471 hack event(s)
Description of the event: Lazy Summer Protocol (under Summer.fi) USDC vaults were exploited due to NAV/share price calculation flaw. The attacker used flash loans and pre-accumulated overvalued Silo tokens to inflate vault NAV (~9.5%), redeeming at inflated price and extracting ~$6.04M from other depositors.
Amount of loss: $ 6,040,000 Attack method: Smart Contract Vulnerability
Description of the event: Hinkal privacy DeFi protocol's Ethereum contract was exploited. The attacker used a "proofless deposit" vulnerability to drain approximately $820K USDC, then converted it to ETH and laundered via Tornado Cash and THORChain. The team paused contracts, limited the incident to one Ethereum pool, and committed to 1:1 user compensation.
Amount of loss: $ 820,000 Attack method: Smart Contract Vulnerability
Description of the event: Edel Finance lending protocol was exploited via wGOOGLx wrapped token exchange rate manipulation. The attacker used flash loans in repeated deposit/borrow loops to inflate wGOOGLx collateral value ~78x, then borrowed assets, creating ~$403K bad debt.
Amount of loss: $ 403,000 Attack method: Smart Contract Vulnerability
Description of the event: Lixir Finance's vault tokens (lv_* wrappers over Uniswap V3 LP positions) were exploited due to a broken EIP-2612 permit signature verification. The attacker reused a single dummy signature to bypass checks, granting approval to their contract over dozens of holders' tokens, then drained underlying assets (WETH, USDC, USDT, LIX) via withdrawFrom/withdrawETHFrom, resulting in ~$12,300 loss.
Amount of loss: $ 12,300 Attack method: Smart Contract Vulnerability
Description of the event: Blockchain security firm Blockaid detected a front-end attack on Gitcoin’s subdomain files.gitcoin.co. The compromised site contained malicious “Eleven drainer” code designed to steal users’ cryptocurrency wallet assets. Users were advised not to interact with the site while the issue is being investigated and remediated. This is a frontend compromise incident rather than an on-chain smart contract exploit.
Amount of loss: - Attack method: Front-end Attack
Description of the event: The MEV bot operated by JaredFromSubway.eth was drained of approximately $7.5 million. Attackers deployed fake token wrappers and liquidity pools to trick the bot’s automated MEV execution system into granting token approvals to attacker-controlled contracts. They then exploited the unrevoked approvals to transfer out WETH, USDC, and USDT via transferFrom. It was not a traditional phishing attack or a vulnerability in the victim contracts themselves, but a flaw in the bot’s automated approval-generation mechanism. Jared publicly offered a $1 million bounty for full recovery with full confidentiality.
Amount of loss: $ 7,500,000 Attack method: Business Logic Flaw
Description of the event: On June 19, 2026, at approximately 7:15 AM UTC, the mySwap CL (Concentrated Liquidity) protocol on Starknet was exploited, resulting in around $300,000–$305,000 being drained from its liquidity pools. The mySwap interface had been closed to new liquidity deposits for over six months, and the drained funds were mostly residual LP positions across more than 100,000 positions. The attacker bridged the stolen assets and used Railgun to obscure the transaction flow. The exploit nearly emptied all remaining liquidity in the protocol.
Amount of loss: $ 300,000 Attack method: Smart Contract Vulnerability
Description of the event: A legacy vault of Thetanuts Finance on Ethereum was exploited due to a flaw in redemption math and integer calculations in the mint/claim functions. The attacker used flash loans to drain approximately $2.1 million after reducing token supply to near zero. A whitehat recovered most funds (~$2M), resulting in a net loss of around $105K according to the project. Current products and active contracts were unaffected.
Amount of loss: $ 105,000 Attack method: Smart Contract Vulnerability
Description of the event: An attacker exploited a vulnerability in the incomplete proof verification logic of the deprecated Aztec Connect Router contract on Ethereum, draining approximately $2.1 million in assets. The protocol had been deprecated for three years with no team control over the immutable contract. The current Aztec Network and AZTEC token were unaffected.
Amount of loss: $ 2,100,000 Attack method: Smart Contract Vulnerability
Description of the event: Humanity Protocol suffered a security incident where private keys of a Humanity Foundation member were compromised, leading to the draining of large amounts of $H tokens from multiple linked wallets (interacted with the project’s contracts). The stolen funds were swapped for ETH, with losses exceeding $30M and the $H token crashing ~90%. The team urged users not to interact with the bridge or liquidity pools.
