This list highlights the accomplishments and disclosed vulnerabilities of the top white hat security experts in DeFi.
This list is part HackerOne leaderboard and part CVE database. Contributions are welcome and it would be amazing if the crypto community could crowdsource a CVE-like database. My arbitrary rules to include a vulnerability in this list (until I am convinced otherwise) is that the vulnerability must be discovered on mainnet (meaning most audit findings are excluded) and it must not have resulted in intentional loss of user funds (meaning most rekt.news hacks are excluded).
So far, the sources of this list include postmortems from:
- Immunefi’s Medium posts
- samczsun’s research
- Yearn Finance security disclosures
- Assorted vulnerabilities from CT
Additional submissions to fill in gaps are welcome.
This list only includes actual vulnerabilities. There are CWE-like lists that exist to capture common weaknesses in code, including these lists:
- https://swcregistry.io/
- https://securing.github.io/SCSVS/
- https://github.com/sigp/solidity-security-blog
This list does not include black hat hacks which involved user loss of funds, even if the funds are returned. There are other lists for that, including these lists:
- https://rekt.news/
- https://hacked.slowmist.io/
- https://cryptosec.info/defi-hacks/
- https://github.com/jwparktom/GutteDeFi
This list is focused on smart contract vulnerabilities. Some layer 1 vulnerabilities may be included below, but there are separate lists for this topic
Contributions are very welcome. This list is guaranteed to be incomplete.
Yes, it renders weird on github, but you can view the markdown in your own local markdown editor instead of github. Or you can search for a web-based markdown-to-csv converter and copy the data to a spreadsheet.
| Date | Protocol Name | Blockchain | Vulnerability Description | Writeup Link | Additional Links | Total Value at Risk | Whitehat | Bounty Award | Vulnerability ID |
|---|---|---|---|---|---|---|---|---|---|
| 05/15/22 | Balancer | ETH | Double entry point tokens (e.g., SNX and sBTC) can cause a DoS condition, caused by the pool thinking it has more tokens than it actually does | https://forum.balancer.fi/t/medium-severity-bug-found/3161 | shw9453 and gpersoon of Spearbit | ||||
| 04/13/22 | Solidly | FTM | Depositing or withdrawing frequently from a gauge increases the rewards received, so all rewards can be drained with spam deposits and withdrawal actions for small amounts | belbix/solidly#1 | belbix | ||||
| 04/07/22 | Aave | ETH | Aave fallback oracle had no access controls on the setPrice function, allowing an arbitrary price to be set if the fallback oracle was ever used. Production fallback oracle contract is identical to the mock PriceOracle code and may have been an accidental deployment. | https://medium.com/@hacxyk/aave-v3s-price-oracle-manipulation-vulnerability-168e44e9e374 | $2,900,000,000.00 | Hacxyk | $50,000.00 | ||
| 04/06/22 | Rari Capital | ETH | Uniswap V3 oracle manipulation was possible because a pool with only $1k liquidity was used | https://medium.com/@hacxyk/we-rescued-4m-from-rari-capital-but-was-it-worth-it-39366d4d1812 | $4,000,000.00 | Hacxyk | $10,000.00 | ||
| 04/06/22 | ENS | ETH | ENS did not properly filter spoofed domains with 1. homograph characters 2. uppercase letters 3. period in them | https://medium.com/@hacxyk/how-we-spoofed-ens-domains-52acea2079f6 | Hacxyk | $15,000.00 | |||
