defirisk.co
rubric v1.7.0

Bug bounty presence & max payout

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records whether the protocol operates a public bug bounty program and, if so, the maximum payout in USD. Data sources are the Immunefi API, Sherlock, Code4rena, and the protocol's own documentation. The field captures two values: a boolean (program active / inactive) and the declared maximum payout amount. Both are displayed on the protocol page.

**Why it matters** Bug bounty programs create an economic incentive for external security researchers to disclose vulnerabilities rather than exploit them. Approximately 27 of the hacked protocols in the dataset had no public bounty program at the time of exploit. The absence of a bounty removes one of the few mechanisms by which a pre-existing vulnerability can be surfaced before an attacker finds it. At the same time, a bounty does not prevent exploits -- Euler Finance operated a program and the bug was missed both by internal review and by the bounty community. The maximum payout also matters: a $1,000 cap on a $1B TVL protocol provides no meaningful incentive relative to the exploit upside.

**Green / Yellow / Red** Green: active public bug bounty program with a maximum payout of at least $100,000 for critical smart contract vulnerabilities, covering the primary contracts holding user funds. Yellow: program exists but maximum payout is below $100,000, or the program covers only a subset of deployed contracts. Red: no public bug bounty program of any kind, or program is explicitly inactive.

**Common gray cases** Curators cannot grade this factor when the protocol's bounty status cannot be confirmed from public sources and the protocol does not respond to curator queries. Some protocols operate private or invitation-only programs that are not assessable.

**Notable historical examples**
- **Harmony Bridge** ($100M, 2022): No confirmed bug bounty program; bridge multisig compromise proceeded without external researcher disclosure.
- **Badger DAO** ($120M, 2021): No bug bounty program contributed to the front-end compromise going unreported before the attack.
- **Ronin Network** ($624M, 2022): Bug bounty status was unknown; 9-validator private multisig was exploited without prior disclosure.
- **Wormhole** ($326M, 2022): No confirmed pre-exploit bounty program; team later offered a $10M whitehat bounty retroactively.
- **Beanstalk** ($181M, 2022): No confirmed bug bounty at time of flash-loan governance attack.

Measurement: what to look for

Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.

Data & output

**Data source** Immunefi API (`/bounties` endpoint) + Sherlock contest list + protocol docs security page

**Output format** Green / Yellow / Red

**Evidence artifact** Immunefi program URL or equivalent + max payout USD + program-active boolean + checked_at timestamp

**Confidence signal** green = active program with max payout ≥$500K; yellow = active program with max payout $50K–$499K or program exists but scope unclear; red = no active bounty program; gray = no information found

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-007 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | red |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | green |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | red |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | red |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | red |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | red |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | green |
| QuickSwap | polygon | red |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | red |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | green |
| stHYPE (Valantis Labs) | hyperliquid | red |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | red |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: 175 historical incidents

