MyGit

SunWeb3Sec/DeFiHackLabs

Fork: 1185 Star: 5400 (更新于 2024-12-22 13:29:36)

license: 暂无

Language: Solidity .

Reproduce DeFi hacked incidents using Foundry.

GitHub网址

DeFi Hacks Reproduce - Foundry

Reproduce DeFi hack incidents using Foundry.

542 incidents included.

Let's make Web3 secure! Join Discord

Notion: 101 root cause analysis of past DeFi hacked incidents

Transaction debugging tools

Disclaimer: This content serves solely as a proof of concept showcasing past DeFi hacking incidents. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.

Getting Started

Web3 Cybersecurity Academy

All articles are also published on Substack.

OnChain transaction debugging

Who Support Us? DeFiHackLabs Received Grant From

Donate us

If you appreciate our work, please consider donating. Even a small amount helps us continue developing and improving our projects, and promoting web3 security.

List of Past DeFi Incidents

20241119 PolterFinance

20241111 DeltaPrime

20241026 CompoundFork

20241022 Erc20transfer

20241022 VISTA

20241013 MorphoBlue

20241011 P719Token

20241006 HYDT

20241006 SASHAToken

20241005 AIZPTToken

20241002 LavaLending

20241001 FireToken

20240926 OnyxDAO

20240926 Bedrock_DeFi

20240924 MARA

20240923 Bankroll_Network

20240913 OTSeaStaking

20240910 Caterpillar_Coin_CUT

20240903 Penpiexyz_io

20240816 Zenterest

20240816 OMPxContract

20240828 AAVE

20240814 YodlRouter

20240813 VOW

20240812 iVest

20240806 Novax

20240801 Convergence

20240724 Spectra_finance

20240723 MEVbot_0xdd7c

20240716 Lifiprotocol

20240714 Minterest

20240712 DoughFina

20240711 SBT

20240711 GAX

20240708 LW

20240705 DeFiPlaza

20240703 UnverifiedContr_0x452E25

20240702 MRP

20240628 Will

20240627 APEMAGA

20240618 INcufi

20240617 Dyson_money

20240616 WIFCOIN_ETH

20240611 Crb2

20240611 JokInTheBox

20240610 UwuLend - Price Manipulation

20240610 Bazaar

20240608 YYStoken

20240606 SteamSwap

20240606 MineSTM

20240604 NCD

20240601 VeloCore

20240531 Liquiditytokens

20240531 MixedSwapRouter

20240529 SCROLL

20240529 MetaDragon

20240528 Tradeonorion

20240528 EXcommunity

20240527 RedKeysCoin

20240526 NORMIE

20240522 Burner

20240516 TCH

20240514 Sonne Finance

20240514 PredyFinance

20240512 TGC

20240510 GFOX

20240510 TSURU

20240508 GPU

20240507 SATURN

20240506 OSN

20240430 Yield

20240430 PikeFinance

20240427 BNBX

20240425 NGFS

20240424 XBridge

20240424 YIEDL

20240422 Z123

20240420 Rico

20240419 HedgeyFinance

20240417 UnverifiedContr_0x00C409

20240416 SATX

20240416 MARS_DEFI

20240415 GFA

20240415 ChaingeFinance

20240414 Hackathon

20240412 FIL314

20240412 SumerMoney

20240412 GROKD

20240410 BigBangSwap

20240409 UPS

20240408 SQUID

20240404 WSM

20240402 HoppyFrogERC

20240401 ATM

20240401 OpenLeverage

20240329 ETHFIN

20240329 PrismaFi

20240328 LavaLending

20240325 ZongZi

20240314 ARK

20240323 CGT

20240321 SSS

20240320 Paraswap

20240314 MO

20240313 IT

20240312 BBT

20240311 Binemon

20240309 Juice

20240309 UnizenIO

20240307 GHT

20240306 ALP

20240306 TGBS

20240305 Woofi

20240228 Seneca

20240228 SMOOFSStaking

20240223 Zoomer

20240223 CompoundUni

20240223 BlueberryProtocol

20240222 SwarmMarkets

20240221 DeezNutz404

20240221 GAIN

20240220 EGGX

20240219 RuggedArt

20240216 ParticleTrade

20240215 DualPools

20240215 Babyloogn

20240215 Miner

20240213 MINER BSC

20240211 Game

20240210 FILX DN404

20240208 Pandora404

20240205 BurnsDefi

20240202 ADC

20240201 AffineDeFi

20240130 XSIJ

20240130 MIMSpell

20240129 PeapodsFinance

20240128 BarleyFinance

20240127 CitadelFinance

20240125 NBLGAME

20240122 DAO_SoulMate

20240117 BmiZapper

20240117 SocketGateway

20240115 Shell_MEV_0xa898

20240112 WiseLending

20240110 Freedom

20240110 LQDX Alert

20240104 Gamma

20240102 MIC

20240102 RadiantCapital

20240101 OrbitChain

2023

20231231 Channels BUSD&USDC

20231230 ChannelsFinance

20231228 CCV

20231228 DominoTT

20231225 Telcoin

20231222 PineProtocol

20231220 TransitFinance

20231217 Bob

20231217 FloorProtocol

20231216 GoodDollar

20231216 KEST

20231216 NFTTrader

20231214 PHIL

20231213 HYPR

20231211 GoodCompound

20231209 BCT

20231207 HNet

20231206 TIME

20231206 ElephantStatus

20231205 MAMO

20231205 BEARNDAO

20231202 bZxProtocol

20231201 UnverifiedContr_0x431abb

20231130 EEE

20231130 CAROLProtocol

20231129 Burntbubba

20231129 AIS

20231128 FiberRouter

20231125 MetaLend

20231125 TheNFTV2

20231122 KyberSwap

20231117 Token8633_9419

20231117 ShibaToken

20231116 WECO

20231115 EHX

20231115 XAI

20231115 LinkDAO

20231114 OKC Project

20231112 MEV_0x8c2d

20231112 MEV_0xa247

20231111 Mahalend

20231110 Raft_fi

20231110 GrokToken

20231107 RBalancer

20231107 MEVbot

20231106 TrustPad

20231106 TheStandard_io

20231106 KR

20231102 BRAND

20231102 3913Token

20231101 SwampFinance

20231101 OnyxProtocol

20231031 UniBotRouter

20231030 LaEeb

20231028 AstridProtocol

20231024 MaestroRouter2

20231022 OpenLeverage

20231019 kTAF

20231018 HopeLend

20231018 MicDao

20231013 BelugaDex

20231013 WiseLending

20231012 Platypus

20231011 BH

20231008 ZS

20231008 pSeudoEth

20231007 StarsArena

20231005 DePayRouter

20230930 FireBirdPair

20230929 DEXRouter

20230926 XSDWETHpool

20230924 KubSplit

20230921 CEXISWAP

20230916 uniclyNFT

20230911 0x0DEX

