1946 hack event(s)
Description of the event: The DeFi protocol dTRINITY suffered an exploit targeting its swap adapter contracts, resulting in the loss of approximately $56,000 belonging to core team members.
Amount of loss: $ 56,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol Hyperdrive, built on the Hyperliquid chain, was exploited. The attacker repeatedly abused an arbitrary call vulnerability in the router, resulting in a loss of approximately $782,000.
Amount of loss: $ 782,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol HyperVault, built on the Hyperliquid chain, has executed a rug pull, making off with approximately $3.61 million.
Amount of loss: $ 3,610,000 Attack method: Rug Pull
Description of the event: The attackers exploited a misconfigured LayerZero bridge along with a compromised private key for the GAIN BSC contract. By setting a malicious peer contract on Ethereum, they bypassed validation checks and minted 5 billion counterfeit GAIN tokens on BSC. The attackers then sold approximately 150 million of these counterfeit tokens (about 2.8% of the total fake supply) on PancakeSwap, cashing out around USD 3 million.
Amount of loss: $ 3,000,000 Attack method: Private Key Leakage
Description of the event: The AI-powered Web3 social platform UXLINK was exploited after an attacker gained control of the project’s multisignature wallet. By minting large amounts of UXLINK tokens, the attacker cashed out over $11.3 million. Shortly after the incident, the attacker—apparently rushing to liquidate before the token price dropped further or exchanges could freeze the assets—accidentally approved a phishing contract. As a result, approximately 542 million UXLINK tokens were transferred to a phishing address.
Amount of loss: $ 11,300,000 Attack method: Multisignature Theft
Description of the event: Meta Alchemist, founder of the Web3 incubator and launchpad platform Seedify, announced on X that one of its SFUND bridges was recently hacked. According to Seedify’s official account, a DPRK-affiliated group known for multiple Web3 exploits gained access to a developer’s private key. Using this access, the attackers were able to mint a large number of SFUND tokens through a bridge contract that had previously passed audit. As a result, the OFT contract was compromised, allowing the attackers to alter its settings and mint unauthorized tokens on Avalanche.
Amount of loss: $ 1,700,000 Attack method: Private Key Leakage
Description of the event: The DeFi project Corepound, built on the Core DAO blockchain, has carried out a rug pull, making off with approximately $400,000.
Amount of loss: $ 400,000 Attack method: Rug Pull
Description of the event: Stablecoin protocol Yala announced that a recent security incident occurred when a hacker abused temporary deployment keys during an authorized cross-chain bridge deployment, set up an unauthorized bridge, and extracted 7.64M USDC (approximately 1,636 ETH).
Amount of loss: $ 7,640,000 Attack method: Security Vulnerability
Description of the event: Kame Aggregator suffered an exploit due to a design flaw in the swap() function, which allowed arbitrary executor calls. This vulnerability enabled attackers to transfer tokens that users had approved to the AggregationRouter, particularly from users with unlimited or oversized approvals. The total value of affected assets was approximately $1.32 million, of which around $946,000 was recovered by the Kame team from the primary exploiter, and about $22,000 was recovered by white-hat hackers.
Amount of loss: $ 1,320,000 Attack method: Contract Vulnerability
Description of the event: The Shibarium bridge, connecting the Layer 2 network of the same name to Ethereum, was targeted in a flash loan attack, resulting in a loss of approximately $2.4 million. The attacker used a flash loan to purchase 4.6 million BONE tokens and obtained validator signing keys, gaining control of the majority of validator power, and ultimately signed a malicious state to drain assets from the bridge.
Amount of loss: $ 2,400,000 Attack method: Flash Loan Attack
Description of the event: Nemo Protocol, a DeFi protocol on Sui, was attacked, resulting in a loss of approximately $2.4 million.
Amount of loss: $ 2,400,000 Attack method: Unknown
Description of the event: Swiss crypto platform SwissBorg suffered a security incident in which approximately 192,600 SOL (~$41.5M) was stolen on Solana. According to SwissBorg’s official statement, the incident was caused by a compromised partner API, impacting its SOL Earn program.
Amount of loss: $ 41,500,000 Attack method: Third-party Vulnerability
Description of the event: On-chain investigator ZachXBT reported that the Solana project Aqua has likely executed a rug pull involving approximately 21,770 SOL (~$4.65M). A few hours ago, the funds were split into four parts, moved through multiple intermediary addresses, and then sent to various instant exchanges.
Amount of loss: $ 4,650,000 Attack method: Rug Pull
Description of the event: Bunni, a DEX built on Uniswap v4, was exploited on Ethereum and UniChain, with total losses of approximately $8.4 million.
Amount of loss: $ 8,400,000 Attack method: Flash Loan Attack
Description of the event: The PulseChain-based DeFi project BetterBank was exploited by an attacker who took advantage of a vulnerability that allowed them to mint arbitrary tokens, some of which they then swapped for ETH. The attacker later returned around $2.7 million of the stolen assets, having cashed out around $1.4 million.
Amount of loss: $ 5,000,000 Attack method: Contract Vulnerability
Description of the event: According to an announcement from Equilibria Finance, a vulnerability was discovered in the ePENDLE auto-compounder contract on Ethereum, resulting in a loss of approximately 13.36 ETH. The issue stemmed from the stk-ePENDLE contract on Ethereum mainnet not being configured as non-transferable. The attacker used flash loans via Balancer to acquire ePENDLE, staked it into stk-ePENDLE, and then repeatedly transferred stk-ePENDLE across multiple addresses. Each transfer triggered a reward claim, enabling the attacker to drain the unclaimed rewards from the contract.
Amount of loss: $ 62,500 Attack method: Contract Vulnerability
Description of the event: ABCCApp on BSC was reportedly attacked, resulting in a loss of approximately $10.1K. The root cause was that the contract’s addFixedDay() function lacked access control, and fixedDay was used in calculating claimable USDT.
Amount of loss: $ 10,100 Attack method: Contract Vulnerability
Description of the event: According to SlowMist Threat Intelligence, puffer[.]fi and @puffer_finance have been compromised.
Amount of loss: - Attack method: Account Compromise
Description of the event: D3X AI (@D3X_AI) was attacked on BSC, resulting in a loss of approximately $158.9K. The root cause was that the exchange() function of contract 0xb8ad relied on the spot price of the d3xat token from a UniswapV2 pair, which the attacker exploited through a price manipulation attack.
Amount of loss: $ 158,900 Attack method: Price Manipulation
Description of the event: The official X account of the stablecoin protocol Level was reportedly compromised, and a fraudulent airdrop link was posted.
Amount of loss: - Attack method: Account Compromise