Approval Hacks & Exploits

Over $385M stolen since 2020.


This page contains a list of known crypto hacks and exploits in which approved user funds are at risk. Many other crypto hacks only affect the funds kept in the exploited smart contract, but the exploits listed on this page abuse unlimited token approvals to steal approved funds. By using Banditproof to manage your approvals, you can keep your funds safe from these exploits. Check if your wallet is affected by clicking on the exploits below.

CivFund Hack

Discovered On: 2023-07-08
Stolen Amount: $180k
Affected Networks:
Ethereum

Description

Over $180k was stolen from users of CivFund. It is still uncertain how the hack happened because the smart contract is not open source, but it is likely that an access control issue allowed the attackers to call privileged functions and steal approved user funds in the process.


2023 Multichain Hack

Discovered On: 2023-07-07
Stolen Amount: $120M
Affected Networks:
Ethereum
BNB Chain
Polygon
Arbitrum
Optimism
zkSync Era
Avalanche
Fantom
Celo
Gnosis

Description

Over $120M was stolen by hackers that exploited the Multichain MPC wallets. As of now it is unclear how this compromise happened. No approved user funds have been stolen, but the Multichain team has recommended revoking approvals due to the uncertainty of the exploit.


Biswap v3 Migrator Hack

Discovered On: 2023-06-30
Stolen Amount: $850k
Affected Networks:
BNB Chain

Description

Over $850k was stolen from liquidity providers of Biswap, a decentralized exchange on BNB Chain. Biswap recently launched their v3, and the team created a migrator contract to help users migrate their liquidity from v2 to v3. The migrator contract lacked proper access control, and an attacker was able to call the migrator contract to steal funds from liquidity providers. The Biswap team has started reimbursing affected users.


Unagii Whitehat Hack

Discovered On: 2023-06-28
Stolen Amount: $60k
Affected Networks:
Ethereum

Description

About $100k was rescued from a vulnerable contract of Unagii, an Ethereum DeFi yield aggregator. The funds were rescued from the vulnerable contract by the Unagii team, but close to $60k was still taken from a single user by an automated MEV operator. The Unagii team has since reimbursed all the affected users.


Hashflow Whitehat Hack

Discovered On: 2023-06-14
Stolen Amount: $100k
Affected Networks:
Ethereum
BNB Chain
Polygon
Arbitrum
Avalanche

Description

Over $600k was rescued from deprecated contracts of decentralised exchange Hashflow. A whitehat hacker created a contract to rescue the funds and return them to the rightful owners. Users of Hashflow are advised to revoke all approvals to these deprecated contracts before claiming their rescued funds. Some user funds were still stolen by black-hat hackers after the initial rescue, though.


Atlantis Loans Hack

Discovered On: 2023-06-11
Stolen Amount: $2.5M
Affected Networks:
BNB Chain

Description

Over $2.5M was stolen from users of Atlantis Loans, a DeFi protocol on BNB Chain. The attacker created a malicious governance proposal that maliciously updated several contracts in the system. These updated smart contracts were then used to drain approved user funds.


SushiSwap Hack

Discovered On: 2023-04-09
Stolen Amount: $3.5M
Affected Networks:
Ethereum
BNB Chain
Polygon
Polygon zkEVM
Arbitrum
Arbitrum Nova
Optimism
Avalanche
Fantom
Gnosis
Moonbeam
Moonriver
Boba
Fuse

Description

Over $3.5M was stolen from users of the popular DEX SushiSwap. The vulnerability only concerns a recently deployed SushiSwap contract, so only users who interacted with the exchange between the 1st and the 9th of April are affected.


BSCex Hack

Discovered On: 2023-03-27
Stolen Amount: $8.2M
Affected Networks:
BNB Chain

Description

Over $8.2M was stolen from users of BSCex / SwapX, a DEX on BNB Chain. Vulnerabilities were found in four old contracts belonging to the DEX. Many users still have active approvals to these contracts, even though they haven't used them for a long time.


Harvest Keeper Rug Pull

Discovered On: 2023-03-19
Stolen Amount: $700k
Affected Networks:
BNB Chain

Description

Over $700k has been stolen by Harvest Keeper from their users. Harvest Keeper claimed to be an "AI-powered" trading platform that provided unsustainably high yields, but turned out to be a scam. When they rugpulled, they didn't just steal the deposited funds, but also all approved user funds.


Revert Finance Hack

Discovered On: 2023-02-18
Stolen Amount: $30k
Affected Networks:
Ethereum
Polygon
Arbitrum
Optimism

Description

About $30k was stolen from users of Revert Finance. Hackers were able to execute arbitrary code from the context of the vulnerable contract, allowing them to transfer approved user funds.


