Review the 13 largest hacking incidents in the history of DeFi

BTC0.0₂₀

ETH0.0₂₀

HTX0.0₂₀

SOL0.0₂₀

BNB0.0₂₀

BTC0.0₂₀

ETH0.0₂₀

HTX0.0₂₀

SOL0.0₂₀

BNB0.0₂₀

Review the 13 largest hacking incidents in the history of DeFi

Unitimes

2022-04-20 02:53

本文约5063字，阅读全文需要约20分钟

There have been 8 DeFi security incidents that cost more than $100 million.

Written by: Ekin Genç & Stephen Graves

Compilation: South Wind

Decentralized finance (DeFi) are blockchain applications designed to cut out middlemen from financial products and services such as lending, savings, and exchange. Although DeFi has high returns, it also comes with many risks.

Since almost anyone can launch a DeFi protocol and write some smart contracts, bugs in the code are common. In the DeFi space, there are many unscrupulous people who are ready and able to exploit these loopholes. When this happens, millions of dollars in funds are at risk, and users often have no recourse.

According to a report from Elliptic last November, DeFi users lost $10.5 billion to theft in 2021. But that number has grown into the millions, as we'll list some of the biggest DeFi exploits below. (All figures below are the value of funds at the time of the attack.)

13. Grim Finance: $30 million

Often, Dapps (decentralized applications) take their thematic inspiration from the blockchains they're built on. As such, the ecosystem of the Avalanche (Avalanche) blockchain is full of “snow” themed applications such as Snowtrace, Blizz, and Defrost. Meanwhile, the Fantom blockchain ecosystem is like an on-chain Halloween party. This adds an even darker layer when things go wrong, like what happened with Grim Finance, a yield optimization protocol on the Fantom chain.

In December 2021, the Grim Finance protocol suffered from a reentrancy attack, an exploit in which an attacker forges additional deposits into a vault while a previous transaction has not settled. Ultimately, the attack resulted in the theft of $30 million worth of Fantom tokens.

DeFi protocols often use reentrancy guards, or pieces of code that prevent such attacks. A Grim Finance audit report published by blockchain security audit firm Solidity Finance incorrectly stated that the protocol already uses reentrancy protection. This reminds us that auditing does not guarantee that vulnerabilities will not occur.

12. Meerkat Finance: $31 million

Sometimes it doesn’t take long for a DeFi protocol to suffer its first attack. Meerkat Finance, a BSC (Binance Smart Chain)-based lending protocol, lost $31 million in user funds in just one day after it went live in March 2021.

The attacker called a function in the contract, making the attacker's address the owner of its vault contract, and took away $13.96 million worth of Binance stablecoin BUSD and another 73,000 BNB (Binance native token), the stolen BNB was worth about $17.4 million at the time.

Many users believe this is an insider operation: the protocol developers implemented a Rug Pull. Meerkat has denied the allegations.

11. Vee Finance: $35 million

The summer of 2021 saw a surge in activity on the Avalanche chain, which also attracted those eager to attack the nascent ecosystem of the blockchain network.

In September 2021, lending platform Vee Finance had just celebrated its TVL (Total Locked Volume) milestone of $300 million, and a week later, the protocol suffered the largest vulnerability attack on the Avalanche network.

The attack occurred mainly because Vee Finance’s leveraged trading function relied on token prices provided by Pangolin, the main liquidity protocol on Avalanche. To exploit this, the attackers created 7 trading pairs on Pangolin, provided liquidity, and finally traded with leverage on Vee Finance. This allowed the attacker to siphon $35 million worth of cryptocurrency from the Vee Finance protocol.

In a tweet addressed to “Dear Mr./Madam 0x**95BA” (see below), the Vee Finance protocol asked the attacker to return the funds and, as part of the protocol’s bounty program, let the attacker keep part of the funds. But the attacker has no intention of returning the funds.