| 04/06/22 | ENS | ETH | Null characters are silently discarded, so strings with null characters look identical to strings without null characters | https://twitter.com/ENS_DAO/status/1516220205168754688?cxt=HHwWgIDUpcmP2YoqAAAA | https://twitter.com/lcfr_eth/status/1516255494071062528 | lcfr_eth | $45,000.00 | ||
| 03/25/22 | Gearbox | ETH | Data is parsed differently by Uniswap and Gearbox, enabling parser confusion | https://medium.com/@nnez/different-parsers-different-results-acecf84dfb0c | $10,000,000.00 | nnez | $150,000.00 | ||
| 03/21/22 | ENS | ETH | Premium price for all ENS domains set to zero | https://discuss.ens.domains/t/postmortem-ep9-deployment/11662 | nicksdjohnson | ||||
| 03/21/22 | Compound | ETH | The issue was a combination of TUSD token having two entrypoints controlling the same balances and the sweep function not having any access controls. Sweeping TUSD using the 2nd entrypoint would change the exchange rate which can allow the attacker to profit | https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2 | https://blog.openzeppelin.com/compound-tusd-integration-issue-retrospective/ | $3,100,000 | ChainSecurity | ||
| 03/04/22 | Convex | ETH | Expired vote-locked CVX could be relocked to a new address after the original lock expired, allowing excess cxvCRV rewards to be claimed | https://convexfinance.medium.com/vote-locked-cvx-contract-migration-8546b3d9a38c | Popcorn | ||||
| 03/03/22 | Rari Capital | ETH | Cross-asset reentrancy was possible in all fuse pools that did not use upgraded cToken and Comptroller contract implementations. The old code used .call.value to transfer ETH, the new code uses .transfer. | https://medium.com/@JackLongarzo/rari-capital-fuse-security-upgrade-report-e5d154c16250 | samczsun, hritzdorf, and YSmaragdakis | ||||
| 02/24/22 | Wormhole | ETH | Uninitialized proxy | https://medium.com/immunefi/wormhole-uninitialized-proxy-bugfix-review-90250c41a43a | satya0x | $10,000,000.00 | |||
| 02/24/22 | Solidex | FTM | When a transaction is finalized past the voting deadline, the votes become reset to their default state. This results in Solidex's own gauges receiving far too many votes. | https://docs.solidexfinance.com/security/disclosures/2022-02-24 | |||||
| 02/02/22 | Optimism | ETH | Calling selfdestruct creates new tokens out of thin air while destroyed contract retains balance | https://optimismpbc.medium.com/disclosure-fixing-a-critical-bug-in-optimisms-geth-fork-a836ebdf7c94 | https://www.saurik.com/optimism.html, https://github.com/ethereum-optimism/optimism/blob/master/technical-documents/postmortems/2022-02-02-inflation-vuln.md | saurik | $2,000,042 | ||
| 02/02/22 | Solidly | FTM | veNFT double counting error | https://twitter.com/AndreCronjeTech/status/1488883057654386695?cxt=HHwWjsCyuZTQyakpAAAA | $200,000 | ||||
| 01/30/22 | Yearn Finance | ETH, FTM | Flashloan price manipulation of Balancer LP pool could lead to strategy buying stablecoin at inflated price | https://github.com/yearn/yearn-security/blob/master/disclosures/2022-01-30.md | https://twitter.com/bantg/status/1492225113286135809, https://medium.com/immunefi/nexus-mutual-bug-bounty-matching-program-pays-200-000-to-whitehat-4985d752dc46 | $15,500,000 | Anon | $400,000 | |
| 01/24/22 | ZORA | ETH | Infinite approval during NFT purchase can be attacked. A NFT bid could be frontrun by increasing NFT price to steal 100% of token held in bidder’s wallet | https://zora.mirror.xyz/JeFZXnWb6jfJPon1rruXW-XJcoUVfgeNhu4XTYO3yFM | 0x Protocol team | $25,000 | |||
