2021 witnessed an explosion in the number of DeFi projects, users, and the value secured by smart contracts. Yet it was not all linear growth, up and to the right. Dozens of projects came and went overnight, taking millions of dollars of investor deposits in the process.
There were other, more sophisticated attacks too. BadgerDAO fell prey to an advanced attack that compromised its website's front end, leaving its smart contracts untouched. We'll examine this and many more exploits in this article.
Despite the frustratingly common recurrence of rugpulls, there are many lessons to be learned from the security vulnerabilities we saw exploited in 2021.
Rugpulls
It would not be an overstatement to say that 2021 was the Year of the Rugpull. Hundreds of millions of dollars were lost to rugpulls in 2021, billions if you count the Turkish exchange Thodex rugpulling its customers for more than $2 billion when the CEO disappeared shortly after disabling withdrawals.
Thodex was an exception to the rule, however, and the rule was that unaudited, fly-by-night DeFi platforms were the most likely to be rugpulls.
Two things combined to make this possible: strong retail interest and investment in crypto; and the development of the industry to the point where it is no longer a major challenge for someone with moderate experience to launch their own token or DeFi platform.
Get-rich-quick became get-rich-overnight for dozens of unscrupulous developers who were willing to steal all their investors’ money and walk away with the proceeds.
AnubisDAO for $58 million, Meerkat Finance for $31 million, PAID Network for $27 million, a Squid Game token that ripped off the hit Netflix show for $3.4 million; the list goes on.
Rugpulls are possible as a result of centralized privileges, which were the most common smart contract vulnerability we found throughout 2021 in our audits.
The average lifespan of a crypto scam has been dropping steadily over the years, down to just 70 days in 2021 from 192 in 2020. This 63% decrease in a single year is undoubtedly influenced by the proliferation of rugpulls, which can happen in the blink of an eye.
Phishing & Code Injection
Phishing and code injection, a more sophisticated attack than the classic rugpull, turned up a couple of times in 2021. BadgerDAO users lost roughly $120 million of assets when an attacker compromised the DeFi platform’s front-end, not their back-end smart contracts. The attacker inserted malicious code into Badger’s website that intercepted users’ Web3 transactions and replaced them with transactions that transferred tokens to the attacker’s addresses.
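The attack described above works because the user's wallet signs whatever the (compromised) page hands it. A defensive counterpart is to decode the request before signing and compare its real recipient with the protocol's published contract set. The following is an added example, not code from the article or from BadgerDAO: the two ERC-20 function selectors are the genuine ones, but every address, amount and transaction is a constructed placeholder, and the allowlist is assumed to live somewhere the page cannot rewrite (a wallet, a browser extension, or the user's own review).

```python
# Added example (not from the article or BadgerDAO): wallet-side review of an
# ERC-20 transfer/approve request a dApp front end asks the user to sign.
# Selectors are the real ERC-20 ones; addresses and amounts are constructed.

TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]
APPROVE_SELECTOR = "095ea7b3"   # keccak256("approve(address,uint256)")[:4]

# Constructed placeholder addresses (hypothetical deployments, not real ones).
PROTOCOL_CONTRACTS = {
    "0x1111111111111111111111111111111111111111",  # hypothetical vault
    "0x2222222222222222222222222222222222222222",  # hypothetical staking contract
}
TOKEN_CONTRACT = "0x3333333333333333333333333333333333333333"  # hypothetical ERC-20


def _strip0x(hexstr: str) -> str:
    return hexstr[2:] if hexstr.lower().startswith("0x") else hexstr


def encode_erc20_call(selector: str, recipient: str, amount: int) -> str:
    """ABI-encode transfer/approve calldata (used here only to build the samples)."""
    addr_word = _strip0x(recipient).lower().rjust(64, "0")   # address is the low 20 bytes of a 32-byte word
    amount_word = format(amount, "064x")                      # uint256, big-endian, 32 bytes
    return "0x" + selector + addr_word + amount_word


def decode_erc20_call(data: str):
    """Return (function, recipient, amount) for transfer/approve calldata, else None."""
    hexdata = _strip0x(data).lower()
    if len(hexdata) != 8 + 64 + 64:
        return None
    selector, addr_word, amount_word = hexdata[:8], hexdata[8:72], hexdata[72:]
    names = {TRANSFER_SELECTOR: "transfer", APPROVE_SELECTOR: "approve"}
    if selector not in names or addr_word[:24] != "0" * 24:
        return None
    return names[selector], "0x" + addr_word[24:], int(amount_word, 16)


def review_transaction(tx: dict, allowed_targets: set, token_contract: str) -> list:
    """Findings to surface before signing; an empty list means nothing looked off."""
    findings = []
    to = tx["to"].lower()
    if to not in allowed_targets and to != token_contract:
        findings.append(f"tx targets unexpected contract {to}")
    call = decode_erc20_call(tx.get("data", ""))
    if call is not None:
        fn, recipient, amount = call
        if recipient not in allowed_targets:
            findings.append(f"{fn} of {amount} to an address outside the protocol set: {recipient}")
    return findings


# Constructed samples: the honest flow approves the vault to pull tokens ...
LEGIT_TX = {"to": TOKEN_CONTRACT,
            "data": encode_erc20_call(APPROVE_SELECTOR, "0x1111111111111111111111111111111111111111", 10**18)}
# ... while a tampered page points the same approval at an address the protocol never published.
TAMPERED_TX = {"to": TOKEN_CONTRACT,
               "data": encode_erc20_call(APPROVE_SELECTOR, "0x4444444444444444444444444444444444444444", 2**256 - 1)}

if __name__ == "__main__":
    for name, tx in (("legit", LEGIT_TX), ("tampered", TAMPERED_TX)):
        print(name, review_transaction(tx, PROTOCOL_CONTRACTS, TOKEN_CONTRACT) or "OK")
```

The useful property is that the check does not depend on the page being honest: the calldata the wallet is asked to sign is the ground truth, and an unlimited approval to an unknown recipient is visible in it regardless of what the page's UI claims.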
EasyFi fell victim to a different kind of phishing attack.
According to their post-mortem analysis of the incident, a computer which was only used for official EasyFi administrative functions was compromised, with the attacker gaining control of the mnemonic phrase that secured the administrator’s Metamask wallet. The result was a loss of $59 million in stablecoins and EASY tokens.
Again, this kind of attack highlights the risks that come with granting centralized powers to a single wallet.
Oracle Manipulation
Oracle manipulation, often called flash loan attacks because flash loans typically supply the capital, was more prevalent in 2019 and 2020, when much of DeFi had not yet adopted decentralized oracle infrastructure. Such attacks have become less common, but apparently some platforms have still not learned the lessons of their predecessors.
PancakeBunny users saw the value of the BUNNY token drop from $146 to $6 in the space of seconds. This came as a result of the actions of an attacker who used eight separate flash loans to manipulate the price of BUNNY on eight different PancakeSwap pools. They exploited the fact that PancakeBunny used PancakeSwap as a price oracle, minting 697,000 BUNNY tokens due to a divergence between the market price of the token and the manipulated PancakeSwap price. This netted the hacker $45 million and saw the total value locked in PancakeBunny pools decrease by an order of magnitude: from $10 billion to $1 billion.
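To see why reading a DEX pool's spot price as an oracle is so fragile, the simulation below models a constant-product pool and two readers of it: a naive spot-price oracle and a time-weighted average (TWAP). This is an added example, not code from the article, PancakeSwap or PancakeBunny; the pool reserves, the 0.25% fee, the loan size and the 100-block window are constructed numbers, and the model ignores gas, slippage on the repayment and every detail of the real incident beyond the mechanism.

```python
# Added example (not from the article, PancakeSwap or PancakeBunny): a single
# flash-loan swap moves a pool's spot price by ~100x, while a 100-block TWAP
# reading the same pool moves by under 2x. All numbers are constructed.

class ConstantProductPool:
    """x * y = k pool of TOKEN against BUSD with a constructed 0.25% swap fee."""

    def __init__(self, reserve_token: float, reserve_busd: float, fee: float = 0.0025):
        self.reserve_token = reserve_token
        self.reserve_busd = reserve_busd
        self.fee = fee

    def spot_price(self) -> float:
        """BUSD per TOKEN implied by current reserves: what a naive oracle reads."""
        return self.reserve_busd / self.reserve_token

    def swap_busd_for_token(self, busd_in: float) -> float:
        effective = busd_in * (1 - self.fee)
        token_out = self.reserve_token * effective / (self.reserve_busd + effective)
        self.reserve_busd += busd_in
        self.reserve_token -= token_out
        return token_out

    def swap_token_for_busd(self, token_in: float) -> float:
        effective = token_in * (1 - self.fee)
        busd_out = self.reserve_busd * effective / (self.reserve_token + effective)
        self.reserve_token += token_in
        self.reserve_busd -= busd_out
        return busd_out


class TwapOracle:
    """Average of the last `window` per-block price observations."""

    def __init__(self, window: int):
        self.window = window
        self.observations = []

    def record(self, price: float) -> None:
        self.observations.append(price)
        del self.observations[:-self.window]   # keep only the newest `window` samples

    def price(self) -> float:
        return sum(self.observations) / len(self.observations)


def simulate_flash_loan_manipulation(pool, twap, loan_busd: float, honest_blocks: int):
    """Run `honest_blocks` quiet blocks, then one block in which an attacker borrows
    `loan_busd`, buys TOKEN, lets both oracles read, and sells back before repaying.
    Returns (fair price, spot reading mid-attack, TWAP reading mid-attack)."""
    for _ in range(honest_blocks):
        twap.record(pool.spot_price())
    fair = pool.spot_price()
    bought = pool.swap_busd_for_token(loan_busd)   # borrowed BUSD pushes the price up
    spot_mid = pool.spot_price()                    # naive oracle sees the inflated price
    twap.record(spot_mid)                           # TWAP receives one tainted observation
    twap_mid = twap.price()
    pool.swap_token_for_busd(bought)                # unwind and repay in the same block
    return fair, spot_mid, twap_mid


if __name__ == "__main__":
    pool = ConstantProductPool(1_000_000, 1_000_000)       # constructed: 1 TOKEN = 1 BUSD
    fair, spot, twap = simulate_flash_loan_manipulation(pool, TwapOracle(100), 9_000_000, 100)
    print(f"fair {fair:.2f}  spot mid-attack {spot:.2f} ({spot / fair:.0f}x)  "
          f"TWAP mid-attack {twap:.2f} ({twap / fair:.2f}x)")
```

The TWAP is not immune, only expensive: one tainted block still shifts a 100-block average by roughly 1/100 of the spike, so the manipulation budget scales with the window length, and protocols that mint or lend against the reading should cap how far a single reading may diverge from the average.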
Smart Contract Logic Errors
A thorough smart contract audit will verify that a platform's code is logically consistent. This means that every amount is carried in a clearly defined unit and that the functions consuming those values validate their input before execution. Lack of input validation is one of the most common vulnerabilities found in smart contract audits.
bEarn suffered a loss of nearly $11 million as a result of a relatively simple code error. The vault’s withdrawal logic denominated the amount to be withdrawn in BUSD, while a different function assumed it was denominated in ibBUSD. ibBUSD is an interest-bearing stablecoin, and thus trades at a premium to the non-interest-bearing token. After noticing this logic error, an attacker made use of flash loans to exploit the vulnerability and walk away with 10,859,319 BUSD.
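The two paragraphs above describe one defect: an amount that one layer treats as BUSD and another treats as ibBUSD. The simulation below, an added example that is not bEarn's code and simplifies the real incident to that single mismatch, models a vault whose accounting layer burns shares for a BUSD amount while its strategy layer redeems the same number as ibBUSD, and shows how repeating the deposit/withdraw cycle with borrowed capital drains the other depositors. The 5% premium, the reserve size and the loan size are constructed; exact fractions are used so the numbers are reproducible.

```python
# Added example (not bEarn's code): a vault whose withdraw path mixes BUSD and
# ibBUSD denominations, versus the same vault with consistent units.
from fractions import Fraction


class Vault:
    """Balances are kept in ibBUSD shares; `price_per_share` is BUSD per ibBUSD."""

    def __init__(self, price_per_share, ib_reserve, mismatched: bool):
        self.pps = Fraction(price_per_share)      # constructed: ibBUSD trades at a premium to BUSD
        self.ib_reserve = Fraction(ib_reserve)    # ibBUSD held on behalf of all depositors
        self.shares = {}                          # user -> ibBUSD credited to them
        self.mismatched = mismatched              # True reproduces the denomination bug

    def deposit(self, user, busd) -> None:
        ib = Fraction(busd) / self.pps
        self.shares[user] = self.shares.get(user, Fraction(0)) + ib
        self.ib_reserve += ib

    def withdraw(self, user, amount_busd) -> Fraction:
        """`amount_busd` is denominated in BUSD. Returns BUSD paid out."""
        amount_busd = Fraction(amount_busd)
        ib_to_burn = amount_busd / self.pps                   # accounting layer: BUSD -> shares
        if self.shares.get(user, Fraction(0)) < ib_to_burn:
            raise ValueError("insufficient shares")
        # Bug: the strategy layer assumes the number it receives is already ibBUSD,
        # so it redeems `amount_busd` ibBUSD, i.e. pps times more value than was burned.
        ib_to_redeem = amount_busd if self.mismatched else ib_to_burn
        if ib_to_redeem > self.ib_reserve:
            raise ValueError("vault cannot cover redemption")
        self.shares[user] -= ib_to_burn
        self.ib_reserve -= ib_to_redeem
        return ib_to_redeem * self.pps


def drain_with_flash_loan(vault: Vault, attacker: str, loan_busd, max_cycles: int = 100):
    """Deposit and immediately withdraw `loan_busd` repeatedly, as one atomic transaction
    per cycle. Returns (attacker profit in BUSD, number of profitable cycles)."""
    profit, cycles = Fraction(0), 0
    for _ in range(max_cycles):
        snapshot = (vault.ib_reserve, dict(vault.shares))
        vault.deposit(attacker, loan_busd)
        try:
            paid = vault.withdraw(attacker, loan_busd)
        except ValueError:
            vault.ib_reserve, vault.shares = snapshot      # the whole transaction reverts
            break
        gain = paid - Fraction(loan_busd)
        if gain == 0:                                      # consistent units: nothing to extract
            break
        profit += gain
        cycles += 1
    return profit, cycles


if __name__ == "__main__":
    for mismatched in (True, False):
        vault = Vault(price_per_share="1.05", ib_reserve=1_000_000, mismatched=mismatched)
        profit, cycles = drain_with_flash_loan(vault, "attacker", 1_000_000)
        print(f"mismatched={mismatched}: profit {float(profit):,.0f} BUSD over {cycles} cycles, "
              f"depositor reserve left {float(vault.ib_reserve):,.0f} ibBUSD")
```

Every cycle the attacker's own capital comes back whole, so a flash loan funds the loop at no risk; the loss is borne entirely by the 1,000,000 ibBUSD that other depositors left in the vault, which is why a unit mismatch that looks like a rounding quirk on a single withdrawal becomes a total drain when the cycle is repeated.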
Exchange Hacks
Until just a couple of years ago, exchanges were at the top of the list for crypto-hackers. They were the only organizations that held millions of dollars of customer deposits, and while they paid special attention to the security of their funds, at the end of the day it was still a person that had access to deposits. People make mistakes, and they can be bribed, coerced, and tricked into handing over sensitive information. This made exchanges a prominent target.
Bitfinex, Binance, Kucoin, Crypto.com – hardly a single major exchange has gone completely unscathed.
In the last couple of years, however, the trend seemed to be abating.
Recently, DeFi platforms have become the major targets, as a single code error can compromise millions or even billions of dollars of value.
However, in 2021, at least two major exchanges were hit.
Bitmart lost $196 million of customers’ funds across its Ethereum and Binance Smart Chain wallets. And the Japanese crypto exchange Liquid fell victim in August to an attack that left it $96 million in the red.
While DeFi hacks may be the latest trend, as long as exchanges still hold billions of dollars of customer funds in their hot and cold wallets, they’ll be a target too.
As DeFi platforms continue to grow in TVL, they’re likely to attract the most attention from those looking to exploit code and security vulnerabilities. It’s worth noting that we haven’t seen any major exploits of NFT projects, which is something to keep an eye on as we progress through 2022. Cross-chain interoperability is one piece of infrastructure that is likely to make a meaningful debut this year, and, as with any new and complicated technology, all eyes will be on the security of the bridges that aim to make the blockchain world a more connected place.