This document catalogs the most significant DeFi vault exploits between 2020 and 2026. The goal is not to shame protocols, but to extract technical lessons for builders. Each entry includes what happened, the financial impact, the parties involved, and the precise technical attack vector. If you are building treasury infrastructure, these are the failure modes you must design against.
2026 Update: The Year of Key Compromises
2026 has seen a dramatic shift in attack vectors. According to Chainalysis, private key compromises now account for 88% of all crypto theft (up from 55% in 2024). Step Finance, IoTeX, and other major protocols have lost over $60M combined not to code bugs, but to compromised executive devices and stolen keys. The attack surface has moved from smart contracts to humans holding signing authority.
The Attack Chronology
Step Finance — Private Key Compromise
What happened: An attacker compromised Step Finance executive devices through a phishing/social engineering attack. Using the stolen keys, they transferred stake authorization to their own wallet, unstaked 261,854 SOL ($27.3M), and drained the treasury. The smart contracts worked flawlessly — the humans failed.
$27.3 million (261,854 SOL)
Step Finance (victim), executive team (compromised), CertiK (auditor of contracts)
- • Attacker gained access to executive team devices (likely via phishing email)
- • Transferred stake authorization from Step's treasury wallets to attacker-controlled address
- • Unstaked 261,854 SOL (requires direct wallet permissions on Solana)
- • Withdrew all SOL to attacker wallet in single transaction
- • Bridge-hopped funds via THORChain to Bitcoin (66.77 BTC parked in 4 wallets)
- • Step recovered $4.7M via Token22 protections on Remora assets
Root cause: Weak key management with insufficient access controls. No multi-sig requirement for treasury operations. Single points of failure in signing authority. No monitoring/offline alerting during APAC hours when attack occurred.
Truebit — Integer Overflow in Legacy Code
What happened: An attacker exploited a 5-year-old unaudited contract with unverified bytecode. By passing astronomical values to the minting function, they triggered an integer overflow in an unprotected addition operation, minting 240M+ TRU tokens for essentially zero cost, then burning them for ETH at a 12.5% buyback rate.
$26.2 million (8,535 ETH)
Truebit Protocol (victim), no auditors (code unverified), Banteg (flagged risk in 2021)
- • Target: 5-year-old contract with unverified bytecode (Solidity v0.5.3)
- • Attacker reverse-engineered bytecode to find overflow vulnerability
- • Called getPurchasePrice() with absurdly large mint amounts
- • Unprotected addition overflowed, wrapping to near-zero
- • Cost to mint 240M TRU: essentially zero ETH
- • Burned tokens for ETH at 12.5% buyback rate (bonding curve mechanic)
- • Five iterations in single transaction extracted 8,535 ETH
Root cause: Pre-Solidity 0.8.x compiler without automatic overflow protection. Unverified bytecode meant no community audit. Contract sat dormant for 5 years — a "relic hunter" target. No supply cap or per-transaction limits.
YieldBlox — Oracle Manipulation via Illiquid Collateral
What happened: An attacker exploited a community-managed Blend V2 pool by manipulating the price of USTRY — a yield-bearing stablebond with effectively zero market depth. A single trade pumped USTRY 100x on the Stellar DEX, which the VWAP oracle dutifully reported as truth, allowing the attacker to borrow $10.97M against collateral worth ~$160K.
$10.97 million (1M USDC + 61M XLM)
YieldBlox/Script3 (victim), Reflector (oracle), Code4rena/Certora (auditors of Blend V2)
- • USTRY/USDC market on SDEX had <$1 in hourly volume, effectively a ghost town
- • Attacker placed sell offer for 1.2 USTRY at 107 USDC (100x real price)
- • Bought 0.05 USTRY against their own offer — that 50¢ trade became the VWAP
- • Reflector oracle reported $106.74 (poisoned) vs real $1.06
- • Deposited 153K USTRY (~$160K real) as collateral worth $16M per oracle
- • Borrowed 1M USDC + 61M XLM against inflated collateral
- • No circuit breaker fired; no deviation check; no staleness flag on dead market
Root cause: Four stacked failures: (1) Illiquid collateral listed without liquidity thresholds, (2) Single-source VWAP oracle with no median/deviation checks, (3) Oracle adapter passed raw last price without validation, (4) No circuit breakers for dead markets. Auditors checked contract logic but never scoped the economic reality of the collateral market.