| 01/15/22 | Polygon | MATIC | Polygon consensus mechanism could be broken, but a large amount of MATIC would have to be held for an extended period to carry out the attack | https://medium.com/immunefi/polygon-consensus-bypass-bugfix-review-7076ce5047fe | Niv Yehezkel | $75,000 | |||
| 01/11/22 | Redacted Cartel | ETH | Custom ERC20 implementation had an error in transferFrom function that improperly approved funds | https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5 | https://twitter.com/redactedcartel/status/1482497480541544455 | $3,000,000.00 | Tommaso Pifferi | $560,000 | |
| 01/10/22 | Multichain | Multiple | Fallback function in ERC20 tokens allow a phantom permit function to not revert, allowing unauthorized token transfer from accounts that have a non zero approval or allowance | https://media.dedaub.com/phantom-functions-and-the-billion-dollar-no-op-c56f062ae49f | https://medium.com/multichainorg/action-required-critical-vulnerability-for-six-tokens-6b3cbd22bfc0 | $471,000,000 | Dedaub | $2,000,000 | |
| 01/07/22 | Notional | ETH | Internal accounting error | https://medium.com/immunefi/notional-double-counting-free-collateral-bugfix-review-28b634903934 | notional-finance/contracts-v2#92 | $26,200,000 | 0x60511e57 | $1,000,000 | |
| 01/05/22 | APWine | ETH | Incorrect check in delegation allows yield theft | https://medium.com/immunefi/apwine-incorrect-check-of-delegations-bugfix-review-7e401a49c04f | setuid0 | $100,000 | |||
| 12/21/21 | Cronos | Cronos | Theft of transaction fee for current block by receiving a gas refund when no gas was paid | https://medium.com/immunefi/cronos-theft-of-transactions-fees-bugfix-postmortem-b33f941b9570 | https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r | Rewards only, not original assets | zb3 | $40,000 | CVE-2021-43839 |
| 12/05/21 | Polygon | MATIC | Bad signature check with ecrecover | https://medium.com/immunefi/polygon-lack-of-balance-check-bugfix-postmortem-2-2m-bounty-64ec66c24c7d | https://blog.polygon.technology/all-you-need-to-know-about-the-recent-network-upgrade/ | $18,000,000,000 | Leon Spacewalker | $2,200,000 | |
| 11/27/21 | dYdX | StarkWare L2 | Low level call() with arbitrary inputs could be performed by untrusted parties. | https://dydx.exchange/blog/deposit-proxy-post-mortem | $2,000,000 | Anon | $500,000 | ||
| 11/17/21 | Enzyme Finance | ETH | Drain funds using flashloan to manipulate contract internal calculations | https://medium.com/immunefi/enzyme-finance-price-oracle-manipulation-bug-fix-postmortem-4e1f3d4201b5 | $400,000 | setuid0 | $90,000 | ||
| 10/28/21 | Aztec | ETH | Improper integer casting, improper value constraints for cryptographic operations | https://hackmd.io/@aztec-network/disclosure-of-recent-vulnerabilities | Xin Gao and Onur Kilic | $50,000 | |||
| 10/27/21 | Robo Vault | ETH | Flashloan price manipulation of Uniswap pool | https://medium.com/@RoboVault/post-mortem-next-steps-3556820b7470 | https://twitter.com/FP_Crypto/status/1453437385405046787 | FP_Crypto | |||
| 10/20/21 | Harvest Finance | ETH | Uninitialized proxy | https://medium.com/immunefi/harvest-finance-uninitialized-proxies-bug-fix-postmortem-ea5c0f7af96b | $6,400,000 | Dedaub | $200,000 | ||
