  • StepHeroNFTs attacked.

    A typical reentrancy attack. The victim contract is an NFT sale contract. As the picture shows, there is no reentrancy check in the "claimReferral" function, and state is updated only after the token transfer, so it is vulnerable to reentrancy. The hacker bought some NFTs to increase his "referral" value, then called "claimReferral" recursively to drain the victim contract.…
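    The fix for this class of bug is the checks-effects-interactions ordering, usually paired with a mutex. The Solidity below is an added example, not the StepHero contract: the referral mapping, the buy() helper with its assumed 10% referral credit, and paying the reward in ETH are assumptions chosen to make the vulnerable ordering and its hardened counterpart concrete.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the StepHero contract. The storage layout, the buy()
// helper and paying referral rewards in ETH are assumptions.

// Vulnerable ordering: the external call happens before the state update,
// so a contract receiving the payout can re-enter claimReferral() while
// referral[msg.sender] still holds the old, non-zero value.
contract ReferralSaleVulnerable {
    mapping(address => uint256) public referral;

    function buy(address referrer) external payable {
        require(msg.value > 0, "no payment");
        referral[referrer] += msg.value / 10; // assumed 10% referral reward
    }

    function claimReferral() external {
        uint256 amount = referral[msg.sender];
        require(amount > 0, "nothing to claim");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first ...
        require(ok, "payout failed");
        referral[msg.sender] = 0;                          // ... effect last: too late
    }
}

// Hardened version: checks-effects-interactions (zero the balance before the
// payout) plus a simple mutex as defence in depth for any other path that
// might reach an external call.
contract ReferralSaleFixed {
    mapping(address => uint256) public referral;
    uint256 private _status = 1; // 1 = unlocked, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function buy(address referrer) external payable {
        require(msg.value > 0, "no payment");
        referral[referrer] += msg.value / 10; // assumed 10% referral reward
    }

    function claimReferral() external nonReentrant {
        uint256 amount = referral[msg.sender];
        require(amount > 0, "nothing to claim");
        referral[msg.sender] = 0;                          // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }
}
```

    The mutex alone would have stopped the recursive claim, but zeroing the balance before the payout is the change that removes the bug rather than masking it; keeping both means a later refactor that adds a second external call does not silently reopen the hole.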

  • BOLT token hacked.

    The "transfer" function of the BOLT token burns some BOLT held by the PancakeSwap pair when the "to" address is the pair. The hacker was able to manipulate the pair state by leveraging this logic. He exchanged a huge amount of USDT for BOLT, so the pair's BOLT balance decreased. After that he transferred some BOLT to the pair and called "skim", repeated…

  • Unverified contracts were hacked on multiple chains.

    Those contracts have functions (like "0xa6efca62") that can be used to swap tokens on Uniswap v3, and there is no access check in those functions. The hacker created a fake Uniswap v3 pool with his own token, made the victim contract exchange tokens on that pool by calling the vulnerable function, then removed liquidity from the pool. Contracts on Ethereum, BSC,…
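    A swap helper that holds user funds needs a caller restriction, a token allowlist (so the counterparty token and its pool cannot be chosen by an outsider) and a non-zero minimum output. The Solidity below is an added example, not the code of the exploited contracts: the owner-only modifier, the allowlist and the balance check are the assumed hardening, and the router interface mirrors the exactInputSingle entry point of Uniswap v3's ISwapRouter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the exploited contracts' code. The owner-only restriction,
// the token allowlist and the minimum-output check are assumptions; the router
// interface mirrors Uniswap v3's ISwapRouter.exactInputSingle.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);
}

contract GuardedSwapper {
    address public immutable owner;
    ISwapRouter public immutable router;
    mapping(address => bool) public allowedToken; // tokens this contract may trade

    event Swapped(address tokenIn, address tokenOut, uint256 amountIn, uint256 amountOut);

    constructor(address _router) {
        owner = msg.sender;
        router = ISwapRouter(_router);
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowedToken(address token, bool allowed) external onlyOwner {
        allowedToken[token] = allowed;
    }

    // Three checks the unverified contracts lacked: only the owner can trigger
    // a swap, both tokens must be on the allowlist (so no attacker-created
    // token/pool pair can be selected), and a non-zero minimum output bounds
    // how bad a price the contract will accept.
    function swapExactInput(
        address tokenIn,
        address tokenOut,
        uint24 fee,
        uint256 amountIn,
        uint256 amountOutMinimum,
        uint256 deadline
    ) external onlyOwner returns (uint256 amountOut) {
        require(allowedToken[tokenIn] && allowedToken[tokenOut], "token not allowed");
        require(amountOutMinimum > 0, "min output required");
        require(IERC20(tokenIn).balanceOf(address(this)) >= amountIn, "insufficient balance");

        require(IERC20(tokenIn).approve(address(router), amountIn), "approve failed");
        amountOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: tokenIn,
                tokenOut: tokenOut,
                fee: fee,
                recipient: address(this),
                deadline: deadline,
                amountIn: amountIn,
                amountOutMinimum: amountOutMinimum,
                sqrtPriceLimitX96: 0
            })
        );
        emit Swapped(tokenIn, tokenOut, amountIn, amountOut);
    }
}
```

    The allowlist is the check that matters most here: because anyone can create a Uniswap v3 pool on the canonical factory, binding the contract to the real router is not enough on its own; the contract must also refuse to trade into tokens its operator never approved.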

  • Peapods finance hacked.

    The Peapods reward contract was drained by a sandwich attack. The "depositFromPairedLpToken" function of the reward contract exchanges all pOHM tokens for PEAS tokens. It has a "_slippageOverride" parameter; the hacker was able to carry out a sandwich attack by setting this value to 999. Total loss is $3.5k.
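    A caller-supplied slippage value must be bounded, and the minimum output should be anchored to a price the caller does not control. The Solidity below is an added example, not Peapods' reward contract: the basis-point units, the 1% ceiling, the IPriceOracle interface (a stand-in for a TWAP or similar feed) and the Uniswap v2-style router call are assumptions chosen to show the bound in context.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Peapods' reward contract. The oracle interface, the
// 1% ceiling, the basis-point units and the Uniswap v2-style router are
// assumptions chosen to show how a caller-supplied slippage value is bounded.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IPriceOracle {
    // Assumed TWAP-style oracle: how much tokenOut `amountIn` of tokenIn is worth.
    function quote(address tokenIn, address tokenOut, uint256 amountIn) external view returns (uint256);
}

interface IUniswapV2Router {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

contract BoundedSlippageRewards {
    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_SLIPPAGE_BPS = 100; // 1%: hard ceiling, assumed policy
    uint256 public defaultSlippageBps = 50;          // 0.5% when no override is given

    address public immutable owner;
    IERC20 public immutable pairedToken;   // the pOHM role in the incident
    IERC20 public immutable rewardToken;   // the PEAS role in the incident
    IPriceOracle public immutable oracle;
    IUniswapV2Router public immutable router;

    constructor(address _paired, address _reward, address _oracle, address _router) {
        owner = msg.sender;
        pairedToken = IERC20(_paired);
        rewardToken = IERC20(_reward);
        oracle = IPriceOracle(_oracle);
        router = IUniswapV2Router(_router);
    }

    // The default is a privileged knob and is still held under the ceiling.
    function setDefaultSlippageBps(uint256 bps) external {
        require(msg.sender == owner, "not owner");
        require(bps <= MAX_SLIPPAGE_BPS, "above ceiling");
        defaultSlippageBps = bps;
    }

    // Kept as a separate view so the bound can be reasoned about in isolation:
    // 0 means "use the default"; anything above the ceiling is rejected rather
    // than silently clamped, so a misconfigured caller fails loudly.
    function effectiveSlippageBps(uint256 slippageOverrideBps) public view returns (uint256) {
        uint256 s = slippageOverrideBps == 0 ? defaultSlippageBps : slippageOverrideBps;
        require(s <= MAX_SLIPPAGE_BPS, "slippage override too large");
        return s;
    }

    function minOutFor(uint256 amountIn, uint256 slippageBps) public view returns (uint256) {
        uint256 expected = oracle.quote(address(pairedToken), address(rewardToken), amountIn);
        return expected * (BPS - slippageBps) / BPS;
    }

    // Hardened counterpart of depositFromPairedLpToken(_slippageOverride): the
    // minimum output comes from the oracle price, not from the caller's input.
    function depositFromPairedLpToken(uint256 slippageOverrideBps) external returns (uint256 received) {
        uint256 amountIn = pairedToken.balanceOf(address(this));
        require(amountIn > 0, "nothing to convert");
        uint256 minOut = minOutFor(amountIn, effectiveSlippageBps(slippageOverrideBps));

        require(pairedToken.approve(address(router), amountIn), "approve failed");
        address[] memory path = new address[](2);
        path[0] = address(pairedToken);
        path[1] = address(rewardToken);
        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minOut, path, address(this), block.timestamp
        );
        received = amounts[amounts.length - 1];
    }
}
```

    With this shape an override of 999 reverts at effectiveSlippageBps() before any swap is attempted, and even a permitted override cannot push the accepted price more than 1% below the oracle quote, which caps what a sandwich can extract per call.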

  • XSD token hacked.

    The XSD (Uniswap v2 fork project) router has functionality that burns XSD tokens of the XSD/ETH pair. The hacker was able to manipulate the pair state using this functionality. He also leveraged reentrancy to reduce the pair balance dramatically. After that he was able to drain all ETH in the XSD/ETH pair. This project was attacked on several chains; total loss is…

  • Ionic Finance hacked.

    Ionic Finance was hacked because they listed a fake market. LBTC is currently deployed on Ethereum, Base, BNB, Corn, Bob and Swell, but the Ionic team listed an LBTC market on Mode chain. LBTC on Mode was a fake LBTC token that had been deployed 26 days earlier. The owner of the fake LBTC can mint any amount of LBTC. He was able…

  • Odos router hacked.

    The OdosLimitOrderRouter contract was exploited due to an insufficient input check. Interestingly, the function for validating signatures was used for call injection. The "isValidSigImpl" function parses a factory address and calldata and makes an external call using the parsed data; this was used for call injection. The hacker provided a token contract address and calldata for "transfer" as the input of "isValidSigImpl", and all tokens…

  • Call Injection.

    An unverified contract on Base was exploited; the root cause is an improper input check. It seems that this function is used for token exchange, but as there is no check on the input to the external call, it can be used for call injection. The hacker took funds from users who had approved this contract, gaining $125k.
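    Both the Odos entry and this one share the same root cause: a contract that holds user approvals lets calldata choose the target of an external call. The Solidity below is an added example that serves both entries; it is not Odos's code nor the Base contract's. The IWalletFactory interface, the factory allowlist, the custodied-token list and the single-selector policy are assumptions that show what a guarded version of "parse target plus calldata from input, then call it" looks like.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Odos's or the Base contract's code. The factory interface,
// the allowlists and the selector policy are assumptions.

interface IWalletFactory {
    function deploy(bytes calldata initData) external returns (address);
}

contract GuardedCaller {
    address public immutable owner;
    mapping(address => bool) public trustedFactory;  // addresses this contract may call
    mapping(address => bool) public custodiedToken;  // tokens users approve to this contract

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The two sets are kept disjoint at configuration time: a custodied token
    // can never become a call target, and vice versa.
    function setTrustedFactory(address factory, bool trusted) external onlyOwner {
        require(!custodiedToken[factory], "token cannot be a call target");
        trustedFactory[factory] = trusted;
    }

    function setCustodiedToken(address token, bool custodied) external onlyOwner {
        require(!trustedFactory[token], "call target cannot be a token");
        custodiedToken[token] = custodied;
    }

    // Hardened version of "decode (target, calldata) from input and call it":
    // the target must be allowlisted, must not be a custodied token, and only
    // one known selector is accepted, so an ERC-20 transfer() can never be
    // smuggled through this path.
    function executeFactoryCall(bytes calldata wrapped) external returns (address deployed) {
        (address target, bytes memory data) = abi.decode(wrapped, (address, bytes));
        require(trustedFactory[target], "untrusted target");
        require(!custodiedToken[target], "target is a custodied token");
        require(data.length >= 4, "calldata too short");

        bytes4 selector;
        assembly {
            selector := mload(add(data, 32)) // first word of the bytes payload
        }
        require(selector == IWalletFactory.deploy.selector, "selector not allowed");

        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "factory call failed");
        deployed = abi.decode(ret, (address));
    }
}
```

    The selector check is what closes the gap in both incidents: even if an allowlisted factory were compromised or misconfigured, the only call this contract will forward is the one it was designed to make, and the disjointness rule means the operator cannot accidentally allowlist a token that users have approved.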

  • AST token hacked.

    The AST token on BSC was hacked because of wrong transfer logic. When liquidity is removed from the PancakeSwap pair, the AST token decreases the pair's balance and burns the pair's tokens instead of increasing the user's balance. This means the pair's AST balance decreased twice. The hacker exchanged a huge amount of USDT for AST, small amount…