
Smart Contract Vulnerabilities (SCV) List

SCV-List

This list highlights the accomplishments and disclosed vulnerabilities of the top white hat security experts in DeFi.

This list is part HackerOne leaderboard and part CVE database. Contributions are welcome, and it would be amazing if the crypto community could crowdsource a CVE-like database. My arbitrary rules for including a vulnerability in this list (until I am convinced otherwise) are that the vulnerability must have been discovered on mainnet (meaning most audit findings are excluded) and it must not have resulted in intentional loss of user funds (meaning most rekt.news hacks are excluded).

So far, the sources of this list include postmortems from Immunefi’s Medium posts, samczsun’s research, and assorted vulnerabilities I have seen on crypto twitter. Additional submissions to fill in gaps are welcome.

What about common code weaknesses?

This list only includes actual vulnerabilities. CWE-like lists exist to capture common weaknesses in code, including these lists:

What about hacks that cause protocols to get rekt?

This list does not include black hat hacks that involved loss of user funds, even if the funds were returned. There are other lists for that, including these lists:

Contributions

Contributions are very welcome. This list is guaranteed to be incomplete.

| Date | Protocol Name | Layer 1 | Vulnerability Description | Writeup Link | Additional Links | Total Value at Risk | Whitehat | Bounty Award | Vulnerability ID |
|---|---|---|---|---|---|---|---|---|---|
| 08/10/21 | Belt Finance | BSC | Bypass of internal balance calculation by sending tokens directly to contract | https://medium.com/immunefi/belt-finance-logic-error-bug-fix-postmortem-39308a158291 | | $60,000,000 | @bobface16 | $1,050,000 | |
| 01/30/21 | ArmorFi | ETH | Math error | https://medium.com/immunefi/armorfi-bug-bounty-postmortem-cf46eb650b38 | | Unclear | @bobface16 | $876,000 | |
| 05/13/21 | Fei Protocol | ETH | Drain funds using flashloan price manipulation of Uniswap pool | https://medium.com/immunefi/fei-protocol-flashloan-vulnerability-postmortem-7c5dc001affb | https://medium.com/fei-protocol/fei-bonding-curve-bug-post-mortem-98d2c6f271e9 | $240,000,000 | @bobface16 | $800,000 | |
| 11/17/21 | Enzyme Finance | ETH | Drain funds using flashloan to manipulate contract internal calculations | https://medium.com/immunefi/enzyme-finance-price-oracle-manipulation-bug-fix-postmortem-4e1f3d4201b5 | | $400,000 | setuid0 | $90,000 | |
| 10/05/21 | RocketPool | ETH | A malicious node can frontrun an ETH deposit to take ETH from the protocol's ETH deposit. | https://medium.com/immunefi/rocketpool-lido-frontrunning-bug-fix-postmortem-e701f26d7971 | https://twitter.com/rocket_pool/status/1446300700661583876?s=21 | Unclear | Dmitri Tsumak | $100,000 | |
| 10/05/21 | Lido Finance | ETH | A malicious node can frontrun an ETH deposit to take ETH from the protocol's ETH deposit. | https://medium.com/immunefi/rocketpool-lido-frontrunning-bug-fix-postmortem-e701f26d7971 | | Unclear | Dmitri Tsumak | $100,000 | |
| 06/16/21 | Alchemix | ETH | Unprotected functions could lead to frontrunning and denial of service | https://medium.com/immunefi/alchemix-access-control-bug-fix-debrief-a13d39b9f2e0 | | $300 | @ashiqamien | $7,500 | |
| 06/07/21 | 88mph | ETH | Unprotected init() function was missing onlyOwner modifier | https://medium.com/immunefi/88mph-function-initialization-bug-fix-postmortem-c3a2282894d3 | | $6,500,000 | @ashiqamien | $42,069 | |