| 10/05/21 | RocketPool | ETH | A malicious node can frontrun an ETH deposit to take ETH from the protocol’s ETH deposit. | https://medium.com/immunefi/rocketpool-lido-frontrunning-bug-fix-postmortem-e701f26d7971 | https://twitter.com/rocket_pool/status/1446300700661583876?s=21 | Unclear | Dmitri Tsumak | $100,000 | |
| 10/05/21 | Lido Finance | ETH | A malicious node can frontrun an ETH deposit to take ETH from the protocol’s ETH deposit. | https://medium.com/immunefi/rocketpool-lido-frontrunning-bug-fix-postmortem-e701f26d7971 | Unclear | Dmitri Tsumak | $100,000 | ||
| 10/05/21 | Polygon | MATIC | Double spend bridge vulnerability | https://medium.com/immunefi/polygon-double-spend-bug-fix-postmortem-2m-bounty-5a1db09db7f1 | $850,000,000 | Gerhard Wegnar | $2,000,000 | ||
| 09/02/21 | OpenZeppelin | ETH | Reentrancy vulnerability in OpenZeppelin TimelockController contract | https://medium.com/immunefi/openzeppelin-bug-fix-postmortem-66d8c89ed166 | https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5#diff-8229f9027848871a1706845a5a84fa3e6591445cfac6e16cfb7d652e91e8d395R307 | Unknown | zb3 | $25,000 | |
| 08/16/21 | SushiSwap | ETH | Reusing msg.value in a loop allows payment to be reused multiple times | https://samczsun.com/two-rights-might-make-a-wrong/ | https://hackmd.io/@353yQn6WTImF5o12LQXXfQ/Hy2ZDYFxF, https://blog.trailofbits.com/2021/12/16/detecting-miso-and-opyns-msg-value-reuse-vulnerability-with-slither/, https://twitter.com/josephdelong/status/1431314816698916865 | $350,000,000 | @samczsun | $1,000,000 | |
| 08/14/21 | Curve Bribe | ETH | https://twitter.com/bantg/status/1426629982328180737 | $118,000 | @bantg | Unknown | |||
| 08/13/21 | ENS Name Wrapper | ETH | ERC-1155 callback function reentrancy | https://samczsun.com/the-dangers-of-surprising-code/#ens-name-wrapper | @samczsun | ||||
| 08/10/21 | Belt Finance | BSC | Bypass of internal balance calculation by sending tokens directly to contract | https://medium.com/immunefi/belt-finance-logic-error-bug-fix-postmortem-39308a158291 | $60,000,000 | @bobface16 | $1,050,000 | ||
| 08/01/21 | xDai Stake | xDAI | Tokens accidentally sent to bridge contract can be stolen | https://medium.com/immunefi/xdai-stake-arbitrary-call-method-bug-postmortem-f80a90ac56e3 | $4.50 | 0xadee028d | $5,000 | ||
| 07/31/21 | Tidal Finance | MATIC | Uninitialized or unset rewardDebt variable defaults to zero, allowing free unearned reward | https://medium.com/immunefi/tidal-finance-logic-error-bug-fix-postmortem-3607d8b7ed1f | https://github.com/TidalFinance/tidal-contracts/commit/924e87f1aead70abb17760c839b53ba40d80bf2c#diff-46a924754f71a2f8be88d0f20295f40653c881426d64b90e8bdd4f4bed303368 | Unclear | Csanuragjain | $25,000 | |
| 07/30/21 | Teller | ETH | Uninitialized proxy | https://medium.com/immunefi/teller-bug-fix-postmorten-and-bug-bounty-launch-b3f67a65c5ac | $1,000,000 | Bugdefeat | $50,000 | ||
| 06/29/21 | Yearn Finance | ETH | Flashloan of zero value bypassed safety checks and could result in liquidation of strategy’s debt position | https://github.com/yearn/yearn-security/blob/master/disclosures/2021-06-29.md | xyzaudits | $200,000 | |||
| 06/16/21 | Alchemix | ETH | Unprotected functions could lead to frontrunning and denial of service | https://medium.com/immunefi/alchemix-access-control-bug-fix-debrief-a13d39b9f2e0 | $300 | @ashiqamien | $7,500 | ||
| 06/14/21 | MCDEX | Arbitrum | Contract does not validate user-provided contract address input parameter, allowing a user to craft a malicious contract. | https://medium.com/immunefi/mcdex-insufficient-validation-bug-fix-postmortem-182fc6cab899 | Unclear | Lucash-dev | $50,000 | ||
