Smart Contract Exploit

The WOOFi suffered a flash loan exploit on Arbitrum

Summary # On March 5th, WOOFi Swaps’ sPMM algorithm was exploited on the Arbitrum network. The attacker used a sequence of flash loans to manipulate the price of the WOO token due to low liquidity. The¬†exploit occurred due to a combination of the sPMM algorithm vulnerability, incorrect price adjustment, and a failure in the fallback check mechanism. The attacker was able to use flash loans to manipulate the price of WOO and drain funds from the affected pool. ...

Miner ERC-X avatar collection Suffers $466,000 Loss

Summary # On February 14, 2024, the Miner ERC-X avatar collection experienced a critical security breach on the Ethereum Mainnet, resulting in the unauthorized withdrawal of 168.8 ETH, equivalent to approximately $466,000. The root cause of this breach was a smart contract vulnerability stemming from insufficient input validation, specifically, a double-transfer flaw. This issue enabled an attacker to exploit the contract’s transfer function, effectively duplicating their token balance by executing self-transfers, which were not properly restricted by the contract’s logic. ...

Abracadabra Money Suffers $6.5 Million Loss Due to Smart Contract Exploit

Summary # Abracadabra Money, a prominent leverage and lending platform in the DeFi space, was exploited on January 30, 2024, due to a smart contract vulnerability on the Ethereum Mainnet. This exploit led to the unauthorized borrowing and subsequent theft of assets, totaling over $6.5 million, including 1800 ETH and 2.2 million MIM tokens. The attacker exploited the contract’s inability to accurately track the real amount of debt due to rounding errors. ...

Radiant Capitale Suffers $4.6 Million Loss

Summary # On January 2, 2024, Radiant Capital on the Arbitrum Chain suffered a $4.6 million loss from a sophisticated exploit, involving 1902 ETH, due to a smart contract vulnerability. The attack was orchestrated by utilizing flash loans to inflate the USDC reserve liquidity index on the platform artificially. This enabled the attacker to borrow excessive WETH against the artificially high collateral value. The situation was exacerbated by a rounding error within the contract’s calculations, allowing the attacker to manipulate deposit and withdrawal transactions cleverly. ...

Pine Protocol Suffers $92,000 Security Breach

Summary # Pine Protocol, a decentralized, non-custodial asset-backed lending platform, suffered a security breach on December 21, 2023, due to a vulnerability in its smart contract on the Ethereum Mainnet. This exploit resulted in a loss of approximately 40 ETH ($92,000), exploiting the protocol across multiple transactions. The attack was facilitated by a flaw related to shared pools between two different contracts within the platform. Attackers # The identity of the attacker is unknown. ...

KyberSwap Loses $49,000,000 During Cyberattack

Summary # On November 22, 2023, KyberSwap, a decentralized finance platform, experienced a sophisticated exploit resulting in a loss of approximately $49,000,000. The attack involved manipulating the platform’s smart contract through complex transactions. The attacker used flash loans to manipulate token prices, which enabled them to exploit a numerical anomaly in the smart contract. This allowed the attacker to double-count liquidity and withdraw substantial funds. Despite KyberSwap having failsafe mechanisms, the attacker skillfully avoided triggering these protections. ...

Raft Protocol loses $6,700,000 in Smart Contract Exploit

Summary # On November 10, 2023, Raft Protocol experienced an exploit resulting in a loss of about 1,575 cbETH. The exploiter employed a sophisticated multistep attack strategy focusing on a smart contract’s precision calculation vulnerability. Initially, the attacker obtained cbETH through a flash loan before donating and liquidating the cbETH to the Interest Rate Position Manager. This maneuver manipulated the collateral token’s index rate, allowing the exploiter to systematically increase their position in small increments, exploiting a rounding issue in the mint function. ...

Astrid Finance Suffers $228,000 Loss in Smart Contract Exploit

Summary # Astrid Finance, an Ethereum-based liquid restaking pool powered by the Eigen Layer, suffered a significant exploit on October 28, 2023, leading to a loss of $228,000. The exploit was executed through a smart contract vulnerability linked to insufficient input validation, specifically within the withdraw function of the protocol. This flaw enabled the attacker to manipulate transaction parameters, allowing the creation and utilization of fake tokens to illegitimately withdraw funds. ...

Exactly Protocol Bridge Suffers $7.6 Million Security Breach

Summary # Exactly Protocol on Optimism faced a critical security breach on August 18, resulting in a loss of around $7.6 million. The attackers exploited a vulnerability by manipulating market address inputs, allowing them to bypass key security checks within the protocol. This manipulation granted them unauthorized access to execute a deposit function maliciously, leading to the theft of a substantial amount of USDC from users. Attackers # The identity of the hackers who attacked Multichain is unknown. ...

Zunami Protocol lost $2.16 million in a flash loan attack.

Summary # On August 13, 2023, Zunami Protocol, a prominent DeFi platform on Ethereum, was compromised through a sophisticated flash loan attack, resulting in a significant loss of 1,178 ETH, approximately valued at $2.16 million. Central to this exploit was a vulnerability within the platform’s contract that allowed for the manipulation of the UZD token’s balance. By leveraging a flash loan the attacker was able to artificially inflate the value of the UZD token. ...