41 hack event(s)
Description of the event: Veil Cash's legacy fixed-denomination privacy pools on Base were exploited due to a misconfigured Groth16 verifier (delta2 == gamma2), allowing the attacker to forge zkSNARK proofs and drain ~2.9 ETH. With whitehat intervention and the exploiter voluntarily returning funds, 100% of the affected funds were recovered. Live pools were unaffected.
Amount of loss: $ 5,000 Attack method: Smart Contract Vulnerability
Description of the event: The AI-powered crypto trading agent platform Bankr on the Base network suffered a social engineering attack. The attacker exploited prompt injection techniques targeting the automated agent trust layer between Grok and Bankrbot — including malicious inputs such as Morse code — to trick the system into executing unauthorized transaction signatures, ultimately gaining access to 14 user wallets and transferring funds. Bankr has suspended the affected functionality, launched an investigation, and pledged to fully reimburse all losses from its treasury.
Amount of loss: $ 440,000 Attack method: Social Engineering
Description of the event: Singularity Finance vaults were exploited due to a critical oracle misconfiguration. The admin had registered an unsupported Uniswap V3 fee tier of 42 (valid tiers: 100/500/3000/10000) back in January, causing factory.getPool() to silently return address(0). This made the oracle price all non-USDC reserves at zero. The vault only recognized ~$100 in idle USDC while real yield tokens sat undervalued. The attacker flash-loaned 100K USDC from Morpho, deposited into the vault to mint ~99.99% of shares at the broken ratio, then redeemed for a proportional share of actual underlying assets, draining ~$413K. Root cause: admin parameter error combined with missing input validation on fee tiers. The misconfig sat undetected for ~3 months.
Amount of loss: $ 413,000 Attack method: Smart Contract Vulnerability
Description of the event: The Kipseli Router contract on Base was exploited via Improper Validation / Decimal Mismatch. The router blindly used the amount returned by an external USDC-only quoter as the raw transfer amount for tokenOut without verifying that the output token matched the quote token. The attacker used an unsupported path (e.g., WETH → cbBTC), causing the quoter to return a USDC-scaled value (6 decimals) which was then transferred as cbBTC (8 decimals), resulting in massive over-transfer. The attacker swapped only ~0.04 WETH for ~0.926 cbBTC (worth ~$72.35K). Afterward, the finder contacted the team, returned 80% of the funds as a white-hat disclosure, and kept 20% as a bug bounty.
Amount of loss: $ 72,350 Attack method: Smart Contract Vulnerability
Description of the event: On April 12, 2026, attackers exploited a vulnerability in SubQuery Network’s Settings contract on the Base network (the setContractAddress() function missing the onlyOwner access control modifier). By repeatedly calling this function, the attacker set their address as StakingManager and RewardsDistributor, enabling drainage of pooled SQT from the Staking contract, impacting 272 individual staker/delegator wallets, RewardsBooster, and a small protocol Treasury. Approximately 382,433,441 SQT were drained (worth about $134,000 USD at the time). The team quickly responded by deploying a fix, pausing withdrawals, and committing to full compensation for all affected users. No user private keys were compromised. The root cause was a missing access control from a prior code refactor.
Amount of loss: $ 134,000 Attack method: Smart Contract Vulnerability
Description of the event: According to The Block, DeFi lending protocol Moonwell is facing a governance attack on its Moonriver deployment, where an unknown attacker spent approximately $1,800 to acquire 40 million MFAM tokens and managed to buy, propose, and pass an initial vote within just 11 minutes. The attacker is seeking to transfer administrative control of seven lending markets, the comptroller, and the oracle to a malicious contract, which would enable the extraction of roughly $1.08 million in user funds. Although the proposal reached a quorum early on, "No" votes have since taken the lead, and while the voting is set to continue until March 27, the final outcome remains dependent on the remaining votes and community coordination.
Amount of loss: 0 Attack method: Governance Attack
Description of the event: The privacy gaming platform FOOMCASH was attacked on Base and Ethereum, resulting in a loss of 24,283,773,519,600 $FOOM (approximately $2.26 million). The vulnerability was caused by a misconfiguration of the verification key, which the attacker exploited to forge zkSNARK proofs and subsequently extract a massive amount of $FOOM from the compromised contracts.
Amount of loss: $ 2,260,000 Attack method: Smart Contract Vulnerability
Description of the event: Veil.Cash (a zk-SNARK privacy protocol on Base, forked from Tornado Cash) suffered an exploit on its legacy fixed-denomination privacy pools. Due to a misconfigured Groth16 zk-SNARK verifier (where delta2 equaled gamma2), an attacker was able to forge valid zero-knowledge proofs and drain approximately 2.9 ETH (~$5,000) in a single transaction by making multiple fraudulent withdrawals without corresponding deposits. Whitehat interveners and the exploiter voluntarily returned the funds, resulting in 100% recovery. The project’s newer/live pools were unaffected.
