DeFi Hacks Reproduce - Foundry
June 27, 2026 · View on GitHub
Reproduce DeFi hack incidents using Foundry.
763 incidents included.
Let's make Web3 secure! Join Discord
Notion: 101 root cause analysis of past DeFi hacked incidents
Disclaimer: This content serves solely as a proof of concept showcasing past DeFi hacking incidents. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.
Table of Contents
- Getting Started
- Who Support Us
- Donate Us
- List of Past DeFi Incidents
- Transaction debugging tools
- Ethereum Signature Database
- Useful tools
- Hacks Dashboard
- List of DeFi Hacks & POCs
Getting Started
-
Follow the instructions to install Foundry.
-
Clone and install dependencies:
git submodule update --init --recursive
Web3 Cybersecurity Academy
All articles are also published on Substack.
OnChain transaction debugging
- Lesson 1: Tools ( English | 中文 | Vietnamese | Korean | Spanish | 日本語 )
- Lesson 2: Warm up ( English | 中文 | Korean | Spanish | 日本語 )
- Lesson 3: Write Your Own PoC (Price Oracle Manipulation) ( English | 中文 | Korean | Spanish | 日本語 )
- Lesson 4: Write Your Own PoC (MEV Bot) ( English | 中文 | Korean | Spanish | 日本語 )
- Lesson 5: Rugpull Analysis ( English | 中文 | Spanish | 日本語 )
- Lesson 6: Write Your Own PoC (Reentrancy) ( English | 中文 | Spanish | 日本語 )
- Lesson 7: Hack Analysis: Nomad Bridge, August 2022 ( English | 中文 | Spanish | 日本語 )
Donate us
If you appreciate our work, please consider donating. Even a small amount helps us continue developing and improving our projects, and promoting web3 security.
- Gitcoin - Donate DeFiHackLabs
- EVM Chains - 0xD7d6215b4EF4b9B5f40baea48F41047Eb67a11D5
- Giveth
List of Past DeFi Incidents
20260625 LixirPermitDrain 20260625 OceanBPoolSideStaking 20260624 DLMC 20260623 RoyalRoyalties
20260617 LBP 20260617 Aztec V1
20260511 INKFinance 20260511 HumaFinance
20260420 ThetanutsVaultShareRounding
20260419 AaveRebalancerCreditDelegation
20260407 SquidMulticallAllowanceDrain
20260331 WhalebitOracleManipulation
20260328 VTSwapHook 20260327 EST Token
20260319 Revamp 20260316 unverified 20260315 Venus THE
20260315 StakeOnMe 20260310 AlkemiEarn
2024
20240703 UnverifiedContr_0x452E25
20240610 UwuLend - Price Manipulation
2023
20231201 UnverifiedContr_0x431abb
20230715 USDTStakingContract28
2022
20221024 MulticallWithoutCheck
20221011 Rabby Wallet SwapRouter
20220908 Ragnarok Online Invasion
20220701 Quixotic - Optimism NFT Marketplace
20220624 Harmony's Horizon Bridge
20220608 Optimism - Wintermute
20220430 Rari Capital/Fei Protocol
2021
Before 2020
Transaction debugging tools
Phalcon | Tx tracer | Cruise | Ethtx | Tenderly | eigenphi
Ethereum Signature Database
Useful tools
ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | ETHCMD - Guess ABI | Abi tools
Hacks Dashboard
Slowmist | Defillama | De.Fi | Rekt | Cryptosec | BlockSec
List of DeFi Hacks & POCs
20260625 LixirPermitDrain - Broken Signature Verification
Lost: 2.60 ETH, 4,477.72 USDC, 3,609.95 USDT, 24,182.56 LIX
forge test --contracts ./src/test/2026-06/LixirPermitDrain_exp.sol -vvv
Contract
Link reference
https://x.com/DefimonAlerts/status/2070362661691207935
20260625 OceanBPoolSideStaking - BPool single-sided join/exit math with SideStaking gulp accounting
Lost: 127.86K mOCEAN
forge test --contracts ./src/test/2026-06/OceanBPoolSideStaking_exp.sol -vvv
Contract
Link reference
http://x.com/defimonalerts/status/2070362661540286735
20260624 DLMC - Reserve-derived livePrice manipulation