IoTeX — Private Key Compromise (Bridge)
What happened: An attacker obtained the owner key to IoTeX's ioTube bridge validator contract. With unchecked upgrade authority, they pushed a malicious contract version, seized control of the TokenSafe and MinterPool, drained $4.4M in real assets, and minted 821M CIOTX tokens. A single EOA held the keys to everything.
$4.4 million + 821M CIOTX minted (86% frozen by team)
IoTeX (victim), ioTube bridge (compromised), Specter/PeckShield (on-chain analysts)
- • Attacker compromised validator owner EOA (0x6dd...148e) after 6-18 months of reconnaissance
- • Called upgrade() on TransferValidatorWithPayload contract
- • Deployed malicious contract with all validation checks stripped
- • No multisig, no timelock, no second signature required for upgrade
- • With ownership secured, transferred TokenSafe and MinterPool control
- • Drained 9 tokens from reserves: USDC, USDT, WBTC, WETH, IOTX, DAI, PAXG, BUSD, UNI
- • Minted 821M CIOTX across 10 transactions via MinterPool
Root cause: Single EOA held unchecked upgrade authority over contracts custodying millions. No multisig requirement, no timelock, no circuit breaker. Architecture assumed the key would never be compromised. IIP-55 (decentralized validator set) was drafted in December 2025 — two months before the hack — but not prioritized until after the vault emptied.
Solv Protocol — Self-Reentrancy via ERC-3525
What happened: Solv's BitcoinReserveOffering (BRO) contract used ERC-3525 (semi-fungible token standard with NFT-like callbacks). The mint function triggered onERC721Received before updating state, allowing the attacker to re-enter and mint twice. The contract was unaudited and excluded from bug bounty coverage despite five audits on other Solv contracts.
$2.73 million (38.05 SolvBTC)
Solv Protocol (victim), Quantstamp/Salus/OpenZeppelin (auditors of OTHER contracts), unaudited BRO contract
- • Contract used doSafeTransferIn() to receive NFT deposits during minting
- • This triggered onERC721Received callback in attacker's contract
- • Callback minted BRO tokens BEFORE execution returned to original mint()
- • Original mint() then minted BRO tokens again
- • Same deposit minted twice (double-mint)
- • Attacker started with 135 BRO, ended with 567 million BRO after 22 loops
- • Swapped BRO for 38.05 SolvBTC (~$2.73M), exited via Tornado Cash
Root cause: Missing reentrancy guard and improper ordering of state updates vs. external calls. The BRO contract was unaudited and explicitly excluded from bug bounty coverage (which only covered Web2 infrastructure and Solana contracts). Security theater: five audits on other contracts created false confidence while the new product shipped without review.
Venus Protocol — Donation Attack (Thena Market)
What happened: An attacker spent 9 months accumulating THE tokens, then bypassed Venus's supply cap via direct ERC-20 transfers (donations) to inflate the vToken exchange rate. This allowed borrowing against collateral that exceeded protocol limits, ultimately leaving $2.15M in bad debt. Code4rena had flagged this exact vector in May 2023; Venus dismissed it as "supported behavior with no negative side effects."