10. Pancake Bunny: $45 million

The crypto space often experiences short but strong trends. In the spring of 2021, Binance Smart Chain (BSC) (now renamed BNB Chain) has the hottest DeFi trend, especially for retail users, due to the chain’s low network fees.

But there have also been many scams and hacks on the BSC chain, the largest of which was an attack in May 2021 on the yield farming protocol PancakeBunny.

A hacker manipulated PancakeBunny's pricing algorithm through eight flash loan attacks, driving up the price of the protocol's native token, BUNNY. The hacker first bought BUNNY at a low market price, then sold it at an artificially high price, making a profit of $45 million.

9. bZx: $55 million

In November 2021, the multi-chain lending protocol bZx was hacked after its "private key" was leaked. The protocol lost a total of $55 million on the BSC and Polygon chains.

But bZx has experienced similar pain twice before.

Although flash loan attacks are currently a common attack strategy in the DeFi field, bZx is an "OG" (veteran project) in this regard. In February 2020, the protocol was the target of a flash loan attack targeting its margin trading platform Fulcrum. The hacker stole 1,300 wETH, worth $366,000 at the time.

In another attack in September 2020, bZx lost 30% of the funds locked in its vaults, worth $8 million at the time. However, users with open margin positions did not suffer losses because, as the protocol later stated in a report, the funds were taken from bZx’s insurance fund.

8. Badger DAO: $120 million

Smart contract bugs don’t always just cost a DeFi project millions of dollars.

In December 2021, Badger DAO, the bridge that brings Bitcoin to DeFi, suffered a loss of $120 million. Attackers implanted malicious wallet requests in the user interface, inducing Badger DAO users to approve token usage permissions for malicious addresses, thereby Allowing an attacker to take control of a user's vault funds and transfer funds. The attack caused losses of $120.3 million, including approximately 2,100 BTC and 151 ETH.

Blockchain security firm PeckShield said the protocol's contracts were secure and only the user interface was affected.

7. Cream Finance: $130 million

DeFi lending protocol Cream Finance lost $130 million in a flash loan attack in October 2021, the third attack on the protocol.

Flash loans allow you to get an instant loan, provided you repay the loan in the same transaction. While flash loans are useful for arbitrage, they are widely used by malicious actors to exploit vulnerabilities in DeFi protocols. In the case of Cream Finance, flash loan attackers were able to exploit the pricing loophole to repeatedly obtain flash loans from different Ethereum addresses.

Cream Finance has also experienced flash loan attacks before this. In August 2021, a hacker stole approximately $25 million from Cream Finance in another flash loan attack, mainly targeting Flexa Network's native token AMP. In a flash loan attack in February 2021, hackers stole $37.5 million from the Cream Finance protocol pool.

6. Vulcan Forged: $140 million

Play-to-earn (P2E) is one of the latest trends in the crypto space, but it hasn’t gotten rid of old-fashioned scams and pitfalls — especially those that take advantage of centralized functionality. Vulcan Forged, a P2E platform on Polygon, has learned the hard way that its users lost $140 million in December 2021.

According to a post-mortem report, a hacker obtained credentials for Venly, the platform’s centralized user wallet, and thus obtained the private keys to 96 encrypted wallets. Later, the hacker used it to obtain the private key in MyForge, the platform's asset portfolio function, and eventually stole 4.5 million Vulcan Forged's native token PYR from its users.

Speaking to the community, Vulcan Forged CEO Jamie Thomson said: “Of course, in the future we will only use decentralized wallets so we never have this problem again.”

5. Compound: $150 million

Like most DeFi protocols, lending protocol Compound has a governance token, COMP, which the protocol distributes to users under certain conditions.

In October 2021, it was reported that Compound had a loophole that allowed borrowers to demand more than their expected share of COMP. This loophole involved Compound's two vaults (fund pools). A user can call a specific function drip() on a Reservoir vault, triggering $80 million worth of COMP to be sent to another vault, the Comptroller. The vault automatically distributed a large amount of COMP tokens to the wrong address. This "leaky faucet" was caused by a bug introduced in a previous protocol update.

