-
Zoth hacked.
The root cause is incorrect LTV validation logic. The victim contract has a “mintWithStable” function that swaps the received tokens for collateral tokens and mints ZeUSD tokens. The swap is done on Uniswap v3 by the “handleDeposit” function. In that function, “amount” (the amount of received tokens) is what the LTV validation is based on, not the collateral that the swap actually delivers. But if the Uniswap v3 pool is manipulated, the exchanged collateral tokens…
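The pattern, as an added illustration (this is not Zoth's code): the vulnerable function sizes the LTV check on the stable paid in, while the hardened one values the collateral that actually arrived and derives a minimum swap output from an oracle price instead of trusting the pool. The interfaces, 18-decimal tokens, the 1e18-scaled oracle price and the basis-point LTV are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Zoth's code. The interfaces, the 18-decimal tokens,
// the 1e18-scaled oracle price and the basis-point LTV are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IMintable {
    function mint(address to, uint256 amount) external;
}

interface ISwapper {
    // Sells `amountIn` of `tokenIn` for the collateral token and returns what was received.
    function swap(address tokenIn, uint256 amountIn, uint256 minOut, address recipient)
        external returns (uint256 amountOut);
}

interface IPriceOracle {
    // Collateral price in stable units, scaled by 1e18.
    function collateralPrice() external view returns (uint256);
}

contract Minter {
    IERC20 public immutable stable;
    IERC20 public immutable collateral;
    IMintable public immutable zeusd;
    ISwapper public immutable swapper;
    IPriceOracle public immutable oracle;
    uint256 public constant MAX_LTV_BPS = 8_000;    // 80 %
    uint256 public constant MAX_SLIPPAGE_BPS = 100; // 1 %, enforced by the contract

    mapping(address => uint256) public collateralOf;
    mapping(address => uint256) public debtOf;

    constructor(IERC20 s, IERC20 c, IMintable z, ISwapper sw, IPriceOracle o) {
        stable = s; collateral = c; zeusd = z; swapper = sw; oracle = o;
    }

    // VULNERABLE PATTERN: the LTV check is sized on `amount`, the stable paid
    // in, rather than on the collateral the swap actually delivered. A skewed
    // pool can hand back a fraction of the expected collateral (no min-out),
    // yet the debt is still minted against the full `amount`.
    function mintWithStableVulnerable(uint256 amount, uint256 mintAmount) external {
        stable.transferFrom(msg.sender, address(this), amount);
        stable.approve(address(swapper), amount);
        uint256 received = swapper.swap(address(stable), amount, 0, address(this));
        collateralOf[msg.sender] += received;
        debtOf[msg.sender] += mintAmount;
        require(mintAmount * 10_000 <= amount * MAX_LTV_BPS, "ltv"); // wrong basis
        zeusd.mint(msg.sender, mintAmount);
    }

    // HARDENED: price the collateral that actually arrived (balance delta,
    // valued by an oracle independent of the pool being traded on), demand a
    // contract-derived minimum output, and check LTV on the whole position.
    function mintWithStable(uint256 amount, uint256 mintAmount) external {
        stable.transferFrom(msg.sender, address(this), amount);
        stable.approve(address(swapper), amount);

        uint256 price = oracle.collateralPrice();
        uint256 expectedOut = amount * 1e18 / price;
        uint256 minOut = expectedOut * (10_000 - MAX_SLIPPAGE_BPS) / 10_000;

        uint256 before = collateral.balanceOf(address(this));
        swapper.swap(address(stable), amount, minOut, address(this));
        uint256 received = collateral.balanceOf(address(this)) - before;
        require(received >= minOut, "swap shortfall");

        collateralOf[msg.sender] += received;
        debtOf[msg.sender] += mintAmount;
        uint256 collateralValue = collateralOf[msg.sender] * price / 1e18;
        require(debtOf[msg.sender] * 10_000 <= collateralValue * MAX_LTV_BPS, "ltv");
        zeusd.mint(msg.sender, mintAmount);
    }
}
```

The balance delta matters as much as the oracle: a swap's declared return value can be trusted only as far as the swapper is, while the delta measures what this contract now holds.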
-
Hegic Options hacked.
A contract related to Hegic Options lost $80k. The victim contract has a “withdrawWithoutHegic” function that withdraws the user's funds. Unfortunately, the developer forgot to reduce the “t.share” value, so a user can withdraw multiple times. The hacker simply called the withdraw function repeatedly and drained all funds in the victim contract.
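The same bug in miniature, as an added example (not Hegic's code): a tranche vault whose withdraw pays out pro rata to `t.share` but never clears it, next to the fixed version that burns the share before the transfer. The Tranche struct and the pool accounting are assumptions chosen to mirror the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Hegic's code. The Tranche struct and the
// pro-rata pool accounting are assumptions chosen to mirror the bug above.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TrancheVault {
    struct Tranche { address owner; uint256 share; }

    IERC20 public immutable token;
    Tranche[] public tranches;
    uint256 public totalShare;
    uint256 public totalAssets; // tracked deposits; deliberately not token.balanceOf

    constructor(IERC20 t) { token = t; }

    // One share per token deposited; returns the tranche id.
    function deposit(uint256 amount) external returns (uint256 id) {
        require(amount > 0, "zero");
        token.transferFrom(msg.sender, address(this), amount);
        tranches.push(Tranche({owner: msg.sender, share: amount}));
        totalShare += amount;
        totalAssets += amount;
        return tranches.length - 1;
    }

    // VULNERABLE: pays out pro rata to t.share but never clears it, so the
    // same tranche can be withdrawn again and again; every call pays the same
    // amount until token.transfer fails because the vault is empty.
    function withdrawWithoutHegicVulnerable(uint256 id) external {
        Tranche storage t = tranches[id];
        require(t.owner == msg.sender, "not owner");
        uint256 amount = totalAssets * t.share / totalShare;
        // missing: t.share = 0; totalShare -= share; totalAssets -= amount;
        token.transfer(msg.sender, amount);
    }

    // FIXED: burn the share and update the pool totals before the transfer
    // (checks-effects-interactions), and refuse an already-emptied tranche.
    function withdrawWithoutHegic(uint256 id) external {
        Tranche storage t = tranches[id];
        require(t.owner == msg.sender, "not owner");
        uint256 share = t.share;
        require(share > 0, "already withdrawn");
        uint256 amount = totalAssets * share / totalShare;
        t.share = 0;
        totalShare -= share;
        totalAssets -= amount;
        token.transfer(msg.sender, amount);
    }
}
```

A unit test that calls withdraw twice on the same id and expects the second call to revert would have caught this; "withdraw twice" belongs in every vault test suite.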
-
StepHeroNFTs attacked.
A textbook reentrancy attack. The victim contract handles an NFT sale. As you can see in the picture, there is no reentrancy check in the “claimReferral” function, and state is updated only after the token transfer, so the function is vulnerable to reentrancy. The hacker bought some NFTs to increase his “referral” balance, then called “claimReferral” recursively to drain the victim contract.…
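The pattern end to end, as an added example (not StepHero's code): a sale whose `claimReferral` pays before it zeroes the balance, the fixed version using checks-effects-interactions plus a mutex, and an attacker contract that re-enters from its `receive()`. The referral accounting (10 % of the price), the native-coin payout and the attacker contract are assumptions made to reproduce the described bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not StepHero's code. The referral accounting, the
// native-coin payout and the attacker contract are assumptions chosen to
// reproduce the pattern: external call first, state update after, no guard.
contract SaleVulnerable {
    uint256 public constant PRICE = 1 ether;
    mapping(address => uint256) public referral; // unpaid referral rewards

    // Buying with a referrer credits 10 % of the price to the referrer.
    function buy(address referrer) external payable {
        require(msg.value == PRICE, "price");
        referral[referrer] += msg.value / 10;
    }

    // VULNERABLE: the payout happens before referral[msg.sender] is zeroed and
    // there is no mutex, so a contract caller can re-enter from its receive()
    // while its claimable balance still reads as unpaid.
    function claimReferral() external {
        uint256 amount = referral[msg.sender];
        require(amount > 0, "nothing to claim");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
        referral[msg.sender] = 0; // too late
    }
}

contract SaleFixed {
    uint256 public constant PRICE = 1 ether;
    mapping(address => uint256) public referral;
    uint256 private lock = 1;

    modifier nonReentrant() {
        require(lock == 1, "reentrant");
        lock = 2;
        _;
        lock = 1;
    }

    function buy(address referrer) external payable {
        require(msg.value == PRICE, "price");
        referral[referrer] += msg.value / 10;
    }

    // FIXED: checks-effects-interactions (zero the balance before paying) stops
    // this attack on its own; the mutex additionally covers cross-function
    // reentrancy through any other payable path.
    function claimReferral() external nonReentrant {
        uint256 amount = referral[msg.sender];
        require(amount > 0, "nothing to claim");
        referral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }
}

// Attacker against SaleVulnerable: buys one NFT naming itself as referrer
// (earning a 0.1 ether credit), then claims; each incoming payout re-enters
// claimReferral until the sale holds less than one more payout.
contract ReferralDrainer {
    SaleVulnerable public immutable sale;

    constructor(SaleVulnerable s) { sale = s; }

    function attack() external payable {
        sale.buy{value: sale.PRICE()}(address(this));
        sale.claimReferral();
    }

    receive() external payable {
        if (address(sale).balance >= sale.referral(address(this))) {
            sale.claimReferral();
        }
    }
}
```

Note that `sale.referral(address(this))` still reads 0.1 ether inside every nested frame, because the assignment to zero only runs once the outermost call returns; that is exactly the window the attacker exploits.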
-
BOLT token hacked.
The “transfer” function of the BOLT token burns some of the pancake pair's BOLT when the “to” address is the pancake pair. The hacker was able to manipulate the pair's state by leveraging this logic. He swapped a huge amount of USDT for BOLT, which decreased the pancake pair's BOLT balance. After that, he transferred some BOLT to the pancake pair and called “skim”, repeated…
-
Unverified contracts were hacked on multiple chains.
Those contracts have functions (such as “0xa6efca62”) that can be used to swap tokens on Uniswap v3, and there is no access check on those functions. The hacker created a fake Uniswap v3 pool with his own token, made the victim contract swap tokens on that pool by calling the vulnerable function, then removed the liquidity from the pool. Contracts on Ethereum, Bsc,…
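The two missing checks, as an added example (not the hacked contracts' code): an open function that swaps on whatever pool the caller names, beside a version that restricts the caller, resolves the pool through the canonical Uniswap v3 factory, and allow-lists the tokens. The keeper role and the `ISwapRouter` shape are assumptions; `IUniswapV3Factory.getPool` is the real factory lookup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the pattern, not the hacked contracts' code. The keeper
// role and the ISwapRouter shape are assumptions; IUniswapV3Factory.getPool is
// the real Uniswap v3 factory lookup.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address pool);
}

interface ISwapRouter {
    // Minimal single-hop swap against a specific pool (assumed shape, not the
    // official router signature).
    function swapExactIn(address pool, address tokenIn, uint256 amountIn, uint256 minOut, address recipient)
        external returns (uint256 amountOut);
}

contract TreasurySwapperVulnerable {
    ISwapRouter public immutable router;

    constructor(ISwapRouter r) { router = r; }

    // VULNERABLE: anyone can call, and the pool is whatever the caller says.
    // An attacker deploys a pool pairing the treasury's token with a worthless
    // token, calls this with that pool, then pulls the liquidity out.
    function swapOnPool(address pool, address tokenIn, uint256 amountIn) external {
        IERC20(tokenIn).approve(address(router), amountIn);
        router.swapExactIn(pool, tokenIn, amountIn, 0, address(this));
    }
}

contract TreasurySwapper {
    ISwapRouter public immutable router;
    IUniswapV3Factory public immutable factory;
    address public immutable keeper;
    mapping(address => bool) public allowedToken; // tokens the treasury may hold

    constructor(ISwapRouter r, IUniswapV3Factory f, address k) {
        router = r; factory = f; keeper = k;
    }

    modifier onlyKeeper() {
        require(msg.sender == keeper, "not keeper");
        _;
    }

    function setAllowedToken(address token, bool allowed) external onlyKeeper {
        allowedToken[token] = allowed;
    }

    // HARDENED: restricted caller, pool resolved from the canonical factory for
    // the exact pair and fee tier, both tokens allow-listed, non-zero min-out.
    function swap(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint256 minOut)
        external onlyKeeper returns (uint256 out)
    {
        require(allowedToken[tokenIn] && allowedToken[tokenOut], "token not allowed");
        require(minOut > 0, "minOut");
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "no canonical pool");
        IERC20(tokenIn).approve(address(router), amountIn);
        out = router.swapExactIn(pool, tokenIn, amountIn, minOut, address(this));
    }
}
```

The factory lookup alone is not enough: anyone can create a canonical pool for an arbitrary token pair, which is why the token allow-list and the caller restriction are both there.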
-
Peapods finance hacked.
The Peapods reward contract was drained by a sandwich attack. The “depositFromPairedLpToken” function of the reward contract swaps all of its pOHM tokens for PEAS tokens. It has a “_slippageOverride” parameter, and the hacker was able to sandwich the swap by setting this value to 999. Total loss is $3.5k.
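How a caller-chosen slippage value turns into a sandwich, as an added example (not Peapods' code): with slippage expressed in thousandths, an override of 999 leaves a minimum output of 0.1 % of the quote, and the quote itself is spot, so the attacker sets both. The hardened version caps the override and takes the expected output from a TWAP. The thousandths unit, the quote/TWAP sources and the `ISwapper` interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Peapods' code. Slippage expressed in thousandths,
// the quote/TWAP sources and the ISwapper interface are assumptions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ISwapper {
    // Spot quote from the pool's current reserves: whatever a sandwicher has
    // just pushed the price to.
    function quote(address tokenIn, address tokenOut, uint256 amountIn) external view returns (uint256);
    function swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut) external returns (uint256);
}

interface ITwapOracle {
    // Time-weighted expected output; cannot be moved within a single block.
    function consult(address tokenIn, address tokenOut, uint256 amountIn) external view returns (uint256);
}

contract Rewards {
    uint256 public constant DEFAULT_SLIPPAGE = 10; // 1.0 % of 1000
    uint256 public constant MAX_SLIPPAGE = 30;     // 3.0 % hard cap (hardened path only)

    IERC20 public immutable pOHM;
    IERC20 public immutable PEAS;
    ISwapper public immutable swapper;
    ITwapOracle public immutable twap;

    constructor(IERC20 a, IERC20 b, ISwapper s, ITwapOracle t) {
        pOHM = a; PEAS = b; swapper = s; twap = t;
    }

    // VULNERABLE: any caller picks the slippage. With _slippageOverride = 999
    // minOut becomes 0.1 % of the quote, and the quote itself is spot, so a
    // sandwich (skew the pool, let this swap run at the bad price, unwind)
    // keeps nearly the entire pOHM balance the contract sells.
    function depositFromPairedLpTokenVulnerable(uint256 _slippageOverride) external {
        uint256 amountIn = pOHM.balanceOf(address(this));
        uint256 slippage = _slippageOverride == 0 ? DEFAULT_SLIPPAGE : _slippageOverride;
        uint256 quoted = swapper.quote(address(pOHM), address(PEAS), amountIn);
        uint256 minOut = quoted * (1000 - slippage) / 1000;
        pOHM.approve(address(swapper), amountIn);
        swapper.swap(address(pOHM), address(PEAS), amountIn, minOut);
    }

    // HARDENED: the override is capped by the contract, and the expected
    // output comes from a TWAP the sandwicher cannot move in the same block.
    function depositFromPairedLpToken(uint256 _slippageOverride) external {
        require(_slippageOverride <= MAX_SLIPPAGE, "slippage too high");
        uint256 amountIn = pOHM.balanceOf(address(this));
        uint256 slippage = _slippageOverride == 0 ? DEFAULT_SLIPPAGE : _slippageOverride;
        uint256 expected = twap.consult(address(pOHM), address(PEAS), amountIn);
        uint256 minOut = expected * (1000 - slippage) / 1000;
        pOHM.approve(address(swapper), amountIn);
        uint256 out = swapper.swap(address(pOHM), address(PEAS), amountIn, minOut);
        require(out >= minOut, "slippage");
    }
}
```

A min-out computed from the same pool the swap executes on protects against nothing a same-block attacker controls; the reference price has to come from somewhere the attacker cannot move cheaply.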
-
XSD token hacked.
The XSD (Uniswap v2 fork project) router has functionality that burns XSD tokens held by the XSD/ETH pair. The hacker was able to manipulate the pair's state using this functionality. He also leveraged reentrancy to reduce the pair balance dramatically. After that, he was able to drain all ETH in the XSD/ETH pair. This project was attacked on several chains; total loss is…
-
Ionic Finance hacked.
Ionic Finance was hacked because it listed a fake market. LBTC is currently deployed on Ethereum, Base, BNB, Corn, Bob and Swell, but the Ionic team listed an LBTC market on the Mode chain. The LBTC on Mode was a fake LBTC token deployed 26 days earlier. The owner of the fake LBTC can mint any amount of it. He was able…
-
Odos router hacked.
The OdosLimitOrderRouter contract was exploited due to an insufficient input check. Interestingly, the function for validating signatures was used for call injection. The “isValidSigImpl” function parses a factory address and calldata from its input and makes an external call using the parsed data; this is what enabled the call injection. The hacker provided a token contract address and “transfer” calldata as input to “isValidSigImpl”, and all tokens…
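The injection pattern, as an added illustration (not Odos's code): a validator that decodes a target address and calldata out of the signature bytes and calls them unconditionally, beside a version that only calls an allow-listed deployer, only when the signer has no code yet, and checks the result. The layout of the signature blob as `(factory, factoryCalldata, innerSig)` and the use of an ERC-1271 signer are assumptions; the ERC-1271 selector `0x1626ba7e` is the real one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the pattern, not Odos's code. The layout of the
// signature blob as (factory, factoryCalldata, innerSig) and the use of an
// ERC-1271 signer are assumptions; what matters is that caller-supplied
// bytes choose both the target and the calldata of an external call.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bytes4);
}

contract SigValidatorVulnerable {
    bytes4 private constant MAGIC = 0x1626ba7e; // IERC1271.isValidSignature.selector

    // VULNERABLE: `factory` and `factoryCalldata` come straight from the input
    // and are executed unconditionally. Supplying a token address as `factory`
    // and abi.encodeWithSignature("transfer(address,uint256)", attacker, bal)
    // as `factoryCalldata` makes this contract send its own tokens away.
    function isValidSigImpl(address signer, bytes32 hash, bytes calldata sig) external returns (bool) {
        (address factory, bytes memory factoryCalldata, bytes memory innerSig) =
            abi.decode(sig, (address, bytes, bytes));
        (bool ok, ) = factory.call(factoryCalldata);
        require(ok, "factory call failed");
        return IERC1271(signer).isValidSignature(hash, innerSig) == MAGIC;
    }
}

contract SigValidator {
    bytes4 private constant MAGIC = 0x1626ba7e;
    mapping(address => bool) public trustedFactory;
    address public immutable admin;

    constructor(address a) { admin = a; }

    function setTrustedFactory(address f, bool trusted) external {
        require(msg.sender == admin, "not admin");
        trustedFactory[f] = trusted;
    }

    // HARDENED: the call is only made when it is actually needed (the signer
    // has no code yet), only to an allow-listed deployer, and its effect is
    // checked (code must now exist at `signer`). A token contract is never on
    // the allow-list, so the transfer injection has no target.
    function isValidSigImpl(address signer, bytes32 hash, bytes calldata sig) external returns (bool) {
        (address factory, bytes memory factoryCalldata, bytes memory innerSig) =
            abi.decode(sig, (address, bytes, bytes));
        if (signer.code.length == 0) {
            require(trustedFactory[factory], "untrusted factory");
            (bool ok, ) = factory.call(factoryCalldata);
            require(ok && signer.code.length > 0, "deploy failed");
        }
        return IERC1271(signer).isValidSignature(hash, innerSig) == MAGIC;
    }
}
```

Even the hardened path still executes caller-controlled calldata against the allow-listed factory, so a second layer is to keep the contract that makes the call free of token balances and approvals: a validator with nothing to steal is the one place an injected `transfer` cannot hurt.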