Top 17 Smart Contract Hacks in 2021-2022 Found by 4IRE

The DeFi space is quickly growing, attracting millions of adopters. The promise of Web 3.0 is privacy, freedom, democratization, and financial decentralization. These gains result from the absence of regulatory control by the governments and central banks. 

But together with a desired lack of custody comes the fruitful ground for abuse, theft, and manipulation that many hackers use. Loose regulation makes the protection of user data and funds the responsibility of every separate DeFi project. Unfortunately, not all of them are diligent enough in security provision. Thus, the number of breaches and hacks rises every year. 

DeFi Vulnerability in Numbers

DeFi is an unsafe market where millions of people become victims of large-scale privacy breaches and thefts. Within Q1 of 2022, people lost over $682 million due to hacks.

Over the past year, crypto fund owners and businesses lost $3.3+ billion as a result of hacker attacks and security breaches. Let’s talk about the top 16 disasters that crypto projects experience to see how smart contract errors can ruin everything.

Top 17 Biggest DeFi Hacks of 2021-2022

The team of 4IRE analysts researched the crypto market deep and wide to come up with the list of the most audacious crypto hacks of the past year. Here are the details.

1. Poly Network: $611 Million

Lost: $611 million 

Date: 02/02/2022

Type: Exploit 

The attack on Poly Network was an audacious event that involved compromised smart contracts in three blockchains: BSC, Polygon, and Ethereum. The hacker exposed the security flaws of Poly’s unverified contracts to showcase the magnitude of risks it created. The story ended happily, with the hacker returning the money and getting a job offer for the company’s chief security consultant position. The violator refused the offer and remained anonymous, helping Poly Network enhance its security. 

2. Ronin: $552 Million

Lost: $615+ million

Date: 29/03/2022

Type: Exploit 

Ronin, a bridge that players of the world-famous NFT P2E game Axie Infinity use to move funds and assets from and to the game’s blockchain, experienced a dramatic DeFi hack this March. It uncovered a critical vulnerability of Ronin Bridge’s operations. Just within two transactions, the system lost 173,000+ ETH and over 25 million USDC to an unknown hacker. The theft became possible due to the earlier violation of Sky Mavis’s Ronin and Axie DAO validator nodes. Lazarus Group, later identified as the hacker community responsible for the attack, exploited a security loophole in Ronin’s decentralization validation system, thus completing fake withdrawals. 

3. Grim Finance: $30 Million

Lost: $30 million 

Date: 18/12/2021 

Type: Exploit (reentrancy attack) 

Grim Finance, a yield optimizer protocol, suffered a reentrancy attack costing it $30 million. As a result of a reentrancy attack, the hacker managed to feed a series of fake additional deposits in the system while the previous ones were still incomplete. The trick let the hacker release Fantom tokens for $30 million, thus exposing the absence of a reentrancy guard on the platform. The smart contract audit firm Solidity Finance erroneously identified the guard as active.

4. Meerkat Finance: $31 Million

Lost: $31 million 

Date: 04/03/2021 

Type: Exploit (reentrancy attack)

Meerkat Finance, a yield vault project that resulted from the fork of Yearn.Finance, represented one of the Ethereum-native protocols operating on BSC. It experienced a hacker attack one day after its official launch, suffering damage of $31 million in lost user funds. The hacker stole 73,000 BNB coins and $14 million BUSD due to smart contract hacking using specialized internal permissions. The exploit was further dubbed as a test of the system’s safety, which ultimately failed, showing that the platform can be violated hassle-free.

5. Vee Finance: $35 Million

Lost: $35 million 

Date: 21/09/2021 

Type: Exploit  

Vee Finance is an Avalanche-based project that had critical vulnerabilities in the approach to slippage checks during leveraged trading. The hackers identified the protocol’s major error – using only one oracle for the traded asset’s price checks. In that case, it was the Pangolin oracle. The hackers thus created several new trading pairs and performed several manipulative trades to distort the actual price of assets on Pangolin. These manipulations helped criminals bypass the slippage check on Vee Finance, forcing the system to approve erroneous transactions. That error caused a total loss of $34 million in different crypto tokens.

