Security Desk · Tool
Exploit Tracker
Every major crypto exploit we log: what was hit, how much was lost, and how the attack actually worked — in plain English. Maintained by the Security Desk; updated as incidents are verified.
Drift Protocol$286M
On April 1, 2026, Drift Protocol suffered a roughly $286M exploit after attackers gained unauthorised administrative control and drained multiple protocol vaults on Solana.
Early reporting indicated this was not a routine smart-contract math bug but a privileged-control failure. The attacker rapidly drained several core vaults, with stolen assets including JLP, USDC, SOL, cbBTC and wBTC. Drift suspended deposits and withdrawals while investigators traced the outflows. Later reporting from Elliptic said the laundering patterns and on-chain behaviour were consistent with previous DPRK-linked operations, though that remains an attribution claim rather than a court finding.
Resolv Labs$25M
On March 22, 2026, Resolv Labs suffered an infrastructure breach after attackers gained privileged access through a compromised private key and minted a large block of uncollateralised USR.
This was not a contract-logic failure so much as the old classic: somebody got access they should not have had. The attacker used the compromised mint authority to create roughly $80M in fake USR, staked part of it into wstUSR, swapped into real assets, and tried to force value out before the protocol could shut the doors. Resolv moved quickly, paused the relevant contracts, burned a chunk of attacker-held supply, and said the realised damage before the pause was far smaller than the headline nominal mint. The important distinction is that the collateral base was not directly emptied; the danger came from fake liabilities being created against it.
USDC Permit Signature Phish$2M
On March 16, 2026, a victim lost $1.76M in USDC after signing a malicious Permit approval that handed spending rights to an attacker-controlled contract.
No fancy contract math here. The victim was tricked into signing what looked like a routine approval flow, but the Permit granted the attacker's contract the power to transfer the victim's USDC. The funds were drained immediately, swapped into ETH, and split across several wallets. Another reminder that one bad signature can be as fatal as a leaked seed phrase.
Venus$2M
On March 16, 2026, Venus Protocol on BSC was left with about $2.18M in bad debt after an attacker abused a supply-cap enforcement gap around THE and then pumped the token in thin liquidity.
This one was slow-cooked, not smash-and-grab. Over roughly nine months, the attacker built a giant uncapped THE position by routing around the normal deposit path and bypassing the intended supply ceiling. Once the position was in place, they started the recursive part: borrow assets, buy THE in low liquidity, push the price higher, transfer more THE into the market, inflate collateral value, repeat. The oracle did what it was told and reflected the manipulated market. When the unwind came, the collateral could not cover the borrowings and Venus was left with bad debt.
Solv Protocol$3M
On March 5, 2026, Solv's BRO vault was exploited through a double-mint flaw that let the attacker turn a tiny BRO position into a cartoonishly large one and swap it for real SolvBTC.
The vulnerable BRO contract effectively paid twice in the same mint path. When the ERC-3525 NFT transfer callback fired, tokens were minted once, and then the outer mint routine minted them again. The attacker just looped burn/mint repeatedly until 135 BRO had been inflated into hundreds of millions. Once the fake balance existed, it was exchanged for real SolvBTC. Solv said the impact was confined to the affected vault and committed to covering losses.
Blend Protocol$11M
On February 22, 2026, the YieldBlox DAO Pool on Blend V2 was exploited for about $10.86M after an attacker pushed USTRY's SDEX price roughly 100x higher and let the oracle swallow it whole.
The attacker found an absurdly thin order book and did what attackers do when markets are basically decorative: they walked the price into the sky. Reflector picked up the manipulated SDEX price and Blend treated the attacker's USTRY as prime collateral instead of what it actually was. That opened the door to borrowing tens of millions in XLM and USDC against collateral worth a fraction of that. Once again, the oracle was not hacked in the Hollywood sense; it was just far too trusting.
IoTeX ioTube Bridge$4M
On February 21, 2026, IoTeX's ioTube bridge lost about $4.4M on the Ethereum side after attackers compromised the Validator owner account and upgraded it to bypass the bridge's security checks.
Once the owner account was in hostile hands, the attacker replaced the Validator logic with something that effectively waved everything through. That broke the trust boundary protecting the MintPool and TokenSafe contracts, letting the attacker mint bridge-side assets and drain reserve tokens. IoTeX managed to freeze and blacklist a meaningful slice of the fallout, but not before real value had already left.
