It appears that the DeFi community falls more behind in addressing security vulnerabilities for investors the faster they work on it. It appears that DeFi hackers are outnumbering security development teams and are winning the war, as reported by journalist David Hamilton in the piece that follows.
Learning about the top 10 DeFi hacks is a smart move that can help you to better understand the market’s history and future. The world of DeFi (Decentralized Finance) remains an exciting and expanding sector of the blockchain industry. These unique and often experimental platforms focus on bringing more flexibility, privacy, and ROI opportunities to users. To accomplish this task, they utilize a decentralized structure, which can improve user profitability.
The DeFi movement is in full swing, and the technology continues to innovate. However, this massive growth has been accompanied by some noteworthy growing pains. Around every new technology, there is someone waiting to exploit any errors, and DeFi is no different. Here are the top 10 DeFi hacks you need to know.
1. Ronin Network – $625M
At the top of the list of DeFi hacks is one incident that resulted in the loss of over half a billion dollars. The Ronin network suffered a $625M hack when infiltrators were able to find a weakness in the sidechain. Notably, the Ronin Network operates as the primary way for Axie Infinity players to bridge assets.
Axie Infinity is one of the most popular play-to-earn titles available. Users collect, battle, and breed their Axies to secure rewards. Notably, each Axie has distinct characteristics that make it scarce and add to its value.
The hackers were able to gain control of the network’s withdrawal processes by corrupting five validators at the same time. This maneuver enabled the attackers to easily steal $25 million USDC and 173,600 ETH. To this day, the funds have not been recovered.
2. Poly Network – $601M
Another DeFi hack that topped over half a billion dollars occurred in August 2021. This attack shared similarities with the Ronin Network in that the hacks occurred at validation nodes. The hackers targeted the cross-chain bridges’ bookkeeper nodes specifically to gather enough information to access the network’s private keys. Once the keys were obtained, the hackers quickly drained millions in Ethereum, Polygon, and BNB tokens.
Additionally, a final $268 million in tokens is locked in an account that requires passwords from both the hacker and the Poly Network. What makes this incident more interesting is the fact that the Poly network offered the hacker $500K and immunity if they returned the funds. The hacker, of course, denied the offer as it would be nearly impossible to guarantee that government officials wouldn’t choose to prosecute such an audacious heist.
Notably, this hack has a happy ending, unlike most of the others on this list. The majority of the funds were returned, with only $33 million left unaccounted for. In one of their final interactions, the hacker said they pulled off the heist “just for fun.”
3. Wormhole Bridge – $325 million
The Wormhole Bridge is another sad tale of DeFi networks getting hacked for substantial losses. The Wormhole bridge serves as a vital cross-chain DeFi bridge. The goal of the project is to improve liquidity by eliminating friction points. Specifically, the network uses a process called wrapping to enable assets to venture onto other networks.
In this incident, the hackers were able to access the liquidity mechanism and start minting wrapped tokens without any deposit. Interestingly, to accomplish this task, they used coins minted on the Solana blockchain. The wrapped ETH on Solana totaled over 93,750 tokens. From there, the hackers quickly swapped the assets for ETH directly.
4. Nomad Bridge – $190M
The Nomad Bridge hack caught the market by surprise. Intruders were able to make off with a hefty $190M in crypto using a loophole they created, which enabled them to withdraw more than they deposited. This process was repeated a staggering 1175 times before the network admins caught onto the scheme.
The delay resulted in $190 million in tokens being stolen from the network. Forensics revealed that more than one hacker was involved in the heist as the news spread, and more groups joined in the pillage. The Nomad team made a desperate plea to have their users’ funds returned.
Surprisingly, over $30M actually did get sent back, thanks to their efforts. The rest of the funding remains at large. This hack does show that, in some instances, communication can result in the recovery of millions in funding.