| 11/27/21 | dYdX | StarkWare L2 | Low level call() with arbitrary inputs could be performed by untrusted parties. | https://dydx.exchange/blog/deposit-proxy-post-mortem | | $2,000,000 | Anon | $500,000 | |
| 12/05/21 | Polygon | MATIC | Bad signature check with ecrecover | https://medium.com/immunefi/polygon-lack-of-balance-check-bugfix-postmortem-2-2m-bounty-64ec66c24c7d | https://blog.polygon.technology/all-you-need-to-know-about-the-recent-network-upgrade/ | $18,000,000,000 | Leon Spacewalker | $2,200,000 | |
| 12/21/21 | Cronos | Cronos | | https://medium.com/immunefi/cronos-theft-of-transactions-fees-bugfix-postmortem-b33f941b9570 | https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r | Rewards only, not original assets | zb3 | $40,000 | CVE-2021-43839 |
| 10/20/21 | Harvest Finance | ETH | Uninitialized proxy | https://medium.com/immunefi/harvest-finance-uninitialized-proxies-bug-fix-postmortem-ea5c0f7af96b | | $6,400,000 | Dedaub | $200,000 | |
| 10/05/21 | Polygon | MATIC | Double spend bridge vulnerability | https://medium.com/immunefi/polygon-double-spend-bug-fix-postmortem-2m-bounty-5a1db09db7f1 | | $850,000,000 | Gerhard Wagner | $2,000,000 | |
| 09/02/21 | OpenZeppelin | ETH | Reentrancy vulnerability in OpenZeppelin TimelockController contract | https://medium.com/immunefi/openzeppelin-bug-fix-postmortem-66d8c89ed166 | https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5#diff-8229f9027848871a1706845a5a84fa3e6591445cfac6e16cfb7d652e91e8d395R307 | Unknown | zb3 | $25,000 | |
| 07/31/21 | Tidal Finance | MATIC | Uninitialized or unset rewardDebt variable defaults to zero, allowing free unearned reward | https://medium.com/immunefi/tidal-finance-logic-error-bug-fix-postmortem-3607d8b7ed1f | https://github.com/TidalFinance/tidal-contracts/commit/924e87f1aead70abb17760c839b53ba40d80bf2c#diff-46a924754f71a2f8be88d0f20295f40653c881426d64b90e8bdd4f4bed303368 | Unclear | Csanuragjain | $25,000 | |
| 08/01/21 | xDai Stake | xDAI | Tokens accidentally sent to bridge contract can be stolen | https://medium.com/immunefi/xdai-stake-arbitrary-call-method-bug-postmortem-f80a90ac56e3 | | $4.50 | 0xadee028d | $5,000 | |
| 07/30/21 | Teller | ETH | Uninitialized proxy | https://medium.com/immunefi/teller-bug-fix-postmorten-and-bug-bounty-launch-b3f67a65c5ac | | $1,000,000 | Bugdefeat | $50,000 | |
| 06/14/21 | MCDEX | Arbitrum | Contract does not validate user-provided contract address input parameter, allowing a user to craft a malicious contract. | https://medium.com/immunefi/mcdex-insufficient-validation-bug-fix-postmortem-182fc6cab899 | | Unclear | Lucash-dev | $50,000 | |
| 04/27/21 | PancakeSwap | BSC | Lottery ticket NFT can be redeemed multiple times because first redemption doesn't invalidate ticket. | https://medium.com/immunefi/pancakeswap-logic-error-bug-fix-postmortem-f2d02adb6983 | | $700,000 | Juno | | |
| 06/13/21 | Cream Finance | ETH | Old contract allows users to receive liquidity mining rewards without participating in liquidity mining. | https://medium.com/immunefi/cream-finance-insufficient-validation-bug-fix-postmortem-1ec7248e8865 | | $100,000 | Azeem | $20,750 | |
| 06/08/21 | Mushrooms Finance | ETH | Flashloan function is missing an authorization check, allowing any user to call the function. | https://medium.com/immunefi/mushrooms-finance-logic-error-bug-fix-postmortem-780122821621 | | $635,000 | ckksec | $60,000 | |
| 04/26/21 | SharedStake | ETH | Low level call() with user-provided inputs could extract timelocked funds | https://medium.com/immunefi/sharedstake-insider-exploit-postmortem-17fa93d5c90e | | $40,000,000 | Lucash-dev | $5,000 | |
