Documented Timeline of DeFi Exploits

As of today, there are a total of 148 DeFi exploits* that have occurred, with lost funds amounting to a total of approximately $4.28 billion at the time of these exploits; with the biggest exploit being the Ronin bridge exploit, losing $625 million of value.

This list doesn’t include hacks concerning front-ends, DNSs, etc.

2023: 18 exploits
2022: 45 exploits
2021: 62 exploits
2020: 16 exploits

* some exploits occur on multiple chains.

2023 (18 exploits)

Lodestar Finance (December 11, 2022)

Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of PlutusDAO’s plvGLP token before borrowing all platform liquidity using the inflated token. — Cointelegraph

Amount stolen: $5,800,000

Ankr (December 2, 2022)

“Ankr, which called itself the first “node-as-a-service” platform, had suffered the multimillion-dollar exploit due to a bug in its code that allowed for unlimited minting of its token.” — CoinDesk

Amount stolen: $5,000,000

DFX Finance (November 11, 2022)

“DFX Finance, a decentralized exchange protocol for fiat-pegged stablecoins, reported that it was attacked at 2:21 pm ET. An unknown attacker siphoned approximately $7.5 million from DFX, according to estimates from security researchers at BlockSec.” — The Block

Amount stolen: $7,500,000

Skyward Finance (November 2, 2022)

“Skyward finance, an IDO platform enabling fair token distribution for projects on the NEAR Protocol, has reportedly been exploited for 1.1M NEAR tokens, worth an estimated $3 million USD at time of publication.” — CoinTelegraph

Amount stolen: $3,000,000

Solend (November 1, 2022)

“Solend, a Solana-based lending protocol, reported a market manipulation attack that resulted in $1.26 million of bad debt for the protocol. The incident occurred on Wednesday, as noted by security firm PeckShield.” — The Block

Amount stolen: $1,026,000

Moola Market (October 19, 2022)

“Celo-based lending and borrowing protocol Moola Market had over $10 million worth of tokens stolen, and later returned, Wednesday morning after a market manipulation attack.” — CoinDesk

Amount stolen: $10,000,000

TempleDAO (October 11, 2022)

“TempleDAO, a protocol that claims it provides sustainable income via staking, suffered a malicious exploit this morning on one of its staking vaults for 1,830 ETH, roughly $2.3 million at the time, according to data from Etherscan.” — The Block

Amount stolen: $2,300,000

Mango Markets (October 11, 2022)

“Mango, a decentralized finance platform hosted on the Solana blockchain, has been exploited for over $100 million.

The exploit was initially reported on Twitter by blockchain auditors OtterSec, who say “the attacker was able to manipulate their Mango collateral.”” — CoinDesk

Amount stolen: $100,000,000

BNB Chain Bridge (October 6, 2022)

“BNB Chain, the blockchain of crypto exchange Binance, was paused on Oct. 6 due to an exploit on its cross-chain bridge, with attackers making off with an estimated $100 million worth of cryptocurrency.” — CoinTelegraph

Amount stolen: $100,000,000

Transit Swap (October 2, 2022)

“Transit Swap, a multichain decentralized exchange aggregator, lost roughly $21 million after a hacker exploited an internal bug on a swap contract. Following the revelation, Transit Swap issued an apology to users with efforts to track down and recover the stolen funds currently underway.” — CoinTelegraph

Amount stolen: $21,000,000

New Free DAO (September 8, 2022)

“In September 2022, DeFi project New Free DAO was the victim of a flash loan attack. The attacker took advantage of weak reward calculation code to drain 4,481 WBNB worth approximately $1.25 million from the contract.” — Halborn

Amount stolen: $1,025,000

Nereus Finance (September 6, 2022)

“Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a user net $371,000 worth of USD Coin using a smart contract exploit.

Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Tuesday, indicating that the attack impacted liquidity pools on Nereus relating to decentralized exchange (DEX) Trader Joe and automated market maker Curve Finance.” — CoinTelegraph

Amount stolen: $371,000

Kyber Network (September 1, 2022)

“Kyber, a multi-chain decentralized finance (DeFi) platform, discovered a vulnerability to its website code that allowed exploiters to run away with approximately $265,000.

