10 matches found

GithubExploit
added last week, 45 views

Drift-Protocol-Exploit-2026

Case Study: Drift Protocol $285M Logic Exploit April 2026 A...

AI score: 6
Exploits: 0

GithubExploit
added 2026/02/24 5:18 p.m., 129 views

Abi-smuggling-exploit

Web3 Security Research Portfolio A collection of smart contra...

AI score: 5.5
Exploits: 0

Code423n4
added 2023/09/07 12:0 a.m., 7 views

Every user's rUSDY balance can be changed suddenly by updating RWADynamicOracle.ranges before block.timestamp

Lines of code Vulnerability details Impact RWADynamicOracle.overrideRange and setRange can change the USDY price in rUSDY and the rUSDY balance in a tx. 1. Users cannot believe the rUSDY balance because ranges can be updated by an admin at any time. 2. When USDY price in rUSDY changes in a tx, a...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/10 12:0 a.m., 9 views

Implementation of Well shift() function allows attackers to completely manipulate the oracles

Lines of code Vulnerability details Description The TWAP mechanism relies on measurements sent to the oracle at various points in time. Before reserve counts change, the TWAP is sent the last reserve counts, which are multiplied by the time passed and added to the accumulator. In MultiFlowPump, i...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/10/10 12:0 a.m., 10 views

Underhanded meaning of expirationTime == 0

Lines of code Vulnerability details Impact The pwner of BlurExchange can reject the rigor of code and fulfill the ambiguity of human expression, forcing a reinterpretation of expirationTime == 0 to "no expiration time at all". Unexpirable orders in the vicissitudes of the crypto markets do not...

AI score: 7.4
Exploits: 0

Code423n4
added 2022/09/08 12:0 a.m., 10 views

Stable/non-stable pair creation mistake could be abused

Lines of code Vulnerability details Impact Stable and non-stable pair use different formula to calculate the invariant k. If a non-stable pair is treated as stable, or vice versa. $x^3y+y^3x$ behave quite differently compare with $xy$, on the edge of relative stable price range, price volatility...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/07/02 12:0 a.m., 5 views

Frequent price update make the project vulnerable to price oracle manipulation

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Frequent price update make the project vulnerable to price oracle manipulation Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof...

AI score: 7.1
Exploits: 0

Code423n4
added 2022/07/01 12:0 a.m., 10 views

A cap is needed on the amount of Note than can be borrowed

Lines of code Vulnerability details Impact The fact that there is no cap on the amount of Note that can be borrowed makes the Oracle Extractable Value unlimited. But as you intend to rely on TWAP, you need to make sure the cost of oracle manipulation is lower than the Oracle Extractable Value...

AI score: 6.5
Exploits: 0

Code423n4
added 2022/05/07 12:0 a.m., 8 views

Loss of Funds Via Malicious Oracle Injection

Lines of code Vulnerability details Issue: The admin account can arbitrarily update the oracle at any time. If the oracle is changed to a malicious or vulnerable oracle, the price may be manipulated to allow undercollateralized borrowing. Consequences: Total loss of protocol funds for an attacker...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/05/01 12:0 a.m., 10 views

Borrower can frontrun lender's call to lend to change the price oracle

Lines of code Vulnerability details Impact In NFTPairWithOracle.lend, params.oracle is not checked. This allow a borrower to watch the mempool and front-run the lender's call and change oracle to avoid liquidation. Proof of Concept function lend address lender, uint256 tokenId, TokenLoanParams...

AI score: 6.8
Exploits: 0