A Historical Collection of Reentrancy Attacks

As part of my effort to prevent reentrancy attacks at the (Solidity) language level, I compiled a list of known reentrancy attacks.

A chronological and (hopefully) complete list of reentrancy attacks to date:

• WETH white hat attack – June 11, 2016
• The DAO attack – June 17, 2016
• SpankChain attack – October 9, 2018
• imBTC Uniswap pool attack – April 18, 2020
• Lendf.Me attack – April 19, 2020
• Akropolis attack – November 12, 2020
• ValueDeFi attack – May 7, 2021
• Rari Capital attack – May 8, 2021
• BurgerSwap attack – May 27, 2021
• Iron Finance attack – June 16, 2021
• PolyDEX attack – June 20, 2021
• DeFiPie attack – July 12, 2021
• Sanshu Inu attack – July 20, 2021
• C.R.E.A.M. Finance attack – August 30, 2021
• Grim Finance attack – December 18, 2021
• Visor Finance attack – December 21, 2021
• HypeBears attack – February 3, 2022
• Bacon Protocol attack – March 5, 2022
• Paraluni attack – March 13, 2022
• Hundred Finance attack – March 15, 2022
• Agave Finance attack – March 16, 2022
• Revest Finance attack – March 27, 2022
• Voltage Finance attack – March 31, 2022
• Fei Protocol attack – April 30, 2022
• Bistroo attack – May 7, 2022
• Ownly attack – May 10, 2022
• Omni attack – July 10, 2022

This list can also be found in my repository here.

I also think I found the first (10 Jun 2016) reentrancy attack contract available on GitHub here. This contract was built by Peter Vessenes who was raising the issue to the Solidity/DAO team.

Finally, for anyone interested in the history behind the first reentrancy attack I really recommend checking out issue 1 in my reentrancy-attacks list repo; awesome historical insights!

I try my best to find internet archive links to all relevant URLs in order to preserve history!