
YOLO Games (Bazaar) Incident Analysis


Incident summary

On 10 June 2024, YOLO Games announced via their X account that a security vulnerability had been reported in the Bazaar LBP contract. As a consequence, the YOLO LBP sale was ended early and users holding rYOLO were to be refunded.


The security vulnerability was due to unchecked arguments in the Bazaar LBP smart contract. Anyone was able to withdraw assets from the Bazaar pool by supplying the BazaarLBPFactoryBlast address as the sender argument. A whitehat was first to notice the vulnerability, which they exploited to rescue 392 ETH (~$1,387,475) and 880,539,680 rYOLO. The amount rescued consisted of 354 ETH added to the pool by the project and approximately 39 ETH of users' funds.

Exploit Transactions

Attack Flow

  1. On 9 June at 07:27:23 PM, 0xaEc7, creator of Bazaar Receipt YOLO (rYOLO), added 354 ETH and 888,888,888 YOLO (swapped for rYOLO) to the BazaarVaultBlast pool (0xefb4). https://blastscan.io/tx/0xa99a60a7cfc316c80b3b6450bd2c10ba87a51bde7262fed4cd27c723b4d70e45

  2. On 10 June, a little over 24 hours later, the whitehat called BazaarVaultBlast.exitPool(), withdrawing 392.3689 ETH and 880,539,680 rYOLO.


  3. Within 3 minutes of the exploit transaction the whitehat contacted the project to initiate dialogue.


Vulnerability

Exploiter address: 0x3cf5B87726Af770c94494E886d2A69c42A203884
Vulnerable contract address: 0xdC4A9779D6084C1ab3e815B67eD5e6780cCF4d90

The root cause of the incident was unchecked arguments. The exitPool() function takes four arguments:

  • poolID
  • sender
  • recipient
  • request

The whitehat passed in 0xb66585C4E460D49154D50325CE60aDC44bc900E9 (BazaarLBPFactoryBlast) as the sender. Because the contract never checked that the caller was that sender, or had been authorised to act on its behalf, the whitehat was able to withdraw the tokens the pool held for that address to a recipient of their choosing.
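To make the root cause and the attack flow above concrete, here is an added example written for this analysis. It is not code from the Bazaar contracts, from Balancer, or from CertiK: only the exitPool() argument list (poolId, sender, recipient, request) is taken from the incident, while the storage layout, joinPool(), the relayer-approval mapping and every other name are assumptions chosen to show the bug. exitPoolUnchecked() reproduces the flaw: the sender argument is trusted as supplied, so any caller can name the factory as sender and themselves as recipient. exitPool() adds the missing authorisation check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal illustrative vault written for this write-up. NOT the Bazaar or
// Balancer code: storage layout, joinPool and relayer approval are assumptions;
// only the exitPool() argument list comes from the incident.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ExampleVault {
    struct ExitPoolRequest {
        address[] tokens;
        uint256[] amounts;
    }

    // poolId => account the liquidity is booked to => token => amount (assumed layout)
    mapping(bytes32 => mapping(address => mapping(address => uint256))) public balanceOf;

    // account => relayer => allowed to act for that account (Balancer-style; assumption)
    mapping(address => mapping(address => bool)) public relayerApproved;

    // Liquidity is booked to msg.sender, so a factory contract that joins a pool
    // is the account any later exit must be debited from.
    function joinPool(bytes32 poolId, address[] calldata tokens, uint256[] calldata amounts) external {
        require(tokens.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            require(IERC20(tokens[i]).transferFrom(msg.sender, address(this), amounts[i]), "transferFrom failed");
            balanceOf[poolId][msg.sender][tokens[i]] += amounts[i];
        }
    }

    function setRelayerApproval(address relayer, bool approved) external {
        relayerApproved[msg.sender][relayer] = approved;
    }

    // VULNERABLE: `sender` comes straight from calldata and is never tied to
    // msg.sender. Anyone can name the factory as `sender`, themselves as
    // `recipient`, and drain whatever the factory has booked in the pool.
    function exitPoolUnchecked(
        bytes32 poolId,
        address sender,
        address payable recipient,
        ExitPoolRequest calldata request
    ) external {
        _exit(poolId, sender, recipient, request);
    }

    // HARDENED: the caller must be `sender` itself or a relayer that `sender`
    // has explicitly approved. Balancer V2's Vault enforces the same rule on
    // exitPool through its authenticateFor(sender) modifier.
    function exitPool(
        bytes32 poolId,
        address sender,
        address payable recipient,
        ExitPoolRequest calldata request
    ) external {
        require(
            msg.sender == sender || relayerApproved[sender][msg.sender],
            "caller not authorised for sender"
        );
        _exit(poolId, sender, recipient, request);
    }

    // Shared exit accounting: debit `sender`, pay `recipient`. The balance check
    // alone does not help, because the factory genuinely holds the balance;
    // only the authorisation check in exitPool() stops the drain.
    function _exit(
        bytes32 poolId,
        address sender,
        address payable recipient,
        ExitPoolRequest calldata request
    ) internal {
        require(request.tokens.length == request.amounts.length, "length mismatch");
        for (uint256 i = 0; i < request.tokens.length; i++) {
            address token = request.tokens[i];
            uint256 bal = balanceOf[poolId][sender][token];
            require(bal >= request.amounts[i], "insufficient balance");
            balanceOf[poolId][sender][token] = bal - request.amounts[i];
            require(IERC20(token).transfer(recipient, request.amounts[i]), "transfer failed");
        }
    }
}
```

A call to exitPoolUnchecked(poolId, factory, attacker, request) from any externally owned account succeeds as long as the factory has a balance booked in the pool, which is the shape of the transaction described in the attack flow; the same call on exitPool() reverts unless the factory has approved the caller as a relayer. When reviewing a vault that exposes this signature, the check to look for is that every function taking a sender argument authenticates msg.sender against it before touching that account's balances.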


Whitehat

Fortunately, this exploit was carried out by a whitehat who immediately reached out to the team. The team responded and offered a bounty. Though negotiations were held in private, we can see on-chain that the whitehat returned 353 ETH (90%, $1,274,040) of the stolen funds, keeping 10% as a reward.


After the return of funds YOLO confirmed that refunds had been sent to all users who had entered the YOLO LBP sale.


Conclusion

In this exploit, the whitehat returned a large part of the stolen funds. Since the beginning of 2024, we have observed that out of approximately $1B stolen, around $177,728,142 (about 17%) has been returned. For comparison, that percentage is higher than in 2023, when $1.8 billion of funds were stolen and approximately $219 million returned, around 11.81%. To enhance your web3 security knowledge, join Skynet Quest and check out our dedicated article CertiK - Introducing Skynet Quest: The Web3 Security Journey of a Lifetime.
