2163 hack event(s)
Description of the event: Blockchain security firm Blockaid detected a front-end attack on Gitcoin’s subdomain files.gitcoin.co. The compromised site contained malicious “Eleven drainer” code designed to steal users’ cryptocurrency wallet assets. Users were advised not to interact with the site while the issue was being investigated and remediated. This was a front-end compromise rather than an on-chain smart contract exploit.
Amount of loss: -
Attack method: Front-end Attack
Description of the event: The MEV bot operated by JaredFromSubway.eth was drained of approximately $7.5 million. Attackers deployed fake token wrappers and liquidity pools to trick the bot’s automated MEV execution system into granting token approvals to attacker-controlled contracts. They then exploited the unrevoked approvals to transfer out WETH, USDC, and USDT via transferFrom. It was not a traditional phishing attack or a vulnerability in the victim contracts themselves, but a flaw in the bot’s automated approval-generation mechanism. Jared publicly offered a $1 million bounty for full recovery with full confidentiality.
Amount of loss: $7,500,000
Attack method: Business Logic Flaw
Description of the event: The OLPC/LABUBU liquidity pool on PancakeSwap V2 (BNB Chain) was exploited, resulting in approximately $1.1 million in losses. The attacker exploited a logic vulnerability in the OLPC token contract’s _update function. Approximately 46 days prior, the OLPC owner had maliciously changed the decimalsValue parameter to an extremely large value (7326680472586200649) and later renounced ownership. A small OLPC transfer triggered massive burns of OLPC and LABUBU tokens from the pool (to the dead address), desynchronizing the pair’s cached reserves. This allowed the attacker to drain a large amount of LABUBU, which was swapped through intermediate pools for ~1.115 million USDT. Funds were bridged to Ethereum and deposited into Tornado Cash.
Amount of loss: $1,100,000
Attack method: Smart Contract Vulnerability
Description of the event: On June 19, 2026, approximately $600,000 in assets (ATOM, USDC, OSMO, TIA, NYM, etc.) were drained from Namada’s Multi-Asset Shielded Pool (MASP) through an IBC Transfer Logic Exploit. The loss initially went unnoticed because a stale indexer continued displaying funds as available, while live RPC queries showed zero balances on the chain. The attacker swept shielded IBC assets cross-chain. Namada confirmed the exploit and is investigating.
Amount of loss: $600,000
Attack method: Protocol Vulnerability
Description of the event: On June 19, 2026, at approximately 7:15 AM UTC, the mySwap CL (Concentrated Liquidity) protocol on Starknet was exploited, resulting in around $300,000–$305,000 being drained from its liquidity pools. The mySwap interface had been closed to new liquidity deposits for over six months, and the drained funds were mostly residual LP positions across more than 100,000 positions. The attacker bridged the stolen assets and used Railgun to obscure the transaction flow. The exploit nearly emptied all remaining liquidity in the protocol.
Amount of loss: $300,000
Attack method: Smart Contract Vulnerability
Description of the event: The JB DeFi protocol suffered an exploit involving a flash loan and price manipulation, resulting in approximately $50,000 being drained. The attack exploited protocol logic through flash loan-enabled price manipulation on the Solidity-based contract.
Amount of loss: $50,000
Attack method: Flashloan Price Manipulation
Description of the event: On June 17, 2026, attackers exploited Aztec’s deprecated Private Rollup Bridge (launched in 2021 and shut down in 2022). They abused an immutable escape-hatch function that lacked proper ownership checks, using manipulated or fake rollup proofs to withdraw assets without corresponding deposits. Approximately $2.16 million (1,158 ETH, 150,000 DAI, and 0.47 renBTC) was drained. Aztec Labs confirmed the affected contract is unrelated to the current Aztec Network or the AZTEC ERC-20 token and that they have no control over the immutable old contracts.
Amount of loss: $2,160,000
Attack method: Smart Contract Vulnerability
Description of the event: On June 17, 2026, Little Boy Plus, a fully decentralized DeFi mining protocol on BSC claiming “no team, no admin keys”, was exploited. An attacker exploited a logic vulnerability in the LBPHashrate contract’s _update() function. By triggering it with a zero-value transferFrom call (bypassing OpenZeppelin authorization), the attacker called _harvest without authorization and minted LBP tokens directly to the PancakeSwap LBP/USDT pair via mintReward. This inflated the pair’s balance without updating reserves, allowing the attacker to drain ~377,642 USDT (~$367k–$378k) through PancakePair.swap(). The funds were later sent to Tornado Cash.
Amount of loss: $367,000
Attack method: Smart Contract Vulnerability
Description of the event: A legacy vault of Thetanuts Finance on Ethereum was exploited due to a flaw in redemption math and integer calculations in the mint/claim functions. The attacker used flash loans to drain approximately $2.1 million after reducing token supply to near zero. A whitehat recovered most funds (~$2M), resulting in a net loss of around $105K according to the project. Current products and active contracts were unaffected.
Amount of loss: $105,000
Attack method: Smart Contract Vulnerability
Description of the event: An attacker exploited a vulnerability in the incomplete proof verification logic of the deprecated Aztec Connect Router contract on Ethereum, draining approximately $2.1 million in assets. The protocol had been deprecated for three years with no team control over the immutable contract. The current Aztec Network and AZTEC token were unaffected.