6. PancakeBunny: $45 Million

Lost: $45 million 

Date: 19/05/2021 

Type: Flash loan hack 

Most DeFI attacks of recent months occurred because of the hackers’ ability to manipulate the exchange rates of particular tokens on the exchange, thus initiating exchanges at erroneous prices. In the case of PancakeBunny, the hacker distorted the token price in USDT/BNB and BUNNY/BNB pairs to derive the unbalanced value from the platform. The hacker used the system’s vulnerabilities to steal over 114,000 WBNB, which equaled $5 million at the time of the attack. 

7. bZx: $55 Million

Lost: $55 million 

Date: 5/11/2021

Type: Flash loan attack 

The hackers used a series of attacks, one with Tornado Cash and another one with ShapeShift, to conduct single atomic transactions and breach the system. The Tornado Cash attack affected 25 smart contracts and several protocols simultaneously (bZx, Compound, dYdx, Uniswap, and Kyber). The attackers used flash loans, but their aim was not to steal money with this technique but to create massive slippages in low-liquidity DEXs. The initial attack caused price slippage on Uniswap, while bZx used this DEX as the only price oracle. By reducing the value of sUSD with this manipulation, the hacker took two unbacked ‘underwater’ loans, forcing the platform to issue money to them to balance the loan and collateral. As a result of such price manipulations, the hackers went away with a total of $55 million in bZx users’ money. 

8. Badger DAO: $120 Million

Lost: $120 million

Date: 02/12/2021 

Type: Exploit 

The Badger DAO yield vault protocol suffered an attack worth $120 million. The system was hacked with malicious contract permissions, resulting in a leak of 2,100 BTC and 151 ETH from the users’ balances within just a few minutes. Immediately after noticing the attack, Badger DAO’s security officials froze the vaults to prevent further fund leakage and investigated the source of malicious permissions. Analysis of the hack showed that the security error was in the system’s UI, not in its core protocol’s architecture and smart contracts.  

9. Cream Finance: $130 Million

Lost: $130 million 

Date: 03/08/2021 

Type: Exploit 

The flash loan hack is a type of attack involving the receipt of a non-collateralized loan due to token pair price manipulations. Hackers repeatedly used the flash loan vulnerability of Cream Finance’s architecture to drain funds from the system. The August attack was the largest in scale, resulting in a cumulative loss of $180 million. A prior flash loan attack happened in February, costing the company $38 million in user funds. 

10. Vulcan Forged: $140 Million

Lost: $140 million 

Date: 12/12/2021 

Type: Access Control 

The December attack on the crypto-gaming platform Vulcan Forged involved theft of private keys from the system. As a result of access to use wallet keys, the hacker managed to breach into 96 wallets and steal 45 million PYR tokens together with some ETH and MATIC assets. The total damage caused by this attack resulted in a loss of over 23% of the game token’s circulating supply. 

11. Compound: $150 Million

Lost: $150 million 

Date: October 2021

Type: Exploit 

There is no exact date of the Compound attack because the funds’ leakage took place for an extended period, with more funds added to the affected vault even after the problem’s identification. 

A critical security error was identified and abused by hackers after a Compound update, allowing them to claim many more COMP tokens than they were entitled to. By enacting a special function, drip0, the users activated a chain of actions triggering an automatic distribution of excessive COMP tokens to wrong crypto addresses. 

The system detected the initial loss of $80 million, forcing the administrators to implement fixes. The system’s governance, however, required voting for the proposal, and the red tape contributed to the leakage of another $68.8 million. The loyal Compound community members returned more than half of the wrongly distributed tokens. 

12. Beanstalk: $182 Million

Lost: $182 million 

Date: 18/04/2022 

Type: Flash Loan 

The governance proposal contract of the company for its native $BEAN token had a 1-day delay in execution. Thus, the unknown hacker exploited this loophole to initiate a flash loan and get access to 70%+ of the platform’s total seeds. As a result of that attack, the hacker could manipulate 150,000,000 USDT, 32,000,000 BEAN, 500,000,000 USDC, and a range of other tokens. The total sum of Beanstalk’s damage equaled $181 million, making it the largest flash loan attack of all time. 

13. Wormhole: $326 Million

Lost: $326 million 

Date: 02/02/2022

Type: Exploit 

The Wormhole platform had a critical security loophole in its signature verification procedure, which enabled an anonymous hacker to forge the users’ signatures and conduct fake transactions on Solana, minting a total of 120,000 wrapped ETH (WeETH). The hacked minted WeETH without providing the required equivalent of Ethereum collateral. The platform’s parent company backed Wormhole by supplying the missing amount of WeETH for cross-chain bridge transactions, thus saving the system from crashing. 