20230909 BFCToken

20230908 APIG

20230907 HCT

20230905 QuantumWN

20230905 JumpFarm

20230905 HeavensGate

20230905 FloorDAO

20230902 DAppSocial

20230829 EAC

20230827 Balancer

20230826 SVT

20230824 GSS

20230821 EHIVE

20230819 BTC20

20230818 ExactlyProtocol

20230814 ZunamiProtocol

20230809 EarningFram

20230802 CurveBurner

20230802 Uwerx

20230801 NeutraFinance

20230801 LeetSwap

20230731 GYMNET

20230730 Curve

20230726 Carson

20230724 Palmswap

20230723 MintoFinance

20230722 ConicFinance02

20230721 ConicFinance

20230721 SUT

20230720 Utopia

20230720 FFIST

20230718 APEDAO

20230718 BNO

20230717 NewFi

20230715 USDTStakingContract28

20230712 Platypus

20230712 WGPT

20230711 RodeoFinance

20230711 Libertify

20230710 ArcadiaFi

20230708 CIVNFT

20230708 Civfund

20230707 LUSD

20230704 BambooIA

20230704 BaoCommunity

20230703 AzukiDAO

20230630 Biswap

20230630 MyAi

20230628 Themis

20230627 UnverifiedContr_9ad32

20230627 STRAC

20230623 SHIDO

20230621 BabyDogeCoin02

20230621 BUNN

20230620 MIM

20230619 Contract_0x7657

20230618 ARA

20230617 MidasCapitalXYZ

20230617 Pawnfi

20230615 CFC

20230615 DEPUSDT_LEVUSDC

20230612 Sturdy Finance

20230611 SellToken04

20230607 CompounderFinance

20230606 VINU

20230606 UN

20230602 NST SimpleSwap

20230601 DDCoin

20230601 Cellframenet

20230531 ERC20TokenBank

20230529 Jimbo

20230529 BabyDogeCoin

20230529 FAPEN

20230529 NOON_NO

20230525 GPT

20230524 LocalTrade

20230524 CS

20230523 LFI

20230514 landNFT

20230514 SellToken03

20230513 Bitpaidio

20230513 SellToken02

20230512 LW

20230511 SellToken01

20230510 SNK

20230509 MCC

20230509 HODL

20230506 Melo

20230505 DEI

20230503 NeverFall

20230502 Level

20230428 0vix

20230427 SiloFinance

20230424 Axioma

20230419 OLIFE

20230416 Swapos V2

20230415 HundredFinance

20230413 yearnFinance

20230412 MetaPoint

20230411 Paribus

20230409 SushiSwap

20230405 Sentiment

20230402 Allbridge

20230328 SafeMoon Hack

20230328 THENA

20230325 DBW

20230322 BIGFI

20230317 ParaSpace NFT

20230315 Poolz

20230313 EulerFinance

20230308 DKP

20230307 Phoenix

20230227 LaunchZone

20230227 SwapX

20230224 EFVault

20230222 DYNA

20230218 RevertFinance

20230217 Starlink

20230217 Dexible

20230217 Platypusdefi

20230210 Sheep Token

20230210 dForce

20230207 CowSwap

20230206 FDP Token

20230203 Orion Protocol

20230203 Spherax USDs

20230202 BonqDAO

20230130 BEVO

20230126 TomInu Token

20230119 SHOCO Token

20230119 ThoreumFinance

20230118 QTN Token

20230118 UPS Token

20230117 OmniEstate

20230116 MidasCapital

20230111 UFDao

20230111 ROE

20230110 BRA

20230103 GDS

2022

20221230 DFS

20221229 JAY

20221225 Rubic

20221223 Defrost

20221214 Nmbplatform

20221214 FPR

20221213 ElasticSwap

20221212 BGLD

20221211 Lodestar

20221211 MEVbot_0x28d9

20221210 MUMUG

20221210 TIFIToken

20221209 NOVAToken

20221207 AES

20221205 RFB

20221205 BBOX

20221202 OverNight

20221201 APC

20221129 MBC & ZZSH

20221129 SEAMAN

20221123 NUM

20221122 AUR

20221121 SDAO

20221119 AnnexFinance

20221118 Polynomial

20221117 UEarnPool

20221116 SheepFarm

20221110 DFXFinance

20221109 brahTOPG

20221108 MEV_0ad8

20221108 Kashi

20221107 MooCAKECTX

20221105 BDEX

20221027 VTF

20221027 Team Finance

20221026 N00d Token

20221025 ULME

20221024 Market

20221024 MulticallWithoutCheck

20221021 OlympusDAO

20221020 HEALTH Token

20221019 BEGO Token

20221018 HPAY

20221018 PLTD Token

20221017 Uerii Token

20221014 INUKO Token

20221014 EFLeverVault

20221014 MEVBOT a47b

20221012 ATK

20221011 Rabby Wallet SwapRouter

20221011 Templedao

20221010 Carrot

20221009 Xave Finance

20221006 RES-Token

20221002 Transit Swap

20221001 BabySwap

20221001 RL

20221001 Thunder Brawl

20220929 BXH

20220928 MEVBOT Badc0de

20220923 RADT-DAO

20220913 MevBot Private TX

20220909 DPC

20220908 YYDS

20220908 NewFreeDAO

20220908 Ragnarok Online Invasion

20220906 NXUSD

20220905 ZoomproFinance

20220902 ShadowFi

20220902 Bad Guys by RPF

20220828 DDC

20220824 LuckyTiger NFT

20220816 Circle_2

20220813 Circle

20220810 XSTABLE Protocol

20220809 ANCH

20220807 EGD Finance

20220804 EtnProduct

20220803 Qixi

20220802 Nomad Bridge

20220801 Reaper Farm

20220725 LPC

20220723 Audius

20220713 SpaceGodzilla

20220710 Omni NFT

20220706 FlippazOne NFT

20220701 Quixotic - Optimism NFT Marketplace

20220626 XCarnival

20220624 Harmony's Horizon Bridge

20220618 SNOOD

20220616 InverseFinance

20220608 GYMNetwork

20220608 Optimism - Wintermute

20220606 Discover

20220529 NOVO Protocol

20220524 HackDao

20220517 ApeCoin

20220508 Fortress Loans

20220430 Saddle Finance

20220430 Rari Capital/Fei Protocol

20220428 DEUS DAO

20220424 Wiener DOGE

20220423 Akutar NFT

20220421 Zeed Finance

20220416 BeanstalkFarms

20220415 Rikkei Finance

20220412 ElephantMoney

20220411 Creat Future

20220409 GYMNetwork

20220329 Ronin Network

20220329 Redacted Cartel

20220327 Revest Finance

20220326 Auctus

20220322 CompoundTUSDSweepTokenBypass

20220321 OneRing Finance

20220320 LI.FI

20220320 Umbrella Network

20220315 Agave Finance

20220315 Hundred Finance

20220313 Paraluni

20220309 Fantasm Finance

20220305 Bacon Protocol

20220303 TreasureDAO

20220214 BuildFinance - DAO

20220208 Sandbox LAND

20220205 Meter

20220204 TecraSpace

20220128 Qubit Finance

