pcaversaccio / reentrancy-attacks Goto Github PK

A chronological and (hopefully) complete list of reentrancy attacks to date.

License: GNU Affero General Public License v3.0

ethereum reentrancy solidity smart-contracts security exploit

reentrancy-attacks's Introduction

⚔️ A Historical Collection of Reentrancy Attacks

📌 Definition of a Reentrancy Attack

Unsafe external call(s) that allow(s) malicious manipulation of the internal and/or associated external contract state(s).

📚 Types of Reentrancy Attacks

Single-Function Reentrancy
Cross-Function Reentrancy
Cross-Contract Reentrancy
Cross-Chain Reentrancy
Read-Only Reentrancy

📜 Reentrancy Attacks List

A chronological and (hopefully) complete list of reentrancy attacks to date.

WETH white hat attack – 10 June 2016 | Victim contract, Exploit contract, Exploit transaction
The DAO attack – 17 June 2016 | Victim contract, Exploit contract, Exploit transaction
SpankChain attack – 9 October 2018 | Victim contract, Exploit contract, Exploit transaction
imBTC Uniswap pool attack – 18 April 2020 | Victim contract, Exploit contract, Exploit transaction
Lendf.Me attack – 19 April 2020 | Victim contract, Exploit contract, Exploit transaction
Akropolis attack – 12 November 2020 | Victim contract, Exploit contract, Exploit transaction
ValueDeFi attack – 7 May 2021 | Victim contract, Exploit contract, Exploit transaction
Rari Capital attack – 8 May 2021 | Victim contract, Exploit contract, Exploit transaction
BurgerSwap attack – 27 May 2021 | Victim contract, Exploit contract, Exploit transaction
Iron Finance attack – 16 June 2021 | Victim contract, Exploit contract, Exploit transaction
PolyDEX attack – 20 June 2021 | Victim contract, Exploit contract, Exploit transaction
DeFiPie attack – 12 July 2021 | Victim contract, Exploit contract, Exploit transaction
Sanshu Inu attack – 20 July 2021 | Victim contract, Exploit contract, Exploit transaction
XSURGE attack – 16 August 2021 | Victim contract, Exploit contract, Exploit transaction
C.R.E.A.M. Finance attack – 30 August 2021 | Victim contract, Exploit contract, Exploit transaction
Siren Protocol attack¹ – 3 September 2021 | Victim contract, Exploit contract, Exploit transaction
CreatureToadz attack – 21 October 2021 | Victim contract, Exploit contract, Exploit transaction
Grim Finance attack – 18 December 2021 | Victim contract, Exploit contract, Exploit transaction
Visor Finance attack – 21 December 2021 | Victim contract, Exploit contract, Exploit transaction
HypeBears attack – 3 February 2022 | Victim contract, Exploit contract, Exploit transaction
Bacon Protocol attack – 5 March 2022 | Victim contract, Exploit contract, Exploit transaction
Paraluni attack – 13 March 2022 | Victim contract, Exploit contract, Exploit transaction
Agave Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
Hundred Finance attack – 15 March 2022 | Victim contract, Exploit contract, Exploit transaction
Revest Finance attack – 27 March 2022 | Victim contract, Exploit contract, Exploit transaction
Voltage Finance attack – 31 March 2022 | Victim contract, Exploit contract, Exploit transaction
BNB Brokers attack – 27 April 2022 | Victim contract, Exploit contract, Exploit transaction
Fei Protocol attack – 30 April 2022 | Victim contract, Exploit contract, Exploit transaction
Bistroo attack – 7 May 2022 | Victim contract, Exploit contract, Exploit transaction
Ownly attack – 10 May 2022 | Victim contract, Exploit contract, Exploit transaction
Omni attack – 10 July 2022 | Victim contract, Exploit contract, Exploit transaction