$3.7 million extracted, $2.15M bad debt remaining (1.18M CAKE + 1.84M THE)
Venus Protocol (victim, 4th exploit in 5 years), Thena (token), Code4rena (flagged M-10 in May 2023 — dismissed)
- • Supply cap enforced only in mint() function, not in direct transfer()
- • Attacker accumulated 84% of supply cap via normal deposits (12.2M THE)
- • Transferred 49.5M THE directly to vTHE contract (bypassing cap)
- • Exchange rate inflated 3.81x because contract balance increased without new vTokens minted
- • Same position now represented $12M+ in collateral vs original $3.3M
- • Borrowed against inflated collateral in recursive loop
- • Pumped THE price via buy pressure, borrowed more as oracle caught up
- • Got greedy, liquidation triggered, $30M nominal collateral → $0
Root cause: Supply cap only checked in mint(), bypassable via direct ERC-20 transfers. Code4rena flagged this in May 2023 as M-10; Venus dismissed as "supported behavior with no negative side effects." February 2025 exploit on ZKSync deployment (same vector) was not patched on BNB Chain. This is the 4th Venus exploit in 5 years — institutional memory failure.
Resolv — No Circuit Breakers on Compromised SERVICE_ROLE Key
What happened: A malicious actor gained unauthorized access to Resolv infrastructure through a compromised private key, minting approximately $80M of tokens. No circuit breakers existed to pause minting when abnormal volumes were detected. A single SERVICE_ROLE key had unilateral mint authority.
$25M+ (attacker minted $80M, portion recovered)
Resolv (victim), compromised SERVICE_ROLE key holder, no circuit breaker in place
- • Attacker compromised infrastructure access (likely via phishing/social engineering)
- • Gained control of SERVICE_ROLE key with unilateral mint authority
- • No multi-sig requirement on mint function — single key could mint unlimited supply
- • No circuit breaker to auto-pause when mint volume exceeded thresholds
- • No anomaly detection on mint rate (historical avg vs. attack volume)
- • Minted ~$80M in tokens before manual intervention stopped the drain
Root cause: Single point of failure in key management (no SERVICE_ROLE redundancy) combined with complete absence of circuit breakers. The protocol relied entirely on manual monitoring and response, which was too slow to prevent massive dilution.
Aave — CAPO Oracle Misconfiguration
What happened: Aave's Correlated Asset Price Oracle (CAPO) had a stale snapshot ratio from 2024. When Chaos Labs' automated risk engine pushed an update, a rate limiter prevented the ratio from catching up to market rates, causing the oracle to undervalue wstETH by 2.85% and trigger liquidation of healthy positions. 34 accounts were liquidated for a configuration error they had no part in.
$27.78 million (10,938 wstETH liquidated from 34 accounts)
Aave (victim), Chaos Labs (risk oracle provider), 34 liquidated users
- • CAPO initialized in 2024 with snapshotRatio of ~1.15 for wstETH/stETH
- • Off-chain engine computed correct update: snapshotRatio ~1.2282, timestamp 7 days ago
- • On-chain rate limiter capped single updates at 3% per 3 days
- • Ratio could only update to ~1.1919, but timestamp updated to 7 days ago
- • Formula extrapolated from wrong base: computed ceiling ~1.1939 vs market ~1.2285
- • Aave priced wstETH 2.85% below actual value
- • E-Mode (high leverage) positions liquidated despite being healthy in real markets
- • Similar misconfiguration nearly triggered a month earlier but agent wasn't connected
Root cause: Configuration mismatch between snapshotRatio and snapshotTimestamp parameters. Rate limiter prevented correction as effectively as it prevented manipulation. Stale 2024 anchor couldn't catch up to two years of yield growth. Near-miss a month earlier wasn't investigated thoroughly — institutional memory failure.
Historical exploits from 2020-2025 — foundational patterns that continue to repeat
Harvest Finance — Price Oracle Manipulation
What happened: An attacker exploited Harvest Finance's yield vaults by manipulating the price of stablecoins within Curve pools. Using a $50 million flash loan, the attacker artificially inflated the price of USDT during deposits and deflated it during withdrawals, extracting more value than deposited.