| 02/09/21 | Charged Particles | ETH | A user could sell their NFT but still maintain possession of the NFT after the sale using a malicious contract. | https://medium.com/immunefi/charged-particles-griefing-bug-fix-postmortem-d2791e49a66b | https://github.com/Charged-Particles/charged-particles-universe/commit/f4fb60e3f791c1bb3b8907276b27d0319ce46a68#diff-91fca72e3021a185238dd0e82e118ae3ab5993db93dd322d301c665ff74e3eed | Unclear | unsafe_call | $5,000 | |
| 06/09/21 | Zapper | ETH | Low level call() with user-provided inputs could steal LP tokens | https://medium.com/immunefi/zapper-arbitrary-call-data-bug-fix-postmortem-d75a4a076ae9 | https://medium.com/zapper-protocol/post-mortem-sushiswap-uniswap-v2-zap-out-exploit-84e5d34603f0 | Unclear | Lucash-dev | $25,000 | |
| 04/27/21 | Mushrooms Finance | ETH | MEV attack can steal yield | https://medium.com/immunefi/mushrooms-finance-theft-of-yield-bug-fix-postmortem-16bd6961388f | | Unclear | Wen-Ding Li | $4,000 | |
| 03/11/21 | Sovryn | RSK | User could take out a loan using another party's collateral, allowing theft of the "borrowed" funds | https://medium.com/immunefi/sovryn-loan-vulnerability-postmortem-ffaf4d1d688f | | $6,800 | Whitehat Turbo | $76,568 | |
| 03/16/21 | Vesper | ETH | Drain funds using flashloan price manipulation of Uniswap pool | https://medium.com/immunefi/vesper-rebase-vulnerability-postmortem-and-bug-bounty-55354a49d184 | https://medium.com/dedaub/yield-skimming-forcing-bad-swaps-on-yield-farming-397361fd7c72 | $310,000 | Dedaub | Unclear | |
| 04/06/21 | Fei Protocol | ETH | A combination of Uniswap function calls and Fei incentive calculations around maintaining peg allow a user to receive free WETH | https://medium.com/immunefi/fei-protocol-vulnerability-postmortem-483f9a7e6ad1 | | $5,640,000 | 0xRevert | $300,000 | |
| 02/22/21 | PancakeSwap | BSC | User can frontrun the winning lottery ticket selection and buy the winning lottery ticket | https://medium.com/immunefi/pancakeswap-lottery-vulnerability-postmortem-and-bug-4febdb1d2400 | | $240,000 | Thunder | Unclear | |
| 02/21/21 | Primitive Finance | | | https://primitivefinance.medium.com/postmortem-on-the-primitive-finance-whitehack-of-february-21st-2021-17446c0f3122 | https://medium.com/immunefi/inside-the-war-room-that-saved-primitive-finance-6509e2188c86 | | | | |
| 05/08/21 | Meebit NFTs | | Brute force attack to mint rare Meebits NFTs | https://iphelix.medium.com/meebit-nft-exploit-analysis-c9417b804f89 | | | | | |
| 10/28/21 | Aztec | | | https://hackmd.io/@aztec-network/disclosure-of-recent-vulnerabilities | | | Xin Gao and Onur Kilic | $50,000 | |
| 11/15/21 | Nerve Bridge | | | https://blocksecteam.medium.com/the-analysis-of-nerve-bridge-security-incident-ead361a21025 | | $540,000 | | | |
| 08/14/21 | Curve Bribe | ETH | | https://twitter.com/bantg/status/1426629982328180737 | | $118,000 | @bantg | Unknown | |
| 08/16/21 | SushiSwap | ETH | | https://samczsun.com/two-rights-might-make-a-wrong/ | https://hackmd.io/@353yQn6WTImF5o12LQXXfQ/Hy2ZDYFxF | $350,000,000 | @samczsun | Unknown | |
| 08/13/21 | ENS Name Wrapper | ETH | | https://samczsun.com/the-dangers-of-surprising-code/ | | | @samczsun | | |
| 02/26/21 | Tokenlon | | | https://tokenlon.medium.com/tokenlon-4-0-fee-incident-disclosure-9ee8b5fad564 | | | @samczsun | | |
| 04/05/21 | Ambisafe | | | https://samczsun.com/uncovering-a-four-year-old-bug/ | | | @samczsun | | |
