DeFi Hacks Reproduce - Foundry

Reproduce DeFi hack incidents using Foundry.

558 incidents included.

Let's make Web3 secure! Join Discord

Notion: 101 root cause analysis of past DeFi hacked incidents

Transaction debugging tools

Disclaimer: This content serves solely as a proof of concept showcasing past DeFi hacking incidents. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.

Getting Started

• Follow the instructions to install Foundry.

• Clone and install dependencies:git submodule update --init --recursive

• Contributing Guidelines

Web3 Cybersecurity Academy

All articles are also published on Substack.

OnChain transaction debugging

• Lesson 1: Tools ( English | 中文 | Vietnamese | Korean | Spanish )
• Lesson 2: Warm up ( English | 中文 | Korean | Spanish )
• Lesson 3: Write Your Own PoC (Price Oracle Manipulation) ( English | 中文 | Korean | Spanish )
• Lesson 4: Write Your Own PoC (MEV Bot) ( English | 中文 | Korean | Spanish )
• Lesson 5: Rugpull Analysis ( English | 中文 | Spanish )
• Lesson 6: Write Your Own PoC (Reentrancy) ( English | 中文 | Spanish )
• Lesson 7: Hack Analysis: Nomad Bridge, August 2022 ( English | 中文 | Spanish )

Who Support Us? DeFiHackLabs Received Grant From

Donate us

If you appreciate our work, please consider donating. Even a small amount helps us continue developing and improving our projects, and promoting web3 security.

• Gitcoin - Donate DeFiHackLabs
• EVM Chains - 0xD7d6215b4EF4b9B5f40baea48F41047Eb67a11D5
• Giveth

