Sunday, February 23, 2025

Web3 Security

Exploit Tracker

Crypto Attack Log

Total losses from protocol exploits in 2025 so far:
$0

Railgun Returns Stolen Funds: $9.5M zkLend Exploit

Funds Lost: $9,500,000

Date: 12.02.2025

Quick Summary: zkLend suffered a $9.5M exploit on Starknet, after which the attacker attempted to launder the funds via Railgun.

Details of the Exploit: An unknown attacker moved stolen assets from zkLend to Ethereum through Railgun – a privacy protocol that unexpectedly reversed the laundering attempt. zkLend then offered a whitehat bounty allowing the attacker to retain 10% if approximately 3,300 ETH (valued at ~$8.6M) were returned by the deadline. This case highlights the compliance benefits of Railgun over other anonymizing mixers.

DogWifTools Exploit

Funds Lost: $10,000,000

Date: 28.01.2025

Quick Summary: DogWifTools was exploited for $10M, draining multiple wallet types.

Details of the Exploit: Malicious actors infiltrated users’ devices and drained hot, hardware, and centralized exchange wallets by exploiting a reversed GitHub token extraction method. Experts warn this breach exposes deep systemic vulnerabilities.

Phemex Exploit

Funds Lost: $37,000,000

Date: 23.01.2025

Quick Summary: Phemex lost $37M amid multi-chain wallet breaches.

Details of the Exploit: Attackers targeted hot wallets on Ethereum, BNB, Polygon, Arbitrum, Base, and Optimism. Suspicious stablecoin transactions were rapidly converted to ETH and laundered via mixers, prompting emergency protocols.

SUI Token Hack

Funds Lost: $29,000,000

Date: 12.12.2024

Quick Summary: $29M in SUI tokens were stolen and laundered via Tornado Cash.

Details of the Exploit: Around 6.27M SUI tokens were illicitly moved from the Sui network to Ethereum and then laundered, complicating traceability despite significant user growth.

Gifto Dump

Funds Lost: $10,000,000

Date: 28.11.2024

Quick Summary: Gifto minted 1.2B extra tokens, triggering an $8.6M dump.

Details of the Exploit: Following Binance’s delisting notice, massive on-chain minting flooded exchanges. The oversupply crashed the token’s value, drawing sharp criticism for exploiting the grace period.

Radiant Capital Access Control Exploit

Funds Lost: $58,000,000

Date: 16.10.2024

Quick Summary: Radiant Capital lost over $58M in a cyberattack.

Details of the Exploit: Attackers obtained three private keys and drained funds across BSC and Arbitrum. This breach exposed critical weaknesses in multi-signature wallet security and spurred immediate system upgrades.

Phishing Attack on Aave Ethereum sDAI

Funds Lost: $2,470,000

Date: 10.10.2024

Quick Summary: A phishing scam cost $2.47M in sDAI.

Details of the Exploit: A user unwittingly signed a fraudulent permit transaction, granting an attacker control over their sDAI wallet via temporary CREATE2 addresses.

Arbitrum Lending Protocol Oracle Exploit

Funds Lost: $130,000

Date: 03.10.2024

Quick Summary: A $130K loss hit an Arbitrum lender via oracle manipulation.

Details of the Exploit: The attacker manipulated the UniswapV3Pool price feed to inflate WETH-USDC LP token values, enabling excessive withdrawals from the protocol.

FireToken Launch Exploit

Funds Lost: $24,000

Date: 01.10.2024

Quick Summary: FireToken was exploited 24 seconds post-launch for $24K.

Details of the Exploit: A flaw in the token-burning mechanism reduced circulating supply without affecting ETH reserves, allowing an attacker to profit from subsequent price manipulation in the liquidity pool.

Bedrock Synthetic Bitcoin Exploit

Funds Lost: $2,000,000

Date: 27.09.2024

Quick Summary: Bedrock lost $2M in an attack targeting its synthetic Bitcoin token, uniBTC.

Details of the Exploit: Attackers exploited a flaw in the staking mechanism for uniBTC, draining $2M from liquidity pools while core BTC reserves remained intact. A post-mortem and reimbursement plan are underway.

uniBTC Minting Logic Exploit

Funds Lost: $1,700,000

Date: 26.09.2024

Quick Summary: uniBTC’s minting flaw led to a $1.7M loss.

Details of the Exploit: An infinite minting vulnerability enabled the attacker to generate unlimited tokens, dump them on the market, and significantly devalue uniBTC.

Onyx Liquidation Logic Exploit

Funds Lost: $4,000,000

Date: 26.09.2024

Quick Summary: Onyx lost $4M via a liquidation flaw.

Details of the Exploit: The attacker exploited a vulnerability in the liquidation logic, allowing them to force unfavorable liquidations and siphon off $4M from the protocol.

Truflation Private Key Compromise

Funds Lost: $5,000,000

Date: 25.09.2024

Quick Summary: Truflation lost $5M after a malware breach.

Details of the Exploit: Malware infiltrated the infrastructure and compromised a critical private key, enabling attackers to drain $5M from the platform.

