Acala's Homa staking protocol contained an unbounded loop in the process_redeem_requests function that could be exploited by an attacker with 12,000+ DOT to create 22,000 redemption requests, causing the validator's on_initialize function to exceed block finalization time limits and halt the entire parachain's block production.
A critical integer truncation vulnerability was discovered in Astar's assets-erc20 precompile that allowed attackers to steal approximately $400,000 USD worth of tokens by exploiting how uint256 amounts are truncated to u128 during ERC-20 transfers, enabling zero-token transfers to appear successful. The vulnerability affected smart contracts that relied on the transfer/transferFrom functions without proper validation of the return value.