Bars reflect gross losses in this 24-exploit dataset. Poly Network ($611M, 2021) and Euler Finance ($197M, 2023) were fully recovered. For total industry losses see the Statistics page.
| Protocol | Year | USD Lost | Vulnerability Class | Audited? | Recovered? |
|---|
The foundational exploit that defined smart contract security. A reentrancy bug in the DAO's withdrawal function allowed an attacker to recursively drain funds before the balance was updated. The response — an Ethereum hard fork to reverse the theft — remains unique in blockchain history and established community precedent for when code-is-law has limits. Every developer must understand this pattern before writing any contract that moves value.
A "user" accidentally called initWallet() on the uninitialized Parity multi-sig library contract,
becoming its owner, then called kill() which permanently self-destructed the library. All wallets depending
on that library were permanently frozen. $150M is frozen to this day. This established the critical lesson:
library contracts require their own access control and initialization checks.
A pristine case study in governance attack design. The attacker pre-submitted a malicious proposal (BIP-18 to transfer
all assets to themselves), waited 24 hours for the governance delay, then in a single transaction flash-borrowed $1B+,
acquired 79% of governance tokens, passed the proposal via emergencyCommit(), extracted all assets, and
repaid the loan. Total elapsed time: ~13 seconds. No code bug. The governance system worked exactly as designed.
The design was fatally flawed.
Euler was audited 10 times by 6 firms, yet a function (donateToReserves()) added after the majority of
audits skipped a crucial health check, allowing attackers to create an artificially insolvent position and drain funds.
The most important lesson: code added after an audit is unaudited code. The attacker ultimately
returned all funds after on-chain negotiation — a near-unique outcome in DeFi history.
The largest single theft in cryptocurrency history. The Lazarus Group (North Korea) compromised Safe's frontend infrastructure, injecting malicious JavaScript that replaced legitimate transaction calldata with a call to a malicious delegate contract. Bybit's multisig signers saw a legitimate-looking UI while approving a transaction that transferred control of the cold wallet. No smart contract was vulnerable. No code audit could have prevented this. FBI confirmed DPRK attribution (IC3, Feb 2025).
| Audit Status | Count | % of Exploits |
|---|---|---|
| Audited (relevant code) | 12 | 50% |
| Audited (not vulnerable component) | 5 | 21% |
| Not audited | 4 | 17% |
| Unknown / unclear | 3 | 12% |
All 4 unaudited protocols suffered 100% loss with zero recovery. Being audited is a necessary but insufficient condition for security.
Web2 / infrastructure attacks (BadgerDAO, Bybit, Radiant) • Operational security failures (key management, social engineering) • Economic design attacks (Mango Markets price self-pump) • Compiler bugs (Curve Vyper 2023) • Code added after the audit was completed (Euler Finance, Cream Aug 2021)
10 audits by 6 firms did not prevent a $197M exploit. The vulnerable function was in scope for only 1 of 10 engagements, and had been added after the majority of audits. Continuous auditing and invariant-based on-chain monitoring are the necessary evolution beyond point-in-time audits.