⚔️ A Historical Collection of Reentrancy Attacks

📌 Definition of a Reentrancy Attack

Unsafe external call(s) that allow(s) malicious manipulation of the internal and/or associated external contract state(s).

📚 Types of Reentrancy Attacks

• Single-Function Reentrancy
• Cross-Function Reentrancy
• Cross-Contract Reentrancy
• Cross-Chain Reentrancy
• Read-Only Reentrancy

📜 Reentrancy Attacks List

A chronological and (hopefully) complete list of reentrancy attacks to date.

• WETH white hat attack – 10 June 2016 | Victim contract, Exploit contract, Exploit transaction
• The DAO attack – 17 June 2016 | Victim contract, Exploit contract, Exploit transaction
• SpankChain attack – 9 October 2018 | Victim contract, Exploit contract, Exploit transaction
• imBTC Uniswap pool attack – 18 April 2020 | Victim contract, Exploit contract, Exploit transaction
• Lendf.Me attack – 19 April 2020 | Victim contract, Exploit contract, Exploit transaction
• Akropolis attack – 12 November 2020 | Victim contract, Exploit contract, Exploit transaction
• ValueDeFi attack – 7 May 2021 | Victim contract, Exploit contract, Exploit transaction
• Rari Capital attack – 8 May 2021 | Victim contract, Exploit contract, Exploit transaction
• BurgerSwap attack – 27 May 2021 | Victim contract, Exploit contract, Exploit transaction
• Iron Finance attack – 16 June 2021 | Victim contract, Exploit contract, Exploit transaction
• PolyDEX attack – 20 June 2021 | Victim contract, Exploit contract, Exploit transaction
• DeFiPie attack – 12 July 2021 | Victim contract, Exploit contract, Exploit transaction
• Sanshu Inu attack – 20 July 2021 | Victim contract, Exploit contract, Exploit transaction
• XSURGE attack – 16 August 2021 | Victim contract, Exploit contract, Exploit transaction
• C.R.E.A.M. Finance attack – 30 August 2021 | Victim contract, Exploit contract, Exploit transaction
• Siren Protocol attack¹ – 3 September 2021 | Victim contract, Exploit contract, Exploit transaction
• CreatureToadz attack – 21 October 2021 | Victim contract, Exploit contract, Exploit transaction
• Grim Finance attack – 18 December 2021 | Victim contract, Exploit contract, Exploit transaction
• Visor Finance attack – 21 December 2021 | Victim contract, Exploit contract, Exploit transaction
• HypeBears attack – 3 February 2022 | Victim contract, Exploit contract, Exploit transaction
• Bacon Protocol attack – 5 March 2022 | Victim contract, Exploit contract, Exploit transaction
• Paraluni attack – 13 March 2022 | Victim contract, Exploit contract, Exploit transaction
• Agave Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
• Hundred Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
• Revest Finance attack – 27 March 2022 | Victim contract, Exploit contract, Exploit transaction
• Voltage Finance attack – 31 March 2022 | Victim contract, Exploit contract, Exploit transaction
• BNB Brokers attack – 27 April 2022 | Victim contract, Exploit contract, Exploit transaction
• Fei Protocol attack – 30 April 2022 | Victim contract, Exploit contract, Exploit transaction
• Bistroo attack – 7 May 2022 | Victim contract, Exploit contract, Exploit transaction
• Ownly attack – 10 May 2022 | Victim contract, Exploit contract, Exploit transaction
• Omni attack – 10 July 2022 | Victim contract, Exploit contract, Exploit transaction
• Stader Labs NearX attack – 16 August 2022 | Victim contract, Exploit contract², Exploit transaction
• Thunder Brawl attack – 30 September 2022 | Victim contract, Exploit contract, Exploit transaction
• QuickSwap Lend attack – 23 October 2022 | Victim contract, Exploit contract, Exploit transaction
• n00dleSwap attack – 25 October 2022 | Victim contract, Exploit contract, Exploit transaction
• DFX Finance attack – 10 November 2022 | Victim contract, Exploit contract, Exploit transaction
• Defrost Finance attack – 23 December 2022 | Victim contract, Exploit contract, Exploit transaction
• Jaypeggers attack – 29 December 2022 | Victim contract, Exploit contract, Exploit transaction
• Midas Capital attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
• 2Pi Network attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
• Abracadabra Money white hat attack – 16 January 2023 | Victim contract, Exploit contract, Exploit transaction
• Orion Protocol attack – 2 February 2023 | Victim contract, Exploit contract, Exploit transaction
• dForce Network attack³ – 9 February 2023 | Victim contract, Exploit contract, Exploit transaction
• Dynamic attack – 22 February 2023 | Victim contract, Exploit contract, Exploit transaction
• Sentiment attack – 4 April 2023 | Victim contract⁴, Exploit contract, Exploit transaction
• Paribus attack – 11 April 2023 | Victim contract⁵, Exploit contract, Exploit transaction
• MuratiAI attack – 6 June 2023 | Victim contract, Exploit contract, Exploit transaction
• Sturdy attack – 12 June 2023 | Victim contract, Exploit contract, Exploit transaction
• Arcadia Finance attack⁶ – 10 July 2023 | Victim contract, Exploit contract, Exploit transaction
• Libertify attack⁷ – 11 July 2023 | Victim contract, Exploit contract, Exploit transaction
• Conic Finance attack – 21 July 2023 | Victim contract, Exploit contract, Exploit transaction
• EraLend attack – 25 July 2023 | Victim contract, Exploit contract, Exploit transaction
• Curve attack⁸ – 30 July 2023 | Victim contract, Exploit contract, Exploit transaction
• Earning.Farm attack – 9 August 2023 | Victim contract, Exploit contract, Exploit transaction
• Defiway attack – 3 October 2023 | Victim contract, Exploit contract, Exploit transaction
• Stars Arena attack – 7 October 2023 | Victim contract, Exploit contract, Exploit transaction
• 0x0 attack – 27 October 2023 | Victim contract, Exploit contract, Exploit transaction
• Peapods Finance attack – 13 December 2023 | Victim contract, Exploit contract, Exploit transaction
• NFT Trader attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
• GoodDollar attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
• Nebula Revelation attack – 25 January 2024 | Victim contract, Exploit contract, Exploit transaction
• Barley Finance attack – 28 January 2024 | Victim contract, Exploit contract, Exploit transaction
• ChainPaint attack – 12 February 2024 | Victim contract, Exploit contract, Exploit transaction
• Rugged Art attack – 19 February 2024 | Victim contract, Exploit contract, Exploit transaction
• The Smoofs attack – 28 February 2024 | Victim contract, Exploit contract, Exploit transaction
• Sumer Money attack – 12 April 2024 | Victim contract, Exploit contract, Exploit transaction
• Predy Finance attack – 14 May 2024 | Victim contract, Exploit contract, Exploit transaction
• Mint Raises Prices attack – 2 July 2024 | Victim contract, Exploit contract, Exploit transaction
• Minterest attack – 14 July 2024 | Victim contract, Exploit contract, Exploit transaction
• Terra attack⁹ – 31 July 2024 | Victim contract, Exploit contract, Exploit transaction