20220118 Multichain (Anyswap)

2021

20211221 Visor Finance

20211218 Grim Finance

20211214 Nerve Bridge

20211130 MonoX Finance

20211123 Ploutoz Finance

20211027 Cream Finance

20211015 Indexed Finance

20210916 SushiSwap Miso

20210915 Nimbus Platform

20210915 NowSwap Platform

20210912 ZABU Finance

20210903 DAO Maker

20210830 Cream Finance

20210817 XSURGE

20210811 Poly Network

20210804 WaultFinance

20210728 Levyathan Finance

20210710 Chainswap

20210702 Chainswap

20210628 SafeDollar

20210625 xWin Finance

20210622 Eleven Finance

20210607 88mph NFT

20210603 PancakeHunny

20210527 JulSwap

20210527 BurgerSwap

20210519 PancakeBunny

20210516 bEarn

20210508 Rari Capital

20210508 Value Defi

20210502 Spartan

20210428 Uranium

20210308 DODO

20210305 Paid Network

20210204 Yearn YDai

20210125 Sushi Badger Digg

Before 2020

20201229 Cover Protocol

20201121 Pickle Finance

20201026 Harvest Finance

20200912 bzx

20200804 Opyn Protocol

20200628 Balancer Protocol

20200618 Bancor Protocol

20200419 LendfMe

20200418 UniSwapV1

20181007 SpankChain

20180424 SmartMesh

20180422 Beauty Chain

20171106 Parity - 'Accidentally Killed It'


Transaction debugging tools

Phalcon | Tx tracer | Cruise | Ethtx | Tenderly | eigenphi

Ethereum Signature Database

4byte | sig db | etherface

Useful tools

ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | ETHCMD - Guess ABI | Abi tools

Hacks Dashboard

Slowmist | Defillama | De.Fi | Rekt | Cryptosec


List of DeFi Hacks & POCs

20241119 PolterFinance - FlashLoan Attack

Lost: $7M

forge test --contracts ./src/test/2024-11/PolterFinance_exploit.sol -vvv

Contract

PolterFinance_exploit.sol

Link reference

https://twitter.com/Bcpaintball26/status/1857865758551805976


20241111 DeltaPrime - Reentrancy

Lost: $4.75 M

forge test --contracts ./src/test/2024-11/DeltaPrime_exp.sol -vvv

Contract

DeltaPrime_exp.sol

Link reference

https://x.com/peckshield/status/1855910524460159197


20241026 CompoundFork - Flashloan attack

Lost: $1M

forge test --contracts ./src/test/2024-10/CompoundFork_exploit.sol -vvv --evm-version shanghai

Contract

CompoundFork_exploit.sol

Link reference

https://x.com/Phalcon_xyz/status/1849636437349527725 https://app.blocksec.com/explorer/tx/base/0x6ab5b7b51f780e8c6c5ddaf65e9badb868811a95c1fd64e86435283074d3149e


20241022 Erc20transfer - Access Control

Lost: $14,773.35

forge test --contracts ./src/test/2024-10/Erc20transfer_exp.sol -vvv

Contract

Erc20transfer_exp.sol

Link reference

https://x.com/d23e_AG/status/1849064161017225645


20241022 Vista - flashmint receive error

Lost: $28,000

forge test --contracts ./src/test/2024-10/VISTA_exp.sol -vvv --evm-version cancun

Contract

VISTA_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1848403791881900130


20241013 MorphoBlue - Overpriced Asset in Oracle

Lost: $230,000

forge test --contracts ./src/test/2024-10/MorphoBlue_exp.sol -vvv --evm-version shanghai

Contract

MorphoBlue_exp.sol

Link reference

https://x.com/omeragoldberg/status/1845515843787960661


20241011 P719Token - Price Manipulation Inflate Attack

Total Lost : 547.18 BNB (~$312K USD)

forge test --match-contract P719Token_exp -vvv

Contract

P719Token_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1844753750386426182


20241006 SASHAToken - Price Manipulation

Total Lost : 249 ETH (~$600K USD)

forge test --match-contract SASHAToken_exp -vvv

Contract

SASHAToken_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1842864840265883833


20241010 HYDT - Oracle Price Manipulation

Total Lost : 5.8k USDT

forge test --contracts ./src/test/2024-10/HYDT_exp.sol -vvv --evm-version cancun

Contract

HYDT_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1844241843518951451


20241005 AIZPTToken - Wrong Price Calculation

Total Lost : 34.88 BNB (~$20K USD)

forge test --match-contract AIZPTToken_exp -vvv

Contract

AIZPTToken_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1842576732047700077


20241001 FireToken - Pair Manipulation With Transfer Function

Lost: 8.45 ETH (~$20K USD)

forge test --contracts ./src/test/2024-10/FireToken_exp.sol -vvv

Contract

FireToken_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1841305965750350089


20241002 LavaLending - Price Manipulation

Lost: 1 USDC, 125795.6 cUSDC, 0,0067 WBTC, 2.25 WETH (~$130K USD)

forge test --match-contract LavaLending_exp -vvv

Contract

LavaLending_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1841823216425435308

https://nickfranklin.site/2024/10/03/unknown-lending-project-hacked-due-to-price-oracle-manipulation/


20240926 OnyxDAO - Fake Market

Lost: 4.1M VUSD, 7.35M XCN, 5K DAI, 0.23 WBTC, 50K USDT (>$3.8M USD)

forge test --match-contract OnyxDAO_exp -vvv

Contract

OnyxDAO_exp.sol

Link reference

https://x.com/peckshield/status/1839302663680438342


20240926 Bedrock_DeFi - Swap ETH/BTC 1/1 in mint function

Lost: 27.83925883 BTC (~$1.7M USD)

forge test --match-contract Bedrock_DeFi_exp -vvv

Contract

Bedrock_DeFi_exp.sol

Link reference

https://x.com/certikalert/status/1839403126694326374


20240924-MARA---price-manipulation

Lost: ~8.8 WBNB (~5.3K USD)

forge test --match-contract MARA_exp -vvv

Contract

MARA_exp.sol

Link reference

https://bscscan.com/tx/0x0fe3716431f8c2e43217c3ca6d25eed87e14d0fbfa9c9ee8ce4cef2e5ec4583c

