Module · 3

Where systems fail. And why.

The first column groups failure types by category. The second column places each historical incident on its category. Every dot is a real loss; every dot is a specific assumption that did not survive.

Total losses catalogued

$17.91B

25 events catalogued

By category

Chronological

2014-02-01

Mt. Gox

Centralized exchange · Custodian disappearance

$470M

Hot-wallet drain over years; custodian failure to detect.

2016-06-17

The DAO

Smart contract · Smart contract bug

$60M

Reentrancy in splitDAO. Forced Ethereum hard fork.

2016-08-02

Bitfinex

Centralized exchange · Key compromise

$72M

Hot wallet keys (BitGo multisig integration) compromised.

2017-11-06

Parity Multisig (frozen)

Multisig wallet · Smart contract bug

$280M

Library contract self-destructed by accident; all dependent multisigs bricked.

2018-01-26

Coincheck

Centralized exchange · Key compromise

$530M

Hot wallet keys stolen; NEM held without cold storage.

2020-09-26

KuCoin

Centralized exchange · Key compromise

$280M

Hot wallet private keys leaked.

2021-05-19

PancakeBunny

DeFi (BSC) · Oracle manipulation

$45M

Flash-loan manipulated oracle drove BUNNY mint exploit.

2021-07-10

Anyswap

Cross-chain swap (MPC) · Signature replay / forge

$8M

Reused MPC nonces leaked private key.

2021-08-10

Poly Network

Cross-chain bridge · Smart contract bug

$611M

Bridge keeper contract verified user-supplied function selector; attacker swapped it for changeOwner.

2021-09-30

Compound (mistaken comp)

DeFi protocol · Smart contract bug

$90M

Bug in upgrade caused over-distribution of COMP rewards.

2022-01-28

Qubit Finance

Cross-chain bridge · Smart contract bug

$80M

tokenAddress 0x0 accepted as deposit; minted unbacked tokens.

2022-02-02

Wormhole

Cross-chain bridge · Signature replay / forge

$325M

Verify_signatures used a deprecated Solana sysvar; attacker forged guardian signatures.

2022-03-23

Ronin Bridge

Validator-set bridge (5-of-9) · Key compromise

$625M

Attacker compromised 5 of 9 validator keys via spear-phishing of a Sky Mavis engineer.

2022-04-17

Beanstalk Farms

DeFi DAO · Governance attack

$182M

Flash-loaned voting power passed a malicious 'emergency' proposal.

2022-06-23

Harmony Horizon Bridge

Multisig bridge (2-of-5) · Key compromise

$100M

Two of five private keys compromised.

2022-07-13

Celsius Network

Custodial yield platform · Custodian disappearance

$4,700M

Misallocated customer deposits in failing strategies; insolvency.

2022-08-01

Nomad

Optimistic bridge · Smart contract bug

$190M

Initialization set zero hash to trusted; any message validated. Massed-copycat looting.

2022-10-06

BNB Bridge

Cross-chain bridge (multisig) · Smart contract bug

$570M

Forged Merkle proof accepted by bridge precompile due to verification flaw.

2022-10-11

Mango Markets

DeFi (Solana) · Oracle manipulation

$116M

Manipulated MNGO price feed via thin order book; borrowed against inflated collateral.

2022-11-11

FTX

Centralized exchange · Custodian disappearance

$8,000M

Customer funds rehypothecated to Alameda; bankruptcy.

2023-02-23

Atomic Wallet

Wallet software · Key compromise

$100M

Wallet binaries compromised; private keys exfiltrated client-side.

2023-03-13

Euler Finance

DeFi protocol · Smart contract bug

$197M

donateToReserves miscalculated health factor; attacker borrowed against bad debt.

2023-07-06

Multichain

Federated bridge · Custodian disappearance

$126M

CEO arrested in China holding all MPC keys; team lost access; funds drained.

2023-07-30

Curve Finance (Vyper)

DeFi protocol · Smart contract bug

$70M

Reentrancy guard bug in Vyper compiler versions 0.2.15–0.3.0.

2023-12-31

Orbit Chain

Multisig bridge (7-of-10) · Key compromise

$82M

7 of 10 multisig keys compromised in unknown attack.