Stader Labs NearX attack – 16 August 2022 | Victim contract, Exploit contract², Exploit transaction
Thunder Brawl attack – 30 September 2022 | Victim contract, Exploit contract, Exploit transaction
QuickSwap Lend attack – 23 October 2022 | Victim contract, Exploit contract, Exploit transaction
n00dleSwap attack – 25 October 2022 | Victim contract, Exploit contract, Exploit transaction
DFX Finance attack – 10 November 2022 | Victim contract, Exploit contract, Exploit transaction
Defrost Finance attack – 23 December 2022 | Victim contract, Exploit contract, Exploit transaction
Jaypeggers attack – 29 December 2022 | Victim contract, Exploit contract, Exploit transaction
Midas Capital attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
2Pi Network attack – 15 January 2023 | Victim contract, Exploit contract, Exploit transaction
Abracadabra Money white hat attack – 16 January 2023 | Victim contract, Exploit contract, Exploit transaction
Orion Protocol attack – 2 February 2023 | Victim contract, Exploit contract, Exploit transaction
dForce Network attack³ – 9 February 2023 | Victim contract, Exploit contract, Exploit transaction
Dynamic attack – 22 February 2023 | Victim contract, Exploit contract, Exploit transaction
Sentiment attack – 4 April 2023 | Victim contract⁴, Exploit contract, Exploit transaction
Paribus attack – 11 April 2023 | Victim contract⁵, Exploit contract, Exploit transaction
MuratiAI attack – 6 June 2023 | Victim contract, Exploit contract, Exploit transaction
Sturdy attack – 12 June 2023 | Victim contract, Exploit contract, Exploit transaction
Arcadia Finance attack⁶ – 10 July 2023 | Victim contract, Exploit contract, Exploit transaction
Libertify attack⁷ – 11 July 2023 | Victim contract, Exploit contract, Exploit transaction
Conic Finance attack – 21 July 2023 | Victim contract, Exploit contract, Exploit transaction
EraLend attack – 25 July 2023 | Victim contract, Exploit contract, Exploit transaction
Curve attack⁸ – 30 July 2023 | Victim contract, Exploit contract, Exploit transaction
Earning.Farm attack – 9 August 2023 | Victim contract, Exploit contract, Exploit transaction
Defiway attack – 3 October 2023 | Victim contract, Exploit contract, Exploit transaction
Stars Arena attack – 7 October 2023 | Victim contract, Exploit contract, Exploit transaction
0x0 attack – 27 October 2023 | Victim contract, Exploit contract, Exploit transaction
Peapods Finance attack – 13 December 2023 | Victim contract, Exploit contract, Exploit transaction
NFT Trader attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
GoodDollar attack – 16 December 2023 | Victim contract, Exploit contract, Exploit transaction
Nebula Revelation attack – 25 January 2024 | Victim contract, Exploit contract, Exploit transaction
Barley Finance attack – 28 January 2024 | Victim contract, Exploit contract, Exploit transaction
ChainPaint attack – 12 February 2024 | Victim contract, Exploit contract, Exploit transaction
Rugged Art attack – 19 February 2024 | Victim contract, Exploit contract, Exploit transaction
The Smoofs attack – 28 February 2024 | Victim contract, Exploit contract, Exploit transaction
Sumer Money attack – 12 April 2024 | Victim contract, Exploit contract, Exploit transaction

Some of the exploits carried out involve multiple separate transactions as well as multiple victim and exploit contracts. For each attack, I have listed the most affected victim contract, the most critical exploit contract, and the most devastating exploit transaction.

