Documented Timeline of DeFi Exploits

As of today, there are a total of 148 DeFi exploits* that have occurred, with lost funds amounting to a total of approximately $4.28 billion at the time of these exploits; with the biggest exploit being the Ronin bridge exploit, losing $625 million of value.

💡 Achieve enterprise-grade wallet security by using a Ledger hardware wallet.



This list doesn’t include hacks concerning front-ends, DNSs, etc.

Ethereum: 71
BNB Chain: 36
Fantom: 5
Solana: 5
Avalanche: 7
Arbitrum: 4
Harmony: 2

Polygon: 4
Optimism: 3
EOS: 1
Cronos: 1
Polkadot: 1
Klayn: 1
zkSync: 1

Algorand: 1
Ronin: 1
Moonriver: 2
Celo: 1
Near: 1
Hedera: 1

2023: 18 exploits
2022: 45 exploits
2021: 62 exploits
2020: 16 exploits

* some exploits occur on multiple chains.

2023 (18 exploits)

Level Finance (May 2, 2023)

“Decentralized exchange Level Finance has experienced a security breach allowing an attacker to steal more than $1 million of the exchange’s native Level Finance (LVL) token.” — Cointelegraph

Amount stolen: $1,000,000

0vix (April 28, 2023)

“Decentralized-finance protocol 0VIX has lost roughly $2 million in a flash-loan exploit, according to on-chain data on Polygon’s block explorer.

A total of 1.45 million USDC, along with other tokens, was stolen before being bridged to the Ethereum mainnet on Stargate Finance, where it was eventually swapped for ether (ETH).” — CoinDesk

Amount stolen: $1,082,000

Merlin (April 27, 2023)

“Newly launched decentralized exchange Merlin was drained of around $1.82 million from its liquidity pool on Wednesday, with auditor CertiK—who completed an audit of the DEX just before its launch—blaming “rogue developers” for the hack.” — Decrypt

Amount stolen: $1,082,000

Hundred Finance (April 15, 2023)

“The multi-chain lending protocol Hundred Finance disclosed Saturday that it lost around $7 million after being hacked on the Ethereum layer-2 blockchain Optimism.” — Decrypt

Amount stolen: $7,400,000

Yearn (April 13, 2023)

“A bug in a token issued by decentralized finance (DeFi) protocol Yearn Finance was impacted in an exploit this morning, security firm PeckShield tweeted, leading to millions of dollars in losses.

Losses could total over $11 million and occurred on Aave version 1, the data suggested. These were spread over U.S. dollar-pegged stablecoins dai (DAI), tether (USDT), USD coin (USDC), Binance USD (BUSD) and tru USD (TUSD).” — CoinDesk

Amount stolen: $11,000,000

Sushi (April 9, 2023)

“Decentralized exchange SushiSwap has fallen victim to an exploit, which led to the loss of more than $3.3 million from at least one user, known as 0xSifu on Twitter.

The exploit involves an approve-related bug on the RouterProcessor2 contract — which PeckShield and SushiSwap Head Chef Jared Grey recommend revoking on all chains.” — The Block

Amount stolen: $200,000,000

AllBridge (April 1, 2023)

“Allbridge has yet to publicly disclose how much was stolen, but blockchain security firm CertiK said the sum is close to $550,000, while PeckSheild said the exploit netted $282,889 in BUSD and $290,868 worth of Tether, totaling roughly $573,000.” — Cointelegraph

Amount stolen: $573,000

SafeMoon (March 29, 2023)

“The Safemoon token liquidity pool (LP) was drained of nearly $9 million worth of tokens on Wednesday after attackers manipulated a faulty feature on its smart contracts.

Safemoon’s SFM tokens fell over 40% in early Asian hours before slightly recovering at writing time.” — CoinDesk

Amount stolen: $200,000,000

Euler Finance (March 13, 2023)

“Euler Finance has suffered an exploit that resulted in almost $200 million being lost.
The losses occurred over four transactions in dai (DAI), wrapped bitcoin (WBTC), staked ether (sETH) and USDC, according to smart contract auditor BlockSec. The attacker used a flash loan to conduct the attack.” — CoinDesk

Amount stolen: $200,000,000

Hedera (March 9, 2023)

“Hedera, the team behind distributed ledger Hedera Hashgraph, has confirmed a smart contract exploit on the Hedera Mainnet that has led to the theft of several liquidity pool tokens.” — CoinTelegraph

Amount stolen: n/a

PeopleDAO (March 6, 2023)

“PeopleDAO, a group formed to buy a copy of the U.S. Constitution, has lost 76.5 ETH ($120,000) to a social engineering hack on March 6 that targeted the project’s monthly contributor payout form on Google Sheets.” — The Block

Amount stolen: $120,000

LaunchZone (February 27, 2023)

“BNB Chain-based DeFi protocol LaunchZone claims an exploit led to $700,000 of funds being drained from its liquidity pool, with its native token plunging in value.” — CoinTelegraph

Amount stolen: $700,000

Platypus (February 17, 2023)

“The $8 million Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post-mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didn’t exist in the version they audited.” — CoinTelegraph

Amount stolen: $8,000,000

DForce (February 13, 2023)

“On Feb. 13, onchain security firm Peckshield noticed a security breach on the dForce network. DForce had suffered a reentrancy hack attack on two vaults and lost about $3.65 million. After the hack, dForce immediately paused the vaults to ensure the safety of the remaining funds.