20240923 Bankroll_Network - Incorrect input validation

Lost: ~404 WBNB (~234.8K USD)

forge test --match-contract Bankroll_exp -vvv

Contract

Bankroll_exp.sol

Link reference

https://x.com/Phalcon_xyz/status/1838042368018137547


20240913 OTSeaStaking - Logic Flaw

Lost: 26k

forge test --match-contract OTSeaStaking_exp -vvv

Contract

OTSeaStaking_exp.sol

Link reference

Nick Franklin: https://nickfranklin.site/2024/09/13/otsea-staking-hacked/


20240910 Caterpillar_Coin_CUT - Price Manipulation

Lost: ~1.4M USD

forge test --match-contract Caterpillar_Coin_CUT_exp -vvv --evm-version shanghai

Contract

Caterpillar_Coin_CUT_exp.sol

Link reference

https://www.certik.com/zh-CN/resources/blog/caterpillar-coin-cut-token-incident-analysis


20240903 Penpiexyz_io - Reentrancy and Reward Manipulation

Lost: 11,113.6 ETH (~$27,348,259 USD)

forge test --match-contract Penpiexyzio_exp -vvv --evm-version shanghai

Contract

Penpiexyzio_exp.sol

Link reference

https://x.com/peckshield/status/1831072098669953388

https://x.com/AnciliaInc/status/1831080555292856476

https://x.com/hackenclub/status/1831383106554573099

post-morten: https://x.com/Penpiexyz_io/status/1831462760787452240


20240828 AAVE - Arbitrary Call Error

Lost: 52000

forge test --match-contract AAVE_Repay_Adapter -vvv

Contract

AAVE_Repay_Adapter.sol

Link reference

https://www.vibraniumaudits.com/post/aave-hacked-via-periphery-contract-56kstolenfromtipjar

20240816 Zenterest - Price Out Of Date

Lost: ~21000 USD

forge test --match-contract Zenterest_exp -vvvv --evm-version shanghai

Contract

Zenterest_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1824579761383018564


20240816 OMPx Contract - FlashLoan

Lost: 4.37 ETH (~11527 USD)

forge test --match-contract OMPxContract_exp -vvv

Contract

OMPxContract_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1820816386551357448


20240814 NoName - Arbitrary Call

Lost: ~5k

forge test --match-contract YodlRouter_exp -vvv

Contract

YodlRouter_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1823601087011807636


20240813 VOW - Misconfiguration

Lost: ~ 1M USD

forge test --match-contract VOW_exp -vvv

Contract

VOW_exp.sol

Link reference

https://x.com/Vowcurrency/status/1823407231658025300


20240812 iVest - Business logic flaw

Lost: ~338 WBNB

forge test --match-contract IvestDao_exp -vvv

Contract

IvestDao_exp.sol

Link reference

https://x.com/AnciliaInc/status/1822870201698050064


20240806 Novax - Price Manipulation

Lost: ~25K USD

forge test --match-contract NovaXM2E_exp -vvv

Contract

NovaXM2E_exp.sol

Link reference

https://x.com/EXVULSEC/status/1820676684410147276


20240801 Convergence - Incorrect input validation

Lost: ~200K USD

forge test --match-contract Convergence_exp -vvvv --evm-version cancun

Contract

Convergence_exp.sol

Link reference

https://x.com/DecurityHQ/status/1819030089012527510


20240724 Spectra_finance - Incorrect input validation

Lost: ~73K USD

forge test --match-contract Spectra_finance_exp -vvv

Contract

Spectra_finance_exp.sol

Link reference

https://x.com/shoucccc/status/1815981585637990899


20240723 MEVbot_0xdd7c - Incorrect input validation

Lost: ~18k USD

forge test --match-contract -vvv --evm-version cancun

Contract

MEVbot_0xdd7c_exp.sol

Link reference

https://x.com/SlowMist_Team/status/1815656653100077532


20240716 Lifiprotocol - Incorrect input validation

Lost: ~10M USD

forge test --match-contract Lifiprotocol_exp -vvv

Contract

Lifiprotocol_exp.sol

Link reference

https://x.com/danielvf/status/1505689981385334784


20240714 Minterest - Reentrancy

Lost: ~427 ETH

forge test --match-contract Minterest_exp -vvv

Contract

Minterest_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1813122959219040323


20240712 DoughFina - Incorrect input validation

Lost: ~1.8M USD

forge test --match-contract DoughFina_exp -vvv

Contract

DoughFina_exp.sol

Link reference

https://x.com/CertiKAlert/status/1811668992882307478


20240711 SBT - business logic flaw

Lost: ~56K USD

forge test --match-contract SBT_exp -vvv

Contract

SBT_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1811401263969673654


20240711 GAX - Lack of access control

Lost: ~50K $BUSD

forge test --match-contract GAX_exp -vvv

Contract

GAX_exp.sol

Link reference

https://x.com/EXVULSEC/status/1811348160851378333


20240708 LW - Integer Underflow

Lost: ~7K USD

forge test --match-contract LW_exp -vvv

Contract

LW_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1810245893490368820


20240705 DeFiPlaza - loss of precision

Lost: ~200K USD

forge test --match-contract DeFiPlaza_exp -vvv

Contract

DeFiPlaza_exp.sol

Link reference

https://x.com/DecurityHQ/status/1809222922998808760


20240703 UnverifiedContr_0x452E25 - lack-of-access-control

Lost: 27 ETH

forge test --match-contract UnverifiedContr_0x452E25_exp -vvv --evm-version "cancun"

Contract

UnverifiedContr_0x452E25_exp.sol

Link reference

https://x.com/SlowMist_Team/status/1808334870650970514


20240702 MRP - Reentrancy

Lost: 17 BNB

forge test --match-contract MRP_exp -vvv

Contract

MRP_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1808309614443733005


20240628 Will - business logic flaw

Lost: $52K

forge test --match-contract Will_exp -vvv --evm-version "shanghai"

Contract

Will_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1806704287252394238


20240627 APEMAGA - business logic flaw

Lost: ~9 ETH

forge test --match-contract APEMAGA_exp -vvv --evm-version "shanghai"

Contract

APEMAGA_exp.sol

Link reference

https://x.com/ChainAegis/status/1806297556852601282


20240618 INcufi - business logic flaw

Lost: ~59K USD

forge test --match-contract INcufi_exp -vvv

Contract

INcufi_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1803317022513832301


20240617 Dyson_money - business logic flaw

Lost: 52 BNB

forge test --match-contract Dyson_money_exp -vvv

Contract

Dyson_money_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1802634237667054052


20240616 WIFCOIN_ETH - business logic flaw

Lost: ~3.4 ETH (WIF token)

forge test --match-contract WIFCOIN_ETH_exp -vvv --evm-version "shanghai"

Contract

WIFCOIN_ETH_exp.sol

Link reference

https://x.com/ChainAegis/status/1802550962977964139


20240616 Crb2 - business logic flaw

Lost: ~15K

forge test --match-contract Crb2_exp -vvv --evm-version shanghai

Contract

Crb2_exp.sol

Link reference


20240611 JokInTheBox - business logic flaw

Lost: ~9.2 ETH

forge test --match-contract JokInTheBox_exp -vvv --evm-version cancun

Contract

JokInTheBox_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1800355604692910571