The team hastily put together a patch after $80 million worth of COMP was sent to the wrong address. But before any fixes can be implemented, the protocol requires the adoption of a governance proposal. The proposal was created on October 2 and finally accepted on October 9. While the community was arguing, the two vaults lost another $68.8 million.

How Compound founder Robert Leshner is trying to get his money back Almost half of the funds were returned after he called on Twitter to “return COMP to the community.”

4. Beanstalk: $182 million

Flash loans, so useful yet so dangerous! Just two days after celebrating $150 million in TVL, Ethereum-based stablecoin protocol Beanstalk discovered $182 million was missing in a flash loan attack. The attacker successfully laundered $80 million worth of ETH through Tornado Cash. Beanstalk is best known for its algorithmic stablecoin BEAN, which is supposed to be pegged to $1. While the stablecoin managed to maintain its peg shortly after the attack, the incident showed that algorithmic stablecoins are only as stable as the contracts that underpin them.

3. Wormhole: $326 million

As more and more DeFi are built on L1 (layer one) blockchains, there is a growing desire for users to move funds between L1 chains. "Cross-chain bridges" address this need, but they also introduce new vulnerabilities. The most damaging cross-chain event occurred in January 2022, when the popular cross-chain bridge Wormhole (connecting Solana and Ethereum) was hacked, losing $320 million in wETH. wETH is a cryptocurrency pegged 1:1 to the price of Ethereum.

When users use the Wormhole cross-chain bridge, they must first lock ETH in a smart contract to obtain an equivalent amount of wETH. The hacker managed to find a way around this, minting WETH without locking up ETH in the Wormhole contract.

Jump Trading Group is one of the stakeholders in Wormhole development, and the team proactively replenished Wormhole's lost ETH. Just one day later, the Wormhole Bridge was back online.

2. Ronin Bridge: $552 million

NFT-based game Axie Infinity was one of the most successful crypto games of the past year. On March 23, 2022, it became the victim of one of the largest hacks in the cryptocurrency space, where the attackers used "stolen private keys" to transfer approximately $552 million worth of cryptocurrency toStolen from the Ronin Bridge。

A week later, when Axie Infinity developer Sky Mavis disclosed the breach, the value of the stolen funds had risen to $622 million.

According to a Sky Mavis report, the attackers "found a backdoor through our gas-free RPC node and then abused this backdoor to obtain signatures from Axie DAO validators."

The Ronin sidechain is secured by 9 validator nodes, and in order to identify a Deposit event or a Withdraw event, 5 of these 9 validator nodes are required to sign. On March 23, attackers managed to take control of 5 of these nodes (including 4 nodes run by Sky Mavis itself and 1 node run by Axie DAO), and the private keys of these 5 validators were stolen. This allowed the attacker to forge transactions and take away 173,600 wETH and 25.5 million USDC, for a total of approximately $622 million.

"This is one of the largest hacks in history," said Jeff Zirlin, co-founder of Axie Infinity. "(The hacker) has the potential to be discovered and brought to justice."

1. Poly Network: $611 million

The Poly Network hack remains the largest breach in the crypto space. Fortunately, the saga that began on August 10, 2021 ended with a happy ending three days later after a series of strange twists.

The theft began when attackers exploited a vulnerability in Poly Network's "contract call." The hacker quickly stole $611 million worth of various cryptocurrencies, leading Poly Network to publish a letter of desperation complete with a "Dear Hacker."

This attempt at communication, and subsequent efforts, ultimately worked. The agreement offered a $500,000 bounty and offered the hacker the opportunity to become its chief security advisor. But during an on-chain Q&A session, the attacker explained that the attack was just to teach Poly Network a lesson. The attacker said returning the funds was "a long-standing plan."

Cryptocurrency security firm SlowMist said it had identified the attacker's IP and email information and that the attack "could be a long-term planned, organized and prepared attack."

source link