In a tweet earlier today, dForce announced that the exploited funds had been fully returned to their multi-sig on both Arbitrum and Optimism.” — crypto.news

Amount stolen: $0

Cow Swap (February 7, 2023)

“Security firm PeckShield reported that the hacker successfully drained roughly 551 BNB off CoW Swap into Tornado Cash, which was worth around $181,600 at the time of writing.” — CoinDesk

Amount stolen: $181,000

Orion Protocol (February 3, 2023)

“Crypto trading venue Orion Protocol was set to pause operations Thursday after an apparent attacker drained millions of dollars worth of cryptocurrency, according to cybersecurity firm Peckshield.” — CoinDesk

Amount stolen: $3,000,000

BonqDAO (January 12, 2023)

“An oracle hack allowed the exploiter to manipulate the price of the AllianceBlock token, leading to an estimated $120 million loss, according to Peckshield.” — CoinTelegraph

Amount stolen: $120,000,000

LendHub (January 12, 2023)

“According to a report issued by the team on Friday, DeFi digital asset lending firm LendHub has lost $6 million in digital assets on its network.” — crypto.news

Amount stolen: $6,000,000

2022 (44 exploits)

Defrost Finance (December 26, 2022)

“Defrost Finance, which on Sunday said its V1 and V2 products had been exploited, said the hacker in the larger V1 attack has returned the funds.” — CoinDesk

Amount stolen: $0

Rubic (December 25, 2022)

“Rubic, a service that allows users to swap cryptocurrencies between different exchanges, was exploited earlier Wednesday after attackers gained access to the private keys of an administrator’s wallet.” — CoinDesk

Amount stolen: $1,000,000

Raydium (December 16, 2022)

“Solana-based decentralized exchange platform Raydium confirmed in a tweet on Friday that it had been the victim of an exploit.

At press time, around $2 million worth of different cryptocurrencies was sitting in the account of an attacker that managed to maliciously withdraw user funds from Raydium exchange pools.” — CoinDesk

Amount stolen: $2,000,000

Lodestar Finance (December 11, 2022)

Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of PlutusDAO’s plvGLP token before borrowing all platform liquidity using the inflated token. — Cointelegraph

Amount stolen: $5,800,000

Ankr (December 2, 2022)

“Ankr, which called itself the first “node-as-a-service” platform, had suffered the multimillion-dollar exploit due to a bug in its code that allowed for unlimited minting of its token.” — CoinDesk

Amount stolen: $5,000,000

DFX Finance (November 11, 2022)

“DFX Finance, a decentralized exchange protocol for fiat-pegged stablecoins, reported that it was attacked at 2:21 pm ET. An unknown attacker siphoned approximately $7.5 million from DFX, according to estimates from security researchers at BlockSec.” — The Block

Amount stolen: $7,500,000

Skyward Finance (November 2, 2022)

“Skyward finance, an IDO platform enabling fair token distribution for projects on the NEAR Protocol, has reportedly been exploited for 1.1M NEAR tokens, worth an estimated $3 million USD at time of publication.” — CoinTelegraph

Amount stolen: $3,000,000

Solend (November 1, 2022)

“Solend, a Solana-based lending protocol, reported a market manipulation attack that resulted in $1.26 million of bad debt for the protocol. The incident occurred on Wednesday, as noted by security firm PeckShield.” — The Block

Amount stolen: $1,026,000

Moola Market (October 19, 2022)

“Celo-based lending and borrowing protocol Moola Market had over $10 million worth of tokens stolen, and later returned, Wednesday morning after a market manipulation attack.” — CoinDesk

Amount stolen: $10,000,000

TempleDAO (October 11, 2022)

“TempleDAO, a protocol that claims it provides sustainable income via staking, suffered a malicious exploit this morning on one of its staking vaults for 1,830 ETH, roughly $2.3 million at the time, according to data from Etherscan.” — The Block

Amount stolen: $2,300,000

Mango Markets (October 11, 2022)

“Mango, a decentralized finance platform hosted on the Solana blockchain, has been exploited for over $100 million.

The exploit was initially reported on Twitter by blockchain auditors OtterSec, who say “the attacker was able to manipulate their Mango collateral.”” — CoinDesk

Amount stolen: $100,000,000

BNB Chain Bridge (October 6, 2022)

“BNB Chain, the blockchain of crypto exchange Binance, was paused on Oct. 6 due to an exploit on its cross-chain bridge, with attackers making off with an estimated $100 million worth of cryptocurrency.” — CoinTelegraph

Amount stolen: $100,000,000

Transit Swap (October 2, 2022)

“Transit Swap, a multichain decentralized exchange aggregator, lost roughly $21 million after a hacker exploited an internal bug on a swap contract. Following the revelation, Transit Swap issued an apology to users with efforts to track down and recover the stolen funds currently underway.” — CoinTelegraph

Amount stolen: $21,000,000

New Free DAO (September 8, 2022)

“In September 2022, DeFi project New Free DAO was the victim of a flash loan attack. The attacker took advantage of weak reward calculation code to drain 4,481 WBNB worth approximately $1.25 million from the contract.” — Halborn

Amount stolen: $1,025,000

Nereus Finance (September 6, 2022)

“Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a user net $371,000 worth of USD Coin using a smart contract exploit.

Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Tuesday, indicating that the attack impacted liquidity pools on Nereus relating to decentralized exchange (DEX) Trader Joe and automated market maker Curve Finance.” — CoinTelegraph

Amount stolen: $371,000

Kyber Network (September 1, 2022)

“Kyber, a multi-chain decentralized finance (DeFi) platform, discovered a vulnerability to its website code that allowed exploiters to run away with approximately $265,000.

Two “whale” addresses appeared to be impacted by the attack, according to Kyber, which plans to reimburse the losses. Kyber said it discovered the exploit, which let attackers insert a “false approval, allowing a hacker to transfer a user’s funds to his address,” on Sept. 1 and “neutralized” the threat within two hours.” — CoinDesk

Amount stolen: $265,000

Acala (August 14, 2022)

“On Aug. 14, a hacker took advantage of a bug on the iBTC/aUSD liquidity pool which resulted in 1.2 billion aUSD being minted without collateral. This event crashed the USD-pegged stablecoin to a cent, and in response, the Acala team froze the erroneously minted tokens by placing the network in maintenance mode.” — Cointelegraph

Amount stolen: n/a

Nomad Bridge (August 2, 2022)

“The cross-chain token bridge Nomad was exploited Monday, with attackers draining the protocol of virtually all of its funds. The total value of cryptocurrency lost to the attack totaled near $200 million.” — CoinDesk

Amount stolen: $200,000,000

Audius (July 24, 2022)

“Proposals in crypto help communities make consensus-based decisions. However, for decentralized music platform Audius, the passing of a malicious governance proposal resulted in the transfer of tokens worth $6.1 million, with the hacker making away with $1 million.” — Cointelegraph

Amount stolen: $6,100,000

Horizon Bridge (June 24, 2022)

“The Horizon Bridge to the Harmony layer-1 blockchain has been exploited for $100 million in altcoins which are being swapped for Ether (ETH).

The hack may vindicate previously raised community concerns about the robustness of the two of four multisig that reportedly secures the bridge.” — Cointelegraph

Amount stolen: $100,000,000

Inverse Finance (June 16, 2022)

“Inverse Finance was exploited for more than $1.2 million worth of cryptocurrency on Thursday morning, on-chain data appears to show.

Exploiters seemed to use a flash loan attack to trick the protocol and steal more than 53 bitcoin, worth $1.1 million, and 10,000 tether (USDT), a stablecoin backed on a 1-1 basis with U.S. dollars. The exploit comes just over two months after attackers stole $15 million worth of cryptocurrencies from Inverse Finance in a similar attack, as previously reported.” — CoinDesk

Amount stolen: $1,200,000

Rari Capital + Fei Protocol (May 1, 2022)

“Decentralized finance (DeFi) platforms Rari Capital and Fei Protocol suffered a more-than-$80 million hack early Saturday.
The hacker exploited a reentrancy vulnerability in Rari’s Fuse lending protocol, according to a tweet by smart contract analysis firm Block Sec.” — CoinDesk

Amount stolen: $80,000,000

Saddle Finance (April 30, 2022)

“Saddle Finance, a decentralized exchange for trading stablecoins, was hacked in a DeFi exploit today.
The unknown hacker carried out the exploit at 07:40 AM UTC and netted over $10 million in ether cryptocurrency, according to on-chain data.” — The Block

Amount stolen: $10,000,000

Deus Finance (April 28, 2022)

“Decentralized finance (DeFi) application Deus Finance was exploited for the second time in two months, with the attacker gaining more than $13.4 million of cryptocurrency in early Asian hours today, security researchers at PeckShield said in a tweet. The exploit occurred on the Fantom Network.” — CoinDesk

Amount stolen: $13,400,000

Beanstalk Farms (April 18, 2022)

“Credit-based stablecoin protocol Beanstalk Farms lost all of its $182 million collateral from a security breach caused by two sinister governance proposals and a flash loan attack.” — Cointelegraph

Amount stolen: $182,000,000

Elephant Money (April 13, 2022)

“According to a statement by cybersecurity team BlockSec, Elephant Money DeFi protocol has fallen victim to a price manipulation attack that started with borrowed Wrapped Binance Coins (WBNB).” — U.Today

Amount stolen: $11,200,000

Starstream Finance (April 7, 2022)

“Starstream Finance had their treasury drained in an exploit and has advised anyone holding funds in AgoraDefi to withdraw them. The Team has announced this incident on their official Discord.” — CoinCodeCap

Amount stolen: $4,000,000

WonderHero (April 7, 2022)

The operators of cryptocurrency play-to-earn game WonderHero have disabled the service after hackers stole about $320,000 worth of Binance Coin (BNB).

