Summary # On August 13, 2023, Zunami Protocol, a prominent DeFi platform on Ethereum, was compromised through a sophisticated flash loan attack, resulting in a significant loss of 1,178 ETH, approximately valued at $2.16 million. Central to this exploit was a vulnerability within the platform’s contract that allowed for the manipulation of the UZD token’s balance. By leveraging a flash loan the attacker was able to artificially inflate the value of the UZD token.
...
Summary # Steadefi, a yield farming platform on Arbitrum and Avalanche, reported a loss of $1.14 million due to a compromised deployer address. The exploit allowed the attacker to assume control over the platform’s vault contracts, leading to the unauthorized borrowing of all available funds. The total value locked (TVL) in Steadefi dropped from over $2 million to almost $0 as a result. The funds were converted to approximately 625 ETH and landed in Tornado Cash.
...
Summary # On July 11, 2023, Rodeo Finance on Arbitrum was breached, losing around 472 ETH ($888,000) due to an attacker exploiting the TWAP Oracle. By manipulating the oracle’s price calculation, through a “sandwich” attack, they inflated asset prices. This allowed them to mislead the protocol, borrow against the inflated prices from the USDC Pool, and conduct swaps to profit from the manipulated price discrepancies, effectively bypassing Rodeo’s security checks.
...
Summary # On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million.
Attackers # The attackers are unidentified, but their wallet addresses and contracts are known:
...
Summary # On February 9, 2023, dForce, a DeFi protocol, fell victim to a reentrancy attack. The attacker exploited a known vulnerability in the smart contract, resulting in a loss of approximately $3.6 million.
Attackers # The identity of the attacker is unknown. The attackers utilized the following addresses:
Arbitrum:
0xe0d551017c0111ac11108641771897aa33b2817c Optimism:
0xe0d551017c0111ac11108641771897aa33b2817c Losses # ~$3.65 million total
Arbitrum:
1,236.65 ETH (~1,893,000 USD) 719,437 USX Optimism:
1,037,492 USDC source
...
Summary # On April 17, 2022, Beanstalk Farms, an Ethereum-based DeFi protocol that enables users to earn yield on their cryptocurrency deposits, fell victim to a flash loan attack. This attack resulted in a staggering loss of $182 million, including around $77 million in assets taken from liquidity pools unrelated to Beanstalk. The attacker managed to profit from the exploit, absconding with 24,840 ETH, equivalent to roughly $80 million. The remaining $106 million was returned via a flash loan to Aave, the lending platform.
...
Summary # On May 19, 2021 PancakeBunny, a yield farming aggregator built on Binance Smart Chain, suffered a flash loan attack.
Exploit was possible because of how the protocol uses PancakeSwap AMM for its asset price calculation. In bugs like this, flashloans are the go-to way to manipulate the price of AMM pools which affects the price oracle
– Adrian Hetman Source
The hacker exploited a vulnerability related to reward minting to mint 6,972,455 BUNNY tokens, after which the flash loan was paid back, dumping the huge number of newly minted BUNNY in the market caused the token’s price to plummet, the attacker ran off with 114k BNB and 697k BUNNY.
...
Summary # On February 13, 2021, Alpha Finance, a DeFi project, suffered a hack that resulted in a $37.5 million loss. The attacker exploited a rounding error in the repayment process, accumulating a substantial amount of cySUSD. They used this to obtain loans in different assets and distributed the stolen Ether. Iron Bank responded by modifying the smart contract configuration, freezing funds and preventing lenders on Alpha Homora from withdrawing their liquidity.
...