Here’s how three DeFi protocols lost $115M in one day

Listen to this article.

Three DeFi protocols were hacked and drained of $115 million yesterday, marking one of the most devastating 24-hour periods in DeFi’s recent history.

Mango Markets, Stax, and Rabby Swap were relieved of $112 million, $2.36 million, and $200,000 respectively. Decentralized exchange aggregator ParaSwap was also reported to have been hit but has since denied the rumors.

Yesterday’s hacks have added to an already bad month for DeFi. Transit swap, a multi-chain decentralized aggregator lost ~$21 million a week ago when a bug was exploited in its smart contract, and on October 7, Binance’s BSC Token Hub was exploited for two million BNB, worth over $580 million.

So, how did the three most recent attacks go down?

Mango Markets

The Solana-based platform, which focused on trading perpetual futures and margin, lost $112 million. 

On Tuesday, a hacker apparently manipulated Mango Markets’ collateral to take out a loan of $116 million that essentially drained the platform of its liquidity. FTX is investigating the matter after online sleuths noticed the hacker used the exchange. Mango Markets has offered a bug bounty if the funds are returned. 

A full breakdown was provided by @joshua_j_lim.

Temple DAO’s Stax

The DeFi protocol, which offers yields on deposits, lost $2.36 million (1,831 ETH) yesterday. 

The hacker exploited a flaw in Temple DAO’s Stax contract system which was meant for switching old stakes to newer contracts using the migrate stake function. According to blockchain security firm Paladin, the contract and the vulnerability that allowed the attack were deployed for over 100 days before someone took advantage.

The auditor also described the hack as “one of the most trivial exploits at scale in a while.”

Read more: Explained: Why hackers keep exploiting cross-blockchain bridges

Rabby Swap

The open-source browser plugin, which allows users to make transfers between different chains was reportedly exploited for $200,000.

The exploit found in its smart contract allowed hackers to transfer user funds. Rabby Swap has since asked users to revoke approvals on all chains and has warned of fake accounts offering help.

Read more: Zcash chain triples in size thanks to $10-a-day spam attack


The decentralized exchange aggregator, which offers users the option to exchange various crypto tokens, was reportedly exploited and it was claimed that funds were stolen on multiple chains. However, ParaSwap quickly shut down claims of a DeFi hack. 

ParaSwap said that it’s not exposed to the profanity vulnerability.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.