The attack caused the price of WonderHero’s own coin, WND, to plummet more than 90%. — The Record

Amount stolen: $320,000

Inverse Finance (April 2, 2022)

“Ethereum-based lending protocol Inverse Finance (INV) said Saturday it suffered an exploit, with an attacker netting $15.6 million worth of stolen cryptocurrency.
According to Inverse, the attacker targeted its Anchor money market – artificially manipulating token prices to borrow loans against extremely low collateral.” — CoinDesk

Ronin Network (March 29, 2022)

“The gaming-focused Ronin network announced Tuesday a loss of over $625 million in USDC and ether (ETH).
According to a blog post published by the Ronin network’s official Substack, the exploit affected Ronin validator nodes for Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO.” — CoinDesk

Amount stolen: $625,000,000

Cashio (March 23, 2022)

“A stablecoin on the Solana blockchain has been exploited for around $52.8 million and lost practically all of its value.” — The Block

Amount stolen: $52,800,000

One Ring Finance (March 21, 2022)

“At the time of the attack, the attacker was fully prepared. Before the attack the hacker has moved funds needed for gas through the Celer Network cBridge.
15 minutes later the attacker deployed the contract that was used to drain funds from OneRing. This contract has been self-destructed however we are already working with node providers in order to get the information of the block where the contract was deployed. We believe we can find the bytecode, decompile it and at least have a brief idea on how this contract was structured.” — One Ring Finance | Medium

Amount stolen: $1,400,000

Li Finance (March 21, 2022)

“The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets.

The exploit took place at 2:51 am UTC on Sunday. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol.” — Cointelegraph

Amount stolen: $600,000

Umbrella Network (March 20, 2022)

“On March 20, 2022, Uno Re’s partner- Umbrella Network announced that the LP tokens staked in their Polar Stream staking contracts on Ethereum and BNB Chain are drained from both of the contracts. Reportedly, the hacker then withdrew liquidity using those stolen LP tokens from both the UMB-ETH Uniswap and the UMB-BNB Pancakeswap pools.” — Uno.Reinsure | Medium

Amount stolen: $700,000

Fantasm (March 9, 2022)

“Fantom-based algorithmic assets protocol Fantasm Finance was exploited for over $2.6 million worth of crypto early on Thursday, with the stolen tokens swapped for ether using privacy protocol Tornado Cash.” — CoinDesk

Amount stolen: $2,600,000

Treasure DAO (March 3, 2022)

“In early Asian hours on Thursday, hackers were able to exploit a vulnerability on the protocol that allowed them to mint NFTs for no cost. Treasure asked users to delist their NFTs from the marketplace at the time. NFTs are blockchain-based representation of a digital or real-world asset.” — CoinDesk

Amount stolen: n/a

Dego Finance (February 21, 2022)

“Dego Finance’s official Twitter handle claimed that its own address providing liquidity on popular decentralized exchanges – Uniswap and PancakeSwap – was compromised. As a result, DEGO pairs liquidity provided by the team was drained.” — CryptoPotato

Amount stolen: $10,000,000

Meter (February 6, 2022)

“With teams now using independently modified forks of ChainBridge without auditing their changes, it was only a matter of time before costly mistakes were made. In the case of Meter, their modifications to the ChainBridge code introduced a bug in the automatic wrap and unwrap of native tokens like BNB and ETH, which created an opening for a hacker to exploit.” — ChainSafe

Amount stolen: $4,300,000

Wormhole (February 3, 2022)

“One of the most popular cross-blockchain bridges may have been the victim of a hack worth over $326 million on Wednesday.
On-chain analysts called attention to an 80,000 ether (ETH) transaction from Wormhole to an address currently in possession of over $250 million worth of ETH. According to another developer, the attacker also kept 40,000 ETH on Solana, where they have been selling for other assets.” — CoinDesk

Amount stolen: $326,000,000

KlaySwap (February 3, 2022)

“Hackers have stolen roughly $1.9 million from South Korean cryptocurrency platform KLAYswap after they pulled off a rare and clever BGP hijack against the server infrastructure of one of the platform’s providers.” — The Record

Amount stolen: $1,900,000

Qubit (January 28, 2022)

“Binance Smart Chain-based Qubit Finance was exploited for over $80 million by attackers on Friday morning, developers confirmed in a post.” CoinDesk

Amount stolen: $80,000,000

Lympo (January 10, 2022)

“Sports nonfungible token (NFT) minting platform and Animoca Brands subsidiary Lympo suffered a hot wallet security breach and lost 165.2 million LMT tokens worth $18.7 million at the time of the hack.” — Cointelegraph

Amount stolen: $18,700,000

Tinyman (January 1, 2022)

“Decentralized trading protocol Tinyman, built on Algorand, was the victim of a smart contract exploit. The protocol is estimated to have lost $3 million after all was said and done.” — BeInCrypto

Amount stolen: $3,000,000

2021 (62 exploits)

Visor Finance (December 22, 2021)

“The Visor team revealed that a malicious smart contract drained the protocol’s staking contract of 8,812,958 VISR tokens. At the time of the exploit, this was valued at around $8.1 million.” — BeInCrypto

Amount stolen: $8,100,000

Grim Finance (December 19, 2021)

“Yield compounding tool Grim Finance had $30 million worth of fantom tokens stolen from its protocol after an exploit on Sunday. The project took preventive measures to stop further damage.” — CoinDesk

Amount stolen: $30,000,000

Vulcan Forged (December 13, 2021)

