Exactly Protocol suffered a $7.3M loss due to missing input validation.
LeetSwap got exploited due to price manipulation.
JPEG’d lost $11.4M due to reentrancy vulnerability.
Pond0x coin launch was blamed for rug pull.
Hacks
Hacks Analysis
Exactly Protocol | Amount Lost: $7.3M
On August 18, the Exactly Protocol exploit on the Optimism Mainnet resulted in a $7.3M loss. The root cause was the public leverage() function in the DebtManager contract of Exactly Protocol. This function was missing proper input validation. The attacker exploited this vulnerability by passing in an invalid market address when using the leverage() function and created a UniswapV3 liquidity position with WETH and a fake token. Due to the lack of input validation, the attacker could manipulate the _msgSender parameter to target victim addresses and drain their funds.
Exploit Contract (on Optimism Mainnet): 0x16748cb753a68329ca2117a7647aa590317ebf41
On August 1, the LeetSwap exploit on the Base Chain resulted in a $624K loss due to a price manipulation vulnerability. The root cause of the exploit was the incorrect visibility of the _transferFeesSupportingTaxTokens() function in the LeetSwapV2Pair contract. This function was meant to be private, but it mistakenly had a public visibility specifier. This mistake enabled the attacker to invoke this function to transfer tokens to LeetSwap's fee collection address. This reduced the liquidity of the axlUSD token, leading to an artificial price increase and allowing the attacker to make a profit from this manipulation.
Exploit Contract (on Base Chain): 0xEA8f89F47f3D4293897b4fe8cB69B5C233b9f560
On July 30, the JPEG’d exploit on the Ethereum Mainnet resulted in a $11.4M loss due to a reentrancy attack. The attacker exploited Curve Finance’s Factory Pool contract by invoking the remove_liquidity() function while reentering the add_liquidity() function. This led to an issue where the total_supply amount wasn't updated during the reentry into the add_liquidity() function. The attacker made a profit by manipulating the pETH token price. The lending platform reported recovering nearly $10M of assets and offering a 10% white hat fee to the exploiter.
On July 28, the Pond0x exploit resulted in a $2.2M loss due to a contract logic vulnerability. The directTransfer() function in the vulnerable contract allowed users to transfer PNDX tokens from any address. During the launch of the token, traders purchased PNDX tokens, increasing the token price. The exploiter then revoked the directTransfer() function to transfer the minted PNDX tokens and sold them for profit. This led some investors to accuse the platform of a rug pull.
