From Bug to Rekt — 4 New Real DeFi Exploits Reproduced on Ethereum
We’ve added four new exploit reproductions to Learn EVM Attacks, our library of real-world DeFi exploit reproductions on the EVM. Each case includes a structured writeup, runnable tests, and an on-chain-grounded breakdown of what failed and how to prevent it. The intent is to make real incidents easier to explore and learn from, without scavenger hunts across threads, dashboards, and partial PoCs.
Futureswap
A fee calculation bug mixed token units with basis points, letting an attacker inflate fee shares and drain funds during position settlement.
1inch Calldata Corruption
A crafted nested-order payload triggered an underflow in Yul assembly, corrupting calldata and hijacking the resolver callback path into a victim contract.
Bunni
A rounding-direction bug in withdrawals became exploitable when repeated, allowing liquidity accounting to drift far enough to support extreme price and liquidity manipulation.
LyraDepositWrapper
Missing validation allowed a zero-amount call to grant an unlimited approval to an arbitrary address, enabling a bot to pull funds that had been mistakenly sent to the contract.
Explore the Full Writeups and Reproductions
Each case on our attack explorer includes the full writeup, references, and a reproduction command so you can run the exploit and follow the call flow end-to-end. If you want to contribute, the repository is open for new reproductions, issues, and pull requests.