36 hack event(s)
Description of the event: Singularity Finance vaults were exploited due to a critical oracle misconfiguration. The admin had registered an unsupported Uniswap V3 fee tier of 42 (valid tiers: 100/500/3000/10000) back in January, causing factory.getPool() to silently return address(0). This made the oracle price all non-USDC reserves at zero. The vault only recognized ~$100 in idle USDC while real yield tokens sat undervalued. The attacker flash-loaned 100K USDC from Morpho, deposited into the vault to mint ~99.99% of shares at the broken ratio, then redeemed for a proportional share of actual underlying assets, draining ~$413K. Root cause: admin parameter error combined with missing input validation on fee tiers. The misconfig sat undetected for ~3 months.
Amount of loss: $ 413,000 Attack method: Contract Vulnerability
Description of the event: The Kipseli Router contract on Base was exploited via Improper Validation / Decimal Mismatch. The router blindly used the amount returned by an external USDC-only quoter as the raw transfer amount for tokenOut without verifying that the output token matched the quote token. The attacker used an unsupported path (e.g., WETH → cbBTC), causing the quoter to return a USDC-scaled value (6 decimals) which was then transferred as cbBTC (8 decimals), resulting in massive over-transfer. The attacker swapped only ~0.04 WETH for ~0.926 cbBTC (worth ~$72.35K). Afterward, the finder contacted the team, returned 80% of the funds as a white-hat disclosure, and kept 20% as a bug bounty.
Amount of loss: $ 72,350 Attack method: Contract Vulnerability
Description of the event: On April 12, 2026, attackers exploited a vulnerability in SubQuery Network’s Settings contract on the Base network (the setContractAddress() function missing the onlyOwner access control modifier). By repeatedly calling this function, the attacker set their address as StakingManager and RewardsDistributor, enabling drainage of pooled SQT from the Staking contract, impacting 272 individual staker/delegator wallets, RewardsBooster, and a small protocol Treasury. Approximately 382,433,441 SQT were drained (worth about $134,000 USD at the time). The team quickly responded by deploying a fix, pausing withdrawals, and committing to full compensation for all affected users. No user private keys were compromised. The root cause was a missing access control from a prior code refactor.
Amount of loss: $ 134,000 Attack method: Contract Vulnerability
Description of the event: According to The Block, DeFi lending protocol Moonwell is facing a governance attack on its Moonriver deployment, where an unknown attacker spent approximately $1,800 to acquire 40 million MFAM tokens and managed to buy, propose, and pass an initial vote within just 11 minutes. The attacker is seeking to transfer administrative control of seven lending markets, the comptroller, and the oracle to a malicious contract, which would enable the extraction of roughly $1.08 million in user funds. Although the proposal reached a quorum early on, "No" votes have since taken the lead, and while the voting is set to continue until March 27, the final outcome remains dependent on the remaining votes and community coordination.
Amount of loss: 0 Attack method: Governance Attack
Description of the event: The privacy gaming platform FOOMCASH was attacked on Base and Ethereum, resulting in a loss of 24,283,773,519,600 $FOOM (approximately $2.26 million). The vulnerability was caused by a misconfiguration of the verification key, which the attacker exploited to forge zkSNARK proofs and subsequently extract a massive amount of $FOOM from the compromised contracts.
Amount of loss: $ 2,260,000 Attack method: Contract Vulnerability
Description of the event: According to Decrypt, the DeFi lending protocol Moonwell incurred approximately $1.78 million in bad debt due to an oracle configuration error.
Amount of loss: $ 1,780,000.00 Attack method: Oracle Misconfiguration
Description of the event: According to PeckShield, Matcha Meta reported that SwapNet suffered a security breach, with losses reaching $16.8 million. The attacker swapped approximately 10.5 million USDC for around 3,655 ETH on Base, and has begun bridging the funds to Ethereum. BlockSec’s analysis indicates that the affected contract is not open-sourced and appears to contain an arbitrary call vulnerability. The attacker abused existing token approval mechanisms to execute transferFrom operations and steal assets. The cumulative losses are estimated at $13.37 million on Base, $3.53 million on Ethereum, $125,000 on Arbitrum, and $15,000 on BSC.