5. Beanstalk Farms – $182M
Beanstalk Farms served as a DeFi system supported by algorithmic stablecoins. Algorithmic stablecoins use protocols and digital currency reserves, which makes them different than most stablecoins. Notably, this type of stablecoin has been around for a while but has proven to be extremely difficult to maintain.
In this hack, attackers focused on the community governance system. They exploited a weakness that enabled them to pass proposals. After gaining control, they passed multiple proposals that minted hundreds of millions in the stablecoin. Notably, the funds were transferred to two addresses.
One was the hacker’s assumed address, and the other was a Ukrainian donation address. In the end, the hacker kept around $70M of the heist, and the rest went to help Ukrainian refugees. In this way, this hack remains a conundrum as the millions donated did some good.
6. Wintermute – $160M
Wintermute was a popular DeFi liquidity platform that had the unfortunate judgment of using the Vanity Wallet as its primary storage for users. The Vanity Wallet had an attack vector that enabled hackers to leverage address recreation attacks to drain the network of $160 million.
This hack was a prime example of why DeFi networks need to leverage cold storage systems rather than using hot wallets. Cold storage is a method of storing your crypto offline or with what’s called an “air gap.” It prevents online threats and has since become the industry standard following the massive losses.
7. Compound – $150M
Compound was, and remains, one of the top-performing DeFi liquidity markets in the sector. The network saw a massive $150M loss after a combination of bad coding and hackers set on creating havoc. The coding error, now referred to as the “Leaky Tap,” was a smart contract issue that allowed new tokens to be minted without cause.
The DeFi hacks first created a massive liquidity pool that contained 280,000 network utility COMP tokens. Once they had the pool open, they began siphoning funding out. Since it was a coding error and not a hack directly, the developers had to pass a community governance proposal to alter the error. The process ended up taking days to complete.
The delays resulted in additional funds lost as users were forced to watch the account slowly drain. At least the developers recovered more than half of the funds shortly after the incident occurred, which helped limit the losses to users considerably. Today, Compound still operates as a top-performing DeFi protocol, albeit with improved security protections against this type of attack.
8. Vulcan Forged $140M
The Vulcan Forged hack represented one of the first times a play-to-earn network was successfully targeted for hundreds of millions in losses. The platform gained popularity by providing access to a host of popular P2E titles. Additionally, users could take their winnings and improve their ROIs, leveraging the many DeFi options offered.
In December 2021, things went bad for a large group of network users after hackers were able to access the backend of the network and remove 96 wallet keys. The coding issue resulted in the gamers’ Venally wallets being drained of $140M in PYR tokens. Due to the fact it was a coding error, the project promptly paid back the losses to all affected.
9. BadgerDAO – $120M
The BadgerDAO hack occurred in December 2021 and resulted in the loss of 2,100 BTC and 151 ETH. The BadgerDAO operated as a high-performance Bitcoin bridge into the DeFi world. Everything went wrong when hackers were able to locate a weakness in the platform user interface.
After careful review following the losses, it was determined that the hacker used a multi-step approach, which began with hacking the security firm Cloudflare first. This hack gave them access to the information they needed to add permissions to transactions. Today, the website lists the discontinuation of all remaining vaults.
10. Horizon Bridge – $100M
The Horizon Bridge hack occurred fairly recently compared to many others on this list. In June 2022, $100M was stolen from this cross-chain bridge. The bridge’s operator, Harmony, was forced to halt operations temporarily to stop the attack and prevent further losses.
A careful review showed that Harmony’s multi-sig wallet was set up to hold four signatures. However, it only required two signatures to transfer funds. Sadly, these concerns hadn’t been raised before the attack. In the end, the issues turned out to be solid advice as the network found itself on the other side of a nine-figure loss.
Growing Pains are Part of Life
There is no universe in which new technologies can innovate and expand without there being a risk of scammers and hackers exploiting any opportunity they find. Thankfully, the silver lining behind every hack is that it reveals a new strategy which can then be prevented on other platforms. With that being said, malicious hackers are, unfortunately, a part of the crypto community – whether people like it or not.
Via this site