Shezmu Infinite Mint and Dump

Funds Lost: $4,900,000

Date: 20.09.2024

Quick Summary: A flaw in Shezmu let an attacker mint and dump tokens, causing a $4.9M loss.

Details of the Exploit: A minting logic vulnerability allowed unlimited token creation; the minted tokens were rapidly sold off, crashing the token’s value and causing severe financial damage.

BingX Exchange Compromised

Funds Lost: $52,000,000

Date: 20.09.2024

Quick Summary: BingX lost $52M through multi-chain wallet breaches.

Details of the Exploit: Vulnerabilities in 15 hot wallets across Ethereum, BSC, Base, Optimism, Polygon, Arbitrum, and Avalanche allowed unauthorized transfers. Emergency protocols were enacted and assets secured in cold storage.

DeltaPrimeDefi Exploit on Arbitrum Chain

Funds Lost: $6,000,000

Date: 16.09.2024

Quick Summary: DeltaPrime lost $6M via a key compromise.

Details of the Exploit: The admin’s lost private key allowed attackers to maliciously upgrade contracts and drain liquidity pools on Arbitrum. Stolen USDC was swapped to ETH, emphasizing the need for enhanced key security.

Indodax Exploit: $22 Million Stolen

Funds Lost: $22,000,000

Date: 10.09.2024

Quick Summary: Indodax lost $22M through multi-chain wallet breaches.

Details of the Exploit: Hackers exploited vulnerabilities in hot wallets across Bitcoin, Ethereum, and Tron and used Tornado Cash to obfuscate transfers, draining a total of $22M and exposing critical flaws in the withdrawal system.

Block Data:

  • Bitcoin: bc1q5uqpn0ha5llrvhcvkq3nfalp8fj7qe3rydcvmf
  • Tron: TBooefeY6FvGuyKfvp5yE1HmzhzvXnvA1P
  • Ethereum: 0xb0a2e43d3e0dc4c71346a71484ac6a2627bbcbed
  • Polygon: 0x90fffbc09e9a5f6d035e92d25d67e244ef5e904f
  • Optimism: 0x3b8f1131a20e131c195bda6fdd6e9be38935eb6d

CUT Token Flash Loan Attack

Funds Lost: $1,400,000

Date: 10.09.2024

Quick Summary: A flash loan attack drained $1.4M from CUT.

Details of the Exploit: Exploiting a yield flaw via a PancakeSwap flash loan, the attacker manipulated the CUT-BUSD pair to drain $1.4M from the liquidity pool.

Penpie Exploit: Reentrancy Attack

Funds Lost: $27,000,000

Date: 03.09.2024

Quick Summary: Penpie lost over $27M via reentrancy.

Details of the Exploit: A reentrancy flaw enabled attackers to generate fraudulent yield tokens and siphon funds through multiple transactions, draining over $27M from the protocol.

Aave Contract Exploit

Funds Lost: $56,000

Date: 28.08.2024

Quick Summary: Aave lost $56K via an unchecked allowance flaw.

Details of the Exploit: A flaw in the _buyOnParaSwap function allowed unauthorized transfers by exploiting unchecked token allowances, draining $56K from the collateral adapter.

Phishing on DeFi Saver Proxy

Funds Lost: $55,000,000

Date: 21.08.2024

Quick Summary: A phishing scam cost $55M in DAI.

Details of the Exploit: A user unwittingly signed a fraudulent permit transaction, granting an attacker control over their proxy, draining $55M in DAI from the account.

Vow Token Exploit

Funds Lost: $1,200,000

Date: 13.08.2024

Quick Summary: Vow lost $1.2M due to a conversion flaw.

Details of the Exploit: A smart contract bug enabled attackers to create valueless tokens and convert them into real assets by manipulating the burn rate, causing a $1,200,000 loss.

Nexera Access Control

Funds Lost: $449,000

Date: 07.08.2024

Quick Summary: Nexera lost $449K via unauthorized access.

Details of the Exploit: Attackers exploited compromised security credentials to gain control of Nexera’s smart contracts and transfer NXRA tokens, resulting in a $449K loss.

Ronin Bridge Hack

Funds Lost: $12,000,000

Date: 06.08.2024

Quick Summary: Ronin lost $12M via a bridge vulnerability.

Details of the Exploit: An uninitialized variable in the updated Ronin bridge contract enabled unauthorized withdrawals of ETH and USDC totaling $12M.

Convergence Finance Exploit

Funds Lost: $210,000

Date: 01.08.2024

Quick Summary: Convergence lost $210K via a liquidity pool exploit.

Details of the Exploit: A vulnerability in the reward distribution contract allowed an attacker to claim excessive rewards and drain $210K from liquidity pools.

Terra Blockchain Exploit

Funds Lost: $6,500,000

Date: 31.07.2024

Quick Summary: Terra lost $6.5M via an oracle manipulation attack.

Details of the Exploit: An attacker manipulated Terra’s oracle price feeds, triggering massive liquidations that resulted in a $6.5M asset loss and exposed critical flaws in the pricing mechanism.
