WEB3-BZX-2020

On June 10, 2024, UwU Lend, an Aave-fork lending protocol on Ethereum, lost about $19.3 million, followed by a second ~$3.7 million drain on June 13, 2024 (combined ~$23 million). The root cause was flash-loan oracle manipulation of the sUSDe price feed: the custom sUSDePriceProviderBUniCatch oracle priced sUSDe as the median of 11 sources, 5 of which read instantaneous Curve pool spot prices via get_p (no TWAP/EMA smoothing) across the FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD and GHOUSDe pools. Using a roughly $3.8 billion flash loan, the attacker swapped large USDe amounts to suppress the median sUSDe price, set up positions, then reversed the swaps to inflate it, rendering their own leveraged position liquidatable and self-liquidating repeatedly to harvest base assets at favorable rates. Curve explicitly advises against using get_p spot reads for oracles. The June 13 follow-up reused collateral left from the first attack, since sUSDe was not disabled as borrowable collateral.

On 2 April 2022 Inverse Finance lost approximately $15.6 million on Ethereum when an attacker manipulated the INV price oracle feeding its Anchor money market. INV was priced by a Keep3r TWAP over the SushiSwap INV/ETH pair, but the oracle only folded a new price cumulative into the average when the elapsed time exceeded its 30-minute period, so shortly after a fresh update the oracle effectively returned the current manipulable spot price instead of a true time-weighted average. Using about 500 ETH of their own funds (no flash loan), the attacker bought INV on SushiSwap and routed ETH through Curve and DOLA into more INV, draining the thin INV/ETH pool and spiking the reported INV price, then deposited the inflated INV as collateral and borrowed ETH, WBTC, DOLA and YFI far exceeding its real value. The root cause was a TWAP whose update window let a single-block spot manipulation pass through as the reported price.

On February 2, 2022, the Wormhole Solana-Ethereum bridge was exploited for about $326 million (120,000 wETH). On Solana, Wormhole's core bridge confirmed guardian signatures by reading the Instructions sysvar to verify that the Secp256k1 verification instruction had run, but its verify_signatures function received the sysvar as a caller-supplied account and called load_instruction_at against it without checking that the account's address equaled the genuine Instructions sysvar (solana_program::sysvar::instructions::id()). The attacker passed a spoofed account crafted to mimic a successful verification of fabricated guardian signatures, so the program accepted a forged VAA and minted 120,000 wETH with no Ethereum collateral, bridging roughly 93,750 ETH back to Ethereum. The real fix added an explicit address check rejecting any instruction account whose key did not match the sysvar id. Jump Crypto (parent of Wormhole developer Certus One) replaced the full 120,000 ETH the next day to keep the bridge solvent; about $225 million was later clawed back via an English High Court order in February 2023.

On 26 October 2020 Harvest Finance lost approximately $33.8 million (with about $2.5 million later returned) on Ethereum in a flash-loan price-manipulation attack against its fUSDT and fUSDC vaults. The vaults priced shares from the live spot exchange rate of Curve's Y-pool, so the attacker flash-borrowed tens of millions in USDT and swapped roughly $17M USDT into USDC through the pool to temporarily depress USDC and lift the pool's reported USDC value to about $1.01. While the pool was skewed, the attacker deposited USDC into the vault and minted shares at the inflated price, then reversed the Curve swap to restore the rate and redeemed the shares for more underlying than deposited, repeating the loop many times. The root cause was deriving deposit/withdraw share value from a single Curve pool's instantaneous spot rate, which is fully manipulable inside one flash-loan transaction.

A frontend hijack leaves the on-chain contracts untouched but replaces the Web2 surface serving the dApp UI with a wallet-drainer clone, so no Solidity audit can catch it. The recurring pattern: attackers take over the domain registrar or DNS provider account (or a CDN/tag-manager account), repoint the domain to a cloned site, and prompt visitors to sign malicious token approvals, EIP-2612 permit signatures, or transfers. Curve Finance was hit twice: on August 9-10, 2022 its curve.fi domain was DNS-hijacked via a compromised nameserver and drained ~$570K in USDC/DAI; and again around May 12, 2025 at the registrar level, after which Curve permanently migrated to curve.finance and announced an ENS move (Convex Finance and Resupply, which depend on Curve's data feeds, suffered dependency-driven outages but were not themselves compromised). In July 2024 a mass wave hit DeFi domains registered through Squarespace, whose forced migration off Google Domains stripped 2FA: Compound's frontend redirected to an Inferno Drainer clone and 100+ protocols were exposed (Celer blocked its takeover via domain monitoring). Ambient Finance's domain was hijacked through stolen registrar credentials on October 17, 2024. Most recently, on April 14, 2026 attackers used forged identity documents to social-engineer the registrar into handing over DNS control of CoW Swap's swap.cow.fi and cow.fi domains, redirecting users to a pixel-perfect drainer clone for about 90 minutes; over $1M was taken in roughly three hours, including 219 ETH (~$750K) from a single wallet, while CoW's contracts, backend APIs, and solver network were untouched. The same bucket includes CDN-account injections (KyberSwap's September 2022 Cloudflare/Google Tag Manager compromise, ~$265K) and BGP route hijacks that swap signed bundles for drainer code.

On April 14, 2025 the perpetuals DEX KiloEx lost about $7.5 million across BNB Chain, Base, opBNB, and Taiko to what was reported as oracle price manipulation but was really an access-control failure. KiloEx's price feed (KiloPriceFeed.setPrices) was meant to be reachable only through a keeper-gated call chain, but the top-level MinimalForwarder.execute function was publicly callable and validated an attacker-supplied signature against attacker-supplied data, letting anyone forge a trusted call that reached setPrices and write an arbitrary price. The attacker set a market price far below true value, opened a leveraged position, then set the price far above value and closed it in the same flow, extracting fabricated profit from the vault; the sequence was repeated across all four chains, with a single transaction netting $3.12M. Reporting that framed it as flash-loan oracle manipulation was imprecise: no market liquidity was moved, the price was simply written directly through the unprotected forwarder. After KiloEx offered a 10% (~$750K) whitehat bounty and no legal action, the attacker returned essentially all of the funds by April 18, 2025.