“Earlier today, 96 private keys were stolen from the crypto gaming ecosystem Vulcan Forged, enabling the attacker to siphon off $140 million in cryptocurrency.” — The Block

Amount stolen: $140,000,000

8ight Finance (December 8, 2021)

“8ight Finance, the OHM fork on the Harmony blockchain that saw some $1.73 million worth of stablecoins stolen from its treasury, has admitted that its “opsec was low” after revealing that the private keys to the treasury wallets were sent through Facebook chat and Google Drive.” — Source: FullyCrypto

Amount stolen: $1,073,000

Pizza DeFi (December 5, 2021)

“By using a large number of Tripool tokens, the hacker was able to open over-collateralized positions and drain real valuable assets and withdraw them to his or her own wallet. The lost tokens are valued at $5 million.” — U.Today

Amount stolen: $5,000,000

BadgerDAO (December 2, 2021)

“On Wednesday night an attacker drained funds from the wallets of dozens of users of the Badger DAO yield vault protocol using malicious contract permissions. Blockchain data and security analytics company PeckShield has concluded that the total loss amounted to about 2,100 BTC and 151 ETH.” — CoinDesk

Amount stolen: $120,000,000

MonoX (November 30, 2021)

“Decentralized finance (DeFi) lending protocol bZx was compromised for $55 million today, in what is becoming a recurring theme.” — The Block

Amount stolen: $31,000,000

bZx (November 5, 2021)

“Decentralized finance (DeFi) lending protocol bZx was compromised for $55 million today, in what is becoming a recurring theme.” — The Block

Amount stolen: $55,000,000

Cream Finance (October 27, 2021)

“An attacker has gained over $130 million of assets in an exploit that appears to have drained Cream’s coffers.” — CoinDesk

Amount stolen: $130,000,000

PancakeHunny (October 20, 2021)

“On 20 October 2021, at 0920 UTC. A smart contract was created to exploit the Hunny TUSD vault. The Contract was subsequently executed 26 times. This is the sequence of events.” — PancakeHunny | Medium

Amount stolen: $2,000,000

Indexed Finance (October 15, 2021)

“Indexed Finance has lost over $16 million worth of users’ assets after a hacker exploited a vulnerability in the protocol’s smart contracts.” — CryptoBriefing

Amount stolen: $16,000,000

Compound Finance (September 30, 2021)

“DeFi Money Market Compound Overpays Millions in COMP Rewards in Possible Exploit; Founder Says $80M at Risk.” — CoinDesk

Amount stolen: $80,000,000 (?)

Vee Finance (September 21, 2021)

“Decentralized finance (DeFi) platform Vee Finance has been hit for an exploit of around $35 million in the second major attack of an Avalanche platform.” — CoinDesk

Amount stolen: $35,000,000

pNetwork (September 20, 2021)

“An unidentified hacker has stolen 277 wrapped Bitcoin, currently worth around $12.5 million, by exploiting a bug in decentralized finance (DeFi) interoperability protocol pNetwork, its developers disclosed on Sunday.” — Decrypt

Amount stolen: $12,000,000

Sushi (September 16, 2021)

“The SushiSwap decentralized exchange has narrowly avoided becoming the latest decentralized finance hack victim thanks to assistance from a white hat hacker.
A security researcher from venture capital firm Paradigm, known on Twitter as Samczsun, has managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 Ether (ETH).” — Cointelegraph

Amount stolen: n/a

Zabu Finance (September 12, 2021)

“Avalanche-Based Zabu Finance Sees $3.2M Hack.
The attacker used Zabu’s “Transfer Tax” mechanism to mint tokens, sending their value to zero.” — CoinDesk

Amount stolen: $3,200,000

Dao Maker (September 4, 2021)

“DaoMaker was exploited for ~$4m. They left the `init` function unprotected. The attacker re-initialized the contract with malicious data and then called `emergencyExit` to get away with the funds.” — @Mudit__Gupta

Amount stolen: $4,000,000

Cream Finance (August 30, 2021)

“An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp (AMP) token, according to an investigation by blockchain security firm Peckshield.” — Cointelegraph

Amount stolen: $19,000,000

Dao Maker (August 12, 2021)

“According to a report from DAO Maker CEO Christoph Zaknun, hackers were able to remove roughly $7 million in USD Coin (USDC) from 5,251 user accounts.
Despite the name, DAO Maker has no apparent connection to MakerDAO, the decentralized finance, or DeFi, protocol behind the stablecoin Dai (DAI).” — Cointelegraph

Amount stolen: $7,000,000

Poly Network (August 10, 2021)

“Multi-chain interoperability protocol Poly Network fell victim to an exploit today, resulting in the loss of roughly $600 million worth of various cryptocurrencies, the platform’s developers revealed.” — Decrypt [1][2]

Amount stolen: $268,000,000

Punk Protocol (August 10, 2021)

“On Aug 10th, Punk Protocol was hacked for $8.95M, ~$5M of which was later returned.
The platform planned to offer a DeFi annuity scheme backed by ETH, WBTC and stablecoins.” — REKT

Amount stolen: $3,950,000

Popsicle Finance (August 3, 2021)

“Popsicle Finance, a multi-chain yield-generating crypto project, has melted under the heat of a new exploit.