- [related] Rhea Finance (merged entity of Ref Finance DEX + Burrow Finance lending; launched February 2025) — Permissionless fake-token pool creation → spot-price oracle acceptance → margin-trading `min_amount_out` double-counting across sequential swaps · 2026-04-16 · $18M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: [PENDING: no confirmed Immunefi program identified in sources]]
- [related] Dango (custom-L1 perpetual DEX; Grug engine on Tendermint) — Missing sign/positivity check on `donate()` input in the insurance-fund contract — negative value reversed accounting direction · 2026-04-13 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Partial — no formal program disclosed pre-incident; a negotiated post-exploit bounty was paid to the white-hat (amount undisclosed)]
- [related] Aethir (decentralized GPU compute / DePIN; ATH token bridge) — Access control — unprotected/misauthorized `transferOwnership()` on AethirOFTAdapter; either missing `onlyOwner` modifier or compromised single-EOA admin key · 2026-04-09 · $400K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: [PENDING: no confirmed Immunefi program for the bridge adapter]]
- [related] Drift Protocol (Solana perpetual futures DEX) — Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle · 2026-04-01 · $285M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: [PENDING: no confirmed Immunefi or equivalent program found in sources]]
- [related] Solv Protocol (BRO vault) — ERC-3525 Callback Reentrancy — Double Mint (onERC721Received fires before state update) · 2026-03-05 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No — HackenProof programs excluded EVM contracts; only Web2 infrastructure and Solana covered]
- [related] YieldBlox / Script3 (Blend V2 community-managed pool) — Illiquid collateral oracle manipulation — single USTRY/USDC trade pumped price 100x → inflated collateral → undercollateralized borrow drain · 2026-02-22 · $11M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] IoTeX (ioTube Bridge) — Private key compromise → malicious contract upgrade → TokenSafe drain + MinterPool abuse · 2026-02-21 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Announced post-hack ($440K, 10% of stolen funds, 48h window — no response)]
- [related] Moonwell — Oracle Misconfiguration (Missing ETH/USD Multiplier) · 2026-02-15 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Saga (SagaEVM / Saga Dollar) — IBC Precompile Input Validation Bypass → Infinite Mint · 2026-01-21 · $7M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Makina Finance — Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain · 2026-01-20 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None pre-exploit (10% offered post-hack)]
- [related] Truebit — Integer Overflow in Unverified Bytecode / Bonding Curve Exploit · 2026-01-08 · $26M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
- [related] TMXTribe — Logic Bug — Mint/Stake/Swap Loop · 2026-01-05 · $1M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
- [related] USPD — CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain · 2025-12-04 · $1M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: 10% offered post-hack; no pre-hack bounty publicized]
- [related] GANA Payment — Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass) · 2025-11-20 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- [related] New Gold Protocol (NGP) — Flash loan + spot price oracle manipulation + broken transfer logic (dead address bypass of buy limits) · 2025-09-17 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- [related] SwissBorg (via Kiln staking partner) — Partner API compromise — withdrawal authority transfer via hidden staking instructions · 2025-09-08 · $42M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Odin.Fun — AMM Liquidity Manipulation (Governance Token Price Pump + Drain) · 2025-08-12 · $7M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] ArcadiaFi — Arbitrary swapData call via trusted rebalancer contract — attacker exploited cooldown period from decoy pause to prevent emergency shutdown during drain · 2025-07-14 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] ResupplyFi — ERC4626 Donation Attack (Vault Inflation / Zero Exchange Rate) · 2025-06-25 · $10M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in source]
- [related] Force Bridge (Nervos Network) — Access control compromise — admin key leak → privileged unlock() drain across two chains · 2025-06-01 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N — none mentioned]
- [related] Zunami Protocol — Admin key compromise → withdrawStuckToken() drain of LP collateral · 2025-05-14 · $500K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] MobiusDAO — Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation · 2025-05-11 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- [related] LNDFi (LND.fi) — Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · 2025-05-09 · $1M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- [related] KiloEx — Missing signature verification in MinimalForwarder → unvalidated oracle price update → multi-chain drain · 2025-04-14 · $7M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None pre-exploit (10% offered post-hack)]
