Decentralized finance (DeFi) refers to blockchain applications that remove middlemen from financial products and services such as loans, savings and swaps. While DeFi brings high rewards, it also brings a lot of risk.
Since almost anyone can start a DeFi protocol and write smart contracts, flaws in the code are common, and there are plenty of unscrupulous actors ready and able to exploit them. When they do, millions of dollars are stolen, and users often have no recourse.
According to a November report by Elliptic, DeFi users lost $10.5 billion to theft in 2021. But as our list of the largest DeFi exploits shows, that number has grown by the millions since.
(All numbers below are the value of funds at the time of the event.)
13. Grim Finance: $30 million
dApps often take their theme inspiration from the blockchains on which they are built. As such, the Avalanche ecosystem is full of references such as Snowtrace, Blizz, and Defrost. Meanwhile, the Fantom ecosystem feels like an on-chain Halloween party. This adds a darker spin when things go wrong, as was the case with yield optimizer protocol Grim Finance.
In December 2021, the protocol suffered a reentrancy attack, a vulnerability in which an attacker calls back into a contract and forges additional deposits to a vault before the previous call has finished updating the contract's state. Ultimately, the attack tricked the smart contract into releasing $30 million worth of Fantom tokens.
DeFi protocols often use reentrancy protections, snippets of code that prevent such attacks. Solidity Finance's audit report of Grim Finance incorrectly states that the protocol has reentrancy protections, a reminder that audits do not guarantee that vulnerabilities will not occur.
12. Meerkat Finance: $31 million
Sometimes, DeFi protocols suffer their first attack very quickly. Binance Smart Chain-based lending protocol Meerkat Finance lost $31 million in user funds just one day after its launch in March 2021.
The attacker called a function in the contract that made their address the owner of the vault, draining the project's $13.96 million in Binance's stablecoin, BUSD, and another 73,000 BNB (Binance's native token). The BNB was worth about $17.4 million at the time.
Many users see this as an inside job: a rug pull by the protocol's own developers. Meerkat Finance denies the allegations.
11. Vee Finance: $35 million
Summer 2021 saw increased activity on Avalanche, which also attracted those eager to take advantage of the emerging ecosystem.
In September 2021, just a week after lending platform Vee Finance celebrated a milestone of $300 million in total locked assets, it suffered the largest attack on the Avalanche network to date.
The attack succeeded primarily because Vee Finance's leveraged trading functionality relied on token prices provided by Pangolin, Avalanche's primary liquidity protocol. To abuse this, the attackers created 7 trading pairs on Pangolin, provided liquidity, and then traded with leverage on Vee. This allowed them to drain $35 million in cryptocurrency from the protocol.
In a tweet addressed to "Dear Sir/Madam 0x**95BA," the protocol asked the attackers to return the funds under a bounty program that would let them keep a portion. But the Vee hackers have shown no willingness to return the funds.
10. PancakeBunny: $45 million
Cryptocurrencies often go through brief but intense fads. In spring 2021, Binance Smart Chain (BSC, now just BNB Chain) was the hottest DeFi trend, especially for retail users, thanks to its lower network fees.
But BSC has also suffered a number of scams and hacks, the biggest of which was the May 2021 attack on yield farming protocol PancakeBunny.
A hacker manipulated PancakeBunny’s pricing algorithm through a series of eight flash loan attacks, inflating the price of the protocol’s native token, $BUNNY. Hackers made $45 million by buying BUNNY at a low market price and selling it at an artificially inflated price.
9. bZx: $55 million
Multi-chain lending protocol bZx was hacked in November 2021 after the “private keys” were leaked. The protocol lost a combined $55 million on Binance Smart Chain and Polygon.
But bZx has experienced similar pain twice before.
While flash loan attacks are a common DeFi attack tactic today, bZx is an "OG" in this regard. It suffered a flash loan attack on its margin trading platform Fulcrum in February 2020. Hackers stole 1,300 ETH, worth $366,000 at the time.
In another attack in September 2020, bZx lost 30% of the funds locked in its vaults, worth $8 million at the time. However, users who held open margin positions did not suffer because, as the protocol later stated in a report, the funds were deducted from bZx’s insurance fund.
8. Badger DAO: $120 million
Smart contract bugs are not always the cause when millions of dollars evaporate from DeFi projects.
In December 2021, Bitcoin-to-DeFi bridge Badger DAO lost $120 million after scammers tricked Badger DAO users into approving malicious transactions, giving them control of users' vault funds, which they then transferred out.
Blockchain security firm PeckShield said the protocol's contracts themselves were not compromised; only the user interface was affected.
7. Cream Finance: $130 million
Lending protocol Cream Finance lost $130 million in a flash loan attack in October 2021, the third attack on the protocol.
Flash loans let anyone borrow funds instantly, provided the loan is repaid within the same transaction. Although useful for arbitrage trading, they are widely used by malicious actors to exploit vulnerabilities in DeFi protocols. In Cream Finance's case, the attacker exploited a pricing vulnerability by repeatedly taking flash loans from different Ethereum addresses.
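The Vee Finance and Cream Finance entries share one root cause: a lending or leverage contract that prices collateral from a single liquidity pool, which a flash loan (or a freshly created, thinly funded pair) can move within one transaction. The following added example (not code from Vee, Cream or Pangolin) shows the naive spot-price read next to a defensive wrapper that refuses to act on a pool that is too shallow or a price that has drifted from a manipulation-resistant reference. The `getReserves()` shape follows the Uniswap V2-style pair interface; the reference-oracle interface, the thresholds and all contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not protocol code. Interface for the pair follows the
// Uniswap V2 getReserves() signature; everything else is assumed.

interface IPair {
    function getReserves()
        external
        view
        returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

interface IReferenceOracle {
    // Price of token0 denominated in token1, scaled by 1e18, from a source a
    // single transaction cannot move (a TWAP, or an off-chain aggregated feed).
    function price() external view returns (uint256);
}

contract PriceCheck {
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5 % tolerance (assumed)
    IPair public immutable pair;
    IReferenceOracle public immutable reference;
    uint256 public immutable minReserve0; // minimum pool depth, per token
    uint256 public immutable minReserve1;

    constructor(IPair _pair, IReferenceOracle _reference, uint256 _minReserve0, uint256 _minReserve1) {
        pair = _pair;
        reference = _reference;
        minReserve0 = _minReserve0;
        minReserve1 = _minReserve1;
    }

    // The weak pattern: price straight from current reserves. One large swap,
    // funded by a flash loan, or a new pool seeded with almost nothing, sets
    // this to whatever the caller wants for the duration of the transaction.
    function spotPrice() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        require(r0 > 0 && r1 > 0, "empty pool");
        return (uint256(r1) * 1e18) / uint256(r0);
    }

    // The defensive pattern: only accept the pool if it is deep enough, and
    // only if its spot price agrees with the reference within tolerance.
    // Returning the reference (not the spot) means a tolerated deviation
    // still cannot be exploited.
    function safePrice() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        require(r0 >= minReserve0 && r1 >= minReserve1, "pool too thin");
        uint256 spot = (uint256(r1) * 1e18) / uint256(r0);
        uint256 ref = reference.price();
        require(ref > 0, "reference unavailable");
        uint256 diff = spot > ref ? spot - ref : ref - spot;
        require(diff * 10_000 <= ref * MAX_DEVIATION_BPS, "price deviates from reference");
        return ref;
    }
}
```

A leverage or borrowing function would call `safePrice()` when valuing collateral and revert rather than proceed when it fails; the depth check is what defeats the "create seven new pairs and seed them yourself" route, and the deviation check is what defeats the single-transaction flash loan route.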
Cream Finance has seen this all before. In August 2021, a hacker stole around $25 million in another flash loan attack that primarily targeted Flexa Network’s native token, AMP. In a flash loan attack in February 2021, hackers siphoned $37.5 million from the protocol pool.
6. Vulcan Forged: $140 million
Play-to-earn is one of the latest trends in crypto, but it is not free from old-school tricks and pitfalls, especially those that take advantage of centralized functionality. Vulcan Forged, the gaming monetization platform on Polygon, learned this lesson the hard way when it lost $140 million in user funds in December 2021.
According to the report, a hacker obtained the credentials of the platform's centralized user wallet service, Venly, and used them to obtain the private keys of 96 crypto wallets. The hackers then used those keys to obtain the private keys held in MyForge, the platform's portfolio feature, and eventually stole 4.5 million of Vulcan Forged's native PYR tokens.
Speaking to the community, Vulcan Forged CEO Jamie Thomson said: “Certainly going forward, we will only be using decentralized wallets, so we will never have to face this problem again.”
5. Compound: $150 million
Like most DeFi protocols, lending protocol Compound has a governance token, COMP. The protocol distributes tokens to users under certain conditions.
In October 2021, Compound had a bug, "the best-kept secret in DeFi", that allowed borrowers to claim far more COMP than they were entitled to. The vulnerability involved two of its vaults, or pools of funds on smart contracts. A user could call a specific function on the Reservoir vault, drip(), which replenishes another vault, the Comptroller. The Comptroller then automatically assigned large amounts of COMP to the wrong addresses. The leaking faucet was the result of a bug introduced in a previous protocol update.
After $80 million in COMP went to the wrong people, the team rushed to patch. But before any fix could be deployed, the protocol needed to pass a governance proposal. It was created on October 2nd and finally accepted on October 9th. The vault lost another $68.8 million during the community debate.
How did Compound founder Robert Leshner try to get the money back? Via Twitter: "Anyone who returns COMP to the community is an alien. If a team of alien trolls call me, I'll show up." Almost half of the funds were returned.
4. Beanstalk: $182 million
Flash loans – so useful, but so dangerous. Just two days after celebrating $150 million in assets locked in its protocol, Ethereum-based Beanstalk discovered that $182 million was lost in a flash loan attack. Hackers managed to launder $80 million in Ethereum via Tornado Cash.
Beanstalk is best known for its algorithmic stablecoin BEAN, which is meant to be worth $1. While it managed to stay pegged immediately after the attack, the exploit proved that algorithmic stablecoins are only as stable as the contracts that underpin them.
3. Wormhole: $326 million
As more layer 1 blockchains emerge, users increasingly want to move funds between chains. Cross-chain bridges address this need, but they also introduce new vulnerabilities. The most damaging cross-chain event occurred in January 2022, when the popular bridge Wormhole lost $320 million in Wrapped Ethereum (wETH). wETH is a token pegged 1:1 to the price of ether.
Hackers targeted the bridge on Solana, where users first lock up ether in a smart contract in order to receive an equal amount of wETH. The attackers found a way around this by minting wETH without locking any ETH in Wormhole.
Wormhole's development backer, Jump Trading Group, proactively replenished Wormhole's Ethereum vault, making it whole again.
2. Ronin: $552 million
NFT-powered play-to-earn game Axie Infinity was one of last year's biggest crypto success stories. On March 23, 2022, it fell victim to one of the biggest hacks in the crypto space, with an estimated $552 million in cryptocurrency flowing out of the bridge to its Ronin sidechain via "hacked private keys."
A week later, when Axie Infinity developer Sky Mavis disclosed the exploit, the value of the stolen funds had risen to $622 million.
According to a report by Sky Mavis, the attackers used “a backdoor through our gasless RPC node, which they abused to obtain the signature of the Axie DAO validator”.
Explaining that, due to high user load, Sky Mavis had turned to Axie DAO in November 2021 to help distribute free transactions, the report added: "Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked."
Exploiting this, the attacker was able to sign transactions from five of the nine validator nodes on the Ronin network, including Axie DAO's node and four of Sky Mavis' own. This in turn allowed the attackers to forge withdrawals and claim 173,600 WETH (Wrapped Ethereum) and $25.5 million, for a total of about $622 million.
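Two lessons from the Ronin report are general: a signing privilege that is "discontinued" but never revoked still counts toward the threshold, and a threshold verifier must count distinct, currently authorised signers rather than raw signature count. The following added example (not Ronin or Sky Mavis code) sketches a bridge withdrawal contract that makes validator removal a first-class operation and enforces both properties; the contract layout, the `removeValidator` function and the message encoding are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Ronin bridge code. All names and encodings are
// assumptions; only the 5-of-9 style threshold idea comes from the text.
contract ThresholdWithdrawals {
    uint256 public immutable threshold;            // e.g. 5 of 9
    mapping(address => bool) public isValidator;   // the *current* signer set
    mapping(bytes32 => bool) public executed;      // replay protection
    address public admin;

    // Upper bound on s for a canonical signature (secp256k1 order / 2),
    // rejecting the malleable twin of an otherwise valid signature.
    bytes32 private constant S_MAX = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    event ValidatorRemoved(address indexed validator);

    constructor(address[] memory validators, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= validators.length, "bad threshold");
        for (uint256 i = 0; i < validators.length; i++) {
            isValidator[validators[i]] = true;
        }
        threshold = _threshold;
        admin = msg.sender;
    }

    // Revocation: when a delegated or temporary signer arrangement ends, the
    // key is removed here, not merely no longer used.
    function removeValidator(address v) external {
        require(msg.sender == admin, "not admin");
        isValidator[v] = false;
        emit ValidatorRemoved(v);
    }

    // Signatures must be supplied in strictly ascending signer order, so the
    // same key cannot be counted twice toward the threshold.
    function withdraw(address to, uint256 amount, uint256 nonce, bytes[] calldata sigs) external {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), block.chainid, to, amount, nonce))
        ));
        require(!executed[digest], "already executed");

        address last = address(0);
        uint256 valid = 0;
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = recover(digest, sigs[i]);
            require(signer > last, "unsorted or duplicate signer");
            last = signer;
            if (isValidator[signer]) valid++;   // revoked keys simply do not count
        }
        require(valid >= threshold, "not enough validator signatures");

        executed[digest] = true;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        if (v < 27) v += 27;
        require(s <= S_MAX, "non-canonical signature");
        address a = ecrecover(digest, v, r, s);
        require(a != address(0), "invalid signature");
        return a;
    }

    receive() external payable {}
}
```

The operational counterpart is a periodic review of `isValidator` against the list of parties who are supposed to hold signing authority today; any entry that exists only because nobody called `removeValidator` is the allowlist gap the Ronin report describes.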
Axie Infinity co-founder Jeff Zirlin called it “one of the biggest hacks in history,” noting that “it is possible that [the hackers] will be identified and brought to justice.”
1. Poly Network: $611 million
The Poly Network hack remains the biggest in crypto, not just in DeFi. Fortunately, though, the saga that began on August 10, 2021, came to a successful conclusion three days later after a series of strange twists and turns.
The theft began when a hacker exploited a vulnerability in Poly Network's "contract invocation," the snippet of code that powers the protocol. The hacker quickly stole $611 million in various cryptocurrencies, leading Poly to issue a desperate open letter addressed "Dear Hacker."
This communication attempt, and subsequent outreach efforts, ultimately worked. The protocol offered a $500,000 bounty and gave the hacker the opportunity to become its lead security advisor. But during an on-chain Q&A session, the hacker explained that the exploit was only meant to teach Poly Network a lesson. Returning the stolen funds was "always the plan", they said.
Cryptocurrency security firm SlowMist said it identified the attacker’s identity markers and that the breach was “likely to be a long-planned, organized and prepared attack.”
“Everyone smells the conspiracy now,” the hackers said, denying they were insiders. “But who knows?”
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/inventory-13-of-the-biggest-defi-hacks-and-heists-in-crypto-history/