Rugpulls, hacks, exploits, etc...
The goal of this document is to serve as an up-to-date register of every rugpull, hack, exploit, etc... taking place on Ethereum & its sidechains to help users make more informed decisions when eyeing up prospective investments. Not all entries will necessarily be DeFi projects, and I'd like to focus on services rather than arbitrary tokens created purely for pumping & dumping. With this initial release I've only included events from 2021 and onward, but in the future I plan to add older events too.
If you have any questions for me or know of any (new or old) entries that you think I may have missed, please reach out with the contact information below, or submit a pull request.
Sidenote - I recommend watching RugDoc.io's website and following them on Twitter, as they do a great job reviewing projects for rug-potential. Huge shoutout to Rekt and Watchpug, as they've become my go-to for their investigations into these events.
For an up-to-date list of all slashings & rugpulls related to staking pools, see this link: https://github.com/TheSquanch-147/Staking-Pool-Mishaps
In the pipeline
- Add events occurring pre-2021
- Additional chart detailing audit protocol(s) of the top 25-50 DeFi projects.
- Include a metric showing how long a project has been live without exploitation.
RUGPULLS, HACKS, EXPLOITS, ETC.....
| Service | Chain | Class | Description | Date | Press Release | Recovery Plan |
|---|---|---|---|---|---|---|
| PancakeHunny | BSC | Exploit | $2.3m stolen after an attacker exploited the WBNB/TUSD pool by inflating the price of WBNB against TUSD with a flash loan. Then, TUSD was deposited into the vault to mint Hunny at an irregular rate & sold for a profit. | 10/20/2021 | [Link] | [Link] |
| | | | $16m stolen after an attacker exploited the way that tokens are rebalanced within the indexes by using flash loans, which allowed them to throw off the valuation of the pools. Once the valuation was skewed, they were able to deposit relatively small amounts of one of the tokens in the pool, mint an inflated number of the pool tokens, and immediately cash these out. | 10/14/2021 | [Link] | DAO voting on recovery plan Oct 27th |
| Compound | ETH | Exploit | ~$147m of COMP was accidentally distributed after a vulnerability was discovered in one of their vaults. This vulnerability allowed users borrowing certain assets to claim more COMP than they otherwise should have been able to. Devs asked for money to be returned in a somewhat-threatening way, which resulted in a lot of backlash and few returns. | 09/30/2021 | [Link] | TBD |
| Vee Finance | Avalanche | Exploit | $34m stolen after an attacker was able to manipulate the price of the Pangolin pool, which was being used by the oracle as the source of the price feed. Orders are placed, funds are swapped into the target token in Pangolin, and the Pangolin pool is then manipulated. Once orders expire or the stop-point is reached, the loan is returned automatically. | 09/21/2021 | [Link] | [Link] |
| Jay pegs Automart | ETH | Exploit | Contracted dev swapped his wallet address into the MISO auction instead of the auction's wallet. Attacker was identified & doxxed, funds returned. | 09/16/2021 | [Link] | [Link] |
| Dinner | The Mercer | Rugpull | POAPgod.eth & Wolf.eth denied dinner service due to lack of seating availability. Restaurant will never socially, or financially, recover from this event. | 09/13/2021 | N/A | N/A |
| DAO Maker | ETH | Exploit | "DAOMaker's init() function was left vulnerable, allowing the attacker to reinitialise 4 token contracts with malicious data. Then, the emergencyExit() function was used to withdraw the funds from each." | 09/03/2021 | [Link] | [Link] |
| Tomb Finance | Fantom Opera | Exploit | $TOMB stablecoin pegged to the value of $FTM by way of a "gate keeper" fee system. The Gatekeeper collects fees on $TOMB sales until it reaches its peg with $FTM (up to 20%). Fees collected are then sold by the DAO for $FTM, with the other half provided as liquidity if it's above the peg, or burned if below the peg. A user found a way to avoid this tax (exploit?) and made it publicly available via a website. The Tomb team shut down their gatekeeper as a result, causing the stablecoin to lose its peg and the protocol's token price to tank. | | | |
| Cream Finance | ETH | Exploit | 17 transactions were issued that utilized an exploit which allowed the attackers (Primary + Copycat) to nest a secondary borrow function inside of the token transfer function before the initial borrow function was updated. This allowed the loan to be paid back while keeping the remainder from the secondary borrow function. | 08/31/2021 | [Link] | [Link] |