- [related] Abracadabra Money — Logic bug — phantom collateral / post-liquidation state inconsistency · 2025-03-25 · $13M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not mentioned in report]
- [related] Infini (Crypto Neobank) — Retained Admin Privileges — Rogue Developer Backdoor · 2025-02-24 · $50M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
- [related] The Idols NFT — Self-Transfer Reward Loop (Logic Bug in Token Transfer Hook) · 2025-01-14 · $324K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Moby Trade — Private key compromise → proxy admin key stolen → vault ownership transfer → drain · 2025-01-08 · $1M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Orange Finance — Admin private key compromise → proxy upgrade → privileged drain of LP vault positions · 2025-01-07 · $844K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] GemPad — Reentrancy — Missing Guards on collectFees / Withdrawal Function · 2024-12-17 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [causal] Polter Finance — Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow · 2024-11-16 · $9M · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
- [related] Tapioca DAO — Social engineering → private key compromise → vesting contract ownership takeover + stablecoin infinite mint → TAP dump + USDO/USDC LP drain · 2024-10-18 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Radiant Capital — Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · 2024-10-16 · $53M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Bedrock (uniBTC vault) — Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint) · 2024-09-25 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None active at time of exploit; Bedrock invited attacker to become white-hat post-hack]
- [related] Onyx Protocol (2nd incident) — Compound V2 empty-market donation attack — VUSD governance-added market · 2024-09-25 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not advertised publicly]
- [related] Griffin AI ($GAIN token) — Fake LayerZero Peer Initialization (Cross-Chain Minting Exploit) · 2024-09-24 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None mentioned]
- [related] Penpie — Reentrancy via fake Pendle market → staking balance inflation → excess reward drain · 2024-09-03 · $27M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Unnamed Crypto Whale (Maker DSProxy vault) — Phishing → EOA compromise → DSProxy ownership transfer → DAI vault drain · 2024-08-20 · $55M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A (personal wallet / Maker DSProxy — no user-level bug bounty)]
- [related] Ronin Network (Bridge) — Uninitialized Variable in Contract Upgrade (initializeV3 Skipped) · 2024-08-06 · $12M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] ETHTrustFund (ETF) — Insider Rug Pull — Deployer Drains Treasury Smart Contract · 2024-07-21 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- [related] Rho Market — Oracle misconfiguration (deployment error) → MEV bot price manipulation → USDC/USDT drain · 2024-07-19 · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] LiFi Protocol (Jumper Exchange) — Call Injection via Unvalidated Swap Function · 2024-07-16 · $10M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Velocore — Fee Multiplier Manipulation + Underflow → Liquidity Token Mint · 2024-06-02 · $7M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Yes — 10% bug bounty offered post-hack (no pre-hack bounty mentioned)]
- [related] Gala Games (GALA token contract) — Compromised Admin Account — Unauthorized Token Minting · 2024-05-21 · $22M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Pike Finance — Storage Layout Collision → Unauthorized Proxy Upgrade / Ownership Takeover · 2024-04-26 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Hedgey Finance — Unverified User Input — Flash Loan Enabled Approval Manipulation · 2024-04-19 · $45M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] PrismaFi — Flash Loan + Missing Input Validation (Migration Helper) · 2024-03-28 · $12M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in source]
- [related] Munchables — Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy · 2024-03-26 · $63M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [causal] Curio (CurioDAO) — Voting power privilege escalation via MakerDAO fork governance bug → mass CGT token minting · 2024-03-23 · $16M · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
- [related] Unizen — Unvalidated external call in upgraded DEX Aggregation contract — approval drain · 2024-03-08 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Seneca Protocol — Approval Exploit — Arbitrary transferFrom via Constructed Calldata · 2024-02-28 · $6M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N — no bug bounty program]