14. OpenSea: $1.7 Million

Lost: $1.7+ million 

Date: 19/02/2022

Type: Phishing attack 

A large-scale attack was conducted on the OpenSea platform in February 2022, causing the loss of 254 NFTs for a total price of $1.7+ million. The hackers manipulated the official Discord channel of OpenSea by placing a phishing link on it. The announcement contained a fake announcement about a partnership between OpenSea and YouTube, and after clicking the link, users had their OpenSea accounts compromised. A really mindless coin contract bug let hackers steal NFT property from dozens of users. The company’s further investigation revealed the weakness of Wyvern Protocol, allowing the hackers to elicit user authorization in half-filled smart contracts and then fill in the blanks with their wallets. 

15. Qubit DeFi platform: $80 Million

Lost: $80 million 

Date: 27/01/2022 

Type: Exploit 

As a result of a logical flaw in the smart contract design, a famous DeFi platform, Qubit Finance, lost over $80 million in user funds. The platform operated as a swap resource, allowing users to deposit funds in one currency and make withdrawals in a different currency within the Ethereum and BSC blockchains. The hackers conducted a dummy transaction with malicious code backed with no cryptocurrency and used the code’s errors to withdraw 206,000+ BNB in exchange for an empty deposit. 

16. Horizon Bridge: $100 million

Lost: $100 million 

Date: 22/06/2022 

Type: Exploit 

A recent DeFi attack that happened in June 2022 involves a young startup Harmony, the owners of a Horizon bridge that enabled frictionless asset transfers from the Ethereum network to BSC. An attack at Horizon was similar to the earlier hacks of the Ronin Network bridge and Wormhole. The details of the hack are still unknown, but the problem seems to relate to the “private key compromise,” as the bridge’s owners reported no critical errors in the smart contract code. Experts point out the weakness of the “multisig” wallet that uses only two signatures to enable the transaction. 

17. Rari Capital: $80 million

Lost: $80 million 

Date: 30/04/2022 

Type: Exploit 

A popular DeFi project Rari Capital, which merged with Fei Protocol in December of 2021, announced a hack detected by its monitoring system, costing the company $80 million. The hack became possible due to a critical vulnerability of the Fuse lending protocol, allowing the hackers to use a reentrancy trick to drain money from the network. After detecting the problem, Rari Capital froze all lending transactions and turned to the hackers with a $10 million bounty for returning the stolen funds.

How to Stop DeFi Hacks?

As you can see from the list above, DeFi hacks can be disastrous to any business’s reputation and stability. A major hack undermines the users’ trust and ruins the company’s standing in the market, making it next to impossible to recover. 

Remember that you’re responsible for your users’ assets, and a cyber-hack may leave your clients without their belongings. Thus, it is critical to pay attention to smart contract security throughout the development process, hiring a dependable blockchain development provider and conducting regular security checks throughout the project’s existence. Here are the most popular means of DeFi product protection from hefty cybercriminals. 

Smart Contract Security Audits for DeFi

You can protect your DeFi product by conducting a smart contract audit before its launch, after updates, and during regular maintenance and code reviews. An audit company tests your smart contracts for all errors and issues a report with identified vulnerabilities and improvement recommendations. Audits help test your smart contracts for immunity to various attacks, like timestamp dependence, weak protocol code, and malicious external calls. 

Penetration Tests for DeFi

By organizing penetration tests, you can test your smart contracts’ immutability and hack immunity. The pen test can cover APIs, front-end and back-end servers, or smart contracts. It is a form of ethical hacking; in other words, a security audit firm organizes a controlled attack on your DeFi system to see whether it stands or cracks. You can enhance your firewall to anticipate real-life attacks based on the attack’s outcomes.

Conclusion

Security is a critical aspect of any DeFi project’s functioning. This industry still lacks sufficient regulation, which some consider a benefit and others consider a serious flaw. In security terms, the absence of regulatory oversight means no protection for abused users. Thus, the task of protecting funds and data lies solely on the providers of DeFi services. 

When it comes to cyber-security, you can’t go overboard with safety measures. The list of large-scale cyber attacks we’ve analyzed in this article brings the typical vulnerabilities of blockchains to the spotlight. Use this data to evaluate the projects you want to join or improve the quality of your DeFi products.