Two “whale” addresses appeared to be impacted by the attack, according to Kyber, which plans to reimburse the losses. Kyber said it discovered the exploit, which let attackers insert a “false approval, allowing a hacker to transfer a user’s funds to his address,” on Sept. 1 and “neutralized” the threat within two hours.” — CoinDesk

Amount stolen: $265,000

Acala (August 14, 2022)

“On Aug. 14, a hacker took advantage of a bug on the iBTC/aUSD liquidity pool which resulted in 1.2 billion aUSD being minted without collateral. This event crashed the USD-pegged stablecoin to a cent, and in response, the Acala team froze the erroneously minted tokens by placing the network in maintenance mode.” — Cointelegraph

Amount stolen: n/a

Nomad Bridge (August 2, 2022)

“The cross-chain token bridge Nomad was exploited Monday, with attackers draining the protocol of virtually all of its funds. The total value of cryptocurrency lost to the attack totaled near $200 million.” — CoinDesk

Amount stolen: $200,000,000

Audius (July 24, 2022)

“Proposals in crypto help communities make consensus-based decisions. However, for decentralized music platform Audius, the passing of a malicious governance proposal resulted in the transfer of tokens worth $6.1 million, with the hacker making away with $1 million.” — Cointelegraph

Amount stolen: $6,100,000

Horizon Bridge (June 24, 2022)

“The Horizon Bridge to the Harmony layer-1 blockchain has been exploited for $100 million in altcoins which are being swapped for Ether (ETH).

The hack may vindicate previously raised community concerns about the robustness of the two of four multisig that reportedly secures the bridge.” — Cointelegraph

Amount stolen: $100,000,000

Inverse Finance (June 16, 2022)

“Inverse Finance was exploited for more than $1.2 million worth of cryptocurrency on Thursday morning, on-chain data appears to show.

Exploiters seemed to use a flash loan attack to trick the protocol and steal more than 53 bitcoin, worth $1.1 million, and 10,000 tether (USDT), a stablecoin backed on a 1-1 basis with U.S. dollars. The exploit comes just over two months after attackers stole $15 million worth of cryptocurrencies from Inverse Finance in a similar attack, as previously reported.” — CoinDesk

Amount stolen: $1,200,000

Rari Capital + Fei Protocol (May 1, 2022)

“Decentralized finance (DeFi) platforms Rari Capital and Fei Protocol suffered a more-than-$80 million hack early Saturday.
The hacker exploited a reentrancy vulnerability in Rari’s Fuse lending protocol, according to a tweet by smart contract analysis firm Block Sec.” — CoinDesk

Amount stolen: $80,000,000

Saddle Finance (April 30, 2022)

“Saddle Finance, a decentralized exchange for trading stablecoins, was hacked in a DeFi exploit today.
The unknown hacker carried out the exploit at 07:40 AM UTC and netted over $10 million in ether cryptocurrency, according to on-chain data.” — The Block

Amount stolen: $10,000,000

Deus Finance (April 28, 2022)

“Decentralized finance (DeFi) application Deus Finance was exploited for the second time in two months, with the attacker gaining more than $13.4 million of cryptocurrency in early Asian hours today, security researchers at PeckShield said in a tweet. The exploit occurred on the Fantom Network.” — CoinDesk

Amount stolen: $13,400,000

Beanstalk Farms (April 18, 2022)

“Credit-based stablecoin protocol Beanstalk Farms lost all of its $182 million collateral from a security breach caused by two sinister governance proposals and a flash loan attack.” — Cointelegraph

Amount stolen: $182,000,000

Elephant Money (April 13, 2022)

“According to a statement by cybersecurity team BlockSec, Elephant Money DeFi protocol has fallen victim to a price manipulation attack that started with borrowed Wrapped Binance Coins (WBNB).” — U.Today

Amount stolen: $11,200,000

Starstream Finance (April 7, 2022)

“Starstream Finance had their treasury drained in an exploit and has advised anyone holding funds in AgoraDefi to withdraw them. The Team has announced this incident on their official Discord.” — CoinCodeCap

Amount stolen: $4,000,000

WonderHero (April 7, 2022)

The operators of cryptocurrency play-to-earn game WonderHero have disabled the service after hackers stole about $320,000 worth of Binance Coin (BNB).

