Decentralized finance (DeFi) was created back in 2015, when the pioneer application, MakerDAO, allowed any crypto holders to take out loans in the DAI stablecoin. Years of steady growth followed and a palpable buzz around DeFi started to emerge in the crypto community, leading to the breakout year that was 2020.
According to DeFi Pulse, value locked up in DeFi protocols grew from roughly $700 million to $14.7 billion during this year. Most of the growth occurred in the latter half of the year, now known as the “DeFi summer”. But not everything went smoothly, as it is to be expected with experimental technologies, especially when said technology is severely tested – as was the case during the Black Thursday market crash in March
The recent boom also attracted the attention of many hackers and bad actors, who sought to take advantage of this new emerging trend. Although cryptocurrency cybercrime is down 60% this year, more than 21% of the volume of all crypto hacks came from the Defi space. In the first half of the year, DeFi was responsible for 45% of all thefts (47.7M), and those stats grew to 50% over the second half (51.5M).
The amount of DeFi hacks in 2019 were negligible, however, this year the amount stolen from these types of protocols has surpassed $100 million. The list below details the most serious cyberattacks on the DeFi space in 2020.
MakerDAO was hit the hardest during the Black Swan event. So much so that an emergency shutdown was even discussed at the time. As the price of Ethereum crashed during the ‘Black Thursday’ saga, the Ethereum network became heavily congested. Panic ensued among investors and bad actors started spamming the network, leading to oracles struggling to give updated prices and liquidation protocols not being able to keep up with liquidations.
Some users were able to exploit the protocol by liquidating some of their loans for free, leading to an $8.32 million loss. Investors have since grouped together and are now filing a lawsuit against MakerDAO for damages totalling $28 million.
Andre Cronje became famous in the cryptosphere for the creation of Yearn.Finance. The platform’s native token rocketed its way to nearly $42,000 in September, becoming the first cryptocurrency to surpass Bitcoin’s price per unit. A flock of investors gathered around Andre, following him to new projects, such was the case of gamified DeFi platform, Eminence.Finance.
The project did not have a website and was not officially live but that did not stop investors from pouring over $15 million into Eminence finance. The money was placed in an unsecured and untested beta contract, which was exploited only 3 hours after it went viral on Twitter.
Hackers ended up showing some benevolence in the end and returned $8 million of the stolen funds to Andre, which was then used to partially cover the user’s losses. Still, that didn’t spare him from receiving several death threats and getting sued.
bZx was the most exploited DeFi platform of the year, being the victim of 3 different cyberattacks. The first two attacks were consecutive, happening only four days apart during late February. Exploiting the interconnectedness of DeFi protocols instead of a flaw in the bZx protocol itself, these “flash attacks” allowed hackers to get away with $954,000 in stolen funds. By taking out flash loans, larger than they would be able to in normal conditions, hackers were then able to influence asset prices and drain the lending pool.
In September, the bZx platform suffered the third cyberattack when someone discovered a bug in the protocol. Roughly $8 million was stolen after the hacker was able to create iTokens for free – a token that needs to be backed by assets in order to be minted and rises in value as the lending pool grows. Fortunately, this last one has a happy ending as the bZx team was able to track down the hacker and retrieve the stolen funds.
Happening roughly a day before the dForce incident, the UniSwap exploit stems from the same vulnerability in Ethereum’s ERC777 token standard. It is estimated that the hacker got away with $300,000, accomplished by exploiting imBTC, a wrapped version of Bitcoin on Ethereum. The only losses came to those providing liquidity to the UniSwap tool, as the Bitcoins backing the imBTC were unaffected.
Lending protocol Lendf.Me, belonging to the Chinese dForce platform, was hacked on April 19. The attacker was able to steal $25 million by exploiting the same Ethereum vulnerability that caused the infamous DAO hack in 2016. After completely draining the money pool, the hacker had difficulties cashing out, which may have caused him to have a change of heart that led to returning $21 million of the stolen funds.
During a “flash attack” on October 26, hackers were able to realize the biggest DeFi heist of the year as $34 million was stolen from the Harvest.Finance protocol. The flash loans were used to manipulate the price of several stablecoins on decentralized exchanges (DEX), creating arbitrage opportunities and allowing hackers to buy more stablecoins than they should be able to under normal circumstances.
