April 11, 2023

Euler, Sentiment, Safemoon: What These Exploits Reveal About DeFi’s Weak Points

DeFi isn’t failing because of zero-days — it’s failing because of missed checks, lazy assumptions, and brittle logic. This breakdown of recent exploits (Euler, Sentiment, Safemoon, and more) traces the fault lines back to their origin: unchecked flows, vulnerable primitives, and avoidable patterns. Each case reinforces a simple truth: if you’re waiting for an audit to catch these, you’re already too late.

Hacks Analysis

Euler Finance | Amount Lost: $197M

The attacker used a flash loan to borrow DAI and leveraged Euler Protocol to borrow eDAI and dDAI. By exploiting a vulnerability in the donateToReserves function, the attacker was able to push an account into a liquidatable state, trigger the liquidation, and profit from it. The root cause was a missing checkLiquidity step in donateToReserves: every other path that reduces collateral ends with a health check, but this one did not, so a user could drive their own position underwater and then complete the liquidation themselves.
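The missing-check pattern described above, as an added sketch (not Euler's code): a simplified single-asset market where borrow and withdraw both end with checkLiquidity, shown beside a donate path that skips it and the corrected version. The collateral factor, the 1:1 price and the function names are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified lending market (added illustration, not Euler's code).
// Single asset priced 1:1, so collateral units == collateral value.
contract LendingMarketSketch {
    uint256 constant COLLATERAL_FACTOR_BPS = 7_500; // 75% max loan-to-value (assumed)

    mapping(address => uint256) public collateral; // deposited units
    mapping(address => uint256) public debt;       // borrowed units
    uint256 public reserves;

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        checkLiquidity(msg.sender);   // borrowing cannot leave the account underwater
    }

    function withdraw(uint256 amount) external {
        collateral[msg.sender] -= amount;
        checkLiquidity(msg.sender);   // neither can withdrawing collateral
    }

    // VULNERABLE PATTERN: reduces collateral exactly like withdraw() does,
    // but omits the health check, so the caller can drop their own account
    // below the liquidation line in one step.
    function donateToReservesUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
    }

    // FIXED PATTERN: every path that lowers collateral or raises debt ends
    // with the same invariant check.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        checkLiquidity(msg.sender);
    }

    // Invariant: debt never exceeds the borrowing power of the collateral.
    function checkLiquidity(address account) public view {
        uint256 maxDebt = (collateral[account] * COLLATERAL_FACTOR_BPS) / 10_000;
        require(debt[account] <= maxDebt, "account would be undercollateralized");
    }
}
```

A static rule that flags any function mutating collateral or debt without a trailing checkLiquidity call is the kind of "compare the code base against itself" check the paragraph below refers to.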

Olympix has developed a tool to protect against flash loan attacks resulting from missing-check vulnerabilities. These vulnerabilities and the attack vectors they enable have become increasingly common and dangerous throughout the DeFi ecosystem. The Olympix tool uses static code analysis, traditional statistics, and AI to detect anomalies throughout the code base by comparing the code base against itself, for example a state-changing function that lacks a check its sibling functions all perform.

Sentiment Protocol | Amount Lost: $1M

An attack on Sentiment Protocol resulted in the loss of almost $1 million worth of various tokens and stablecoins. The attacker borrowed 606 WBTC, 10,050 WETH, and 18 million USDC using a flash loan, and deposited these tokens into the Balancer pool used by Sentiment. The attacker exploited a reentrancy window during Balancer's exitPool function: while the pool was returning the deposited tokens to the attacker's account, the pool token's total supply had already been decreased but the pool's token balances had not yet been updated, so the pool token appeared to be backed by more assets than it was. The exploit contract re-entered Sentiment during that window and recursively borrowed assets using the inflated price of the pool token as collateral. Sentiment is continuing to investigate the attack and has implemented a fix to address the vulnerability exploited in the attack.

Poolz Finance | Amount Lost: $500K

The attacker used a vulnerability in the smart contract by invoking the CreateMassPools() method and causing an integer overflow in the array total computed by the GetArraySum() method. Because the wrapped sum was tiny, the TransferInToken() function pulled in almost nothing while the individual pools were still credited with the full (unwrapped) amounts, letting the attacker establish liquidity in the pools and withdraw the gained tokens using the withdraw feature.
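The overflow described above, as an added sketch (not Poolz's code): the same array sum written with wrapping arithmetic, with Solidity 0.8 checked arithmetic, and with an explicit monotonicity assert for code that must keep an unchecked loop. Function and variable names are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Array-sum sketch (added illustration, not Poolz's code). In Solidity < 0.8,
// or inside an `unchecked` block, the running total silently wraps modulo
// 2**256, so the amount transferred in can be far smaller than the amounts
// later credited to each pool.
contract ArraySumSketch {
    // VULNERABLE PATTERN: behaves like pre-0.8 arithmetic.
    function getArraySumUnchecked(uint256[] calldata amounts)
        public pure returns (uint256 total)
    {
        unchecked {
            for (uint256 i = 0; i < amounts.length; i++) {
                total += amounts[i]; // wraps instead of reverting
            }
        }
    }

    // FIXED PATTERN: default checked arithmetic reverts (panic 0x11)
    // as soon as the sum would exceed 2**256 - 1.
    function getArraySum(uint256[] calldata amounts)
        public pure returns (uint256 total)
    {
        for (uint256 i = 0; i < amounts.length; i++) {
            total += amounts[i];
        }
    }

    // Defensive variant for code that keeps an unchecked loop: adding an
    // unsigned value must never make the total smaller.
    function getArraySumAsserted(uint256[] calldata amounts)
        public pure returns (uint256 total)
    {
        for (uint256 i = 0; i < amounts.length; i++) {
            uint256 next;
            unchecked { next = total + amounts[i]; }
            require(next >= total, "array sum overflow");
            total = next;
        }
    }
}
```

A second, independent guard in the caller is to compare the token balance delta after the transfer-in against the computed total and revert on any mismatch.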

Safemoon | Amount Lost: $8.9M

The hacker exploited a public burn()* function in the Safemoon contract, which allowed any user to burn tokens from any other address. This function was used to remove SFM tokens from the liquidity pool, raising their price artificially and allowing the attacker to sell them back to the pool at a profit.

*A burn() function allows the destruction of tokens or coins that exist on a blockchain. When tokens are "burned", they are permanently removed from circulation, decreasing the total supply of the token. Burning tokens out of a liquidity pool's balance changes the pool's reserve ratio, which is why an unrestricted burn directly moves the pool price.
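The authorisation flaw described above, as an added sketch (not Safemoon's code): a minimal token with the unrestricted burn pattern beside the two conventional fixes, a self-only burn and an allowance-gated burnFrom. Names are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token sketch (added illustration, not Safemoon's code).
contract TokenSketch {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // VULNERABLE PATTERN: any caller may burn from any holder, including a
    // liquidity pool, with no ownership or allowance check at all.
    function burnUnchecked(address from, uint256 amount) external {
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }

    // FIX 1: a holder may only burn their own tokens.
    function burn(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on insufficient balance
        totalSupply -= amount;
    }

    // FIX 2: burning on behalf of another holder requires an explicit
    // allowance, exactly as transferFrom does.
    function burnFrom(address from, uint256 amount) external {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "burn amount exceeds allowance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }
}
```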

Hedera | Amount Lost: $515K

An attacker used a suspicious address to deploy a malicious contract that stole assets from various pools. The attack was on Hedera’s mainnet Smart Contract Service code, which resulted in the transfer of Hedera Token Service tokens from victims’ accounts to the attacker’s account. The targeted accounts were on multiple decentralized exchanges that used Uniswap v2-derived contract code, including Pangolin, SaucerSwapLabs, and HeliSwap_DEX.


In Brief

  • Remitano suffered a $2.7M loss due to a private key compromise.
  • GAMBL’s recommendation system was exploited.
  • DAppSocial lost $530K due to a logic vulnerability.
  • Rocketswap’s private keys were inadvertently deployed on the server.


Huobi | Amount Lost: $8M

On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.

Exploit Contract: 0x2abc22eb9a09ebbe7b41737ccde147f586efeb6a
