Exploit Analysis Reports

On March 10, 2026, an attacker exploited the `liquidateBorrow` function of the Alkemi Earn Public lending protocol on Ethereum mainnet (block 24,626,979) to self-liquidate their own solvent position. The root cause is a compound vulnerability: `liquidateBorrow` lacks both a …

On 2026-03-09, the `PurchaseBundler` contract (`0xc10472ac`) deployed on Ethereum (block 24618641) was exploited through an access control bypass in its `executeSell` function. The attacker (`0x8d171c74`) used a purpose-built contract (`0xe95e3cfc`) to call `executeSell` 81 …

On 2026-03-08 at 20:36 UTC (Base block 43093167), an attacker exploited a trivially bypassable `onlySpawnerToken` modifier on the MoltEVM token contract (`0x225da3d879d379ff6510c1cc27ac8535353f501f`) to mint 100,000,000 mEVM tokens at zero cost. The modifier requires only that …

On March 5, 2026, Solv Protocol's Bitcoin Reserve Offering on Ethereum was exploited through a callback-driven logic error in the BRO wrapper at `0x15f7c1ac69f0c102e4f390e45306bd917f21cfcf`, accessed through the beacon proxy at `0x014e6f6ba7a9f4c9a51a0aa3189b5c0a21006869`. The …

**Transaction:** `0xe94a5ed54d0a9aa317c997607d7d1ea9828ad47626d7794b0e4020ff49cdf9a0` **Chain:** Base (Chain ID: 8453) **Block:** 42832267 **Date of Analysis:** 2026-03-04 **Debate Round:** 1

On March 3, 2026, the Inugami staking contract on BNB Chain (`0x2001144a0485b0b3748a167848cdd73837345d73`) was exploited via a logic error in reward-debt initialization. The attacker staked a small amount of LP, sent 1 wei WBNB to reactivate the reward window, and then claimed …

On March 3, 2026 (block 24,575,085), the UniswapV4Router04 contract at `0x00000000000044a361ae3cac094c9d1b14eece97` on Ethereum mainnet was exploited via an authorization bypass vulnerability in its `swap(bytes,uint256)` function. The root cause is a hardcoded calldata offset in …

On March 2, 2026 at 03:00:11 UTC (block 24566937), an attacker exploited an oracle misconfiguration in the Curve LlamaLend sDOLA/crvUSD market on Ethereum. The root cause was the `CryptoFromPoolVaultWAgg` oracle contract (`0x88822ee5`) calling `sDOLA.convertToAssets()` as a spot …

On March 1, 2026, the BUBU2/WBNB PancakeSwap pair on BNB Chain (block 83,955,808) was drained by flash-loan sandwiching a permissionlessly-triggerable burn mechanism inside the BUBU2 token contract.

On 2026-02-28 (BSC block 85677691), the Movie Token ($MT) project was exploited for approximately **381.75 WBNB (~$242K USD)** in a single transaction. The attacker abused the MT token's `extractFromPoolForLpMining` function, which burns tokens directly from the PancakeSwap …