List of Past DeFi Incidents

20250221 Bybit

20250211 FourMeme

20250123 ODOS

20250121 Ast

20250118 Paribus

20250113 Mosca2

20250111 RoulettePotV2

20250110 JPulsepot

20250108 LPMine

20250107 IPC

20250106 Mosca

20250104 SorStaking

20250104 98#Token

20250101 LAURAToken

2024

20241223 Moonhacker

20241203 Pledge

20241119 PolterFinance

20241111 DeltaPrime

20241026 CompoundFork

20241022 Erc20transfer

20241022 VISTA

20241013 MorphoBlue

20241011 P719Token

20241006 HYDT

20241006 SASHAToken

20241005 AIZPTToken

20241002 LavaLending

20241001 FireToken

20240926 OnyxDAO

20240926 Bedrock_DeFi

20240924 MARA

20240923 Bankroll_Network

20240913 OTSeaStaking

20240910 Caterpillar_Coin_CUT

20240903 Penpiexyz_io

20240816 Zenterest

20240816 OMPxContract

20240828 AAVE

20240814 YodlRouter

20240813 VOW

20240812 iVest

20240806 Novax

20240801 Convergence

20240724 Spectra_finance

20240723 MEVbot_0xdd7c

20240716 Lifiprotocol

20240714 Minterest

20240712 DoughFina

20240711 SBT

20240711 GAX

20240708 LW

20240705 DeFiPlaza

20240703 UnverifiedContr_0x452E25

20240702 MRP

20240628 Will

20240627 APEMAGA

20240618 INcufi

20240617 Dyson_money

20240616 WIFCOIN_ETH

20240611 Crb2

20240611 JokInTheBox

20240610 UwuLend - Price Manipulation

20240610 Bazaar

20240608 YYStoken

20240606 SteamSwap

20240606 MineSTM

20240604 NCD

20240601 VeloCore

20240531 Liquiditytokens

20240531 MixedSwapRouter

20240529 SCROLL

20240529 MetaDragon

20240528 Tradeonorion

20240528 EXcommunity

20240527 RedKeysCoin

20240526 NORMIE

20240522 Burner

20240516 TCH

20240514 Sonne Finance

20240514 PredyFinance

20240512 TGC

20240510 GFOX

20240510 TSURU

20240508 GPU

20240507 SATURN

20240506 OSN

20240430 Yield

20240430 PikeFinance

20240427 BNBX

20240425 NGFS

20240424 XBridge

20240424 YIEDL

20240422 Z123

20240420 Rico

20240419 HedgeyFinance

20240417 UnverifiedContr_0x00C409

20240416 SATX

20240416 MARS_DEFI

20240415 GFA

20240415 ChaingeFinance

20240414 Hackathon

20240412 FIL314

20240412 SumerMoney

20240412 GROKD

20240410 BigBangSwap

20240409 UPS

20240408 SQUID

20240404 WSM

20240402 HoppyFrogERC

20240401 ATM

20240401 OpenLeverage

20240329 ETHFIN

20240329 PrismaFi

20240328 LavaLending

20240325 ZongZi

20240314 ARK

20240323 CGT

20240321 SSS

20240320 Paraswap

20240314 MO

20240313 IT

20240312 BBT

20240311 Binemon

20240309 Juice

20240309 UnizenIO

20240307 GHT

20240306 ALP

20240306 TGBS

20240305 Woofi

20240228 Seneca

20240228 SMOOFSStaking

20240223 Zoomer

20240223 CompoundUni

20240223 BlueberryProtocol

20240222 SwarmMarkets

20240221 DeezNutz404

20240221 GAIN

20240220 EGGX

20240219 RuggedArt

20240216 ParticleTrade

20240215 DualPools

20240215 Babyloogn

20240215 Miner

20240213 MINER BSC

20240211 Game

20240210 FILX DN404

20240208 Pandora404

20240205 BurnsDefi

20240202 ADC

20240201 AffineDeFi

20240130 XSIJ

20240130 MIMSpell

20240129 PeapodsFinance

20240128 BarleyFinance

20240127 CitadelFinance

20240125 NBLGAME

20240122 DAO_SoulMate

20240117 BmiZapper

20240117 SocketGateway

20240115 Shell_MEV_0xa898

20240112 WiseLending

20240110 Freedom

20240110 LQDX Alert

20240104 Gamma

20240102 MIC

20240102 RadiantCapital

20240101 OrbitChain

2023

20231231 Channels BUSD&USDC

20231230 ChannelsFinance

20231228 CCV

20231228 DominoTT

20231225 Telcoin

20231222 PineProtocol

20231220 TransitFinance

20231217 Bob

20231217 FloorProtocol

20231216 GoodDollar

20231216 KEST

20231216 NFTTrader

20231214 PHIL

20231213 HYPR

20231211 GoodCompound

20231209 BCT

20231207 HNet

20231206 TIME

20231206 ElephantStatus

20231205 MAMO

20231205 BEARNDAO

20231202 bZxProtocol

20231201 UnverifiedContr_0x431abb

20231130 EEE

20231130 CAROLProtocol

20231129 Burntbubba

20231129 AIS

20231128 FiberRouter

20231125 MetaLend