$33.8 million (24,830 ETH)
Harvest Finance (victim), PeckShield / Haechi Labs / CertiK (auditors), Curve Finance (external dependency)
- • The vault calculated share prices using on-chain DEX prices that could be manipulated
- • Attacker swapped $11M USDC → USDT on Curve, inflating USDT price
- • Deposited 60.6M USDT into vault at inflated price (receiving fewer shares)
- • Swapped back, deflating USDT price
- • Withdrew at deflated price, receiving more USDT than deposited (~$500K profit per cycle)
- • Repeated 32 times in 7 minutes
Root cause: Using manipulable on-chain price sources (Curve's get_virtual_price) for vault share calculations without sufficient slippage tolerance checks.
Euler Finance — Donate-to-Reserves Exploit
What happened: An attacker exploited Euler's donateToReserves() function combined with liquidation logic. The donation function failed to update the user's health factor, allowing the attacker to donate away their collateral, become artificially insolvent, then liquidate themselves for profit. All funds later returned by attacker.
$200 million (all funds returned)
Euler Finance (victim), Omniscia (auditor), Aave (flash loan source)
- • Flash borrowed 30M DAI from Aave V2
- • Deposited into Euler to receive eDAI, then borrowed 10x via leverage
- • Called donateToReserves() to donate leveraged eDAI to protocol reserves
- • Function failed to update attacker's health score/accounting
- • Attacker now "underwater" according to Euler's accounting
- • Self-liquidated their own position — liquidation awarded massive collateral at discount
- • Cycle repeated across multiple assets (DAI, WETH, USDC, stETH)
Root cause: donateToReserves() failed to update user health factor after donation. Created path where attacker could donate away debt collateral (but not their debt), then liquidate themselves for profit on collateral they never truly lost.
Curve Finance — Vyper Compiler Reentrancy
What happened: A compiler bug in Vyper (versions 0.2.15, 0.2.16, 0.3.0) caused the @nonreentrant decorator to fail when raw_call was used with default_return_value. This allowed reentrancy attacks against multiple Curve pools simultaneously.
$70+ million (pETH-ETH, msETH-ETH, alETH-ETH, CRV/ETH pools)
Curve Finance (victim), Vyper compiler (bug source), multiple pool LPs
- • Attacker identified Curve pools written in Vyper using affected compiler versions
- • Vyper's raw_call with default_return_value had a bug in @nonreentrant
- • First call triggered external call to token contract
- • Compiler bug: reentrancy lock was not properly set on revert with default return value
- • Attacker re-entered pool contract before first call completed
- • Manipulated balance calculations during reentrancy window
- • Withdrew more than deposited
Root cause: Vyper compiler bug affecting all contracts compiled with versions 0.2.15-0.3.0 using raw_call with default_return_value and @nonreentrant. The reentrancy guard state was reset before external call completed.
The DAO — Recursive Call Reentrancy
What happened: An attacker exploited a reentrancy vulnerability in The DAO's splitDAO function to recursively drain ether from the contract before the balance could be updated. The attacker called the withdraw function repeatedly before the state change, extracting 3.6M ETH (~$60M at the time). This exploit led to the Ethereum hard fork that created Ethereum Classic.
3.6M ETH (~$60 million at time of attack, ~$50M+ recovered later)
The DAO (victim), no formal auditors, Ethereum Foundation (emergency response)
- • Attacker identified reentrancy in splitDAO() function
- • Created a malicious child DAO contract with fallback function
- • Called splitDAO() to withdraw ETH to child DAO
- • Child DAO fallback function recursively called splitDAO() again
- • Each recursive call transferred ETH before parent call updated balance
- • Repeated ~46 times per transaction, draining ~50M ETH per block
- • Attacker also recruited others to use same exploit simultaneously
Root cause: Contract sent ETH before updating internal accounting (checks-effects-interactions pattern violation). No reentrancy guards. Fallback functions in child DAO enabled recursive calls back into parent.
