400 hack event(s)
Description of the event: According to Purrlend's official post-mortem report, Purrlend suffered a security incident on April 25. The deployments on HyperEVM and MegaETH incurred a total loss of approximately $1.52 million. The attacker compromised the team's 2/3-admin multi-signature wallet, granting malicious addresses various administrative permissions, including the BRIDGE_ROLE. Subsequently, the attacker used the mintUnbacked function to mint approximately 2 million unbacked pUSDm and 4.85 million pUSDC without collateral. These tokens were then used as collateral to borrow real assets from the liquidity pools. HyperEVM suffered a loss of about $1.2 million, while MegaETH lost approximately $325,000. Purrlend has paused the protocol, revoked the permissions, and contacted law enforcement agencies as well as blockchain analytics firms to trace the funds. The root cause of the incident was the lack of a time-lock in the multi-signature configuration, rather than any vulnerability in the smart contract logic itself. The team is currently exploring compensation options.
Amount of loss: $ 1,520,000 Attack method: Multisig Compromise + Privilege Escalation
Description of the event: Sweat Foundation was exploited. An attacker drained approximately 13.71 billion SWEAT tokens (about 65% of total supply) from multiple foundation-controlled accounts within roughly 30 seconds, resulting in a loss of about $3.5 million. The attacker exploited a vulnerability in the SWEAT token contract using a custom drainer contract, then attempted to liquidate and bridge the funds via Ref Finance and Wormhole. The team quickly paused the contract, coordinated freezes with MEXC, and restored all external user balances.
Amount of loss: $ 3,500,000 Attack method: Refund-First and Refund-Later Logic Vulnerability Exploitation
Description of the event: Aftermath Finance, a decentralized perpetuals trading platform built on the Sui blockchain, suffered a security exploit in its perpetuals (perps) protocol. The vulnerability stemmed from a flaw in the fee accounting logic, specifically allowing negative "builder code" fees to be set. This enabled the attacker to inflate synthetic collateral and drain funds from the protocol's vault. The attacker drained approximately $1.14 million in USDC across 11 transactions within about 36 minutes. Blockchain security firm Blockaid detected and flagged the attack in real time (attacker address starting with 0x1a65...2d41e). Aftermath Finance promptly paused the affected perpetuals product and collaborated with security partners including Blockaid and CertiK for investigation. The team confirmed that the exploit was isolated to the perpetual futures market; spot trading, AMM pools, afSUI staking, and other products remained unaffected.
Amount of loss: $ 1,140,000 Attack method: Signedness Mismatch in Integrator Fee Accounting
Description of the event: Scallop, a lending protocol in the Sui ecosystem, stated on X that it discovered a vulnerability in an auxiliary contract related to Scallop’s sSUI reward pool, resulting in a loss of approximately 150,000 SUI. The affected contract has been frozen. Scallop said that its core contracts remain secure, and only the sSUI reward pool was impacted. All other reward pools remain safe and unaffected. Scallop also stated that it will fully cover 100% of the losses and will release further updates as soon as possible.
Amount of loss: $ 141,750 Attack method: Contract Vulnerability
Description of the event: Volo, a protocol in the Sui ecosystem, disclosed on X that Volo Vaults experienced a security vulnerability today, resulting in approximately $3.5 million in assets (WBTC, XAUm, and USDC) being stolen. Volo stated that it detected the attack and immediately notified the Sui Foundation and ecosystem partners, and has frozen all vaults to prevent further losses.