The attack caused the price of WonderHero’s own coin, WND, to plummet more than 90%. — The Record

Amount stolen: $320,000

Inverse Finance (April 2, 2022)

“Ethereum-based lending protocol Inverse Finance (INV) said Saturday it suffered an exploit, with an attacker netting $15.6 million worth of stolen cryptocurrency.
According to Inverse, the attacker targeted its Anchor money market – artificially manipulating token prices to borrow loans against extremely low collateral.” — CoinDesk

Ronin Network (March 29, 2022)

“The gaming-focused Ronin network announced Tuesday a loss of over $625 million in USDC and ether (ETH).
According to a blog post published by the Ronin network’s official Substack, the exploit affected Ronin validator nodes for Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO.” — CoinDesk

Amount stolen: $625,000,000

Cashio (March 23, 2022)

“A stablecoin on the Solana blockchain has been exploited for around $52.8 million and lost practically all of its value.” — The Block

Amount stolen: $52,800,000

One Ring Finance (March 21, 2022)

“At the time of the attack, the attacker was fully prepared. Before the attack the hacker has moved funds needed for gas through the Celer Network cBridge.
15 minutes later the attacker deployed the contract that was used to drain funds from OneRing. This contract has been self-destructed however we are already working with node providers in order to get the information of the block where the contract was deployed. We believe we can find the bytecode, decompile it and at least have a brief idea on how this contract was structured.” — One Ring Finance | Medium

Amount stolen: $1,400,000

Li Finance (March 21, 2022)

“The Li Finance swap aggregator has experienced a smart contract exploit leading to the loss of around $600,000 from 29 users’ wallets.

The exploit took place at 2:51 am UTC on Sunday. The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol.” — Cointelegraph

Amount stolen: $600,000

Umbrella Network (March 20, 2022)

“On March 20, 2022, Uno Re’s partner- Umbrella Network announced that the LP tokens staked in their Polar Stream staking contracts on Ethereum and BNB Chain are drained from both of the contracts. Reportedly, the hacker then withdrew liquidity using those stolen LP tokens from both the UMB-ETH Uniswap and the UMB-BNB Pancakeswap pools.” — Uno.Reinsure | Medium

Amount stolen: $700,000

Fantasm (March 9, 2022)

“Fantom-based algorithmic assets protocol Fantasm Finance was exploited for over $2.6 million worth of crypto early on Thursday, with the stolen tokens swapped for ether using privacy protocol Tornado Cash.” — CoinDesk

Amount stolen: $2,600,000

Treasure DAO (March 3, 2022)

“In early Asian hours on Thursday, hackers were able to exploit a vulnerability on the protocol that allowed them to mint NFTs for no cost. Treasure asked users to delist their NFTs from the marketplace at the time. NFTs are blockchain-based representation of a digital or real-world asset.” — CoinDesk

Amount stolen: n/a

Dego Finance (February 21, 2022)

“Dego Finance’s official Twitter handle claimed that its own address providing liquidity on popular decentralized exchanges – Uniswap and PancakeSwap – was compromised. As a result, DEGO pairs liquidity provided by the team was drained.” — CryptoPotato

Amount stolen: $10,000,000

Meter (February 6, 2022)

“With teams now using independently modified forks of ChainBridge without auditing their changes, it was only a matter of time before costly mistakes were made. In the case of Meter, their modifications to the ChainBridge code introduced a bug in the automatic wrap and unwrap of native tokens like BNB and ETH, which created an opening for a hacker to exploit.” — ChainSafe

Amount stolen: $4,300,000

Wormhole (February 3, 2022)

“One of the most popular cross-blockchain bridges may have been the victim of a hack worth over $326 million on Wednesday.
On-chain analysts called attention to an 80,000 ether (ETH) transaction from Wormhole to an address currently in possession of over $250 million worth of ETH. According to another developer, the attacker also kept 40,000 ETH on Solana, where they have been selling for other assets.” — CoinDesk

Amount stolen: $326,000,000

KlaySwap (February 3, 2022)

“Hackers have stolen roughly $1.9 million from South Korean cryptocurrency platform KLAYswap after they pulled off a rare and clever BGP hijack against the server infrastructure of one of the platform’s providers.” — The Record

Amount stolen: $1,900,000

Qubit (January 28, 2022)

“Binance Smart Chain-based Qubit Finance was exploited for over $80 million by attackers on Friday morning, developers confirmed in a post.” CoinDesk

Amount stolen: $80,000,000

Lympo (January 10, 2022)

