ｜POC | _

(I) Lost keys and minting (II) Vulnerable emergencyWithdraw

Levyathan Finance | 20210728 | $1.5M | [Medium] | [Transaction] ｜POC | _

Bridge, logic flaw

Chainswap | 20210710 | $4.4M | [Medium] | [Transaction] ｜POC | _
Chainswap | 20210702 | $.8M | [Medium] | [Transaction] ｜POC | _

Deflationary token uncompatible

SafeDollar | 20210628 | $.2M | [Twitter] | [Transaction] ｜POC | _

Doesn’t burn shares

Eleven Finance | 20210622 | $4.6M | [Medium] | [Transaction] ｜POC | _

Mathematical flaw + Reentrancy

BurgerSwap | 20210527 | $7.2M | [Tweet] | [Contract] ｜POC | _

Incorrect calculation

SNOOD | 20220618 | 104 ETH | [ethereum.stackexchange, ethtx.info] | Transaction | POC | _function spendAllowance
PancakeHunny | 20210603 | 216 BNB | [Medium] | [Transaction] ｜POC | _
Uranium | 20210428 | $50M | [Tweet] | [Transaction] ｜POC | _

Wrong balance check

FAPEN | 20230529 | $600 | [hexagate_] | Transaction | POC | _

Wrong visibility in function

NOON | 20230529 | $2K | [hexagate_] | Transaction | POC | _

Fee Machenism Exploitation

GPT Token | 20230525 | $42K | [Phalcon_xyz] | Transaction | POC | skim

wrong implemention

DEI | 20230505 | $5.4M | [eugenioclrc] | Transaction | POC | _

Lack Slippage Protection

BabyDogeCoin02 | 20230621 | $441BNB | [hexagate_] | Transaction | POC | _

notes:

In most cases, Flashloan are not the root cause of attacks; they are merely a lending method. If an attack cannot be executed without the step of a Flashloan, only then it can been classified as a Flashloan attack.

cryptothink629 / defihacks Goto Github PK

defihacks's Introduction

DefiHack Examples

Access Control

Arbitrary External Call Vulnerability

Business Logic Flaw

Input Validation

Price Manipulation

Reentrancy

Reflection token

K-value error

ExchangeRate Manipulation & ERC4626 Inflation Attack

Misconfiguration

Unrestricted Approval

public burn

Yield Protocol Flaw

Flashloan + scaledBalanceOf Manipulation

Integer overflow

Storage Collision

Balance Recalculation Bug

Price Oracle Manipulation

Flashloan Price Oracle Manipulation

Incorrect Parameter Setting

Insufficient Validation + FlashLoan

Malicious Unlimted Minting

Predicting Random Numbers

FlashLoan Attack

Business Logic Flaw & Access Control

Protocol Token Incompatible

Lack of Permission Check

Verify FlashLoan Callback

Price-caching Design Defect

Incorrect Reward Calculation

Liquidity Migration Exploit

Transfer Logic Flaw

Incorrect signature verification

MEVBOT a47b

Public FunctionCall

Malicious Proposal Mint & Transfer Ownership

Incorrect Owner Address Validation

Incorrect Reward Calculation

MEV-Badc0de

MevBot Private Tx

Pair Manipulation

Predicting Random Numbers

Incorrect Logic Check

Skim token balance

Incorrect acceptable merkle-root checks

Lack of access control mechanism

Incorrect recipient balance check, did not check sender!=recipient in transfer

Storage Collision & Malicious Proposal

Flashloans & Price Manipulation (FlashLoan price manipulation)

Optimism NFT Marketplace

Infinite Number of Loans

Private key compromised

Flashloan & Price Oracle Manipulation

Signature replay

Skim token balance

Flashloan

Malicious Proposal & Price Oracle Manipulation

Swap Metapool Attack

Denial of Service

Reward distribution flaw

DAO + Flashloan

Access control & Price Oracle Manipulation

Creat Future

Flashloan + token migrate flaw

Ronin Network - Bridge

Custom Approval Logic

Auctus

CompoundTUSD SweepTokenBypass

Bridges

Underflow

Business logic in mint()

Zero Fee

DAO

Bridge

Bridge address(0).safeTransferFrom() does not revert

Insufficient Token Validation

Price Manipulation