Many in the crypto community had already voiced their concerns about the centralization of the project before the incident. The anonymous founders of Harvest refused to give up control over the locked assets, which surmounted to over $1 billion before the hack.
The attackers have since returned approximately $2.5 million of the stolen funds. Not satisfied, the Harvest team is investigating the attackers and has even placed a $100,000 bounty for whoever finds them.
Akropolis was the victim of a “flash attack” on November 12. The hacker discovered a vulnerability in Akropolis smart contracts, enabling him to take out flash loans using a fake ERC-20 token.
Akropolis had to freeze its stablecoin pool and is now looking to reimburse investors and catch the perpetrator. The Akropolis team has already identified the Ethereum wallet the attacker used and notified all major cryptocurrency exchanges.
On November 14, just two days after the Akropolis incident, ValueDeFi became the next target of yet another “flash attack”. The team announced its updated feature on Twitter, the MultiStables Vault. However, less than 24 hours later, the feature was exploited and Value DeFi had been hacked. The update which, among other things, was supposed to increase security against flash loans, ultimately failed.
The attacker was able to manipulate prices in one of the vaults through a flash loan, which he then used to buy those same manipulated assets at a discounted price. The attack also took advantage of the fact that Value DeFi was using a centralized oracle, something they have since corrected by partnering up with Chainlink.
Inspired by Pickle Rick, an episode of the popular Rick and Morty tv show, Pickle.Finance is the most recent hack featured on the list. On November 22, an attacker was able to create what is called an evil jar, containing smart contracts that have the same interface as the original protocol jars. This allowed him to exchange between the 2 jars and steal an estimated $19.7 million.
As of late, flash attacks have definitely been the most popular method. This involves circumventing the loan mechanism, which in turn opens up multiple attack possibilities such as asset price manipulation.
Reentry attacks have also been used with quite some success. In the case of UniSwap and Lendf.me protocol, the reentry attacks were caused by vulnerabilities in Ethereum’s code, namely the ERC-777 token standard. Some suggest the problem does not lie with Ethereum itself, but rather with the combination of Ethereum’s code with the DeFi protocols’ code that inadvertently opens doors for exploits.
It is hard to say if it’s the hacker’s merit or the developer’s downfall whenever a bug is exploited. However, the same can’t be said for bad project management. Retaining centralized features for decentralized protocols creates vulnerabilities. This was the case with Harvest.Finance, where developers held control over the value locked in contracts, and Value DeFi. This has since been rectified.
Lastly, scams are to be expected in a similar fashion to the ICO craze of 2017. From pump and dump schemes, to exit scams, or even UniSwap scam tokens, some have even suggested that 99% of DeFi tokens are actually scams.
As we’ve seen, one needs to be careful threading the DeFi space. Due to its decentralized and anonymous nature, the DeFi market is a safe haven and easy target for scammers, hackers, and money launders. There is no regulatory framework to protect investors and the lack of security audits makes a hacker’s work much easier. Even though not all breaches resulted in permanent losses for investors, security is still a major concern.
Together with Hacken cybersecurity experts, we have prepared some advice for DeFi investors:
Decentralized Exchanges (DEX) are the perfect money-laundering machines, as they preserve the anonymity of its users, no KYC policies, and are unable to freeze any funds, unlike centralized exchanges. This was perfectly illustrated in the largest hack of the year, where KuCoin lost $218 Million to a hacker who was then able to launder the money through DEXs.
Vulnerabilities in smart contracts are also a big issue. One that is expected to continue, as there is a lack of expertise in the field of smart contract development and auditing, and that will definitely keep the hackers coming back for more. It is worth noting that DeFi is in its early stages of development. The issues stated above and others such as low liquidity, regulatory uncertainty, and high volatility are to be expected. Nevertheless, DeFi may have the potential to revolutionize the way people interact with financial services, a much-needed change from the legacy financial system.
Disclaimer: This material is not sponsored by any organization mentioned in the article.
Previously published at https://hacken.io/researches-and-investigations/biggest-defi-hacks-of-2020-report/
Create your free account to unlock your custom reading experience.