💢 Disclaimer

To prevent the article from constantly reloading, deactivate JavaScript in your browser. ↩
We list the attacker's address here for the sake of completeness, but technically the attack was executed with a Near-specific transaction type called "Batch Transaction" and not with a specific exploit contract. ↩
We list the victim contract, the exploit contract, and the exploit transaction on Arbitrum. However, the same exploit was carried out on Optimism with almost the same amount of loss: Victim contract, Exploit contract, Exploit transaction. ↩
The same exploit hit another victim with almost the same amount of loss: Victim contract. ↩
The same exploit hit two other victims with almost the same amount of loss: Victim contract 2, Victim contract 3. ↩
We list the victim contract, the exploit contract, and the exploit transaction on Optimism. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction. ↩
We list the victim contract, the exploit contract, and the exploit transaction on Polygon. However, the same exploit was carried out on Ethereum, albeit with a smaller loss amount: Victim contract, Exploit contract, Exploit transaction. ↩
The technical post-mortem on the reentrancy lock vulnerability from Vyper can be found here. ↩

reentrancy-attacks's People

Contributors

Stargazers

Watchers

Forkers

darwindeveloper901 samgmk sambacha armathor all-forks bolabola finn79426 0x0918 xjjda22 yanrising ardakalayci woods1060 chirag21 lexlion11 umamaquinadeondas libaice dec3ntraliz3d whitespur mmc6185 emptysec1 0xfuje 0xkmg adeshkolte gmh5225 demon1k drelick sprtd shonker nametsego joselvelez mounotain hawk-liu xzone911 zorrosword u20024804 paulatsydney johnashu a-n-d-i-l-e chanpu9 snooowgh darwincapital unordered-set zha0 nonsoamadi10 defistar degatchi asante-ntiro bbenzikry audityourcontracts wangluxu quicklearnpro jamestangeres shantanu561993 thanhtoantnt kalikho beillahi fakemonkgin lazaermaks phuong39 smartcontract-detect-yzu sajibekanti 0xciphky risame-blockchain sujantkumarkv netzulo billyjitsu offsecpedia lucmuhizi crypto-zone ofiryc alexanderkirilov ololade97 bigpingge zhwanwancn aboudoc pheonix244001 cation-cmd nishchit-dev abbasali1994 yixincertik noorahsmith rookiedrummer 3rinubrevke tradersnow222 shobeirimajid loose-dreiy cryptoholder-la 0x13lin goncalomagalhaes bubblyorca web3secresearch hackervip996 5l1v3r1 mliserb patrickalphac buildwithme sunrise1002 vjgaur zoeyyyzou iampatel23

reentrancy-attacks's Issues

🔎 Dynamic Attack Seems Not Be Caused by Reentrancy

the function redeem follow the check-affect-interaction pattern
and this attack is caused by its wrong logic

💥 Add Address and Transaction Information

It'd be nice to provide an etherscan link to the contract and attack tx hash so that it's easy to find the source code and exploit.

🌪 Nebula Revelation Attack

Attack transaction: https://optimistic.etherscan.io/tx/0xf4fc3b638f1a377cf22b729199a9aeb27fc62fe2983a65c4d14b99ee5c5b2328
Tweet: https://twitter.com/NBLGAME/status/1750540148050391210

🔎 Reference Data to Attacks Listed

Reference attack data sets

(incomplete, but can make it complete if you would like to add it)

This is sourced from https://github.com/uni-due-syssec/sereum-results/blob/v2/contracts.md.