20231125 TheNFTV2

20231122 KyberSwap

20231117 Token8633_9419

20231117 ShibaToken

20231116 WECO

20231115 EHX

20231115 XAI

20231115 LinkDAO

20231114 OKC Project

20231112 MEV_0x8c2d

20231112 MEV_0xa247

20231111 Mahalend

20231110 Raft_fi

20231110 GrokToken

20231107 RBalancer

20231107 MEVbot

20231106 TrustPad

20231106 TheStandard_io

20231106 KR

20231102 BRAND

20231102 3913Token

20231101 SwampFinance

20231101 OnyxProtocol

20231031 UniBotRouter

20231030 LaEeb

20231028 AstridProtocol

20231024 MaestroRouter2

20231022 OpenLeverage

20231019 kTAF

20231018 HopeLend

20231018 MicDao

20231013 BelugaDex

20231013 WiseLending

20231012 Platypus

20231011 BH

20231008 ZS

20231008 pSeudoEth

20231007 StarsArena

20231005 DePayRouter

20230930 FireBirdPair

20230929 DEXRouter

20230926 XSDWETHpool

20230924 KubSplit

20230921 CEXISWAP

20230916 uniclyNFT

20230911 0x0DEX

20230909 BFCToken

20230908 APIG

20230907 HCT

20230905 QuantumWN

20230905 JumpFarm

20230905 HeavensGate

20230905 FloorDAO

20230902 DAppSocial

20230829 EAC

20230827 Balancer

20230826 SVT

20230824 GSS

20230821 EHIVE

20230819 BTC20

20230818 ExactlyProtocol

20230814 ZunamiProtocol

20230809 EarningFram

20230802 CurveBurner

20230802 Uwerx

20230801 NeutraFinance

20230801 LeetSwap

20230731 GYMNET

20230730 Curve

20230726 Carson

20230724 Palmswap

20230723 MintoFinance

20230722 ConicFinance02

20230721 ConicFinance

20230721 SUT

20230720 Utopia

20230720 FFIST

20230718 APEDAO

20230718 BNO

20230717 NewFi

20230715 USDTStakingContract28

20230712 Platypus

20230712 WGPT

20230711 RodeoFinance

20230711 Libertify

20230710 ArcadiaFi

20230708 CIVNFT

20230708 Civfund

20230707 LUSD

20230704 BambooIA

20230704 BaoCommunity

20230703 AzukiDAO

20230630 Biswap

20230630 MyAi

20230628 Themis

20230627 UnverifiedContr_9ad32

20230627 STRAC

20230623 SHIDO

20230621 BabyDogeCoin02

20230621 BUNN

20230620 MIM

20230619 Contract_0x7657

20230618 ARA

20230617 MidasCapitalXYZ

20230617 Pawnfi

20230615 CFC

20230615 DEPUSDT_LEVUSDC

20230612 Sturdy Finance

20230611 SellToken04

20230607 CompounderFinance

20230606 VINU

20230606 UN

20230602 NST SimpleSwap

20230601 DDCoin

20230601 Cellframenet

20230531 ERC20TokenBank

20230529 Jimbo

20230529 BabyDogeCoin

20230529 FAPEN

20230529 NOON_NO

20230525 GPT

20230524 LocalTrade

20230524 CS

20230523 LFI

20230514 landNFT

20230514 SellToken03

20230513 Bitpaidio

20230513 SellToken02

20230512 LW

20230511 SellToken01

20230510 SNK

20230509 MCC

20230509 HODL

20230506 Melo

20230505 DEI

20230503 NeverFall

20230502 Level

20230428 0vix

20230427 SiloFinance

20230424 Axioma

20230419 OLIFE

20230416 Swapos V2

20230415 HundredFinance

20230413 yearnFinance

20230412 MetaPoint

20230411 Paribus

20230409 SushiSwap

20230405 Sentiment

20230402 Allbridge

20230328 SafeMoon Hack

20230328 THENA

20230325 DBW

20230322 BIGFI

20230317 ParaSpace NFT

20230315 Poolz

20230313 EulerFinance

20230308 DKP

20230307 Phoenix

20230227 LaunchZone

20230227 SwapX

20230224 EFVault

20230222 DYNA

20230218 RevertFinance

20230217 Starlink

20230217 Dexible

20230217 Platypusdefi

20230210 Sheep Token

20230210 dForce

20230207 CowSwap

20230206 FDP Token

20230203 Orion Protocol

20230203 Spherax USDs

20230202 BonqDAO

20230130 BEVO

20230126 TomInu Token

20230119 SHOCO Token

20230119 ThoreumFinance

20230118 QTN Token

20230118 UPS Token

20230117 OmniEstate

20230116 MidasCapital

20230111 UFDao

20230111 ROE

20230110 BRA

20230103 GDS

2022

20221230 DFS

20221229 JAY

20221225 Rubic

20221223 Defrost

20221214 Nmbplatform

20221214 FPR

20221213 ElasticSwap

20221212 BGLD

20221211 Lodestar

20221211 MEVbot_0x28d9

20221210 MUMUG

20221210 TIFIToken

20221209 NOVAToken

20221207 AES

20221205 RFB

20221205 BBOX

20221202 OverNight

