Top Ten DeFi Hacks of 2022: Hackers Get More Daring

Please fol­low and like us:
Pin Share

Decen­tral­ized finance (DeFi) has some­times been crit­i­cized as the “wild west” of the cryp­to indus­try. If the $2.32 bil­lion stolen from mul­ti­ple pro­to­cols so far this year could be used as an accu­rate descrip­tion of the state of DeFi today, then crit­ics are hav­ing the last laugh.

Argued to have start­ed with the launch of Bit­coin in 2009, DeFi tru­ly took off in 2020 with the launch of Com­pound Finance’s so-called “yield farm­ing” invest­ment strategy.

Now, thou­sands of decen­tral­ized appli­ca­tions, or dApps, are in use. DeFiLla­ma reports that more than $53.73 bil­lion of total val­ue is locked in DeFi — fig­ures so juicy they have drawn the atten­tion of unwant­ed actors — hackers.

Hacking the system

DeFi is a part of cryp­tocur­ren­cy that has broad­ly remained true to the foun­da­tion­al ethos of Bit­coin of decen­tral­iza­tion and pri­va­cy, main­tain­ing cyn­ic detach­ment from gov­ern­men­tal over­sight. Unchecked, how­ev­er, such lib­er­ties come with great risk.

Accord­ing to blockchain secu­ri­ty firm Peck­Shield, hack­ers have pil­fered more than $2.32 bil­lion in over 135 exploits, from the DeFi indus­try so far this year. The fig­ure is 50% high­er than what was stolen from the entire sec­tor for the whole of 2021.

Over the years, online thieves have employed a vari­ety of tac­tics to car­ry out their work. The most used meth­ods of attack include hon­ey­pot, exit scam, exploit, access con­trol, and flash loan, says the REKT Data­base. Here are the top ten DeFi exploits of 2022 so far, as curat­ed by PeckShield.

Ronin Network: Loss – $620 million

Ronin Net­work, the Ethereum-based sidechain for cryp­to game Axie Infin­i­ty, was in March swin­dled for over $620 mil­lion in ETH and USDC. The attack­er “used hacked pri­vate keys to forge fake with­drawals” from the Ronin bridge con­tract in two transactions.

The exploit, which occurred on March 23, was only dis­cov­ered a week lat­er when one user failed to with­draw 5,000 ether. In total, the hack­er made off with 173,600 ETH and 25.5 mil­lion USDC, val­ued at more than $620 mil­lion at the time.

The Ronin Net­work hack is con­sid­ered the largest DeFi hack in his­to­ry. It remains the biggest so far this year, says PeckShield. 

Wormhole Bridge: Loss – $320 million

On Feb. 2, an attack­er siphoned over $320 mil­lion in wrapped ETH out of the Worm­hole pro­to­col, a pop­u­lar cross-chain cryp­to bridge between Solana, Ethereum, Avalanche, and others.

Worm­hole users are required to stake ethereum to mint wrapped ETH, a type of cryp­to that is pegged to the price of ethereum. 

Ana­lyt­ics firm Ellip­tic blamed the exploit on Wormhole’s fail­ure to val­i­date “guardian” accounts. allow­ing the attack­er to mint 120,000 wETH with no ethereum back­ing it. The hack­er then exchanged 93,750 wETH for ethereum and exchanged the remain­der for Solana. The total val­ue of the loss was over $320 mil­lion at the time.

Nomad Bridge: Loss – $190 million

On Aug. 2, hack­ers drained about $190 mil­lion in cryp­tocur­ren­cy from Nomad, a tool that lets users swap tokens from one blockchain to another.

The attack began with an upgrade to Nomad’s code. A sec­tion of the smart con­tract was marked as valid each time users made a trans­ac­tion. This allowed bad actors to with­draw more assets than were deposit­ed on the plat­form. Hack­ers repeat­ed the process until $190 mil­lion in cryp­to was moved out of the bridge. Nomad nev­er found out until it was too late.

Beanstalk Farms: Loss $182 million

In April, an attack­er drained $182 mil­lion of cryp­to from Beanstalk Farms, a DeFi pro­to­col aimed at bal­anc­ing the sup­ply and demand of dif­fer­ent cryp­to assets.