“Sports nonfungible token (NFT) minting platform and Animoca Brands subsidiary Lympo suffered a hot wallet security breach and lost 165.2 million LMT tokens worth $18.7 million at the time of the hack.” — Cointelegraph

Amount stolen: $18,700,000

Tinyman (January 1, 2022)

“Decentralized trading protocol Tinyman, built on Algorand, was the victim of a smart contract exploit. The protocol is estimated to have lost $3 million after all was said and done.” — BeInCrypto

Amount stolen: $3,000,000

2021 (62 exploits)

Visor Finance (December 22, 2021)

“The Visor team revealed that a malicious smart contract drained the protocol’s staking contract of 8,812,958 VISR tokens. At the time of the exploit, this was valued at around $8.1 million.” — BeInCrypto

Amount stolen: $8,100,000

Grim Finance (December 19, 2021)

“Yield compounding tool Grim Finance had $30 million worth of fantom tokens stolen from its protocol after an exploit on Sunday. The project took preventive measures to stop further damage.” — CoinDesk

Amount stolen: $30,000,000

Vulcan Forged (December 13, 2021)

“Earlier today, 96 private keys were stolen from the crypto gaming ecosystem Vulcan Forged, enabling the attacker to siphon off $140 million in cryptocurrency.” — The Block

Amount stolen: $140,000,000

8ight Finance (December 8, 2021)

“8ight Finance, the OHM fork on the Harmony blockchain that saw some $1.73 million worth of stablecoins stolen from its treasury, has admitted that its “opsec was low” after revealing that the private keys to the treasury wallets were sent through Facebook chat and Google Drive.” — Source: FullyCrypto

Amount stolen: $1,073,000

Pizza DeFi (December 5, 2021)

“By using a large number of Tripool tokens, the hacker was able to open over-collateralized positions and drain real valuable assets and withdraw them to his or her own wallet. The lost tokens are valued at $5 million.” — U.Today

Amount stolen: $5,000,000

BadgerDAO (December 2, 2021)

“On Wednesday night an attacker drained funds from the wallets of dozens of users of the Badger DAO yield vault protocol using malicious contract permissions. Blockchain data and security analytics company PeckShield has concluded that the total loss amounted to about 2,100 BTC and 151 ETH.” — CoinDesk

Amount stolen: $120,000,000

MonoX (November 30, 2021)

“Decentralized finance (DeFi) lending protocol bZx was compromised for $55 million today, in what is becoming a recurring theme.” — The Block

Amount stolen: $31,000,000

bZx (November 5, 2021)

“Decentralized finance (DeFi) lending protocol bZx was compromised for $55 million today, in what is becoming a recurring theme.” — The Block

Amount stolen: $55,000,000

Cream Finance (October 27, 2021)

“An attacker has gained over $130 million of assets in an exploit that appears to have drained Cream’s coffers.” — CoinDesk

Amount stolen: $130,000,000

PancakeHunny (October 20, 2021)

“On 20 October 2021, at 0920 UTC. A smart contract was created to exploit the Hunny TUSD vault. The Contract was subsequently executed 26 times. This is the sequence of events.” — PancakeHunny | Medium

Amount stolen: $2,000,000

Indexed Finance (October 15, 2021)

“Indexed Finance has lost over $16 million worth of users’ assets after a hacker exploited a vulnerability in the protocol’s smart contracts.” — CryptoBriefing

Amount stolen: $16,000,000

Compound Finance (September 30, 2021)

“DeFi Money Market Compound Overpays Millions in COMP Rewards in Possible Exploit; Founder Says $80M at Risk.” — CoinDesk

Amount stolen: $80,000,000 (?)

Vee Finance (September 21, 2021)

“Decentralized finance (DeFi) platform Vee Finance has been hit for an exploit of around $35 million in the second major attack of an Avalanche platform.” — CoinDesk

Amount stolen: $35,000,000

pNetwork (September 20, 2021)

“An unidentified hacker has stolen 277 wrapped Bitcoin, currently worth around $12.5 million, by exploiting a bug in decentralized finance (DeFi) interoperability protocol pNetwork, its developers disclosed on Sunday.” — Decrypt

Amount stolen: $12,000,000

Sushi (September 16, 2021)

“The SushiSwap decentralized exchange has narrowly avoided becoming the latest decentralized finance hack victim thanks to assistance from a white hat hacker.
A security researcher from venture capital firm Paradigm, known on Twitter as Samczsun, has managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 Ether (ETH).” — Cointelegraph