20221201 APC

20221129 MBC & ZZSH

20221129 SEAMAN

20221123 NUM

20221122 AUR

20221121 SDAO

20221119 AnnexFinance

20221118 Polynomial

20221117 UEarnPool

20221116 SheepFarm

20221110 DFXFinance

20221109 brahTOPG

20221108 MEV_0ad8

20221108 Kashi

20221107 MooCAKECTX

20221105 BDEX

20221027 VTF

20221027 Team Finance

20221026 N00d Token

20221025 ULME

20221024 Market

20221024 MulticallWithoutCheck

20221021 OlympusDAO

20221020 HEALTH Token

20221019 BEGO Token

20221018 HPAY

20221018 PLTD Token

20221017 Uerii Token

20221014 INUKO Token

20221014 EFLeverVault

20221014 MEVBOT a47b

20221012 ATK

20221011 Rabby Wallet SwapRouter

20221011 Templedao

20221010 Carrot

20221009 Xave Finance

20221006 RES-Token

20221002 Transit Swap

20221001 BabySwap

20221001 RL

20221001 Thunder Brawl

20220929 BXH

20220928 MEVBOT Badc0de

20220923 RADT-DAO

20220913 MevBot Private TX

20220909 DPC

20220908 YYDS

20220908 NewFreeDAO

20220908 Ragnarok Online Invasion

20220906 NXUSD

20220905 ZoomproFinance

20220902 ShadowFi

20220902 Bad Guys by RPF

20220828 DDC

20220824 LuckyTiger NFT

20220816 Circle_2

20220813 Circle

20220810 XSTABLE Protocol

20220809 ANCH

20220807 EGD Finance

20220804 EtnProduct

20220803 Qixi

20220802 Nomad Bridge

20220801 Reaper Farm

20220725 LPC

20220723 Audius

20220713 SpaceGodzilla

20220710 Omni NFT

20220706 FlippazOne NFT

20220701 Quixotic - Optimism NFT Marketplace

20220626 XCarnival

20220624 Harmony's Horizon Bridge

20220618 SNOOD

20220616 InverseFinance

20220608 GYMNetwork

20220608 Optimism - Wintermute

20220606 Discover

20220529 NOVO Protocol

20220524 HackDao

20220517 ApeCoin

20220508 Fortress Loans

20220430 Saddle Finance

20220430 Rari Capital/Fei Protocol

20220428 DEUS DAO

20220424 Wiener DOGE

20220423 Akutar NFT

20220421 Zeed Finance

20220416 BeanstalkFarms

20220415 Rikkei Finance

20220412 ElephantMoney

20220411 Creat Future

20220409 GYMNetwork

20220329 Ronin Network

20220329 Redacted Cartel

20220327 Revest Finance

20220326 Auctus

20220322 CompoundTUSDSweepTokenBypass

20220321 OneRing Finance

20220320 LI.FI

20220320 Umbrella Network

20220315 Agave Finance

20220315 Hundred Finance

20220313 Paraluni

20220309 Fantasm Finance

20220305 Bacon Protocol

20220303 TreasureDAO

20220214 BuildFinance - DAO

20220208 Sandbox LAND

20220205 Meter

20220204 TecraSpace

20220128 Qubit Finance

20220118 Multichain (Anyswap)

2021

20211221 Visor Finance

20211218 Grim Finance

20211214 Nerve Bridge

20211130 MonoX Finance

20211123 Ploutoz Finance

20211027 Cream Finance

20211015 Indexed Finance

20210916 SushiSwap Miso

20210915 Nimbus Platform

20210915 NowSwap Platform

20210912 ZABU Finance

20210903 DAO Maker

20210830 Cream Finance

20210817 XSURGE

20210811 Poly Network

20210804 WaultFinance

20210728 Levyathan Finance

20210710 Chainswap

20210702 Chainswap

20210628 SafeDollar

20210625 xWin Finance

20210622 Eleven Finance

20210607 88mph NFT

20210603 PancakeHunny

20210527 JulSwap

20210527 BurgerSwap

20210519 PancakeBunny

20210516 bEarn

20210508 Rari Capital

20210508 Value Defi

20210502 Spartan

20210428 Uranium

20210308 DODO

20210305 Paid Network

20210204 Yearn YDai

20210125 Sushi Badger Digg

Before 2020

20201229 Cover Protocol

20201121 Pickle Finance

20201026 Harvest Finance

20200912 bzx

20200804 Opyn Protocol

20200628 Balancer Protocol

20200618 Bancor Protocol

20200419 LendfMe

20200418 UniSwapV1

20181007 SpankChain

20180424 SmartMesh

20180422 Beauty Chain

20171106 Parity - 'Accidentally Killed It'

---

Transaction debugging tools

Phalcon | Tx tracer | Cruise | Ethtx | Tenderly | eigenphi

Ethereum Signature Database

4byte | sig db | etherface

Useful tools

ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | ETHCMD - Guess ABI | Abi tools