- [related] Ionic Money (formerly Midas) — Fake Collateral Listing (Social Engineering → On-chain Exploit) · 2024-02-04 · $7M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Socket (Bungee Bridge) — Unvalidated user input in new route — transferFrom injection via approval drain · 2024-01-16 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Gamma Strategies — Flash Loan — LP Token Price Manipulation (Price Threshold Bypass) · 2024-01-04 · $5M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Radiant Capital (1st incident) — Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0 · 2024-01-02 · $5M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Orbit Bridge (by Ozys) — Compromised Multisig Signer Keys (via rogue former CISO) · 2023-12-31 · $82M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Yearn Finance (legacy iearn TUSD V1 vault — deployed 2020) — Flash loan → misconfigured vault (TUSD vault tracking iSUSD/sUSD strategy) → share accounting inflation → Curve yPool drain · 2023-12-16 · $293K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] OKX DEX (OKX Decentralized Exchange Aggregator) — Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · 2023-12-13 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Levana Protocol — Oracle Price Delta Manipulation (Timing + Network Congestion) · 2023-12-13 · $1M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool) — Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain · 2023-11-30 · $9M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] HECO Bridge (Huobi ECO Chain Ethereum Bridge) — Compromised Bridge Operator Account (Private Key / Off-chain) · 2023-11-22 · $87M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [causal] KyberSwap Elastic — Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · 2023-11-22 · $48M · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] dYdX v3 — Market Manipulation (Low-Liquidity Token — YFI Long + Spot Dump) · 2023-11-20 · $9M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Raft — Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump · 2023-11-10 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Anonymous MEV Sandwich Bot (on-chain MEV contract) — Unprotected public swap function → sandwich attack via Curve WETH/WBTC pool — $50M flash loan · 2023-11-07 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
- [related] Onyx Protocol — Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation · 2023-10-31 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Unibot — Unvalidated arbitrary call in new router — transferFrom injection via approval drain · 2023-10-31 · $640K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Fantom Foundation (employee wallets) — Off-chain Key Compromise (suspected password manager / phishing) · 2023-10-17 · $8M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
- [related] Platypus Finance (3rd exploit) — Flash loan + LP-AVAX pool cash/liability manipulation → slippage-inflated swap output · 2023-10-12 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Stars Arena — Reentrancy · 2023-10-07 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
- [related] Mixin Network — Off-chain Cloud Database Breach → Hot Wallet / Private Key Compromise · 2023-09-25 · $200M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Hypr Network — Bridge Contract Reinitialization (OP Stack Unpatched Dev Branch) · 2023-09-12 · $220K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
- [related] Exactly Protocol — Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy · 2023-08-18 · $7M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown (no mention in rekt.news article; $700K bounty offered post-hack for attacker information)]
- [related] RocketSwap — Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions · 2023-08-14 · $869K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Zunami Protocol — Flash loan + SDT token swap → totalHoldings price calculation manipulation → zETH/UZD LP price manipulation → drain · 2023-08-13 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Steadefi — Compromised Deployer Key → Ownership Transfer · 2023-08-07 · $1M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [causal] Kannagi Finance — Insider rug — privileged admin withdrawal on behalf of users (MainChef address) · 2023-07-29 · $1M · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- [related] DeFiLabs — Backdoor Function in Staking Contract (Insider Rug Pull) · 2023-07-27 · $2M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None mentioned]
- [related] EraLend (formerly Nexon Finance) — Read-Only Reentrancy (SyncSwap LP Callback — Stale Reserves Oracle) · 2023-07-25 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Multichain (formerly Anyswap) — Private Key Compromise (MPC Address) — suspected backend breach or insider · 2023-07-07 · $126M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Poly Network (2nd incident) — Compromised 3-of-4 multisig → forged deposit proofs → cross-chain withdrawal drain · 2023-07-01 · $4M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Midas Capital — Compound V2 empty-market donation attack — exchange rate inflation + rounding error in redeemUnderlying · 2023-06-17 · $600K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Sturdy Finance — Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain · 2023-06-12 · $800K · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- [related] Atlantis Loans — Governance attack on abandoned protocol — attacker passed malicious proposal granting token contract control, then upgraded to drain addresses with active approvals · 2023-06-10 · $3M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None (project abandoned)]
- [causal] Atomic Wallet (non-custodial multi-chain wallet) — Unknown officially; suspected: BGP hijacking combined with client-side vulnerability (possibly private key logging); Least Authority had flagged vulnerabilities in 2021 that were never addressed · 2023-06-02 · $100M · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
- [related] Jimbo's Protocol — Flash loan + missing slippage control in rebalancing function → liquidity drain · 2023-05-28 · $8M · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No (10% offered after hack via on-chain message)]
relatedTornado Cash (Governance) — Metamorphic contract (CREATE + CREATE2 + selfDestruct) — trojan horse governance proposal2023-05-20 · $750K · Metamorphic contract (CREATE + CREATE2 + selfDestruct) — trojan horse governance proposal · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A (Tornado Cash is community-governed, no active bug bounty post-OFAC sanctions)]
relatedSwaprum — Rug Pull via Malicious Contract Upgrade2023-05-18 · $3M · Rug Pull via Malicious Contract Upgrade · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalDeus DAO / DEI stablecoin — Mis-ordered Parameters in burnFrom — Public Approval Override2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedLevel Finance — Logic bug — referral reward claimMultiple() epoch not checked for reuse2023-05-01 · $1M · Logic bug — referral reward claimMultiple() epoch not checked for reuse · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalMerlin DEX — Insider rug — max approval drain via privileged Feeto address2023-04-25 · $2M · Insider rug — max approval drain via privileged Feeto address · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
relatedYearn Finance (iearn yUSDT) — Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted2023-04-13 · $10M · Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Yearn has a bug bounty; immutable contract meant no patch was possible even with disclosure]
relatedSafemoon — Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain2023-03-28 · $9M · Upgrade introduced public burn() function → LP token burn → pool price manipulation → BNB drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedKokomo Finance — Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits2023-03-26 · $4M · Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
relatedHedera (Network-level — Hashgraph Smart Contract Service) — Smart Contract Service (HTS) Code Bug — Uniswap V2 Port Exploit2023-03-09 · $515K · Smart Contract Service (HTS) Code Bug — Uniswap V2 Port Exploit · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalHope Finance — Insider Exit Scam — Malicious Fake Router Pre-Deployed2023-02-20 · $2M · Insider Exit Scam — Malicious Fake Router Pre-Deployed · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
relatedDexible — Unvalidated router — selfSwap() transferFrom injection via approval drain2023-02-17 · $2M · Unvalidated router — selfSwap() transferFrom injection via approval drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not mentioned]
relatedPlatypus Finance — Flash loan + emergencyWithdraw() solvency check bypass — collateral withdrawal without repaying borrowed USP2023-02-16 · $9M · Flash loan + emergencyWithdraw() solvency check bypass — collateral withdrawal without repaying borrowed USP · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relateddForce Network — Read-Only Reentrancy (Curve wstETH/ETH LP Oracle Manipulation)2023-02-13 · $4M · Read-Only Reentrancy (Curve wstETH/ETH LP Oracle Manipulation) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedOrion Protocol — Fake token reentrancy — depositAsset() double-credit via ATK token transfer hook2023-02-02 · $3M · Fake token reentrancy — depositAsset() double-credit via ATK token transfer hook · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedMidas Capital — Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation2023-01-15 · $660K · Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
illustrativeRaydium — Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation2022-12-16 · $4M · Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedLodestar Finance — Oracle Price Manipulation (LP Token Donation)2022-12-10 · $7M · Oracle Price Manipulation (LP Token Donation) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — team asked hacker to negotiate white-hat]
relatedTeam Finance — Flawed migrate() function — Uniswap V2→V3 migration with skewed price manipulation2022-10-27 · $16M · Flawed migrate() function — Uniswap V2→V3 migration with skewed price manipulation · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedMoola Markets — Price Manipulation (Native Token Collateral)2022-10-19 · $8M · Price Manipulation (Native Token Collateral) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedSovryn — External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn2022-10-04 · $1M · External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalTransit Swap — Controllable transferFrom() in unverified (closed-source) swap contract — approval drain2022-10-01 · $21M · Controllable transferFrom() in unverified (closed-source) swap contract — approval drain · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
