WEB3-INVERSE-2022

On June 10, 2024, UwU Lend, an Aave-fork lending protocol on Ethereum, lost about $19.3 million, followed by a second ~$3.7 million drain on June 13, 2024 (combined ~$23 million). The root cause was flash-loan oracle manipulation of the sUSDe price feed: the custom sUSDePriceProviderBUniCatch oracle priced sUSDe as the median of 11 sources, 5 of which read instantaneous Curve pool spot prices via get_p (no TWAP/EMA smoothing) across the FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD and GHOUSDe pools. Using a roughly $3.8 billion flash loan, the attacker swapped large USDe amounts to suppress the median sUSDe price, set up positions, then reversed the swaps to inflate it, rendering their own leveraged position liquidatable and self-liquidating repeatedly to harvest base assets at favorable rates. Curve explicitly advises against using get_p spot reads for oracles. The June 13 follow-up reused collateral left from the first attack, since sUSDe was not disabled as borrowable collateral.

On February 2, 2022, the Wormhole Solana-Ethereum bridge was exploited for about $326 million (120,000 wETH). On Solana, Wormhole's core bridge confirmed guardian signatures by reading the Instructions sysvar to verify that the Secp256k1 verification instruction had run, but its verify_signatures function received the sysvar as a caller-supplied account and called load_instruction_at against it without checking that the account's address equaled the genuine Instructions sysvar (solana_program::sysvar::instructions::id()). The attacker passed a spoofed account crafted to mimic a successful verification of fabricated guardian signatures, so the program accepted a forged VAA and minted 120,000 wETH with no Ethereum collateral, bridging roughly 93,750 ETH back to Ethereum. The real fix added an explicit address check rejecting any instruction account whose key did not match the sysvar id. Jump Crypto (parent of Wormhole developer Certus One) replaced the full 120,000 ETH the next day to keep the bridge solvent; about $225 million was later clawed back via an English High Court order in February 2023.

On 26 October 2020 Harvest Finance lost approximately $33.8 million (with about $2.5 million later returned) on Ethereum in a flash-loan price-manipulation attack against its fUSDT and fUSDC vaults. The vaults priced shares from the live spot exchange rate of Curve's Y-pool, so the attacker flash-borrowed tens of millions in USDT and swapped roughly $17M USDT into USDC through the pool to temporarily depress USDC and lift the pool's reported USDC value to about $1.01. While the pool was skewed, the attacker deposited USDC into the vault and minted shares at the inflated price, then reversed the Curve swap to restore the rate and redeemed the shares for more underlying than deposited, repeating the loop many times. The root cause was deriving deposit/withdraw share value from a single Curve pool's instantaneous spot rate, which is fully manipulable inside one flash-loan transaction.

In February 2020 bZx suffered two flash-loan price-manipulation attacks days apart, losing roughly $350,000 then roughly $650,000 (about $1M total) on Ethereum, the first widely studied flash-loan oracle attacks. In the first attack on 15 February the attacker flash-borrowed 10,000 ETH, opened a leveraged WBTC position through bZx's Fulcrum that internally swapped a large amount of ETH via Kyber into a thin Uniswap WBTC pool, spiking the WBTC spot price bZx read as its oracle, while a buggy collateral check skipped shouldLiquidate() and let the under-collateralized position stand. In the second attack on 18 February the attacker flash-borrowed ETH and pushed sUSD up to about $2 by buying it across Kyber reserves, then posted that sUSD at its manipulated spot value as collateral on bZx to borrow far more ETH than the position was worth. The root cause was pricing collateral from a single DEX's manipulable spot rate within one atomic transaction rather than a manipulation-resistant feed.

A frontend hijack leaves the on-chain contracts untouched but replaces the Web2 surface serving the dApp UI with a wallet-drainer clone, so no Solidity audit can catch it. The recurring pattern: attackers take over the domain registrar or DNS provider account (or a CDN/tag-manager account), repoint the domain to a cloned site, and prompt visitors to sign malicious token approvals, EIP-2612 permit signatures, or transfers. Curve Finance was hit twice: on August 9-10, 2022 its curve.fi domain was DNS-hijacked via a compromised nameserver and drained ~$570K in USDC/DAI; and again around May 12, 2025 at the registrar level, after which Curve permanently migrated to curve.finance and announced an ENS move (Convex Finance and Resupply, which depend on Curve's data feeds, suffered dependency-driven outages but were not themselves compromised). In July 2024 a mass wave hit DeFi domains registered through Squarespace, whose forced migration off Google Domains stripped 2FA: Compound's frontend redirected to an Inferno Drainer clone and 100+ protocols were exposed (Celer blocked its takeover via domain monitoring). Ambient Finance's domain was hijacked through stolen registrar credentials on October 17, 2024. Most recently, on April 14, 2026 attackers used forged identity documents to social-engineer the registrar into handing over DNS control of CoW Swap's swap.cow.fi and cow.fi domains, redirecting users to a pixel-perfect drainer clone for about 90 minutes; over $1M was taken in roughly three hours, including 219 ETH (~$750K) from a single wallet, while CoW's contracts, backend APIs, and solver network were untouched. The same bucket includes CDN-account injections (KyberSwap's September 2022 Cloudflare/Google Tag Manager compromise, ~$265K) and BGP route hijacks that swap signed bundles for drainer code.

On April 14, 2025 the perpetuals DEX KiloEx lost about $7.5 million across BNB Chain, Base, opBNB, and Taiko to what was reported as oracle price manipulation but was really an access-control failure. KiloEx's price feed (KiloPriceFeed.setPrices) was meant to be reachable only through a keeper-gated call chain, but the top-level MinimalForwarder.execute function was publicly callable and validated an attacker-supplied signature against attacker-supplied data, letting anyone forge a trusted call that reached setPrices and write an arbitrary price. The attacker set a market price far below true value, opened a leveraged position, then set the price far above value and closed it in the same flow, extracting fabricated profit from the vault; the sequence was repeated across all four chains, with a single transaction netting $3.12M. Reporting that framed it as flash-loan oracle manipulation was imprecise: no market liquidity was moved, the price was simply written directly through the unprotected forwarder. After KiloEx offered a 10% (~$750K) whitehat bounty and no legal action, the attacker returned essentially all of the funds by April 18, 2025.