Amount of loss: $2,100,000
Attack method: Smart Contract Vulnerability
Description of the event: Solana-based decentralized exchange Raydium disclosed a vulnerability in its deprecated AMM V3 program (phased out in 2021), which allowed an attacker to drain approximately $1.34 million from five inactive liquidity pools (Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL). The flaw was due to insufficient validation of LP mint addresses, enabling the attacker to create a fake LP token and bypass proportion checks to withdraw funds. No current users, active programs, SDK, or dApp were affected. Raydium will fully compensate losses from its treasury and is conducting a security review of mainnet programs.
Amount of loss: $1,340,000
Attack method: Smart Contract Vulnerability
Description of the event: An attacker exploited a vulnerability in Secret Network’s modified CW20-ICS20 contract used for the Axelar IBC bridge. By creating a fake Cosmos chain and sending forged IBC deposit packets (the contract had critical source-channel verification checks commented out), the attacker minted approximately $4.67 million in unbacked “saTokens” (Secret-wrapped versions of Axelar-bridged assets). These were redeemed through the legitimate bridge channel, draining real assets from Axelar’s escrow in about 18 minutes. Funds were then bridged out via Osmosis to Ethereum and mostly cashed out on exchanges. The incident was detected on June 17 and publicly disclosed on June 19. Axelar paused the Secret bridge routes; its core protocol and other chains were unaffected. No funds have been recovered.
Amount of loss: $4,670,000
Attack method: Smart Contract Vulnerability
Description of the event: Humanity Protocol suffered a security incident where private keys of a Humanity Foundation member were compromised, leading to the draining of large amounts of $H tokens from multiple linked wallets (which had interacted with the project’s contracts). The stolen funds were swapped for ETH, with losses exceeding $30M and the $H token crashing ~90%. The team urged users not to interact with the bridge or liquidity pools.
Amount of loss: $31,000,000
Attack method: Private Key Leakage
Description of the event: Asterix Labs (a fork of the Flooring Protocol NFT liquidity platform) suffered an exploit targeting its $ASTX token contract. Attackers drained approximately $40,000 by exploiting a smart contract vulnerability in the shared DN404/BT404 token standard codebase—the same flaw used in the Flooring Protocol attack the previous day. The project team immediately acknowledged the incident on X and stated they are investigating, with a full post-mortem to follow.
Amount of loss: $40,000
Attack method: Smart Contract Vulnerability
Description of the event: Haedal Protocol’s Vault pools on Sui suffered an exploit due to a hidden cross-version logic flaw from a 2025 upgrade. The attacker used deprecated old deposit paths to mint inflated LP shares and redeemed them via new paths for excess underlying assets, causing ~$915k in direct losses. Haedal has paused the affected contracts, will fully compensate users, and is preparing a patched upgrade.
Amount of loss: $915,179
Attack method: Smart Contract Vulnerability
Description of the event: The NovaBox platform’s reward pool on Ethereum was hacked. The attacker borrowed 427.5 WETH via an Aave V3 flash loan and exploited a flaw in the reward distribution mechanism (dividends distributed before balance updates on deposits/withdrawals). By first depositing a small amount of NOVA tokens to trigger dividend calculation and then a large ETH deposit to inflate their actual share—while the system still calculated based on the old small share—they generated approximately 145.82 ETH in “phantom dividends,” draining the pool from 65.11 ETH to 0.09 ETH (99.86% loss) in a single transaction. Security firm F12 confirmed it was not a smart contract vulnerability but a flaw in the reward mechanism logic.
Amount of loss: $93,600
Attack method: Flash Loan Attack
Description of the event: Syscoin Bridge was exploited. The attacker leveraged a validation issue in the bridge flow, resulting in the unauthorized creation of approximately 5 billion SYS on the UTXO side. The funds were subsequently moved and split. The team has paused the bridge, is actively tracing the tainted outputs, coordinating with exchanges for blacklisting/monitoring, and working on a fix and remediation.
Amount of loss: $10,000,000
Attack method: Bridge Verification Flaw
Description of the event: Flooring Protocol V2 and BitmapPunks (BT404 / $BMP) were exploited due to a BT404-style packed ownership logic vulnerability (malicious high-bit token ID alias + unchecked integer underflow). The attacker minted near-infinite fpTokens/$BMP with a dust amount of WETH, drained liquidity pools, and extracted high-value NFTs (e.g., BAYC, CryptoPunks) at low cost. Yuga Labs quickly intervened with a white-hat operation via GrailsOTC, rescuing 68 NFTs worth over $500,000, now held safely for return after fixes.
Amount of loss: -
Attack method: Smart Contract Vulnerability
Description of the event: Ambient Finance (formerly CrocSwap) was exploited via an accounting logic flaw in surplus collateral handling. The attacker used a flash loan and rapid cycling through HotProxy/WarmPath/ColdPath operations to drain ~83.72 ETH (~$110.6K) from the protocol’s monolithic smart contract.
Amount of loss: $110,600
Attack method: Smart Contract Vulnerability
Description of the event: On June 8, 2026, OpenMonero's P2P trading platform server was breached. The hacker gained root access and stole approximately 200 XMR. The project owner announced on Telegram that all funds were lost; the attack was not at the application layer.
Amount of loss: $62,900
Attack method: Supply Chain Attack