The $25 million heist was revealed by security researcher Mudit Gupta, who said “the hack was complex but the bug was simple.”” — Decrypt

Amount stolen: $25,000,000

Levyathan (July 30, 2021)

“A Smart Contract flaw has seen Levyathan mint limitless tokens and endure a cataclysmic price drop.
Leviathan’s (LEV) token price fell from $0.15 to an unthinkable $0.00000147 at the time of writing according to CoinGecko data.” — BSC NEWS

Amount stolen: n/a

THORChain (July 23, 2021)

“Thorchain has been exploited for the third time in a month, bringing total losses to around $13 million. The platform, which looks after $100 million in funds, is designed for exchanging crypto tokens across different blockchains.” — The Block

Amount stolen: $13,000,000

PancakeBunny (July 16, 2021)

“PolyBunny, a yield farming protocol running on the Polygon network and QuickSwap decentralized exchange (DEX) based on Ethereum (ETH), got exploited for $2.4 million on July 16.” — CryptoSlate

Amount stolen: $2,400,000

THORChain (July 15, 2021)

“THORChain has suffered another unfortunate exploit — the second this month.” — RUNEBase

Amount stolen: $4,900,000

THORChain (June 28, 2021)

“$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.” — THORChain | Medium

Amount stolen: $139,000

Bondly Finance (July 15, 2021)

“Decentralized e-commerce platform Bondly Finance is the latest decentralized finance (DeFi) platform to suffer an alleged exploit. The developer team advised the DeFi community to stop trading Bondly, the platform’s native token, following a suspected exploit on Thursday.” — Cointelegraph

Amount stolen: n/a

ChainSwap (July 10, 2021)

“crypto projects that had used ChainSwap to launch Ethereum tokens on Binance Smart Chain lost millions to an attacker whose address now holds about $4.4 million.” — Decrypt

Amount stolen: $4,400,000

ChainSwap (July 2, 2021)

“On July 2nd, the project announced that its smart contract was compromised and the hackers drained around $800,000 worth of assets from users’ wallets.” — CryptoPotato

Amount stolen: $800,000

SafeDollar (June 28, 2021)

“According to the contract address on the Polygon Scan dashboard, $248,000 in USDC and Tether was withdrawn from the protocol on June 28.” — BeInCrypto

Amount stolen: $248,000

Eleven Finance (June 22, 2021)

“Eleven Finance was exploited to drain a number of vaults at the loss of about $4.6 million. The incident was due to a bug that allows the attacker to withdraw funds without burning any shares. While it appears to be a flashloan attack, it is a flashswap-assisted one.” — PeckShield

Amount stolen: $4,600,000

Impossible Finance (June 21, 2021)

“Decentralized finance (DeFi) protocol Impossible Finance has lost as much as $500,000 in user funds during a flash loan attack today. The attack on Impossible Finance’s liquidity pool occurred at around 4:40 AM UTC on June 21 and resulted in a loss of 229.84 ETH (about $0.5 million at the time).” — Decrypt

Amount stolen: $500,000

Alchemix (June 16, 2021)

“This morning, Alchemix announced that the contracts for one of their synthetic assets, alETH, had experienced an “incident.”
for a short window of time users were able to withdraw their ETH collateral with their alETH loans still outstanding — a rugpull by the community to the tune of $6.5 million” — Cointelegraph

Amount stolen: n/a

Belt Finance (May 28, 2021)

“Belt Finance, a platform that provides automated market making for decentralized finance (DeFi), was hacked Saturday in a flash loan attack that resulted in a profit of $6.23 million for the perpetrator and an overall $50 million loss for the platform.” — CoinDesk

Amount stolen: $50,000,000

BurgerSwap (May 28, 2021)

“According to The Block Research’s Igor Igamberdiev, an attacker used flash loans to exploit the protocol for $7.2 million. Flash loans are blockchain-based loans where large amounts of tokens are borrowed, used for some purpose and repaid — all in the same transaction.” — The Block

Amount stolen: $7,200,000

Wild Credit (May 27, 2021)

“Preliminary results show that BNT-ETH was the only exploited pool.
Total amount is 125,585 BNT (~ $637k).
The attacker has returned the BNT. All funds have been recovered with zero losses.” — @WildCredit [1][2]

Amount stolen: n/a

Merlin Lab (May 26, 2021)

“A total of $330k was stolen, bringing their TVL (total value lost) to $1,560,000, and putting them on par with Value DeFi as one of the few protocols to be so unsafe that they have three positions onto the rekt leaderboard.” — REKT

Amount stolen: $330,000

Merlin Lab (May 26, 2021)

“Just 8 hours after the first attack, they lost another ~200 ETH to a completely different exploit.” — REKT

Amount stolen: $550,000

Merlin Lab (May 26, 2021)

“On May 26, 2021, 03:59:05 AM +UTC, less than 48 hrs after the Autoshark hack. Merlin Lab, (another fork of PancakeBunny), was attacked in a similar fashion to the Bunny and the Autoshark hack.
As a result, the hacker was able to remove ~240 ETH (~680K USD).” — REKT

Amount stolen: $680,000

AutoShark Finance (May 24, 2021)

