A Historical Collection of Reentrancy Attacks
Definition of a Reentrancy Attack
Unsafe external call(s) that allow(s) malicious manipulation of the internal and/or associated external contract state(s).
Types of Reentrancy Attacks
- Single-Function Reentrancy
- Cross-Function Reentrancy
- Cross-Contract Reentrancy
- Cross-Chain Reentrancy
- Read-Only Reentrancy
Reentrancy Attacks List
A chronological and (hopefully) complete list of reentrancy attacks to date.
- WETH white hat attack – 10 June 2016 | Victim contract, Exploit contract, Exploit transaction
- The DAO attack – 17 June 2016 | Victim contract, Exploit contract, Exploit transaction
- SpankChain attack – 9 October 2018 | Victim contract, Exploit contract, Exploit transaction
- imBTC Uniswap pool attack – 18 April 2020 | Victim contract, Exploit contract, Exploit transaction
- Lendf.Me attack – 19 April 2020 | Victim contract, Exploit contract, Exploit transaction
- Akropolis attack – 12 November 2020 | Victim contract, Exploit contract, Exploit transaction
- ValueDeFi attack – 7 May 2021 | Victim contract, Exploit contract, Exploit transaction
- Rari Capital attack – 8 May 2021 | Victim contract, Exploit contract, Exploit transaction
- BurgerSwap attack – 27 May 2021 | Victim contract, Exploit contract, Exploit transaction
- Iron Finance attack – 16 June 2021 | Victim contract, Exploit contract, Exploit transaction
- PolyDEX attack – 20 June 2021 | Victim contract, Exploit contract, Exploit transaction
- DeFiPie attack – 12 July 2021 | Victim contract, Exploit contract, Exploit transaction
- Sanshu Inu attack – 20 July 2021 | Victim contract, Exploit contract, Exploit transaction
- XSURGE attack – 16 August 2021 | Victim contract, Exploit contract, Exploit transaction
- C.R.E.A.M. Finance attack – 30 August 2021 | Victim contract, Exploit contract, Exploit transaction
- Siren Protocol attack[^1] – 3 September 2021 | Victim contract, Exploit contract, Exploit transaction
- CreatureToadz attack – 21 October 2021 | Victim contract, Exploit contract, Exploit transaction
- Grim Finance attack – 18 December 2021 | Victim contract, Exploit contract, Exploit transaction
- Visor Finance attack – 21 December 2021 | Victim contract, Exploit contract, Exploit transaction
- HypeBears attack – 3 February 2022 | Victim contract, Exploit contract, Exploit transaction
- Bacon Protocol attack – 5 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Paraluni attack – 13 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Agave Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Hundred Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Revest Finance attack – 27 March 2022 | Victim contract, Exploit contract, Exploit transaction
- Voltage Finance attack – 31 March 2022 | Victim contract, Exploit contract, Exploit transaction
- BNB Brokers attack – 27 April 2022 | Victim contract, Exploit contract, Exploit transaction
- Fei Protocol attack – 30 April 2022 | Victim contract, Exploit contract, Exploit transaction
- Bistroo attack – 7 May 2022 | Victim contract, Exploit contract, Exploit transaction
- Ownly attack – 10 May 2022 | Victim contract, Exploit contract, Exploit transaction
- Omni attack – 10 July 2022 | Victim contract, Exploit contract, Exploit transaction
- Stader Labs NearX attack – 16 August 2022 | Victim contract, Exploit contract[^2], Exploit transaction
- Thunder Brawl attack – 30 September 2022 | Victim contract, Exploit contract, Exploit transaction
- QuickSwap Lend attack – 23 October 2022 | Victim contract, Exploit contract, Exploit transaction
- n00dleSwap attack – 25 October 2022 | Victim contract, Exploit contract, Exploit transaction
- DFX Finance attack – 10 November 2022 | Victim contract, Exploit contract, Exploit transaction
- Defrost Finance attack – 23 December 2022 | Victim contract, Exploit contract, Exploit transaction
- Jaypeggers attack – 29 December 2022 | Victim contract, Exploit contract, Exploit transaction
- Midas Capital attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
- 2Pi Network attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
- Abracadabra Money white hat attack – 16 January 2023 | Victim contract, Exploit contract, Exploit transaction
- Orion Protocol attack – 2 February 2023 | Victim contract, Exploit contract, Exploit transaction
- dForce Network attack[^3] – 9 February 2023 | Victim contract, Exploit contract, Exploit transaction
- Dynamic attack – 22 February 2023 | Victim contract, Exploit contract, Exploit transaction