related0xbad MEV Bot (on-chain MEV arbitrage contract) — Unprotected flashloan callback — arbitrary execution via callFunction → WETH approval exploit2022-09-27 · $2M · Unprotected flashloan callback — arbitrary execution via callFunction → WETH approval exploit · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
relatedNomad Bridge — Initialisation Error — Zero-Address Trusted Root (Merkle Proof Bypass)2022-08-02 · $190M · Initialisation Error — Zero-Address Trusted Root (Merkle Proof Bypass) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedNirvana Finance — Flash Loan + AMM Price Manipulation (Treasury Drain)2022-07-28 · $4M · Flash Loan + AMM Price Manipulation (Treasury Drain) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalHarmony Horizon Bridge — Compromised Multisig Private Keys (Hot Wallets)2022-06-23 · $100M · Compromised Multisig Private Keys (Hot Wallets) · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedInverse Finance — Oracle Price Manipulation (Flash Loan)2022-06-16 · $6M · Oracle Price Manipulation (Flash Loan) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedGym Network (GymNet) — Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain2022-06-10 · $2M · Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedMirror Protocol (REKT 2) — Missing Duplicate-Call Check (Re-entrancy variant)2022-05-31 · $92M · Missing Duplicate-Call Check (Re-entrancy variant) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedFortress Protocol (lending arm of JetFuel Finance) — Oracle Manipulation + Malicious Governance Proposal2022-05-09 · $3M · Oracle Manipulation + Malicious Governance Proposal · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedMad Meerkat Finance (MM.Finance) — DNS Hijack / Front-End Attack (Router Address Substitution)2022-05-04 · $2M · DNS Hijack / Front-End Attack (Router Address Substitution) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedSaddle Finance — Flash Loan + LP Token Price Manipulation (Old MetaSwapUtils Library)2022-05-01 · $11M · Flash Loan + LP Token Price Manipulation (Old MetaSwapUtils Library) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedFei Protocol / Rari Capital (Fuse) — Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern2022-04-30 · $80M · Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedBeanstalk — Flash Loan + Governance Exploit2022-04-17 · $181M · Flash Loan + Governance Exploit · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty existed (Y/N): Unknown — not mentioned in source] || Bug bounty absent — alternate field name [via dashboard_risk_factors/Bug bounty existed (Y/N): Unknown — not mentioned in source]
causalElephant Money — Flash loan + spot price manipulation during stablecoin minting2022-04-12 · $22M · Flash loan + spot price manipulation during stablecoin minting · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No evidence]
causalInverse Finance — SushiSwap TWAP Oracle Manipulation — Thin Liquidity Governance Token2022-04-02 · $16M · SushiSwap TWAP Oracle Manipulation — Thin Liquidity Governance Token · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedVoltage Finance / Ola Finance — ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update2022-03-31 · $4M · ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedRonin Network (Bridge) — Compromised Validator Keys + Unrevoked Whitelist Access2022-03-29 · $624M · Compromised Validator Keys + Unrevoked Whitelist Access · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedRevest Finance — ERC1155 reentrancy via onERC1155Received — fnftId update timing flaw inflates FNFT redemption value2022-03-27 · $2M · ERC1155 reentrancy via onERC1155Received — fnftId update timing flaw inflates FNFT redemption value · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalCashio — Infinite mint via incomplete collateral validation — fake account chain bypasses all verification2022-03-23 · $48M · Infinite mint via incomplete collateral validation — fake account chain bypasses all verification · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
relatedDeus DAO (DEI lending contract) — Flash loan oracle manipulation via Solidly AMM pool → user position liquidation2022-03-15 · $3M · Flash loan oracle manipulation via Solidly AMM pool → user position liquidation · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
relatedDeus DAO (1st incident) — Flash loan → spot price manipulation of Solidex USDC/DEI AMM pool (used as oracle) → user positions liquidated2022-03-15 · $3M · Flash loan → spot price manipulation of Solidex USDC/DEI AMM pool (used as oracle) → user positions liquidated · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
relatedAgave DAO + Hundred Finance (dual attack) — ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain2022-03-15 · $12M · ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Agave: Yes (Aave-like program); Hundred: Unknown]
relatedTreasure DAO (Marketplace) — Logic Bug (Zero-Quantity Purchase)2022-03-03 · $1M · Logic Bug (Zero-Quantity Purchase) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedDego Finance + Cocos-BCX — Compromised Private Key — Multi-chain LP Drain + Token Mint2022-02-10 · $10M · Compromised Private Key — Multi-chain LP Drain + Token Mint · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedSuperfluid — Composability Exploit (ctx Manipulation)2022-02-08 · $9M · Composability Exploit (ctx Manipulation) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedMeter (Passport Bridge) — Deposit method calldata bypass — unwrapped native token assumption not enforced in secondary deposit path2022-02-05 · $8M · Deposit method calldata bypass — unwrapped native token assumption not enforced in secondary deposit path · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