Amount stolen: n/a

Zabu Finance (September 12, 2021)

“Avalanche-Based Zabu Finance Sees $3.2M Hack.
The attacker used Zabu’s “Transfer Tax” mechanism to mint tokens, sending their value to zero.” — CoinDesk

Amount stolen: $3,200,000

Dao Maker (September 4, 2021)

“DaoMaker was exploited for ~$4m. They left the `init` function unprotected. The attacker re-initialized the contract with malicious data and then called `emergencyExit` to get away with the funds.” — @Mudit__Gupta

Amount stolen: $4,000,000

Cream Finance (August 30, 2021)

“An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp (AMP) token, according to an investigation by blockchain security firm Peckshield.” — Cointelegraph

Amount stolen: $19,000,000

Dao Maker (August 12, 2021)

“According to a report from DAO Maker CEO Christoph Zaknun, hackers were able to remove roughly $7 million in USD Coin (USDC) from 5,251 user accounts.
Despite the name, DAO Maker has no apparent connection to MakerDAO, the decentralized finance, or DeFi, protocol behind the stablecoin Dai (DAI).” — Cointelegraph

Amount stolen: $7,000,000

Poly Network (August 10, 2021)

“Multi-chain interoperability protocol Poly Network fell victim to an exploit today, resulting in the loss of roughly $600 million worth of various cryptocurrencies, the platform’s developers revealed.” — Decrypt [1][2]

Amount stolen: $268,000,000

Punk Protocol (August 10, 2021)

“On Aug 10th, Punk Protocol was hacked for $8.95M, ~$5M of which was later returned.
The platform planned to offer a DeFi annuity scheme backed by ETH, WBTC and stablecoins.” — REKT

Amount stolen: $3,950,000

Popsicle Finance (August 3, 2021)

“Popsicle Finance, a multi-chain yield-generating crypto project, has melted under the heat of a new exploit.

The $25 million heist was revealed by security researcher Mudit Gupta, who said “the hack was complex but the bug was simple.”” — Decrypt

Amount stolen: $25,000,000

Levyathan (July 30, 2021)

“A Smart Contract flaw has seen Levyathan mint limitless tokens and endure a cataclysmic price drop.
Leviathan’s (LEV) token price fell from $0.15 to an unthinkable $0.00000147 at the time of writing according to CoinGecko data.” — BSC NEWS

Amount stolen: n/a

THORChain (July 23, 2021)

“Thorchain has been exploited for the third time in a month, bringing total losses to around $13 million. The platform, which looks after $100 million in funds, is designed for exchanging crypto tokens across different blockchains.” — The Block

Amount stolen: $13,000,000

PancakeBunny (July 16, 2021)

“PolyBunny, a yield farming protocol running on the Polygon network and QuickSwap decentralized exchange (DEX) based on Ethereum (ETH), got exploited for $2.4 million on July 16.” — CryptoSlate

Amount stolen: $2,400,000

THORChain (July 15, 2021)

“THORChain has suffered another unfortunate exploit — the second this month.” — RUNEBase

Amount stolen: $4,900,000

THORChain (June 28, 2021)

“$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.” — THORChain | Medium

Amount stolen: $139,000

Bondly Finance (July 15, 2021)

“Decentralized e-commerce platform Bondly Finance is the latest decentralized finance (DeFi) platform to suffer an alleged exploit. The developer team advised the DeFi community to stop trading Bondly, the platform’s native token, following a suspected exploit on Thursday.” — Cointelegraph

Amount stolen: n/a

ChainSwap (July 10, 2021)

“crypto projects that had used ChainSwap to launch Ethereum tokens on Binance Smart Chain lost millions to an attacker whose address now holds about $4.4 million.” — Decrypt

Amount stolen: $4,400,000

ChainSwap (July 2, 2021)

“On July 2nd, the project announced that its smart contract was compromised and the hackers drained around $800,000 worth of assets from users’ wallets.” — CryptoPotato

Amount stolen: $800,000

SafeDollar (June 28, 2021)

“According to the contract address on the Polygon Scan dashboard, $248,000 in USDC and Tether was withdrawn from the protocol on June 28.” — BeInCrypto

Amount stolen: $248,000

Eleven Finance (June 22, 2021)