Moonwell cbETH Oracle Incident$2M
On February 15, 2026, Moonwell on Base suffered about $1.78M in losses when cbETH was mispriced at roughly $1.12 instead of around $2,200, triggering mass liquidations and cheap borrowing.
This was not subtle. The oracle pipeline effectively passed through a token ratio without multiplying it back into the dollar value of ETH. That meant the protocol treated cbETH as almost worthless. Liquidation bots stepped in, repaid pocket change, and received outsized chunks of collateral. Other users borrowed against the same broken number. Moonwell moved to clamp the market fast, but not before the bad price had already done its damage.
CrossCurve$3M
On February 1, 2026, CrossCurve lost roughly $2.9M after an attacker exploited an authorisation bypass in ReceiverAxelar's express execution flow.
Axelar's model is supposed to bind execution to validated cross-chain messages. The weak point here was a path that skipped that validation and relied too heavily on attacker-controlled metadata. The result was spoofed messages that looked close enough to pass local checks, letting the attacker trigger unlocks they had no right to trigger. CrossCurve responded with a white-hat ultimatum and threat of legal follow-through, which is usually what teams say when the chain has already spoken.
Step Finance Treasury Breach$30M
On January 31, 2026, Step Finance suffered a treasury breach of roughly $27M-30M after multiple treasury wallets were compromised and stake authority was transferred away.
Step described the route as a well-known attack vector, which usually means something operational and ugly rather than elegantly novel. Once the attacker had the relevant wallet access, they moved stake authority, unstaked, and drained a huge SOL position. The key point is that this appears to have been treasury-specific rather than a user-fund contract exploit, but $30M disappearing is still $30M disappearing.
Aperture Finance$4M
On January 25, 2026, Aperture Finance V3/V4 contracts were exploited for about $3.67M across multiple chains through a similar arbitrary-call / approval-abuse flaw.
The attacker did not need users to do anything in the moment. The damage came from approvals that already existed. Once the vulnerable call path was abused, ERC-20 and even NFT-style approvals could be cashed in. The exploit also overlapped with the wider SwapNet incident, which suggests the attackers were not improvising but moving through a known pattern.
SwapNet$17M
On January 25, 2026, SwapNet was hit for about $17M after attackers abused an arbitrary-call style flaw to weaponise existing token approvals.
This one was grimly practical. Users had already approved router-style contracts, and the vulnerable logic let attackers steer those approvals into unauthorised transferFrom calls. In other words, the protocol became a machine for cashing in permissions users had granted earlier under normal conditions. This was linked to the same broader approval-abuse wave that also hit Aperture.
SagaEVM$7M
On January 21, 2026, SagaEVM suffered a roughly $7M incident involving coordinated malicious deployments and cross-chain exits to Ethereum.
Saga's account of this is important: they said there was no validator compromise, no consensus failure, and no signer key leak. That suggests the failure lived inside the chainlet or attached execution environment rather than the network's deeper trust layer. Still, the attacker got real assets out before the chainlet was halted, which is all users and markets tend to care about.
Makina Finance$5M
On January 20, 2026, Makina Finance suffered a $5M oracle-manipulation exploit against the DUSD/USDC Curve pool, with part of the value intercepted by an MEV builder.
The attacker pulled a giant USDC flash loan, distorted the MachineShareOracle's pricing, and used the bad number to drain the relevant stablecoin liquidity. The funny detail, if one can call it funny, is that a big chunk of the exploit value was frontrun and effectively stolen from the thief by an MEV builder. DeFi increasingly has these nested theft structures now: protocol gets robbed, then the robber gets partially robbed on the way out.
Yo Yield$4M
On January 13, 2026, Yo Yield lost about $3.7M when 3.84M GHO was swapped into just 112K USDC during a vault operation.
Sometimes the exploit is simply dreadful execution. The protocol converted something that should have behaved roughly like a stable-for-stable trade into catastrophic slippage. Whether you label that a bug, controls failure, or operator negligence, the effect is the same: a vault did something economically insane and users wore the damage.
NYC Memecoin$3M
On January 13, 2026, the $NYC memecoin was accused of a classic rug after liquidity was pulled shortly after promotion from a high-profile account.
There is not much technical subtlety here. The pattern described by researchers is the standard memecoin circus: public hype, fast inflows, liquidity removed, late buyers stranded. Once again, the interesting part is not the code but the distribution mechanism -- credibility and audience were the real attack surface.
