Introduction On September 27th, 2022, a smart contract MEV bot was hacked on the Ethereum blockchain, losing around 1,101 WETH, which amounted to approximately $1.46m on the day of the exploit. …

Introduction The Nomad bridge was hacked on August 1st, 2022, and $190m of locked funds were drained. After one attacker first managed to exploit the vulnerability and struck gold, other dark forest travelers jumped to replay the exploit in what eventually became a colossal, “crowdsourced” hack. A routine upgrade on the…

Introduction Beanstalk, a permissionless fiat stablecoin protocol, was the victim of a whopping $181m hack on April 17, 2022, which leveraged the lack of execution delay to push through a malicious governance proposal. The hacker submitted two Beanstalk Improvement Proposals: Bip18 and Bip19. The first one proposed the full transfer of…

Summary On June 27th, whitehat pwning.eth submitted a critical bug report that impacted the Polkadot ecosystem via Immunefi, demonstrating the possibility of minting valid but depegged wrapped tokens. The bug, which was found within Frontier — the Substrate pallet that provides core Ethereum compatibility features within the Polkadot ecosystem–impacted Moonbeam, Astar…

Introduction Omni, an NFT money market platform, was the victim of a $1.4M hack on July 10, 2022, which exploited a reentrancy vulnerability on its Ethereum smart contracts. The hacker used a Doodles NFTX vault to deposit Doodles NFTs as collateral on an Omni pool. By leveraging a reentrancy vulnerability on…

Immunefi is partnering with CryptoStats, a public goods data company that provides neutral crypto metrics for the community, to provide bug bounty data on web3’s biggest chains and bridges. CryptoStats’ latest project, CryptoFlows.info, is a visualizer that provides in-depth information on where value flows between chains and bridges across crypto. …

Summary On September 25, 2022, 0xSzeth reported a high severity bug in 88mph’s vesting03 smart contract via Immunefi. This bug allowed some malicious users to drain the vesting contract of unclaimed MPH rewards (88mph tokens). While looking through the contract, the whitehat discovered that some users were able to steal most…

Summary On September 21, 2022, an anonymous whitehat reported a critical severity bug in Mt Pelerin’s bridge-protocol-v2 via Immunefi, which could have allowed an attacker to drain the contract of funds. However, thanks to the efforts of the whitehat, no user funds were lost. …

Introduction Saddle Finance, an automated market maker (AMM) on Ethereum, was the victim of a series of transactions on April 30, 2022, that exploited deployed smart contracts. Over the course of three attack transactions, roughly $11m in crypto was taken. One of these three attacks was a whitehat who rescued roughly…