| 06/13/21 | Cream Finance | ETH | Old contract allow users to receive liquidity mining rewards without participating in liquidity mining. | https://medium.com/immunefi/cream-finance-insufficient-validation-bug-fix-postmortem-1ec7248e8865 | $100,000 | Azeem | $20,750 | ||
| 06/09/21 | Zapper | ETH | Low level call() with user-provided inputs could steal LP tokens | https://medium.com/immunefi/zapper-arbitrary-call-data-bug-fix-postmortem-d75a4a076ae9 | https://medium.com/zapper-protocol/post-mortem-sushiswap-uniswap-v2-zap-out-exploit-84e5d34603f0 | Unclear | Lucash-dev | $25,000 | |
| 06/08/21 | Mushrooms Finance | ETH | Flashloan function is missing an authorization check that allows any user to call the function. | https://medium.com/immunefi/mushrooms-finance-logic-error-bug-fix-postmortem-780122821621 | $635,000 | ckksec | $60,000 | ||
| 06/07/21 | 88mph | ETH | Unprotected init() function was missing onlyOwner modifier | https://medium.com/immunefi/88mph-function-initialization-bug-fix-postmortem-c3a2282894d3 | $6,500,000 | @ashiqamien | $42,069 | ||
| 05/13/21 | Fei Protocol | ETH | Flashloan price manipulation of Uniswap pool | https://medium.com/immunefi/fei-protocol-flashloan-vulnerability-postmortem-7c5dc001affb | https://medium.com/fei-protocol/fei-bonding-curve-bug-post-mortem-98d2c6f271e9 | $240,000,000 | @bobface16 | $800,000 | |
| 05/08/21 | Meebit NFTs | Brute force attack to mint rare Meetbits NFTs | https://iphelix.medium.com/meebit-nft-exploit-analysis-c9417b804f89 | ||||||
| 04/27/21 | PancakeSwap | BSC | Lottery ticket NFT can be redeemed multiple times because first redemption doesn’t invalidate ticket. | https://medium.com/immunefi/pancakeswap-logic-error-bug-fix-postmortem-f2d02adb6983 | $700,000 | Juno | |||
| 04/27/21 | Mushrooms Finance | ETH | MEV attack can steal yield | https://medium.com/immunefi/mushrooms-finance-theft-of-yield-bug-fix-postmortem-16bd6961388f | Unclear | Wen-Ding Li | $4,000 | ||
| 04/26/21 | SharedStake | ETH | Low level call() with user-provided inputs could extract timelocked funds | https://medium.com/immunefi/sharedstake-insider-exploit-postmortem-17fa93d5c90e | $40,000,000 | Lucash-dev | $5,000 | ||
| 04/06/21 | Fei Protocol | ETH | A combination of Uniswap function calls and Fei incentive calculations around maintaining peg allow a user to receive free WETH | https://medium.com/immunefi/fei-protocol-vulnerability-postmortem-483f9a7e6ad1 | $5,640,000 | 0xRevert | $300,000 | ||
| 04/05/21 | Ambisafe | ETH | Transferring ownership grants ownership to sender and receiver at the same time, allowing receiver to steal tokens | https://samczsun.com/uncovering-a-four-year-old-bug/ | @samczsun | ||||
| 03/26/21 | ElasticDAO | ETH | Missing authorization allowed excess token minting | https://medium.com/elasticdao/elasticdao-smart-contract-and-security-audits-400f424281b6 | $5,000,000 | @samczsun | |||
| 03/16/21 | Vesper | ETH | Drain funds using flashloan price manipulation of Uniswap pool | https://medium.com/immunefi/vesper-rebase-vulnerability-postmortem-and-bug-bounty-55354a49d184 | https://medium.com/dedaub/yield-skimming-forcing-bad-swaps-on-yield-farming-397361fd7c72 | $310,000 | Dedaub | Unclear | |