Social Engineering Theft$282M
On January 10, 2026, a victim lost more than $282M in BTC and LTC through a hardware-wallet social-engineering scam, after which the attacker moved rapidly across THORChain, CEXs and privacy rails.
This was not a protocol failure at all; it was human compromise followed by industrial-grade laundering. The attacker started bridging and swapping almost immediately, moving large slices through THORChain into ETH, XRP and other assets, then dispersing funds across exchanges and mixers. It was a reminder that in raw dollar terms, social engineering still competes comfortably with every smart-contract exploit you care to name.
Truebit$27M
On January 8, 2026, Truebit lost about $26.5M after an integer overflow in getPurchasePrice() let the attacker mint TRU for effectively zero ETH and dump it.
This is the kind of bug that makes smart-contract veterans sigh and stare into the middle distance. A large input caused the pricing math to overflow, the division result collapsed to zero, and the attacker could repeatedly mint huge amounts of TRU without paying meaningful cost. The market did the rest. Once the newly minted supply hit liquidity, the token price fell off a cliff and the attacker walked away with ETH.
TMX$1M
On January 6, 2026, TMX on Arbitrum lost around $1.4M when an attacker found a profitable mint/stake/swap/unstake loop and repeated it until the pools were drained.
The contract was unverified, which never helps, but the core pattern was simple enough: each cycle returned more value than went in. Once that kind of mechanical edge exists, the attacker's job is just to keep pressing the button until the pool stops paying. That appears to be what happened here.
Unleash Protocol$4M
On December 30, 2025, Unleash Protocol's multisig governance was compromised, enabling an unauthorised upgrade and a drain of roughly $3.9M.
This was a permissions story. Once the attacker acquired governance-side control, the rest followed in depressingly familiar fashion: upgrade logic, withdraw assets, bridge out, launder through Tornado. Story itself said its core infrastructure was unaffected, which may be true, but that is cold comfort when the application sitting on top of it has been opened with admin keys.
Flow Network$4M
On December 27, 2025, an attacker exploited a flaw in Flow's execution layer and moved roughly $3.9M off-network through bridges before validators coordinated a halt.
Flow stressed that existing user balances were not touched, which matters. The vulnerability appears to have been in the exit/execution path rather than a direct user-account drain. That said, once assets are already riding bridges to Ethereum and the attacker is sending value through THORChain and Chainflip, the distinction becomes more architectural than comforting.
Trust Wallet Browser Extension$7M
On December 26, 2025, Trust Wallet Browser Extension v2.68 was compromised, leading to about $6M-7M being drained from affected users.
This was a supply-chain style wallet incident. The bad version reportedly gave the attackers access to sensitive wallet material or signing capability, and once a malicious update is sitting in a live extension channel the blast radius can expand quickly. Trust Wallet pushed users to disable the version and move fast, but malicious updates are brutal because they hijack the trust users have already granted.
Address Poisoning Attack$50M
On December 20, 2025, a victim lost almost $50M in USDT after copying a poisoned lookalike address from transaction history.
This was pure human-interface exploitation. The attacker exploited how people rely on recent transaction history and glance at the first and last few characters of an address instead of verifying the whole thing. After the victim sent a small test amount, the poisoned address appeared in their history and the main transfer followed. The attacker then started laundering almost immediately through stablecoin swaps and Tornado.
Yearn Finance Legacy yETH Exploit$9M
On November 30, 2025, a legacy Yearn yETH product was exploited, letting the attacker infinitely mint yETH and drain almost $9M from connected liquidity pools.
The vulnerable path sat in old yETH logic rather than Yearn's later vault architecture. Once the attacker could mint effectively unbacked yETH, those fake claims were pushed into Balancer and Curve-style liquidity to pull out real ETH and LSDs. Yearn later coordinated some recovery and treasury support, but the broader lesson was the usual one: old code with live liquidity attached is still live risk.
Upbit Solana Hot-Wallet Breach$36M
On November 27, 2025, Upbit reported about $36M in unauthorised outflows from a production Solana hot wallet and suspended Solana rails.
The outflows hit multiple Solana assets, and the important operational point was that Upbit said cold wallets were not compromised and customer balances would be made whole. That suggests an exchange hot-wallet security failure rather than a total infrastructure collapse. Still, when a major exchange says unauthorised outflow, the words are polite but the meaning is not.
