2177 hack event(s)
Description of the event: Lazy Summer Protocol (under Summer.fi) USDC vaults were exploited due to NAV/share price calculation flaw. The attacker used flash loans and pre-accumulated overvalued Silo tokens to inflate vault NAV (~9.5%), redeeming at inflated price and extracting ~$6.04M from other depositors.
Amount of loss: $ 6,040,000 Attack method: Smart Contract Vulnerability
Description of the event: BonkDAO suffered a governance attack. The attacker spent ~$4M to buy BONK tokens for sufficient voting power and passed a malicious governance proposal (BIP-76) to transfer ~$20M BONK from the treasury to controlled wallets. No smart contract exploit; used the DAO's own voting system.
Amount of loss: $ 20,000,000 Attack method: Governance Attack
Description of the event: Hinkal privacy DeFi protocol's Ethereum contract was exploited. The attacker used a "proofless deposit" vulnerability to drain approximately $820K USDC, then converted it to ETH and laundered via Tornado Cash and THORChain. The team paused contracts, limited the incident to one Ethereum pool, and committed to 1:1 user compensation.
Amount of loss: $ 820,000 Attack method: Smart Contract Vulnerability
Description of the event: Edel Finance lending protocol was exploited via wGOOGLx wrapped token exchange rate manipulation. The attacker used flash loans in repeated deposit/borrow loops to inflate wGOOGLx collateral value ~78x, then borrowed assets, creating ~$403K bad debt.
Amount of loss: $ 403,000 Attack method: Smart Contract Vulnerability
Description of the event: AIDC token on BSC was exploited due to a flaw in _sellTransfer()/burn logic. The attacker manipulated the PancakeSwap LP pool, causing burn fees to accumulate without properly deducting from sender balance, draining ~$121K WBNB.
Amount of loss: $ 121,000 Attack method: Smart Contract Vulnerability
Description of the event: Polymarket suffered a third-party supply chain attack where hackers injected a malicious script into the platform's frontend, draining approximately $3.1 million in PUSD from 11 user wallets. Funds were moved from Polygon to Ethereum. Polymarket contained the incident, removed the affected dependency, and promised full refunds to impacted users.
Amount of loss: $ 3,100,000 Attack method: Supply Chain Attack
Description of the event: Lixir Finance's vault tokens (lv_* wrappers over Uniswap V3 LP positions) were exploited due to a broken EIP-2612 permit signature verification. The attacker reused a single dummy signature to bypass checks, granting approval to their contract over dozens of holders' tokens, then drained underlying assets (WETH, USDC, USDT, LIX) via withdrawFrom/withdrawETHFrom, resulting in ~$12,300 loss.
Amount of loss: $ 12,300 Attack method: Smart Contract Vulnerability
Description of the event: According to security firm Blockaid, Yield Yak suffered a frontend attack. Its subdomain vote.yieldyak.com was injected with Eleven Drainer malicious code, posing risks of asset theft upon access. This mirrors a similar frontend attack previously experienced by Gitcoin.
Amount of loss: - Attack method: Frontend Attack
Description of the event: SecondFi (formerly Yoroi) Cardano wallet suffered an exploit due to a vulnerability in its proprietary web wallet generation software, exposing private keys at the address level. Attackers drained ~16 million ADA ($2.4M) from 374 affected wallets across three attacks. The project secured ~129 million ADA (~$19.4M) through emergency rescue; affected users must wait for official recovery and are advised to use hardware wallets for migration.
Amount of loss: $ 2,400,000 Attack method: Predictable Private Key Exploit
Description of the event: A legacy royalties contract (Royal1155LD) associated with Royal.io on Polygon was exploited due to a logic flaw in reward/pro-rata royalty accounting. The attacker used a flash loan and 100 zero-value ERC1155 transfers to manipulate the beforeLdaTransfer function, inflating balances and withdrawing ~$263K USDC.
Amount of loss: $ 263,000 Attack method: Smart Contract Vulnerability
Description of the event: Blockchain security firm Blockaid detected a front-end attack on Gitcoin’s subdomain files.gitcoin.co. The compromised site contained malicious “Eleven drainer” code designed to steal users’ cryptocurrency wallet assets. Users were advised not to interact with the site while the issue is being investigated and remediated. This is a frontend compromise incident rather than an on-chain smart contract exploit.
Amount of loss: - Attack method: Front-end Attack
Description of the event: On June 21-22, 2026, Taiko (an Ethereum L2) suffered a bridge exploit targeting its ERC20 Vault. Attackers exploited a compromise in the chain state verification mechanism by forging SGX proofs to register a malicious prover, bypassing verification to submit fake bridge messages and drain approximately $1.7 million in assets (including USDC, ETH, and TAIKO tokens). Taiko quickly confirmed the verification compromise, paused the bridge and block production, initially urged users to withdraw funds, and later contained the incident while coordinating with exchanges to freeze attacker assets. A full post-mortem is forthcoming.
