Distributed and defenceless: How DeFi hacks happen

The number of attacks on DeFi platforms is growing all the time. This isn’t surprising when you consider that tens of billions of dollars are circulating in the decentralized finance space. According to experts, the main reasons for the attacks are the rapid development of the DeFi sector, insufficient testing and a lack of security auditing, as many projects rush to enter the market. Hackers use different methods to steal crypto, but the most common cause of hacks is vulnerabilities in smart contracts.

Smart contracts are a core element of the decentralized finance ecosystem. As with any other software, they are developed by people, which means there is and always will be a risk of error in the program code and configurations. If a smart contract is vulnerable, the distributed application developed on it will also be vulnerable, providing a point of entry for attackers.

Top 5 hacks on DeFi platforms in 2022

Last year had its fair share of cryptocurrency hacks. According to a Chainalysis report, a total of USD 3 billion in coins and tokens was stolen by hackers. The largest thefts were associated with cross-chain bridges and DeFi protocols.

Ronin (USD 625 million)

The Ronin network – which hosts the popular blockchain-based game Axie Infinity, developed by Sky Mavis – was robbed of USD 625 million in ETH and USDC in March 2022. The hack wasn’t discovered until a week later, when a user complained that they couldn’t withdraw their ETH from Axie Infinity. This is the largest crypto theft to date and has been blamed on the Lazarus Group, a North Korean hacking team.

The attackers managed to access the company’s IT infrastructure by using an email phishing attack on a former Sky Mavis employee. After locating the private keys to the network validator nodes on the company’s internal servers, they stole them and took control of the entire Ronin network.

The Ronin network was secured by just 9 validators, 4 of which were managed by Sky Mavis, while only 5 of 9 validators were required in order to approve the deposit and withdrawal of funds. This meant that once the attackers had gained control over a fifth node (which was managed by the Axie DAO) using a backdoor, they were able to simply withdraw funds from the network. They took out over 173,600 ETH and 25.5 million USDC.
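The weakness described above is not the 5-of-9 rule itself but the fact that four of the nine keys sat with one organisation, so one intrusion delivered most of the threshold. As an added illustration (hypothetical code, not Ronin's or Sky Mavis's bridge), the contract below gates withdrawals on a signer threshold and, in addition, on a minimum number of distinct operators among the signers. With the numbers from the text, a rule of 5 signatures from at least 3 independent operators would have required compromising two further organisations, not one extra key. Contract, struct and parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical bridge withdrawal gate: a withdrawal needs `signerThreshold`
/// valid validator signatures AND signatures from at least `operatorThreshold`
/// distinct operators (organisations running the keys).
contract OperatorDiverseBridge {
    struct Validator {
        bool active;
        bytes32 operator; // label of the organisation that runs this key
    }

    mapping(address => Validator) public validators;
    uint256 public immutable signerThreshold;   // e.g. 5
    uint256 public immutable operatorThreshold; // e.g. 3
    mapping(bytes32 => bool) public executed;   // replay protection per withdrawal id

    event Withdrawal(bytes32 indexed id, address indexed to, uint256 amount);

    constructor(address[] memory keys, bytes32[] memory operators,
                uint256 signerThreshold_, uint256 operatorThreshold_) {
        require(keys.length == operators.length, "length mismatch");
        require(signerThreshold_ <= keys.length, "threshold too high");
        require(operatorThreshold_ <= signerThreshold_, "operator threshold too high");
        for (uint256 i = 0; i < keys.length; i++) {
            validators[keys[i]] = Validator({active: true, operator: operators[i]});
        }
        signerThreshold = signerThreshold_;
        operatorThreshold = operatorThreshold_;
    }

    function withdraw(bytes32 id, address payable to, uint256 amount,
                      bytes[] calldata signatures) external {
        require(!executed[id], "already executed");
        // bind the signed message to this contract, chain and withdrawal
        bytes32 digest = keccak256(abi.encode(address(this), block.chainid, id, to, amount));
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));

        address[] memory seenSigners = new address[](signatures.length);
        bytes32[] memory seenOperators = new bytes32[](signatures.length);
        uint256 signerCount;
        uint256 operatorCount;

        for (uint256 i = 0; i < signatures.length; i++) {
            address signer = recover(ethHash, signatures[i]);
            Validator memory v = validators[signer];
            require(v.active, "not a validator");
            // each key counts once
            bool dupSigner;
            for (uint256 j = 0; j < signerCount; j++) if (seenSigners[j] == signer) dupSigner = true;
            require(!dupSigner, "duplicate signer");
            seenSigners[signerCount++] = signer;
            // each operator counts once, however many of its keys signed
            bool dupOperator;
            for (uint256 j = 0; j < operatorCount; j++) if (seenOperators[j] == v.operator) dupOperator = true;
            if (!dupOperator) seenOperators[operatorCount++] = v.operator;
        }
        require(signerCount >= signerThreshold, "not enough signatures");
        require(operatorCount >= operatorThreshold, "not enough independent operators");

        executed[id] = true;
        emit Withdrawal(id, to, amount);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Standard 65-byte (r, s, v) recovery with low-s enforcement.
    function recover(bytes32 hash, bytes memory sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address signer = ecrecover(hash, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }

    receive() external payable {}
}
```

The operator label is the part most deployments omit: a threshold alone says nothing about how many separate organisations an attacker has to breach, and that number, not the raw signer count, is what a phishing campaign against one company tests.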

According to experts, the hackers moved the stolen coins through several crypto mixers including Tornado Cash, Blender and ChipMixer, before apparently transferring them to the Bitcoin network.

Sky Mavis announced that most of the victims of the theft had been compensated in full using the company’s own funds, in addition to USD 150 million from a fundraiser led by Binance.

Wormhole (USD 325 million)

Wormhole is a cross-chain bridge protocol that allows users to transfer ETH to wrapped WETH (Wormhole ETH) tokens on the Solana network.

In February 2022, an unknown hacker attacked the cross-chain bridge. They forged security signatures, conjured 120,000 WETH out of thin air and exchanged it for ETH on the Ethereum network, thereby emptying the Wormhole liquidity pool.

The network bridge stopped working after the hack, but came back online a few days later. All the stolen funds were returned to their owners using funds from Jump Crypto, the company that created Wormhole.

Nomad (USD 190 million)

Another bridge was breached in August 2022. Nomad, a cross-chain bridge connecting the Ethereum, Avalanche, Moonbeam, Evmos and Milkomeda networks, was hacked to the tune of USD 190 million.

The vulnerability was the result of an incorrect configuration of the project’s core smart contract. The developers made a mistake during the update, which allowed anyone with at least basic knowledge of programming code to give themselves permission to withdraw funds. By the time the error was caught, over 300 users had rushed to illegally withdraw funds from the bridge. Some of them, however, turned out to be “white hat” hackers and later returned USD 22 million to the platform. Experts call this hack “the first decentralized mass robbery”.

Beanstalk Farms (USD 182 million)

This stablecoin protocol built on top of Ethereum was attacked in April 2022. The hacker broke into the network by taking the following steps:

  • Used unsecured flash loans to raise over USD 1 billion in USDC, USDT, DAI and other stablecoins across various decentralized platforms (Uniswap, SushiSwap and Aave);
  • Added these funds to the BEAN pool and received 67% of the Stalk governance tokens that are used to vote on the network;
  • Deployed and approved two malicious governance proposals (BIP-18 and BIP-19) that requested a protocol for donating funds to Ukraine. The hacker had added malicious code to these proposals which, according to smart contract auditor BlockSec, led to funds being siphoned off from the protocol.

Cybersecurity company PeckShield estimates that the incident cost Beanstalk USD 182 million.
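The three steps above work only if governance counts voting power from current balances and lets a proposal execute in the same transaction in which it is approved: a flash loan has to be repaid before the transaction ends, so it can never survive into a later block. As an added illustration (hypothetical code, not Beanstalk's governance), the contract below reads voting power from a checkpointed token at a snapshot block, refuses votes in the snapshot block itself, and delays execution behind a timelock so holders can react to a hostile proposal. The `IVotesLike` interface mirrors the `getPastVotes`/`getPastTotalSupply` shape of OpenZeppelin's `IVotes`; the governor contract and its parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed checkpointed voting token (same shape as OpenZeppelin's IVotes):
/// balances are recorded per block, so a balance that exists only within one
/// transaction never shows up as a "past" vote.
interface IVotesLike {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

/// Hypothetical governor: snapshot voting power, voting delay, timelocked execution.
contract SnapshotTimelockGovernor {
    struct Proposal {
        address target;
        bytes callData;
        uint256 snapshotBlock;  // voting power is read as of the end of this block
        uint256 voteEnd;        // last block in which votes are accepted
        uint256 earliestExec;   // execution allowed at or after this timestamp (0 = not queued)
        uint256 forVotes;
        uint256 againstVotes;
        bool executed;
        mapping(address => bool) hasVoted;
    }

    IVotesLike public immutable token;
    uint256 public immutable votingPeriod;   // blocks
    uint256 public immutable executionDelay; // seconds
    uint256 public immutable quorumBps;      // e.g. 1000 = 10% of supply at the snapshot

    uint256 public proposalCount;
    mapping(uint256 => Proposal) internal proposals;

    event Proposed(uint256 indexed id, address target, uint256 snapshotBlock);
    event Voted(uint256 indexed id, address indexed voter, bool support, uint256 weight);
    event Executed(uint256 indexed id);

    constructor(IVotesLike token_, uint256 votingPeriod_, uint256 executionDelay_, uint256 quorumBps_) {
        token = token_;
        votingPeriod = votingPeriod_;
        executionDelay = executionDelay_;
        quorumBps = quorumBps_;
    }

    function propose(address target, bytes calldata callData) external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.target = target;
        p.callData = callData;
        // Power is measured at the end of this block. A flash loan taken and
        // repaid inside the proposing transaction leaves no balance here.
        p.snapshotBlock = block.number;
        p.voteEnd = block.number + votingPeriod;
        emit Proposed(id, target, p.snapshotBlock);
    }

    function vote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "unknown proposal");
        // getPastVotes only answers for blocks strictly before the current one,
        // so nobody can propose, borrow and vote within a single block.
        require(block.number > p.snapshotBlock, "voting not open");
        require(block.number <= p.voteEnd, "voting closed");
        require(!p.hasVoted[msg.sender], "already voted");
        uint256 weight = token.getPastVotes(msg.sender, p.snapshotBlock);
        require(weight > 0, "no voting power at snapshot");
        p.hasVoted[msg.sender] = true;
        if (support) p.forVotes += weight; else p.againstVotes += weight;
        emit Voted(id, msg.sender, support, weight);
    }

    /// Anyone may queue a passed proposal; execution still waits out the delay.
    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "unknown proposal");
        require(block.number > p.voteEnd, "voting still open");
        require(p.earliestExec == 0, "already queued");
        uint256 quorum = token.getPastTotalSupply(p.snapshotBlock) * quorumBps / 10_000;
        require(p.forVotes >= quorum && p.forVotes > p.againstVotes, "not passed");
        p.earliestExec = block.timestamp + executionDelay;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.earliestExec != 0 && block.timestamp >= p.earliestExec, "timelock active");
        require(!p.executed, "already executed");
        p.executed = true;
        (bool ok, ) = p.target.call(p.callData);
        require(ok, "proposal call failed");
        emit Executed(id);
    }
}
```

Of the three controls, the snapshot is what makes flash-loaned votes worthless; the voting delay and the timelock are what give honest holders and monitoring tools time to notice a proposal whose payload does something other than what its title says.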

Mango Markets (USD 114 million)

This lending and trading platform, which is built on Solana, lost USD 114 million in October 2022 as a result of market manipulation.

The hacker – it was later revealed that the hacking team was led by trader Avraham Eisenberg – set out to withdraw customer deposits from Mango Markets by manipulating the price of the MNGO token. He took the following steps:

  • Deposited 5 million USDC to Mango Markets;
  • Opened a huge long position on the MNGO token, which caused its price to rise by over 1,000% in just one hour. The value in the hacker’s account also increased as a result;
  • Took out USD 114 million in loans against the now hugely inflated collateral value in a basket of different coins and tokens, withdrew the funds and fled with the money.

Eisenberg later reached a settlement with the project developers and returned USD 69 million. He later revealed his identity, which proved to be unwise when the United States Department of Justice arrested him in December 2022 and charged him with crimes related to market manipulation.
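The Mango sequence depends on the lending side re-valuing collateral at whatever the spot price is right now, so a price moved 1,000% in an hour becomes 1,000% more borrowing power in the same hour. As an added illustration (hypothetical code, not Mango Markets' risk engine), the contract below keeps a time-weighted average price from updates pushed by an assumed trusted updater, values collateral at the lower of spot and TWAP, and stops lending against an asset altogether once spot runs further above its average than a configured deviation. Contract, struct and parameter names are assumptions; prices are taken as 18-decimal fixed point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical collateral valuation with a two-checkpoint TWAP and a deviation guard.
contract ManipulationResistantCollateral {
    struct Feed {
        uint256 lastPrice;       // latest spot, 18 decimals
        uint256 lastUpdate;      // timestamp of lastPrice
        uint256 cumulative;      // sum of price * seconds the price was in force
        uint256 prevCum;         // cumulative at the previous checkpoint
        uint256 prevTime;        // timestamp of the previous checkpoint
        uint256 curCum;          // cumulative at the current checkpoint
        uint256 curTime;         // timestamp of the current checkpoint
        uint256 ltvBps;          // loan-to-value, e.g. 5000 = 50%
        uint256 maxDeviationBps; // spot may exceed TWAP by at most this much
    }

    address public immutable updater; // assumed: a trusted price pusher
    uint256 public immutable window;  // seconds between checkpoints
    mapping(address => Feed) public feeds;

    modifier onlyUpdater() { require(msg.sender == updater, "not updater"); _; }

    constructor(uint256 window_) { updater = msg.sender; window = window_; }

    function addAsset(address asset, uint256 price, uint256 ltvBps, uint256 maxDeviationBps) external onlyUpdater {
        require(price > 0, "bad price");
        require(ltvBps <= 10_000 && maxDeviationBps <= 10_000, "bad params");
        Feed storage f = feeds[asset];
        require(f.lastUpdate == 0, "exists");
        f.lastPrice = price;
        f.lastUpdate = block.timestamp;
        f.prevTime = block.timestamp;
        f.curTime = block.timestamp;
        f.ltvBps = ltvBps;
        f.maxDeviationBps = maxDeviationBps;
    }

    /// Push a new spot price; the old price is weighted by the seconds it was in force.
    function update(address asset, uint256 price) external onlyUpdater {
        require(price > 0, "bad price");
        Feed storage f = feeds[asset];
        require(f.lastUpdate != 0, "unknown asset");
        f.cumulative += f.lastPrice * (block.timestamp - f.lastUpdate);
        f.lastPrice = price;
        f.lastUpdate = block.timestamp;
        // Roll the checkpoints once a full window has passed, so the average
        // always spans between `window` and `2 * window` seconds.
        if (block.timestamp - f.curTime >= window) {
            f.prevCum = f.curCum;
            f.prevTime = f.curTime;
            f.curCum = f.cumulative;
            f.curTime = block.timestamp;
        }
    }

    /// Time-weighted average since the previous checkpoint.
    function twap(address asset) public view returns (uint256) {
        Feed storage f = feeds[asset];
        require(f.lastUpdate != 0, "unknown asset");
        uint256 cumNow = f.cumulative + f.lastPrice * (block.timestamp - f.lastUpdate);
        uint256 elapsed = block.timestamp - f.prevTime;
        require(elapsed >= window, "insufficient history");
        return (cumNow - f.prevCum) / elapsed;
    }

    /// Value that may be borrowed against `amount` of `asset`; zero while spot
    /// has run away from its average, so a one-hour spike cannot be cashed out.
    function borrowableValue(address asset, uint256 amount) external view returns (uint256) {
        Feed storage f = feeds[asset];
        uint256 avg = twap(asset);
        uint256 spot = f.lastPrice;
        if (spot > avg && (spot - avg) * 10_000 / avg > f.maxDeviationBps) {
            return 0; // pause borrowing against this asset rather than honour the spike
        }
        uint256 price = spot < avg ? spot : avg; // conservative side for collateral
        return amount * price / 1e18 * f.ltvBps / 10_000;
    }
}
```

A thin token such as MNGO would additionally warrant a per-asset borrow cap, since even an averaged price says nothing about whether the collateral could actually be sold for that value if the position had to be liquidated.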

How is 2023 going for crypto’s lawless profiteers?

According to PeckShield analysts, hackers carried out 24 cryptocurrency hacks worth a total of USD 8.8 million in January 2023. This is 14 times lower than the amount stolen by hackers in the same period last year. The largest attack occurred on LendHub, when hackers withdrew USD 6 million from the lending platform in a single attack. Other crypto projects that have been hacked so far this year include Mycelium, Thoreum Capital, Midas Capital and OMNI.

PeckShield also revealed that February 2023 saw 209 hacks worth USD 35 million, which is ten times less than was stolen during the same month in 2022.

No new security innovations have taken place in the intervening period, which means DeFi protocol hacks will continue. Here, a piece of ancient wisdom may come in handy: don’t put all your eggs in one basket, or else you could lose everything in one fell swoop.