GANA Payment Liquidity Drain$3M
On November 20, 2025, GANA Payment on BSC was stripped of roughly $3.1M before the proceeds were washed through Tornado Cash on BSC and Ethereum.
The exact technical cause remained murky, but the money trail was clear enough: liquidity drained, proceeds converted, laundering began. GANA looked like one of those thinly documented projects where public code and public explanation lag far behind the actual economic damage.
Stream Finance External Manager Blow-Up$93M
On November 4, 2025, Stream Finance said an external fund manager had effectively vaporised around $93M, triggering a much wider synthetic-debt unwind.
This was less a smart-contract exploit than a systemic collateral crisis. Stream's synthetic stack was wired into multiple lenders and related stable structures, so once confidence broke the damage spread quickly. These are often the messiest incidents because the initial hole is smaller than the eventual credit crater it opens.
Moonwell wrsETH Oracle Meltdown$4M
On November 4, 2025, Moonwell's Base deployment was left with around $3.7M in bad debt after a wrsETH oracle briefly valued one token like a small country.
The attacker used a nonsense oracle print to treat dust-sized wrsETH as enormous collateral. Once that happened, the rest was routine: borrow real assets, cycle through markets fast, leave the protocol holding the embarrassment. Moonwell clamped supply and borrow caps quickly, but fast clamps do not un-create bad debt.
Balancer V2 Stable Pool Exploit$116M
On November 3, 2025, Balancer's V2 Stable and Composable Stable v5 pool logic was exploited for about $116M across multiple deployments.
Balancer's preliminary write-up tied the attack to stable-pool rounding / upscale behaviour in EXACT_OUT swap flows combined with flash loans and BatchSwaps. In plain English: old, complex pool math was pushed into states it should never have tolerated, and the attacker extracted value faster than mitigations could contain it.
Beets Fi Balancer V2 Sonic Incident$3M
On November 3, 2025, Beets' Balancer V2 pools on Sonic were hit in the wider Balancer exploit wave, but Sonic's freeze mechanism trapped around $3M on-chain.
This is the rare exploit where a chain-level intervention materially limited the attacker's ability to get paid. The underlying pool logic was still broken, but Sonic's security tooling prevented the normal exit route of bridge-and-launder.
Garden Finance Multi-Chain Liquidity Drain$11M
On October 30, 2025, Garden Finance lost about $11M across multiple networks in a coordinated drain of WBTC, USDC and USDT liquidity.
Garden argued its core contracts were fine and pointed to integrations; outside observers were less generous. Whatever the precise fault line, the practical result was that value moved out across chains, into ETH, and into laundering routes. That is usually the moment when debates about root cause become secondary.
Typus Finance Oracle Manipulation$3M
On October 15, 2025, Typus Finance on Sui lost about $3.44M after a broken auth gate in the oracle module let the attacker publish bogus prices.
A public price feed without real authentication is less an oracle than a suggestion box. Once the attacker could publish values the protocol treated as trusted, draining the TLP became straightforward. Typus paused quickly, but the bug was the kind that should never have made it to production.
Hyperliquid Private Key Compromise$21M
On October 10, 2025, a leaked signing key let attackers bridge out about $21M from a Hyperliquid user.
This was key compromise, not clever protocol exploitation. The funds moved with attacker-signed transactions, which is a much duller but more common cause of loss than people like to admit.
Hypervault Suspected Rugpull$4M
On September 26, 2025, Hypervault appeared to pull a classic exit, moving about $3.6M in user funds off Hyperliquid and into laundering channels.
Team disappears, funds consolidate, bridges light up, Tornado appears in the distance: everyone knows the choreography by now.
GriffinAI GAIN Cross-Chain Peer Exploit$3M
On September 25, 2025, GriffinAI's GAIN token was exploited after a rogue LayerZero peer was accepted as trusted, enabling mass minting and a token collapse.
Trusted-peer design is only as trustworthy as the peer registration. Once the attacker got a malicious contract accepted, they could mint GAIN as if it were legitimate cross-chain flow and dump it into real liquidity.
SBI Crypto Hot-Wallet Heist$24M
On September 24, 2025, attackers drained about $24M across BTC, ETH, LTC, DOGE and BCH in a multi-asset hot-wallet breach tied to SBI infrastructure.