20240610 UwULend - Price Manipulation

Lost: 19.3M

forge test --contracts ./src/test/2024-06/UwuLend_First_exp.sol -vvv --evm-version shanghai
forge test --contracts ./src/test/2024-06/UwuLend_Second_exp.sol -vvv --evm-version shanghai

Contract

UwuLend_First_exp.sol

UwuLend_Second_exp.sol

Link reference

https://x.com/peckshield/status/1800176089316163831


20240610 Bazaar - Insufficient Permission Check

Lost: 1.4M

forge test --match-contract Bazaar_exp -vvv

Contract

Bazaar_exp.sol

Link reference

https://x.com/shoucccc/status/1800353122159833195


20240608 YYStoken - Business Logic Flaw

Lost: $28K

forge test --match-contract YYS_exp -vv

Contract

YYS_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1799610045589831833


20240606 SteamSwap - Logic Flaw

Lost: ~$91k

forge test --match-contract SteamSwap_exp -vvv --evm-version shanghai

Contract

SteamSwap_exp.sol

Link reference

https://x.com/SlowMist_Team/status/1798905797440897386


20240606 MineSTM - Business Logic Flaw

Lost: $13.8K

forge test --match-contract MineSTM_exp -vv

Contract

MineSTM_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1798920774511898862


20240604 NCD - Business Logic Flaw

Lost: $6.4K

forge test --match-contract NCD_exp -vv

Contract

NCD_exp.sol

Link reference

https://x.com/SlowMist_Team/status/1797821034319765604


20240601 VeloCore - lack-of-access-control

Lost: $6.88M

forge test --match-contract Velocore_exp -vv

Contract

Velocore_exp.sol

Link reference

https://x.com/BeosinAlert/status/1797247874528645333


20240531 Liquiditytokens - Business Logic Flaw

Lost: ~200K USD

forge test --match-contract Liquiditytokens_exp -vvv

Contract

Liquiditytokens_exp.sol

Link reference

https://x.com/EXVULSEC/status/1796499069583724638


20240531 MixedSwapRouter - Arbitrary Call

Lost: >10700USD(WINR token)

forge test --match-contract MixedSwapRouter_exp -vvv

Contract

MixedSwapRouter_exp.sol

Link reference

https://x.com/ChainAegis/status/1796484286738227579


20240529 SCROLL - Integer Underflow

Lost: 76 ETH

forge test --match-contract SCROLL_exp -vvv

Contract

SCROLL_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1795650745448169741


20240529 MetaDragon - Lack of Access Control

Lost: ~ $180k

forge test --match-contract MetaDragon_exp -vvvvv --evm-version shanghai

Contract

MetaDragon_exp.sol

Link reference

https://x.com/Phalcon_xyz/status/1795746828064854497


20240528 Tradeonorion - Business Logic Flaw

Lost: ~645K

forge test --match-contract Tradeonorion_exp -vvv

Contract

Tradeonorion_exp.sol

Link reference

https://x.com/MetaSec_xyz/status/1796008961302258001


20240528 EXcommunity - Business Logic Flaw

Lost: 33BNB

forge test --match-contract EXcommunity_exp -vvv

Contract

EXcommunity_exp.sol

Link reference

https://x.com/SlowMist_Team/status/1795648617530995130


20240527 RedKeysCoin - Weak RNG

Lost: $12K

forge test --match-contract RedKeysCoin_exp -vvv --evm-version shanghai

Contract

RedKeysCoin_exp.sol

Link reference


20240526 NORMIE - Business Logic Flaw

Lost: $490K

forge test --match-contract NORMIE_exp -vv

Contract

NORMIE_exp.sol

Link reference

https://x.com/lookonchain/status/1794680612399542672


20240522 Burner - sandwich ack

Lost: 1.7 eth

forge test --match-contract Burner_exp -vv

Contract

Burner_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1792925754243625311


20240516 TCH - Signature Malleability Vulnerability

Lost: $18K

forge test --match-contract TCH_exp -vvv

Contract

TCH_exp.sol

Link reference

https://x.com/DecurityHQ/status/1791180322882629713


20240514 Sonne Finance - Precision loss

Lost: $20M

forge test --match-contract Sonne_exp -vvv

Contract

Sonne_exp.sol

Link reference

https://neptunemutual.com/blog/taking-a-closer-look-at-sonne-finance-exploit/


20240514 PredyFinance - Reentrancy

Lost: $464K

forge test --match-contract PredyFinance_exp -vvv

Contract

PredyFinance_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1790307019590680851


20240512 TGC - Business Logic Flaw

Lost: $32K

forge test --match-contract TGC_exp -vvv

Contract

TGC_exp.sol

Link reference

https://x.com/ChainAegis/status/1789490986588205529


20240510 GFOX - lack of access control

Lost: 330K USD

forge test --match-contract GFOX_exp -vvv --evm-version shanghai

Contract

GFOX_exp.sol

Link reference

https://twitter.com/CertiKAlert/status/1788751142144401886


20240510 TSURU - Insufficient Validation

Lost: 140K

forge test --match-contract TSURU_exp -vvv --evm-version shanghai

Contract

TSURU_exp.sol

Link reference

https://base.tsuru.wtf/usdtsuru-exploit-incident-report


20240508 GPU - self transfer

Lost: ~32K USD

forge test --match-contract GPU_exp -vvv

Contract

GPU_exp.sol

Link reference

https://twitter.com/PeckShieldAlert/status/1788153869987611113


20240507 SATURN - Price Manipulation

Lost: ~15 BNB

forge test --match-contract OSN_exp -vvv

Contract

SATURN_exp.sol

Link reference

https://twitter.com/ChainAegis/status/1787667253435195841


20240506 OSN - Reward Distribution Problem

Lost: ~109K USD

forge test --match-contract OSN_exp -vvv --evm-version shanghai

Contract

OSN_exp.sol

Link reference

https://twitter.com/SlowMist_Team/status/1787330586857861564


20240430 Yield - Business Logic Flaw

Lost: 181K

forge test --match-contract Yield_exp -vvv

Contract

Yield_exp.sol

Link reference

https://twitter.com/peckshield/status/1785121607192817692

https://medium.com/immunefi/yield-protocol-logic-error-bugfix-review-7b86741e6f50


20240430 PikeFinance - Uninitialized Proxy

Lost: 1.4M

forge test --match-contract PikeFinance_exp -vvv

Contract

PikeFinance_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1785508900093194591


