
DeFi’s Dark Side: Uncovering the top 10 Devastating Hacks in the DeFi History

by ImmuneBytes

“DeFi: Every hacker’s paradise in 2023.”

Decentralized finance, or DeFi, is a new frontier in the world of finance, offering a more open, transparent, and accessible way for individuals to access financial services. Built on blockchain technology, DeFi allows for peer-to-peer transactions without needing traditional intermediaries like banks or credit card companies.

Decentralized finance, or DeFi, has taken the crypto world by storm in recent years, offering individuals and businesses new ways to participate in the financial space. While DeFi has the potential to revolutionize finance, it has also become a target for malicious actors looking to exploit vulnerabilities in the system. Hackers and cybercriminals can exploit weaknesses in the code, or in how DeFi systems are used, to gain unauthorized access to funds or steal sensitive information.

“According to Chainalysis, up to 2023 over 90% of all crypto hacks belong to decentralized finance.”

Here we will discuss the top 10 DeFi hacks in the history of crypto. 

Fei Rari

Blockchain Protocol: Arbitrum

Date: May 1, 2022
Hack Amount: $80M
Hack Technique: Flash loan and reentrancy attack

On April 30, 2022, a hacker stole over $80 million from Fei Protocol, a DeFi platform created by Arbitrum. The attack utilized a combination of reentrancy and flash loan vulnerabilities.

The reentrancy flaw enabled the hacker to borrow assets while withdrawing the submitted collateral. To do this, the hacker borrowed assets from the pool and used flash loans to obtain a large number of tokens and WETH as collateral. The contract’s borrow function did not follow the checks-effects-interactions pattern, which allowed the attacker to transfer ETH to their own contract before the records of the borrowed assets were updated. This process was repeated with multiple tokens. Finally, the attacker repaid the flash loan and moved their profits through Tornado Cash.
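The ordering flaw described above, as an added illustration that is not Fei or Rari Fuse code: a minimal ETH lending pool whose borrow() calls out before recording the debt, next to the same pool with checks-effects-interactions ordering and a reentrancy guard. Contract and function names are my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Minimal ETH lending pool, written for this article (not Fei or Rari Fuse
// code): users post ETH collateral and borrow ETH against it.
contract VulnerableLender {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrowed;

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    // Interaction before effect: the ETH transfer runs while borrowed[] is
    // still stale, so a contract caller can re-enter borrow() from its
    // receive() hook and pass the solvency check again on the same collateral.
    function borrow(uint256 amount) external {
        require(borrowed[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        borrowed[msg.sender] += amount;   // effect recorded only after the call
    }
}

// Same pool with checks-effects-interactions ordering plus a mutex, which also
// blocks cross-function reentrancy such as borrow() re-entering withdraw().
contract HardenedLender {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrowed;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }
    function borrow(uint256 amount) external nonReentrant {
        require(borrowed[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        borrowed[msg.sender] += amount;                    // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction last
        require(ok, "transfer failed");
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(collateral[msg.sender] - amount >= borrowed[msg.sender], "undercollateralised");
        collateral[msg.sender] -= amount;                  // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```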

https://certik.medium.com/fei-protocol-incident-analysis-8527440696cc

Mirror Protocol

Blockchain protocol: Terra
Date: May 31, 2022
Hack Amount: $90M
Hack Technique: Smart contract bug: outdated oracle software with vulnerabilities

The digital realm of Terra chain played host to a revolutionary application known as Mirror Protocol, which enabled the creation of virtual synthetics that closely followed the value of tangible assets in the real world. But on a fateful May 17th, a bug in Mirror Protocol’s code was uncovered, revealing that a clever hacker had been stealthily siphoning off as much as $90 million starting from October 8th, 2021. Although DeFi hacks have become commonplace for the crypto world, a $90M hack going unnoticed for 7 days was quite unusual. The decentralized nature of the application left it vulnerable to this insidious attack, shaking the community’s trust and leading to a thorough investigation of the issue.

In fact, the code’s vulnerability had been on hackers’ radar for a long time, and they had been slowly exploiting it since 2021. The attack occurred because the Terra nodes were operating on outdated oracle software.

Uranium Finance

Blockchain Protocol: BSC
Date: April 28, 2021
Hack Amount: $57.2M
Hack Technique: Platform’s Swap function compromised

A vulnerability in the Uranium protocol’s smart contract was exploited, swapping a single token for most of the tokens in the protocol’s liquidity pool. Uranium’s v2 contracts had a bug that the attacker exploited. The attacker depleted the liquidity pools for numerous token pairings after submitting the minimal amount of tokens necessary into Uranium’s “pair contracts.” The attack vector was made possible by an incorrect zero in the contract’s balance field.

The hacker took the stolen money to the Ethereum network, converted it for ETH, and then moved it to the privacy-preserving mixer Tornado Cash while the team rushed to remedy the flaw.
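The “incorrect zero” the write-up mentions, as an added illustration (constructed example code, not Uranium’s contract): a Uniswap-v2-style pair checks its swap invariant on fee-adjusted balances, and scaling one side of that comparison by 1000 instead of 10000 lets a swap take almost the whole pool. The constants and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constant-product invariant check of a Uniswap-v2-style pair, written for
// this article (not Uranium's code; the fee and scale constants are assumed).
// Fee-adjusted balances are computed on a FEE_DENOM scale, so the pre-swap
// reserve product on the right-hand side must be scaled by FEE_DENOM**2.
library SwapInvariant {
    uint256 internal constant FEE_DENOM = 10000; // 0.16 % fee = 16 / 10000
    uint256 internal constant FEE_NUM = 16;

    // Buggy form: the left side is scaled by 10000**2 but the right by
    // 1000**2, so the bound is 100x too low and a swap that returns almost
    // nothing to the pool still satisfies it.
    function buggyCheck(uint256 r0, uint256 r1, uint256 b0, uint256 b1,
                        uint256 in0, uint256 in1) internal pure returns (bool) {
        uint256 a0 = b0 * FEE_DENOM - in0 * FEE_NUM;
        uint256 a1 = b1 * FEE_DENOM - in1 * FEE_NUM;
        return a0 * a1 >= r0 * r1 * (1000 ** 2); // one zero short
    }

    // Corrected form: both sides use the same scale.
    function correctCheck(uint256 r0, uint256 r1, uint256 b0, uint256 b1,
                          uint256 in0, uint256 in1) internal pure returns (bool) {
        uint256 a0 = b0 * FEE_DENOM - in0 * FEE_NUM;
        uint256 a1 = b1 * FEE_DENOM - in1 * FEE_NUM;
        return a0 * a1 >= r0 * r1 * (FEE_DENOM ** 2);
    }

    // Worked case: reserves 1000/1000, 1 unit of token0 in, 990 of token1 out
    // (post-swap balances 1001/10). The buggy check accepts this near-total
    // drain; the corrected check rejects it.
    function drainScenario() internal pure returns (bool buggyPasses, bool correctPasses) {
        buggyPasses = buggyCheck(1000, 1000, 1001, 10, 1, 0);
        correctPasses = correctCheck(1000, 1000, 1001, 10, 1, 0);
    }
}
```

A unit test that asserts drainScenario() returns (true, false) is the regression check a fork of a pair contract should carry for any change to these constants.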

https://uraniumfinance.medium.com/exploit-d3a88921531c

https://twitter.com/UraniumFinance/status/1387245696454041600

Wormhole

Blockchain protocol: Solana
Date: February 3, 2022
Hack Amount: $326M
Hack Technique: Manipulated into crediting 120k ETH as having been deposited on Ethereum, allowing for the hacker to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana.

Wormhole, one of the most popular bridges on the Solana network, allows users to move their cryptos and NFTs between Ethereum and Solana blockchains.

The hacker discovered an exploit in Wormhole’s smart contract code that allowed them to mint 120,000 Wrapped Ethereum on Solana (WeETH) without providing equivalent Ethereum collateral. The $320M exploit led to the WeETH price falling by 13.5%, but a wider disaster was prevented because Wormhole’s parent company, Jump Trading, supplied equivalent Ether to replace what was stolen.

Cashio

Blockchain Protocol: Solana
Date: March 23, 2022
Hack Amount: ~$52M
Hack Technique: Infinite mint glitch, due to Cashio’s incomplete collateral validation system

“As March of 2022 dawned, the Solana blockchain-based Cashio stable coin CASH was thrust into the limelight for all the wrong reasons.”

A hack exploiting an “infinite mint” vulnerability had allowed an attacker to make off with a staggering $52 million worth of CASH tokens. The token’s value plummeted to a measly $0.00005 in the aftermath of the breach, sending shockwaves through the cryptocurrency community and raising serious concerns about the security of stablecoins.

The bug was in the validation of the collateral, which allowed the creation of fake crate_collateral_tokens accounts and thus the deposit of worthless collateral. The attacker deposited worthless collateral and, in turn, minted real CASH tokens.

Compound Finance

Blockchain Protocol: Ethereum
Date: October 4, 2021
Hack Amount: $147M
Hack Technique: Comptroller vault vulnerability

An accounting bug was introduced during an upgrade to the Compound Comptroller vault, resulting in more COMP rewards being distributed to historical suppliers than expected. Initially, ~$80M in tokens were wrongly distributed, and later an additional $68.8M.

The Compound community later tried to fix the bug through its governance process. Still, by then almost $150M of excess COMP tokens had been wrongly distributed, leading to a total loss of nearly $147M.

Cream Finance

Blockchain Protocol: Ethereum
Date: October 28, 2021
Hack Amount: $130M
Hack Technique: Flash loan attack

On October 27, 2021, Cream Finance, an Ethereum-based DeFi platform, suffered a massive loss of $130 million in a flash loan attack. The attack was not a simple flash loan but was carried out using complex tactics by the hacker.

The hacker started by borrowing $1.5 billion in Yearn protocol’s yUSD vault shares against $2 billion in collateral. They then doubled the value of the shares by donating the same yUSD to the yearn vault, resulting in a debt of $3 billion on Cream Finance against $2 billion in collateral. The hacker’s profit was $1 billion, but since Cream Finance only had $130 million worth of assets, that became the hacker’s total gain. The hacker manipulated the system and walked away with a significant profit by exploiting the vulnerabilities in Cream Finance’s flash loan system.

Badger

Blockchain Protocol: Ethereum
Date: December 2, 2021
Hack Amount: $120M
Hack Technique: Front-end compromised: unauthorized withdrawal of users’ funds

Badger DAO, an Ethereum DeFi protocol, fell victim to an attack that drained the wallets of a number of users of the Badger DAO yield vault protocol. The attacker used malicious contract permissions to gain access to these wallets. The total loss was ~2100 BTC and ~151 ETH.

After noticing the attack, the platform froze all the vaults to prevent any movement of funds. The Badger native token also fell 21% after the hack.

https://twitter.com/BadgerDAO/status/1466263899498377218

https://www.coindesk.com/business/2021/12/02/badger-dao-protocol-suffers-10m-exploit/

Mango Markets

Blockchain Platform: Solana
Date: October 12, 2022
Hack Amount: $117M
Hack Technique: Oracle price manipulation

Mango Markets, one of the latest victims of DeFi hacks, suffered a $117M hack caused by a price manipulation bug affecting the market’s native token, MNGO.

The hacker manipulated the price of the platform’s native token, Mango (MNGO), which was used as collateral, and drained the platform through massive loans. He then took out an $11Mn loan that left Mango Markets’ treasury with a negative balance of 116.7 million.

Before opening an unusually large long position, the attacker deposited 5 million USD Coin (USDC) to the network. He purchased 438 million Mango tokens, quickly accruing $420 million in unrealized profits. MNGO’s price increased by about 1,000%, increasing the collateral value of the hacker’s account. He eventually wiped out the protocol by stealing more than $116 million in liquidity from all available tokens.

EasyFi

Blockchain Platform: Polygon
Date: April 20, 2021
Hack Amount: $81M
Hack Technique: Hot wallet compromise: mnemonic key hack

As the EasyFi project’s official transfer machine lay dormant, an insidious threat crept into its digital landscape. A malicious version of Metamask had been injected, and with it, the attacker stole the mnemonic and private keys that lay within. Armed with this knowledge, they could conduct nefarious transactions without detection.

Despite being offline for over a week, the machine had not escaped the notice of the attacker. They had previously gained access to the keys, biding their time until the perfect moment to strike. When the machine was finally activated, it was too late. The attacker had already drained liquidity from the protocol, leaving the project in disarray.

The response to the attack was delayed due to the machine’s inactive status, allowing the attacker to make a clean getaway. It was a calculated and cunning move that will not soon be forgotten by the EasyFi team.

https://medium.com/easify-network/easyfi-security-incident-pre-post-mortem-33f2942016e9

Concluding Remarks

In the world of decentralized finance, smart contracts reign supreme. These automated agreements facilitate the exchange of value without needing a third party. While this technology has revolutionized the world of finance, it has also presented a tempting target for hackers.

Investing in DeFi is like skating on thin ice. When a vulnerability presents itself, hackers pounce, exploiting the network and draining money like water from a sieve. These digital predators have chosen DeFi trading platforms as their favorite target in the year 2023.

The only way out is to prioritize security in your DeFi projects. An unaudited project could be a nightmare in your blockchain journey. To have a reliable smart contract audit, ImmuneBytes has got your back. We are a professional team of experienced auditors who thoroughly assess your smart contracts for flawless execution. In fact, it is the first step to ensuring that your project is devoid of bugs and coding errors. 

To know more: Visit https://www.immunebytes.com/