Lost: 222,560.22 USDT
forge test --contracts ./src/test/2026-06/DLMC_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/TenArmorAlert/status/2069957542109958498
20260623 RoyalRoyalties - Zero-amount ERC1155 batch transfer inflated Royal LDA tier balance
Lost: 261,162.93 USDC
forge test --contracts ./src/test/2026-06/RoyalRoyalties_exp.sol -vvv
Contract
Link reference
https://x.com/TenArmorAlert/status/2069596801725002121
20260622 Aztec Escape Hatch - proof_id Accounting Bypass (whitehat reproduction)
Lost: N/A (purely educational; worst-case impact would have been ~$2M, matching the separate vulnerability that actually drained the contracts)
forge test --contracts src/test/2026-06/AztecEscapeHatch_exp.sol -vvv
Contract
Link reference
https://github.com/AztecProtocol/aztec-2.0
https://x.com/ivanbogatyy/status/2069159603942596830
20260622 ATM - LP Token Burn
Lost: 1,603.99 WBNB
forge test --contracts ./src/test/2026-06/ATM_LP_Burn_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/TenArmorAlert/status/2068993748936151209
20260620 OLPC - OLPC pair reserve manipulation
Lost: 1,115,903.66 USDT
forge test --contracts ./src/test/2026-06/OLPC_exp.sol --evm-version shanghai -vvv
Contract
Link reference
https://x.com/exvulsec/status/2068308334512365924
20260618 JB - JB helper repeated cycle drains JB/USDT pair
Lost: 49,958.06 USDT
forge test --contracts ./src/test/2026-06/JB_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/audit_911/status/2067943961327763788
20260617 Aztec V1 - escapeHatch Proof-Forgery (permissionless RollupProcessor exit)
Lost: ~$2.2M (1158 ETH + 150,000 DAI + 0.4696 renBTC)
forge test --contracts src/test/2026-06/AztecEscapeHatch_exp.sol -vvv
Contract
20260617 WHALE - Transfer Accounting Reserve Desync
Lost: 3,460.41 USDT
forge test --contracts ./src/test/2026-06/WHALE_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/audit_911/status/2067451654694412720
20260617 LBP - LBP balanceOf reward accounting
Lost: 610.56 BNB
forge test --contracts ./src/test/2026-06/LBP_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/DefimonAlerts/status/2067329401977532429
20260616 DIP - Fee-on-Transfer Reserve Manipulation
Lost: 111,097.59 USDC
forge test --contracts ./src/test/2026-06/DIP_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/TenArmorAlert/status/2067059314519417163
20260615 Thetanuts - Index vault component-share accounting flaw
Lost: 105471.50 USDC
forge test --contracts ./src/test/2026-06/Thetanuts_exp.sol -vvv
Contract
Link reference
https://x.com/PeckShieldAlert/status/2066540451126190312
20260614 Aztec Connect - numRealTxs Proof/Settlement Mismatch (permissionless RollupProcessorV3)
Lost: ~$2.19M (this PoC reproduces the 908.99 ETH leg)
forge test --contracts src/test/2026-06/AztecConnect_exp.sol -vvv
Contract
Link reference
https://www.cryptotimes.io/2026/06/15/aztec-exploit-drains-2-19m-from-dormant-privacy-protocol/
20260609 TOPBPool - Governance-controlled token mint and Balancer pool drain
Lost: 944.20 WETH
forge test --contracts ./src/test/2026-06/TOPBPool_exp.sol -vvv
Contract
Link reference
https://x.com/DefimonAlerts/status/2064616112822583505
20260609 NovaBox - Constructor Dividend Checkpoint Bypass
Lost: 56.73 ETH
forge test --contracts ./src/test/2026-06/NovaBox_exp.sol --evm-version prague -vvv
Contract
Link reference
https://x.com/DefimonAlerts/status/2064616360466919793
20260607 AmbientCrocSwapDex - Native surplus accounting flaw