20240427 BNBX - precission loss

Lost: ~75 $BNB

forge test --match-contract BNBX_exp -vvv --evm-version shanghai

Contract

BNBX_exp.sol

Link reference

https://x.com/ChainAegis/status/1784431544557514896


20240425 NGFS - Bad Access Control

Lost: ~190K

forge test --match-contract NGFS_exp -vvv --evm-version shanghai

Contract

NGFS_exp.sol

Link reference

https://twitter.com/CertiKAlert/status/1783476515331616847


20240424 XBridge - Logic Flaw

Lost: >200k USD(plus a lot of STC, SRLTY, Mazi tokens)

forge test --match-contract XBridge_exp -vvv

Contract

XBridge_exp.sol


20240424 YIEDL - Input Validation

Lost: 150k USD

forge test --match-contract YIEDL_exp -vvv

Contract

YIEDL_exp.sol

20240422 Z123 - price manipulation

Lost: 136k USD

forge test --match-contract Z123_exp -vvv

Contract

Z123_exp.sol

Link reference

https://twitter.com/PeckShieldAlert/status/1782322484911784385


20240420 Rico - Arbitrary Call

Lost: 36K

forge test --match-contract Rico_exp -vvv

Contract

Rico_exp.sol

Link reference

https://twitter.com/ricocreditsys/status/1781803698940781009


20240419 HedgeyFinance - Logic Flaw

Lost: 48M USD

forge test --match-contract HedgeyFinance_exp -vvv

Contract

HedgeyFinance_exp.sol

Link reference

https://twitter.com/Cube3AI/status/1781294512716820918


20240417 UnverifiedContr_0x00C409 - unverified external call

Lost: ~ 18 eth

forge test --match-contract UnverifiedContr_0x00C409_exp -vvv

Contract

UnverifiedContr_0x00C409_exp.sol

Link reference

https://x.com/CyversAlerts/status/1780593407871635538


20240416 SATX - Logic Flaw

Lost: ~ 50 BNB

forge test --match-contract SATX_exp -vvv

Contract

SATX_exp.sol

Link reference

https://x.com/bbbb/status/1780341239801393479


20240416 MARS - Bad Reflection

Lost: >100K

forge test --match-contract MARS_exp -vv

Contract

MARS_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1780150315603701933


20240415 GFA - business-logic-flaw

Lost: ~14K USD

forge test --match-contract GFA_exp -vvv

Contract

GFA_exp.sol

Link reference

https://x.com/ChainAegis/status/1779809931962827055


20240415 ChaingeFinance - Arbitrary External Call

Lost: ~560K

forge test --match-contract ChaingeFinance_exp -vvv

Contract

ChaingeFinance_exp.sol

Link reference

https://twitter.com/CyversAlerts/status/1779875922381860920


20240414 Hackathon - business logic flaw

Lost: ~20K

forge test --match-contract Hackathon_exp -vvv

Contract

Hackathon_exp.sol

Link reference

https://x.com/EXVULSEC/status/1779519508375613827


20240412 FIL314 - Insufficient Validation And Price Manipulation

Lost: ~14 BNB

forge test --match-contract FIL314_exp -vvv

Contract

FIL314_exp.sol

Link reference


20240412 SumerMoney - Reentrancy

Lost: 350K

forge test --match-contract SumerMoney_exp -vvv

Contract

SumerMoney_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1778986926705672698


20240412 GROKD - lack of access control

Lost: $~150 BNB

forge test --match-contract GROKD_exp -vvv

Contract

GROKD_exp.sol

Link reference

https://x.com/hipalex921/status/1778482890705416323?t=KvvG83s7SXr9I55aftOc6w&s=05


20240410 BigBangSwap - precission loss

Lost: $~5K $BUSD

forge test --match-contract BigBangSwap_exp -vvv

Contract

BigBangSwap_exp.sol

Link reference

https://x.com/ChainAegis/status/1778254222288621912


20240409 UPS - business logic flaw

Lost: $~28K USD

forge test --match-contract UPS_exp -vvv

Contract

UPS_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1777589021058728214


20240408 SQUID - sandwich attack

Lost: $~87K USD

forge test --match-contract SQUID_exp -vvv

Contract

SQUID_exp.sol

Link reference

https://twitter.com/bbbb/status/1777228277415039304


20240404 wsm - manipulating price

Lost: $~18K USD

forge test --match-contract WSM_exp -vvv

Contract

WSM_exp.sol

Link reference

https://hacked.slowmist.io/#:~:text=Hacked%20target%3A%20Wall%20Street%20Memes


20240402 HoppyFrogERC - business logic flaw

Lost: ~0.3 ETH

forge test --match-contract HoppyFrogERC_exp -vvv --evm-version shanghai

Contract

HoppyFrogERC_exp.sol

Link reference

https://x.com/ChainAegis/status/1775351437410918420


20240401 ATM - business logic flaw

Lost: $~182K USD

forge test --match-contract ATM_exp -vvv

Contract

ATM_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1775008489569718508


20240401 OpenLeverage - business logic flaw

Lost: ~234K

forge test --match-contract OpenLeverage2_exp -vvv

Contract

OpenLeverage2_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1774727539975672136


20240329 ETHFIN - lack of access control

Lost: ~$1.24K (2.13 BNB)

forge test --match-contract ETHFIN_exp -vvv --evm-version shanghai

Contract

ETHFIN_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/bsc/0xfe031685d84f3bae1785f5b2bd0ed480b87815c3f23ce6ced73b8573b7e367c6


20240329 PrismaFi - Insufficient Validation

Lost: $~11M

forge test --match-contract Prisma_exp -vvv

Contract

Prisma_exp.sol

Link reference

https://twitter.com/EXVULSEC/status/1773371049951797485


20240328 LavaLending - Business Logic Flaw

Lost: ~340K

forge test --match-contract LavaLending_exp -vvv

Contract

LavaLending_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1774727539975672136

https://twitter.com/Phalcon_xyz/status/1773546399713345965

https://hackmd.io/@LavaSecurity/03282024


20240325 ZongZi - Price Manipulation

Lost: ~223K

forge test --match-contract ZongZi_exp -vvv

Contract

ZongZi_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1772195949638775262


20240323 CGT - Incorrect Access Control

Lost: 996B (CGT token)

forge test --match-contract CGT_exp -vvv

Contract

CGT_exp.sol

Link reference

https://x.com/AnciliaInc/status/1771598968448745536


20240321 SSS - Token Balance Doubles on Transfer to self

Lost: 4.8M

forge test --match-contract SSS_exp -vvv

Contract

SSS_exp.sol

Link reference

https://twitter.com/dot_pengun/status/1770989208125272481


20240324 ARK - business logic flaw

Lost: ~348BNB

forge test --match-contract ARK_exp -vvv

Contract

ARK_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1771728823534375249


20240320 Paraswap - Incorrect Access Control

Lost: ~24K

forge test --match-contract Paraswap_exp -vvv --evm-version shanghai

Contract

Paraswap_exp.sol

Link reference

https://medium.com/neptune-mutual/analysis-of-the-paraswap-exploit-1f97c604b4fe


20240314 MO - business logic flaw

Lost: ~413k USDT

forge test --match-contract MO_exp -vvv

Contract

MO_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1768184024483430523


20240313 IT - business logic flaw

Lost: ~13k USDT

forge test --via-ir ---match-contract IT_exp -vvv

Contract

IT_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1768171595561046489


20240312 BBT - business logic flaw

Lost: ~5.06 ETH

forge test --match-contract BBT_exp -vvv

Contract

BBT_exp.sol

Link reference

https://x.com/8olidity/status/1767470002566058088


20240311 Binemon - precission-loss

Lost: ~0.2 BNB

forge test --match-contract Binemon_exp -vvv

Contract

Binemon_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/bsc/0x1999bb5c11a8d8bfa7620fc5cc37f5bc59c1a99d7a9250a8d6076c93bbdbeb5f


