2148 hack event(s)
Description of the event: Syscoin Bridge was exploited. The attacker leveraged a validation issue in the bridge flow, resulting in the unauthorized creation of approximately 5 billion SYS on the UTXO side. The funds were subsequently moved and split. The team has paused the bridge, is actively tracing the tainted outputs, coordinating with exchanges for blacklisting/monitoring, and working on a fix and remediation.
Amount of loss: $ 10,000,000 Attack method: Bridge Verification Flaw
Description of the event: Ambient Finance (formerly CrocSwap) was exploited via an accounting logic flaw in surplus collateral handling. The attacker used a flash loan and rapid cycling through HotProxy/WarmPath/ColdPath operations to drain ~83.72 ETH (~$110.6K) from the protocol’s monolithic smart contract.
Amount of loss: $ 110,600 Attack method: Smart Contract Vulnerability
Description of the event: BitmapPunks on BSC (using BT404) was exploited. The attacker used the same BT404 packed ownership vulnerability (high-bit NFT ID aliasing + unchecked balance underflow) as Floor Protocol V2 to mint excess fungible tokens and drain the team's supplied liquidity pools. Project CTO @0xFreeLunch has publicly taken responsibility and is tracking the funds.
Amount of loss: - Attack method: Smart Contract Vulnerability
Description of the event: Flooring Protocol was exploited. Attackers bypassed unwrap costs through a contract vulnerability, extracting high-value NFTs (such as BAYC, Cryptopunks, etc.) from vaults at little to no cost and dumping them on OpenSea, causing short-term floor price drops for several collections. Yuga Labs quickly intervened with a whitehat operation, recovering dozens of high-value NFTs.
Amount of loss: - Attack method: Smart Contract Vulnerability
Description of the event: The DTXT/USDT liquidity pair on BSC was exploited. The attacker exploited forgeable liquidity-addition detection logic in the DTXT contract: sending a small amount of USDT directly to the pair address tricked the contract into classifying large sells as liquidity additions. This bypassed sell fees and drained the pool, resulting in a loss of approximately $35,041 USDT.
Amount of loss: $ 35,041 Attack method: Business Logic Vulnerability
Description of the event: The ATM token on BSC was exploited due to a flaw in its custom transferFrom() function logic (which automatically swapped ~20% of transferred amounts to BSC-USD). The attacker repeatedly triggered the mechanism to drain approximately $243,500 from the protocol.
Amount of loss: $ 243,500 Attack method: Smart Contract Vulnerability
Description of the event: The public triggerAutoBurn() maintenance function in the BYToken contract on BSC was abused. The attacker took a Moolah flashloan (~422k WBNB), performed Pancake swaps, then called the unprivileged function. This burned ~67.8 quadrillion BY directly from the BY/WBNB pair and called pair.sync(), rewriting reserves to 1 BY + full WBNB. The extreme skew allowed massive BY sells to drain nearly all WBNB liquidity, netting the attacker ~146.60 BNB ($87,402).
Amount of loss: $ 87,402 Attack method: Smart Contract Vulnerability
Description of the event: ApeBond's ApeYieldVault smart contract on BSC was exploited. The attacker used a public helper contract to call migrateToVotingEscrow with duplicate pool IDs, inflating a lock amount from ~1.71 quadrillion ABOND to ~29 quadrillion ABOND. They then unlocked, claimed the inflated lock, sold ABOND in the public ABOND/WBNB pool, repaid a Moolah flashloan, and kept ~5.72 WBNB profit. The entire flow was permissionless and on-chain.
Amount of loss: $ 3,421 Attack method: Smart Contract Vulnerability
Description of the event: Gnosis Pay disclosed a bug in its Delay Module that was being actively exploited. The Delay Module provides a security timelock for transactions in Gnosis Pay’s self-custodial card system. Users were urgently advised to withdraw their EURe and GNO balances immediately. The Gnosis team confirmed that affected users will be fully reimbursed.
Amount of loss: 0 Attack method: Smart Contract Vulnerability
Description of the event: GoPlus issued a security alert stating that the X account of crypto KOL Jadoodoo (@jadoodoo_) has been hacked. The attacker is sending phishing links via direct messages to fans under the guise of collaboration offers. Multiple KOLs have already fallen victim, with total losses of around $5,000.