illustrativeWormhole Bridge (Solana ↔ Ethereum) — Signature verification bypass via deprecated sysvar → fraudulent SignatureSet → fake mint of 120k wETH on Solana2022-02-02 · $326M · Signature verification bypass via deprecated sysvar → fraudulent SignatureSet → fake mint of 120k wETH on Solana · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — no public bug bounty program referenced; post-exploit the team offered a $10M whitehat bounty]
relatedArbix Finance — Insider rug pull — deployer drained user vaults and disappeared, then dumped native token via PancakeSwap2022-01-04 · $10M · Insider rug pull — deployer drained user vaults and disappeared, then dumped native token via PancakeSwap · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedVisor Finance — Vulnerable require() in vVISR deposit() — self-referential ownership bypass → unlimited share minting2021-12-22 · $8M · Vulnerable require() in vVISR deposit() — self-referential ownership bypass → unlimited share minting · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedGrim Finance — Reentrancy2021-12-18 · $30M · Reentrancy · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
relatedBrincFi — Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade2021-12-14 · $1M · Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
related8ight Finance — Admin key compromise — private key shared via Facebook chat and Google Drive → treasury drain2021-12-07 · $2M · Admin key compromise — private key shared via Facebook chat and Google Drive → treasury drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
causalBadger DAO (Bitcoin-yield vaults on Ethereum) — Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain2021-12-02 · $120M · Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
causalMonoX — Native token self-swap price inflation — tokenIn/tokenOut identity bypass2021-11-30 · $31M · Native token self-swap price inflation — tokenIn/tokenOut identity bypass · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalSnowdog (SnowdogDAO) — Insider front-running — privileged challengeKey knowledge + custom AMM sniping2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
causalIndexed Finance — Flash Loan — Rebalancing Delay Pool Oracle Manipulation2021-10-14 · $16M · Flash Loan — Rebalancing Delay Pool Oracle Manipulation · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedVee Finance — Pangolin spot price oracle manipulation via custom trading pairs + decimal handling bug2021-09-21 · $34M · Pangolin spot price oracle manipulation via custom trading pairs + decimal handling bug · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown (team offered bug bounty to hacker post-attack)]
relatedDAO Maker — Reinitializable init() function + emergencyExit() drain on token vesting contracts2021-09-04 · $4M · Reinitializable init() function + emergencyExit() drain on token vesting contracts · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
causalCream Finance — ERC-777 Reentrancy (Token Integration Vulnerability)2021-08-30 · $19M · ERC-777 Reentrancy (Token Integration Vulnerability) · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in post-mortem]
relatedxToken Market — Public callFunction() in xSNXAdmin — same SNX price manipulation, different access control bug2021-08-30 · $5M · Public callFunction() in xSNXAdmin — same SNX price manipulation, different access control bug · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedPoly Network — Cross-chain Message Forgery — Privileged Contract Caller Manipulation2021-08-11 · $611M · Cross-chain Message Forgery — Privileged Contract Caller Manipulation · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedPopsicle Finance (Sorbetto Fragola) — Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint2021-08-04 · $20M · Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedTHORChain — Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse2021-07-26 · $8M · Fake deposit via fake Asgard vault + malicious memo — Bifrost refund logic abuse · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No (hacker demanded 10% bounty be established; THORChain committed to one post-incident)]
relatedPancakeBunny (Polygon deployment — polyBUNNY) — Flash Loan + Reward Minting Manipulation (Performance Fee Inflation)2021-07-18 · $2M · Flash Loan + Reward Minting Manipulation (Performance Fee Inflation) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedTHORChain — ETH Bifrost override loop — msg.value spoofing via wrapped router2021-07-16 · $5M · ETH Bifrost override loop — msg.value spoofing via wrapped router · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No — hacker noted explicitly in the exploit that "10% VAR bounty would have prevented this"; THORChain had paused bounty refresh for MCCN]
relatedChainSwap — Auth bypass in Factory minting contract — sloppy signature check bypassed with fresh addresses2021-07-11 · $4M · Auth bypass in Factory minting contract — sloppy signature check bypassed with fresh addresses · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