Lost: 67.85 ETH
forge test --contracts ./src/test/2026-06/AmbientCrocSwapDex_exp.sol -vvv
Contract
Link reference
https://x.com/TenArmorAlert/status/2063816231023427861
20260606 BOSS - BOSS helper mint/burn and transfer-tax pool skew
Lost: 10,207.54 USDT
forge test --contracts ./src/test/2026-06/BOSS_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/audit_911/status/2063819348305985748
20260605 DTXT - Liquidity Misclassification Fee Bypass
Lost: 35,041.11 USDT
forge test --contracts ./src/test/2026-06/DTXT_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/audit_911/status/2063793931138347015
20260605 AISOTHPresale - Fixed-price presale arbitrage
Lost: 30,314.76 USDT
forge test --contracts ./src/test/2026-06/AISOTHPresale_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/audit_911/status/2063565495073415618
20260604 BYToken - Permissionless triggerAutoBurn Reserve Manipulation
Lost: ~$87,402 (146.60 WBNB)
forge test --contracts src/test/2026-06/BYToken_exp.sol -vvv
Contract
Link reference
20260604 ATM Token - Hidden transferFrom Auto-Swap Drain
Lost: ~$243,543 USDT
forge test --contracts src/test/2026-06/ATM_exp.sol -vvv
Contract
Link reference
20260530 AROS - Signature Replay
Lost: ~$295K
forge test --contracts src/test/2026-05/AROS_exp.sol -vvv --evm-version prague
Contract
Link reference
https://bscscan.com/tx/0xe89fe640ec5241edfca7d8dcae77a0a4270dee15e4bbd043fc60e393aabf41e1 https://x.com/TenArmorAlert/status/2061289921990570349
20260529 YSDAO - Price Manipulation and Tax Bypass
Lost: ~19.49K USDT
forge test --contracts src/test/2026-05/YSDAO_exp.sol -vvv
Contract
Link reference
https://bscscan.com/tx/0x91f26d96373bbec6a6a8517c7be995a739d65f20fed589d53bc47d8140f91907
20260528 LegendaryMoneyMonNft - ecrecover address(0) Signature Bypass
Lost: ~$85.5K USD (85,519 USDT)
forge test --contracts src/test/2026-05/LegendaryMoneyMonNft_exp.sol -vvv
Contract
Link reference
https://x.com/SlowMist_Team/status/2060205558687486441
20260528 DxSale - Ownership Override Attack
Lost: ~7.3M USD
forge test --contracts src/test/2026-05/DxSale_exp.sol -vvv
Contract
Link reference
https://crypto.news/dxsale-exploit-drains-7-3m-in-bnb-through-hidden-contract-backdoor/ https://x.com/Tahax1/status/1928169316736651568 https://x.com/CoinsultAudits/status/1928203831996297670
20260527 Joe Agent - Reentrancy in removeLiquidityViaContract
Lost: ~$45K USD (62.5 BNB + ~1.196M JOE)
forge test --contracts src/test/2026-05/JoeAgent_exp.sol -vvv
Contract
Link reference
https://x.com/SlowMist_Team/status/2059887450663551352
20260525 SquidRouterModule - Missing caller check
Lost: 0.25 WBTC + 0.29 wTAO + 0.02 WETH
FOUNDRY_EVM_VERSION=cancun forge test --contracts ./src/test/2026-05/SquidRouterModule_exp.sol -vvv
Contract
Link reference
https://t.me/defimon_alerts/3045
20260525 New Market Trading - SquidRouterModule Missing Caller Check
Lost: ~$3.98M USD
FOUNDRY_EVM_VERSION=cancun forge test --contracts src/test/2026-05/NewMarketTrading_exp.sol --match-contract NewMarketTradingExploit -vv
Contract
Link reference
https://rekt.news/newmarkettrading-rekt
20260526 SKP Token - Owner Backdoor LP Burn + Price Manipulation
Lost: ~$212K USD
forge test --contracts src/test/2026-05/SKP_exp.sol -vvv
Contract
Link reference
20260526 SKP Token - Deliberately Engineered Drain (Insider Exploit / Rug Pull)
Lost ~$212,195 USDT
Classification: Premeditated insider exploit — NOT a conventional external hack.
