
Top 17 Smart Contract Hacks in 2021-2022 Found by 4IRE

04 Nov 2023 updated


The DeFi space is quickly growing, attracting millions of adopters. The promise of Web 3.0 is privacy, freedom, democratization, and financial decentralization. These gains result from the absence of regulatory control by the governments and central banks. 

But together with a desired lack of custody comes the fruitful ground for abuse, theft, and manipulation that many hackers use. Loose regulation makes the protection of user data and funds the responsibility of every separate DeFi project. Unfortunately, not all of them are diligent enough in security provision. Thus, the number of breaches and hacks rises every year. 

DeFi Vulnerability in Numbers

DeFi is an unsafe market where millions of people become victims of large-scale privacy breaches and thefts. Within Q1 of 2022, people lost over $682 million due to hacks.


Over the past year, crypto fund owners and businesses lost $3.3+ billion as a result of hacker attacks and security breaches. Let’s talk about the top 16 disasters that crypto projects experience to see how smart contract errors can ruin everything.

Top 17 Biggest DeFi Hacks of 2021-2022

The team of 4IRE analysts researched the crypto market far and wide to come up with the list of the most audacious crypto hacks of the past year. Here are the details.

1. Poly Network: $611 Million


Lost: $611 million 

Date: 02/02/2022

Type: Exploit 

The attack on Poly Network was an audacious event that involved compromised smart contracts in three blockchains: BSC, Polygon, and Ethereum. The hacker exposed the security flaws of Poly’s unverified contracts to showcase the magnitude of risks it created. The story ended happily, with the hacker returning the money and getting a job offer for the company’s chief security consultant position. The violator refused the offer and remained anonymous, helping Poly Network enhance its security. 

2. Ronin: $552 Million

Lost: $615+ million

Date: 29/03/2022

Type: Exploit 

Ronin, the bridge that players of the world-famous NFT P2E game Axie Infinity use to move funds and assets to and from the game’s blockchain, experienced a dramatic DeFi hack this March. It uncovered a critical vulnerability in Ronin Bridge’s operations. In just two transactions, the system lost 173,000+ ETH and over 25 million USDC to an unknown hacker. The theft became possible because Sky Mavis’s Ronin and Axie DAO validator nodes had been compromised earlier. Lazarus Group, later identified as the group responsible for the attack, exploited a loophole in Ronin’s decentralized validation system to push through fake withdrawals. 

3. Grim Finance: $30 Million

Lost: $30 million 

Date: 18/12/2021 

Type: Exploit (reentrancy attack) 

Grim Finance, a yield optimizer protocol, suffered a reentrancy attack costing it $30 million. Through reentrancy, the hacker fed a series of fake additional deposits into the system while the previous ones were still incomplete. The trick let the hacker release Fantom tokens worth $30 million, exposing the absence of a reentrancy guard on the platform. The smart contract audit firm Solidity Finance had erroneously identified the guard as active.

4. Meerkat Finance: $31 Million

Lost: $31 million 

Date: 04/03/2021 

Type: Exploit (reentrancy attack)

Meerkat Finance, a yield vault project forked from Yearn.Finance, was one of the Ethereum-native protocols operating on BSC. It was attacked one day after its official launch, losing $31 million in user funds. The hacker stole 73,000 BNB coins and $14 million BUSD by abusing the smart contracts through specialized internal permissions. The exploit was later described as a test of the system’s safety, which it ultimately failed, showing that the platform could be compromised with little effort.


5. Vee Finance: $35 Million

Lost: $35 million 

Date: 21/09/2021 

Type: Exploit  

Vee Finance is an Avalanche-based project that had critical vulnerabilities in the approach to slippage checks during leveraged trading. The hackers identified the protocol’s major error – using only one oracle for the traded asset’s price checks. In that case, it was the Pangolin oracle. The hackers thus created several new trading pairs and performed several manipulative trades to distort the actual price of assets on Pangolin. These manipulations helped criminals bypass the slippage check on Vee Finance, forcing the system to approve erroneous transactions. That error caused a total loss of $34 million in different crypto tokens.

6. PancakeBunny: $45 Million

Lost: $45 million 

Date: 19/05/2021 

Type: Flash loan hack 

Most DeFi attacks of recent months occurred because the hackers were able to manipulate the exchange rates of particular tokens on the exchange, thus initiating swaps at erroneous prices. In the case of PancakeBunny, the hacker distorted the token price in the USDT/BNB and BUNNY/BNB pairs to extract value from the platform. The hacker used the system’s vulnerabilities to steal over 114,000 WBNB, which equaled $5 million at the time of the attack. 

7. bZx: $55 Million


Lost: $55 million 

Date: 5/11/2021

Type: Flash loan attack 

The hackers used a series of attacks, one with Tornado Cash and another one with ShapeShift, to conduct single atomic transactions and breach the system. The Tornado Cash attack affected 25 smart contracts and several protocols simultaneously (bZx, Compound, dYdx, Uniswap, and Kyber). The attackers used flash loans, but their aim was not to steal money with this technique but to create massive slippages in low-liquidity DEXs. The initial attack caused price slippage on Uniswap, while bZx used this DEX as the only price oracle. By reducing the value of sUSD with this manipulation, the hacker took two unbacked ‘underwater’ loans, forcing the platform to issue money to them to balance the loan and collateral. As a result of such price manipulations, the hackers went away with a total of $55 million in bZx users’ money. 
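Vee Finance and bZx above share one root cause: a slippage check measured against a single price source that an attacker could move within one transaction. The Solidity sketch below is an added example, not code from either project or from 4IRE; the IPriceSource interface, the GuardedPriceCheck contract and its deviation and staleness limits are assumptions made for the example. It requires two independent sources to be fresh and to agree within a bounded deviation before a trade’s execution price is checked, so a spike engineered on one DEX fails the check instead of passing through.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal price-source interface (an assumption for this example; real feeds
/// such as Chainlink aggregators expose a richer API).
interface IPriceSource {
    /// Price of the asset scaled to 1e18, and the timestamp it was last updated.
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

/// Validates a trade price against two independent sources before a leveraged
/// position is opened. Constructed example, not Vee Finance or bZx code.
contract GuardedPriceCheck {
    uint256 public constant BPS = 10_000;

    IPriceSource public immutable primary;    // e.g. an off-chain-fed aggregator
    IPriceSource public immutable secondary;  // e.g. a DEX time-weighted average price
    uint256 public immutable maxDeviationBps; // allowed gap between the two sources
    uint256 public immutable maxStaleness;    // seconds before a reading is rejected

    error StalePrice(address source);
    error SourcesDisagree(uint256 primaryPrice, uint256 secondaryPrice);
    error SlippageExceeded(uint256 quoted, uint256 reference);

    constructor(
        IPriceSource _primary,
        IPriceSource _secondary,
        uint256 _maxDeviationBps,
        uint256 _maxStaleness
    ) {
        primary = _primary;
        secondary = _secondary;
        maxDeviationBps = _maxDeviationBps;
        maxStaleness = _maxStaleness;
    }

    /// Returns a reference price only if both sources are fresh and agree.
    function referencePrice() public view returns (uint256) {
        (uint256 p1, uint256 t1) = primary.latestPrice();
        (uint256 p2, uint256 t2) = secondary.latestPrice();
        // A zero or stale reading from either source aborts the trade.
        if (p1 == 0 || block.timestamp - t1 > maxStaleness) revert StalePrice(address(primary));
        if (p2 == 0 || block.timestamp - t2 > maxStaleness) revert StalePrice(address(secondary));

        uint256 diff = p1 > p2 ? p1 - p2 : p2 - p1;
        // Deviation is measured against the smaller price so a spike in either
        // source trips the check.
        uint256 smaller = p1 < p2 ? p1 : p2;
        if (diff * BPS > smaller * maxDeviationBps) revert SourcesDisagree(p1, p2);
        return (p1 + p2) / 2;
    }

    /// Slippage check: the price a trade would execute at must stay within
    /// maxDeviationBps of the validated reference, not of one DEX spot quote.
    function checkSlippage(uint256 executionPrice) external view returns (uint256 reference) {
        reference = referencePrice();
        uint256 diff = executionPrice > reference
            ? executionPrice - reference
            : reference - executionPrice;
        if (diff * BPS > reference * maxDeviationBps) revert SlippageExceeded(executionPrice, reference);
    }
}
```

The point of the design is that an attacker now has to move two independently computed prices in the same direction within the same window, and a time-weighted secondary source cannot be moved meaningfully by one flash-loan-funded trade. The deviation bound also has to be tight enough to matter; a very permissive maxDeviationBps turns the second source into decoration.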

8. Badger DAO: $120 Million

Lost: $120 million

Date: 02/12/2021 

Type: Exploit 

The Badger DAO yield vault protocol suffered an attack worth $120 million. The attackers obtained malicious contract permissions, draining 2,100 BTC and 151 ETH from users’ balances within just a few minutes. Immediately after noticing the attack, Badger DAO’s security officials froze the vaults to prevent further fund leakage and investigated the source of the malicious permissions. Analysis of the hack showed that the security error was in the system’s UI, not in its core protocol’s architecture and smart contracts.


9. Cream Finance: $130 Million

Lost: $130 million 

Date: 03/08/2021 

Type: Exploit 

The flash loan hack is a type of attack involving the receipt of a non-collateralized loan due to token pair price manipulations. Hackers repeatedly used the flash loan vulnerability of Cream Finance’s architecture to drain funds from the system. The August attack was the largest in scale, resulting in a cumulative loss of $180 million. A prior flash loan attack happened in February, costing the company $38 million in user funds. 

10. Vulcan Forged: $140 Million

Lost: $140 million 

Date: 12/12/2021 

Type: Access Control 

The December attack on the crypto-gaming platform Vulcan Forged involved the theft of private keys from the system. With access to the wallet keys, the hacker broke into 96 wallets and stole 45 million PYR tokens together with some ETH and MATIC assets. The total damage from this attack amounted to over 23% of the game token’s circulating supply. 

11. Compound: $150 Million

Lost: $150 million 

Date: October 2021

Type: Exploit 

There is no exact date of the Compound attack because the funds’ leakage took place for an extended period, with more funds added to the affected vault even after the problem’s identification. 

A critical security error was identified and abused by hackers after a Compound update, allowing them to claim many more COMP tokens than they were entitled to. By calling a special function, drip(), users triggered a chain of actions that automatically distributed excessive COMP tokens to the wrong crypto addresses. 

The system detected the initial loss of $80 million, forcing the administrators to implement fixes. The system’s governance, however, required voting for the proposal, and the red tape contributed to the leakage of another $68.8 million. The loyal Compound community members returned more than half of the wrongly distributed tokens. 

12. Beanstalk: $182 Million


Lost: $182 million 

Date: 18/04/2022 

Type: Flash Loan 

The governance proposal contract of the company for its native $BEAN token had a 1-day delay in execution. Thus, the unknown hacker exploited this loophole to initiate a flash loan and get access to 70%+ of the platform’s total seeds. As a result of that attack, the hacker could manipulate 150,000,000 USDT, 32,000,000 BEAN, 500,000,000 USDC, and a range of other tokens. The total sum of Beanstalk’s damage equaled $181 million, making it the largest flash loan attack of all time. 
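The Beanstalk case above turns on governance that measured voting power at the moment of the vote, so tokens borrowed in a flash loan counted as votes. The Solidity sketch below is an added example and not Beanstalk’s governance code; the IVotes interface mirrors the shape of OpenZeppelin’s IVotes, and the SnapshotGovernor contract, its quorum rule and its timelock are assumptions made for the example. It reads balances from a block that is already final when the proposal is created and makes every proposal wait out a delay before execution, so a loan taken and repaid within one transaction carries no voting weight and cannot move funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Voting-power source with historical lookups (the shape of OpenZeppelin's
/// IVotes; treated here as an assumption about the governance token).
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

/// Governor sketch: voting power is read at a block that is already final when
/// the proposal is created, and execution waits behind a timelock.
/// Constructed example; not Beanstalk's code.
contract SnapshotGovernor {
    struct Proposal {
        uint256 snapshotBlock;  // block whose balances count; always in the past
        uint256 voteEnd;        // timestamp after which votes are closed
        uint256 executeAfter;   // earliest execution timestamp (timelock)
        uint256 forVotes;
        uint256 quorum;         // absolute votes required, fixed at creation
        bool executed;
        mapping(address => bool) hasVoted;
    }

    uint256 public constant BPS = 10_000;
    IVotes public immutable token;
    uint256 public immutable votingPeriod;   // seconds
    uint256 public immutable timelockDelay;  // seconds
    uint256 public immutable quorumBps;      // share of past total supply

    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    event Executed(uint256 indexed id);

    constructor(IVotes _token, uint256 _votingPeriod, uint256 _timelockDelay, uint256 _quorumBps) {
        token = _token;
        votingPeriod = _votingPeriod;
        timelockDelay = _timelockDelay;
        quorumBps = _quorumBps;
    }

    function propose() external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        // Balances from the previous block: tokens borrowed in this
        // transaction do not exist at the snapshot and cannot vote.
        p.snapshotBlock = block.number - 1;
        p.voteEnd = block.timestamp + votingPeriod;
        p.executeAfter = p.voteEnd + timelockDelay;
        p.quorum = token.getPastTotalSupply(p.snapshotBlock) * quorumBps / BPS;
    }

    function castVote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.voteEnd != 0 && block.timestamp <= p.voteEnd, "voting closed");
        require(!p.hasVoted[msg.sender], "already voted");
        p.hasVoted[msg.sender] = true;
        // Weight comes from the snapshot, never from the caller's live balance.
        p.forVotes += token.getPastVotes(msg.sender, p.snapshotBlock);
    }

    /// No emergency path: even a proposal that has reached quorum waits the
    /// full delay, giving token holders time to react before funds can move.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.voteEnd != 0 && block.timestamp > p.voteEnd, "voting open");
        require(block.timestamp >= p.executeAfter, "timelock active");
        require(p.forVotes >= p.quorum, "quorum not reached");
        require(!p.executed, "already executed");
        p.executed = true;
        emit Executed(id);
        // The proposal's actions would run here.
    }
}
```

Two properties matter here: the snapshot block is strictly earlier than the proposal’s own block, so no same-transaction balance change can count, and there is no shortcut around executeAfter. An emergency execution path that skips the delay reintroduces exactly the window the delay was meant to close.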

13. Wormhole: $326 Million


Lost: $326 million 

Date: 02/02/2022

Type: Exploit 

The Wormhole platform had a critical security loophole in its signature verification procedure, which enabled an anonymous hacker to forge the users’ signatures and conduct fake transactions on Solana, minting a total of 120,000 wrapped ETH (WeETH). The hacker minted WeETH without providing the required equivalent of Ethereum collateral. The platform’s parent company backed Wormhole by supplying the missing amount of WeETH for cross-chain bridge transactions, thus saving the system from crashing. 

14. OpenSea: $1.7 Million

Lost: $1.7+ million 

Date: 19/02/2022

Type: Phishing attack 

A large-scale attack was conducted on the OpenSea platform in February 2022, causing the loss of 254 NFTs worth a total of $1.7+ million. The hackers manipulated the official Discord channel of OpenSea by placing a phishing link on it. The post contained a fake announcement about a partnership between OpenSea and YouTube, and after clicking the link, users had their OpenSea accounts compromised. A careless contract bug let the hackers steal NFT property from dozens of users. The company’s further investigation revealed a weakness in the Wyvern Protocol that allowed the hackers to elicit user authorization for half-filled smart contracts and then fill in the blanks with their own wallets. 

15. Qubit DeFi platform: $80 Million

Lost: $80 million 

Date: 27/01/2022 

Type: Exploit 

As a result of a logical flaw in the smart contract design, a famous DeFi platform, Qubit Finance, lost over $80 million in user funds. The platform operated as a swap resource, allowing users to deposit funds in one currency and make withdrawals in a different currency within the Ethereum and BSC blockchains. The hackers conducted a dummy transaction with malicious code backed with no cryptocurrency and used the code’s errors to withdraw 206,000+ BNB in exchange for an empty deposit. 

16. Horizon Bridge: $100 million

Lost: $100 million 

Date: 22/06/2022 

Type: Exploit 

A recent DeFi attack that happened in June 2022 involves Harmony, a young startup that owns the Horizon bridge enabling frictionless asset transfers from the Ethereum network to BSC. The attack on Horizon was similar to the earlier hacks of the Ronin Network bridge and Wormhole. The details of the hack are still unknown, but the problem seems to relate to a “private key compromise,” as the bridge’s owners reported no critical errors in the smart contract code. Experts point out the weakness of the “multisig” wallet that requires only two signatures to approve a transaction. 
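The Wormhole and Horizon cases above are both failures of the same control: who may authorize a bridge message, and how many of them must agree. The Solidity sketch below is an added example, not code from Wormhole, Harmony or 4IRE; the GuardianQuorum contract, its Signature struct and the threshold rule are assumptions made for the example. It shows the checks a bridge-side verifier needs to get right at once: a recovery that cannot return a usable signer for a malformed signature, rejection of duplicate and non-guardian signers, a threshold that is a supermajority of the set rather than two keys, and replay protection so a validly signed message is honoured once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Verifies that a bridge message carries signatures from a quorum of a fixed
/// guardian set. Constructed example; not Wormhole's or Horizon's code.
contract GuardianQuorum {
    // Upper bound on s (the value OpenZeppelin's ECDSA library enforces):
    // rejects the second encoding of the same signature so one signer cannot
    // be presented twice under a different (r, s) pair.
    uint256 private constant S_UPPER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    struct Signature { uint8 v; bytes32 r; bytes32 s; }

    mapping(address => bool) public isGuardian;
    uint256 public immutable guardianCount;
    uint256 public immutable threshold;       // distinct guardian signatures required
    mapping(bytes32 => bool) public consumed; // replay protection per message digest

    constructor(address[] memory guardians, uint256 _threshold) {
        // A two-key quorum over a large set is the weakness called out above;
        // require a strict majority of the whole set instead.
        require(_threshold > guardians.length / 2 && _threshold <= guardians.length, "bad threshold");
        for (uint256 i = 0; i < guardians.length; i++) {
            require(guardians[i] != address(0) && !isGuardian[guardians[i]], "bad guardian");
            isGuardian[guardians[i]] = true;
        }
        guardianCount = guardians.length;
        threshold = _threshold;
    }

    /// Returns address(0) for any signature that is malformed, so a failed
    /// recovery can never be mistaken for a real signer.
    function _recover(bytes32 digest, Signature calldata sig) internal pure returns (address) {
        if (uint256(sig.s) > S_UPPER || (sig.v != 27 && sig.v != 28)) return address(0);
        return ecrecover(digest, sig.v, sig.r, sig.s);
    }

    /// Accepts `message` only if at least `threshold` distinct guardians signed
    /// it and it has not been processed before. Callers must order signatures
    /// by ascending signer address; one comparison then catches duplicates.
    function verify(bytes calldata message, Signature[] calldata sigs) external returns (bool) {
        require(sigs.length >= threshold, "too few signatures");
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", keccak256(message))
        );
        require(!consumed[digest], "message already processed");

        address last = address(0);
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = _recover(digest, sigs[i]);
            // address(0) means recovery failed; strict ordering enforces uniqueness.
            require(signer != address(0) && signer > last, "bad or duplicate signer");
            require(isGuardian[signer], "not a guardian");
            last = signer;
        }
        consumed[digest] = true;
        return true;
    }
}
```

Every signature in the array must pass, not merely `threshold` of them; accepting a mix of valid and invalid signatures as long as the count looks right is the kind of shortcut that lets a forged message through. On the operational side, a high threshold only helps if the guardian keys are held by independent parties on separate infrastructure, which is the lesson the Ronin and Horizon key compromises teach.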

17. Rari Capital: $80 million

Lost: $80 million 

Date: 30/04/2022 

Type: Exploit 

Rari Capital, a popular DeFi project that merged with Fei Protocol in December 2021, announced a hack detected by its monitoring system that cost the company $80 million. The hack became possible due to a critical vulnerability in the Fuse lending protocol that allowed the hackers to use a reentrancy trick to drain money from the network. After detecting the problem, Rari Capital froze all lending transactions and offered the hackers a $10 million bounty for returning the stolen funds.
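Reentrancy appears twice in this list, at Grim Finance and at Rari Capital’s Fuse protocol, so one worked example is placed here to serve both. The Solidity code below is an added example and not code from Grim Finance, Rari Capital or 4IRE; the VaultUnguarded and VaultGuarded contracts and their share formula are assumptions made for the example. The first contract shows the pattern that bites: shares are computed from a balance difference taken around an external token call, and nothing stops that call from re-entering deposit(). The second adds the reentrancy guard whose absence the Grim Finance write-up mentions, so any nested entry reverts and each deposited token is credited exactly once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// VULNERABLE (constructed illustration of the pattern, not either project's
/// code): shares are priced from a balance difference measured around an
/// external call, and nothing prevents that call from re-entering deposit().
contract VaultUnguarded {
    IERC20 public immutable want;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _want) { want = _want; }

    function deposit(uint256 amount) external {
        uint256 before = want.balanceOf(address(this));
        // External call. A token with transfer hooks can call back into
        // deposit() here; the tokens moved by every nested deposit are then
        // counted again by this outer call's balance difference, so the same
        // tokens mint shares more than once.
        want.transferFrom(msg.sender, address(this), amount);
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0)
            ? received
            : received * totalShares / before;
        totalShares += minted;
        shares[msg.sender] += minted;
    }
}

/// HARDENED: a reentrancy guard makes every nested entry revert, so the
/// balance difference can only ever reflect this single transfer.
contract VaultGuarded {
    IERC20 public immutable want;
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 _want) { want = _want; }

    function deposit(uint256 amount) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        want.transferFrom(msg.sender, address(this), amount);
        uint256 received = want.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        uint256 minted = (totalShares == 0 || before == 0)
            ? received
            : received * totalShares / before;
        totalShares += minted;
        shares[msg.sender] += minted;
    }
}
```

The guard is the cheap, general fix; it is also worth noting for review purposes that the guard only protects functions that carry the modifier, which is why an audit that reports a guard as “active” needs to confirm it is applied on every externally reachable path that touches the accounting, not just that the modifier exists in the codebase.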


How to Stop DeFi Hacks?

As you can see from the list above, DeFi hacks can be disastrous to any business’s reputation and stability. A major hack undermines the users’ trust and ruins the company’s standing in the market, making it next to impossible to recover. 

Remember that you’re responsible for your users’ assets, and a hack may leave your clients without their belongings. Thus, it is critical to pay attention to smart contract security throughout the development process, hiring a dependable blockchain development provider and conducting regular security checks throughout the project’s existence. Here are the most popular means of protecting a DeFi product from cybercriminals. 

Smart Contract Security Audits for DeFi

You can protect your DeFi product by conducting a smart contract audit before its launch, after updates, and during regular maintenance and code reviews. An audit company tests your smart contracts for all errors and issues a report with identified vulnerabilities and improvement recommendations. Audits help test your smart contracts for immunity to various attacks, like timestamp dependence, weak protocol code, and malicious external calls. 

Penetration Tests for DeFi

By organizing penetration tests, you can test your smart contracts’ immutability and hack immunity. The pen test can cover APIs, front-end and back-end servers, or smart contracts. It is a form of ethical hacking; in other words, a security audit firm organizes a controlled attack on your DeFi system to see whether it stands or cracks. You can enhance your firewall to anticipate real-life attacks based on the attack’s outcomes.


Conclusion

Security is a critical aspect of any DeFi project’s functioning. This industry still lacks sufficient regulation, which some consider a benefit and others consider a serious flaw. In security terms, the absence of regulatory oversight means no protection for abused users. Thus, the task of protecting funds and data lies solely with the providers of DeFi services.

When it comes to cyber-security, you can’t go overboard with safety measures. The list of large-scale cyber attacks we’ve analyzed in this article brings the typical vulnerabilities of blockchains to the spotlight. Use this data to evaluate the projects you want to join or improve the quality of your DeFi products.

FAQ

How can a smart contract audit help identify vulnerabilities and security flaws?

A smart contract audit is the golden standard of continuous security protection for any blockchain-based project. A series of automated and manual tests, such as penetration tests, unit tests, and timestamp dependency checks, uncover all security issues by analyzing the smart contract’s code logic and finding incorrect or missing coding. A comprehensive audit’s outcome is a set of security improvement recommendations that can resolve the detected problems and ensure the system’s reliable functioning.

Is it necessary to conduct regular smart contract audits?

A one-time check of smart contract code is not enough to ensure flawless operations and ultimate security. A smart contract audit is necessary before the project’s launch, after its full deployment, and after every more or less significant update. It is done to ensure that all aspects of the smart contract code function as they should and don’t have potential vulnerabilities and loopholes.

What should developers or project owners prepare before requesting a smart contract audit?

Proper preparation for the smart contract audit can save your project money, time, and nerves. You should collect all documentation on the project so that the auditors can assess the smart contract code logic and architecture before doing the audit. It’s also advisable to host the source code on a code repository where the audit team can access it safely. A basic round of debugging and code review will also be a good preparatory step to ensure that the system has no evident flaws. After these preparatory steps are finished, you can choose a reliable audit provider and give them access and permissions to your project’s code.

Can a smart contract audit guarantee complete security?

Unfortunately, even a well-performed smart contract audit can’t guarantee comprehensive security protection for your blockchain project. In some cases, you may suffer a zero-day vulnerability, which is a brand-new cyber threat no audit has taken into account before. Other threats may be connected not with the smart contract but rather with the blockchain network, bridge, or oracle used by clients for transactions. Human error also remains a huge uncertainty factor in smart contract design and operations; though smart contracts are self-executing and don’t require human interventions, the wrong design or incomplete coverage of the intended functions in the source code may cause their dysfunction. 

How can project owners or developers choose a reputable smart contract audit provider?

As soon as you need a smart contract audit, we recommend choosing the service provider based on the company’s experience and the methodology they use. Obviously, the budget you possess for this task also matters in the selection process, but we don’t advise choosing the cheapest option. You may end up with a superficial automated audit without thorough manual checks that may uncover more complex errors in the smart contract logic that an automated tool will most likely skip. It would help to consider the company’s reputation, the scope of blockchain technologies it covers, and the industries it specializes in.
