Top 17 Smart Contract Hacks in 2021-2022 Found by 4IRE
The DeFi space is quickly growing, attracting millions of adopters. The promise of Web 3.0 is privacy, freedom, democratization, and financial decentralization. These gains result from the absence of regulatory control by the governments and central banks.
But together with the desired lack of custody comes fertile ground for abuse, theft, and manipulation that attackers exploit. Loose regulation makes the protection of user data and funds the responsibility of every individual DeFi project. Unfortunately, not all of them are diligent enough about security. Thus, the number of breaches and hacks rises every year.
DeFi Vulnerability in Numbers
DeFi is an unsafe market in which millions of people have become victims of large-scale privacy breaches and thefts. In Q1 of 2022 alone, people lost over $682 million to hacks.
Over the past year, crypto fund owners and businesses lost $3.3+ billion as a result of hacker attacks and security breaches. Let’s look at the top 17 disasters crypto projects have experienced to see how smart contract errors can ruin everything.
Top 17 Biggest DeFi Hacks of 2021-2022
The 4IRE analyst team researched the crypto market in depth to compile the list of the most audacious crypto hacks of the past year. Here are the details.
1. Poly Network: $611 Million
Lost: $611 million
The attack on Poly Network was an audacious event that involved compromised smart contracts on three blockchains: BSC, Polygon, and Ethereum. The hacker exploited the security flaws of Poly’s unverified contracts to showcase the magnitude of the risk they created. The story ended happily, with the hacker returning the money and receiving an offer for the position of the company’s chief security consultant. The attacker declined the offer and remained anonymous, but helped Poly Network enhance its security.
2. Ronin: $552 Million
Lost: $615+ million
Ronin, the bridge that players of the world-famous NFT P2E game Axie Infinity use to move funds and assets to and from the game’s blockchain, suffered a dramatic DeFi hack this March. It uncovered a critical vulnerability in Ronin Bridge’s operations. In just two transactions, the system lost 173,000+ ETH and over 25 million USDC to an unknown hacker. The theft became possible due to the earlier compromise of Sky Mavis’s Ronin and Axie DAO validator nodes. Lazarus Group, later identified as the group responsible for the attack, exploited a security loophole in Ronin’s validator scheme to push through forged withdrawals.
3. Grim Finance: $30 Million
Lost: $30 million
Type: Exploit (reentrancy attack)
Grim Finance, a yield optimizer protocol, suffered a reentrancy attack that cost it $30 million. Through reentrancy, the hacker managed to inject a series of additional fake deposits into the system while the previous ones were still incomplete. The trick let the hacker release $30 million worth of Fantom tokens, exposing the absence of a reentrancy guard on the platform. The smart contract audit firm Solidity Finance had erroneously identified the guard as active.
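As an added illustration of the missing guard (a constructed example with hypothetical contract and function names, not Grim Finance’s code): the first vault lets a caller-supplied token address call back into the deposit path, so nested deposits are counted inside each outer call’s balance window; the second only ever calls its own token and rejects any nested call with a lock. The same guard principle applies to the reentrancy flaw cited for Rari Capital further down.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Constructed illustration with hypothetical names, not any project's code.
// Both vaults credit shares from the balance delta around a token transfer.
contract VulnerableVault {
    IERC20 public immutable want;
    mapping(address => uint256) public shares;
    constructor(IERC20 _want) { want = _want; }

    // Flaw 1: the caller chooses which contract transferFrom() is sent to, so a
    //         malicious "token" can call back into depositFor() mid-transfer.
    // Flaw 2: no reentrancy guard, so each nested call's transfer still lands
    //         inside every outer call's before/after window and is credited
    //         again at each level.
    function depositFor(address token, uint256 amount, address user) external {
        uint256 before = want.balanceOf(address(this));
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        uint256 received = want.balanceOf(address(this)) - before;
        shares[user] += received;
    }
}

contract GuardedVault {
    IERC20 public immutable want;
    mapping(address => uint256) public shares;
    uint256 private lock = 1; // 1 = free, 2 = a guarded function is running
    constructor(IERC20 _want) { want = _want; }

    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2;
        _;
        lock = 1;
    }

    // Only the vault's own token is called, and a nested call reverts, so the
    // delta can contain nothing but this single transfer.
    function deposit(uint256 amount, address user) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        want.transferFrom(msg.sender, address(this), amount);
        shares[user] += want.balanceOf(address(this)) - before;
    }
}
```

An audit should confirm the guard is actually applied to every state-changing entry point, not just that a `nonReentrant` modifier is defined somewhere in the codebase.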
4. Meerkat Finance: $31 Million
Lost: $31 million
Type: Exploit (reentrancy attack)
Meerkat Finance, a yield vault project forked from Yearn.Finance, was one of the Ethereum-native protocols operating on BSC. It was attacked one day after its official launch, losing $31 million in user funds. The hacker stole 73,000 BNB and $14 million BUSD by abusing privileged internal permissions in the smart contract. The exploit was later described as a test of the system’s safety, one that failed, showing that the platform could be breached with little effort.
5. Vee Finance: $35 Million
Lost: $35 million
Vee Finance is an Avalanche-based project that had critical vulnerabilities in its approach to slippage checks during leveraged trading. The hackers identified the protocol’s major error: using only one oracle, in this case Pangolin, for the traded asset’s price checks. The hackers created several new trading pairs and performed manipulative trades to distort the actual price of assets on Pangolin. These manipulations let the criminals bypass the slippage check on Vee Finance, forcing the system to approve erroneous transactions. That error caused a total loss of $34 million in various crypto tokens.
6. PancakeBunny: $45 Million
Lost: $45 million
Type: Flash loan hack
Most DeFi attacks of recent months occurred because the hackers were able to manipulate the exchange rates of particular tokens on a DEX and then trade at the erroneous prices. In the case of PancakeBunny, the hacker distorted the token price in the USDT/BNB and BUNNY/BNB pairs to extract value from the platform at the skewed rates. The hacker used the system’s vulnerabilities to steal over 114,000 WBNB, which equaled $5 million at the time of the attack.
7. bZx: $55 Million
Lost: $55 million
Type: Flash loan attack
The hackers used a series of attacks, one with Tornado Cash and another with ShapeShift, each conducted in a single atomic transaction, to breach the system. The Tornado Cash attack affected 25 smart contracts and several protocols simultaneously (bZx, Compound, dYdX, Uniswap, and Kyber). The attackers used flash loans, but not to steal money directly; the aim was to create massive slippage in low-liquidity DEXs. The initial attack caused price slippage on Uniswap, which bZx used as its only price oracle. By depressing the value of sUSD with this manipulation, the hacker took out two unbacked, ‘underwater’ loans, forcing the platform to issue funds to them to balance the loan against the collateral. As a result of these price manipulations, the hackers walked away with a total of $55 million of bZx users’ money.
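The single-oracle weakness behind both the Vee Finance and the bZx entries, as an added example (constructed, with hypothetical contract and interface names; not either project’s code): the first contract quotes a price straight from one AMM pair’s reserves, so a flash loan that skews those reserves skews every slippage check in the same transaction; the second cross-checks the DEX quote against an independent reference feed and reverts when the two diverge.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Uniswap V2-style pair interface (real signature); the feed interface is hypothetical.
interface IPair { function getReserves() external view returns (uint112, uint112, uint32); }
interface IPriceFeed { function latestPrice() external view returns (uint256); }

// Constructed example; hypothetical names, not Vee Finance's or bZx's code.
contract SpotPriced {
    IPair public immutable pair; // the ONLY price source
    constructor(IPair _pair) { pair = _pair; }

    // Price of token0 in token1, scaled by 1e18, read from the current reserves.
    // A large swap (e.g. funded by a flash loan) moves the reserves and therefore
    // this value within the same transaction, so a slippage check built on it
    // only compares the manipulated quote to itself.
    function price() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return (uint256(r1) * 1e18) / uint256(r0);
    }
}

contract CrossChecked {
    IPair public immutable pair;
    IPriceFeed public immutable reference;           // independent second source
    uint256 public constant MAX_DEVIATION_BPS = 300; // tolerate at most 3% disagreement
    constructor(IPair _pair, IPriceFeed _ref) { pair = _pair; reference = _ref; }

    function spot() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return (uint256(r1) * 1e18) / uint256(r0);
    }

    // Reject the trade when the DEX quote and the reference disagree by more than
    // the tolerance: manipulating one source alone can no longer pass the check.
    function checkedPrice() public view returns (uint256) {
        uint256 p = spot();
        uint256 ref = reference.latestPrice();
        uint256 diff = p > ref ? p - ref : ref - p;
        require(diff * 10_000 <= ref * MAX_DEVIATION_BPS, "price deviates from reference");
        return p;
    }
}
```

A time-weighted average price from the pair’s cumulative price accumulators is another common second source, since it cannot be moved within a single block.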
8. Badger DAO: $120 Million
Lost: $120 million
The Badger DAO yield vault protocol suffered an attack worth $120 million. The system was compromised through malicious contract permissions, draining 2,100 BTC and 151 ETH from users’ balances within just a few minutes. Immediately after noticing the attack, Badger DAO’s security team froze the vaults to prevent further outflows and investigated the source of the malicious permissions. Analysis of the hack showed that the security flaw was in the system’s UI, not in the core protocol’s architecture or smart contracts.
9. Cream Finance: $130 Million
Lost: $130 million
A flash loan attack involves taking an uncollateralized loan within a single transaction and using it to manipulate token pair prices. Hackers repeatedly exploited the flash loan vulnerability in Cream Finance’s architecture to drain funds from the system. The August attack was the largest in scale, resulting in a cumulative loss of $180 million. A prior flash loan attack in February had cost the company $38 million in user funds.
10. Vulcan Forged: $140 Million
Lost: $140 million
Type: Access Control
The December attack on the crypto-gaming platform Vulcan Forged involved the theft of private keys from the system. With the wallet keys in hand, the hacker broke into 96 wallets and stole 45 million PYR tokens along with some ETH and MATIC. The total damage amounted to over 23% of the game token’s circulating supply.
11. Compound: $150 Million
Lost: $150 million
Date: October 2021
There is no exact date for the Compound attack because the funds leaked over an extended period, with more funds added to the affected vault even after the problem had been identified.
A critical security error introduced by a Compound update was identified and abused by attackers, allowing them to claim far more COMP tokens than they were entitled to. By calling a specific function, drip(), users triggered a chain of actions that automatically distributed excess COMP tokens to the wrong addresses.
The initial loss of $80 million was detected, forcing the administrators to implement fixes. The system’s governance, however, required a vote on the proposal, and the resulting delay contributed to the leakage of another $68.8 million. Loyal Compound community members returned more than half of the wrongly distributed tokens.
12. Beanstalk: $182 Million
Lost: $182 million
Type: Flash Loan
The governance proposal contract for the company’s native $BEAN token had a 1-day execution delay. The unknown hacker exploited this loophole, using a flash loan to gain control of 70%+ of the platform’s total seeds. As a result, the hacker was able to move 150,000,000 USDT, 32,000,000 BEAN, 500,000,000 USDC, and a range of other tokens. Beanstalk’s total damage equaled $181 million, making it the largest flash loan attack of all time.
13. Wormhole: $326 Million
Lost: $326 million
The Wormhole platform had a critical security loophole in its signature verification procedure, which enabled an anonymous hacker to forge signatures and submit fake transactions on Solana, minting a total of 120,000 wrapped ETH (WeETH). The hacker minted WeETH without providing the required equivalent of Ethereum collateral. The platform’s parent company backed Wormhole by supplying the missing amount of WeETH for cross-chain bridge transactions, saving the system from collapse.
14. OpenSea: $1.7 Million
Lost: $1.7+ million
Type: Phishing attack
A large-scale attack was conducted on the OpenSea platform in February 2022, causing the loss of 254 NFTs worth a total of $1.7+ million. The hackers abused OpenSea’s official Discord channel by posting a phishing link there. The post contained a fake announcement of a partnership between OpenSea and YouTube, and users who clicked the link had their OpenSea accounts compromised. A careless contract bug then let the hackers steal NFTs from dozens of users. The company’s further investigation revealed a weakness in the Wyvern Protocol that allowed the hackers to obtain user authorization on half-filled contracts and then fill in the blanks with their own wallets.
15. Qubit DeFi platform: $80 Million
Lost: $80 million
As a result of a logical flaw in its smart contract design, the well-known DeFi platform Qubit Finance lost over $80 million in user funds. The platform operated as a swap resource, allowing users to deposit funds in one currency and withdraw in a different currency across the Ethereum and BSC blockchains. The hackers conducted a dummy transaction with malicious code backed by no cryptocurrency at all and used the code’s errors to withdraw 206,000+ BNB in exchange for an empty deposit.
16. Horizon Bridge: $100 million
Lost: $100 million
A recent DeFi attack, in June 2022, involved Harmony, a young startup that operates the Horizon bridge for frictionless asset transfers from the Ethereum network to BSC. The attack on Horizon was similar to the earlier hacks of the Ronin Network bridge and Wormhole. The details of the hack are still unknown, but the problem appears to relate to a “private key compromise,” as the bridge’s owners reported no critical errors in the smart contract code. Experts point to the weakness of the “multisig” wallet, which required only two signatures to approve a transaction.
17. Rari Capital: $80 million
Lost: $80 million
Rari Capital, a popular DeFi project that merged with Fei Protocol in December 2021, announced a hack detected by its monitoring system that cost the company $80 million. The hack became possible due to a critical vulnerability in the Fuse lending protocol, which allowed the hackers to use a reentrancy trick to drain money from the network. After detecting the problem, Rari Capital froze all lending transactions and offered the hackers a $10 million bounty for returning the stolen funds.
How to Stop DeFi Hacks?
As you can see from the list above, DeFi hacks can be disastrous to any business’s reputation and stability. A major hack undermines the users’ trust and ruins the company’s standing in the market, making it next to impossible to recover.
Remember that you’re responsible for your users’ assets, and a cyber-attack may leave your clients without their holdings. Thus, it is critical to pay attention to smart contract security throughout the development process, hiring a dependable blockchain development provider and conducting regular security checks throughout the project’s lifetime. Here are the most popular means of protecting a DeFi product from determined cybercriminals.
Smart Contract Security Audits for DeFi
You can protect your DeFi product by conducting a smart contract audit before its launch, after updates, and during regular maintenance and code reviews. An audit company tests your smart contracts for all errors and issues a report with identified vulnerabilities and improvement recommendations. Audits help test your smart contracts for immunity to various attacks, like timestamp dependence, weak protocol code, and malicious external calls.
Penetration Tests for DeFi
By organizing penetration tests, you can test your smart contracts’ resilience to attack. The pen test can cover APIs, front-end and back-end servers, or smart contracts. It is a form of ethical hacking; in other words, a security audit firm organizes a controlled attack on your DeFi system to see whether it stands or cracks. Based on the outcome, you can strengthen your defenses against real-life attacks.
Security is a critical aspect of any DeFi project’s functioning. This industry still lacks sufficient regulation, which some consider a benefit and others consider a serious flaw. In security terms, the absence of regulatory oversight means no protection for abused users. Thus, the task of protecting funds and data lies solely on the providers of DeFi services.
When it comes to cyber-security, you can’t go overboard with safety measures. The list of large-scale cyber attacks we’ve analyzed in this article brings the typical vulnerabilities of blockchains to the spotlight. Use this data to evaluate the projects you want to join or improve the quality of your DeFi products.
Blockchain and smart contracts were initially designed with robust security measures in mind. However, even well-secured smart contracts can become the object of hacker attacks, with cybercriminals targeting user assets and personal data. Hackers are always on the hunt for potential security loopholes and critical vulnerabilities. They have sophisticated tools and adapt their methods to new safeguards, so no smart contract can be considered 100% hack-proof.
Yes, smart contracts can be hacked in many ways, especially if the blockchain engineer creates a contract with bugs and security vulnerabilities from the start. Once deployed, a smart contract cannot be changed, so it is immutable and immune to manipulation. Still, there are many other ways to hack a blockchain; for instance, hackers use reentrancy to breach a blockchain or conduct a DAO attack on the system.
Statistics say that 1 in 20 smart contracts used in the digital space today is prone to hacking. This means that any user is at risk of running into a flawed smart contract and experiencing a cyber-attack. Over the past year, over 20 major cyberattacks took place in the crypto space. Since 2012, there have been 46 cryptocurrency exchange attacks, and many more attacks went unnoticed by the larger community. So, we can say that smart contract hacking is not a rare occurrence.
Notwithstanding the claims about blockchain technology’s immutability, end-to-end security, and stability, there are still ways to hack such systems. Criminals have devised many tricks to breach the blockchain’s security and steal money and data. This can be done by committing a 51% attack (overtaking the blockchain’s consensus majority by one person or group of people). Besides, errors in the code logic of smart contracts often cause theft and manipulations inside the blockchain.