forge test --contracts src/test/2026-05/SKP_exp2.sol -vvv
Contract
Link reference
- https://bscscan.com/tx/0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee
- https://bscscan.com/tx/0xadf1b6ff02a917043c816bc8bd1ed67038d64a19d06544b09ceeb872518fda37
- https://www.bitget.com/amp/news/detail/12560605230076
20260525 WUSD.fi - _englove Sybil Incentive Abuse
Lost: ~$200K USD (GLOVE emissions + LP drain)
forge test --contracts src/test/2026-05/WUSD_exp.sol -vvv
Contract
Link reference
https://x.com/exvulsec/status/2058803971947385330
20260522 FractalProtocol - Business Logic Flaw
Lost: ~$13.7K
forge test --contracts src/test/2026-05/FractalProtocol_exp.sol -vvv
Contract
Link reference
https://arbiscan.io/tx/0x20db78913a51c3b3aece860ea142c240f3f8fa3b5bbf533a3d1d48eed857e10f https://x.com/DefimonAlerts/status/2058619391776878967
20260521 MureDistribution - Signature Verification Bypass
Lost: ~5.45 ETH
forge test --contracts src/test/2026-05/MureDistribution_exp.sol -vvv
Contract
Link reference
https://etherscan.io/tx/0xb83040361a0ec72fa2d06ad69493226518a5f8b5d96c19b400626248f9c5b798 https://x.com/DefimonAlerts/status/2058211424761942226
20260520 MAPProtocol - Arbitrary Mint
Lost: ~$180K
forge test --contracts src/test/2026-05/MAPProtocol_exp.sol -vvv
Contract
Link reference
https://etherscan.io/tx/0x31e56b4737649e0acdb0ebb4eca44d16aeca25f60c022cbde85f092bde27664a https://x.com/MapProtocol/status/2059587998409490510
20260519 ElevateFi - Reserve Price Manipulation
Lost: ~16,000 USD
forge test --contracts ./src/test/2026-05/ElevateFi_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://t.me/defimon_alerts/3040
20260518 TesseraSwap - Callback Repayment Price Spread
Lost: ~$20K
forge test --contracts ./src/test/2026-05/TesseraSwap_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://t.me/defimon_alerts/3038
20260517 VerusBridge - Insufficient Validation
Lost: ~$11.58M
forge test --contracts src/test/2026-05/VerusBridge_exp.sol -vvv
Contract
Link reference
https://etherscan.io/tx/0x6990f01720f57fc515d0e976a0c4f8157e0a9529194c4c15d190e98d087eb321 https://x.com/VerusCoin/status/2057465214975492358
20260517 SEAToken - Business Logic Flaw
Lost: ~$110K
forge test --contracts src/test/2026-05/SEAToken_exp.sol -vvv
Contract
Link reference
https://arbiscan.io/tx/0x001cb16e17c4c5a5c4d02423c9e9b2f2b11ab6b2a1baf2ba53b8fcaf06167716 https://anomly.rs/metasea-redeemposition-distributor-drain-arb-2026-05-17
20260515 AdsharesBridge - Insufficient Validation
Lost: ~$628K
forge test --contracts src/test/2026-05/AdsharesBridge_exp.sol -vvv
Contract
Link reference
https://etherscan.io/tx/0x8844b4ec371c4b13d7fac701b5d546a7c2fba12621a9596dd14b662b14408789 https://etherscan.io/tx/0xfba82bb34515d7aefbf0c89582b71d915ec8861c96babaafdc882743dbc23509 https://etherscan.io/tx/0xa3476575183204b4a662dd6ee56f6499d806e4f41ce83d98366752d31e9e9ca3 https://x.com/DefimonAlerts/status/2055751467579936770
20260512 SQTokenStaking - Access Control
Lost: ~$346.1K
forge test --contracts src/test/2026-05/SQTokenStaking_exp.sol -vvv --evm-version prague
Contract
Link reference
https://bscscan.com/tx/0x1bae633eda9b3d98999ea116bc403712eaa07093ec32bd6d559085cc4607f5b8 https://x.com/Defi_Nerd_sec/status/2054425936746148148
20260511 INKFinance - Business Logic Flaw
Lost: ~$140K
forge test --contracts src/test/2026-05/INKFinance_exp.sol -vvv
Contract
Link reference
https://polygonscan.com/tx/0xb469a24ec737be16fe41367a7b5b315c7f03b4e0ff3af50b3a2db03b3066b982 https://www.cryptotimes.io/2026/05/11/ink-finance-exploited-on-polygon-140k-usdt-drained-in-flash-loan-attack/
