These are real world cases of bug fixes reported through Immunefi. To learn more about smart contract vulnerabilities theory check: Vulnerabilities
A smart contract MEV bot was hacked on the Ethereum blockchain, losing around 1,101 WETH. The hack took place just 30 minutes after the MEV bot pulled off a notoriously profitable arbitration that earned it 804 WETH. Since the smart contract code is unverified, this article shows how one can go about finding a vulnerability in a smart contract by just looking at its bytecode, past transactions and a bit of PoC trial and error action.
- Vulnerability type: Lack of sufficient validation of flashloan caller leading to arbitrary function execution
A routine upgrade on the implementation of one of Nomad’s proxy contracts marked a zero hash value as a trusted root, which allowed messages to get automatically proved. The hacker leveraged this vulnerability to spoof the bridge contract and trick it to unlock funds.
- Vulnerability type: CommittedRoot set to ZERO.
Beanstalk was the victim of a whopping $181M hack, which leveraged the lack of execution delay to push through a malicious governance proposal.
- Vulnerability type: Lack of execution delay.
The underlying vulnerability, reentrancy, was exploited across two different functions of the same smart contract. Notably, these functions were lacking reentrancy locks and did not follow the checks-effects-interactions pattern. By leveraging the re-entrancy vulnerability on two different functions and using two attacker contracts, the hacker was able to borrow against the collateral and make the market forget about it.
- Vulnerability type: Re-entrancy.
Price miscalculation when swapping a token for an LP token.
- Vulnerability type: Logic, price calculation.
Analysis of Cream Finance exploit on Oct 2021, resulting in loss of $130m in available liquidity.
- Vulnerability type: Oracle manipulation, Uncapped supply of token.
Hack analysis of 101 DeFi hack & exploit incidents.