| 03/26/21 | ElasticDAO | | | https://medium.com/elasticdao/elasticdao-smart-contract-and-security-audits-400f424281b6 | | | @samczsun | | |
| 02/15/21 | NFTX | | | https://forum.nftx.org/t/retroactive-bug-bounty/161 | | | @samczsun | $50,000 | |
| 02/09/21 | ForTube | | | https://medium.com/the-force-protocol/fortube-security-vulnerability-fix-c5847359ba7d | | | @samczsun | | |
| 02/21/21 | Hashmasks | | | https://samczsun.com/the-dangers-of-surprising-code/ | https://thehashmasks.medium.com/hashmask-art-sale-bug-report-13ccd66b55d7 | | @samczsun | $12,500 | |
| 01/09/21 | Optimism | | | ethereum-optimism/contracts#172 | ethereum-optimism/contracts#179, ethereum-optimism/contracts#181, ethereum-optimism/contracts#364, ethereum-optimism/contracts#360 | | @samczsun | | |
| 12/03/20 | Frax Finance | | | FraxFinance/frax-solidity#12 | FraxFinance/frax-solidity#7 | | @samczsun | | |
| 10/12/20 | Yield Protocol | | | yieldprotocol/fyDai#360 | | | @samczsun | | |
| 10/15/20 | Alpha Homora | | | https://blog.alphafinance.io/alpha-homora-adjustments/ | | | @samczsun | | |
| 10/03/20 | Aavegotchi Staking | | | aavegotchi/ghst-staking#2 | | | @samczsun | | |
| 09/25/20 | Incognito Chain | | | https://we.incognito.org/t/how-a-smart-contract-vulnerability-was-discovered-and-fixed/6416 | | | @samczsun | | |
| 09/15/20 | Lien Finance | | | https://samczsun.com/escaping-the-dark-forest/ | | | @samczsun | | |
| 08/21/20 | xTokens | | | https://medium.com/xtoken/xsnxa-false-start-post-mortem-f26a7a735383 | | | @samczsun | | |
| 07/25/20 | yVault | | | https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/ | | $400,000 | @samczsun | | |
| | Atomic Loans | | | | | | @samczsun | | |
| | Aragon Court | | | https://blog.aragon.one/aragon-court-v1-upgrades/ | | | @samczsun | | |
| | Synthetix | | | https://blog.synthetix.io/bug-disclosure | | | @samczsun | | |
| | Hegic | | | https://twitter.com/0mllwntrmt3/status/1242645476136103936 | | | @samczsun | | |
| 02/18/20 | Nexus Mutual | | | https://medium.com/nexus-mutual/responsible-vulnerability-disclosure-ece3fe3bcefa | | | Mudit Gupta | $2,000 | |
| 02/20/20 | Nexus Mutual | | | https://medium.com/nexus-mutual/responsible-vulnerability-disclosure-ece3fe3bcefa | | | @samczsun | $5,000 | |
| 02/17/20 | Authereum | | | https://medium.com/authereum/account-vulnerability-disclosure-ec9e288c6a24 | | | @samczsun | | |
| 09/13/19 | Kyber Network | | | https://blog.kyber.network/anatomy-of-a-bridge-reserve-smart-contract-vulnerability-and-how-we-fixed-it-fc5c50d13238 | | | @samczsun | | |
| 11/08/19 | ENS | | | https://medium.com/the-ethereum-name-service/lets-talk-ens-migration-a92d5c21df28 | | | @samczsun | | CVE-2020-5232 |
| 01/25/20 | Curve Finance | | | https://blog.curve.fi/vulnerability-disclosure/ | | | @samczsun | | |
| 10/17/19 | Cheeze Wizards | | | https://medium.com/dapperlabs/disclosure-forking-cheeze-wizards-smart-contracts-all-funds-and-wizards-are-secure-3c53af5bc531 | | | @samczsun | | |
| 09/18/19 | Hydro Protocol | | | https://medium.com/ddex/fixed-potential-vulnerability-in-contract-used-during-private-beta-217c0ed6f694 | | | @samczsun | | |
| 09/03/19 | bZx Protocol | | | https://medium.com/@b0xNet/your-funds-are-safe-d35826fe9a87 | | | @samczsun | | |
| 07/29/19 | Livepeer | | | https://forum.livepeer.org/t/protocol-paused-for-bug-fix-upgrade-7-29-19-4-21pm-edt-update-protocol-resumed-as-of-8-40pm-edt/841 | | | @samczsun | | |
| 07/12/19 | 0x Exchange | | | https://samczsun.com/the-0x-vulnerability-explained/ | | | @samczsun | | |

License: Apache License 2.0