Some of the exploits carried out involve multiple separate transactions as well as multiple victim and exploit contracts. For each attack, I have listed the most affected victim contract, the most critical exploit contract, and the most devastating exploit transaction.

💢 Disclaimer

Footnotes

1. To prevent the article from constantly reloading, deactivate JavaScript in your browser. ↩

2. We list the attacker's address here for the sake of completeness, but technically the attack was executed with a Near-specific transaction type called "Batch Transaction" and not with a specific exploit contract. ↩

3. We list the victim contract, the exploit contract, and the exploit transaction on Arbitrum. However, the same exploit was carried out on Optimism with almost the same amount of loss: Victim contract, Exploit contract, Exploit transaction. ↩

4. The same exploit hit another victim with almost the same amount of loss: Victim contract. ↩

5. The same exploit hit two other victims with almost the same amount of loss: Victim contract 2, Victim contract 3. ↩

6. We list the victim contract, the exploit contract, and the exploit transaction on Optimism. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction. ↩

7. We list the victim contract, the exploit contract, and the exploit transaction on Polygon. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction. ↩

8. The technical post-mortem on the reentrancy lock vulnerability from Vyper can be found here. ↩

9. The details of the GitHub Security Advisory (GHSA) used to exploit the Terra blockchain can be found here. ↩