“Eleven Finance was exploited to drain a number of vaults at the loss of about $4.6 million. The incident was due to a bug that allows the attacker to withdraw funds without burning any shares. While it appears to be a flashloan attack, it is a flashswap-assisted one.” — PeckShield

Amount stolen: $4,600,000

Impossible Finance (June 21, 2021)

“Decentralized finance (DeFi) protocol Impossible Finance has lost as much as $500,000 in user funds during a flash loan attack today. The attack on Impossible Finance’s liquidity pool occurred at around 4:40 AM UTC on June 21 and resulted in a loss of 229.84 ETH (about $0.5 million at the time).” — Decrypt

Amount stolen: $500,000

Alchemix (June 16, 2021)

“This morning, Alchemix announced that the contracts for one of their synthetic assets, alETH, had experienced an “incident.”
for a short window of time users were able to withdraw their ETH collateral with their alETH loans still outstanding — a rugpull by the community to the tune of $6.5 million” — Cointelegraph

Amount stolen: n/a

Belt Finance (May 28, 2021)

“Belt Finance, a platform that provides automated market making for decentralized finance (DeFi), was hacked Saturday in a flash loan attack that resulted in a profit of $6.23 million for the perpetrator and an overall $50 million loss for the platform.” — CoinDesk

Amount stolen: $50,000,000

BurgerSwap (May 28, 2021)

“According to The Block Research’s Igor Igamberdiev, an attacker used flash loans to exploit the protocol for $7.2 million. Flash loans are blockchain-based loans where large amounts of tokens are borrowed, used for some purpose and repaid — all in the same transaction.” — The Block

Amount stolen: $7,200,000

Wild Credit (May 27, 2021)

“Preliminary results show that BNT-ETH was the only exploited pool.
Total amount is 125,585 BNT (~ $637k).
The attacker has returned the BNT. All funds have been recovered with zero losses.” — @WildCredit [1][2]

Amount stolen: n/a

Merlin Lab (May 26, 2021)

“A total of $330k was stolen, bringing their TVL (total value lost) to $1,560,000, and putting them on par with Value DeFi as one of the few protocols to be so unsafe that they have three positions onto the rekt leaderboard.” — REKT

Amount stolen: $330,000

Merlin Lab (May 26, 2021)

“Just 8 hours after the first attack, they lost another ~200 ETH to a completely different exploit.” — REKT

Amount stolen: $550,000

Merlin Lab (May 26, 2021)

“On May 26, 2021, 03:59:05 AM +UTC, less than 48 hrs after the Autoshark hack. Merlin Lab, (another fork of PancakeBunny), was attacked in a similar fashion to the Bunny and the Autoshark hack.
As a result, the hacker was able to remove ~240 ETH (~680K USD).” — REKT

Amount stolen: $680,000

AutoShark Finance (May 24, 2021)

“Flash loan attacks on the Binance Smart Chain (BSC) are becoming an everyday affair now. DeFi protocols are becoming much more vulnerable to attackers exploiting the (BSC) platform. In a third flash-loan-attack incident within a week’s time, AutoShark Finance has been the latest victim.” — CoinGape

Amount stolen: $822,000

Venus Protocol (May 19, 2021)

“Venus Protocol faced massive liquidations of over $200 million on Wednesday due to a possible price manipulation of its native XVS token.” — The Block

Amount stolen: n/a

PancakeBunny (May 19, 2021)

“Popular Binance Smart Chain-based decentralized finance protocol PancakeBunny has suffered a major exploit that allowed a hacker to make off with more than $200 million worth of crypto assets.” — Cointelegraph

Amount stolen: $200,000,000

bEarn Fi (May 16, 2021)

“bEarn Fi, a cross-chain auto yield farming protocol, was exploited earlier Sunday, resulting in a loss of almost $11 million, according to China-based blockchain analysis firm PeckShield.” — CoinDesk

Amount stolen: $11,000,000

xToken (May 12, 2021)

“Decentralized finance (DeFi) protocol xToken said it suffered an exploit Wednesday by an attacker who used flash loans to take $24.5 million.” — CoinDesk

Amount stolen: $24,500,000

Rari Capital (May 8, 2021)

“Rari Capital announced there was an exploit in the Rari Capital ETH Pool related to its Alpha Finance Lab integration.
According to Etherscan, $15 million worth of ether was taken.” — CoinDesk

Amount stolen: $15,000,000

Spartan Protocol (May 2, 2021)