Amount of loss: $ 5,000 Attack method: Smart Contract Vulnerability
Description of the event: According to Decrypt, the DeFi lending protocol Moonwell incurred approximately $1.78 million in bad debt due to an oracle configuration error.
Amount of loss: $ 1,780,000 Attack method: Oracle Misconfiguration
Description of the event: Revert Finance’s newly launched Aerodrome Lend vault on Base was exploited for $50,101. The attacker used a flash loan from Morpho to mint an Aerodrome concentrated liquidity NFT, deposited it as collateral, borrowed USDC, and then exploited a missing safety check in the GaugeManager contract. This allowed unstaking and withdrawing all liquidity from the debt-backed position, leaving the vault with a worthless NFT shell. A second attacker replicated it shortly after. User funds were safe; losses were mostly from Revert’s own seeded USDC. The team disabled deposits and published a post-mortem.
Amount of loss: $ 50,101 Attack method: Smart Contract Vulnerability
Description of the event: SwapNet’s closed-source aggregator contracts were exploited via an arbitrary-call vulnerability due to insufficient input validation on user-controlled parameters. This allowed attackers to abuse existing token approvals (especially from users who disabled Matcha Meta’s One-Time Approval) to execute unauthorized transferFrom calls, draining ~$13.43M across Base, Ethereum, Arbitrum, and BSC. The attacker swapped large amounts of USDC to ETH on Base and bridged funds. Matcha Meta and 0x core contracts were unaffected.
Amount of loss: $ 13,430,000 Attack method: Smart Contract Vulnerability
Description of the event: According to a BlockSec alert, the SynapLogic contract lacked critical parameter validation in the swapExactTokensForETHSupportingFeeOnTransferTokens function, allowing attackers to manipulate the whitelist logic and designate arbitrary recipient addresses. In addition, the contract failed to verify whether the total amount of native tokens distributed exceeded the actual payment made, enabling attackers to withdraw excess native tokens while simultaneously receiving newly minted SYP, resulting in losses of approximately $186,000.
Amount of loss: $ 186,000 Attack method: Smart Contract Vulnerability
Description of the event: BasisOS disclosed on X: “Due to a security breach, the Agentic FoF was compromised, resulting in approximately USD 531,000 in leaked funds. All vaults have now been suspended, and withdrawals from the Agentic FoF have also been paused pending the results of an internal investigation.”
Amount of loss: $ 531,000 Attack method: Unknown
Description of the event: Aerodrome, a DEX built on Base, posted on X that the centralized domains of Velodrome and Aerodrome were hijacked on November 21 due to an internal security vulnerability at NameSilo, resulting in redirection to malicious content. With the rapid response from security partners including Blockaid, Groom Lake, Security Alliance, and FTI Consulting, MetaMask and Coinbase Wallet displayed warnings within two minutes, and the issue was fully mitigated within four hours. The incident resulted in approximately $700,000 in losses.
Amount of loss: $ 700,000 Attack method: Domain Hijacking
Description of the event: According to CertiK’s monitoring, the Moonwell lending contract suffered multiple attack transactions. The attacker exploited an incorrect oracle price for wrst (around USD 5.8 million). By using a flash loan of only about 0.02 wrstETH and depositing it, the attacker repeatedly borrowed over 20 wstETH, gaining 295 ETH (approximately USD 1 million) in profit.
Amount of loss: $ 1,000,000 Attack method: Oracle Attack
Description of the event: According to the incident analysis report released by Arcadia Finance, at 04:05 AM UTC on July 15, 2025, an active exploit targeting a series of peripheral contracts occurred. The attacker abused the delegated powers of Arcadia account owners on the rebalancer and compounder asset manager contracts, resulting in a loss of approximately $3.6 million. This exploit was limited to the asset manager contracts; lending and token contracts were not affected.
Amount of loss: $ 3,600,000 Attack method: Contract Vulnerability
Description of the event: Impermax was attacked on the Base network. In a tweet, Impermax stated that someone launched a flash loan attack and drained its V3 liquidity pools. The team is currently investigating and advises users not to interact with any V3 pools.
Amount of loss: $ 400,000 Attack method: Flash Loan Attack
Description of the event: According to monitoring by the SlowMist security team, a lack of input validation in @odosprotocol was exploited across multiple chains, resulting in approximately $100,000 in losses. ODOS stated in a post that the attack exploited a vulnerability in its audited executor contract, allowing the theft of revenue stored within the contract but not affecting any user funds.
Amount of loss: $ 100,000 Attack method: Contract Vulnerability
Description of the event: Multiple attack transactions targeting the Alien Base BunniHub contract resulted in a loss of approximately $38,000.
Amount of loss: $ 38,000 Attack method: Contract Vulnerability
Description of the event: Virtuals Protocol announced on X that their official Discord server has been compromised. They advised users not to click on any posts or private messages from administrators until further notice.
Amount of loss: - Attack method: Account Compromise