“Flash loan attacks on the Binance Smart Chain (BSC) are becoming an everyday affair now. DeFi protocols are becoming much more vulnerable to attackers exploiting the (BSC) platform. In a third flash-loan-attack incident within a week’s time, AutoShark Finance has been the latest victim.” — CoinGape

Amount stolen: $822,000

Venus Protocol (May 19, 2021)

“Venus Protocol faced massive liquidations of over $200 million on Wednesday due to a possible price manipulation of its native XVS token.” — The Block

Amount stolen: n/a

PancakeBunny (May 19, 2021)

“Popular Binance Smart Chain-based decentralized finance protocol PancakeBunny has suffered a major exploit that allowed a hacker to make off with more than $200 million worth of crypto assets.” — Cointelegraph

Amount stolen: $200,000,000

bEarn Fi (May 16, 2021)

“bEarn Fi, a cross-chain auto yield farming protocol, was exploited earlier Sunday, resulting in a loss of almost $11 million, according to China-based blockchain analysis firm PeckShield.” — CoinDesk

Amount stolen: $11,000,000

xToken (May 12, 2021)

“Decentralized finance (DeFi) protocol xToken said it suffered an exploit Wednesday by an attacker who used flash loans to take $24.5 million.” — CoinDesk

Amount stolen: $24,500,000

Rari Capital (May 8, 2021)

“Rari Capital announced there was an exploit in the Rari Capital ETH Pool related to its Alpha Finance Lab integration.
According to Etherscan, $15 million worth of ether was taken.” — CoinDesk

Amount stolen: $15,000,000

Spartan Protocol (May 2, 2021)

“Spartan Protocol, a decentralized protocol built on Binance Smart Chain for incentivized liquidity and synthetic assets, was exploited earlier Sunday UTC due to “a flawed liquidity share calculation” in the protocol, resulting in a loss of more than $30 million, according to a Medium post by on-chain analysis and security startup PeckShield.” — CoinDesk

Amount stolen: $30,000,000

Uranium Finance (April 28, 2021)

“Uranium Finance, an automated market maker platform on the Binance Smart Chain, has reported a security incident that resulted in a loss of about $50 million.” — Cointelegraph

Amount stolen: $50,000,000

EasyFi (April 19, 2021)

“EasyFi, a decentralized finance (DeFi) Polygon Network-powered protocol, has reported suffering a hack Monday of over $80 million.”— CoinDesk

Amount stolen: $80,000,000

Force DAO (April 4, 2021)

“According to a chain of tweets by Mudit Gupta, blockchain team lead at blockchain software company Polymath, there were five attackers, one of whom later returned his share of the stolen funds. The others, however, made off with FORCE tokens worth about US$376,000.” — CoinDesk

Amount stolen: $376,000

TurtleDex (March 18, 2021)

“TurtleDex, a decentralized finance (DeFi) file storage project on the Binance Smart Chain (BSC), is believed to have pulled a rugpull exit scam yesterday when more than $2.4 million in funds were drained from trading pools on major BSC DeFi exchanges Ape Swap and Pancake Swap.” — Decrypt

Amount stolen: $2,400,000

Iron Finance (March 16, 2021)

“Iron Finance is a partially collateralized stablecoin platform based on the Binance Smart Chain (BSC).
It reported that on March 16, two Iron Finance vFarm pools were “subject to an incident”. This ordeal resulted in the loss of user deposits.” — BeInCrypto

Amount stolen: $170,000

Roll (March 14, 2021)

“Roll, a platform for issuing social tokens on the Ethereum network, suffered an apparent exploit on Sunday, resulting in the theft and subsequent sale of tokens.” — The Block

Amount stolen: $5,700,000

DODO (March 8, 2021)

“Decentralized finance (DeFi) platform DODO has been hacked for approximately $3.8 million worth of tokens.” — CoinDesk
“According to an update, the exchange recovered $1.89 million, comprised of about 1,140,000 USDT and 411 ETH, and plans to return the funds to affected parties.” — The Block

Amount stolen: $1,910,000

Paid Network (March 5, 2021)

“PAID Network, a crypto project that utilizes an Ethereum-based token, has suffered a contract exploit, resulting in the minting of nearly $160 million worth of tokens by the attacker.” — The Block

Amount stolen: $160,000,000

Meerkat Finance (March 4, 2021)

“Meerkat Finance, a decentralized finance project, has just said it has been drained by $31 million worth of crypto assets due to a hack. But on-chain data shows it may not be as simple as that.” — The Block

Amount stolen: $31,000,000

Furucombo (February 28, 2020)

“Furucombo, a drag and drop tool for users to create DeFi transactions, has been exploited.
The exploiter has stolen roughly $14M in ETH and ERC-20 tokens.” — The Block

Amount stolen: $14,000,000

Alpha Finance Lab + Cream Finance (February 13, 2021)

“In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform.” — Cointelegraph

Amount stolen: $37,000,000

BT Finance (February 12, 2021)

“In this exploit, the exploiter(s) made a total profit of 31.87renBTC and 211 ETH, and used REN and Tornado.Cash to transfer assets anonymously.” — BT Finance | Medium

Amount stolen: $1,500,000

Growth DeFi (February 8, 2021)

“By forcing the staker contract to accept a liquidity pair containing a fake token, the attacker was able to remove $1.3 million in liquidity.

