List of Ethereum Smart Contracts Post-Mortems

Note: Also check our Compiled List of Solidity Vulnerabilities.

When things go wrong with the development, testing and auditing processes, vulnerable contracts are deployed to mainnet and go into production.
These vulnerabilities are then either found by the good hackers and the project is patched, or they are exploited by the bad hackers and the project crashes. Sometimes weird things happen, when the definitions of good, bad, and crash are not very clear.

But this is how we learn. Things go wrong and then we figure out ways to make it better next time. It’s a very interesting cycle, full of drama and epic moments that we will always remember.

Here we would like to make a list of the post-mortems that describe why things went wrong. We are not in a hurry, so this will be a wiki post to which we can all contribute and complete over time. Let’s start…


Non-standard ERC20 deflationary tokens on Balancer

Bancor public safeTransferFrom function


Etheroll fork manipulation

Hegic wrong loop

sUSD pool contract vulnerability

ERC777 Reentrancy exploit in Uniswap and


Hegic DAI liquidity pool exploit

Aragon bugs in Jurors Registry and Dispute Manager


Authereum Metatransactions Order

Published on February 18th, 2020.

Fulcrum Flash Loan and Oracle Manipulation

Published on February 17th, 2020.


Curve Finance exchange of the same asset

ENS shady transfer


Synthetix Reentrancy in Withdrawals


Cheeze Wizards Timeout


DDEX and bZx Exchange Price Manipulation

ENS Short Domains Auction


MakerDAO Auction Lack of Validation


Livepeer Slashing Vulnerability

Published on July 29th, 2019.

0x Invalid Signatures

Published on July 13th, 2019.

Edgeware Lockdrop Denial of Service

The Edgeware project plans to give away their EDG tokens in exchange for locked ether or a signal of interest by ether holders. There was a bug in the contract that allowed people to deposit ether to a future lock contract and bring the lockdrop to a halt. The bug was patched and a new lockdrop contract was deployed. No funds were at risk.
Found and responsibly disclosed by Neil McLaren. Published on July 1st, 2019.


MakerDAO’s Governance Vulnerability

Published on May 6th, 2019.


Genesis Alpha DAO Untrusted Repeated Calls


SpankChain Reentrancy Issue in Payment Channels

Published on October 8th, 2018.


PoWH Coin Ponzi Scheme Overflow

Published on February 1st, 2018.


Parity Multi-Sig Library Self-Destruct

Published on November 8th, 2017.


Bancor Front-running

Published on August 17th, 2017.


Parity Multi-Sig Unguarded Reset Ownership

Published on July 21st, 2017.


The DAO Reentrancy Hack

Published on June 17th, 2016.


GovernMental Denial of Service

Published on April 26th, 2016.


King of the Ether Unchecked Return Value

Published on February 20th, 2016.

Other classifications of vulnerabilities