[
{
"id": "euler-finance-2023",
"protocol": "Euler Finance",
"date": "2023-03-13",
"loss_usd": 196000000,
"chain": "evm",
"invariant_ids": ["evm_conservation_check_absent", "evm_oracle_spot_price"],
"attack_summary": "Flash loan used to manipulate oracle price, then borrow against inflated collateral value",
"tx_hash": "0x...",
"postmortem_url": "https://www.euler.finance/blog/euler-incident-post-mortem"
},
{
"id": "gmx-2024",
"protocol": "GMX",
"date": "2024-09-08",
"loss_usd": 50000000,
"chain": "evm",
"invariant_ids": ["evm_oracle_spot_price", "evm_oracle_flash_loan_same_block"],
"attack_summary": "Attacker executed flash loan and manipulated synthetic asset pricing on same block",
"tx_hash": "0x...",
"postmortem_url": "https://gmx.io/"
},
{
"id": "mango-markets-2022",
"protocol": "Mango Markets",
"date": "2022-10-11",
"loss_usd": 114000000,
"chain": "solana",
"invariant_ids": ["sol_oracle_rate_account", "sol_oracle_self_trade"],
"attack_summary": "Attacker used large token balance and perp account control to manipulate oracle price",
"tx_hash": "0x...",
"postmortem_url": "https://www.mangolabs.io/"
},
{
"id": "wormhole-2022",
"protocol": "Wormhole Bridge",
"date": "2022-02-02",
"loss_usd": 325000000,
"chain": "solana",
"invariant_ids": ["evm_proof_payload_binding", "evm_zero_challenge_period"],
"attack_summary": "Signature verification missing on bridge, allowed invalid message approval",
"tx_hash": "0x...",
"postmortem_url": "https://wormhole.com/"
},
{
"id": "nomad-bridge-2022",
"protocol": "Nomad Bridge",
"date": "2022-08-02",
"loss_usd": 190000000,
"chain": "evm",
"invariant_ids": ["evm_merkle_root_zero", "evm_proof_payload_binding"],
"attack_summary": "Bridge accepted bytes32(0) as valid merkle root, allowing unauthorized transfers",
"tx_hash": "0x...",
"postmortem_url": "https://nomad.xyz/"
},
{
"id": "poly-network-2021",
"protocol": "Poly Network",
"date": "2021-08-10",
"loss_usd": 611000000,
"chain": "evm",
"invariant_ids": ["evm_unprotected_initializer", "evm_missing_signer_check"],
"attack_summary": "Exploiter called initialize() without modifier check, gained admin access",
"tx_hash": "0x...",
"postmortem_url": "https://www.polynetwork.org/"
},
{
"id": "radiant-capital-2023",
"protocol": "Radiant Capital",
"date": "2023-04-27",
"loss_usd": 4300000,
"chain": "evm",
"invariant_ids": ["evm_oracle_spot_price", "evm_reentrancy_classic"],
"attack_summary": "Flash loan reentrancy attack on ERC677 token integration",
"tx_hash": "0x...",
"postmortem_url": "https://radiantcapital.io/"
},
{
"id": "badger-dao-2021",
"protocol": "BadgerDAO",
"date": "2021-12-02",
"loss_usd": 49000000,
"chain": "evm",
"invariant_ids": ["evm_missing_signer_check", "evm_public_relay"],
"attack_summary": "Contract function callable by anyone without access check, allowed direct token sweeps",
"tx_hash": "0x...",
"postmortem_url": "https://badger.com/"
},
{
"id": "beanstalk-2022",
"protocol": "Beanstalk",
"date": "2022-04-17",
"loss_usd": 182000000,
"chain": "evm",
"invariant_ids": ["evm_flash_loan_governance", "evm_same_block_snapshot"],
"attack_summary": "Flash loan used to acquire voting power and execute governance proposal in same block",
"tx_hash": "0x...",
"postmortem_url": "https://bean.money/"
},
{
"id": "compound-governance-2020",
"protocol": "Compound Governance",
"date": "2020-02-18",
"loss_usd": 0,
"chain": "evm",
"invariant_ids": ["evm_flash_loan_governance", "evm_same_block_snapshot"],
"attack_summary": "Flash loan voting attack allowed governance takeover (prevented before execution)",
"tx_hash": "0x...",
"postmortem_url": "https://compound.finance/"
},
{
"id": "celer-bridge-2022",
"protocol": "Celer Bridge",
"date": "2022-07-13",