20260511 HumaFinance - Credit Approval Bypass
Lost: ~$101K (82,315 USDC + 19,074 USDC.e)
forge test --contracts src/test/2026-05/HumaCreditApprovalBypass_exp.sol -vv
Contract
HumaCreditApprovalBypass_exp.sol
Link reference
https://www.cryptotimes.io/2026/05/11/huma-finance-v1-exploit-on-polygon-drains-101k-in-usdc/
20260510 Renegade - Uninitialized Proxy
Lost: ~$209K
forge test --contracts src/test/2026-05/Renegade_exp.sol -vvv
Contract
Link reference
https://arbiscan.io/tx/0x0e494685ace16d372066c5b4db959b58ebac6d88166c2d9d618e0e421dc0c77e https://x.com/renegade_fi/status/2053531772634427599 https://x.com/DefimonAlerts/status/2053538325969977801
20260507 TrustedVolumes - Signature Replay
Lost: ~$5.87M
forge test --contracts src/test/2026-05/TrustedVolumes_exp.sol --match-contract TrustedVolumesExploit -vv
Contract
Link reference
https://rekt.news/trustedvolumes-rekt https://www.darknavy.org/web3/exploits/trustedvolumes-rfq-proxy-drain/ https://blog.verichains.io/p/trustedvolumes-exploit-analysis
20260505 Ekubo - Business Logic Flaw
Lost: ~$1.4M
forge test --contracts src/test/2026-05/Ekubo_exp.sol -vvv
Contract
Link reference
https://etherscan.io/tx/0x770bc9a1f7c32cb63a5002b9ceb5c7994cd3af0fc6b2309cb32d3c46f629daa0 https://x.com/EkuboProtocol/status/2051754481465856038 https://x.com/blockaid_/status/2051757787714118125
20260501 SharwaMarginTrading - Hegic collateral spot price manipulation
Lost: 32.85K USDC
forge test --contracts ./src/test/2026-05/SharwaMarginTrading_exp.sol -vvv
Contract
Link reference
https://t.me/defimon_alerts/2975
20260428 RWAVault - Missing ERC4626 allowance check
Lost: 398,655.47 USDC
forge test --contracts ./src/test/2026-04/RWAVault_exp.sol -vvv
Contract
Link reference
https://t.me/defimon_alerts/2958
20260428 JUDAO - JUDAO sell-hook reserve drain
Lost: 205K USDT + 36 BNB
forge test --contracts ./src/test/2026-04/JUDAO_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://t.me/defimon_alerts/2955
20260427 Unverified_a152 - AllowanceTarget approval drain
Lost: 229K USDT
forge test --contracts ./src/test/2026-04/unverified_a152_exp.sol -vvv
Contract
Link reference
https://t.me/defimon_alerts/2987
20260425 SingularityDynaVault - Oracle Misconfiguration / Share Inflation
Lost: 413.13K USDC
forge test --contracts ./src/test/2026-04/SingularityDynaVault_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/DefimonAlerts/status/2048698708309705069
20260423 GiddyVaultV3 - Incomplete Signature Coverage
Lost: $1.3M
forge test --contracts ./src/test/2026-04/giddyvaultv3_compound_auth_exp.sol -vvv --evm-version cancun
Contract
giddyvaultv3_compound_auth_exp.sol
Link reference
https://x.com/DefimonAlerts/status/2047334517535642024
20260421 KipseliPropAMM - Pricing / Decimals Mismatch
Lost: 0.93 cbBTC
forge test --contracts ./src/test/2026-04/KipseliPropAMM_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/DefimonAlerts/status/2046873857571934254
20260420 JuiceboxREVLoans - Fake terminal loan source validation bypass
Lost: 21.77 ETH
forge test --contracts ./src/test/2026-04/JuiceboxREVLoans_exp.sol -vvv
Contract
Link reference
https://x.com/DefimonAlerts/status/2046862935650345139
20260420 ThetanutsVaultShareRounding - Vault Share Rounding Manipulation
Lost: 0.15 WBTC
forge test --contracts ./src/test/2026-04/ThetanutsVaultShareRounding_exp.sol -vvv
Contract
ThetanutsVaultShareRounding_exp.sol
Link reference
https://t.me/defimon_alerts/2933
20260419 AaveRebalancerCreditDelegation - Arbitrary External Call / Credit Delegation Abuse
Lost: 6,999.91 WAVAX
forge test --contracts ./src/test/2026-04/AaveRebalancerCreditDelegation_exp.sol -vvv
