Top Ten DeFi Hacks of 2022: Hackers Get More Daring
Decentralized finance (DeFi) has sometimes been criticized as the “wild west” of the crypto industry. If the $2.32 billion stolen from multiple protocols so far this year is an accurate measure of the state of DeFi today, then critics are having the last laugh.
Argued to have started with the launch of Bitcoin in 2009, DeFi truly took off in 2020 with the launch of Compound Finance’s so-called “yield farming” investment strategy.
Now, thousands of decentralized applications, or dApps, are in use. DeFiLlama reports that more than $53.73 billion of total value is locked in DeFi — figures so juicy they have drawn the attention of unwanted actors — hackers.
Hacking the system
DeFi is a part of cryptocurrency that has broadly remained true to Bitcoin’s foundational ethos of decentralization and privacy, maintaining a cynical detachment from governmental oversight. Unchecked, however, such liberties come with great risk.
According to blockchain security firm PeckShield, hackers have pilfered more than $2.32 billion from the DeFi industry in over 135 exploits so far this year. The figure is 50% higher than what was stolen from the entire sector for the whole of 2021.
Over the years, online thieves have employed a variety of tactics to carry out their work. The most used methods of attack include honeypot, exit scam, exploit, access control, and flash loan, says the REKT Database. Here are the top ten DeFi exploits of 2022 so far, as curated by PeckShield.
Ronin Network: Loss – $620 million
Ronin Network, the Ethereum-based sidechain for crypto game Axie Infinity, was swindled in March out of over $620 million in ETH and USDC. The attacker “used hacked private keys to forge fake withdrawals” from the Ronin bridge contract in two transactions.
The exploit, which occurred on March 23, was only discovered a week later when one user failed to withdraw 5,000 ether. In total, the hacker made off with 173,600 ETH and 25.5 million USDC, valued at more than $620 million at the time.
The Ronin Network hack is considered the largest DeFi hack in history. It remains the biggest so far this year, says PeckShield.
Wormhole Bridge: Loss – $320 million
On Feb. 2, an attacker siphoned over $320 million in wrapped ETH out of the Wormhole protocol, a popular cross-chain crypto bridge between Solana, Ethereum, Avalanche, and others.
Wormhole users are required to stake ethereum to mint wrapped ETH, a type of crypto that is pegged to the price of ethereum.
Analytics firm Elliptic blamed the exploit on Wormhole’s failure to validate “guardian” accounts, allowing the attacker to mint 120,000 wETH with no ethereum backing it. The hacker then exchanged 93,750 wETH for ethereum and exchanged the remainder for Solana. The total value of the loss was over $320 million at the time.
Nomad Bridge: Loss – $190 million
On Aug. 2, hackers drained about $190 million in cryptocurrency from Nomad, a tool that lets users swap tokens from one blockchain to another.
The attack began with an upgrade to Nomad’s code. A section of the smart contract was marked as valid each time users made a transaction. This allowed bad actors to withdraw more assets than were deposited on the platform. Hackers repeated the process until $190 million in crypto was moved out of the bridge. Nomad did not find out until it was too late.
Beanstalk Farms: Loss – $182 million
In April, an attacker drained $182 million of crypto from Beanstalk Farms, a DeFi protocol aimed at balancing the supply and demand of different crypto assets.
PeckShield said the attacker exploited Beanstalk’s majority vote governance system and voted to send themselves $182 million. The attacker used a flash loan to obtain a controlling stake in the protocol, but their actual profit was only in the region of $80 million, said the firm.
Wintermute: Loss – $160 million
Wintermute is the latest DeFi protocol to fall victim to hackers, who made off with $160 million from the platform’s decentralized finance section. CEO Evgeny Gaevoy said the hack was linked to a critical bug in the Ethereum vanity address-generating tool Profanity.
He said Wintermute used the tool to generate a unique address in order to cut transaction costs, never for “vanity.” Human error seems to be behind this particular attack.
Elrond: Loss – $113 million
In June, hackers exploited a loophole on decentralized exchange Maiar to steal around 1.65 million of elrond egold (EGLD), the native token of the Elrond blockchain. Researchers said the attacker deployed a smart contract and used three wallets to steal an estimated $113 million worth of EGLD from the exchange.
The hackers immediately sold 800,000 of the token for $54 million on the same DEX, and the remainder was sold on centralized exchanges or swapped for ethereum.
Horizon Bridge: Loss – $100 million
Just days after the Elrond exploit, hackers struck again on June 23, hitting the Horizon bridge for almost $100 million. Horizon is a crosschain interoperability platform between Ethereum, Binance Smart Chain and Harmony blockchain networks.
PeckShield revealed more than $98 million in various tokens was drained off the Harmony-managed platform and exchanged to ether. Over 50,000 user wallets were affected. The hackers later moved $35 million through Tornado Cash.
Qubit Finance: Loss – $80 million
The DeFi protocol said on Jan. 28 that it had been exploited by an attacker who stole 206,809 binance coin (BNB) from its QBridge protocol. In total, the tokens were valued at $80 million.
According to security company Certik, the attacker leveraged a deposit option in the QBridge contract to mint 77,162 qXETH – a token used to represent ethereum bridged via Qubit. The attacker fooled the platform into believing they made a deposit. After repeating the process enough times, they exchanged the assets into BNB and vanished.
Cashio: Loss – $48 million
Cashio, a stablecoin protocol on Solana, suffered what the team called an “infinite mint glitch” exploit in March. Hackers siphoned $48 million from the protocol, prompting a collapse of Cashio’s CASH stablecoin.
Cashio allows users to mint the CASH stablecoin with all deposits backed by interest-bearing liquidity provider tokens. The attacker minted billions of CASH and swapped them for USDC and UST (which has itself since collapsed) before withdrawing through the DEX Saber.
Dollar-pegged CASH crashed to $0 after the hack. The attacker returned money to accounts that held less than $100,000 and promised to donate the rest to charity. That’s the last we ever heard of the Cashio loot. CASH is dead.
Scream: Loss – $38 million
Fantom-based lending platform Scream suffered perhaps one of the most careless exploits in DeFi this year, from a protocol security perspective. Scream took on a $38 million debt after the stablecoins Fantom USD (fUSD) and DEI, whose value it had fixed at $1, lost their peg.
Because the protocol had hardcoded the value of the two stablecoins, a decline in value of the assets did not show on Scream. Whales utilized this loophole to drain the protocol of any other valuable stablecoins while depositing the de-pegged fUSD and DEI.
A total of $38 million in the stablecoins FRAX, USDT, USDC, and MIM were whisked away from the network. After the incident, Scream dumped hardcoded pricing and switched to Chainlink oracles for real-time pricing data. Whales kept their loot. Good payday for degens!
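The pricing flaw described above, modelled in Python as an added example (it is not Scream's code and not part of the original article): a lending pool that values a pegged token at a fixed $1, next to one that reads a fresh oracle price and rejects stale data. The token name, the $0.60 price, the 75% collateral factor and the one-hour staleness limit are constructed assumptions.

```python
from dataclasses import dataclass

MAX_PRICE_AGE = 3600  # seconds; assumed staleness limit for this example

@dataclass
class PriceReport:
    """One oracle observation (constructed shape, not a real feed's ABI)."""
    price_usd: float
    updated_at: int  # unix time of the observation

class StalePriceError(Exception):
    """Raised when no sufficiently recent price exists for a token."""

def hardcoded_price(symbol, oracle, now):
    """Flawed pricing as the article describes it: a pegged token is always $1."""
    return 1.0

def oracle_price(symbol, oracle, now):
    """Price from a live feed; refuse a missing or stale report."""
    report = oracle.get(symbol)
    if report is None or now - report.updated_at > MAX_PRICE_AGE:
        raise StalePriceError(symbol)
    return report.price_usd

def borrow_limit_usd(deposits, factor, price_fn, oracle, now):
    """USD amount that may be borrowed against deposits {symbol: amount}."""
    return factor * sum(a * price_fn(s, oracle, now) for s, a in deposits.items())

def bad_debt_usd(deposits, borrowed_usd, oracle, now):
    """Shortfall left with the pool when collateral is worth less than the loan."""
    real = sum(a * oracle_price(s, oracle, now) for s, a in deposits.items())
    return max(0.0, borrowed_usd - real)

# Constructed sample: a token that has lost its peg and trades at $0.60.
NOW = 1_000_000
ORACLE = {"DEPEGGED": PriceReport(price_usd=0.60, updated_at=NOW - 120)}
DEPOSIT = {"DEPEGGED": 1_000_000}

def compare(factor=0.75):
    """Return (flawed limit, oracle-based limit, bad debt under the flaw)."""
    flawed = borrow_limit_usd(DEPOSIT, factor, hardcoded_price, ORACLE, NOW)
    fixed = borrow_limit_usd(DEPOSIT, factor, oracle_price, ORACLE, NOW)
    return flawed, fixed, bad_debt_usd(DEPOSIT, flawed, ORACLE, NOW)
```

With the fixed $1 price the pool lends more than the collateral is actually worth, and the difference is the debt the protocol is left holding; the oracle-based limit stays below the collateral's market value.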
What happened to the stolen billions?
Well, it was lost. Much of it permanently.
PeckShield said around 50%, or $1.16 billion, of the money stolen from the above protocols was washed via Tornado Cash, the Ethereum-based cryptocurrency mixer sanctioned by the U.S. government in August, provoking a strong reaction from the crypto community.
Tornado Cash allows crypto users to obfuscate the history of their financial transactions, making them harder to trace. According to the FBI, the mixer has been leveraged by the likes of North Korean-linked hacker group Lazarus to launder over $7 billion in crypto since 2019.
While hackers disappeared with billions, affected DeFi protocols made a series of attempts to regain their money, with little success. One way of doing so is to simply plead with the attacker to return the ill-gotten loot in return for some kind of incentive. Or none at all.
Qubit Finance tried that and offered a $2 million bounty, the maximum it could offer for any such so-called white hacking plea. It didn’t work. Harmony toyed with the same idea also. It offered a $1 million bounty for the return of the $100 million stolen from Horizon bridge and promised not to press criminal charges. Hackers ignored the call. Nothing was recovered.
However, a similar strategy worked for the Poly Network in August 2021, with the attacker returning most of the $600 million they had stolen.
That luck extends to Ronin. Earlier this month, the network recovered $30 million of the money it lost, with help from crypto security firm Chainalysis, the U.S. Treasury and the FBI. But that’s just 5% of the $620 million stolen during the hack. The FBI estimates that around $455 million was washed via Tornado Cash by the Lazarus Group, the alleged attacker.
Hackers of the Nomad Bridge also sent back $9 million to the platform a day after the cross-chain bridge was exploited for $190.4 million. After a 10% bounty on any funds returned, white hackers hacked back another $32 million of the total plundered and returned it to the cross-chain bridge. Much of the rest was shuffled between different addresses by the hacker, as they tried desperately to keep their stolen wealth. They did.
Wormhole never recovered its $320 million. It had to be rescued. Jump Trading Group, which has a stake in the protocol, jumped in to replace the 120,000 in ETH stolen, after the vulnerability had been patched up.
How to not get hacked
Clearly, blockchain bridges appear to be the weakest link in DeFi. There are ways for individuals and protocols to stay safe.
“It is necessary to draft clear terms of reference when developing projects, cover the functionality of projects with tests as much as possible to avoid logical errors,” Alex Belets, founder of blockchain security firm Smart State, told Be[In]Crypto.
“Use automatic vulnerability scanners, do not try to implement things for which there are libraries. Perform audits and keep your private keys safe. Don’t use third-party applications like Profanity to generate private keys (Wintermute’s hack reason),” he added.