An economic attack rooted in the design of WUSD — WUSD is a stable coin backed by USDT and WEX. When you mint WUSD with USDT, 1/10 of the deposit will be used for market buy WEX and then use the WEX bought as part of the reserve. The Exploit At around 2 AM UTC on Aug 4, Wault’s WUSD on BSC…

The Exploit At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited and drained $1M (521 ETH) out of the SPACE token LP on Polygon. Check out the Transaction Details on PolygonScan. How? Borrowed 24M DAI and 54M MATIC of flash loans from Aave. Created 25M DAIMATIC LP. …

The Exploit At around 4:30 AM UTC on July 14, ApeRocket’s CAKE vault was exploited and drained $260K (883 BNB) out of the SPACE token LP on ApeSwap. Check out the Transaction Details on BscScan. How? Borrowed 1.6M CAKE ($21.8M) of flash loan from PancakeSwap. Added 509K CAKE of deposit to the CAKE…

Those who cannot learn from history are doomed to repeat it. — The Exploit At around 3:48 AM UTC on Jun 28, a hacker managed to mint a huge amount of SDO (an algo stablecoin on Polygon) and dumped them into the market. How many? 831,309,277,244,108,000 SDO That’s a lot. As a result, the hacker has taken out 202k USDC and 46k USDT. …

How does Impossible Finance make the impossible possible? — The Exploit At around 4:40 AM UTC on Jun 21, $0.5M (229.84 ETH) was stolen from Impossible Finance. Using a vulnerability in the LP contract, the hacker managed to swap IF into BUSD at about the price 2 times in a row, which is usually “Impossible” because of the slippage. As a…

The Exploit On Jun 03, about 2 AM UTC, with a lot of Hunny tokens minted out and dumped, the hacker has taken out 38.9 ETH.

Fool me once, shame on you. Fool me twice, shame on me. Fool me three times, shame on both of us. — Disclosures: Merlin Lab has engaged WatchPug to perform the 4th audit on their updated security code. The Exploit On May 26, 2021, 03:59:05 AM +UTC, less than 48 hrs after the Autoshark hack. Merlin Lab, well, another Bunny fork, been attacked in a similar fashion to the Bunny and the Autoshark hack.

A copycat hack targeted at a copycat platform — The Exploit On May 24, 2021, 09:41:49 PM +UTC, less than 5 days after the bunny hack. A copycat hacker used 100K BNB of flash loan and minted 135M of SHARK token from Autoshark, a copycat of Bunny. As a result, the hacker has taken out 2.2k WBNB. Check out the Transaction…

The root cause: lack of understanding of the dependent smart contracts. The Exploit On May 19, 2021, 10:34:28 PM +UTC, with two transactions, the hacker used 2.3M BNB and 2.9M USDT of flash loan and minted 6,972,455 BUNNY token. As a result of this exploit, the hacker has taken out 114k WBNB…