Amount of loss: $ 16,800,000 Attack method: Contract Vulnerability
Description of the event: BasisOS disclosed on X: “Due to a security breach, the Agentic FoF was compromised, resulting in approximately USD 531,000 in leaked funds. All vaults have now been suspended, and withdrawals from the Agentic FoF have also been paused pending the results of an internal investigation.”
Amount of loss: $ 531,000 Attack method: Unknown
Description of the event: Aerodrome, a DEX built on Base, posted on X that the centralized domains of Velodrome and Aerodrome were hijacked on November 21 due to an internal security vulnerability at NameSilo, resulting in redirection to malicious content. With the rapid response from security partners including Blockaid, Groom Lake, Security Alliance, and FTI Consulting, MetaMask and Coinbase Wallet displayed warnings within two minutes, and the issue was fully mitigated within four hours. The incident resulted in approximately $700,000 in losses.
Amount of loss: $ 700,000 Attack method: Domain Hijacking
Description of the event: According to CertiK’s monitoring, the Moonwell lending contract suffered multiple attack transactions. The attacker exploited an incorrect oracle price for wrst (around USD 5.8 million). By using a flash loan of only about 0.02 wrstETH and depositing it, the attacker repeatedly borrowed over 20 wstETH, gaining 295 ETH (approximately USD 1 million) in profit.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: According to the incident analysis report released by Arcadia Finance, at 04:05 AM UTC on July 15, 2025, an active exploit targeting a series of peripheral contracts occurred. The attacker abused the delegated powers of Arcadia account owners on the rebalancer and compounder asset manager contracts, resulting in a loss of approximately $3.6 million. This exploit was limited to the asset manager contracts; lending and token contracts were not affected.
Amount of loss: $ 3,600,000 Attack method: Contract Vulnerability
Description of the event: Impermax was attacked on the Base network. In a tweet, Impermax stated that someone launched a flash loan attack and drained its V3 liquidity pools. The team is currently investigating and advises users not to interact with any V3 pools.
Amount of loss: $ 400,000 Attack method: Flash Loan Attack
Description of the event: According to monitoring by the SlowMist security team, due to a lack of input validation in @odosprotocol, the vulnerability has been exploited across multiple chains, resulting in approximately $100,000 in losses. ODOS stated in a post that the attack exploited a vulnerability in its audited executor contract, allowing the theft of revenue stored within the contract but not affecting any user funds.
Amount of loss: $ 100,000 Attack method: Contract Vulnerability
Description of the event: Multiple attack transactions targeting the Alien Base BunniHub contract resulted in a loss of approximately $38,000.
Amount of loss: $ 38,000 Attack method: Contract Vulnerability
Description of the event: Virtuals Protocol announced on X that their official Discord server has been compromised. They advised users not to click on any posts or private messages from administrators until further notice.
Amount of loss: - Attack method: Account Compromise
Description of the event: Standing on Bizness (BIZNESS) appears to have been subjected to a reentrancy attack on Base, resulting in an estimated loss of $15,700.
Amount of loss: $ 15,700 Attack method: Reentrancy Attack
Description of the event: According to community feedback, the official X account of the Meme token Brett on the Base chain has reportedly been compromised and used to post false information. Please stay vigilant against related risks.
Amount of loss: - Attack method: Account Compromise
Description of the event: A price manipulation attack targeting unverified lending contracts was detected on Base chain, in which the attacker gained around $1 million in tokens through excessive borrowing.
Amount of loss: $ 1,000,000 Attack method: Price Manipulation
Description of the event: The yield-optimizing DeFi protocol BaseBros Fi has vanished after executing a rug pull via an unaudited smart contract.
Amount of loss: $ 130,000 Attack method: Rug Pull
Description of the event: ETHTrustFund conducted a rugpull and stole approximately $2 million worth of cryptocurrencies on Base.
Amount of loss: $ 2,000,000 Attack method: Rug Pull