1949 hack event(s)
Description of the event: According to monitoring by Scam Sniffer, the official X account of Watt Protocol was compromised, and the attacker used it to post phishing tweets.
Amount of loss: - Attack method: Account Compromise
Description of the event: The decentralized lending project Abracadabra lost approximately $1.8 million worth of Magic Internet Money (MIM) stablecoins. The attacker exploited a vulnerability in the project’s smart contracts to borrow far more than their collateral should have allowed.
Amount of loss: $ 1,800,000 Attack method: Contract Vulnerability
Description of the event: BNB Chain officially announced that its English X account has been compromised and is currently under emergency recovery. The team warned users not to click on any links.
Amount of loss: - Attack method: Account Compromise
Description of the event: The DeFi protocol dTRINITY suffered an exploit targeting its swap adapter contracts, resulting in the loss of approximately $56,000 belonging to core team members.
Amount of loss: $ 56,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol Hyperdrive, built on the Hyperliquid chain, was exploited. The attacker repeatedly abused an arbitrary call vulnerability in the router, resulting in a loss of approximately $782,000.
Amount of loss: $ 782,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol HyperVault, built on the Hyperliquid chain, has executed a rug pull, making off with approximately $3.61 million.
Amount of loss: $ 3,610,000 Attack method: Rug Pull
Description of the event: The attackers exploited a misconfigured LayerZero bridge along with a compromised private key for the GAIN BSC contract. By setting a malicious peer contract on Ethereum, they bypassed validation checks and minted 5 billion counterfeit GAIN tokens on BSC. The attackers then sold approximately 150 million of these counterfeit tokens (about 2.8% of the total fake supply) on PancakeSwap, cashing out around USD 3 million.
Amount of loss: $ 3,000,000 Attack method: Private Key Leakage
Description of the event: The AI-powered Web3 social platform UXLINK was exploited after an attacker gained control of the project’s multisignature wallet. By minting large amounts of UXLINK tokens, the attacker cashed out over $11.3 million. Shortly after the incident, the attacker—apparently rushing to liquidate before the token price dropped further or exchanges could freeze the assets—accidentally approved a phishing contract. As a result, approximately 542 million UXLINK tokens were transferred to a phishing address.
Amount of loss: $ 11,300,000 Attack method: Multisignature Theft
Description of the event: Meta Alchemist, founder of the Web3 incubator and launchpad platform Seedify, announced on X that one of its SFUND bridges was recently hacked. According to Seedify’s official account, a DPRK-affiliated group known for multiple Web3 exploits gained access to a developer’s private key. Using this access, the attackers were able to mint a large number of SFUND tokens through a bridge contract that had previously passed audit. As a result, the OFT contract was compromised, allowing the attackers to alter its settings and mint unauthorized tokens on Avalanche.
Amount of loss: $ 1,700,000 Attack method: Private Key Leakage
Description of the event: The DeFi project Corepound, built on the Core DAO blockchain, has carried out a rug pull, making off with approximately $400,000.
Amount of loss: $ 400,000 Attack method: Rug Pull
Description of the event: Stablecoin protocol Yala announced that a recent security incident occurred due to a hacker abusing temporary deployment keys during an authorized cross-chain bridge deployment, setting up an unauthorized bridge and extracting 7.64M USDC (approximately 1,636 ETH).
Amount of loss: $ 7,640,000 Attack method: Security Vulnerability
Description of the event: Kame Aggregator suffered an exploit due to a design flaw in the swap() function, which allowed arbitrary executor calls. This vulnerability enabled attackers to transfer tokens that users had approved to the AggregationRouter, particularly from users with unlimited or oversized approvals. The total value of affected assets was approximately $1.32 million, of which around $946,000 was recovered by the Kame team from the primary exploiter, and about $22,000 was recovered by white-hat hackers.
Amount of loss: $ 1,320,000 Attack method: Contract Vulnerability
Description of the event: The Shibarium bridge, connecting the Layer 2 network of the same name to Ethereum, was targeted in a flash loan attack, resulting in a loss of approximately $2.4 million. The attacker used a flash loan to purchase 4.6 million BONE tokens and obtained validator signing keys, gaining control of the majority of validator power, and ultimately signed a malicious state to drain assets from the bridge.
Amount of loss: $ 2,400,000 Attack method: Flash Loan Attack
Description of the event: Nemo Protocol, a DeFi protocol on Sui, was attacked, resulting in a loss of approximately $2.4 million.
Amount of loss: $ 2,400,000 Attack method: Unknown
Description of the event: Swiss crypto platform SwissBorg suffered a security incident in which approximately 192,600 SOL (~$41.5M) was stolen on Solana. According to SwissBorg’s official statement, the incident was caused by a compromised partner API, impacting its SOL Earn program.
Amount of loss: $ 41,500,000 Attack method: Third-party Vulnerability
Description of the event: On-chain investigator ZachXBT reported that the Solana project Aqua has likely executed a rug pull involving approximately 21,770 SOL (~$4.65M). A few hours ago, the funds were split into four parts, moved through multiple intermediary addresses, and then sent to various instant exchanges.
Amount of loss: $ 4,650,000 Attack method: Rug Pull
Description of the event: Bunni, a DEX built on Uniswap v4, was exploited on Ethereum and UniChain, with total losses of approximately $8.4 million.
Amount of loss: $ 8,400,000 Attack method: Flash Loan Attack
Description of the event: The PulseChain-based DeFi project BetterBank was exploited by an attacker who took advantage of a vulnerability that allowed them to mint arbitrary tokens, some of which they then swapped for ETH. The attacker later returned around $2.7 million of the stolen assets, having cashed out around $1.4 million.
Amount of loss: $ 5,000,000 Attack method: Contract Vulnerability
Description of the event: According to an announcement from Equilibria Finance, a vulnerability was discovered in the ePENDLE auto-compounder contract on Ethereum, resulting in a loss of approximately 13.36 ETH. The issue stemmed from the stk-ePENDLE contract on Ethereum mainnet not being configured as non-transferable. The attacker used flash loans via Balancer to acquire ePENDLE, staked it into stk-ePENDLE, and then repeatedly transferred stk-ePENDLE across multiple addresses. Each transfer triggered a reward claim, enabling the attacker to drain the unclaimed rewards from the contract.
Amount of loss: $ 62,500 Attack method: Contract Vulnerability
Description of the event: ABCCApp on BSC was reportedly attacked, resulting in a loss of approximately $10.1K. The root cause was that the contract’s addFixedDay() function lacked access control, and fixedDay was used in calculating claimable USDT.
Amount of loss: $ 10,100 Attack method: Contract Vulnerability