Hacks Dashboard

Slowmist | Defillama | De.Fi | Rekt | Cryptosec | BlockSec

---

List of DeFi Hacks & POCs

20250221 Bybit - Phishing attack

Lost: 1.5B

forge test --contracts ./src/test/2025-02/Bybit_exp.sol -vvv

Contract

Bybit_exp.sol

Link reference

https://x.com/dhkleung/status/1893073663391604753

---

20250211 FourMeme - Logic Flaw

Lost: ~186k

forge test --contracts ./src/test/2025-02/FourMeme_exp.sol -vvv --evm-version shanghai

Contract

FourMeme_exp.sol

Link reference

https://www.chaincatcher.com/en/article/2167296

---

20250123 ODOS - invalid-signature-verification

Lost: ~50k

forge test --contracts ./src/test/2025-01/ODOS_exp.sol -vvv

Contract

OODS_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/base/0xd10faa5b33ddb501b1dc6430896c966048271f2510ff9ed681dd6d510c5df9f6

20250121 Ast - Price-Manipulation

Lost: ~65K

forge test --contracts ./src/test/2025-01/Ast_exp.sol -vvv

Contract

Ast_exp.sol

Link reference

https://medium.com/@joichiro.sai/ast-token-hack-how-a-faulty-transfer-logic-led-to-a-65k-exploit-da75aed59a43

---

20250118 Paribus - Bad oracle

Lost: ~86k

forge test --contracts ./src/test/2025-01/Paribus_exp.sol -vvv

Contract

Paribus_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/arbitrum/0xf5e753d3da60db214f2261343c1e1bc46e674d2fa4b7a953eaf3c52123aeebd2?line=415

---

20250113 Mosca2 - Logic Flaw

Lost: 37.6K

forge test --contracts ./src/test/2025-01/Mosca2_exp.sol -vvv --evm-version shanghai

Contract

Mosca2_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1878699517450883407

---

20250111 RoulettePotV2 - Price Manipulation

Lost: ~28K

forge test --contracts ./src/test/2025-01/RoulettePotV2_exp.sol -vvv --evm-version shanghai

Contract

RoulettePotV2_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1878008055717376068

---

20250110 JPulsepot - Logic Flaw

Lost: 21.5K

forge test --contracts ./src/test/2025-01/JPulsepot_exp.sol -vvv --evm-version shanghai

Contract

JPulsepot_exp.sol

Link reference

https://x.com/CertiKAlert/status/1877662352834793639

---

20250108 LPMine - Incorrect reward calculation

Lost: ~24k USDT

forge test --contracts ./src/test/2025-01/LPMine.sol  -vvv --evm-version cancun

Contract

LPMine_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1877030261067571234

---

20250107 IPC Incorrect burn pairs

Lost: ～590k USDT

forge test --contracts ./src/test/2025-01/IPC_exp.sol  -vvv --evm-version cancun

Contract

IPC_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1876663900663370056

---

20250106 Mosca - Logic Flaw

Lost: 19K

forge test --contracts ./src/test/2025-01/Mosca_exp.sol -vvv --evm-version shanghai

Contract

Mosca_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1876884383736430821

---

20250104 SorStaking - Incorrect reward calculation

Lost: ～8 ETH

forge test --contracts ./src/test/2025-01/sorraStaking.sol  -vv --evm-version cancun

Contract

sorraStaking.sol

Link reference

https://x.com/TenArmorAlert/status/1875582709512188394

---

20250104 98Token - Unprotected public function

Lost: 28K USDT

forge test --contracts ./src/test/2025-01/98Token_exp.sol  -vvvv --evm-version cancun

Contract

98#Token_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1875462686353363435

---

20250101 LAURAToken - Pair Balance Manipulation

Lost: 12.34 ETH (~$41.2K USD)

forge test --contracts ./src/test/2025-01/LAURAToken_exp.sol -vvv

Contract

LAURA_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1874455664187023752

---

View Gas Reports

Foundry also has the ability to report the gas used per function call which mimics the behavior of hardhat-gas-reporter. Generally speaking if gas costs per function call is very high, then the likelihood of its success is reduced. Gas optimization is an important activity done by smart contract developers.

Every poc in this repository can produce a gas report like this:

forge test --gas-report --contracts <contract> -vvv

For Example: Let us find out the gas used in the Audius poc

Execution

forge test --gas-report --contracts ./src/test/Audius.exp.sol -vvv

Demo

Bug Reproduce

Moved to DeFiVulnLabs

FlashLoan Testing

Moved to DeFiLabs