Amount of loss: $ 5000 Attack method: Social Engineering
Description of the event: The DeFi project TesseraDAO (TSR token) on BNB Chain was attacked. Hackers gained control of the core contract, minted 99 million TSR tokens, and sold them on PancakeSwap for approximately $2.4 million, causing the TSR price to plummet 99%. The funds were bridged to Ethereum and laundered via Tornado Cash.
Amount of loss: $ 2,400,000 Attack method: Private Key Leakage
Description of the event: The ATOHook smart contract was exploited due to a storage slot collision between the rewards mapping and Solady’s fixed ReentrancyGuard slot. The nonReentrant modifier in getReward() wrote a sentinel value that was misinterpreted as a reward balance for a colliding address, allowing the attacker to repeatedly claim and drain a fixed amount of ETH (200 times), stealing approximately 14.41 ETH.
Amount of loss: $ 25,000 Attack method: Smart Contract Vulnerability
Description of the event: Fluid DeFi protocol’s off-chain Merkle rewards distribution infrastructure was compromised. The attacker used compromised proposer and approver operational keys to submit fake Merkle roots and claim rewards with empty proofs, resulting in approximately $215K loss. Core lending, DEX, and user funds were unaffected. The team revoked the compromised keys and paused claims for upgrades.
Amount of loss: $ 215,000 Attack method: Private Key Leakage
Description of the event: A vulnerability in the Phala Cloud API endpoint allowed unauthorized modifications to some Offchain KMS CVMs. The attacker deployed a malicious pre-launch script to affected CVMs, which may have accessed decrypted environment variables after boot. The issue was identified, patched, and contained on June 1, 2026. Affected users/CVMs have been directly notified via email.
Amount of loss: 0 Attack method: API endpoint vulnerability
Description of the event: Gravity Bridge, a cross-chain bridge connecting Ethereum and the Cosmos ecosystem, was exploited, likely due to a compromised contract key or signing authorization. The attacker drained approximately $5.4M in assets (primarily USDC, ETH, and USDT). The exploiter has begun laundering funds via exchanges and mixers, with a significant portion (~2,102 ETH) still under their control.
Amount of loss: $ 5,400,000 Attack method: Private Key Leakage
Description of the event: Alephium TokenBridge was exploited. The attacker used a backend vulnerability in the bridge to forge messages, draining approximately $815K in assets from Ethereum and BNB Chain within about 7 minutes, while minting a large amount of unbacked wrapped ALPH. The team quickly shut down the bridge, pledged to compensate users, and advised users to withdraw ALPH liquidity.
Amount of loss: $ 815,000 Attack method: Off-Chain Vulnerability in the Bridge Backend
Description of the event: The DeFi project AROS on BSC was exploited. The attacker interacted with the AROS/USDT PancakeSwap liquidity pool and drained approximately $295.3K USDT.
Amount of loss: $ 295,300 Attack method: Smart Contract Vulnerability
Description of the event: The LegendaryMoneyMonNft contract’s cliamRewred function had a signature verification flaw. The verify() function only checked whether recoverSigner(...) == admin, without properly validating cases where ecrecover returns address(0). The attacker set admin to the zero address, then used an invalid signature (r=0, s=0, v=27) to bypass checks, arbitrarily claim rewards, drain all tokens from the contract, and swap them for USDT via PancakeSwap.
Amount of loss: $ 85,519.47 Attack method: Smart Contract Vulnerability
Description of the event: The Computility-associated YSDAO project on BSC suffered a liquidity pool attack on PancakeSwap V2. The hacker manipulated reserves via contract calls and extracted funds, resulting in approximately $19.5K loss.
Amount of loss: $ 19,500 Attack method: Reserve Manipulation Attack
Description of the event: The Joe Agent ($JOE) project smart contract had a single-function reentrancy vulnerability. The attacker exploited the logic in _removeLiquidityViaContract where BNB was sent via low-level call before updating lpInfo[user].lpAmount, performing ~25 reentrancy loops to steal 62.5 BNB and ~1.196M JOE.
Amount of loss: $ 45,000 Attack method: Reentrancy Attack