DeFi is once again a hotbed of security incidents: 14 DeFi projects attacked this month, total losses over $250 million

BSC was the chain most frequently targeted by attackers, and Venus suffered the largest single loss at over $100 million.

The DeFi industry has grown rapidly this year, with new DeFi projects launching one after another and total value locked peaking at nearly $90 billion. That growth has also made DeFi a coveted target for attackers, not least because many projects ship with little or no code auditing. In May in particular, the frequency of DeFi security incidents rose sharply.

According to Chain Catcher's count, 27 DeFi projects have been hacked so far this year, at least 14 of them this month: on average one DeFi project attacked every two days, with total losses of at least $250 million, making May the most frequent and most costly month in DeFi history.

Specifically, the DeFi projects hacked this month include BurgerSwap, Julswap, Merlin, AutoShark Finance, Bogged Finance, PancakeBunny, Venus, FinNexus, bEarn Fi, EOS Nation, xToken, Rari Capital, Value DeFi, and Spartan.

Among these incidents, flash loans were the dominant attack technique, used against at least 7 projects; BSC was the most active chain for attackers, with at least 11 of the attacks happening on the BSC public chain; and the amounts were generally large, with at least 7 projects losing more than $10 million each and Venus, the worst hit, losing more than $100 million.

The following is Chain Catcher's detailed compilation of the 14 DeFi project attacks this month.

BurgerSwap
Amount lost: about $7 million

Brief description: On May 28, BurgerSwap, a BSC-based AMM project, was hit by a flash loan attack and over 432,874 BURGER were stolen.

Julswap
Loss amount: Unknown

Brief description: On May 28, Julswap, a BSC-based AMM project, was hit by a flash loan attack, and its token price dropped by as much as 90%.

Merlin
Loss amount: About $680,000

Description: On May 26, Merlin, a BSC-based auto-compounding yield aggregator, was hacked. Because of a flaw in the project's getReward logic, the attacker transferred a large amount of CAKE directly into the Vault contract, which caused about 59,000 extra MERL to be minted; selling them brought in about 240 ETH.

Solution: The team will airdrop a compensation token, cMERL, to users; holders of this token will be able to claim BNB rewards from a compensation pool. In addition, development team funds will be used for a burn-and-buyback campaign to restore the token price.

AutoShark Finance
Amount lost: approximately $820,000

Short description: On May 25, AutoShark Finance, a BSC-based fixed-rate protocol, was hit by a flash loan attack. Working from an incorrect LP value and an incorrect fee amount, the SharkMinter contract computed an enormous contribution for the attacker and minted a correspondingly huge amount of SHARK to them, crashing the price from $1.20 to $0.01; the attacker made about $820,000 in profit.

Solution: The team said it will issue a new token, JAWS, to compensate affected users.

Bogged Finance
Loss amount: $3 million

Description: On May 23, Bogged Finance, a BSC-based aggregator trading platform, officially stated that attackers had used a flash loan against a vulnerability in the staking function of the BOG token contract. By routing through the PancakePair swap code, the attacker withdrew staking rewards before the contract's checks had completed, minting over 15 million BOG tokens, most of which should have gone to BOG stakers.

Solution: Issue new tokens and return the stolen BOG to the affected stakers.

PancakeBunny
Amount lost: approximately $42 million

Brief description: On May 20, PancakeBunny, a BSC-based DeFi yield aggregator, suffered a flash loan attack, losing 114,631 BNB and 697,245 BUNNY; the BUNNY was minted and dumped in large quantities by the attacker, and the price flash-crashed from $240 to below $2 at one point. According to the CertiK security team's investigation, PancakeBunny used the PancakeSwap AMM for asset price calculation, so the attacker used a flash loan to manipulate the price in the AMM pool and then exploited a calculation flaw in Bunny's minting logic to complete the attack.

Solution: PancakeBunny will compensate the original BUNNY holders for the loss caused by the price crash by issuing a new token, pBUNNY, and creating a compensation pool.
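The PancakeBunny and AutoShark incidents above share one pattern: a minter values the attacker's deposit off an AMM spot price that the attacker has just skewed with a flash loan. The following is an added example, not Chain Catcher's text or any project's code, that models that pattern with a toy constant-product pool and a hypothetical reward minter, then shows how a price averaged over earlier blocks (a TWAP) does not see the in-transaction manipulation. The pool reserves, loan size, fee and minting rule are all constructed assumptions.

```python
"""
Added example (not from the page or any project): a toy x*y=k AMM plus a
hypothetical reward minter that values deposits at the pool's spot price.
A flash-loan swap in the same transaction inflates that price; a TWAP sampled
in earlier blocks does not. All numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """x * y = k pool holding token A (think BNB) and token B (think BUNNY)."""
    reserve_a: float
    reserve_b: float
    fee: float = 0.0025  # assumed PancakeSwap-style fee taken from the input side

    def spot_price_b_in_a(self) -> float:
        # Marginal price of one B in units of A, read straight from reserves.
        return self.reserve_a / self.reserve_b

    @staticmethod
    def _amount_out(amount_in, reserve_in, reserve_out, fee):
        amount_in_after_fee = amount_in * (1 - fee)
        return reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)

    def swap_a_for_b(self, amount_a: float) -> float:
        out = self._amount_out(amount_a, self.reserve_a, self.reserve_b, self.fee)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out

    def swap_b_for_a(self, amount_b: float) -> float:
        out = self._amount_out(amount_b, self.reserve_b, self.reserve_a, self.fee)
        self.reserve_b += amount_b
        self.reserve_a -= out
        return out


class TwapOracle:
    """Averages spot prices recorded once per block. Whatever happens inside the
    current block, including a flash-loan swap, is not in the samples yet."""

    def __init__(self, pool: ConstantProductPool, window: int = 10):
        self.pool = pool
        self.window = window
        self.samples = []

    def on_new_block(self) -> None:
        self.samples.append(self.pool.spot_price_b_in_a())
        self.samples = self.samples[-self.window:]

    def price_b_in_a(self) -> float:
        return sum(self.samples) / len(self.samples)


def reward_for_deposit(amount_b: float, price_b_in_a: float, reward_per_a: float = 1.0) -> float:
    """Hypothetical vault rule: mint reward proportional to the A-denominated
    value of the B deposited, using whatever price the vault trusts."""
    return amount_b * price_b_in_a * reward_per_a


def flash_loan_attack(pool: ConstantProductPool, price_fn, loan_a: float) -> dict:
    """One atomic transaction: borrow A, push B's price up, deposit B at the
    inflated valuation (deposit assumed withdrawable), unwind, repay the loan."""
    fair_price = pool.spot_price_b_in_a()       # price before manipulation
    b_bought = pool.swap_a_for_b(loan_a)        # reserves skew: B scarce, A plentiful
    minted = reward_for_deposit(b_bought, price_fn())
    fair_reward = reward_for_deposit(b_bought, fair_price)
    a_recovered = pool.swap_b_for_a(b_bought)   # unwind; loan_a still has to be repaid
    return {"minted": minted, "fair_reward": fair_reward,
            "round_trip_cost_a": loan_a - a_recovered}


def overvaluation_ratio(oracle_kind: str) -> float:
    """How many times more reward the attacker is minted than the deposit is worth."""
    pool = ConstantProductPool(reserve_a=10_000.0, reserve_b=1_000_000.0)  # constructed: 1 B = 0.01 A
    twap = TwapOracle(pool)
    for _ in range(10):                        # ten quiet blocks before the attack block
        twap.on_new_block()
    if oracle_kind == "spot":
        price_fn = pool.spot_price_b_in_a      # what the vulnerable minter does
    elif oracle_kind == "twap":
        price_fn = twap.price_b_in_a           # hardened: prior-block average
    else:
        raise ValueError(oracle_kind)
    result = flash_loan_attack(pool, price_fn, loan_a=100_000.0)  # constructed loan size
    return result["minted"] / result["fair_reward"]


if __name__ == "__main__":
    for kind in ("spot", "twap"):
        print(f"{kind}: attacker is minted {overvaluation_ratio(kind):.1f}x fair value")
```

With these constructed numbers the spot-priced minter hands the attacker roughly 120 times the fair reward for a round-trip cost of only a few dozen units of A in swap fees, while the TWAP-priced minter pays exactly fair value, so the attack loses money. The practical lesson is the one CertiK's finding points at: never value a deposit, collateral or LP share off a reserve ratio that the same transaction can move.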

Venus
Loss amount: over $100 million

Description: On the evening of May 18, the price of XVS, the token of BSC-based lending platform Venus, was pushed up roughly twofold by a whale, who then borrowed hundreds of millions of dollars' worth of BTC and ETH against XVS collateral and transferred the funds out. The XVS price then collapsed and the positions became liquidatable, but because the XVS market lacked the liquidity to absorb the collateral, the system could not liquidate them in time, leaving Venus with bad debt of over $100 million.

Solution: Venus sold a portion of its XVS tokens to Binance to cover the platform's losses.

FinNexus
Loss amount: $7 million

Description: On May 17, FinNexus, an on-chain options protocol, was hacked. The attacker obtained the private key of the FNX token contract's administrator and used it to mint over 323 million FNX, which were then sold on centralized and decentralized exchanges, causing the price to plummet.

Solution: The FinNexus team says it will issue new tokens and compensate all users who held FNX before the hack on a 1-for-1 basis; liquidity providers on DEXs, who suffered larger losses, will receive additional compensation.

bEarn Fi
Amount lost: approximately $10.86 million

Short description: On May 16, bEarn Fi, a BSC-based cross-chain DeFi protocol, had the BUSD-Alpaca strategy of its bVaults drained by a flash loan attack that took nearly 10.86 million BUSD from the pool.

Solution: bEarn Fi said it will set up a compensation fund from its remaining reserves, development funds, DAO funds and a share of protocol fees; a balance snapshot will then be taken and a compensation contract deployed.

EOS Nation
Amount lost: $15 million

Description: On May 14, EOS Nation's flash loan smart contract suffered a reentrancy attack, and about 1.2 million EOS and 462,000 USDT were stolen in succession.

Solution: EOS Nation said the lost funds are under the control of the EOS block producers' account eosio.prods; a proposal to change the attacker's EOS account permissions has been put forward, and once it passes the funds will be returned to users.

xToken
Amount lost: approximately $25 million

Description: On May 13, xToken, a DeFi staking and liquidity strategy platform, was hit by a flash loan attack that instantly drained the liquidity of the xBNTa Bancor pool and the xSNXa Balancer pool, for a loss of approximately $25 million.

Solution: The xToken team stated that it plans to use 2% of the total XTK supply to cover the stolen losses.

Rari Capital
Loss amount: $14 million

Description: On May 8, the ETH pool of Rari Capital, a DeFi smart investment protocol, was exploited through its integration with the Alpha Finance Lab protocol: by deploying a helper contract, the attacker was able to manipulate the reported price of the ibETH token, costing Rari $14 million.

Solution: Rari Capital will return the 2 million RGT reserved for team expansion to the DAO, to compensate users affected by the attack and reward contributors.

Value DeFi
Loss amount: $15 million in total on two occasions

Brief description: Value DeFi, a DeFi protocol on Ethereum and BSC, suffered two attacks, on May 5 and May 7. The first exploited a code vulnerability in Value DeFi's ProfitSharingRewardPool contract, affecting its vStake pool, with a total loss of over 200,000 BUSD and 8,790 BNB; the second exploited a code vulnerability in Value DeFi's vSwap contract, affecting some IRON Finance pools and products.

Solution: The team will use 8,530 VALUE from the insurance fund and 122,463 VALUE from the multisig wallet, 130,994 VALUE in total, and the remaining 251,702 VALUE will be compensated from the team's own VALUE.

Spartan
Loss amount: $30 million

Short description: On May 2, Spartan Pools V1, a BSC-based synthetic asset protocol, was attacked; because of a flaw in how liquidity shares were calculated, the attacker was able to drain approximately $30 million from the pool.

Solution: Issue new SPARTA tokens, using the original 20 million unissued tokens to compensate the pool LPs who suffered losses in the attack.