relatedMerlin Labs (REKT 3) — Reward Minting Manipulation (Balance Inflation)2021-06-29 · $330K · Reward Minting Manipulation (Balance Inflation) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedAutoShark Finance — Flash loan + SharkMinter balance spoofing → excess native token minting2021-06-01 · $745K · Flash loan + SharkMinter balance spoofing → excess native token minting · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
relatedLevyathan Finance — Exposed Private Key + Minting + emergencyWithdraw Bug2021-06-01 · $2M · Exposed Private Key + Minting + emergencyWithdraw Bug · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
relatedBurgerSwap — Reentrancy via non-standard BEP-20 + missing x*y=k invariant check2021-05-28 · $7M · Reentrancy via non-standard BEP-20 + missing x*y=k invariant check · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
relatedMerlin Labs (REKT 2) — Oracle Mispricing2021-05-27 · $550K · Oracle Mispricing · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedMerlin Labs — External token balance spoofing → excess native token minting2021-05-26 · $680K · External token balance spoofing → excess native token minting · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not mentioned]
causalPancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting2021-05-19 · $45M · Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalbEarnFi (BvaultsBank) — Logic bug — token denomination mismatch between vault and strategy layers2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in report]
relatedxToken Market — Flash loan + SNX/BNT price manipulation → xSNX/xBNT share price inflation → drain2021-05-12 · $24M · Flash loan + SNX/BNT price manipulation → xSNX/xBNT share price inflation → drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalRari Capital — Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain2021-05-08 · $10M · Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedValue DeFi — Bancor Power Function Misuse (Weighted AMM Invariant Bypass)2021-05-08 · $11M · Bancor Power Function Misuse (Weighted AMM Invariant Bypass) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedValue DeFi — Uninitialized Pool Re-initialization (Missing initialized = true)2021-05-05 · $10M · Uninitialized Pool Re-initialization (Missing initialized = true) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalEasyFi (Easy Network) — Admin key theft via compromised machine (malicious MetaMask binary)2021-04-19 · $59M · Admin key theft via compromised machine (malicious MetaMask binary) · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No evidence of bug bounty program at time of hack]
relatedPAID Network — Infinite Mint — Compromised Deployer Key (Suspected Insider)2021-03-05 · $27M · Infinite Mint — Compromised Deployer Key (Suspected Insider) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalFurucombo — Evil Contract — Delegatecall Storage Collision2021-02-27 · $14M · Evil Contract — Delegatecall Storage Collision · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalAlpha Finance / Alpha Homora V2 (leveraged yield farming) — Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required2021-02-13 · $38M · Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
relatedBT Finance + Growth DeFi (two separate hacks, one article) — BT Finance: Flash Loan Price Manipulation; Growth DeFi: Fake Token LP Injection2021-02-09 · $2M · BT Finance: Flash Loan Price Manipulation; Growth DeFi: Fake Token LP Injection · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown (both)]
relatedYearn Finance (yDAI v1 vault) — Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration2021-02-04 · $11M · Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown at time of exploit]
relatedWarp Finance — Flash loan + Uniswap V2 LP token spot oracle manipulation → inflated collateral → over-borrow drain2020-12-17 · $8M · Flash loan + Uniswap V2 LP token spot oracle manipulation → inflated collateral → over-borrow drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown; attacker left collateral locked creating a natural bounty for liquidation]
relatedCompounder Finance — Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull)2020-12-02 · $12M · Malicious Strategy Contracts — Backdoor Withdrawal (Insider Rug Pull) · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None mentioned]
causalPickle Finance — Fake jar injection — missing whitelist in Controller's jar-swap function2020-11-22 · $20M · Fake jar injection — missing whitelist in Controller's jar-swap function · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
relatedValue DeFi — Flash loan + Curve spot price oracle manipulation → inflated collateral → over-borrow drain2020-11-14 · $7M · Flash loan + Curve spot price oracle manipulation → inflated collateral → over-borrow drain · Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
causalEminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle)2020-09-28 · $15M · Flash loan + bonding curve arbitrage (buy/burn/sell cycle) · Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
rubric_version v1.7.0 · factor RD-F-007 · category 1 · carried 80 · critical no