The case had all the usual custodial red flags: hot-wallet exposure, fast laundering, and uncertainty over whether the initial compromise was keys, servers, or something adjacent. Either way, the exchange side of the stack failed before chain logic had any chance to matter.
UXLINK Multi-Sig & Mint Abuse$48M
On September 22, 2025, UXLINK suffered a multi-sig takeover, asset sweep and huge unauthorised token mint, with losses around $48M.
Once multi-sig control broke, it ceased to be a protocol and became the attacker's toy. Funds were swept first, inflation weaponised next, and then the attacker themselves reportedly got partially phished later in a kind of criminal slapstick sequel.
Aqua Solana Presale Rug$5M
On September 9, 2025, Aqua's team allegedly rugged a Solana presale worth roughly $4.65M despite audits, partnerships and heavy credibility theatre.
The familiar pattern: build a trust wrapper, borrow legitimacy, pull liquidity, vanish. The scam's sophistication tends to live in its marketing, not its code.
SwissBorg SOL Earn Breach$42M
On September 8, 2025, a compromised Kiln integration led to about $41.5M in SOL losses from SwissBorg's SOL Earn product.
SwissBorg said the issue was isolated to the partner integration and covered users from treasury. That distinction matters operationally, but from the user side it still feels like the platform's stack failed where it most needed not to.
Venus Protocol Delegate Phish$13M
On September 2, 2025, a malicious delegation flow let an attacker borrow and redeem roughly $13M on a user's behalf -- though the funds were later recovered.
The protocol itself was not mathematically broken; the permission model around the victim account was. That is increasingly common: not code failure exactly, but trust granted to the wrong address or contract.
Bunni v4 Hooks Liquidity Drain$8M
On September 2, 2025, Bunni's custom v4 hook logic was exploited for about $8.4M across Ethereum and Unichain.
Uniswap v4 lets builders get creative. Creativity is not always the same thing as safety. Bunni's rebalancing and share-accounting logic could be pushed into states that credited more value than it should have.
Better Bank Bonus-Mint Exploit$5M
On August 26, 2025, Better Bank lost about $5M after an attacker abused a bonus-mint path tied to its Favor / Esteem mechanics.
The attacker found a route where the protocol rewarded itself into insolvency. Once a contract can be induced to create more redeemable value than should exist, the rest is just path optimisation.
Phishing: 783 BTC Drained$91M
On August 19, 2025, a victim lost 783 BTC -- roughly $91M -- in a high-touch support-impersonation theft.
This was not a smart-contract exploit but a trust exploit. The attacker posed as support staff, won access, and then started the slow hygiene of laundering. In cash terms, social engineering is still one of the industry's strongest recurring primitives.
BtcTurk Hack$48M
On August 14, 2025, BtcTurk suffered a roughly $48M hot-wallet breach across several chains.
This was another exchange hot-wallet event: assets drained, emergency measures triggered, assurances about cold storage made after the fact.
Odin.fun Exploit$7M
On August 12, 2025, Bitcoin launchpad Odin.fun lost about 58.2 BTC, roughly $7M, after liquidity manipulation in its AMM tool.
Spoofed or cheaply inserted assets distorted the AMM's assumptions, letting the attacker walk out with real BTC while the accounting insisted the pool was behaving normally enough.
Phishing USDT Theft$3M
On August 6, 2025, a victim was tricked into signing an approval and lost about $3.05M in USDT.
The simplest scams remain brutally effective. The attacker got approval, moved fast, and routed the funds away before the victim could react.
CrediX Exploit$5M
On August 4, 2025, CrediX on Sonic lost around $4.5M after misassigned admin roles let attackers mint unbacked assets and drain pools.
Access-control failures do not need technical glamour to be expensive. The wrong permissions existed, the attacker used them, the pool paid.
WOO X Phishing Breach$14M
On July 24, 2025, WOO X lost about $14M after a targeted phishing attack hit a team member's device and opened the way to account drains.
Infrastructure can be excellent and still be undone by the human endpoint sitting in front of it.
CoinDCX Breach$44M
On July 20, 2025, CoinDCX lost roughly $44M after attackers compromised an internal liquidity account.
Server-side or key-side compromise remains one of the cleanest paths to very large exchange losses. Once the attacker is inside the liquidity machinery, chain-level sophistication is optional.
BigONE Exchange Hack$28M
On July 16, 2025, BigONE lost around $28M in a hot-wallet breach spanning Bitcoin, Ethereum, Tron and Solana.