Bybit Safe — Multisig Compromise
What happened: An attacker compromised Bybit's Gnosis Safe multisig through a sophisticated supply chain attack. The attacker gained access to the Safe Wallet developer infrastructure, injected malicious JavaScript into the frontend, and intercepted signing requests. When Bybit signers approved what appeared to be legitimate transactions, the malicious code altered the transaction parameters to send funds to attacker-controlled addresses.
$1.5 billion in ETH and staked ETH derivatives (largest crypto theft in history)
Bybit (victim), Safe Wallet (compromised infrastructure), Gnosis Safe (multisig contracts)
- • Attacker compromised Safe Wallet developer machine or build pipeline
- • Injected malicious JavaScript into Safe Wallet web application
- • JavaScript intercepted legitimate signing requests from Bybit signers
- • Displayed fake transaction details to signers while altering actual payload
- • Signers approved what appeared to be routine transfers
- • Malicious code substituted attacker addresses in final signed transaction
- • Multiple signers approved without detecting the parameter manipulation
Root cause: Supply chain compromise of trusted frontend infrastructure. No code vulnerability in Gnosis Safe contracts — the attack was at the application layer where user interface was compromised to mislead signers about what they were approving.
Beanstalk — Flash Loan Governance Attack
What happened: An attacker used a flash loan to acquire majority voting power and passed an emergency governance proposal that drained the protocol treasury. The key vulnerability was that governance tokens were not locked and voting + execution could happen in the same transaction.
$181 million (attacker kept ~$76M)
Beanstalk (victim), Omniscia (auditor), Aave/Uniswap/SushiSwap (flash loan sources)
- • Flash loaned $1B+ in stablecoins from Aave
- • Added liquidity to BEAN Curve pools, acquiring 32M BEAN governance tokens
- • Voted on malicious BIP-18 proposal (submitted 1 day earlier)
- • Called emergencyCommit() to execute immediately in same transaction
- • Proposal transferred all protocol assets to attacker
- • Removed liquidity, repaid flash loans, kept ~$76M profit
Root cause: No vote-escrow locking mechanism; governance tokens could be flash-borrowed. Voting and execution in same block allowed atomic governance takeover.
Pattern Analysis
Common Attack Categories
1. Private Key Compromise (2026 Trend — 88% of theft)
Step Finance, IoTeX. The attack surface has moved from smart contracts to humans holding signing authority. Executive devices compromised via phishing, social engineering, or long-horizon infiltration. Single EOAs holding upgrade authority with no multisig/timelock. Mitigation: Multi-sig requirements (3-of-5 minimum), hardware wallets with offline signing, timelocks on all sensitive operations, executive security training, and monitoring during off-hours.
2. Oracle Manipulation (~35% of exploits)
YieldBlox, Harvest, Yearn, Radiant, Venus, Aave. Whether using spot DEX prices, internal exchange rates, VWAP from ghost-town markets, or stale configuration snapshots — the lesson is consistent: on-chain prices can lie, and your protocol will believe them. Use multi-source oracles with deviation checks. Cap prices to prevent outliers. Circuit-break dead markets.
3. Reentrancy (~20% of exploits)
Solv, Cream (ERC-777), Curve/Vyper (compiler bug). Any external call during state transitions is a risk. Checks-effects-interactions pattern and reentrancy guards are mandatory when integrating tokens with callbacks or making external calls. New token standards (ERC-3525) carry old risks.
4. Legacy Code / Relic Hunters (~15% of 2026 exploits)
Truebit. Contracts sitting dormant for years with unverified bytecode, old compiler versions, and known but unpatched vulnerabilities. Attackers now systematically hunt legacy contracts. Mitigation: Deprecate or sunset old contracts. Re-audit legacy code. Verify all bytecode on Etherscan. Upgrade to modern compiler versions with overflow protection.