| 03/11/21 | Sovryn | RSK | User could take out a loan using another party’s collateral, allowing theft of the “borrowed” funds | https://medium.com/immunefi/sovryn-loan-vulnerability-postmortem-ffaf4d1d688f | $6,800 | Whitehat Turbo | $76,568 | ||
| 02/26/21 | Tokenlon | ETH | Signature verification does not properly handle zero address | https://tokenlon.medium.com/tokenlon-4-0-fee-incident-disclosure-9ee8b5fad564 | $750,000 | @samczsun | $50,000 | ||
| 02/22/21 | PancakeSwap | BSC | User can frontrun the winning lottery ticket selection and buy the winning lottery ticket | https://medium.com/immunefi/pancakeswap-lottery-vulnerability-postmortem-and-bug-4febdb1d2400 | $240,000 | Thunder | Unclear | ||
| 02/21/21 | Primitive Finance | ETH | Flashloan with a Uniswap pool containing an attacker-controlled token and abuse infinite allowance to steal funds | https://primitivefinance.medium.com/postmortem-on-the-primitive-finance-whitehack-of-february-21st-2021-17446c0f3122 | https://medium.com/immunefi/inside-the-war-room-that-saved-primitive-finance-6509e2188c86 | $1,300,000 | Dedaub | $188,000 | |
| 02/21/21 | Hashmasks | ETH | ERC721 _safeMint callback reentrancy allows more NFTs to be minted than expected | https://samczsun.com/the-dangers-of-surprising-code/#hashmasks | https://thehashmasks.medium.com/hashmask-art-sale-bug-report-13ccd66b55d7 | 19 hashmasks | @samczsun | $12,500 | |
| 02/15/21 | NFTX | ETH | Internal accounting error allows multiple NFTs to be associated with the same custom ERC20 | https://forum.nftx.org/t/retroactive-bug-bounty/161 | @samczsun | $50,000 | |||
| 02/09/21 | Charged Particles | ETH | A user could sell their NFT but still maintain possession of the NFT after the sale using a malicious contract. | https://medium.com/immunefi/charged-particles-griefing-bug-fix-postmortem-d2791e49a66b | https://github.com/Charged-Particles/charged-particles-universe/commit/f4fb60e3f791c1bb3b8907276b27d0319ce46a68#diff-91fca72e3021a185238dd0e82e118ae3ab5993db93dd322d301c665ff74e3eed | Unclear | unsafe_call | $5,000 | |
| 02/09/21 | ForTube | ETH | Authorization bypass by creating fake ERC20 Ftoken | https://medium.com/the-force-protocol/fortube-security-vulnerability-fix-c5847359ba7d | @samczsun | ||||
| 01/30/21 | ArmorFi | ETH | Internal accounting error caused by extra 10**18 multiplier | https://medium.com/immunefi/armorfi-bug-bounty-postmortem-cf46eb650b38 | Unclear | @bobface16 | $876,000 | ||
| 01/16/21 | Yearn Finance | ETH | Internal accounting error resulted in incorrect share price calculation | https://github.com/yearn/yearn-security/blob/master/disclosures/2021-01-17.md | |||||
| 01/09/21 | Optimism | ethereum-optimism/contracts#172 | ethereum-optimism/contracts#179, ethereum-optimism/contracts#181, ethereum-optimism/contracts#364, ethereum-optimism/contracts#360 | @samczsun | |||||
| 12/03/20 | Frax Finance | FraxFinance/frax-solidity#12 | FraxFinance/frax-solidity#7 | @samczsun | |||||
| 10/30/20 | Yearn Finance | ETH | Flashloan price manipulation from missing slippage protection when earn() function is called | https://github.com/yearn/yearn-security/blob/master/disclosures/2020-10-30.md | $650,000 | Wen-Ding Li | |||
| 10/12/20 | Yield Protocol | yieldprotocol/fyDai#360 | @samczsun | ||||||
| 10/10/20 | Alpha Homora | ETH | Opening a position when LP price is skewed and lowering the price after the position is opened can allow the position to be liquidated by a user, who would profit 5% of position value | https://blog.alphafinance.io/alpha-homora-adjustments/ | @samczsun | ||||