Another custodial wallet failure, another multi-chain scramble, another assurance that reimbursements will follow.
Arcadia Finance Exploit$3M
On July 15, 2025, Arcadia lost about $2.5M on Base after a router validation flaw let attackers smuggle malicious calls through rebalance logic.
The protocol executed instructions it should never have trusted. That is often the heart of these router-style exploits.
GMX Exploit$42M
On July 9, 2025, GMX was exploited for about $42M on Arbitrum. The attacker later returned the funds after accepting a $5M white-hat bounty.
The exploit targeted GMX's older vault logic. After a public bounty offer of 10%, the attacker returned the stolen funds, making this one of the larger successful white-hat recoveries. Recovery does not erase the underlying issue, but it stopped the headline from becoming even worse.
Resupply Exploit$10M
On June 26, 2025, Resupply lost about $9.5M after an oracle manipulation attack let the attacker borrow against inflated collateral.
Again: bad number in, bad debt out.
Nobitex Hack$82M
On June 18, 2025, Iranian exchange Nobitex was hit for about $82M in a major hot-wallet compromise.
Large centralised exchanges remain giant, tempting concentrations of key risk. Nobitex joined the long and unhappy list. The breach was later analysed by Chainalysis and TRM Labs, the latter noting that leaked source code revealed structural weaknesses in the exchange's infrastructure.
AlexLab Exploit$16M
On June 6, 2025, AlexLab on Stacks lost around $16.1M after private keys were compromised, allowing the attacker to drain protocol funds.
Protocol logic was secondary here. Once keys are gone, user-facing assurances tend to follow them. AlexLab later committed to reimbursing affected users and published a detailed breakdown of losses.
Nervos ForceBridge Exploit$4M
On June 2, 2025, Nervos's ForceBridge lost about $3.7M after flawed cross-chain validation let attackers mint synthetic assets and dump them.
Bridge validation is the whole game. When it is wrong, the bridge stops being a bridge and turns into a mint.
Cork Protocol wstETH Exploit$12M
On May 28, 2025, Cork Protocol lost about $12M after a flaw around wrapped staking asset exchange-rate logic was abused via a Uniswap v4 hook vulnerability.
Counterfeit or distorted pricing inside wrapped-asset accounting is a reliable way to make real collateral vanish. Dedaub's analysis highlighted this as a critical lesson in Uniswap v4 hook security, given that Cork was an a16z-backed project.
Cetus Protocol Exploit$260M
On May 22, 2025, Cetus Protocol on Sui was hit for roughly $260M in a devastating AMM manipulation exploit that sent connected token prices down over 90%.
Cetus was one of the year's defining DeFi disasters. By injecting or exploiting false value relationships inside the pool design, the attacker pulled real assets out en masse and left prices across connected tokens shattered. Multiple security firms published detailed root-cause analyses. The Sui ecosystem ultimately coordinated a partial freeze and recovery effort, but the scale of the damage was immense.
Bitcoin Theft$331M
On April 27, 2025, 3,520 BTC -- about $330.7M -- was stolen from an elderly US victim in a social-engineering attack, then funnelled through instant exchanges into Monero, briefly spiking XMR's price.
This was one of those rare incidents large enough to shake adjacent markets. Laundering pressure into XMR caused a visible price reaction. ZachXBT traced the theft and identified the victim as an elderly person in the US targeted through social engineering. Roughly $7M was later frozen with Binance's help, but the vast majority was successfully laundered through privacy rails.
Loopscale Hack$6M
On April 26, 2025, Loopscale on Solana lost about $5.8M after a pricing bug around RateX PT collateral let attackers borrow against inflated value, just two weeks after launch.
Oracle and collateral design failures are often boring on paper and expensive in practice. This was both.
ZKsync Airdrop Contract Exploit$5M
On April 15, 2025, a compromised admin wallet swept around $5M in unclaimed ZK tokens from an airdrop contract.
The exploit path was boring but effective: privileged function, wrong hands, real tokens gone. The ZK token price dropped sharply on the news before partially recovering.
KiloEx Oracle Manipulation$7M
On April 14, 2025, KiloEx lost about $7M across multiple chains after forged or unauthorised oracle inputs were used to juice leveraged PnL.
The attacker manipulated how the price feed was trusted and then harvested the obvious economic imbalance. Once again, if your oracle lies and your protocol believes it, the attacker just has to submit the paperwork.