“Spartan Protocol, a decentralized protocol built on Binance Smart Chain for incentivized liquidity and synthetic assets, was exploited earlier Sunday UTC due to “a flawed liquidity share calculation” in the protocol, resulting in a loss of more than $30 million, according to a Medium post by on-chain analysis and security startup PeckShield.” — CoinDesk

Amount stolen: $30,000,000

Uranium Finance (April 28, 2021)

“Uranium Finance, an automated market maker platform on the Binance Smart Chain, has reported a security incident that resulted in a loss of about $50 million.” — Cointelegraph

Amount stolen: $50,000,000

EasyFi (April 19, 2021)

“EasyFi, a decentralized finance (DeFi) Polygon Network-powered protocol, has reported suffering a hack Monday of over $80 million.”— CoinDesk

Amount stolen: $80,000,000

Force DAO (April 4, 2021)

“According to a chain of tweets by Mudit Gupta, blockchain team lead at blockchain software company Polymath, there were five attackers, one of whom later returned his share of the stolen funds. The others, however, made off with FORCE tokens worth about US$376,000.” — CoinDesk

Amount stolen: $376,000

TurtleDex (March 18, 2021)

“TurtleDex, a decentralized finance (DeFi) file storage project on the Binance Smart Chain (BSC), is believed to have pulled a rugpull exit scam yesterday when more than $2.4 million in funds were drained from trading pools on major BSC DeFi exchanges Ape Swap and Pancake Swap.” — Decrypt

Amount stolen: $2,400,000

Iron Finance (March 16, 2021)

“Iron Finance is a partially collateralized stablecoin platform based on the Binance Smart Chain (BSC).
It reported that on March 16, two Iron Finance vFarm pools were “subject to an incident”. This ordeal resulted in the loss of user deposits.” — BeInCrypto

Amount stolen: $170,000

Roll (March 14, 2021)

“Roll, a platform for issuing social tokens on the Ethereum network, suffered an apparent exploit on Sunday, resulting in the theft and subsequent sale of tokens.” — The Block

Amount stolen: $5,700,000

DODO (March 8, 2021)

“Decentralized finance (DeFi) platform DODO has been hacked for approximately $3.8 million worth of tokens.” — CoinDesk
“According to an update, the exchange recovered $1.89 million, comprised of about 1,140,000 USDT and 411 ETH, and plans to return the funds to affected parties.” — The Block

Amount stolen: $1,910,000

Paid Network (March 5, 2021)

“PAID Network, a crypto project that utilizes an Ethereum-based token, has suffered a contract exploit, resulting in the minting of nearly $160 million worth of tokens by the attacker.” — The Block

Amount stolen: $160,000,000

Meerkat Finance (March 4, 2021)

“Meerkat Finance, a decentralized finance project, has just said it has been drained by $31 million worth of crypto assets due to a hack. But on-chain data shows it may not be as simple as that.” — The Block

Amount stolen: $31,000,000

Furucombo (February 28, 2020)

“Furucombo, a drag and drop tool for users to create DeFi transactions, has been exploited.
The exploiter has stolen roughly $14M in ETH and ERC-20 tokens.” — The Block

Amount stolen: $14,000,000

Alpha Finance Lab + Cream Finance (February 13, 2021)

“In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform.” — Cointelegraph

Amount stolen: $37,000,000

BT Finance (February 12, 2021)

“In this exploit, the exploiter(s) made a total profit of 31.87renBTC and 211 ETH, and used REN and Tornado.Cash to transfer assets anonymously.” — BT Finance | Medium

Amount stolen: $1,500,000

Growth DeFi (February 8, 2021)

“By forcing the staker contract to accept a liquidity pair containing a fake token, the attacker was able to remove $1.3 million in liquidity.

