Defi Exploits And Access Control Hacks Cost Crypto Investors Billions In 2022

Decentralized finance (DeFi) is sometimes criticized as the “wild west” of the cryptocurrency industry. If the $2.32 billion stolen from various protocols so far this year can be used as an accurate description of the state of DeFi today, critics will have the last laugh.
Said to have started with Bitcoin in 2009, DeFi actually took off in 2020 with the launch of Compound Finance’s so-called “yield farming” investment strategy.
Thousands of decentralized applications or dApps are now in use. DeFiLlama reports that more than $53.73 billion in total value is locked up in DeFi — numbers so juicy that they’ve caught the attention of unwanted actors — hackers.
DeFi is a corner of the cryptocurrency industry that broadly adheres to Bitcoin’s founding ethos of decentralization and privacy, while maintaining an unmistakable separation from government control. However, without oversight, this freedom comes with great risk.
According to blockchain security firm PeckShield, hackers stole more than $2.32 billion from the DeFi industry in 135 exploits this year. This number is 50% more than what was stolen from the entire industry in 2021.
Over the years, online thieves have used various tactics to accomplish their task. Commonly used attack methods include honeypots, phishing, exploits, access-control attacks, and flash loans, according to the REKT database. Here are the top ten DeFi exploits of 2022 compiled by PeckShield.
#PeckShieldAlert Wintermute lost ~$160 and ranked fifth in the ranking of the top DeFi exploits in 2022. In this case, the exploiters were immediately put into the 3CRV pool to avoid being blacklisted, and about 50% of the top 10 exploiters were moved to the pre-mixer. Tornado Alert pic.twitter.com/RxMPOIypSz — PeckShieldAlert (@PeckShieldAlert) September 21, 2022
Ronin Network, the Ethereum sidechain for the crypto game Axie Infinity, lost over $620 million in ETH and USDC in March. The attacker “used compromised private keys to simulate the withdrawal of funds” from the Ronin bridge contract in two transactions.
The exploit, which took place on March 23, was only discovered a week later when a user was unable to withdraw 5,000 Ether. In total, the hacker took 173,600 ETH and $25.5 million in USDC, worth more than $620 million at the time.
The Ronin Network hack is considered the biggest DeFi hack in history. It remains the largest to date, PeckShield says.
On February 2, an attacker stole more than $320 million in ETH from the Wormhole protocol, a popular cross-chain bridge between Solana, Ethereum, Avalanche, and others.
Wormhole requires users to deposit ethereum in order to mint wrapped ETH (WETH), a type of cryptocurrency pegged to the price of ethereum.
Analytics firm Elliptic attributed the exploit to Wormhole’s failure to verify “custodial” accounts. This allowed the attacker to mint 120,000 WETH that was not backed by any ethereum. The hacker then traded 93,750 WETH for Ethereum and the rest for Solana. The total loss at that time was more than $320 million.
On August 2, hackers stole nearly $190 million worth of cryptocurrency from Nomad, which allows users to transfer tokens from one blockchain to another.
The attack followed an update to the Nomad code. One part of the smart contract was marked as valid each time users made a transfer, which allowed bad actors to withdraw more assets than they had deposited on the platform. The hackers repeated this process until they had withdrawn $190 million worth of cryptocurrency. Nomad found out before it was too late.
In April, an attacker stole $182 million worth of cryptocurrency from Beanstalk Farms, a DeFi protocol aimed at balancing the supply and demand of cryptocurrencies.
PeckShield said the attacker exploited Beanstalk’s majority-vote governance system and voted to send themselves $182 million. The company said the attacker used a flash loan to get a controlling stake in the protocol, but their actual profit was around $80 million.
Wintermute is the latest DeFi protocol to fall victim to hackers, who took $160 million from the platform’s decentralized finance arm. CEO Yevgeny Gaevoi said the hack was related to a critical flaw in Profanity, a tool for generating Ethereum vanity addresses.
Wintermute used the tool to reduce transaction costs, not to “fake it,” he said. Human error appears to be behind this attack.
In June, hackers exploited a vulnerability in the decentralized exchange Maiar to steal around 1.65 million Elrond eGold (EGLD), the native token of the Elrond blockchain. Researchers said the attacker deployed a smart contract and used three wallets to steal an estimated $113 million in EGLD from the exchange.
The hackers immediately sold 800,000 tokens worth $54 million on that DEX, and the rest were sold on centralized exchanges or traded for ethereum.
A few days after the Elrond exploit, hackers struck again on June 23 and hacked Horizon Bridge for nearly $100 million. Horizon is a crosschain synchronization platform between Ethereum, Binance Smart Chain and Harmony blockchain networks.
PeckShield revealed that more than $98 million in various tokens was withdrawn from the Harmony-powered platform and traded for Ether. More than 50,000 user wallets were affected. The hackers then transferred $35 million through Tornado Cash.
DeFi protocol Qubit Finance announced on January 28 that it had been exploited by an attacker who stole 206,809 Binance Coin (BNB) from its QBridge protocol. In total, the tokens were worth $80 million.
According to security firm Certik, the attacker used a deposit option in the QBridge contract to mint 77,162 qXETH, a token used to represent ethereum bridged via Qubit. The attacker tricked the platform into believing that they had made a deposit. After repeating the process several times, they converted the assets to BNB and disappeared.
Cashio, Solana’s stablecoin protocol, suffered what the team called “infinite destruction” in March. Hackers took $48 million from the protocol, leading to the collapse of Cashio’s CASH stablecoin.
Cashio allows users to mint the CASH stablecoin, with all deposits backed by interest-bearing liquidity provider tokens. The attacker obtained billions of CASH and exchanged it for USDC and UST on the DEX Saber before withdrawing.
CASH, pegged to the dollar, dropped to $0 after the hack. The attacker refunded accounts holding less than $100,000 and promised to give the rest to charity. That is the last we heard about the Cashio heist. CASH is dead.
The exploit of Fantom-based lending platform Scream is perhaps the most ill-advised in terms of protocol security. Scream was left with $38 million in debt after two stablecoins, Fantom USD (fUSD) and DEI, lost their peg to $1.
Since the protocol hardcoded the value of the two stablecoins, the assets' decline in value was not reflected on Scream. Sharks used this loophole to empty the protocol of any valuable stablecoins while depositing fUSD and DEI.
$38 million worth of the stablecoins FRAX, USDT, USDC and MIM was drained from the platform. After this incident, Scream dropped its hardcoded pricing and turned to the Chainlink oracle for live pricing information. The sharks grabbed their prey. Good day people!
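The pricing flaw described above, as an added example that is not Scream's code: it compares the borrow limit a lending pool computes from a hardcoded $1 price with the limit computed from a live feed that is also checked for staleness. `PriceFeed` is a hypothetical stand-in for an oracle answer (not the Chainlink API), and the deposit amounts, prices, collateral factor and maximum feed age are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class PriceFeed:
    """Hypothetical oracle answer: price in US cents plus last-update time."""
    price_cents: int
    updated_at: int  # Unix seconds

COLLATERAL_FACTOR_BPS = 8000   # assumed: borrow up to 80% of collateral value
MAX_FEED_AGE = 3600            # assumed: reject answers older than one hour
HARDCODED_CENTS = {"fUSD": 100, "DEI": 100}  # the flaw: always $1.00

def hardcoded_price(symbol, feeds, now):
    """Pre-incident behaviour described above: the market price is ignored."""
    return HARDCODED_CENTS[symbol]

def oracle_price(symbol, feeds, now):
    """Live pricing with basic sanity checks on the feed."""
    feed = feeds[symbol]
    if feed.price_cents <= 0:
        raise ValueError(f"{symbol}: non-positive price")
    if now - feed.updated_at > MAX_FEED_AGE:
        raise ValueError(f"{symbol}: stale price")
    return feed.price_cents

def collateral_value(deposits, price_fn, feeds, now):
    return sum(amount * price_fn(sym, feeds, now) for sym, amount in deposits.items())

def borrow_limit(deposits, price_fn, feeds, now):
    return collateral_value(deposits, price_fn, feeds, now) * COLLATERAL_FACTOR_BPS // 10_000

def bad_debt(deposits, borrowed_cents, feeds, now):
    """Shortfall left with the protocol if the borrower never repays."""
    return max(0, borrowed_cents - collateral_value(deposits, oracle_price, feeds, now))

# Constructed sample: both stablecoins trade below their peg.
NOW = 1_700_000_000
FEEDS = {"fUSD": PriceFeed(69, NOW - 60), "DEI": PriceFeed(52, NOW - 60)}
DEPOSITS = {"fUSD": 1_000_000, "DEI": 1_000_000}

if __name__ == "__main__":
    naive = borrow_limit(DEPOSITS, hardcoded_price, FEEDS, NOW)
    live = borrow_limit(DEPOSITS, oracle_price, FEEDS, NOW)
    print(f"hardcoded limit: ${naive / 100:,.2f}")
    print(f"oracle limit:    ${live / 100:,.2f}")
    print(f"bad debt at hardcoded limit: ${bad_debt(DEPOSITS, naive, FEEDS, NOW) / 100:,.2f}")
```

A stale or non-positive feed answer raises instead of silently falling back to a fixed price, so the pool refuses to lend rather than lending against a guess.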
PeckShield said that 50% of the money stolen from the above protocols, or about $1.16 billion, was moved to Tornado Cash, an Ethereum-based cryptocurrency mixer that the US government sanctioned in August, sparking a backlash from the crypto community.
Tornado Cash allows cryptocurrency users to obfuscate their financial transaction history, making it more difficult to trace. According to the US FBI, the mixer has been used by the North Korean hacker group Lazarus to launder more than $7 billion in cryptocurrency since 2019.
With billions lost to hackers, affected DeFi protocols made several attempts to recover their funds with limited success. One way to do this is to ask the attacker to return the ill-gotten loot. Or not at all.
Qubit Finance tried this and offered a reward of $2 million, the maximum that can be offered for any so-called white hat hacking claim. It didn’t work. Harmony also played with that idea. It offered a $1 million reward for the return of the $100 million stolen from Horizon Bridge and promised no criminal charges. The hackers ignored the call. Nothing has been returned.
However, a similar strategy worked for Poly Network in August 2021, when the attacker returned most of the stolen $600 million.
Some luck also came Ronin’s way. Earlier this month, the network recovered $30 million in missing funds with the help of crypto security firm Chainalysis, the US Treasury and the FBI. But that’s only 5% of the $620 million stolen in the hack. The FBI estimates that the alleged attacker, the Lazarus Group, laundered approximately $455 million through Tornado Cash.
After hackers drained the Nomad bridge of $190.4 million, they sent $9 million back to the platform within a day. After receiving a 10% reward for any amount returned, the white hackers hacked another