Amount of loss: $ 1,700,000 Attack method: Private Key Leakage
Description of the event: Quicksilver Zone (Cosmos Liquid Staking protocol) was exploited via Unchecked Proof Minting vulnerability. The attacker forged proofs to mint large amounts of unbacked qATOM (~505K) and qOSMO (~10M). The chain was halted; actual drained loss was limited (~$3,500). The team is working with Cosmos Hub and Osmosis to burn fake tokens and recover.
Amount of loss: $ 3,500 Attack method: Smart Contract Vulnerability
Description of the event: The MEV bot operated by JaredFromSubway.eth was drained of approximately $7.5 million. Attackers deployed fake token wrappers and liquidity pools to trick the bot’s automated MEV execution system into granting token approvals to attacker-controlled contracts. They then exploited the unrevoked approvals to transfer out WETH, USDC, and USDT via transferFrom. It was not a traditional phishing attack or a vulnerability in the victim contracts themselves, but a flaw in the bot’s automated approval-generation mechanism. Jared publicly offered a $1 million bounty for full recovery with full confidentiality.
Amount of loss: $ 7,500,000 Attack method: Business Logic Flaw
Description of the event: The OLPC/LABUBU liquidity pool on PancakeSwap V2 (BNB Chain) was exploited, resulting in approximately $1.1 million in losses. The attacker exploited a logic vulnerability in the OLPC token contract’s _update function. Approximately 46 days prior, the OLPC owner had maliciously changed the decimalsValue parameter to an extremely large value (7326680472586200649) and later renounced ownership. A small OLPC transfer triggered massive burns of OLPC and LABUBU tokens from the pool (to the dead address), desynchronizing the pair’s cached reserves. This allowed the attacker to drain a large amount of LABUBU, which was swapped through intermediate pools for ~1.115 million USDT. Funds were bridged to Ethereum and deposited into Tornado Cash.
Amount of loss: $ 1,100,000 Attack method: Smart Contract Vulnerability
Description of the event: On June 19, 2026, approximately $600,000 in assets (ATOM, USDC, OSMO, TIA, NYM, etc.) were drained from Namada’s Multi-Asset Shielded Pool (MASP) through an IBC Transfer Logic Exploit. The loss initially went unnoticed because a stale indexer continued displaying funds as available, while live RPC queries showed zero balances on the chain. The attacker swept shielded IBC assets cross-chain. Namada confirmed the exploit and is investigating.
Amount of loss: $ 600,000 Attack method: Protocol Vulnerability
Description of the event: On June 19, 2026, at approximately 7:15 AM UTC, the mySwap CL (Concentrated Liquidity) protocol on Starknet was exploited, resulting in around $300,000–$305,000 being drained from its liquidity pools. The mySwap interface had been closed to new liquidity deposits for over six months, and the drained funds were mostly residual LP positions across more than 100,000 positions. The attacker bridged the stolen assets and used Railgun to obscure the transaction flow. The exploit nearly emptied all remaining liquidity in the protocol.
Amount of loss: $ 300,000 Attack method: Smart Contract Vulnerability
Description of the event: The JB DeFi protocol suffered an exploit involving flashloan and price manipulation, resulting in approximately $50,000 being drained. The attack exploited protocol logic through flash loan-enabled price manipulation on the Solidity-based contract.
Amount of loss: $ 50,000 Attack method: Flashloan Price Manipulation
Description of the event: On June 17, 2026, attackers exploited Aztec’s deprecated Private Rollup Bridge (launched in 2021 and shut down in 2022). They abused an immutable escape-hatch function that lacked proper ownership checks, using manipulated or fake rollup proofs to withdraw assets without corresponding deposits. Approximately $2.16 million (1,158 ETH, 150,000 DAI, and 0.47 renBTC) was drained. Aztec Labs confirmed the affected contract is unrelated to the current Aztec Network or the AZTEC ERC-20 token and that they have no control over the immutable old contracts.
Amount of loss: $ 2,160,000 Attack method: Smart Contract Vulnerability
Description of the event: On June 17, 2026, Little Boy Plus — a fully decentralized DeFi mining protocol on BSC claiming “no team, no admin keys” — was exploited. An attacker exploited a logic vulnerability in the LBPHashrate contract’s _update() function. By triggering it with a zero-value transferFrom call (bypassing OpenZeppelin authorization), the attacker unauthorizedly called _harvest and minted LBP tokens directly to the PancakeSwap LBP/USDT pair via mintReward. This inflated the pair’s balance without updating reserves, allowing the attacker to drain ~377,642 USDT (~$367k–$378k) through PancakePair.swap(). The funds were later sent to Tornado Cash.
Amount of loss: $ 367,000 Attack method: Smart Contract Vulnerability