Peck­Shield said the the attack­er exploit­ed Beanstalk’s major­i­ty vote gov­er­nance sys­tem, and vot­ed to send them­selves $182 mil­lion. The attack­er used a flash loan to obtain a con­trol­ling stake in the pro­to­col, but their actu­al prof­it was only in the region of $80 mil­lion, said the firm.

Wintermute: Loss $160 million

Win­ter­mute is the lat­est DeFi pro­to­col to fall vic­tim to hack­ers, who made off with $160 mil­lion from the platform’s decen­tral­ized finance sec­tion. CEO, Evge­ny Gaevoy said the hack was linked to a crit­i­cal bug in the Ethereum van­i­ty address-gen­er­at­ing tool Profanity.

He said Win­ter­mute used the tool to gen­er­ate a unique address in order to cut trans­ac­tion costs, nev­er for “van­i­ty.” Human error seems to be behind this par­tic­u­lar attack.

Elrond: Loss – $113 million

In June, hack­ers exploit­ed a loop­hole on decen­tral­ized exchange Maiar to steal around 1.65 mil­lion of elrond egold (EGLD), the native token of the Elrond blockchain. Researchers said the attack­er deployed a smart con­tract and used three wal­lets to steal an esti­mat­ed $113 mil­lion worth of EGLD from the exchange.

The hack­ers imme­di­ate­ly sold 800,000 of the token for $54 mil­lion on the same DEX, and the remain­der was sold on cen­tral­ized exchanges or swapped for ethereum.

Horizon Bridge: Loss – $100 million

Just days after the Elrond exploit, hack­ers struck again on June 23, hit­ting the Hori­zon bridge for almost $100 mil­lion. Hori­zon is a cross­chain inter­op­er­abil­i­ty plat­form between Ethereum, Binance Smart Chain and Har­mo­ny blockchain networks.

Peck­Shield revealed more than $98 mil­lion in var­i­ous tokens was drained off the Har­mo­ny-man­aged plat­form and exchanged to ether. Over 50,000 user wal­lets were affect­ed. The hack­ers lat­er moved $35 mil­lion through Tor­na­do Cash.

Qubit Finance: Loss – $80 million

The DeFi pro­to­col said on Jan. 28 that it had been exploit­ed by an attack­er who stole 206,809 binance coin (BNB) from its QBridge pro­to­col. In total, the tokens were val­ued at $80 million.

Accord­ing to secu­ri­ty com­pa­ny Cer­tik, the attack­er lever­aged a deposit option in the QBridge con­tract to mint 77,162 qXETH – some sort of cryp­to used to rep­re­sent ethereum bridged via Qubit. The attack­er fooled the plat­form into believ­ing they made a deposit. After repeat­ing the process enough times, they exchanged the assets into BNB and vanished.

Cashio: Loss – $48 million

Cashio, a sta­ble­coin pro­to­col on Solana, suf­fered what the team called an “infi­nite mint glitch” exploit in March. Hack­ers siphoned $48 mil­lion from the pro­to­col, prompt­ing a col­lapse of Cashio’s CASH stablecoin.

Cashio allows users to mint the CASH sta­ble­coin with all deposits backed by inter­est-bear­ing liq­uid­i­ty provider tokens. The attack­er mint­ed bil­lions of CASH and swapped them for USDC and UST, itself col­lapsed, before with­draw­ing through the DEX Saber.

Dol­lar-pegged CASH crashed to $0 after the hack. Attack­er returned mon­ey to accounts that held less than $100,000 and promised to donate the rest to char­i­ty. That’s the last we heard ever of it, the Cashio loot. CASH is dead.

Scream: Loss – $38 million

Fan­tom-based lend­ing plat­form Scream suf­fered per­haps one of the most care­less exploits in DeFi this year, from a pro­to­col secu­ri­ty per­spec­tive. Scream took on a $38 mil­lion debt after sta­ble­coins, Fan­tom USD (fUSD) and DEI, whose val­ued it had fixed to $1, lost peg.

Because the pro­to­col had hard­cod­ed the val­ue of the two sta­ble­coins, a decline in val­ue of the assets did not show on Scream. Whales uti­lized this loop­hole to drain the pro­to­col of any oth­er valu­able sta­ble­coins while deposit­ing the de-pegged fUSD and DEI.