UPCX ProxyAdmin Take-Over$70M
On April 1, 2025, a hijacked ProxyAdmin let attackers insert malicious logic and drain about $70M worth of UPC tokens.
Proxy upgrade power is effectively absolute power. Once lost, every downstream assurance becomes theatre.
Abracadabra GMX-Cauldron Bug$13M
On March 25, 2025, Abracadabra lost about $13M after a bookkeeping flaw let an attacker self-liquidate, re-borrow and recycle collateral in cauldrons tied to GMX liquidity tokens.
This was accounting getting confused in exactly the way attackers pray for: debt gone from the books before the collateral had really stopped mattering. PeckShield flagged the exploit in real time and multiple security firms published detailed breakdowns.
Zoth Logic-Contract Swap$8M
On March 21, 2025, leaked admin rights let attackers swap Zoth's implementation contract and drain around $8.32M from the RWA protocol.
Upgradeable systems are wonderful right up to the point someone else becomes the upgrader.
1inch Fusion v1 Re-entrancy$3M
On March 6, 2025, a re-entrancy issue in 1inch Fusion v1's resolver contract let attackers repeatedly reuse approvals and drain roughly $2.6M.
Recursive control flow plus user-supplied values remains a classic way to manufacture losses out of otherwise respectable code. 1inch published an official statement confirming the vulnerability was in the resolver contract, not the core aggregation protocol.
Suji Yan Wallet Hack$4M
On February 27, 2025, Mask Network founder Suji Yan lost roughly $4M after what appeared to be an offline phone or wallet compromise.
No protocol bug, just a personal-security disaster with on-chain consequences.
Infini Insider Drain$50M
On February 24, 2025, Infini lost about $50M after retained administrative privileges were allegedly used to drain funds from the stablecoin payment card issuer.
Insider or insider-style privilege abuse tends to be especially poisonous because it destroys both the money and the story the team can tell about how secure the system was. Infini offered a bounty for return of funds, but the damage to trust was already done.
Bybit Multisig Cold-Wallet Hack$1.40bn
On February 21, 2025, Bybit suffered the largest single crypto theft on record after a phished multisig flow led to $1.4B in ETH being drained. The FBI attributed the attack to North Korea's Lazarus Group (TraderTraitor).
The key lesson was brutal and simple: a multisig is only as safe as the signing environment and the humans using it. The interface showed one thing, the underlying permission change did another, and the largest single crypto theft on record followed. The FBI publicly attributed the hack to the DPRK-linked threat actor known as TraderTraitor (Lazarus Group / APT38) and issued a formal PSA. Bybit published a detailed incident timeline and committed to full transparency throughout the recovery process.
LIBRA Rug Pull$286M
On February 16, 2025, LIBRA imploded in what looked far more like insider distribution and rug mechanics than some tragic accident, wiping out roughly $286M. The incident sparked a political scandal in Argentina.
When memecoin theatrics overlap with politics, the post-mortem gets noisy fast. The money, unfortunately, was quieter and more final. TRM Labs published a detailed fund-tracing analysis, and the incident eventually warranted its own Wikipedia article due to the political dimensions involved.
zkLend Exploit$10M
On February 12, 2025, zkLend lost about $9.5M in a flash-loan exploit on Starknet. The attacker later attempted to launder through Railgun but funds were flagged and partially recovered.
The protocol still failed first. The partial recovery narrative is interesting, but it came after the money had already been stolen. BlockSec published a detailed post-mortem clarifying several misunderstandings about the attack mechanics.
DogWifTools Exploit$10M
On January 28, 2025, DogWifTools users were hit in a roughly $10M supply-chain exploit that drained wallets through a compromised version of the Solana pump.fun trading tool.
When wallet-adjacent software is compromised, the distinction between application risk and wallet risk disappears immediately. BleepingComputer covered this as a supply-chain attack where the tool itself was trojaned to exfiltrate private keys.
Phemex Exploit$37M
On January 23, 2025, Phemex lost about $37M amid a multi-chain hot-wallet breach. The exchange published a timeline and compensation plan shortly after.
Another exchange reminder that once the hot-wallet layer is compromised, attackers do not need deep protocol wizardry to do large damage fast. Phemex was relatively transparent in their response, publishing a detailed timeline and reassuring users with a compensation framework.