Amount of loss: $ 3,500,000 Attack method: Private Key Leakage
Description of the event: Vercel CEO Guillermo Rauch stated on X that the company is currently conducting a full investigation into a security incident. The incident originated from a compromise of Context.ai, an AI platform used by a Vercel employee. This breach led to the attacker gaining access to the employee’s Google Workspace account associated with Vercel. From there, the attacker carried out a series of actions that further escalated access within the environment. Vercel clarified that all customer environment variables are fully encrypted at rest. However, the platform allows some variables to be explicitly marked as “non-sensitive.” The attacker was able to enumerate these and leverage them to gain additional access. The company noted that the speed of the attacker’s actions and their understanding of Vercel’s architecture were beyond expectations.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: According to CertiK, a security incident occurred in the NEAR ecosystem DeFi protocol Rhea Finance. The attacker created multiple fake token contracts and added liquidity to newly created pools, allegedly misleading the protocol’s oracle and validation layers, thereby extracting at least approximately $7.6 million in assets from the related pools. On April 18, Rhea Finance released an update regarding its security incident, stating that its lending market suffered an unauthorized attack on April 16, specifically targeting its leveraged trading functionality. The attacker exploited a potential vulnerability in the slippage protection mechanism, stealing approximately $18.4 million in assets from the protocol’s reserve pool. This resulted in actual losses within the protocol, affecting both reserve balances and participating users. The attacker has since returned approximately 3.359 million USDC and 1.564 million NEAR to the RHEA lending contract. In addition, 4.34 million USDT has been frozen—of which 3.291 million USDT was frozen by Tether in the attacker’s wallet, and 1.053 million USDT was frozen within NEAR Intent. Meanwhile, to ensure fund safety, the lending contract has been suspended, and recovery efforts are still ongoing. The team is actively attempting to contact the attacker in order to recover the remaining affected assets. Furthermore, the team has formally initiated tracking procedures with centralized exchanges to identify the account holder.
Amount of loss: $ 18,400,000 Attack method: Slippage Protection Logic Flaw
Description of the event: The DeFi project Dango released an update three hours after disclosing a security incident last night, stating that the white-hat hacker has fully returned the stolen funds and received a bug bounty. User funds were not affected. The founder of Dango said that fixes will be deployed, additional security measures will be implemented, and preparations are underway to restart the blockchain. According to the earlier announcement, the attacker exploited a logic flaw in the insurance fund to steal USDC collateral. The vulnerability arose because the insurance fund allowed anyone to make donations but failed to verify that the donation amount was positive. Thanks to rate limits on the cross-chain bridge, the attacker was only able to bridge $410,000 worth of USDC to Ethereum, while the remaining $1.49 million stayed on Dango and was successfully recovered. The vulnerability has now been fixed and does not affect other trading system functions such as order matching, PnL settlement, or liquidation.
Amount of loss: $ 1,900,000 Attack method: Smart contract business logic vulnerability
Description of the event: DeFi lending protocol HypurrFi tweeted that the hypurr.fi domain has been hijacked. The team has migrated its infrastructure to hypurrfi .com. The protocol itself, user funds, and team infrastructure remain unaffected.
Amount of loss: 0 Attack method: Domain Hijacking
Description of the event: GoPlus has issued a security alert regarding a suspected cyberattack on Adobe, involving the potential leak of approximately 13 million users' data. Affected users may face heightened risks, including phishing emails or calls impersonating Adobe customer support, precision social engineering scams leveraging leaked ticket information, and credential stuffing attacks.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: Huma Finance issued a warning on X stating that the official X account of its partner Arf, @arf_one, has been compromised. Please refrain from interacting with any posts from that account until it has been fully secured.
Amount of loss: 0 Attack method: Account Compromised
Description of the event: Socket has detected an active supply chain attack targeting version 1.14.1 of the core npm package, axios. The attacker injected malicious code into axios by introducing a malicious dependency that first appeared today. Developers using axios are advised to pin their versions immediately and review their project lockfiles.
Amount of loss: 0 Attack method: Supply Chain Attack
Description of the event: SlowMist's CISO 23pds warned on X: "A major supply chain attack has hit LiteLLM (97M monthly downloads) via PyPI. Simply executing pip install litellm allows attackers to steal sensitive data: SSH keys, cloud logins (AWS/GCP/Azure), K8s configs, Git credentials, API keys, shell history, crypto wallets, and DB passwords."