Contract
AaveRebalancerCreditDelegation_exp.sol
Link reference
https://x.com/DefimonAlerts/status/2046504796463808991
20260415 XLootStaking - Duplicate xLOOT Redemption
Lost: 6.21 ETH
forge test --contracts ./src/test/2026-04/XLootStaking_exp.sol -vvv
Contract
Link reference
https://x.com/DefimonAlerts/status/2044709964091187660
20260414 MONA LisaVault - reward-farming / BurnAddress accounting exploit!
Lost ~60.95K USDT
forge test --contracts src/test/2026-04/MONA_LisaVault_exp.sol -vvv
Contract
Link reference
https://x.com/exvulsec/status/2043928546662592949
20260414 Saturn Protocol - Vulnerability Disclosure
Lost: 0 (Disclosure only; no exploit occurred)
TVL at Risk: ~$35.7M
forge test --contracts src/test/2026-04/SaturnProtocol_exp.sol -vvv --fork-url https://rpc.ankr.com/eth
Contract
Link reference
https://gist.github.com/sgInnora/b70ad98327649ed4ab976a122f45e485
Note: Vendor states SAT-001 (underflow) is mitigated by _validateTotals, and SAT-002 (tolerance compound) is a trusted-role design observation.
20260412 SubQuerySettings - Settings access control
Lost: 218.07M SQT
forge test --contracts ./src/test/2026-04/SubQuerySettings_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://t.me/defimon_alerts/2909
20260407 SquidMulticallAllowanceDrain - Arbitrary Call / Wrong Approval
Lost: 1 ETH
forge test --contracts ./src/test/2026-04/SquidMulticallAllowanceDrain_exp.sol -vvv --evm-version shanghai
Contract
SquidMulticallAllowanceDrain_exp.sol
Link reference
https://x.com/DefimonAlerts/status/2041530294369386806
20260405 PerpPair - Virtual AMM Manipulation
Lost: 165K USDC
forge test --contracts ./src/test/2026-04/PerpPair_exp.sol -vvv --evm-version prague
Contract
Link reference
https://x.com/DefimonAlerts/status/2041070927908126897
20260331 WhalebitOracleManipulation - Algebra spot-price oracle manipulation
Lost: 824K USD
forge test --contracts ./src/test/2026-03/WhalebitOracleManipulation_exp.sol -vvv
Contract
WhalebitOracleManipulation_exp.sol
Link reference
https://x.com/DefimonAlerts/status/2039372077686251787
20260328 VTSwapHook - Pricing Error in UniswapV4 Hook
Lost: 4,507,034.03 vATH + 2,007,935.14 ATH
forge test --contracts ./src/test/2026-03/VTSwapHook_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/DefimonAlerts/status/2038647146098954283
20260327 EST Token - Incorrect Token Burn Mechanism
Lost: 150.2 WBNB
forge test --contracts src/test/2026-03/EST_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://bscscan.com/address/0xD4524Be41cd452576aB9FF7b68a0b89aF8498a91
20260324 XocolatlLiquidator - Access Control / Input Validation
Lost: 3.25 cbETH and 0.22 WETH
forge test --contracts ./src/test/2026-03/XocolatlLiquidator_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://t.me/defimon_alerts/2834
20260324 Univ3CollateralToken - Logic Error
Lost: 57K USD
forge test --contracts ./src/test/2026-03/Univ3CollateralToken_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/DefimonAlerts/status/2036449500512891317
20260323 BCE - Deflationary Token Logic Error
Lost: ~800,000 USDT
forge test --contracts ./src/test/2026-03/bce_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://t.me/defimon_alerts/2814
20260319 ATMBlindBox - Weak Randomness / Predictable RNG
Lost: 99K USD
forge test --contracts ./src/test/2026-03/ATMBlindBox_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://t.me/defimon_alerts/2808
20260319 Revamp - Reward Accounting Drain
Lost: 2.99 BNB
forge test --contracts ./src/test/2026-03/Revamp_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/DefimonAlerts/status/2034532544239088053
20260316 unverified - CheckoutPool Old BOC Missing Access Control
Lost: 85,730 USDC
forge test --contracts ./src/test/2026-03/unverified_1304_exp.sol -vvv --evm-version cancun
Contract
Link reference
https://x.com/DefimonAlerts/status/2034532547191820390
20260315 Venus THE - BorrowBehalf + Donation Attack
Lost: 913,858.263360521396654198 CAKE + 1,972.530910582753621682 WBNB
forge test --contracts src/test/2026-03/Venus_THE_exp.sol --match-test testTraceDrivenPoC -vvv
