419 hack event(s)
Description of the event: The on-chain private fund Goldfinch’s old contract on Ethereum (0x0689) contained a vulnerability. Because the user deltatiger.eth did not revoke the authorization in time, they were exploited and lost approximately USD 330,000. The attacker has already sent 118 ETH (around USD 329,000) into the privacy mixer Tornado Cash.
Amount of loss: $ 330,000 Attack method: Contract Vulnerability
Description of the event: According to PeckShieldAlert on X, Yearn Finance suffered an attack in which the hacker drained the liquidity pool by infinitely minting yETH, causing losses of roughly $9 million. Approximately 1,000 ETH (about $3 million) was transferred to Tornado Cash, while the attacker’s address still holds around $6 million worth of crypto assets. On December 1, according to PeckShield’s monitoring, Yearn recovered 2.4 million USD by burning the pxETH held by the hacker. An equivalent amount of pxETH has been re-minted and returned to the Redacted Cartel multisig wallet.
Amount of loss: $ 9,000,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol Balancer V2 suffered a vulnerability exploit that affected its Composable Stable Pools. The root cause of the incident was an incorrect rounding direction in the Stable Pool’s “exact-out” swap path. This flaw was amplified under conditions of precision errors introduced by rate providers and extremely low liquidity, allowing the attacker to manipulate the invariant and distort the BPT price calculation. As a result, the attacker was able to withdraw large amounts of assets from the pool at a cost far below their real value. The attack caused a total loss of $121.1 million across Ethereum, Arbitrum, Base, Optimism, and Polygon. As of November 19, coordinated mitigation efforts enabled several security measures to be deployed promptly after the issue was discovered, resulting in approximately $45.7 million in user funds being protected or recovered.
Amount of loss: $ 121,100,000 Attack method: Logic Vulnerability
Description of the event: The decentralized lending project Abracadabra lost approximately $1.8 million worth of Magic Internet Money (MIM) stablecoins. The attacker exploited a vulnerability in the project’s smart contracts to borrow far more than their collateral should have allowed.
Amount of loss: $ 1,800,000 Attack method: Contract Vulnerability
Description of the event: MIM Spell posted on X that the team discovered a security vulnerability affecting some deprecated V4 Cauldrons on the Ethereum mainnet. During the attack, the attacker minted 1.79 million MIM. Shortly afterward, the DAO Treasury identified and fixed the vulnerability, confirmed that no other Cauldrons or user funds were affected, and repurchased all impacted MIM from the market, fully offsetting the impact of the attack.
Amount of loss: $ 1,790,000 Attack method: Contract Vulnerability
Description of the event: According to an announcement from Equilibria Finance, a vulnerability was discovered in the ePENDLE auto-compounder contract on Ethereum, resulting in a loss of approximately 13.36 ETH. The issue stemmed from the stk-ePENDLE contract on Ethereum mainnet not being configured as non-transferable. The attacker used flash loans via Balancer to acquire ePENDLE, staked it into stk-ePENDLE, and then repeatedly transferred stk-ePENDLE across multiple addresses. Each transfer triggered a reward claim, enabling the attacker to drain the unclaimed rewards from the contract.
Amount of loss: $ 62,500 Attack method: Contract Vulnerability
Description of the event: According to SlowMist Threat Intelligence, puffer[.]fi and @puffer_finance have been compromised.
Amount of loss: - Attack method: Account Compromise
Description of the event: The official X account of the stablecoin protocol Level was reportedly compromised, and a fraudulent airdrop link was posted.
Amount of loss: - Attack method: Account Compromise
Description of the event: Pundi AI recently experienced a security breach resulting in the unauthorized minting of 1 million tokens. The incident was caused by a vulnerability in the token swap contract, which was exploited via a front-running attack during deployment. According to Pundi AI co-founder Danny Lim, the exploit led to the creation of tokens valued at approximately $6 million at the time of the incident. Through coordinated asset freezes and recovery efforts, the team successfully retrieved around 87% of the affected funds. The remaining loss—nearly $2 million—will be fully covered by the project team.