5. Audit Scope Gaps (Security Theater)
Solv, YieldBlox. Five audits on some contracts, zero on the one that got exploited. Auditors scoped contract logic but not economic reality of collateral markets. Bug bounty programs that exclude new contracts. Lesson: Audit every contract that touches user funds. Economic audit of collateral markets is as important as code audit.
6. Supply Cap / Collateral Accounting Bypass
Venus, Euler. Every path that affects effective collateral must be accounted for — including direct transfers, donations, and rounding at the extremes. Code4rena flagged Venus's donation vector in 2023; it was dismissed. Near-misses should trigger reviews, not relief.
8. Missing Circuit Breakers
Resolv. No automatic pause when $80M was minted in minutes. No volume anomaly detection. No mint caps per block. Every protocol should have automated circuit breakers: mint caps, volume thresholds, price deviation triggers, and hot wallet limits. Manual response is too slow.
Design Recommendations
For vault developers, the following mitigations address the failure modes documented above:
⚡ CIRCUIT BREAKERS (Post-Resolv Update)
The Resolv $25M+ hack (March 2026) exposed a critical gap: no automatic pause when anomalies are detected. A single compromised SERVICE_ROLE key minted $80M tokens with no circuit breaker to stop it.
- • Mint caps per block: Hard limit on mintable supply within single block (e.g., max 1% of total supply per hour). Require multi-sig to exceed.
- • Volume anomaly detection: Auto-pause if daily volume exceeds 3-sigma historical average. Requires governance vote to unpause.
- • Price deviation triggers: Pause minting/borrowing if oracle price deviates >5% from reference sources. Prevent oracle manipulation exploits.
- • Hot wallet limits: Treasury wallets should auto-pause if outbound transfers exceed daily limits. Require cold wallet multi-sig to resume.
- • SERVICE_ROLE redundancy: No single key should have unilateral mint/upgrade authority. Require 2-of-3 or 3-of-5 for all privileged operations.
- Use manipulation-resistant oracles: Never use raw DEX spot prices for share calculations. Use TWAPs, Chainlink feeds, or the lower of two sources. Cap prices to prevent outliers. Implement deviation checks (>5% triggers circuit breaker).
- Implement comprehensive reentrancy protection: Use OpenZeppelin's ReentrancyGuard on all functions that make external calls or accept callbacks. Apply checks-effects-interactions pattern religiously. New token standards (ERC-3525, ERC-777) carry old risks.
- Audit every contract that touches user funds: Security theater is dangerous. Five audits on some contracts while shipping unaudited new products creates false confidence. Include economic audits of collateral markets, not just code.
- Deprecate or sunset legacy contracts: Contracts sitting dormant for years are being systematically hunted. Verify all bytecode. Upgrade to modern compiler versions. If not maintained, sunset it.
- Validate all entry points: Supply caps, deposit limits, and access controls must apply to every function path — including direct ERC-20 transfers to the contract. Don't dismiss audit findings as "supported behavior."
- Account for rounding: Use virtual shares/assets pattern (OpenZeppelin v4.9+) to prevent inflation attacks. Be especially careful when totalSupply is small.
- Review configuration drift: Stale parameters are silent killers. Automated oracles need human oversight. Near-misses should trigger reviews, not relief. Investigate every anomaly.
- Pin compiler versions: Use specific compiler versions, verify bytecode matches source, and stay aware of compiler-level bugs that could affect security assumptions.
- Block arbitrary external calls: Never allow user-controlled target addresses or calldata in contracts that hold funds. All external calls should be to whitelisted targets with validated parameters.
- Use vote-escrow for governance: If governance controls funds, require token locking (1+ weeks minimum). This eliminates flash loan governance attacks entirely.
Last Updated: March 22, 2026 · Sources: Rekt News, protocol post-mortems, on-chain analysis, Chainalysis Q1 2026 report