Amount of loss: $ 31,000,000 Attack method: Private Key Leakage
Description of the event: Asterix Labs (a fork of the Flooring Protocol NFT liquidity platform) suffered an exploit targeting its $ASTX token contract. Attackers drained approximately $40,000 by exploiting a smart contract vulnerability in the shared DN404/BT404 token standard codebase—the same flaw used in the Flooring Protocol attack the previous day. The project team immediately acknowledged the incident on X and stated they are investigating, with a full post-mortem to follow.
Amount of loss: $ 40,000 Attack method: Smart Contract Vulnerability
Description of the event: The NovaBox platform’s reward pool on Ethereum was hacked. The attacker borrowed 427.5 WETH via an Aave V3 flash loan and exploited a flaw in the reward distribution mechanism (dividends distributed before balance updates on deposits/withdrawals). By first depositing a small amount of NOVA tokens to trigger dividend calculation and then a large ETH deposit to inflate their actual share—while the system still calculated based on the old small share—they generated approximately 145.82 ETH in “phantom dividends,” draining the pool from 65.11 ETH to 0.09 ETH (99.86% loss) in a single transaction. Security firm F12 confirmed it was not a smart contract vulnerability but a flaw in the reward mechanism logic.
Amount of loss: $ 93,600 Attack method: Flash Loan Attack
Description of the event: Token of Power (TOP) suffered a governance takeover exploit due to misconfiguration in its Aragon DAO (no timelock). The attacker used funds from Tornado Cash to acquire majority voting power (>50% of the small 16,384 TOP supply), passed a malicious proposal in a single transaction to mint billions of new TOP tokens, and drained 944.2 WETH (~$1.58M) from the TOP/WETH Balancer V1 liquidity pool. Balancer protocol itself was not exploited.
Amount of loss: $ 1,580,000 Attack method: Malicious Governance Takeover
Description of the event: Ambient Finance (formerly CrocSwap) was exploited via an accounting logic flaw in surplus collateral handling. The attacker used a flash loan and rapid cycling through HotProxy/WarmPath/ColdPath operations to drain ~83.72 ETH (~$110.6K) from the protocol’s monolithic smart contract.
Amount of loss: $ 110,600 Attack method: Smart Contract Vulnerability
Description of the event: Gnosis Pay disclosed a bug in its Delay Module that was being actively exploited. The Delay Module provides a security timelock for transactions in Gnosis Pay’s self-custodial card system. Users were urgently advised to withdraw their EURe and GNO balances immediately. The Gnosis team confirmed that affected users will be fully reimbursed.
Amount of loss: 0 Attack method: Smart Contract Vulnerability
Description of the event: ATOHook smart contract was exploited due to a storage slot collision between the rewards mapping and Solady’s fixed ReentrancyGuard slot. The nonReentrant modifier in getReward() wrote a sentinel value that was misinterpreted as a reward balance for a colliding address, allowing the attacker to repeatedly claim and drain a fixed amount of ETH (200 times), stealing approximately 14.41 ETH.
Amount of loss: $ 25,000 Attack method: Smart Contract Vulnerability
Description of the event: Fluid DeFi protocol’s off-chain Merkle rewards distribution infrastructure was compromised. The attacker used compromised proposer and approver operational keys to submit fake Merkle roots and claim rewards with empty proofs, resulting in approximately $215K loss. Core lending, DEX, and user funds were unaffected. The team revoked the compromised keys and paused claims for upgrades.
Amount of loss: $ 215,000 Attack method: Private Key Leakage
Description of the event: The ONTR token project was drained due to a flawed onlyOwner check in the contract (accepts owner == address(0)). This allowed re-owning a renounced token. The attacker used hidden balance-grant logic to fake massive ONTR balances (no totalSupply/mint logs), dumped into the ONTR/WETH LP, and swapped out WETH for profit.
Amount of loss: $ 98,200 Attack method: Smart Contract Vulnerability
Description of the event: WUSD.fi / GLOVE on Ethereum suffered an incentive abuse exploit. The attacker exploited the lack of Sybil resistance in the WUSD._englove reward path. By using EIP-7702 helper contracts and a Morpho USDT flash loan to repeatedly wrap/unwrap at least 100 WUSD (with fresh addresses holding <2 GLOVE), they harvested nearly 2 GLOVE per cycle, dumped the GLOVE into Uniswap V3 pools, and drained ~$200K in USDC/USDT from the liquidity pools.
Amount of loss: $ 200,000 Attack method: Sybil Attack
Description of the event: According to on-chain investigator ZachXBT and security firm Blockaid, two contracts linked to European stablecoin issuer StablR (EURR and USDR on Ethereum) were suspected of being exploited. The attacker’s funds appear to have come via CCTP on Noble. ~$2.8M+ extracted so far, causing both stablecoins to depeg significantly.
Amount of loss: $ 2,800,000 Attack method: Private Key Leakage