Amount of loss: $ 6,570,000 Attack method: Contract Vulnerability
Description of the event: According to monitoring by the MistEye system, decentralized stablecoin protocol Resupply appears to have suffered an exploit, with estimated losses of around $9.5 million. The attacker manipulated the cvcrvUSD exchange rate by making donation transactions to the cvcrvUSD Controller contract, ultimately stealing a large amount of reUSD tokens.
Amount of loss: $ 9,500,000 Attack method: Contract Vulnerability
Description of the event: According to reports from social media users, the official X account of Abstract Chain appears to have been compromised. The attacker is impersonating the project to promote a fake “official token” scam.
Amount of loss: - Attack method: Account Compromise
Description of the event: An attacker exploited a vulnerability in the staking contract for Meta Pool, which is a liquid staking project. This allowed them to mint 9,700 mpETH, the project's liquid staking token, which is notionally worth $27 million. However, very low liquidity for the token meant that the attacker was only able to swap 10 ETH (~$25,000) of tokens.
Amount of loss: $ 25,000 Attack method: Contract Vulnerability
Description of the event: The official ether.fi Discord was hacked, and fraudulent messages containing scam links were posted. ether.fi urges users not to interact with any links within the Discord.
Amount of loss: - Attack method: Account Compromise
Description of the event: Lending protocol Malda tweeted that one of its contracts has been compromised and all contracts have been paused. Users are advised not to interact with any contracts until further notice.
Amount of loss: $ 281,000 Attack method: Contract Vulnerability
Description of the event: On May 28, SlowMist detected potential suspicious activity related to Cork Protocol. According to the SlowMist security team’s analysis, the root cause of the attack was the lack of strict validation on user-supplied data, allowing the protocol’s liquidity to be manipulated and transferred to unintended markets, which attackers then exploited to perform unauthorized redemptions and profit illegally.
Amount of loss: $ 12,000,000 Attack method: Contract Vulnerability
Description of the event: Zunami Protocol has reported a hack in which the collateral for zunUSD and zunETH was stolen, resulting in a loss of approximately $500,000. The attacker has transferred the stolen funds to Tornado Cash.
Amount of loss: $ 500,000 Attack method: Unknown
Description of the event: Curve Finance’s official website and X account were compromised in quick succession. On May 5, attackers first took control of the project’s X account and used it to post a phishing message promoting a fake airdrop. Then on May 12, the project issued a warning that the Curve frontend had been “hijacked,” in what appeared to be a domain takeover incident.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to the SlowMist MistEye security monitoring system, Aventa, which specializes in creating intuitive Web3 utilities for the crypto community, appears to have been attacked, resulting in a loss of approximately 3.9 ETH.
Amount of loss: $ 7,000 Attack method: Flash Loan Attack
Description of the event: A member of the crypto community previously revealed that "a smart contract of a certain Web3 project was suspected to have been implanted with malicious code by an employee," leading to losses of several hundred thousand dollars. Thomson, a developer of the DeFi trading and asset management project QuantMaster, stated that he was the primary victim of this theft. According to Thomson, the suspect has been largely identified. The GitHub submission records clearly point to a specific employee, and the device used to submit the code is also unique. Cursor retains a complete local AI activity log, which has been reviewed, ruling out the possibility that the malicious code was generated or modified by AI.
Amount of loss: - Attack method: Insider Manipulation
Description of the event: On April 26, 2025, lending protocol Term Labs introduced an internal inconsistency in decimal precision during an update to the tETH oracle, resulting in incorrect pricing of the tETH asset within the protocol. This mispricing triggered unintended liquidations, affecting approximately 918 ETH. The incident stemmed from human error during a sensitive system upgrade — a failure in operational execution rather than a flaw in the code or smart contracts. Through rapid response and negotiation efforts, Term Labs successfully recovered around 556 ETH, reducing the final net protocol loss to 362 ETH (approximately $650,000).
Amount of loss: $ 1,650,000 Attack method: Human Error