The attacker created a fake token called AXZ and supplied rAXZZ/GRO liquidity. He then staked it in the contract and pulled out the other pair.” — REKT

Amount stolen: $1,300,000

Yearn Finance (February 4, 2021)

“DeFi yield farming project Yearn Finance has been hit by an exploit that has affected a DAI lending pool.” — Decrypt

Amount stolen: $11,000,000

Saddle Finance (January 19, 2021)

“DeFi protocol Saddle Finance was launched on Jan. 20, with the aim of alleviating the problematic spread between stablecoins and wrapped or tokenized crypto assets. Within a few hours of going live, however, whales had taken advantage of the new protocol by arbitraging for huge profits.” — BeInCrypto

Amount stolen: $275,000

2020 (16 exploits)

Cover Protocol (December 28, 2020)

“Decentralized finance (DeFi) protocol Cover, which recently merged with Yearn.Finance, has just been exploited.” — The Block

Amount stolen: $5,000,000

Warp Finance (December 18, 2020)

“Decentralized finance (DeFi) lending protocol Warp Finance has experienced a flash loan attack that resulted in a loss of $7.7 million worth of stablecoins.” — The Block

Amount stolen: $7,700,000

Pickle Finance (November 21, 2020)

“The coffers of Pickle Finance, a decentralized finance (DeFi) protocol with a native token that looks suspiciously like Pickle Rick, of Rick and Morty fame, were drained today of $20 million in what appears to be a hack.” — Decrypt

Amount stolen: $30,000,000

Origin Protocol (November 17, 2020)

“Stablecoin project Origin Dollar (OUSD) sustained a re-entrancy attack at 00:47 UTC Tuesday resulting in a loss of funds worth $7 million, including over $1 million deposited by Origin and its founders and employees.” — CoinDesk

Amount stolen: $7,000,000

Value DeFi (November 14, 2020)

“Value DeFi was exploited for approximately $6 million earlier Saturday, possibly due to a flash loan attack, a scheme often seen in the fast-growing DeFi sector.” — CoinDesk

Amount stolen: $6,000,000

Akropolis (November 12, 2020)

“Decentralized finance (DeFi) protocol Akropolis lost $2 million in DAI in an exploit on Thursday morning.” — The Block

Amount stolen: $2,000,000

Harvest Finance (October 26, 2020)

“An arbitrage trade exploiting weak points in decentralized finance (DeFi) protocol Harvest Finance led to some $24 million in stablecoins being siphoned away from the project’s pools on Monday, according to CoinGecko.” — CoinDesk

Amount stolen: $24,000,000

Leo Finance (October 11, 2020)

“Wrapped Leo (WLEO) and its investors have been named recent victims of hackers after the team confirmed in a blog post earlier today that about $42,000 was drained from the DeFi project.” — Cryptopolitan

Amount stolen: $42,000

Eminence (September 29, 2020)

“Experimental DeFi platform Yearn Finance cultists were hit with losses this morning after an unidentified hacker exploited a smart contract vulnerability in Eminence, an upcoming gaming project built by Yearn founder Andre Cronje.” — Decrypt

Amount stolen: $15,000,000

bZx (September 13, 2020)

“Decentralized finance (DeFi) lending protocol bZx was attacked once again last night and lost a little over $8 million due to a faulty code in its smart contracts.” — The Block

Amount stolen: $8,000,000

Soft Yearn (September 7, 2020)

“An anonymous user has revealed how he made $250k in profits from a minor investment in a cloned version of Yearn.finance called Soft Yearn (SYFI).” — Cointelegraph

Amount stolen: $250,000

Opyn (August 4, 2020)

“Attackers raided the decentralized finance (DeFi) protocol Opyn yesterday, making off with over 370,000 USDC.
Opyn, which deals primarily with options for ETH, was subject to a double-spend attack.” — Decrypt

Amount stolen: $370,000

Balancer (June 29, 2020)

“Balancer Pool admitted early Monday morning it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000 worth of tokens.” — CoinDesk

Amount stolen: $500,000

dForce (April 19, 2020)

“The total value locked in the dForce ecosystem was down by 100% to $6 over the past 24 hours, per DeFi Pulse data. A day ago, the total value locked in the system was $24.9 million.” — The Block

Amount stolen: $24,900,000

bZx (February 15, 2020)

“In the last four days, the bZx DeFi trading protocol was exploited twice; the first attack was executed over Valentine’s Day and yielded ~1,271 ETH, while the second one was just last night and made ~2,378 ETH. That’s about $320,000 and $600,000, respectively, with ETH at $250.” — The Defiant

Amount stolen: $900,000

Fulcrum (January 11, 2020)

“when Fulcrum team released their own Flash Loans feature on the Ethereum Mainnet, and we happened to find a very critical vulnerability in it. We discovered that $2.5M of user funds from 3 pools could be stolen within a single transaction..” — 1inch Network

Amount stolen: $2,500,000

🔒 Protect your backups from extreme conditions with The Billfodl.

😃 Help save a crypto wallet from getting stolen by sharing our website!