| X-Token | BSC | Exploit | An attacker was able to call a function (that should not be publicly available) due to a vulnerability in X-Token's xSNX code. This has already happened once in the past (May 2021) and failed to be patched. Devs are planning to compensate their users and shut down their xSNX contract. | 08/29/2021 | [Link] | [Link] |
| Punk Protocol | ETH | Exploit | Attacker exploited a "crucial flaw in the investing strategy". A whitehat hacker noticed these transactions with his/her frontrunning bot and managed to recover ~$6m (at time of writing). The whitehat negotiated with Punk & agreed to return ~$5m, taking $1m as their bounty. The hacker was able to keep ~$3m. | 08/10/2021 | [Link] | [Link] |
| Poly Network | Poly, ETH, BSC | Exploit | Poly had a vulnerability that allowed the attacker to call special contracts by replicating the signature hash (through a bit of trial and error), which would allow them to change the public keys. Read the Rekt writeup (link to the right) for more details. Roughly $611m stolen at time of writing. The attacker has begun returning some of the funds and claims that he will return the rest. | 08/10/2021 | [Link] | [Link] |
| Wault Finance | BSC | Exploit | 370 ETH drained after a flash loan attack that was able to manipulate the price of WEX, which a portion of the Wault reserves holds. | 08/04/2021 | [Link] | [Link] |
| Popsicle Finance | ETH | Exploit | Attacker modified the information fed to the contract to convince it that their funds were deposited for longer than they really were, entitling them to a greater share of the fees generated. This allowed them to drain 85% of one of Popsicle Finance's UniswapV3 Optimizer pools, worth roughly $20.7m at the time of the attack. | 08/03/2021 | [Link] | [Link] |
| Levyathan | BSC | Rugpull | Devs left a private key with the ability to mint tokens on their public GitHub repo. Tokens were infinitely minted and dumped on the market for ETH. Devs claim that it "was not an inside job" as the keys were publicly available. | 07/30/2021 | [Link] | N/A |
| ThorChain | Multi | Exploit | ETH router attacked by exploiting "multiple critical issues". Left note in tx data: "Could have taken ETH, BTC, LYC, BNB, and BEP20s if waited. Wanted to teach lesson minimizing damage. Multiple critical issues. 10% VAR bounty would have prevented this. Disable until audits are complete. Audits are not a nice to have. Do not rush code that controls 9 figures." | 07/22/2021 | [Link] | [Link] |
| Pancake Bunny | Poly | Exploit | PolyBUNNY minter exploited, producing 2.1M polyBUNNY. | 07/16/2021 | [Link] | [Link] |
| ThorChain | Multi | Exploit | Attacker exploited BiFrost, a middleware that allows for multichain operations, with a custom wrapper contract, stealing 4,000 ETH worth of ERC20 tokens and ETH. | 07/15/2021 | [Link] | [Link] |
| Bondly | BSC | Exploit | Attacker exploited an "infinite mint" bug & dumped 373M tokens. | 07/15/2021 | [Link] | [Link] |
| ApeRocket | Poly | Exploit | Flash loan exploit of a code vulnerability. | 07/14/2021 | [Link] | [Link] |
| ApeRocket | BSC | Exploit | Flash loan exploit of a code vulnerability. | 07/14/2021 | [Link] | [Link] |
| Chainswap | Multi | Exploit | Attacker exploited a bug in the cross-chain quota code. This quota is ordinarily increased automatically by the signature node, but due to the bug, addresses that were not whitelisted were able to increase the amount. | 07/11/2021 | [Link] | [Link] |
| Anyswap | ETH | Exploit | An attacker was able to deduce the private key to the MPC account by analyzing two transactions that occurred on the V3 router with matching R value signatures. | 07/10/2021 | [Link] | [Link] |
| Whalefarm | BSC | Rugpull | Obvious pump & dump scheme (7,217,848% APY promised); Twitter page & Telegram group deleted immediately following the event. | 06/29/2021 | N/A | N/A |
| SafeDollar | Poly | Exploit | Attacker exploited a bug in the code that allowed them to drain the balance of PLX nearly to zero, which raised the exchange rate to SDO tremendously. Using this new rate, they were able to mint 831,309,277,244,108,000 SDO and begin dumping them on the market. | 06/28/2021 | [Link] | [Link] |
| SharedStake | ETH | Rugpull | Dev member withdrew and dumped $500k worth of the org's governance token (SGT), dropping its value by 95%. | 06/24/2021 | [Link] | [Link] |
| Eleven Finance | BSC | Exploit | 100% loss of funds from vaults (~$4.5m USD) due to a fault in the "emergencyBurn()" function. Issue was present since inception. | 06/23/2021 | [Link] | [Link] |
| StableMagnet | BSC | Rugpull | StableMagnet's SwapUtils library was written with functionality to drain all pairs. | 06/23/2021 | [Link] | N/A |