here is the entire list in csv format if you would like to add it

Earliest Reentrancy Attacks

Name	Address	Count	Percentage	Attack	Codehash	First Block with Attack	Last Block with Attack
DSEthToken	0xd654bdd32fc99471455e86c2e7f7d7b6437e9179	42	0.2	Yes	0x5030ef85cd4668380445bc7a67bfceb66555b98905aeebbfa4057ccc90fc5191	1680024 (2016-06-10)	1680353 (2016-06-10)
N/A	0xf01fe1a15673a5209c94121c45e2121fe2903416	1	0	Yes	0xd39b80a4f0a184363d79e89bc4d113538d91679321d35c2430ae8a2912b98340	1743596 (2016-06-21)	1743596 (2016-06-21)
TheDarkDAO	0x304a554a310c7e546dfe434669c62820b7d83490	174	0.84	Yes	0x6a5d24750f78441e56fec050dc52fe8e911976485b7472faac7464a176a67caa	1881284 (2016-07-14)	1911084 (2016-07-19)
?	0x7660727d3cb947e807acead927ef3ede24c4a18d	4	0.02	?	0xe9435c1fa4d66d60c25546e8391c63b97251a46baa0c2eaf9f67a9e4344b2832	1956895 (2016-07-26)	2016761 (2016-08-05)
TheDAO	0xbb9bc244d798123fde783fcc1c72d3bb8c189413	2112	10.2	Yes	0x6a5d24750f78441e56fec050dc52fe8e911976485b7472faac7464a176a67caa	1718497 (2016-06-17)	2130764 (2016-08-24)
proxyCC (CC)	0x238f99a33f6a1c78187b5b0d645cb4606aebf9e3	38	0.18	No	0x3ccbb4d23c292d1f38b8bd3a4b0f3903c915fe1eb483cc2a2e07f0ac7253eae7	2753269 (2016-12-05)	3151437 (2017-02-09)
Spankchain(PaymentChannel)	0xf91546835f756da0c10cfa0cda95b15577b84aa7	8	0.04	Yes	0x46a8b25053a9cf565e3032a4e9348281eda7cc5f3837a3613aea7a3dd9b9d3c2	6467246 (2018-10-07)	7168364 (2019-02-03)
BlockchainCuties	0xd73be539d6b2076bab83ca6ba62dfe189abc6bbe	2597	12.54	No	0x9d9df1dc920c01efbd3ce3c17f6b1e8ee0185675511af5b5231ed5476eb4d7c3	7725341 (2019-05-09)	9064560 (2019-12-07)

Additional information

it may be helpful also to define re-entrancy:

Reentrancy: The untrusted external call allows the attacker to re-enter the target contract, thus making
it is possible to operate in an inconsistent internal state.

Types of Reentrancy

Delegate-based reentrancy
Cross-function reentrancy

I will wait until the final post-mortem is released to decide whether to add the recent Defrost Finance attack (maybe can be also classified as a rug pull): https://twitter.com/PeckShieldAlert/status/1606276020276891650

🌪 XSURGE Attack

Consider adding XSURGE to the list it was an Flashloan + Reentrancy attack that lost $5 million.

Date: August 16, 2021
Medium Article
bscscan link

🌪 Paribus Attack

🌪 Curve Attack

https://twitter.com/peckshield/status/1685647455382355970
0-day by Vyper compiler: https://twitter.com/vyperlang/status/1685692973051498497
Post-mortem: https://hackmd.io/@LlamaRisk/BJzSKHNjn

📌First Ever Reentrancy Attack

The first reentrency attck was a whitehack attack by me against my first WETH deployment.

https://old.reddit.com/r/ethereum/comments/4nmohu/from_the_maker_dao_slack_today_we_discovered_a/

Here you can see me thank the researcher for pointing out this general class of issues, which made us realize our contract was vulnerable.

I can’t find it now because all the slockit websites have been deleted, but shortly after this post, TheDAO devs made a blog post boasting that their contract was not vulnerable.

It has been a repeated theme for the last 5 years that people take worse versions of what I or some other good-faith inventor come up with, attach a scam token, and try to erase history. Please help preserve this historical record that TheDAO disaster could have been averted, but people who pay to market tokens to retail are more concerned about a quick flip than they are about building sound systems.

🌪 Earning.Farm Attack

Earning.Farm attack – 9 August 2023 | Victim contract, Exploit contract, Exploit transaction

The underlying reason for choosing 0x12Df0C95D2c549bbBC96cf8FbA02cA4Bc541aFD9 as the victim contract is that ultimately it's the proxy contract from Earning.Farm's leverage address that got affected the most.

https://explorer.phalcon.xyz/tx/eth/0x6e6e556a5685980317cb2afdb628ed4a845b3cbd1c98bdaffd0561cb2c4790fa

🌪 Orion Protocol Attack

Orion Protocol attack – February 2, 2023 | Victim contract, Exploit contract, Exploit transaction

-> Waiting until an official post-mortem is available.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.