20240309 Juice - Business Logic Flaw

Lost: ~54 ETH

forge test --match-contract Juice_exp -vvv --evm-version shanghai

Contract

Juice_exp.sol

Link reference

https://medium.com/@juicebotapp/juice-staking-exploit-next-steps-95e218b3ec71


20240309 UnizenIO - unverified external call

Lost: ~2M

forge test --match-contract UnizenIO_exp -vvvv

Contract

UnizenIO_exp.sol | UnizenIO2_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1766274000534004187

https://twitter.com/AnciliaInc/status/1766261463025684707


20240307 GHT - Business Logic Flaw

Lost: ~57K

forge test --match-contract GHT_exp -vvv

Contract

GHT_exp.sol

Link reference


20240306 ALP - Public internal function

Lost: ~10K

Testing

forge test --match-contract ALP_exp -vvv

Contract

ALP_exp.sol

Link Reference

https://twitter.com/0xNickLFranklin/status/1765296663667875880


20240306 TGBS - Business Logic Flaw

Lost: ~150K

forge test --match-contract TGBS_exp -vvv

Contract

TGBS_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1765290290083144095

https://twitter.com/Phalcon_xyz/status/1765285257949974747


20240305 Woofi - Price Manipulation

Lost: ~8M

forge test --match-contract Woofi_exp -vvv

Contract

Woofi_exp.sol

Link reference

https://twitter.com/spreekaway/status/1765046559832764886 https://twitter.com/PeckShieldAlert/status/1765054155478175943


20240228 Seneca - Arbitrary External Call Vulnerability

Lost: ~6M

forge test --match-contract Seneca_exp -vvv

Contract

Seneca_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1763045563040411876


20240228 SMOOFSStaking - Reentrancy

Lost: Unclear

forge test --match-contract SMOOFSStaking_exp -vvv

Contract

SMOOFSStaking_exp.sol

Link reference

https://twitter.com/AnciliaInc/status/1762893563103428783

https://twitter.com/0xNickLFranklin/status/1762895774311178251


20240223 Zoomer - Business Logic Flaw

Lost: ~14 ETH

forge test --match-contract Zoomer_exp -vvv --evm-version "shanghai"

Contract

Zoomer_exp.sol

Link reference

https://x.com/ChainAegis/status/1761246415488225668


20240223 CompoundUni - Oracle bad price

Lost: ~439,537 USD

forge test --match-contract CompoundUni_exp -vvv

Contract

CompoundUni_exp.sol

Link reference

https://twitter.com/0xLEVI104/status/1762092203894276481


20240223 BlueberryProtocol - logic flaw

Lost: ~1,400,000 USD

forge test --match-contract BlueberryProtocol_exp -vvv

Contract

BlueberryProtocol_exp.sol

Link reference

https://twitter.com/blueberryFDN/status/1760865357236211964


20240222 SwarmMarkets - lack of validation

Lost: ~7k $DAI

forge test --match-contract SwarmMarkets_exp -vvv

Contract

SwarmMarkets_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/eth/0xa4d7ee2ddb9db06961a17e2a5ae71743a266bcb720be138670f4a10e8dfc13e9


20240221 DeezNutz 404 - lack of validation

Lost: ~170k

forge test --match-contract DeezNutz404_exp -vvv

Contract

DeezNutz404_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1760481343161700523


20240221 GAIN - bad function implementation

Lost: ~6.4 ETH

forge test --match-contract GAIN_exp -vvv

Contract

GAIN_exp.sol

Link reference

https://twitter.com/0xNickLFranklin/status/1760559768241160679


20240220 EGGX - reentrancy

Lost: ~2 ETH

forge test --match-contract EGGX_exp -vvv

Contract

EGGX_exp.sol

Link reference

https://x.com/PeiQi_0/status/1759826303044497726


20240219 RuggedArt - reentrancy

Lost: ~10k

forge test --match-contract RuggedArt_exp -vvv

Contract

RuggedArt_exp.sol

Link reference

https://twitter.com/EXVULSEC/status/1759822545875025953


20240216 ParticleTrade - lack of validation data

Lost: ~50k

forge test --match-contract ParticleTrade_exp -vvv

Contract

ParticleTrade_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1758028270770250134


20240215 DualPools - precision truncation

Lost: ~42k

forge test --match-contract DualPools_exp -vvvv

Contract

DualPools_exp.sol

Link reference

https://medium.com/@lunaray/dualpools-hack-analysis-5209233801fa


20240215 Babyloogn - lack of validation

Lost: ~2 $BNB

forge test --match-contract Babyloogn_exp -vvvv

Contract

Babyloogn_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/bsc/0xd081d6bb96326be5305a6c00dd51d1799971794941576554341738abc1ceb202


20240215 Miner - lack of validation dst address

Lost: ~150k

forge test --match-contract Miner_exp -vvv --evm-version shanghai

Contract

Miner_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1757777340002681326


20240213 MINER - Price Manipulation

Lost: ~3.5 WBNB

forge test --match-contract MINER_bsc_exp -vvv --evm-version shanghai

Contract

MINER_bsc_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/bsc/0x15ab671c9bf918fa4b6a9eed9ccb527f32aca40e926ede2aec2c84dfa9c30512?line=6


20240211 Game - Reentrancy && Business Logic Flaw

Lost: ~20 ETH

forge test --match-contract Game_exp -vvv

Contract

Game_exp.sol

Link reference

https://twitter.com/AnciliaInc/status/1757533144033739116


20240210 FILX DN404 - Access Control

Lost: 200K

forge test --match-contract DN404_exp -vvv

Contract

DN404_exp.sol


20240208 Pandora - interger underflow

Lost: ~17K USD

forge test --match-contract PANDORA_exp -vvv

Contract

PANDORA_exp.sol

Link reference

https://twitter.com/pennysplayer/status/1766479470058406174


20240205 BurnsDefi - Price Manipulation

Lost: ~67K

forge test --match-contract BurnsDefi_exp -vvv

Contract

BurnsDefi_exp.sol

Link reference

https://twitter.com/pennysplayer/status/1754342573815238946

https://medium.com/neptune-mutual/how-was-citadel-finance-exploited-a5f9acd0b408 (similar incident)