| Polywhale | Poly | Soft Rug | Soft rug(?) - Dev team claimed they were shutting down due to bad tokenomics & market conditions. Community thinks otherwise due to the deleted Telegram chat room & treasury withdrawals to dev wallets leading up to the exit. | 06/21/2021 | [Link] | N/A |
| Impossible Finance | BSC | Exploit | Attacker exploited a vulnerability in the LP contract to swap IF into BUSD twice in a row without incurring slippage. 229.84 ETH stolen. | 06/21/2021 | [Link] | [Link] |
| Iron Finance | Poly | Collapse | Bank run on Iron Finance's governance token (TITAN) occurred as their stablecoin (IRON) lost its peg due to arbitrageurs' repeated purchasing & exchanging of the IRON token for USDC & TITAN, before selling off the TITAN for a profit & furthering the off-peg condition. | 06/17/2021 | [Link] | [Link] |
| Alchemix | ETH | Exploit | Users were able to withdraw their collateral from the protocol before completing the repayment of their loan. | 06/16/2021 | [Link] | [Link] |
| PolyButterfly | Poly | Rugpull | 600 ETH stolen by the dev team through the use of a backdoor. Website, Twitter, and Telegram all shut down. | | | |
| Belt Finance | BSC | Exploit | Flash loan exploit of the beltBUSD pool. 6,234,753 BUSD lost. Vault users lost 21.36% of funds, pool users lost 5.51%. | 05/29/2021 | [Link] | [Link] |
| BurgerSwap | BSC | Exploit | Due to a missing line of code from the original Uniswap V2 fork, an attacker was able to use a flash loan to exploit the service. | 05/27/2021 | [Link] | [Link] |
| Merlin Labs | BSC | Exploit | Copycat of the Pancake Bunny vulnerability of 05/19/2021. | 05/26/2021 | N/A | N/A |
| Autoshark | BSC | Exploit | Copycat of the Pancake Bunny vulnerability of 05/19/2021. | 05/24/2021 | [Link] | [Link] |
| Bogged Finance | BSC | Exploit | Due to a flaw in the staking section of the BOG smart contract, an attacker was able to use a flash loan to inflate the supply of staking rewards. | 05/22/2021 | [Link] | [Link] |
| Pancake Bunny | BSC | Exploit | Flash loan exploit of the LP ratios of USDT/BNB & BUNNY/BNB. | 05/19/2021 | [Link] | [Link] |
| (now Pheonix Finance) | ETH | Hack | Admin keys were used (potentially stolen) to mint tokens on BSC & Ethereum, which were then dumped. | 05/17/2021 | [Link] | [Link] |
| bEarn Fi | BSC | Exploit | Exploit allowed an attacker to continuously deposit and withdraw BUSD from bEarn's vault, earning more of the stablecoin with every transaction. | 05/16/2021 | [Link] | [Link] |
| X-Token | ETH | Exploit | Attacker exploited the xBNTa and xSNXa contracts simultaneously & drained their pools immediately. 416 ETH stolen. | 05/12/2021 | [Link] | [Link] |
| Spartan Protocol | BSC | Exploit | Flash loan exploit of a bug in Spartan Protocol's code which utilized current balances instead of cached balances. This allowed LP tokens to be exchanged for more of the constituent tokens than they should have been. | 05/03/2021 | [Link] | [Link] |
| Rari Capital Ethereum Pool | ETH | Exploit | Flash loan exploit of a code vulnerability. | 05/08/2021 | [Link] | [Link] |
| Uranium Finance | BSC | Exploit | Attacker (possible inside job) exploited the token migration event. | 04/27/2021 | [Link] | N/A |
| EasyFi | Poly | Hack | Attacker gained remote access to the admin's machine and stole private keys to drain the protocol's pools of roughly $6m. | 04/19/2021 | [Link] | [Link] |
| ForceDAO | ETH | Exploit | Attacker exploited a known Solidity issue to mint xFORCE tokens without needing to lock their (nonexistent, in this case) FORCE tokens. | 04/04/2021 | [Link] | [Link] |
| | | | Website, Telegram, Twitter page deleted. | | | |
| Roll | ETH | Hack | Hot wallet private keys compromised. | 03/14/2021 | [Link] | [Link] |
| DODO | ETH | Exploit | Attacker exploited a bug within DODO's V2 Crowdpool. | 03/08/2021 | [Link] | [Link] |
| PAID Network | ETH | Hack | "The attacker used a compromised private key to the original contract deployer to leverage the upgrade function of the smart contract. The attacker then proceeded to 'upgrade' to a new smart contract which had the ability to burn and re-mint tokens." | 03/05/2021 | [Link] | [Link] |
| Meerkat Finance | BSC | Rugpull | Exit scam. Website, Twitter page deleted. | | | |
| Alpha Finance | ETH | Exploit | Flash loan exploit of an Alpha vulnerability. | 02/13/2021 | [Link] | [Link] |
| Yearn Finance | ETH | Exploit | Using flash loans, the attacker was able to unbalance the exchange rate in Curve's 3CRV pool, deposit into the pool with the yDAI vault, correct the imbalance, and profit the difference. | 02/04/2021 | [Link] | N/A |