405 hack event(s)
Description of the event: Haedal Protocol’s Vault pools on Sui suffered an exploit due to a hidden cross-version logic flaw from a 2025 upgrade. The attacker used deprecated old deposit paths to mint inflated LP shares and redeemed them via new paths for excess underlying assets, causing ~$915k in direct losses. Haedal has paused the affected contracts, will fully compensate users, and is preparing a patched upgrade.
Amount of loss: $ 915,179 Attack method: Smart Contract Vulnerability
Description of the event: On June 8, 2026, OpenMonero's P2P trading platform server was breached. The hacker gained root access and stole approximately 200 XMR. The project owner announced on Telegram that all funds were lost; the attack was not at the application layer.
Amount of loss: $ 62,900 Attack method: Supply Chain Attack
Description of the event: GoPlus issued a security alert stating that the X account of crypto KOL Jadoodoo (@jadoodoo_ ) has been hacked. The attacker is sending phishing links via direct messages to fans under the guise of collaboration offers. Multiple KOLs have already fallen victim, with total losses of around $5,000.
Amount of loss: $ 5000 Attack method: Social Engineering
Description of the event: A vulnerability in the Phala Cloud API endpoint allowed unauthorized modifications to some Offchain KMS CVMs. The attacker deployed a malicious pre-launch script to affected CVMs, which may have accessed decrypted environment variables after boot. The issue was identified, patched, and contained on June 1, 2026. Affected users/CVMs have been directly notified via email.
Amount of loss: 0 Attack method: API endpoint vulnerability
Description of the event: HermesVault, an Algorand-based privacy protocol using zero-knowledge proofs for private transactions, was exploited. The attacker exploited a flaw in the key reset defense logic within the withdrawal verification script. This allowed bypassing the zero-knowledge (zk) verification process and unauthorized withdrawal of funds. The protocol permanently shut down operations following the incident. Lead engineer Giulio Pizzini confirmed that the core zk circuit remained secure, but the auxiliary withdrawal script had a vulnerability. The team patched the issue, refunded a large portion of the funds, and initiated a full refund process for affected users.
Amount of loss: $ 29,466 Attack method: Smart Contract Vulnerability
Description of the event: Echo Protocol’s eBTC on Monad was compromised due to an admin private key leak. The attacker granted themselves minting rights, minted 1,000 unbacked eBTC (~$76.7M nominal value), deposited 45 eBTC (~$3.45M) as collateral into Curvance to borrow ~11.29 WBTC (~$867K), bridged it to Ethereum, swapped for ETH, and sent ~384 ETH (~$821K) to Tornado Cash. The remaining 955 eBTC stays under attacker control, posing ongoing depegging risk.
Amount of loss: $ 821,700 Attack method: Private Key Leakage
Description of the event: Keith Gill’s (Roaring Kitty) verified X account was apparently hacked on May 11, 2026. Attackers posted the contract address of a newly launched Solana meme coin $RKC (Red Kitten Crew) on Pump.fun, along with related images. This briefly pumped the token’s market cap to around $11-12 million. The posts were deleted within an hour, causing a 90%+ crash. The developer used 10 wallets to acquire ~39.52% of the supply (with ~$1,950 investment) and dumped for over $611K profit. Over 80 wallets lost approximately $2.86 million in total. Keith Gill has not issued any statement regarding the incident.
Amount of loss: 0 Attack method: The X account was hacked
Description of the event: SmartCredit’s Leveraged Lido module was exploited. The attacker drained funds from this leveraged staking feature. The team has paused the Leveraged Lido functionality, and the protocol’s Loss Provision Fund will fully cover the gap for affected stakers.
Amount of loss: $ 72,000 Attack method: Smart Contract Vulnerability
Description of the event: Sweat Foundation was exploited. An attacker drained approximately 13.71 billion SWEAT tokens (about 65% of total supply) from multiple foundation-controlled accounts within roughly 30 seconds, resulting in a loss of about $3.5 million. The attacker exploited a vulnerability in the SWEAT token contract using a custom drainer contract, then attempted to liquidate and bridge the funds via Ref Finance and Wormhole. The team quickly paused the contract, coordinated freezes with MEXC, and restored all external user balances.
Amount of loss: $ 3,500,000 Attack method: Smart Contract Vulnerability
Description of the event: Aftermath Finance, a decentralized perpetuals trading platform built on the Sui blockchain, suffered a security exploit in its perpetuals (perps) protocol. The vulnerability stemmed from a flaw in the fee accounting logic, specifically allowing negative "builder code" fees to be set. This enabled the attacker to inflate synthetic collateral and drain funds from the protocol's vault.The attacker drained approximately $1.14 million in USDC across 11 transactions within about 36 minutes. Blockchain security firm Blockaid detected and flagged the attack in real time (attacker address starting with 0x1a65...2d41e). Aftermath Finance promptly paused the affected perpetuals product and collaborated with security partners including Blockaid and CertiK for investigation. The team confirmed that the exploit was isolated to the perpetual futures market; spot trading, AMM pools, afSUI staking, and other products remained unaffected.
Amount of loss: $ 1,140,000 Attack method: Smart Contract Vulnerability
Description of the event: A deprecated side contract (V2 rewards contract) tied to Scallop’s sSUI Spool rewards pool was exploited. The attacker exploited a missing validation in the reward accumulator logic (uninitialized variable in update_points function). By staking a small amount (0.2 SUI), they generated massive fake reward points (162 trillion), draining the entire leftover rewards pool of approximately 150,000 SUI. Core lending markets, user deposits, and active pools were unaffected. The team promptly froze the affected contract, committed to covering 100% of the loss from treasury, and resumed normal operations.