A total of $38 mil­lion in the sta­ble­coins FRAX, USDT, USDC, and MIM were whisked away from the net­work. After the inci­dent, Scream dumped hard­core pric­ing and switched to Chain­link ora­cles for real-time pric­ing data. Whales kept their loot. Good pay day for degens!.

What happened to the stolen billions?

Well, it was lost. Much of it permanently.

Peck­Shield said around 50%, or $1.16 bil­lion, of the mon­ey stolen from the above pro­to­cols was washed via Tor­na­do Cash, the Ethereum-based cryp­tocur­ren­cy mix­er sanc­tioned by the U.S. gov­ern­ment in August, pro­vok­ing a strong reac­tion from the cryp­to community.

Tor­na­do Cash allows cryp­to users to obfus­cate the his­to­ry of their finan­cial trans­ac­tions, mak­ing it hard­er to trace. Accord­ing to the U.S. secu­ri­ty agency FBI, the mix­er has been lever­aged by the likes of North Kore­an-linked hack­er group Lazarus to laun­der over $7 bil­lion in cryp­to since 2019.

While hack­ers dis­ap­peared with bil­lions, affect­ed DeFi pro­to­cols made a series of attempts to regain their mon­ey, with lit­tle suc­cess. One way of doing so is to sim­ply plead with the attack­er to return the ill-got­ten loot in return for some kind of incen­tive. Or none at all.

Qubit Finance tried that and offered a $2 mil­lion boun­ty, the max­i­mum it could offer for any such so-called white hack­ing plea. It didn’t work. Har­mo­ny toyed with the same idea also. It offered a $1 mil­lion boun­ty for the return of the $100 mil­lion stolen from Hori­zon bridge and promised not to press crim­i­nal charges. Hack­ers ignored the call. Noth­ing was recovered.

How­ev­er, a sim­i­lar strat­e­gy worked for the Poly Net­work in August 2021, with the attack­er return­ing most of the $600 mil­lion they had stolen.

That luck extends to Ronin. Ear­li­er this month, the net­work recov­ered $30 mil­lion of the mon­ey it lost, with help from cryp­to secu­ri­ty firm Chainal­y­sis, the U.S. Trea­sury and the FBI. But that’s just 5% of the $620 mil­lion stolen dur­ing the hack. The FBI esti­mates that around $455 mil­lion was washed via Tor­na­do Cash by the Lazarus Group, the alleged attacker.

Hack­ers of the Nomad Bridge also sent back $9 mil­lion to the plat­form a day after the cross-chain bridge was exploit­ed for $190.4 mil­lion. After a 10% boun­ty on any funds returned, white hack­ers hacked back anoth­er $32 mil­lion of the total plun­dered and returned it to the cross-chain bridge. The rest, much of it, was shuf­fled between dif­fer­ent address­es by the hack­er, as they tried des­per­ate­ly to keep their stolen wealth. They did.

Worm­hole nev­er recov­ered its $320 mil­lion. It had to be res­cued. Jump Trad­ing Group, which has a stake in the pro­to­col, jumped in to replace the 120,000 in ETH stolen, after the vul­ner­a­bil­i­ty had been patched up.

How to not get hacked

Clear­ly, blockchain bridges appear to be the weak­est link in DeFi. There are ways for indi­vid­u­als and pro­to­cols to stay safe.

“It is nec­es­sary to draft clear terms of ref­er­ence when devel­op­ing projects, cov­er the func­tion­al­i­ty of projects with tests as much as pos­si­ble to avoid log­i­cal errors,” Alex Belets, founder of blockchain secu­ri­ty firm Smart State, told Be[In]Crypto.

“Use auto­mat­ic vul­ner­a­bil­i­ty scan­ners, do not try to imple­ment things for which there are libraries Per­form audits and keep your pri­vate keys safe. Don’t use third par­ty appli­ca­tions like Pro­fan­i­ty to gen­er­ate pri­vate keys (Wintermute’s hack rea­son),” he added.


All the infor­ma­tion con­tained on our web­site is pub­lished in good faith and for gen­er­al infor­ma­tion pur­pos­es only. Any action the read­er takes upon the infor­ma­tion found on our web­site is strict­ly at their own risk.

Source link

Please fol­low and like us:
Pin Share

Leave a Reply

Your email address will not be published.