"loss_usd": 240000,
"chain": "evm",
"invariant_ids": ["evm_zero_challenge_period", "evm_proof_payload_binding"],
"attack_summary": "Insufficient challenge period and validation in optimistic bridge settlement",
"tx_hash": "0x...",
"postmortem_url": "https://celer.network/"
},
{
"id": "drift-protocol-2023",
"protocol": "Drift Protocol",
"date": "2023-06-20",
"loss_usd": 0,
"chain": "solana",
"invariant_ids": ["sol_oracle_rate_account", "evm_precision_loss"],
"attack_summary": "Oracle manipulation via price feed control (prevented by circuit breaker)",
"tx_hash": "0x...",
"postmortem_url": "https://www.drift.trade/"
},
{
"id": "futureswap-2021",
"protocol": "Futureswap",
"date": "2021-09-12",
"loss_usd": 7000000,
"chain": "evm",
"invariant_ids": ["evm_reentrancy_classic", "evm_oracle_spot_price"],
"attack_summary": "Reentrancy attack on leveraged trading contract combined with price oracle manipulation",
"tx_hash": "0x...",
"postmortem_url": "https://futureswap.com/"
},
{
"id": "hop-protocol-2022",
"protocol": "Hop Protocol",
"date": "2022-03-15",
"loss_usd": 27000,
"chain": "evm",
"invariant_ids": ["evm_proof_payload_binding", "evm_missing_signer_check"],
"attack_summary": "Bridge validator signature not properly verified before token release",
"tx_hash": "0x...",
"postmortem_url": "https://hop.exchange/"
},
{
"id": "looksrare-2022",
"protocol": "LooksRare",
"date": "2022-01-20",
"loss_usd": 1000000,
"chain": "evm",
"invariant_ids": ["evm_reentrancy_classic", "evm_missing_signer_check"],
"attack_summary": "NFT marketplace reentrancy allowing unauthorized token transfers",
"tx_hash": "0x...",
"postmortem_url": "https://looksrare.org/"
},
{
"id": "kelpdao-raeth-2024",
"protocol": "KelpDAO rsETH",
"date": "2024-04-06",
"loss_usd": 10900000,
"chain": "evm",
"invariant_ids": ["evm_oracle_spot_price", "evm_conservation_check_absent"],
"attack_summary": "Oracle price manipulation allowing incorrect collateral valuation",
"tx_hash": "0x...",
"postmortem_url": "https://kelpdao.org/"
},
{
"id": "socket-protocol-2024",
"protocol": "Socket Protocol",
"date": "2024-05-12",
"loss_usd": 3300000,
"chain": "evm",
"invariant_ids": ["evm_missing_signer_check", "evm_public_relay"],
"attack_summary": "Unguarded message relay function allowed arbitrary contract calls",
"tx_hash": "0x...",
"postmortem_url": "https://socket.tech/"
},
{
"id": "allbridge-2023",
"protocol": "Allbridge",
"date": "2023-11-14",
"loss_usd": 380000,
"chain": "evm",
"invariant_ids": ["evm_zero_challenge_period", "evm_proof_payload_binding"],
"attack_summary": "Cross-chain bridge validation bypassed due to insufficient challenge period",
"tx_hash": "0x...",
"postmortem_url": "https://allbridge.io/"
},
{
"id": "li-fi-2023",
"protocol": "Li.Fi",
"date": "2023-03-17",
"loss_usd": 600000,
"chain": "evm",
"invariant_ids": ["evm_missing_signer_check", "evm_public_relay"],
"attack_summary": "Unprotected sweeper function allowed tokens to be stolen from router",
"tx_hash": "0x...",
"postmortem_url": "https://li.finance/"
},
{
"id": "loopscale-2022",
"protocol": "Loopscale",
"date": "2022-09-08",
"loss_usd": 5300000,
"chain": "evm",
"invariant_ids": ["evm_reentrancy_erc20", "evm_precision_loss"],
"attack_summary": "Reentrancy in token accounting combined with division precision loss",
"tx_hash": "0x...",
"postmortem_url": "https://loopscale.io/"
},
{
"id": "transit-swap-2023",
"protocol": "Transit Swap",
"date": "2023-02-10",
"loss_usd": 13000000,
"chain": "evm",
"invariant_ids": ["evm_missing_signer_check", "evm_shallow_auth"],
"attack_summary": "DEX router lacked proper caller validation, allowed token draining",
"tx_hash": "0x...",
"postmortem_url": "https://transit.finance/"
}
]