The attacker created a fake token called AXZ and supplied rAXZZ/GRO liquidity. He then staked it in the contract and pulled out the other pair.” — REKT

Amount stolen: $1,300,000

Yearn Finance (February 4, 2021)

“DeFi yield farming project Yearn Finance has been hit by an exploit that has affected a DAI lending pool.” — Decrypt

Amount stolen: $11,000,000

Saddle Finance (January 19, 2021)

“DeFi protocol Saddle Finance was launched on Jan. 20, with the aim of alleviating the problematic spread between stablecoins and wrapped or tokenized crypto assets. Within a few hours of going live, however, whales had taken advantage of the new protocol by arbitraging for huge profits.” — BeInCrypto

Amount stolen: $275,000

2020 (16 exploits)

Cover Protocol (December 28, 2020)

“Decentralized finance (DeFi) protocol Cover, which recently merged with Yearn.Finance, has just been exploited.” — The Block

Amount stolen: $5,000,000

Warp Finance (December 18, 2020)

“Decentralized finance (DeFi) lending protocol Warp Finance has experienced a flash loan attack that resulted in a loss of $7.7 million worth of stablecoins.” — The Block

Amount stolen: $7,700,000

Pickle Finance (November 21, 2020)

“The coffers of Pickle Finance, a decentralized finance (DeFi) protocol with a native token that looks suspiciously like Pickle Rick, of Rick and Morty fame, were drained today of $20 million in what appears to be a hack.” — Decrypt

Amount stolen: $30,000,000

Origin Protocol (November 17, 2020)

“Stablecoin project Origin Dollar (OUSD) sustained a re-entrancy attack at 00:47 UTC Tuesday resulting in a loss of funds worth $7 million, including over $1 million deposited by Origin and its founders and employees.” — CoinDesk

Amount stolen: $7,000,000

Value DeFi (November 14, 2020)

“Value DeFi was exploited for approximately $6 million earlier Saturday, possibly due to a flash loan attack, a scheme often seen in the fast-growing DeFi sector.” — CoinDesk

Amount stolen: $6,000,000

Akropolis (November 12, 2020)

“Decentralized finance (DeFi) protocol Akropolis lost $2 million in DAI in an exploit on Thursday morning.” — The Block

Amount stolen: $2,000,000

Harvest Finance (October 26, 2020)

“An arbitrage trade exploiting weak points in decentralized finance (DeFi) protocol Harvest Finance led to some $24 million in stablecoins being siphoned away from the project’s pools on Monday, according to CoinGecko.” — CoinDesk

Amount stolen: $24,000,000

Leo Finance (October 11, 2020)

“Wrapped Leo (WLEO) and its investors have been named recent victims of hackers after the team confirmed in a blog post earlier today that about $42,000 was drained from the DeFi project.” — Cryptopolitan

Amount stolen: $42,000

Eminence (September 29, 2020)

“Experimental DeFi platform Yearn Finance cultists were hit with losses this morning after an unidentified hacker exploited a smart contract vulnerability in Eminence, an upcoming gaming project built by Yearn founder Andre Cronje.” — Decrypt

Amount stolen: $15,000,000

bZx (September 13, 2020)

“Decentralized finance (DeFi) lending protocol bZx was attacked once again last night and lost a little over $8 million due to a faulty code in its smart contracts.” — The Block

Amount stolen: $8,000,000

Soft Yearn (September 7, 2020)

“An anonymous user has revealed how he made $250k in profits from a minor investment in a cloned version of Yearn.finance called Soft Yearn (SYFI).” — Cointelegraph

Amount stolen: $250,000

Opyn (August 4, 2020)

“Attackers raided the decentralized finance (DeFi) protocol Opyn yesterday, making off with over 370,000 USDC.
Opyn, which deals primarily with options for ETH, was subject to a double-spend attack.” — Decrypt

Amount stolen: $370,000

Balancer (June 29, 2020)

“Balancer Pool admitted early Monday morning it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000 worth of tokens.” — CoinDesk

Amount stolen: $500,000

dForce (April 19, 2020)

“The total value locked in the dForce ecosystem was down by 100% to $6 over the past 24 hours, per DeFi Pulse data. A day ago, the total value locked in the system was $24.9 million.” — The Block

Amount stolen: $24,900,000

bZx (February 15, 2020)

“In the last four days, the bZx DeFi trading protocol was exploited twice; the first attack was executed over Valentine’s Day and yielded ~1,271 ETH, while the second one was just last night and made ~2,378 ETH. That’s about $320,000 and $600,000, respectively, with ETH at $250.” — The Defiant

Amount stolen: $900,000

Fulcrum (January 11, 2020)

“when Fulcrum team released their own Flash Loans feature on the Ethereum Mainnet, and we happened to find a very critical vulnerability in it. We discovered that $2.5M of user funds from 3 pools could be stolen within a single transaction..” — 1inch Network

Amount stolen: $2,500,000