Amount of loss: - Attack method: PyPI Supply Chain Attack
Description of the event: According to Decrypt, Bitcoin ATM operator Bitcoin Depot disclosed in a filing with the U.S. Securities and Exchange Commission that it experienced a security breach on March 23. Approximately 50.9 BTC, valued at around $3.665 million, was stolen by attackers. The hackers infiltrated the company’s IT systems and obtained credentials for its digital asset settlement accounts, enabling unauthorized fund transfers. Bitcoin Depot stated that it has activated its incident response procedures, engaged external cybersecurity experts to investigate the attack vector and secure remaining assets, and notified law enforcement authorities. The company also noted that its customer platform and user data were not affected by the breach.
Amount of loss: $ 3,665,000 Attack method: Credential Compromise
Description of the event: dTRINITY disclosed on X that yesterday, the dLEND deployment on Ethereum suffered its first deposit inflation attack. This incident drained the dUSD liquidity in the lending pool, resulting in approximately $257,000 in bad debt. The protocol has been temporarily paused, and the team is actively working on remediation measures. They have committed to covering 100% of the losses using internal funds. Repayment of the bad debt will begin within 24 hours of the announcement, after which dLEND is expected to resume operations. Deployments of dTRINITY on Fraxtal and Katana were not affected, and user funds remain safe. Each deployment maintains isolated reserves, collateral, and lending pools across different chains.
Amount of loss: $ 257,000 Attack method: Deposit Inflation Attack
Description of the event: The Bitcoin staking protocol Solv Protocol stated on X that its BRO Vault experienced a limited exploit. Fewer than 10 users were affected, with a loss of 38.0474 SolvBTC (approximately $2.7 million). Other vaults and user funds were not impacted, and mitigation measures have already been implemented to prevent similar incidents. The team has committed to fully covering the losses of the affected users. They also told the attacker that a 10% white-hat bounty will be offered if the funds are returned promptly. The attacker can contact the team via direct message or by sending an on-chain message to a designated address.
Amount of loss: $ 2,700,000 Attack method: Double-Minting
Description of the event: Bitcoin payment service provider Bitrefill disclosed on X that it suffered a cyberattack on March 1, 2026, resulting in a customer data breach. The attack originated from a compromised employee laptop, which allowed the attacker to access parts of the company’s databases and cryptocurrency wallets. The investigation indicates that the attack methods closely resemble those previously used by the North Korean DPRK Lazarus Group / Bluenoroff hacking organization in targeting crypto companies. Approximately 18,500 purchase records were affected, involving limited customer information such as email addresses, crypto payment addresses, and IP metadata. Among these, around 1,000 records contained customer names stored in encrypted form, which may also have been accessed. Bitrefill stated that customers do not need to take specific action but are advised to remain vigilant for any suspicious communications. The company added that the affected systems have been shut down and isolated, and it is working with security experts, on-chain analysts, and law enforcement agencies. Operations have now largely returned to normal. Bitrefill emphasized that it remains financially strong and profitable, capable of absorbing the losses from this incident, and will continue strengthening its cybersecurity measures, including internal access controls, monitoring, and incident response mechanisms.
Amount of loss: - Attack method: Endpoint Compromise via Social Engineering
Description of the event: Scroll alerted on X that the X account of co-founder @shenhaichen has been compromised. They are actively working to recover the account and advise users not to interact with any links or direct messages.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to an announcement from Paradex, the internal systems of the Mithril trading bot were compromised by an attacker, resulting in the exposure of approximately 57 user subkeys. While these subkeys do not allow withdrawals, they grant trading permissions and are commonly used to connect third-party applications and trading bots. Paradex has suspended all XP transfers and revoked all subkeys associated with Mithril. The affected users are limited to accounts that had previously authorized the Mithril bot. The team also reminded users to exercise caution when authorizing third-party services and to independently assess the associated risks.
Amount of loss: - Attack method: Unknown
Description of the event: According to a BlockSec alert, the SynapLogic contract lacked critical parameter validation in the swapExactTokensForETHSupportingFeeOnTransferTokens function, allowing attackers to manipulate the whitelist logic and designate arbitrary recipient addresses. In addition, the contract failed to verify whether the total amount of native tokens distributed exceeded the actual payment made, enabling attackers to withdraw excess native tokens while simultaneously receiving newly minted SYP, resulting in losses of approximately $186,000.
Amount of loss: $ 186,000 Attack method: Smart Contract Vulnerability