| Date | Incident | Loss (USD) |
|---|---|---|
| 2025-05-22 | Math overflow in Cetus AMM's tick-math allowed minting of liquidity positions claiming many orders of magnitude more value than collateral. | $223M |
| 2025-02-21 | Malicious JavaScript injected into Safe.global UI rewrote the multisig payload between the browser and hardware wallet, overwriting the proxy implementation slot. | $1.46B |
| 2024-07-18 | Lazarus-attributed compromise of WazirX-Liminal multisig signing flow drained approximately $235M of users' Ethereum and ERC-20 holdings. | $235M |
| 2023-07-30 | Vyper compiler 0.2.15-0.3.0 emitted broken @nonreentrant decorators, allowing reentrancy across multiple Curve stable pools. | $73M |
| 2023-03-13 | donateToReserves omitted the post-call solvency check, enabling a flash-loan, mint-leverage, donate-collateral, self-liquidate sequence; funds were later returned in full. | $197M |
| 2022-11-11 | FTX commingled customer deposits with Alameda Research's working capital under a sister-company prime-brokerage arrangement; a CoinDesk leak and CZ tweet triggered a five-day run that exposed the shortfall. | $8B+ |
| 2022-05-12 | UST's Luna-burn arbitrage failed reflexively when depeg pressure exceeded Luna's market depth; Anchor's 19.5% yield concentrated 75% of UST in a single yield-aggregator that turned depeg into instant exit-flow. | $40B+ |
| 2022-04-17 | Attacker submitted a malicious BIP titled as Ukraine relief, then in one transaction flash-loaned $1B from Aave to mint majority Stalk voting power, passed the proposal, and drained the silo. | $182M |
| 2022-03-23 | Lazarus spear-phished a Sky Mavis engineer to capture 4 of 9 validator keys, plus a dormant Axie DAO permission for a 5th, breaching the 5-of-9 multisig. | $620M |
| 2022-02-02 | Solana-side verify_signatures used a deprecated function that didn't validate account ownership, letting the attacker forge a synthetic sysvar account vouching for an empty guardian set. | $326M |