Summary # On April 15, 2023, at 2:12 pm UTC, Hundred Finance’s Optimism deployment fell victim to an exploit that drained the platform of all assets in hToken markets. The attacker utilized an integer rounding vulnerability within the hToken contract logic to redeem underlying tokens when a market was empty. The total loss amounted to roughly $6.8 million USD in various cryptocurrencies.
Attackers # The attackers remain unidentified.
Exploiter addresses:
...
Summary # On April 2, 2023, AllBridge, a multichain token bridge, fell victim to an exploit that resulted in approximately $573,000 worth of assets being drained from its BNB Chain pools. The attacker, acting as both a liquidity provider and a swapper, exploited a flaw in a smart contract that enabled them to manipulate swap prices. This led to the theft of $282,889 in Binance USD (BUSD) and $290,868 in Tether (USDT).
...
Summary # On March 13, 2023, a flash loan attack targeted Euler Finance, a noncustodial lending platform on the Ethereum blockchain. The attack led to a loss of roughly $196 million in various cryptocurrencies, including Dai, USD Coin, Staked Ether, and Wrapped Bitcoin. The attacker took advantage of a weakness in Euler’s smart contract, specifically in a feature called “donateToReserves.”
The attacker used multiple Ethereum addresses to exploit this weakness in the contract and took advantage of a problem in Euler’s system for liquidation.
...
Summary # On February 16, 2023, Platypus Finance, the project behind the USP stablecoin, fell victim to a flash loan attack. This resulted in an estimated loss of $8.5 million. The exploit led to a significant drop in the price of the $USP stablecoin, devaluing it by more than 66% from its intended $1 peg. The attack was carried out by minting an excessive number of USP tokens from the MasterPlatypusV4 contract and using an inflated amount of Platypus LP-USDC tokens as collateral.
...
Summary # On April 17, 2022, Beanstalk Farms, an Ethereum-based DeFi protocol that enables users to earn yield on their cryptocurrency deposits, fell victim to a flash loan attack. This attack resulted in a staggering loss of $182 million, including around $77 million in assets taken from liquidity pools unrelated to Beanstalk. The attacker managed to profit from the exploit, absconding with 24,840 ETH, equivalent to roughly $80 million. The remaining $106 million was returned via a flash loan to Aave, the lending platform.
...
Summary # On October 27, 2021, Cream Finance, a decentralized finance (DeFi) platform, fell victim to a sophisticated attack resulting in the theft of $130 million worth of cryptocurrency. The attacker exploited vulnerabilities in Cream Finance’s lending pool contract and manipulated the price oracle, allowing them to carry out a series of orchestrated transactions that ultimately drained the protocol of its liquidity.
Attackers # The attackers remain unidentified.
0x24354d31bc9d90f62fe5f2454709c32049cf866b Losses # $130M USD
...
Summary # On May 19, 2021 PancakeBunny, a yield farming aggregator built on Binance Smart Chain, suffered a flash loan attack.
Exploit was possible because of how the protocol uses PancakeSwap AMM for its asset price calculation. In bugs like this, flashloans are the go-to way to manipulate the price of AMM pools which affects the price oracle
– Adrian Hetman Source
The hacker exploited a vulnerability related to reward minting to mint 6,972,455 BUNNY tokens, after which the flash loan was paid back, dumping the huge number of newly minted BUNNY in the market caused the token’s price to plummet, the attacker ran off with 114k BNB and 697k BUNNY.
...
Summary # On February 13, 2021, Alpha Finance, a DeFi project, suffered a hack that resulted in a $37.5 million loss. The attacker exploited a rounding error in the repayment process, accumulating a substantial amount of cySUSD. They used this to obtain loans in different assets and distributed the stolen Ether. Iron Bank responded by modifying the smart contract configuration, freezing funds and preventing lenders on Alpha Homora from withdrawing their liquidity.
...