| 10/10/20 | Yearn Finance | ETH | The address input parameter for the deposit function is not validated, so a fake gauge contract can be provided | https://github.com/yearn/yearn-security/blob/master/disclosures/2020-10-10.md | $20,000 | Emiliano Bonassi | |||
| 10/03/20 | Aavegotchi Staking | aavegotchi/ghst-staking#2 | @samczsun | ||||||
| 09/25/20 | Incognito Chain | ETH | No validation check around token duplicating, allowing for double spend | https://we.incognito.org/t/how-a-smart-contract-vulnerability-was-discovered-and-fixed/6416 | $2,690,000 | @samczsun | |||
| 09/25/20 | Yearn Finance | ETH | Earn function can run out of gas before completing fully, which alters the share price and can lead to buying the dip with a flashloan | https://github.com/yearn/yearn-security/blob/master/disclosures/2020-09-25.md | Andre Cronje | ||||
| 09/15/20 | Lien Finance | https://samczsun.com/escaping-the-dark-forest/ | @samczsun | ||||||
| 08/21/20 | xTokens | ETH | Flashloan price manipulation of Uniswap pool | https://medium.com/xtoken/xsnxa-false-start-post-mortem-f26a7a735383 | @samczsun | ||||
| 07/25/20 | yVault | https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/ | $400,000 | @samczsun | |||||
| 06/21/20 | Atomic Loans | https://web.archive.org/web/20200926093030/https://atomic.loans/blog/vulnerability-disclosure-and-pause-new-loan-requests/ | @samczsun | ||||||
| 06/18/20 | Bancor | ETH | safeTransferFrom does not validate message sender is authorized to spend “from” address funds, so funds can be stolen from addresses with non-zero allowance | https://zengo.com/bancor-smart-contracts-vulnerability-its-not-over/ | $460,000 | ||||
| 03/26/20 | Synthetix | https://blog.synthetix.io/bug-disclosure | @samczsun | ||||||
| 02/20/20 | Nexus Mutual | https://medium.com/nexus-mutual/responsible-vulnerability-disclosure-ece3fe3bcefa | @samczsun | $5,000 | |||||
| 02/18/20 | Nexus Mutual | https://medium.com/nexus-mutual/responsible-vulnerability-disclosure-ece3fe3bcefa | Mudhit Gupta | $2,000 | |||||
| 02/17/20 | Authereum | https://medium.com/authereum/account-vulnerability-disclosure-ec9e288c6a24 | @samczsun | ||||||
| 02/09/20 | Aragon Court | https://web.archive.org/web/20210306232055/https://blog.aragon.one/aragon-court-v1-upgrades/ | @samczsun | ||||||
| 01/25/20 | Curve Finance | https://blog.curve.fi/vulnerability-disclosure/ | @samczsun | ||||||
| 11/08/19 | ENS | https://medium.com/the-ethereum-name-service/lets-talk-ens-migration-a92d5c21df28 | @samczsun | CVE-2020–5232 | |||||
| 10/17/19 | Cheese Wizards | https://medium.com/dapperlabs/disclosure-forking-cheeze-wizards-smart-contracts-all-funds-and-wizards-are-secure-3c53af5bc531 | @samczsun | ||||||
| 09/18/19 | Hydro Protocol | https://medium.com/ddex/fixed-potential-vulnerability-in-contract-used-during-private-beta-217c0ed6f694 | @samczsun | ||||||
| 09/13/19 | Kyber Network | https://blog.kyber.network/anatomy-of-a-bridge-reserve-smart-contract-vulnerability-and-how-we-fixed-it-fc5c50d13238 | @samczsun | ||||||
| 09/03/19 | bZx Protocol | https://medium.com/@b0xNet/your-funds-are-safe-d35826fe9a87 | @samczsun | ||||||
| 07/29/19 | Livepeer | https://forum.livepeer.org/t/protocol-paused-for-bug-fix-upgrade-7-29-19-4-21pm-edt-update-protocol-resumed-as-of-8-40pm-edt/841 | @samczsun | ||||||
| 07/12/19 | 0x Exchange | https://samczsun.com/the-0x-vulnerability-explained/ | @samczsun |