Web3 is Going Just Great

October 4, 2025

Abracadabra loses more "Magic Internet Money" to third hack in two years

In their third major hack in two years, the Abracadabra defi lending project lost $1.8 million of their Magic Internet Money stablecoin. An attacker took advantage of a bug in the project smart contracts to borrow more than their provided collateral would normally allow. The attack was funded via Tornado Cash, and the exploiter then swapped the stolen tokens for ETH and laundered them back through Tornado.

The project disclosed the theft, describing the exploit as affecting "some deprecated contracts". They downplayed the theft, saying they'd bought back the stolen assets using treasury funds.

Abracadabra previously suffered a $13 million theft in March 2025, and a $6.5 million theft in January 2024.

"Abracadabra loses $1.8 million in protocol's third major DeFi hack since 2024", The Block

September 26, 2025

Hypervault rug pulls for $3.6 million

(attribution)

Only days after the Hypervault yield farming platform announced on Twitter that they'd surpassed $5 million in total value locked, the platform suddenly shut down its website and social media accounts. Simultaneously, the crypto security firm PeckShield observed an "abnormal withdrawal" of a large quantity of various crypto assets priced at around $3.6 million, which were swapped to 752 ETH (~$3.1 million) and laundered through Tornado Cash.

The project had attracted customers by advertising yields of 76–95%.

"$3.6M Drained From Hyperliquid DeFi Platform Hypervault in ‘Abnormal Withdrawal’", Decrypt [archive]

September 12, 2025

Shibarium bridge hit with $2.4 million flash loan attack

(attribution)

A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.

The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.

September 7, 2025

Nemo Protocol exploited for $2.4 million

(attribution)

The Nemo Protocol on the Sui blockchain suffered a $2.4 million exploit. The defi yield infrastructure protocol acknowledged the theft shortly after, explaining they had paused the protocol smart contracts as they investigated the theft. It appears the thief was able to manipulate a price oracle, siphoning $2.4 million in USDC from the project. They then bridged the funds from Arbitrum to Ethereum.

"Sui-based Nemo Protocol exploited for $2.4 million", The Block [archive]

September 2, 2025

Bunni decentralized exchange exploited for $8.4 million

(attribution)

The Bunni decentralized exchange was exploited for approximately $8.4 million across the Unichain Ethereum layer 2 network and the Ethereum mainnet. Bunni acknowledged the theft and paused the protocol shortly after the attack.

"Decentralized exchange Bunni loses an estimated $8.4 million in smart contract exploit", The Block [archive]

July 15, 2025

Arcadia Finance exploited for $3.5 million

(attribution)

The Arcadia Finance defi margin protocol was exploited for $3.5 million after an attacker found a vulnerability in a project smart contract. The attacker quickly swapped the stolen tokens and bridged them from Base to the Ethereum mainnet. The attacker stole the funds in two separate transactions that were more than four hours apart.

Arcadia is backed by Coinbase Ventures. The project acknowledged the hack, encouraging users to revoke permissions.

July 10, 2025

Kinto token crashes; community claims rug pull, Kinto claims hack

(attribution)

The price of Kinto's $K token suddenly crashed 90%, sparking accusations of a rug pull. A tranche of investor tokens had just been unlocked recently, leading some to speculate that investors dumped their tokens on retail buyers.

However, Kinto blamed the token crash on the exploit that was recently disclosed by VennBuild, claiming on Twitter that "we got hacked by a state actor". Venn seemed to corroborate Kinto's explanation that the crash was related to the exploit, tweeting that although they had tried to warn all vulnerable projects before publicly disclosing the bug, "Sadly the Kinto token was not found despite being vulnerable, and exploited without time to mitigate."

Kinto has announced a plan to try to fundraise to cover a $1.4 million loss in liquidity, then create a new $K token based on a snapshot of previous token holdings.

July 9, 2025

GMX exchange hacked for $42 million

(attribution)

The decentralized perpetual exchange GMX has been exploited for $42 million. The exploit involved a vulnerability in one version of the exchange's price calculation smart contract. GMX paused some trading while they investigated the hack, and placed other temporary restrictions on the platform.

GMX offered a 10% "bug bounty" to the hacker if they returned the funds. The attacker later returned $40.5 million in stolen assets; unusually, this is more than the 90% return requested by GMX.

May 28, 2025

Cork Protocol exploited for $12 million

(attribution)

Cork Protocol, a defi project aimed at "tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens", suffered a $12 million loss after an attacker exploited a bug in how the project's smart contract calculated exchange rates. The attacker stole around 3,762 wrapped staked ETH (wstETH), which they exchanged for ETH. The project announced that they were investigating the theft and had paused markets.

Cork had been audited in whole or in part by four different security firms. The project's funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz's Crypto Startup Accelerator.

May 22, 2025

Cetus DEX exploited for $223 million; some funds "paused"

(attribution)

An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $163 million of the funds had been frozen, leaving around $60 million unaccounted for.

This led some to question how decentralized the project truly is if the funds can be frozen in such a way.

Sui validators later voted to return the frozen assets to the Cetus project. Cetus also announced that users would be fully compensated, and that they would cover the $60 million gap with project treasury funds and a loan from the Sui Foundation.

Tweet by Cetus [archive]