Contract
Link reference
https://bscscan.com/tx/0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f
20260315 StakeOnMe - Owner-privileged JAKE burn reserve drain
Lost: 0.28 ETH
forge test --contracts ./src/test/2026-03/unverified_237d_exp.sol -vvv
Contract
Link reference
https://x.com/DefimonAlerts/status/2034532549905580417
20260310 AlkemiEarn - Business Logic
Lost: 43.45 ETH
forge test --contracts ./src/test/2026-03/AlkemiEarn_exp.sol -vvv
Contract
Link reference
https://x.com/blockaid_/status/2031351881029546194
20260302 Curve LlamaLend - Share price manipulation
Lost: ~240,000 US$
forge test -vvv --contracts ./src/test/2026-03/Curve_LlamaLend_exp.sol
Contract
Link reference
https://x.com/yieldsandmore/status/2028368378457362629
20260222 LAXO Token - Incorrect Burn Logic
Lost: ~137,000 US$
forge test src/test/2026-02/LAXO_Token_exp.sol -vvv
Contract
Link reference
https://x.com/CertiKAlert/status/2027317095420072317
20260216 XDKRecycle - XDK recycle reserve manipulation
Lost: 6.84 WBNB
forge test --contracts ./src/test/2026-02/XDKRecycle_exp.sol -vvv --evm-version shanghai
Contract
Link reference
https://x.com/DefimonAlerts/status/2024163654631882916
20260215 Moonwell - Faulty Oracle
Lost: 1.78M USD
forge test --contracts ./src/test/2026-02/Moonwell_exp.sol -vvv
Contract
Link reference
https://forum.moonwell.fi/t/mip-x43-cbeth-oracle-incident-summary/2068
https://forum.moonwell.fi/t/recovery-plan-cbeth-incident-and-moonwell-apollo-onboarding/2084
https://x.com/pashov/status/2023872510077616223
https://x.com/moo9000/status/2024040101982990534
20260120 SynapLogic - Business Logic Flaw
NOTICE: SynapLogic is totally a cheat contract, with backdoors, vulnerabilities and rug pulls.
Lost: 27.6 ETH & 3450 USDC
forge test -vvv --contracts ./src/test/2026-01/SynapLogic_exp.sol
Contract
Link reference
https://x.com/TenArmorAlert/status/2013432861366292520?s=20
https://x.com/hklst4r/status/2013440353844461979?s=20
https://x.com/CertiKAlert/status/2013440963851755610?s=20
https://x.com/nn0b0dyyy/status/2013445844394279260?s=20
20260120 Makina - Price Oracle Manipulation
Lost: 5.1M USD
forge test -vvv --contracts ./src/test/2026-01/makina_exp.sol --evm-version cancun
# MUST use evm >= cancun
Contract
Link reference
https://x.com/nn0b0dyyy/status/2013472538832314630
https://x.com/TenArmorAlert/status/2013460083078836342
https://x.com/CertiKAlert/status/2013473512116363734
20260112 MTToken - Incorrect Fee Logic
Lost: 37K USD
forge test -vvv --contracts ./src/test/2026-01/MTToken_exp.sol
Contract
Link reference
https://x.com/TenArmorAlert/status/2010630024274010460?s=20
https://x.com/nn0b0dyyy/status/2010638145155661942?s=20
20260110 FutureSwap - Unit Mismatch
Lost: 433K USD
forge test -vvv --contracts ./src/test/2026-01/futureswap_exp.sol.sol
Contract
Link reference
https://x.com/nn0b0dyyy/status/2009922304927731717?s=20
20260109 Truebit - OverFlow
Lost: 8540ETH
forge test --contracts ./src/test/2026-01/Truebit_exp.sol -vvv
Contract
Link reference
https://www.certik.com/zh-CN/resources/blog/truebit-incident-analysis
20260101 PRXVT - Bussiness Logic Flaw
Lost: 32.8 ETH
forge test --contracts ./src/test/2026-01/PRXVT_exp.sol -vvv --block-gas-limit 60000000 # use gas limit control iterations
Contract
Link reference
https://x.com/CertiKAlert/status/2006685174587605315
View Gas Reports
Foundry also has the ability to report the gas used per function call which mimics the behavior of hardhat-gas-reporter. Generally speaking if gas costs per function call is very high, then the likelihood of its success is reduced. Gas optimization is an important activity done by smart contract developers.
Every poc in this repository can produce a gas report like this:
forge test --gas-report --contracts <contract> -vvv
For Example: Let us find out the gas used in the Audius poc
Execution
forge test --gas-report --contracts ./src/test/Audius.exp.sol -vvv
Demo
Bug Reproduce
Moved to DeFiVulnLabs
FlashLoan Testing
Moved to DeFiLabs
License
This project is licensed under the Apache License 2.0.