20240202 ADC - incorrect-access-control

Lost: ~20 eth

forge test --match-contract ADC_exp -vvv

Contract

ADC_exp.sol

Link reference

https://x.com/EXVULSEC/status/1753294675971313790


20240201 AffineDeFi - lack of validation userData

Lost: ~88K

forge test --match-contract AffineDeFi_exp -vvv

Contract

AffineDeFi_exp.sol

Link reference

https://twitter.com/Phalcon_xyz/status/1753020812284809440

https://twitter.com/CyversAlerts/status/1753040754287513655


20240130 XSIJ - Business Logic Flaw

Lost: ~51K USD

forge test --match-contract XSIJ_exp -vvv

Contract

XSIJ_exp.sol

Link reference

https://x.com/CertiKAlert/status/1752384801535918264


20240130 MIMSpell - Precission Loss

Lost: ~6,5M

forge test --match-contract MIMSpell2_exp -vvv

Contract

MIMSpell2_exp.sol

Link reference

https://twitter.com/kankodu/status/1752581744803680680

https://twitter.com/Phalcon_xyz/status/1752278614551216494

https://twitter.com/peckshield/status/1752279373779194011

https://phalcon.blocksec.com/explorer/security-incidents


20240129 PeapodsFinance - Reentrancy

Lost: ~1K $DAI

forge test --match-contract PeapodsFinance_exp -vvv

Contract

PeapodsFinance_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/eth/0x95c1604789c93f41940a7fd9eca11276975a9a65d250b89a247736287dbd2b7e


20240128 BarleyFinance - Reentrancy

Lost: ~130K

forge test --match-contract BarleyFinance_exp -vvv

Contract

BarleyFinance_exp.sol

Link reference

https://phalcon.blocksec.com/explorer/security-incidents

https://www.bitget.com/news/detail/12560603890246

https://twitter.com/Phalcon_xyz/status/1751788389139992824


20240127 CitadelFinance - Price Manipulation

Lost: ~93K

forge test --match-contract CitadelFinance_exp -vvv

Contract

CitadelFinance_exp.sol

Link reference

https://medium.com/neptune-mutual/how-was-citadel-finance-exploited-a5f9acd0b408


20240125 NBLGAME - Reentrancy

Lost: ~180K

forge test --match-contract NBLGAME_exp -vvv

Contract

NBLGAME_exp.sol

Link reference

https://twitter.com/SlowMist_Team/status/1750526097106915453

https://twitter.com/AnciliaInc/status/1750558426382635036


20240122 DAO_SoulMate - Incorrect Access Control

Lost: ~319K

forge test --match-contract DAO_SoulMate_exp -vvv --evm-version 'shanghai'

Contract

DAO_SoulMate_exp.sol

Link reference

https://twitter.com/MetaSec_xyz/status/1749743245599617282


20240117 BmiZapper - Arbitrary external call vulnerability

Lost: ~114K

forge test --match-contract Bmizapper_exp -vvv

Contract

BmiZapper_exp.sol

Link reference

https://x.com/0xmstore/status/1747756898172952725


20240115 Shell_MEV_0xa898 - lack of access control

Lost: ~1K $BUSD

forge test --match-contract Shell_MEV_0xa898_exp -vvv

Contract

Shell_MEV_0xa898_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/bsc/0x24f114c0ef65d39e0988d164e052ce8052fe4a4fd303399a8c1bb855e8da01e9


20240112 SocketGateway - Lack of calldata validation

Lost: ~3.3Million $

forge test --match-contract SocketGateway_exp -vvv --evm-version shanghai

Contract

SocketGateway_exp.sol

Link reference

https://twitter.com/BeosinAlert/status/1747450173675196674

https://twitter.com/peckshield/status/1747353782004900274


20240112 WiseLending - Bad HealthFactor Check

Lost: ~464K

forge test --match-contract WiseLending02_exp -vvv --evm-version shanghai

Contract

WiseLending02_exp.sol

Link reference

https://twitter.com/danielvf/status/1746303616778981402


20240110 Freedom - lack of access control

Lost: 74 $WBNB

forge test --match-contract Freedom_exp -vvv

Contract

Freedom_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/bsc/0x309523343cc1bb9d28b960ebf83175fac941b4a590830caccff44263d9a80ff0


20240110 LQDX - Unauthorized TransferFrom

Lost: unknown

forge test --match-contract LQDX_alert_exp -vvv

Contract

LQDX_alert_exp.sol

Link reference

https://twitter.com/SlowMist_Team/status/1744972012865671452


20240104 Gamma - Price manipulation

Lost: ~6.3M

forge test --match-contract Gamma_exp -vvv

Contract

Gamma_exp.sol

Link reference

https://twitter.com/officer_cia/status/1742772207997050899

https://twitter.com/shoucccc/status/1742765618984829326


20240102 MIC - Business Logic Flaw

Lost: ~500K

forge test --match-contract MIC_exp -vvv

Contract

MIC_exp.sol

Link reference

https://x.com/MetaSec_xyz/status/1742484748239536173


20240102 RadiantCapital - Loss of Precision

Lost: ~4,5M

forge test --match-contract RadiantCapital_exp -vvv

Contract

RadiantCapital_exp.sol

Link reference

https://neptunemutual.com/blog/how-was-radiant-capital-exploited/

https://twitter.com/BeosinAlert/status/1742389285926678784


20240101 OrbitChain - Incorrect input validation

Lost: ~81M

forge test --match-contract OrbitChain_exp -vvv

Contract

OrbitChain_exp.sol

Link reference

https://blog.solidityscan.com/orbit-chain-hack-analysis-b71c36a54a69


View Gas Reports

Foundry also has the ability to report the gas used per function call which mimics the behavior of hardhat-gas-reporter. Generally speaking if gas costs per function call is very high, then the likelihood of its success is reduced. Gas optimization is an important activity done by smart contract developers.

Every poc in this repository can produce a gas report like this:

forge test --gas-report --contracts <contract> -vvv

For Example: Let us find out the gas used in the Audius poc

Execution

forge test --gas-report --contracts ./src/test/Audius.exp.sol -vvv

Demo

Bug Reproduce

Moved to DeFiVulnLabs

FlashLoan Testing

Moved to DeFiLabs

最近版本更新:(数据更新于 2024-12-23 17:50:55)

主题(topics):

defi, ethereum, foundry, solidity, web3

SunWeb3Sec/DeFiHackLabs同语言 Solidity最近更新仓库

2024-10-03 22:56:46 OpenZeppelin/openzeppelin-contracts

2024-08-28 00:31:10 Uniswap/UniswapX

2024-07-26 11:31:29 bnb-chain/bsc-genesis-contract

2024-02-23 01:47:34 eth-infinitism/account-abstraction

2021-02-26 11:11:11 bnb-chain/eth-bsc-swap-contracts

1970-01-01 00:00:00 Vectorized/solady