- Sentiment attack – 4 April 2023 | Victim contract[^4], Exploit contract, Exploit transaction
- Paribus attack – 11 April 2023 | Victim contract[^5], Exploit contract, Exploit transaction
- MuratiAI attack – 6 June 2023 | Victim contract, Exploit contract, Exploit transaction
- Sturdy attack – 12 June 2023 | Victim contract, Exploit contract, Exploit transaction
- Arcadia Finance attack[^6] – 10 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Libertify attack[^7] – 11 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Conic Finance attack – 21 July 2023 | Victim contract, Exploit contract, Exploit transaction
- EraLend attack – 25 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Curve attack[^8] – 30 July 2023 | Victim contract, Exploit contract, Exploit transaction
- Earning.Farm attack – 9 August 2023 | Victim contract, Exploit contract, Exploit transaction
- Defiway attack – 3 October 2023 | Victim contract, Exploit contract, Exploit transaction
- Stars Arena attack – 7 October 2023 | Victim contract, Exploit contract, Exploit transaction
- 0x0 attack – 27 October 2023 | Victim contract, Exploit contract, Exploit transaction
- Peapods Finance attack – 13 December 2023 | Victim contract, Exploit contract, Exploit transaction
- NFT Trader attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
- GoodDollar attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
- Nebula Revelation attack – 25 January 2024 | Victim contract, Exploit contract, Exploit transaction
- Barley Finance attack – 28 January 2024 | Victim contract, Exploit contract, Exploit transaction
- ChainPaint attack – 12 February 2024 | Victim contract, Exploit contract, Exploit transaction
- Rugged Art attack – 19 February 2024 | Victim contract, Exploit contract, Exploit transaction
- The Smoofs attack – 28 February 2024 | Victim contract, Exploit contract, Exploit transaction
- Sumer Money attack – 12 April 2024 | Victim contract, Exploit contract, Exploit transaction
- Predy Finance attack – 14 May 2024 | Victim contract, Exploit contract, Exploit transaction
- Mint Raises Prices attack – 2 July 2024 | Victim contract, Exploit contract, Exploit transaction
- Minterest attack – 14 July 2024 | Victim contract, Exploit contract, Exploit transaction
- Terra attack[^9] – 31 July 2024 | Victim contract, Exploit contract, Exploit transaction
- Lien attack – 23 August 2024 | Victim contract, Exploit contract, Exploit transaction
- Pythia attack – 3 September 2024 | Victim contract, Exploit contract, Exploit transaction
- Penpie attack – 3 September 2024 | Victim contract, Exploit contract, Exploit transaction[^10]
Some of the exploits carried out involve multiple separate transactions as well as multiple victim and exploit contracts. For each attack, I have listed the most affected victim contract, the most critical exploit contract, and the most devastating exploit transaction.
Disclaimer
[^1]: To prevent the article from constantly reloading, deactivate JavaScript in your browser.
[^2]: We list the attacker's address here for the sake of completeness, but technically the attack was executed with a Near-specific transaction type called "Batch Transaction" and not with a specific exploit contract.
[^3]: We list the victim contract, the exploit contract, and the exploit transaction on Arbitrum. However, the same exploit was carried out on Optimism with almost the same amount of loss: Victim contract, Exploit contract, Exploit transaction.
[^4]: The same exploit hit another victim with almost the same amount of loss: Victim contract.
[^5]: The same exploit hit two other victims with almost the same amount of loss: Victim contract 2, Victim contract 3.
[^6]: We list the victim contract, the exploit contract, and the exploit transaction on Optimism. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction.
[^7]: We list the victim contract, the exploit contract, and the exploit transaction on Polygon. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction.
[^8]: The technical post-mortem on the reentrancy lock vulnerability from Vyper can be found here.
[^9]: The details of the GitHub Security Advisory (GHSA) used to exploit the Terra blockchain can be found here.
[^10]: We list the victim contract, the exploit contract, and the exploit transaction on Ethereum. However, the same exploit was carried out on Arbitrum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction.