DeFi hacking incidents in 2021

2022-01-13, 08:32

[TL; DR]

Decentralized Finance (DeFi) has taken a dramatic uptrend in the past years, making the young sector very attractive to blockchain investors. DeFi has accumulated over 100 billion as of Q3 of 2021. Since its inception, this boom has attracted massive attacks from hackers who take advantage of the project loopholes.

To this effect, firms like CipherTrace have released tools and new compliance solutions that will help decentralized exchanges (DEXs) and DeFi projects to abide by regulations of the Office of Foreign Assets Control (OFAC). This development is a big step towards bringing legitimacy to the fastly evolving DeFi space. The CipherTrace DeFi Compliance will make all the relevant data available readily and directly on-chain for easy and quick integration with the existing DeFi frameworks.

Already, this is helping DeFi projects curb this malicious act to a great degree. Generally, Crypto crimes are taking a downward trend in the previous years: $4.5 billion in 2019, $1.9 billion in 2020, $681 million in the first seven months of 2021. But DeFi crimes have Tripled in effect.

This article will examine the causes, 2021 DeFi significant hacks, and the industry's steps to curb repetition. Keep reading!


Keywords: Decentralised Finance(DeFi), DeFi attacks, blockchain hacking, biggest DeFi hack, blockchain hacks, hacker.

Why DeFi projects?

Many questions, therefore, arise as to why many are still interested in this blockchain arm, despite massive attacks. It might interest you to know that, unlike the conventional financial systems where insider operations govern the operation and control the sector, DeFi does not rely on such authorities.

Decentralized finance, powered by blockchain technology, has revolutionized finance as it is fully non-custodial and decentralized. Users are allowed to have complete control and transact their Digital assets: no central authority. This decentralization is made possible by smart contracts on the blockchain network, which only permit actions on the network when set conditions are met. Hence, we have peer-to-peer financial services that permit Decentralised lending, decentralized exchange, derivatives, payment systems, Yield farming, market prediction that are faster, cheaper, auditable, and seamless.


For example, Ethereum DeFi projects have gained wide adoption due to the previous year's high-interest rate, making many users significant profits. Loans and interest earned from loans generated "passive income" for users. Yield farming allows users to leverage their crypto assets to generate handsome returns.

Hacks via weak Smart Contract Design

Despite this decline in widespread attacks on the blockchain industry, DeFi has worsened by a factor of 2.7 compared to last year. These losses have come through various means such as hacks, rug pulls, & system failures, and thefts.


In most cases, DeFi hacking happens when the Smart contracts implemented on the blockchain are faulty, misuse of third-party protocols, developer incompetence, and business logic errors, potentially making the project susceptible to hackers. These contracts mistakes are often almost irrevocable, so are the bugs, thus increasing risk. Unfortunately, these flaws are still prevalent among DeFi.

Experts say that hackers exploit the weakness in cryptography or coding of these DeFi projects to authorize the movement of funds.


P.S: With a total of $906 million, Poly Network, Compound, and Cream Finance have made it to the topmost affected DeFi projects in 2021.

1. The biggest DeFi hacks in 2021: The Poly Network hack

On August 10, the most significant Crypto loss in history, amounting to $612 million, was recorded by Poly Network, topping the losses of MtGox and Coincheck. Usually, DeFi hackers target specific DeFi instruments, but in this case, Poly Network's infrastructure is the focus.

The hacker's goal was to gain complete control of the decentralized exchange's (DEX) smart contracts, giving him access to locked tokens within the contract.

A total of $273 million worth of Ethereum network tokens was stolen; $85 million in USD Coin (USDC) from the Polygon network, and $253 worth of Binance Smart Chain some sizeable amount of renBTC, wrapped Bitcoin (wBTC), and wrapped Ether (wETH).

Poly Network operates with a smart contract that connects independent blockchains to facilitate token transfer. This hacker, reportedly known as white Hat, exploited the CrossChainManager smart contract and swapped the contract's storage key on the Poly Network. This manipulation gave him complete control, allowing him to unlock and move the tokens to his choice addresses.

Surprisingly, the hacker rejected the offers made by Poly network, but on August 11, the attacker started returning some of the stolen funds to Poly Network.

At the hacker's attempt, it appeared that he re-used a wallet with prominent exchanges that had some information on him through their know your customer protocol.
According to CipherTrace, most of the stolen funds have been returned to Poly Network selected addresses.
These addresses are:

· 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f
· 0xA4b291Ed1220310d3120f515B5B7AccaecD66F17
· 0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc

2. Compound Finance hack

April 19, 2021, EasyFI lost about $75 million EASY token and $6M of user’s liquidity. EasyFi is a Compound Finance fork operating on the Polygon Layer 2 Network. The hacker accessed the project's admin key, which permits developers to update their protocol. Therefore, the team has altered the blockchain network protocol to offset their losses and avoid future attacks.

3. Yearn finance flash loan attack

Yearn Finance (YFI) was attacked y a hacker in February 2021, escaping with $2.8 million. The hackers diverted $11 million from the DIA vault via flash loans to make a collateralized loan. This mysterious hacker took advantage of the design flaw to initiate a "flash loan attack" by engaging five different DeFi protocols; Compound Finance (COMP), Aave Protocol (AAVE), Curve Protocol (CRV), dYdX, and Yearn. Finance (YFI).

4. PAID Network 2021 hack

The hacker manipulated the Smart contract upgrade function by using a compromised key to the Paid Network contract deployer. This access permitted him to mint and dump over 100 million, resulting in an inflationary pull which caused the token to lose about 85%.in market value.

5. Cream Finance $130 million hack

In 2021 alone, Cream Finance has suffered three different attacks summing up to $186.6 million. - in February, hackers penetrated by dubbing the smart contract of the Alpha Homora protocol. About $ 37.5 million in ETH and stablecoins was found missing.

- At the end of August, Cream Finance suffered a similar attack when hackers stole $ 18.8 million in Ether (ETH) and AMP tokens.

-Cream Finance suffered a new attack on October 27, 2021. The loss was estimated to be worth about $ 130 million this time. Making it ranked the 3rd highest attack of 2021
The attacker exploited a vulnerability in the smart contract of flash loans (instant loans) from Cream Finance on the Ethereum network.

6.BadgerDAO $120 million token theft.

In its protocol, Bitcoin holders are able to "bridge" their cryptocurrency over to Ethereum's platform via its token, enabling them to benefit from DeFi opportunities they might not have access to.

According to a security source, pecksheild, working with Badger DAO to investigate the stolen tokens, confirmed that a malicious actor pocketed about $120 million tokens on December 1, 2020. They claimed that the bad actor inserted _script_s on their website to interrupt Web3 transactions, requesting a transfer of the victim's tokens to the attacker's chosen address. Badger's team claimed that they noticed some trace as early as November 10, but it was barely traceable because the hacker ran it severely at different intervals.

Although there was no fault within Blockchain tech itself, the hacker exploited the users on Badger’s web2.0 site while performing their transactions. This led the badger to freeze its platform because of unauthorized transfers detected by its team. It paused all Smart contracts and asked users to reject all transactions to the attacker's addresses.
Since then, the company has retained data forensics experts Chainalysis to investigate the full scale while cooperating fully with external bodies for investigation.


Conclusion

-According to coin Telegraph, among 2021 crypto hacks, only 37% were audited.
-About 60 % less attack impact compared to unaudited projects.
-This result also claims that up to $1.3 billion were from unaudited ones.

We can then infer that auditing is essential to providing a secured DeFi protocol for blockchain adopters. Recently, there has been more demand for smart contract security audits and third-party audit procedures to ensure these projects' viability before they go public. In conclusion, investors need to conduct thorough research before allocating funds to DeFi projects. Nevertheless, these hacks and theft have emphasized caution to the blockchain community, driving the sector to advancement and credibility.

Author: Gate.io Observer: M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.
Compartilhar
gate logo
Credit Ranking
Complete Gate Post tasks to upgrade your rank