Dexible Hack

Discovered On: 2023-02-17
Stolen Amount: $2M
Affected Networks:
Ethereum
Arbitrum

Description

Over $2M was stolen from users of Dexible, a DEX aggregator. Hackers exploited a vulnerability that allowed them to provide their own Router contract, which they programmed to steal all approved user funds.


Rubic Hack

Discovered On: 2022-12-25
Stolen Amount: $1.4M
Affected Networks:
Ethereum

Description

Over $1.4M was stolen from the users of cross-chain DEX Rubic. Hackers were able to exploit active approvals because the USDC contract was mistakenly added as a whitelisted "Router contract". The Rubic team has compensated affected users.


Polynomial Protocol Hack

Discovered On: 2022-12-12
Stolen Amount: $7k
Affected Networks:
Optimism

Description

Around $7k was stolen from a select number of users of Polynomial Protocol, a derivatives platform on Optimism. Since this contract was not used for all functionality, only a few users were affected. Polynomial Protocol reimbursed the affected users.


Brahma Hack

Discovered On: 2022-11-09
Stolen Amount: $90k
Affected Networks:
Ethereum

Description

Around $90k was stolen from users of Brahma, a cross-chain DeFi protocol. Hackers were able to exploit a vulnerability due to incorrect access control.


BitKeep Swap Hack

Discovered On: 2022-10-18
Stolen Amount: $1.1M
Affected Networks:
BNB Chain
Polygon

Description

Over $1.1M was stolen from users of the BitKeep Wallet. Hackers were able to abuse unlimited approvals to steal approved user funds on BNB Chain and Polygon. BitKeep reimbursed affected users.


Rabby Swap Hack

Discovered On: 2022-10-11
Stolen Amount: $200k
Affected Networks:
Ethereum
BNB Chain
Polygon
Arbitrum
Arbitrum Nova
Optimism
Avalanche
Fantom
Cronos
Celo
Gnosis
Moonbeam
Astar
Metis
Aurora
Harmony
Boba
Klaytn (Unsupported)
HECO (Unsupported)

Description

About $200k was stolen from users of the Rabby Wallet. Only users who used the wallet's Swap function and have active approvals are at risk.


Transit Swap Hack

Discovered On: 2022-10-02
Stolen Amount: $21M
Affected Networks:
Ethereum
BNB Chain

Description

Over $21M was stolen from users of Transit Swap, a DEX on Ethereum and BNB Chain. Any wallets with active approvals to these smart contracts are at risk.


Celer Frontend Hack

Discovered On: 2022-08-17
Stolen Amount: $240k
Affected Networks:
Ethereum
BNB Chain
Polygon
Arbitrum
Optimism
Avalanche
Fantom
Astar
Metis
Aurora

Description

Over $200k was stolen from users of Celer. Hackers were able to compromise their official website and inject malicious code into it. This malicious code requested users to grant unlimited approvals to the hackers' wallets.


Curve Frontend Hack

Discovered On: 2022-08-09
Stolen Amount: $575k
Affected Networks:
Ethereum

Description

Over $500k was stolen from users of the popular DEX Curve. Hackers were able to compromise their official website and inject malicious code into it. They injected malicious approval transactions into the frontend, draining users' wallets. Anyone that interacted with the Curve frontend on the 9th of August is at risk.


PREMINT Frontend Hack

Discovered On: 2022-07-17
Stolen Amount: $400k
Affected Networks:
Ethereum

Description

Over $400k was stolen from users of PREMINT, a popular NFT platform. Hackers were able to compromise their official website and inject malicious code into it. This malicious code requested users to grant unlimited approvals to the hackers' wallets.


Quixotic Hack

Discovered On: 2022-07-01
Stolen Amount: $200k
Affected Networks:
Optimism

Description

Over $200k was stolen from users of Quixotic, an NFT marketplace on Optimism. The contract allowed malicious actors to sell worthless NFTs to victims for high prices due to missing signature verifications. The smart contract is now paused, but it is still recommended to revoke approvals.


Namecheap DNS Hijack

Discovered On: 2022-06-23
Stolen Amount: $500k
Affected Networks:
Ethereum

Description

Over $500k was stolen from users of several popular dapps, including Convex, Ribbon, and DeFiSaver. Hackers were able to access these websites' Namecheap settings to inject malicious code into the websites. This malicious code requested users to grant unlimited approvals to the hackers' wallets.


