# ZeroDay Dev Exploit-Data

> Machine-readable Markdown catalog of exploit incidents and CVE learning references included in ZeroDay Dev.

- Total entries: 172
- Incident entries: 146
- CVE entries: 26
- Generated at: 2026-05-13
- Source commit: cbe4271

## Notes

This is an educational collection of important exploit incidents and CVE-based references included in ZeroDay Dev.
It is not a comprehensive database of every exploit, breach, or disclosed vulnerability.

## Entries

### 0ktapus, Twilio and Cloudflare SMS phishing

- Incident | Date: Aug 2022
- Summary: SMS phishing campaign used a real-time relay kit to capture and forward TOTP codes, compromising Twilio and 136 companies. Cloudflare blocked it with FIDO2 hardware keys.

### 1inch Fusion V1 Settlement

- Incident | Date: 2025-03 | Amount: $5M
- Summary: Integer underflow in Yul pointer arithmetic corrupted calldata suffix handling and enabled unauthorized resolver execution.

### Aave + CoW Swap

- Incident | Date: 2026-03 | Amount: ~$50M→$36K
- Summary: A large fill-or-kill aUSDT->aAAVE swap executed at extreme price impact after quote-quality degradation, solver non-delivery, and auction-path failures.

### Aave wstETH CAPO

- Incident | Date: Mar 2026 | Amount: $26M
- Summary: Roughly $26M in wrongful liquidations (Mar 2026), caused by a misalignment between snapshotRatio and snapshotTimestamp.

### Abracadabra

- Incident | Date: 2025-10 | Amount: ~$13M
- Summary: Attackers used flash loans to inflate collateral values, then exploited rounding truncation in the lending contract's LTV calculation to over-borrow MIM stablecoin.

### ALEX Protocol

- Incident | Date: 2025-06 | Amount: ~$8.3M
- Summary: ALEX Protocol on Stacks (Bitcoin L2) lost $8.3M when an attacker exploited missing authorization checks in the vault permission system, bypassing intended access controls.

### Alpha Homora / Iron Bank

- Incident | Date: 2021-02 | Amount: $37M
- Summary: A cross-protocol integration weakness between Alpha Homora and Iron Bank enabled recursive borrowing and bad debt.

### Ankr/Helio

- Incident | Date: 2022-12 | Amount: $15M
- Summary: A compromised Ankr deployer key enabled minting 6T aBNBc tokens. The market price crashed but Helio’s oracle remained at the pre-dump level. Attackers bought cheap aBNBc, posted it at the stale price as collateral, and borrowed $10M in HAY stablecoin.

### Aperture Finance

- Incident | Date: 2026-01 | Amount: ~$3.7M
- Summary: LP position management contract's internal swap helper accepted user-controlled call target and calldata without whitelist; attacker passed WBTC contract as target and forged transferFrom calldata to drain victim approvals including ERC-721 LP NFTs.

### Axios npm Supply Chain

- Incident | Date: 2026-03
- Summary: Attackers compromised the axios lead maintainer's PC via a multi-week social engineering campaign and RAT malware. Using the stolen npm credentials they published axios@1.14.1 and 0.30.4 with a poisoned dependency, plain-crypto-js@4.2.1. A postinstall hook in setup.js deployed a cross-platform remote access trojan that harvested environment variables and CI/CD secrets, contacting C2 at sfrclak.com:8000 (142.11.206.73). The malicious versions were live for ~3 hours before the npm team removed them after community escalation.

### BadgerDAO Frontend Compromise

- Incident | Date: 2021-12 | Amount: $120M
- Summary: Attackers compromised frontend dependencies and injected malicious transaction flows. Users signed approvals to attacker-controlled spenders via trusted UI paths.

### Balancer v2

- Incident | Date: 2025-11 | Amount: $121.1M
- Summary: Composable Stable Pools undercharged exact-out swaps because _upscale always rounded down even after scaling factors began incorporating rate-provider values. Attackers used BPT-as-a-token exitSwaps and batchSwap net settlement to push pools into low liquidity, deflate the stable invariant, and later withdraw Vault internal balances.

### Base USDC

- Incident | Date: Jan 2026
- Summary: Malicious spender approvals drained funds (Jan 2026).

### BCE Token

- Incident | Date: 2025-03 | Amount: ~$679K
- Summary: BCE token on BNB Chain embedded IUniswapV2Pair(pair).sync() inside its _transfer burn logic; the attacker deployed two fresh contracts (not in the static address blacklist) and routed BCE sells through PancakeRouter - each sell triggered a burn that called sync() mid-swap, corrupting the BCE-USDT pair reserve accounting. With the k invariant lowered, the attacker extracted ~$679K USDT in one transaction.

### Beanstalk

- Incident | Date: Apr 2022 | Amount: $182M
- Summary: ~$76M drained (Apr 2022). Flash-loan governance takeover, with emergencyCommit executed in the same block.

### BNB Bridge (Token Hub)

- Incident | Date: 2022-10 | Amount: $566M
- Summary: A verification flaw let attackers submit crafted proofs that bypassed intended bridge checks. The bridge minted assets that were not properly backed by source-chain state.

### BonqDAO

- Incident | Date: 2023-02 | Amount: $120M
- Summary: Manipulated collateral pricing enabled under-collateralized borrowing and protocol insolvency. Losses propagated through dependent debt positions.

### British Airways (Magecart)

- Incident | Date: Sep 2018
- Summary: Compromised third-party script execution in checkout context enabled card-skimming JavaScript to exfiltrate payment data in-browser.

### Bunni V2

- Incident | Date: Sep 2025 | Amount: $8.3M
- Summary: Rounding down in withdraw under-burned shares; 44 tiny withdrawals plus a sandwich drained ~$8.3M (Sep 2025).

### Bybit

- Incident | Date: 2025-02 | Amount: $1.5B
- Summary: A signing-flow/UI spoofing attack enabled approval of malicious payloads while presenting benign transaction context to signers.

### bZx Fulcrum

- Incident | Date: Feb 2020 | Amount: ~$918K
- Summary: Two February 2020 incidents on Ethereum mainnet. Feb 15: dYdX flash loan → Compound WBTC hoard → bZx 5x margin short via Kyber/Uniswap moved WBTC spot; a margin health check was skipped when loadDataBytes was empty and sentAmounts[6] equaled sentAmounts[1], so an undercollateralized position was opened and value leaked. Feb 18: flash loan from bZx iETH; attacker pushed sUSD price on Kyber then borrowed ~6.8k ETH against mispriced collateral.

### Capital One

- Incident
- Summary: The 2019 Capital One breach: server-side URL fetchers accepted attacker-controlled targets, enabling access to cloud metadata credentials and large-scale data theft.

### Cashio

- Incident | Date: 2022-03 | Amount: ~$52.8M
- Summary: Cashio's CASH minting logic validated the collateral type inside the passed arrow account but never verified that arrow was owned by the Cashio program. Attacker created a fake arrow pointing to a worthless token, passed it to the mint instruction, and minted over 2 billion CASH tokens immediately swapped for USDC, USDT, and UST.

### Cetus Protocol

- Incident | Date: May 2025 | Amount: $223M
- Summary: $223M drained (May 2025, Sui). Incorrect overflow guard in checked_shlw corrupted add-liquidity token-delta.

### Change Healthcare, ALPHV/BlackCat

- Incident | Date: Feb 2024 | Amount: $22M
- Summary: ALPHV gained initial access via stolen credentials on a Citrix gateway with MFA disabled, then moved laterally to exfiltrate 6–8 TB of medical records for 190 million Americans.

### CircleCI incident

- Incident | Date: Jan 2023
- Summary: Malware on a CircleCI engineer's laptop stole a 2FA-backed SSO session cookie with a 30-day lifetime, providing persistent production access and enabling extraction of encryption keys from live process memory.

### Cisco Catalyst SD-WAN Manager (Mar-Apr 2026 API chain, CVE-2026-20122/20128/20133)

- CVE | Date: 2026-04
- Summary: Cisco disclosed active exploitation across multiple SD-WAN Manager API flaws in March and April 2026. The set included unauthenticated information disclosure bugs (CVE-2026-20128 and CVE-2026-20133) and an authenticated arbitrary file overwrite bug (CVE-2026-20122) that could elevate a read-only API user to vManage privileges.

### CitrixBleed (CVE-2023-4966)

- CVE | Date: Oct 2023
- Summary: A buffer overread in Citrix NetScaler ADC and Gateway leaked authenticated session tokens from heap memory. Unauthenticated attackers replayed tokens to bypass MFA and gain full access to enterprise networks.

### Coinbase Data Breach

- Incident | Date: 2025-05 | Amount: ~$8M
- Summary: Company insiders were bribed to export sensitive customer information including names, contact data, and partial account details, enabling downstream social engineering attacks.

### CoinsPaid

- Incident | Date: Jul 2023 | Amount: $37.3M
- Summary: CoinsPaid lost $37.3M after a months-long social-engineering campaign culminated in an employee executing malware from a fake hiring workflow. Attackers gained workstation and infrastructure access before withdrawing operational funds.

### Compound COMP Distribution Bug

- Incident | Date: 2021-09 | Amount: $70M
- Summary: A Compound governance upgrade introduced an off-by-one error in COMP distribution, letting users claim excess rewards. Because protocol changes require a 2-day governance timelock, the emergency patch could not be deployed immediately.

### Compound Proposal 289

- Incident | Date: July 2024 | Amount: $24M
- Summary: In July 2024, Compound Proposal 289 transferred 499,000 COMP (~$24M) to an unmonitored 'Golden Boys' multisig via a legitimate governance vote.

### Confluence RCE (CVE-2021-26084)

- CVE | Date: Aug 2021
- Summary: Atlassian Confluence's WebWork MVC layer evaluated OGNL expressions from unauthenticated HTTP request parameters. Mass exploitation began within days of disclosure, deploying cryptominers and web shells across internet-facing Confluence instances.

### cPanel & WHM (CVE-2026-41940)

- CVE | Date: 2026-04
- Summary: A crafted Basic auth header with CRLF bytes injected attacker-controlled keys into cPanel's raw session file. Because the loader preferred JSON cache state, the forged lines only became authoritative after cache promotion, enabling management-plane authentication bypass.

### Cream Finance

- Incident | Date: 2021-10 | Amount: $130M
- Summary: Oracle relied on yVault pricePerShare() which could be manipulated by reducing share supply. Attacker inflated collateral valuation to borrow all available liquidity.

### Crema Finance

- Incident | Date: 2022-07 | Amount: ~$8.8M
- Summary: Crema Finance's concentrated liquidity Claim instruction read fee accumulator fields from the caller-supplied tick account without verifying it was a valid PDA owned by the Crema program. Attacker constructed a fake tick account with maximally inflated fee data, injected it alongside a Solend flash loan, and claimed the entire pool's reserves as phantom fees.

### CrossCurve / Portal

- Incident | Date: 2026-02 | Amount: $1.7M
- Summary: Unrestricted express execution and weak threshold assumptions enabled unauthorized cross-chain actions.

### Curve/Vyper reentrancy lock bug

- Incident | Date: 2023-07 | Amount: $60M+
- Summary: A compiler-level reentrancy lock issue impacted multiple Curve pools and downstream integrators. Attackers exploited callback windows and inconsistent lock behavior during liquidity operations.

### CVE-2016-5195

- CVE | Date: 2016
- Summary: Dirty COW was a Linux kernel race condition that let an unprivileged local process write to read-only mappings and escalate to root privileges on affected systems.

### CVE-2017-0144

- CVE | Date: 2017
- Summary: EternalBlue was the SMBv1 remote code execution flaw later weaponized by WannaCry, allowing wormable compromise of unpatched Windows systems over the network.

### CVE-2021-41773

- CVE | Date: 2021
- Summary: An Apache HTTP Server path traversal flaw could expose files outside the document root and, in some configurations, lead to remote code execution through CGI paths.

### CVE-2023-30541

- CVE | Date: 2023
- Summary: This OpenZeppelin proxy selector-clash issue highlighted how overlapping admin and implementation selectors can route privileged calls incorrectly without transparent-proxy safeguards.

### CVE-2023-42462

- CVE | Date: 2023
- Summary: A Vyper compiler bug broke expected nonreentrancy protections by generating incorrect storage locking behavior, contributing to reentrancy risk in affected contracts.

### Cyberhaven Chrome Extension

- Incident | Date: 2024-12
- Summary: On December 24, 2024, an attacker phished a Cyberhaven employee into authorizing a malicious OAuth application named 'Privacy Policy Extension', granting Chrome Web Store admin access. The attacker published v24.10.4 with modified worker.js (C2 communication to cyberhavenext.pro) and a new content.js (DOM monitoring and cookie exfiltration). Approximately 400K browsers auto-updated between Dec 25 01:32 UTC and Dec 26 02:50 UTC. Primary targets were Facebook advertising credentials and authenticated sessions.

### DBXen

- Incident | Date: 2026-03 | Amount: $135K
- Summary: Authorization logic mixed `msg.sender` and `_msgSender()` with forwarder semantics, enabling permission confusion.

### DEXX

- Incident | Date: 2024-11 | Amount: ~$30M
- Summary: DEXX operated as a custodial Solana trading terminal, holding user private keys server-side. Private keys were transmitted in plaintext in export_wallet API responses. A server-side breach or traffic interception gave the attacker signing keys for 8,620+ wallets, which were drained of ~$30M in assets.

### dForce (Lendf.Me)

- Incident | Date: 2020-04 | Amount: $25M
- Summary: Lendf.Me called transferFrom before recording the deposit. imBTC (ERC-777) fired tokensReceived on the contract during transfer, allowing the attacker to re-enter supply() and inflate their credited balance before it was written.

### DMM Bitcoin

- Incident | Date: May 2024 | Amount: $305M
- Summary: An unauthorized outflow of 4,502.9 BTC (~$305M) left DMM Bitcoin in May 2024. The operator did not publicly confirm the exact intrusion path, but the incident is widely treated as a likely hot-wallet or signing-authority compromise.

### Drift Protocol

- Incident | Date: 2026-04 | Amount: ~$285M
- Summary: Citrine Sleet (UNC4736, DPRK - same group as the October 2024 Radiant Capital hack) conducted a 6-month intelligence operation: fake quantitative trading firm, in-person contact at multiple crypto conferences across multiple countries, $1M Ecosystem Vault deposit to build trust, device compromise via a malicious code repository exploiting a VSCode/Cursor zero-click vulnerability and a TestFlight wallet app. Two of five Security Council members were induced to pre-sign governance transactions using Solana's durable nonce feature. On April 1, 2026, the attacker executed the pre-signed transactions to seize admin control, listed a fake CVT collateral market with a manipulated oracle, removed withdrawal limits, and drained ~$285M in 31 withdrawals over 12 minutes.

### Equifax Data Breach

- Incident | Date: Sep 2017
- Summary: Attackers exploited Apache Struts 2 OGNL injection (CVE-2017-5638) in an internet-facing Equifax dispute portal. A crafted Content-Type header achieved remote code execution on a system that should have been patched months earlier.

### Euler Finance

- Incident | Date: 2023-03 | Amount: $197M
- Summary: Donation of eTokens reduced collateral without a liquidity check, enabling engineered liquidation profit.

### Follina (CVE-2022-30190)

- CVE | Date: May 2022
- Summary: A malicious Office document invoked the ms-msdt:// URI protocol handler via an external OLE relationship, triggering Microsoft Support Diagnostic Tool to execute attacker-supplied PowerShell without any macro enablement — exploitable via Preview Pane in some configurations.

### FoomLottery

- Incident | Date: Feb 2026 | Amount: $1.1M
- Summary: ~$1.1M at risk (Feb 2026), recovered by a whitehat rescue; the same Groth16 verifier flaw as VeilCash.

### FortiClient EMS SQL Injection (CVE-2026-21643)

- CVE | Date: 2026-04
- Summary: CVE-2026-21643 is an actively exploited SQL injection flaw in Fortinet FortiClient EMS. Reports indicate the `/api/v1/init_consts` path trusted an attacker-controlled `Site` header, allowing unauthenticated database manipulation and follow-on command or code execution on the management server.

### Fortinet FortiClient EMS

- Incident | Date: 2026-04
- Summary: CVE-2026-35616 was an actively exploited improper access control flaw in FortiClient EMS that let unauthenticated attackers send crafted API requests to bypass authentication and authorization checks, enabling unauthorized code or command execution on the management server. For crypto firms, compromise of an endpoint-management plane can become a pivot into operator workstations, VPN access, and custody-adjacent infrastructure.

### Furucombo

- Incident | Date: 2021-02 | Amount: $14M
- Summary: Attacker registered a cube pointing to Aave v2’s implementation. Furucombo’s proxy delegatecall’d into it, executing Aave code in the proxy’s storage context. Because the proxy held infinite user approvals, the attacker drained them via transferFrom.

### Fuse

- Incident | Date: Jan 2023
- Summary: Oracle manipulation drained overvalued collateral (Jan 2023).

### FutureSwap

- Incident | Date: Jan 2026
- Summary: 433K USD drained (Jan 2026) through a unit mismatch in calculations.

### Gala Games

- Incident | Date: 2024-05 | Amount: $216M
- Summary: Legacy/deployer authority compromise allowed unauthorized minting and market disruption.

### GMX

- Incident | Date: Jul 2025
- Summary: Share price manipulation (Jul 2025).

### Grok Bankrbot Morse-Code Prompt Injection

- Incident | Date: 2026-05 | Amount: ~$200K
- Summary: An attacker posted Morse code to X, Grok decoded it, and Bankrbot treated the decoded text as an authorized transfer instruction, moving 3 billion DRB from a verified wallet on Base.

### Harmony Horizon Bridge

- Incident | Date: 2022-06 | Amount: $100M
- Summary: Attacker obtained enough validator keys to satisfy bridge withdrawal threshold. Once signatures were forged, funds were released as if legitimate.

### Harvest Finance

- Incident | Date: 2020-10 | Amount: $24M
- Summary: Attackers used flash loans and rapid Curve pool imbalances to exploit Harvest vault share accounting assumptions.

### Heartbleed (CVE-2014-0160)

- CVE | Date: Apr 2014
- Summary: CVE-2014-0160 (Apr 2014): The TLS heartbeat extension lets a client send a 'payload' with a claimed length up to 64 KB. OpenSSL copied that many bytes from server memory using the attacker-supplied length, without checking whether that many bytes were actually received. One request could silently return 64 KB of heap (private keys, session tokens, passwords) with no server-side log entry and no connection state needed.

### Hegic

- Incident | Date: 2025-01 | Amount: ~$60K
- Summary: Withdrawal state was not marked consumed per position/tranche, allowing repeated withdrawals against the same entitlement.

### HTX / Heco

- Incident | Date: 2023-11 | Amount: $258M
- Summary: Compromised bridge/wallet custody controls enabled high-value unauthorized transfers.

### Hundred Finance

- Incident | Date: 2023-04 | Amount: $7M
- Summary: A forked lending implementation inherited fragile accounting behavior under edge conditions. Attackers exploited the gap between assumed and actual solvency calculations.

### Hyperbridge

- Incident | Date: 2026-04 | Amount: ~$237K
- Summary: A forged MMR-based cross-chain request exploited proof verification edge cases and missing trust-boundary hardening, letting the attacker seize bridged DOT mint authority on Ethereum, mint 1B unbacked tokens, and extract about 108.2 ETH.

### imBTC Uniswap V1 Reentrancy

- Incident | Date: April 2020
- Summary: Reentrancy via the ERC-777 tokensToSend hook (April 2020).

### Indexed Finance

- Incident | Date: 2021-10 | Amount: ~$50K
- Summary: The pool pricing/share invariant was broken via token balance manipulation and flash liquidity, enabling underpriced withdrawals.

### Infini

- Incident | Date: 2025-02 | Amount: ~$49.5M
- Summary: Stablecoin neobank Infini lost $49.5M when an address with developer-level admin permissions, never revoked after deployment, drained protocol reserves.

### Inverse Finance

- Incident | Date: 2022-04 | Amount: $15.6M
- Summary: Inverse Finance’s oracle relied on a low-liquidity INV/WETH Uniswap pair via Keep3r. An attacker flash-loaned $150M, swapped into the pair to inflate INV’s price, borrowed against the manipulated collateral value, and repaid the flash loan.

### IoTeX ioTube

- Incident | Date: 2026-02 | Amount: ~$4.4M
- Summary: Compromised owner private key to the TransferValidatorWithPayload bridge contract allowed attacker to call upgrade() and deploy a malicious implementation that stripped all signature verification, then transferred vault ownership to drain $4.4M in bridged assets and mint 821M unbacked CIOTX.

### Ivanti Endpoint Manager Mobile (CVE-2026-6973)

- CVE | Date: 2026-05
- Summary: CVE-2026-6973 is an actively exploited improper input validation flaw in on-prem Ivanti Endpoint Manager Mobile that allows remote code execution after an attacker obtains administrator authentication. Ivanti warned that environments which did not fully complete January 2026 EPMM credential-response guidance remain at materially higher risk.

### KelpDAO rsETH Bridge

- Incident | Date: 2026-04 | Amount: $292M
- Summary: Poisoned RPC inputs plus a 1-of-1 DVN configuration let a forged burn message pass verification and trigger rsETH release on Ethereum.

### KiloEx

- Incident | Date: April 2025 | Amount: $7M
- Summary: KiloEx, April 2025: ~$7M lost across multiple chains.

### Kinto

- Incident | Date: Jul 2025 | Amount: $1.55M
- Summary: $1.55M drained (Jul 2025) via uninitialized ERC-1967 proxies.

### KyberSwap Elastic

- Incident | Date: 2023-11 | Amount: $48M
- Summary: A tick boundary precision mismatch caused liquidity accounting disagreement during swaps, enabling attacker-controlled double counting.

### LastPass breach

- Incident | Date: 2022 | Amount: $150M
- Summary: Attackers exfiltrated encrypted password vaults containing unencrypted site URLs, enabling targeted attacks against high-value accounts even before any password encryption is broken.

### LiFi

- Incident | Date: 2022-03 | Amount: $202K+
- Summary: User-supplied calldata enabled arbitrary external calls that spent existing user approvals, draining wallet allowances.

### Litecoin MWEB Reorg

- Incident | Date: 2026-04 | Amount: $600K at risk
- Summary: The postmortem showed two linked failures: March's missing MWEB input metadata revalidation during block connection enabled an inflated peg-out, and April's mutated-block handling bug stalled upgraded miners long enough for unpatched miners to grow a 13-block invalid branch.

### LiteV3 Bridge

- Incident | Date: Feb 2026
- Summary: Proxy initialization race (Feb 2026): the attacker front-ran init and seized ownership.

### Log4Shell (CVE-2021-44228)

- CVE | Date: Dec 2021
- Summary: Log4j JNDI lookup expansion processed attacker-controlled strings from logged data, triggering remote class loading and code execution in vulnerable Java services.

### Loopscale

- Incident | Amount: $5.8M
- Summary: Loopscale lost about $5.8M in a collateral pricing manipulation incident.

### Lyra DepositWrapper

- Incident | Date: 2025-09 | Amount: $500K+
- Summary: Missing target validation plus zero-amount path granted unlimited approvals to attacker-controlled contracts.

### Makina DUSD

- Incident | Date: 2026-01 | Amount: $1M+
- Summary: Spot-like external pool state was ingested into protocol accounting and manipulated with flash liquidity.

### Mango Markets

- Incident | Date: Oct 2022 | Amount: $114M
- Summary: Mango Markets, October 11, 2022: $114M extracted via MNGO spot price manipulation → inflated perp PnL → borrowing of real assets.

### Mercor LiteLLM Supply Chain

- Incident | Date: 2026-04
- Summary: Attackers compromised the Trivy security scanner supply chain, stole PyPI credentials, and published poisoned LiteLLM 1.82.7/1.82.8 packages that harvested credentials and exfiltrated data from Mercor after install.

### Mixin Network

- Incident | Date: 2023-09 | Amount: $200M
- Summary: Compromise of centralized custody infrastructure enabled major unauthorized asset outflows.

### MonoX Finance

- Incident | Date: 2021-11 | Amount: $31M
- Summary: MonoX used independent _sell and _buy price updates. Swapping MONO as both input and output inflated its virtual price. Attacker then used overvalued MONO to drain other tokens from the pool.

### Moonwell cbETH

- Incident | Date: Feb 2026
- Summary: Oracle misconfigured, price off by ~2000x (Feb 2026).

### MOVEit CLOP Zero-day (CVE-2023-34362)

- CVE | Date: May 2023
- Summary: CL0P exploited a SQL injection zero-day in MOVEit Transfer, installed a persistent LEMURLOOT web shell, and simultaneously exfiltrated data from 2,700+ organisations.

### Multichain

- Incident | Date: 2023-07 | Amount: $126M
- Summary: The CEO had sole server access; executor keys were compromised after the CEO's disappearance.

### Munchables

- Incident | Date: Mar 2024 | Amount: $62.5M
- Summary: $62.5M drained (Mar 2024) through a storage backdoor planted by a rogue developer.

### Nirvana Finance

- Incident | Date: 2022-07 | Amount: ~$3.5M
- Summary: Nirvana's ANA token bonding curve used the treasury as direct counterparty with no flash loan protection. Attacker borrowed 10.25M USDC via Solend flash loan to buy ANA (inflating the curve price 3x), then sold ANA back at the inflated price, receiving 3.49M USDT from the treasury. Flash loan repaid; treasury fully drained in one transaction.

### Nomad Bridge

- Incident | Date: 2022-08 | Amount: $190M
- Summary: A buggy upgrade marked ZERO_HASH as trusted; any forged zero-body message passed validation.

### NotPetya

- Incident | Date: Jun 2017
- Summary: Attackers compromised the M.E.Doc software update channel, distributed NotPetya through a trusted update, then spread laterally with credential theft, PsExec, WMI, and SMB exploits including EternalBlue.

### Odos Router

- Incident | Date: Jan 2025
- Summary: Arbitrary token drains (Jan 2025). Signature validation lacked proper domain separation and safety checks.

### Okta support system breach

- Incident | Date: Oct 2023
- Summary: An attacker accessed Okta's support system via a compromised employee personal Google account and replayed session tokens found in customer-uploaded HAR debug files to hijack active sessions.

### OptiFi

- Incident | Date: 2022-08 | Amount: $661K
- Summary: While attempting to close a buffer account to recover rent, an OptiFi developer ran `solana program close` with the production program address. Solana irreversibly marks the program non-executable with no confirmation prompt. All PDAs owned by the program, including $661K in USDC and all open derivatives positions, became permanently inaccessible.

### Orbit Bridge

- Incident | Date: 2023-12 | Amount: $80M
- Summary: Bridge operator trust assumptions failed after key compromise. Attackers triggered unauthorized bridge outflows across connected assets.

### PAN-OS GlobalProtect (CVE-2024-3400)

- CVE | Date: Apr 2024
- Summary: Unauthenticated OS command injection on Palo Alto Networks PAN-OS GlobalProtect, exploited as a zero-day by nation-state actors. A path traversal wrote attacker-controlled content to disk; an unsanitized telemetry shell command then executed it, deploying the UPSTYLE Python backdoor.

### PAN-OS User-ID Authentication Portal (CVE-2026-0300)

- CVE | Date: 2026-05
- Summary: A buffer overflow / out-of-bounds write in the PAN-OS User-ID Authentication Portal (Captive Portal) let unauthenticated attackers send crafted packets that achieved root-level code execution on exposed PA-Series and VM-Series firewalls. Palo Alto reported in-production exploitation, CISA added the issue to KEV, and the main mitigations before patching were to restrict portal access to trusted internal IPs or disable the feature entirely.

### Pancake Bunny

- Incident | Date: 2021-05 | Amount: $45M
- Summary: An attacker manipulated PancakeSwap pool prices with flash loans and abused spot-price-dependent reward minting.

### Parity Multisig Freeze

- Incident | Date: 2017-11 | Amount: $150M locked
- Summary: A public initializer let an attacker take ownership of the shared library contract and selfdestruct it, freezing multisig wallets.

### Platypus Finance

- Incident | Date: 2023-02 | Amount: $9M
- Summary: Protocol accounting and solvency assumptions were exploitable during withdrawal/position transitions. Attackers extracted value by violating intended pool health invariants.

### PlayDapp

- Incident | Date: 2024-02 | Amount: $290M
- Summary: Compromised mint authority enabled large unauthorized token issuance and market impact.

### Poloniex

- Incident | Date: 2023-11 | Amount: $114M
- Summary: Compromised exchange wallet control led to unauthorized multi-asset transfers.

### Poly Network

- Incident | Date: 2021-08 | Amount: $611M
- Summary: Cross-chain execution used caller-derived contract and method bytes without allowlisting; four-byte selector derivation collided with a privileged keeper update.

### Polygon Clone Wallet

- Incident | Date: Dec 2023
- Summary: TEL drained (Dec 2023): an uninitialized clone allowed the attacker to set the owner.

### PrintNightmare (CVE-2021-34527)

- CVE | Date: Jun 2021
- Summary: Insufficient privilege checks in Windows Print Spooler's AddPrinterDriverEx RPC call allowed any authenticated domain user to install a malicious DLL loaded by Spooler as SYSTEM, enabling LPE and RCE on every Windows machine with the service running.

### Prisma Finance

- Incident | Date: Mar 2024 | Amount: $12M
- Summary: Prisma Finance's MigrateTroveZap helper trusted attacker-controlled flash-loan callback data when reopening troves, allowing exploiters to act on delegated positions with inflated collateral values.

### ProxyLogon (CVE-2021-26855)

- CVE | Date: Mar 2021
- Summary: ProxyLogon abused Exchange's frontend proxy to send backend-authenticated requests, then chained into arbitrary file write and web-shell deployment. Mass exploitation rapidly followed against unpatched on-prem Exchange servers.

### Pump

- Incident | Date: May 2024
- Summary: Loan-driven bonding-curve exploit (May 2024).

### PumpToken

- Incident | Date: 2025-01 | Amount: ~$40K
- Summary: Liquidity-removal logic trusted manipulable k-growth assumptions and burned LP pair tokens without fair compensation safeguards.

### Qubit qBridge

- Incident | Date: 2022-01 | Amount: $80M
- Summary: Bridge accounting mismatch let destination-chain minting occur without source-chain backing.

### Radiant Capital

- Incident | Date: Oct 2024 | Amount: $50M
- Summary: ~$50M stolen (Oct 2024). Malware displayed a legitimate transaction in the Gnosis Safe UI while sending a malicious payload to the hardware wallet.

### Radiant Capital

- Incident | Date: Jan 2024 | Amount: $4.5M
- Summary: $4.5M drained (Jan 2024) through a rounding error in token quantity calculations.

### Rari Capital Fuse / Fei

- Incident | Date: 2022-04 | Amount: $80M
- Summary: Integration-level external calls allowed reentrant state abuse across lending components. Composability increased blast radius beyond a single contract path.

### Raydium

- Incident | Date: 2022-12 | Amount: ~$4.4M
- Summary: A trojan on a Raydium developer machine compromised the private key of the pool_owner authority for eight V4 AMM pools. The attacker invoked the admin withdrawpnl() instruction, which required only a matching pool_owner signature, and drained all accumulated protocol fees.

### React2Shell (CVE-2025-55182)

- CVE | Date: Dec 2025
- Summary: A critical RCE in React Server Components' module resolution pipeline accepted attacker-controlled component paths without sanitization, enabling arbitrary server-side module loading. CVSS 10.0: no-auth, no-interaction, full server compromise. Exploited within 48 hours of December 2025 disclosure.

### Resolv USR

- Incident | Date: 2026-03 | Amount: ~$25M
- Summary: Privileged completeSwap minted USR without onchain verification that mint amount matched deposited USDC; compromised SERVICE_ROLE passed arbitrary amounts.

### RewardsHypervisor

- Incident | Date: 2021-12 | Amount: $8.2M
- Summary: External callback reentered the deposit flow before critical accounting finalized, allowing repeated crediting and token drain.

### Rhea Finance

- Incident | Date: 2026-04 | Amount: ~$7.6M
- Summary: Attacker-created fake token contracts and fresh pools on NEAR appear to have fed manipulated pricing or validation signals into Rhea's Margin Trading path, which shared liquidity with Rhea Lending and enabled real-asset extraction.

### Ronin Bridge (Aug 2024 upgrade misconfiguration)

- Incident | Date: 2024-08 | Amount: $12M
- Summary: A bridge upgrade skipped critical initialization, leaving operator-weight state at zero so the vote-threshold check accepted unauthorized withdrawals.

### Ronin Bridge (Mar 2022 validator compromise)

- Incident | Date: 2022-03 | Amount: $625M
- Summary: Validator key compromise. The 5-of-9 signature threshold was met with four Sky Mavis validator keys obtained via spear phishing plus the Axie DAO validator, which was signed through a gas-free RPC allowlist granted to Sky Mavis in 2021 and never revoked.

### SagaEVM

- Incident | Date: 2026-01 | Amount: ~$7M
- Summary: An inherited Ethermint IBC precompile accepted IBC transfer calls from any EVM contract without verifying the caller was a legitimate cross-chain relay; attacker deployed a helper contract to forge IBC messages and mint 7M in Saga Dollar stablecoins.

### SBR

- Incident | Date: 2025-03 | Amount: ~$17K
- Summary: Transfer-hook side effects desynced Uniswap V2-style reserves from actual balances, letting the attacker force `sync()` on a corrupted state and trade against the wrong price curve.

### Shai-Hulud 2.0 npm campaign

- Incident | Date: Nov 2025
- Summary: Attackers compromised maintainer accounts, inserted preinstall hooks that launched setup_bun.js and bun_environment.js, harvested secrets, and established CI persistence via self-hosted GitHub runners.

### Shellshock (CVE-2014-6271)

- CVE | Date: Sep 2014
- Summary: Bash incorrectly processed imported function definitions from environment variables and executed trailing commands, allowing remote command execution through CGI, DHCP, SSH ForceCommand, and other Bash-invoking code paths.
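
The check a practitioner wants for this entry, as an added example (not from the advisory or any vendor): a local probe that feeds bash an environment variable of the `() { :;}; <command>` shape the bug mis-parsed, and a log check for the `() {` prefix that every exploit attempt must carry. The variable name, marker string and sample log lines are constructed; the probe returns "patched" on any bash released after the fix.

```python
import re
import shutil
import subprocess

MARKER = "SHELLSHOCK-MARKER"            # constructed marker string
PAYLOAD = "() { :;}; echo " + MARKER    # no-op function body; the trailing command is the payload


def shellshock_probe(bash=None):
    """Return 'vulnerable', 'patched' or 'no-bash' for the given bash binary (default: the one on PATH).

    The variable is named like a CGI header because that is the web-server path:
    mod_cgi exports the User-Agent header as HTTP_USER_AGENT before running the script."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin", "HTTP_USER_AGENT": PAYLOAD}
    try:
        result = subprocess.run([bash, "-c", "echo probe-body"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "no-bash"
    # Unpatched bash runs the trailing command while importing the function,
    # i.e. during startup, before the -c body executes at all.
    return "vulnerable" if MARKER in result.stdout else "patched"


# Detection: bash keyed on the '() {' prefix, so that prefix is the stable
# signature no matter which command follows it.
FUNCTION_PREFIX = re.compile(r"\(\s*\)\s*\{")


def find_shellshock_attempts(log_lines):
    """Return access-log lines whose request or header fields carry the prefix."""
    return [line for line in log_lines if FUNCTION_PREFIX.search(line)]


SAMPLE_LOG = [  # constructed Apache combined-format lines
    '10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" '
    '"() { :;}; /bin/bash -c \'id\'"',
    '10.0.0.6 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 '
    '"() { _; } >_[$($())] { echo vuln; }" "curl/7.37.0"',
]

if __name__ == "__main__":
    print("local bash:", shellshock_probe())
    for line in find_shellshock_attempts(SAMPLE_LOG):
        print("attempt:", line)
```

The third sample line is a later bypass variant that does not use the `;` form; the prefix check still catches it, which is why matching on `() {` rather than on a particular trailing command is the right detection.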

### Sigma.Money

- Incident | Date: Mar 2026
- Summary: Proxy backdoored (Mar 2026). CPIMP front-run; attacker initialized and upgraded before victim.

### Slope Wallet

- Incident | Date: 2022-08 | Amount: ~$4.1M
- Summary: Slope Wallet's Sentry error monitoring integration transmitted mnemonic or private-key material in plaintext as part of event payloads to a self-hosted Sentry instance (o7e.slope.finance). No PII scrubbing was configured. This confirmed leak likely explains a subset of the correctly signed drains, but public post-mortems did not conclusively tie it to every affected wallet.

### SmartBank

- Incident | Date: 2024-07 | Amount: $57K
- Summary: Raw balance-based accounting was manipulated with flash liquidity, letting the attacker satisfy checks and extract assets.

### Snowflake customer breach

- Incident | Date: 2024
- Summary: Attackers used infostealer-harvested credentials to access 165+ Snowflake customer accounts that lacked MFA, exfiltrating data from Ticketmaster, AT&T, Santander, and others.

### Solana web3.js (CVE-2024-54134)

- CVE | Date: 2024-12 | Amount: ~$130K
- Summary: A publish-access npm account for Solana web3.js was compromised on Dec 3 2024. Attackers injected a malicious addToQueue function into versions 1.95.6 and 1.95.7 that exfiltrated private keys via CloudFlare headers. The backdoor was live for ~5 hours (3:20-8:25pm UTC); ~$130K lost. Non-custodial wallets were unaffected; only apps handling raw private keys (bots, server keypairs) were at risk.

### SolarWinds Orion (Sunburst)

- Incident | Date: Dec 2020
- Summary: Attackers compromised the build/sign pipeline, inserted backdoored Orion binaries, and distributed them as trusted signed updates.

### Solend Whale Governance

- Incident | Date: 2022-06
- Summary: A single anonymous wallet deposited 5.7M SOL (95% of Solend's SOL deposit pool) and borrowed $108M. Automated liquidation would cause ~$20M DEX slippage in one block. SLND1 governance passed at 1.13% quorum granting emergency account takeover powers; community condemned it as a self-custody violation. SLND2 revoked SLND1 within 24 hours.

### Solv Protocol

- Incident | Date: 2026-03 | Amount: ~$2.7M
- Summary: ERC-3525 semi-fungible tokens inherit ERC-721's onERC721Received callback mechanism; Solv's BRO vault called _mint inside the callback and again after it returned, double-minting for every deposit. Attacker looped 22 times to inflate 135 BRO into 567M and swap for ~$2.7M in SolvBTC.

### Sonne Finance

- Incident | Date: May 2024 | Amount: $20M
- Summary: The attacker executed a timelocked governance proposal that activated a new, empty market, then exploited the Compound-fork empty-market donation vulnerability (exchange-rate inflation plus rounding in the attacker's favour) to drain ~$20M.

### Spectre / Meltdown

- Incident | Date: Jan 2018
- Summary: Speculative-execution side channels let code infer secrets across user/kernel, process, browser, and cloud isolation boundaries by measuring cache timing effects from transient execution.

### Spring4Shell (CVE-2022-22965)

- CVE | Date: Mar 2022
- Summary: Spring MVC's recursive data binding exposed the Java ClassLoader chain, enabling unauthenticated attackers to write a JSP web shell via Tomcat's AccessLogValve pattern property on WAR deployments running Java 9+.

### StakingRewards

- Incident | Date: Mar 2022
- Summary: 8.79K UNI-V2 LP drained (Mar 2022). Withdraw underflow; zero balance could withdraw full supply.

### Step Finance Treasury

- Incident | Date: 2026-01 | Amount: $1M+
- Summary: Compromised privileged wallets enabled stake authority transfer and treasury outflows.

### Stuxnet

- Incident | Date: Jun 2010
- Summary: Stuxnet used multiple Windows zero-days, removable-media propagation, and signed-driver abuse to reach Siemens industrial controllers and alter PLC logic while replaying normal telemetry to operators.

### SwapNet

- Incident | Date: 2026-01 | Amount: ~$13.4M
- Summary: DEX aggregator router accepted user-controlled call targets and calldata without whitelist validation; attacker replaced expected DEX address with USDC token contract and used victim approvals to call transferFrom and drain assets.

### TanStack npm Supply Chain

- Incident | Date: 2026-05
- Summary: Attackers poisoned GitHub Actions cache state through a `pull_request_target` workflow, restored that cache in trusted release jobs, extracted the in-memory OIDC token from the runner process, and published 84 malicious versions across 42 `@tanstack/*` packages with valid SLSA provenance. The install-time payload executed `router_init.js`, harvested cloud and developer credentials, exfiltrated them via the Session network, and self-propagated to additional npm packages maintained by victims.

### TCH Token

- Incident | Date: 2024-05 | Amount: $500K+
- Summary: Non-canonical signatures and replay keys based on raw signature bytes enabled repeated privileged action abuse.

### TecraCoin

- Incident | Date: Feb 2022
- Summary: 580K TCR + 639K USDT drained (Feb 2022). Inverted allowance check in burnFrom.

### Terra/UST

- Incident | Date: May 2022 | Amount: $40B
- Summary: Terra/UST — $40B+ destroyed (May 2022). LUNA supply grew from ~346M to 6.5 trillion tokens in 72 hours.

### The DAO

- Incident | Date: 2016-06 | Amount: $60M
- Summary: A call-before-effects withdraw pattern allowed recursive draining and became the canonical reentrancy incident.
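
The call-before-effects pattern named here (and the reentrant paths in the RewardsHypervisor and Rari Capital Fuse entries) simulated in plain Python, as an added example that is not The DAO's or any protocol's contract code. The `Bank` class is a constructed model of an EVM balance ledger; `receive` stands in for the fallback/callback a transfer hands control to. The same withdraw runs in three variants: the vulnerable ordering, checks-effects-interactions, and the vulnerable ordering behind a reentrancy guard.

```python
class Reentered(Exception):
    """Raised by the guarded variant when a nested withdraw is attempted."""


class Bank:
    PATTERNS = ("call-before-effects", "checks-effects-interactions", "guarded")

    def __init__(self, pattern):
        assert pattern in self.PATTERNS
        self.pattern = pattern
        self.balances = {}      # credited balance per depositor
        self.ether = 0          # ether actually held by the contract
        self._locked = False    # reentrancy guard, enforced only by "guarded"

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        if self.pattern == "guarded" and self._locked:
            raise Reentered("withdraw re-entered")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return 0
            if self.pattern == "checks-effects-interactions":
                self.balances[who] = 0      # effects first: balance cleared before any call
                self._send(who, amount)
            else:
                self._send(who, amount)     # interaction first: control leaves the contract
                self.balances[who] = 0      # state update only after the callback returns
            return amount
        finally:
            self._locked = False

    def _send(self, who, amount):
        if self.ether < amount:
            raise RuntimeError("contract has insufficient ether")
        self.ether -= amount
        who.receive(self, amount)           # recipient code runs here


class Honest:
    def __init__(self):
        self.got = 0

    def receive(self, bank, amount):
        self.got += amount


class Attacker:
    """Re-enters withdraw from the callback while its balance is still credited."""

    def __init__(self, max_depth=10):
        self.got = 0
        self.max_depth = max_depth
        self.depth = 0

    def receive(self, bank, amount):
        self.got += amount
        if self.depth < self.max_depth and bank.ether >= amount:
            self.depth += 1
            try:
                bank.withdraw(self)
            except Reentered:
                pass                        # the guard stopped the nested call
            finally:
                self.depth -= 1


def run_attack(pattern, honest_deposit=90, attacker_deposit=10):
    """Return (ether the attacker ended up with, ether left in the contract)."""
    bank = Bank(pattern)
    honest, attacker = Honest(), Attacker()
    bank.deposit(honest, honest_deposit)
    bank.deposit(attacker, attacker_deposit)
    bank.withdraw(attacker)
    return attacker.got, bank.ether


if __name__ == "__main__":
    for pattern in Bank.PATTERNS:
        print(pattern, run_attack(pattern))
```

With a 10-ether deposit against 90 ether of other users' funds, the vulnerable ordering pays the attacker ten times and leaves the contract empty while the honest depositor's 90 is still credited; both fixes pay out exactly once. The guard is worth keeping even with correct ordering, because it also covers paths that reach `_send` through other functions.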

### TMX Tribe

- Incident | Date: 2026-01 | Amount: ~$1.4M
- Summary: GMX-fork perpetuals protocol on Arbitrum had flawed LP staking/swap logic: attacker looped mint-LP → swap USDT for USDG → unstake LP → sell USDG with no balance checks or circuit breakers, draining $1.4M across 502 transactions over 36 hours via unverified contracts.

### TO Protocol

- Incident | Date: 2026-02 | Amount: ~$17.5K
- Summary: AMM reserve accounting was desynchronized by sell-burn-sync sequencing, enabling reserve distortion and profitable extraction.

### Transit Swap

- Incident | Date: 2022-10 | Amount: $29M
- Summary: The router accepted arbitrary target addresses and calldata without validation. Users had approved the router for large amounts. The attacker passed a malicious target contract that called transferFrom against those approvals.

### Truebit

- Incident | Date: Jan 2026
- Summary: 8,540 ETH drained (Jan 2026). Integer overflow in token logic.

### TrustedVolumes RFQ Proxy Drain

- Incident | Date: 2026-05 | Amount: $6.7M drained
- Summary: Attackers abused TrustedVolumes' controlled custom RFQ swap proxy to self-register an allowed signer and then exploited a maker/funding-source mismatch in settlement, draining resolver-approved assets on Ethereum. The incident was separate from the 2025 1inch Fusion V1 bug; 1inch's own contracts, infrastructure, and user funds were not affected.

### TSURUWrapper

- Incident | Date: 2024-05 | Amount: $410K
- Summary: An inverted ERC1155 callback guard accepted unauthorized flows and minted unbacked wrapper assets redeemable for real value.

### Uber MFA fatigue, Lapsus$

- Incident | Date: Sep 2022
- Summary: Lapsus$ obtained contractor credentials, bombed them with MFA push requests for over an hour, then impersonated Uber IT on WhatsApp to socially engineer approval, gaining full internal access.

### Uniswap V3 callback victim

- Incident | Date: 2024-07 | Amount: ~$85K
- Summary: The Uniswap V3 callback trusted attacker-controlled calldata without authenticating pool/caller context, enabling unauthorized token transfer.

### VeilCash

- Incident | Date: Feb 2026
- Summary: 2.9 ETH drained (Feb 2026). Incomplete Groth16 Phase 2 trusted setup.

### Venus vTHE

- Incident | Date: 2026-03 | Amount: $5M
- Summary: Raw balance-based cash accounting enabled supply-cap bypass and amplified borrowing manipulation.

### WannaCry

- Incident | Date: May 2017
- Summary: WannaCry used EternalBlue against SMBv1 systems missing MS17-010, then propagated laterally as a worm and deployed ransomware on each newly compromised Windows host.

### Wasabi Protocol

- Incident | Date: 2026-04 | Amount: ~$5.7M lost
- Summary: A public Spring Boot Actuator heap dump on Wasabi's AWS analytics surface leaked credentials that ultimately led attackers to the private keys controlling affected EVM contracts, enabling unauthorized withdrawals.

### WazirX

- Incident | Date: 2024-07 | Amount: $235M
- Summary: Signers of WazirX's multisig wallet (a Gnosis Safe operated through Liminal's custody platform) approved a transaction whose actual payload differed from what the signing interface displayed; it replaced the wallet's logic with an attacker-controlled contract, enabling $235M of unauthorized outflows.

### Wintermute Profanity Address Exploit

- Incident | Date: 2022-09 | Amount: $160M
- Summary: Profanity, the vanity-address generator used to create the wallet, seeded its key search with only 32 bits of randomness, so the private keys behind addresses it produced could be brute-forced. Attackers recovered the key for Wintermute's DeFi hot wallet and drained $160M.

### wolfSSL (CVE-2026-5194)

- CVE | Date: 2026-04
- Summary: Missing digest-size validation and signature OID/key OID agreement checks in wolfSSL certificate verification could allow forged signatures to be accepted across ECDSA, DSA, ML-DSA, Ed25519, and Ed448 paths.

### Wormhole Bridge

- Incident | Date: February 2022 | Amount: $320M
- Summary: Guardian signature verification on the Solana side was bypassed: the contract used the deprecated load_instruction_at without checking that the supplied sysvar account was the real Instructions sysvar, so a spoofed signature-verification instruction let the attacker post a forged VAA and mint 120,000 unbacked wETH ($320M).

### XZ Utils Backdoor (CVE-2024-3094)

- CVE | Date: Mar 2024
- Summary: A multi-year social engineering campaign inserted a build-system backdoor into XZ Utils that injected malicious SSH code into compiled binaries without any modification to reviewed C source files.

### Yearn yETH

- Incident | Date: 2025-11 | Amount: $9M
- Summary: Unsafe arithmetic in the invariant solver let rounding collapse the product term and later underflow during a reachable bootstrap path, enabling massive over-minting and a drain of the yETH weighted stable pool plus the yETH/WETH Curve pool.

### YieldBlox

- Incident | Date: 2025-02 | Amount: $10.86M
- Summary: A thin SDEX orderbook was manipulated and ingested by the Reflector oracle, inflating collateral valuation and enabling over-borrowing.

### ZeroLogon (CVE-2020-1472)

- CVE | Date: Aug 2020
- Summary: A cryptographic flaw in Windows Netlogon's AES-CFB8 implementation allowed an unauthenticated attacker with network access to a domain controller to set the DC's machine account password to empty, enabling DCSync and full Active Directory compromise in seconds.
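
The CFB8 property behind this entry, as an added example (not Microsoft's, Secura's or Samba's code). The block cipher is a constructed stand-in built from SHA-256 rather than AES, because the flaw belongs to the mode: with an all-zero IV and all-zero input, the ciphertext is all zeros whenever the first byte of E_k(0^16) is 0x00, which holds for about 1 key in 256. `zerologon_attempt` models one authentication attempt with a zero client challenge and zero credential; `hardened_attempt` adds a challenge sanity rule of the kind the Samba fix introduced (reject a client challenge whose first five bytes are all equal). The function names and key-derivation seed are assumptions.

```python
import hashlib

BLOCK = 16


def block_encrypt(key, block):
    """Stand-in 16-byte block function: SHA-256(key || block) truncated. Not AES;
    any block cipher shows the same CFB8 behaviour below."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext):
    """CFB8: each byte is XORed with the first byte of E_k(shift register), then
    the ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key, iv, ciphertext):
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_weak(key):
    """True when E_k(0^16) starts with 0x00. Then, with iv = 0 and all-zero input,
    every ciphertext byte is 0 ^ 0 = 0, the register never changes, and the whole
    output is zeros. Roughly 1 key in 256 is weak this way."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def zerologon_attempt(key, client_challenge=bytes(8)):
    """One modelled Netlogon authentication: the server computes the expected
    client credential as CFB8(session key, iv = 0, client challenge) and compares
    it with what the client sent. The attacker always sends a zero challenge and a
    zero credential, so the attempt succeeds exactly when zero_iv_weak(key)."""
    expected = cfb8_encrypt(key, bytes(BLOCK), client_challenge)
    return expected == bytes(len(client_challenge))


def hardened_attempt(key, client_challenge=bytes(8)):
    """Same check with a challenge-sanity rule of the kind the Samba fix added:
    refuse a client challenge whose first five bytes are all equal."""
    if len(set(client_challenge[:5])) == 1:
        return False
    return zerologon_attempt(key, client_challenge)


def find_weak_key(seed=b"constructed-seed"):
    """Derive keys deterministically until one is weak (expected about 256 tries)."""
    i = 0
    while True:
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        if zero_iv_weak(key):
            return key
        i += 1


def weak_key_rate(trials=4096, seed=b"constructed-seed"):
    """Fraction of derived keys that accept the all-zero credential; expect ~1/256."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        hits += zerologon_attempt(key)
    return hits / trials


if __name__ == "__main__":
    print("weak-key rate over 4096 keys:", weak_key_rate())
```

Because every real Netlogon attempt negotiates a fresh session key, the attacker simply retries: an expected 256 attempts, each a few milliseconds, are enough to hit a weak key, which is why the entry says "in seconds". The zero-challenge rule alone is not the full fix; the Windows patch also enforces signed and sealed Netlogon channels.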

### zkLend

- Incident | Date: 2025-02 | Amount: ~$9.5M
- Summary: Attacker exploited empty wstETH market on StarkNet, inflated lending_accumulator via flash-loan donations, then leveraged integer division precision loss during share burns to drain 46+ pools.
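
The empty-market donation attack that the zkLend, Sonne Finance and Radiant Capital (Jan 2024) entries describe, simulated with integer arithmetic, as an added example. It is a constructed model of a Compound-style market, not the code of any of those protocols or of Compound. Assumptions: a 1:1 exchange rate while the market is empty, a 50% collateral factor, and a redeem-by-underlying path that rounds the share count down (the defect); the market the attacker borrows from is not modelled. Two mitigations are included for comparison: rounding the redemption against the redeemer, and seeding the market with burned shares.

```python
CF_NUM, CF_DEN = 1, 2          # 50% collateral factor (assumed)
DONATION = 1_000_000           # flash-loaned underlying the attacker donates (constructed)


class Market:
    def __init__(self, round_redeem_up=False, seed_shares=0):
        self.cash = 0                  # underlying held by the market
        self.supply = 0                # total shares (cTokens)
        self.shares = {}
        self.round_redeem_up = round_redeem_up
        if seed_shares:
            # Mitigation 2: the protocol seeds the market and burns the shares, so a
            # donation no longer moves the exchange rate of a tiny position much.
            self.cash += seed_shares
            self.supply += seed_shares
            self.shares["burned"] = seed_shares

    def rate(self):
        """Underlying per share, floored; 1:1 while the market is empty."""
        return self.cash // self.supply if self.supply else 1

    def mint(self, who, amount):
        shares = amount // self.rate()
        self.shares[who] = self.shares.get(who, 0) + shares
        self.supply += shares
        self.cash += amount
        return shares

    def donate(self, amount):
        """Direct transfer into the market: raises cash without minting shares."""
        self.cash += amount

    def collateral_value(self, who):
        return self.shares.get(who, 0) * self.rate()

    def redeem_underlying(self, who, amount, debt):
        r = self.rate()
        if self.round_redeem_up:
            shares = (amount + r - 1) // r     # Mitigation 1: round against the redeemer
        else:
            shares = amount // r               # the defect: floor division
        held = self.shares.get(who, 0)
        if shares > held:
            raise ValueError("insufficient shares")
        # Hypothetical-liquidity check, evaluated at the *current* rate.
        if (held - shares) * r * CF_NUM // CF_DEN < debt:
            raise ValueError("redeem would leave the borrower undercollateralized")
        self.shares[who] = held - shares
        self.supply -= shares
        self.cash -= amount
        return shares


def attack(market):
    """One round of the attack. Returns (attacker net gain, bad debt left behind),
    both in underlying, or None when the market's checks stop it."""
    m = market
    spent = 0
    m.mint("attacker", 2)                     # tiny position: 2 shares
    spent += 2
    m.donate(DONATION)                        # inflate the exchange rate
    spent += DONATION
    r = m.rate()
    # Borrow (from another market) exactly what ONE share covers, because the
    # redeem below is designed to burn only one share.
    debt = r * CF_NUM // CF_DEN
    try:
        # 2r-1 underlying costs floor((2r-1)/r) = 1 share when rounded down:
        # almost the entire donation comes back for half the collateral.
        m.redeem_underlying("attacker", 2 * r - 1, debt)
    except ValueError:
        return None
    received = 2 * r - 1
    gain = debt + received - spent
    remaining = m.collateral_value("attacker") * CF_NUM // CF_DEN
    bad_debt = max(0, debt - remaining)
    return gain, bad_debt


if __name__ == "__main__":
    print("vulnerable:", attack(Market()))
    print("round up:  ", attack(Market(round_redeem_up=True)))
    print("seeded:    ", attack(Market(seed_shares=1000)))
```

In the vulnerable market one round nets the attacker about a quarter of the donation and leaves a loan backed by one share worth a single unit; the real incidents repeated the round with flash-loaned capital. Rounding up makes the cheap redemption cost two shares, which the liquidity check refuses; seeding the market makes the donation mostly accrue to the burned shares, so the attacker loses almost the entire donation.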

### Zoth Protocol

- Incident | Date: 2025-03 | Amount: ~$8.4M
- Summary: Restaking protocol Zoth lost ~$8.4M after an attacker obtained its deployer/admin key and upgraded a Zoth proxy contract to a malicious implementation, withdrawing the vault's collateral before the team detected the anomalous transactions.