Amount of loss: $ 142,000 Attack method: Smart Contract Vulnerability
Description of the event: According to Purrlend's official post-mortem report, Purrlend suffered a security incident on April 25. The deployments on HyperEVM and MegaETH incurred a total loss of approximately $1.52 million. The attacker compromised the team's 2/3-admin multi-signature wallet, granting malicious addresses various administrative permissions, including the BRIDGE_ROLE. Subsequently, the attacker used the mintUnbacked function to mint approximately 2 million unbacked pUSDm and 4.85 million pUSDC without collateral. These tokens were then used as collateral to borrow real assets from the liquidity pools. HyperEVM suffered a loss of about $1.2 million, while MegaETH lost approximately $325,000. Purrlend has paused the protocol, revoked the permissions, and contacted law enforcement agencies as well as blockchain analytics firms to trace the funds. The root cause of the incident was the lack of a time-lock in the multi-signature configuration, rather than any vulnerability in the smart contract logic itself. The team is currently exploring compensation options.
Amount of loss: $ 1,520,000 Attack method: Admin Privilege Abuse
Description of the event: Volo, a protocol in the Sui ecosystem, disclosed on X that Volo Vaults experienced a security vulnerability today, resulting in approximately $3.5 million in assets (WBTC, XAUm, and USDC) being stolen. Volo stated that it detected the attack and immediately notified the Sui Foundation and ecosystem partners, and has frozen all vaults to prevent further losses.
Amount of loss: $ 3,500,000 Attack method: Private Key Leakage
Description of the event: Vercel CEO Guillermo Rauch stated on X that the company is currently conducting a full investigation into a security incident. The incident originated from a compromise of Context.ai, an AI platform used by a Vercel employee. This breach led to the attacker gaining access to the employee’s Google Workspace account associated with Vercel. From there, the attacker carried out a series of actions that further escalated access within the environment. Vercel clarified that all customer environment variables are fully encrypted at rest. However, the platform allows some variables to be explicitly marked as “non-sensitive.” The attacker was able to enumerate these and leverage them to gain additional access. The company noted that the speed of the attacker’s actions and their understanding of Vercel’s architecture were beyond expectations.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: According to CertiK, a security incident occurred in the NEAR ecosystem DeFi protocol Rhea Finance. The attacker created multiple fake token contracts and added liquidity to newly created pools, allegedly misleading the protocol’s oracle and validation layers, thereby extracting at least approximately $7.6 million in assets from the related pools. On April 18, Rhea Finance released an update regarding its security incident, stating that its lending market suffered an unauthorized attack on April 16, specifically targeting its leveraged trading functionality. The attacker exploited a potential vulnerability in the slippage protection mechanism, stealing approximately $18.4 million in assets from the protocol’s reserve pool. This resulted in actual losses within the protocol, affecting both reserve balances and participating users. The attacker has since returned approximately 3.359 million USDC and 1.564 million NEAR to the RHEA lending contract. In addition, 4.34 million USDT has been frozen—of which 3.291 million USDT was frozen by Tether in the attacker’s wallet, and 1.053 million USDT was frozen within NEAR Intent. Meanwhile, to ensure fund safety, the lending contract has been suspended, and recovery efforts are still ongoing. The team is actively attempting to contact the attacker in order to recover the remaining affected assets. Furthermore, the team has formally initiated tracking procedures with centralized exchanges to identify the account holder.
Amount of loss: $ 18,400,000 Attack method: Slippage Protection Logic Flaw
Description of the event: The DeFi project Dango released an update three hours after disclosing a security incident last night, stating that the white-hat hacker has fully returned the stolen funds and received a bug bounty. User funds were not affected. The founder of Dango said that fixes will be deployed, additional security measures will be implemented, and preparations are underway to restart the blockchain. According to the earlier announcement, the attacker exploited a logic flaw in the insurance fund to steal USDC collateral. The vulnerability arose because the insurance fund allowed anyone to make donations but failed to verify that the donation amount was positive. Thanks to rate limits on the cross-chain bridge, the attacker was only able to bridge $410,000 worth of USDC to Ethereum, while the remaining $1.49 million stayed on Dango and was successfully recovered. The vulnerability has now been fixed and does not affect other trading system functions such as order matching, PnL settlement, or liquidation.
Amount of loss: $ 1,900,000 Attack method: Insurance Fund Logic Vulnerability
Description of the event: GoPlus has issued a security alert regarding a suspected cyberattack on Adobe, involving the potential leak of approximately 13 million users' data. Affected users may face heightened risks, including phishing emails or calls impersonating Adobe customer support, precision social engineering scams leveraging leaked ticket information, and credential stuffing attacks.
Amount of loss: 0 Attack method: Supply Chain Attack
Description of the event: DeFi lending protocol HypurrFi tweeted that the hypurr.fi domain has been hijacked. The team has migrated its infrastructure to hypurrfi .com. The protocol itself, user funds, and team infrastructure remain unaffected.
Amount of loss: 0 Attack method: Domain Hijacking
Description of the event: Huma Finance issued a warning on X stating that the official X account of its partner Arf, @arf_one, has been compromised. Please refrain from interacting with any posts from that account until it has been fully secured.
Amount of loss: 0 Attack method: Account Compromised
Description of the event: Socket has detected an active supply chain attack targeting version 1.14.1 of the core npm package, axios. The attacker injected malicious code into axios by introducing a malicious dependency that first appeared today. Developers using axios are advised to pin their versions immediately and review their project lockfiles.
Amount of loss: 0 Attack method: Supply Chain Attack