Zapper Whitehat Hack

Discovered On: 2022-06-14
Stolen Amount: $0
Affected Networks:
Ethereum

Description

Over $2.5M was rescued from a vulnerable Zapper contract. The Zapper team was notified of the vulnerability by whitehat hackers and was able to rescue the approved user funds. After revoking active approvals, users were reimbursed their funds.


BasketDAO Hack

Discovered On: 2022-03-30
Stolen Amount: $1.2M
Affected Networks:
Ethereum

Description

Over $1.2M was stolen from users of BasketDAO, a DeFi protocol for creating token baskets. Two of their contracts contained vulnerabilities that allowed hackers to steal approved user funds. Since then, BasketDAO has shut down and was acquired by another DeFi protocol, PieDAO.


Auctus Hack

Discovered On: 2022-03-29
Stolen Amount: $700k
Affected Networks:
Ethereum

Description

Over $700k has been stolen from users of Auctus, a decentralized options protocol on Ethereum. The Auctus team discovered a vulnerability in one of their older Beta contracts, which allowed attackers to drain approved funds from users' wallets.


LI.FI Hack

Discovered On: 2022-03-20
Stolen Amount: $600k
Affected Networks:
Ethereum

Description

Around $600k was stolen from users of LI.FI, a cross-chain bridge and DEX aggregator. Hackers exploited a vulnerability that allowed them to execute arbitrary functions from the context of the smart contract, including transactions that drained approved user funds. LI.FI has since then patched the vulnerability and reimbursed affected users.


2022 Multichain Hack

Discovered On: 2022-01-17
Stolen Amount: $3M
Affected Networks:
Ethereum
BNB Chain
Avalanche
IoTeX (Unsupported)
Telos (Unsupported)

Description

Over $3M was stolen by hackers that exploited a bug in the contracts of Multichain (formerly Anyswap), a cross-chain swap router. Any wallets that granted approvals to their smart contracts are at risk.


Sorbet Finance Whitehat Hack

Discovered On: 2021-12-11
Stolen Amount: $0
Affected Networks:
Ethereum

Description

About $26M was rescued from a vulnerable Sorbet Finance smart contract. The team was able to drain all vulnerable funds and has placed them in a special escrow smart contract, where the original owners can reclaim them. Active approvals must be revoked before receiving refunds.


BadgerDAO Frontend Hack

Discovered On: 2021-12-02
Stolen Amount: $120.3M
Affected Networks:
Ethereum

Description

Over $120M was stolen from users of BadgerDAO, a popular DeFi platform. Hackers were able to compromise their official website and inject malicious code into it. This malicious code requested users to grant unlimited approvals to the hackers' wallets.


dYdX Whitehat Hack

Discovered On: 2021-11-27
Stolen Amount: $200k
Affected Networks:
Ethereum

Description

About $2M was rescued from a vulnerable dYdX smart contract. The team was able to drain all vulnerable funds and has been refunding users once they revoke their active approvals. Despite their efforts, hackers were still able to steal just over $200k, which the dYdX team has reimbursed out of their own pocket.


bZx Hack

Discovered On: 2021-11-05
Stolen Amount: $55M
Affected Networks:
BNB Chain
Polygon

Description

Over $55M was stolen from users of DeFi platform bZx. Hackers gained access to the private keys of an admin account and deployed a malicious update to bZx's smart contracts. This new code allowed them to drain bZx's contracts and all approved user funds. This was the final nail in the coffin for bZx, which was exploited multiple times before.


StableMagnet Rug Pull

Discovered On: 2021-06-24
Stolen Amount: $27M
Affected Networks:
BNB Chain

Description

Over $27M was stolen from users of StableMagnet, a DEX on BNB Chain. The StableMagnet team built a backdoor into their smart contract that allowed them to drain the funds in liquidity pools and from users with active approvals.


Furucombo Hack

Discovered On: 2021-02-27
Stolen Amount: $14M
Affected Networks:
Ethereum

Description

Over $14M was stolen from users of Furucombo, an app that helps users compose DeFi transactions. Hackers were able to trick the Furucombo governance into whitelisting a scam contract, which was subsequently able to drain all approved user funds.


Bancor Whitehat Hack

Discovered On: 2020-06-18
Stolen Amount: $135k
Affected Networks:
Ethereum

Description

About $400k was rescued from a vulnerable Bancor contract. A vulnerability was discovered by the 1inch team and reported to Bancor. Most of the vulnerable funds were saved by the Bancor team, but just over $100k was still taken by automated front-running bots.
