According to the Rekt leaderboard, the six biggest DeFi exploits in 2022 so far total $1.8 billion. In 2021 the total value stolen was $1.3 billion.
Every project and user feels these losses. Every type of DeFi protocol has been hacked, from DAOs to NFT marketplaces, but multi-chain bridges are the weak point. Security experts know common DeFi exploits like re-entrancy and have learned to defend against them; cross-chain exploits are still relatively new.
Notorious B.I.G. said, “Mo Money Mo Problems.” With an increasing number of investors throwing their money at DeFi protocols, and with the open source nature of DeFi, the space has become a buffet for black hat hackers, which raises the need for efficient security audits, bug bounty programs, and security training. Hacks will continue until there is an appropriate standardized defense for DeFi against novel attacks.
Hackers drained the Axie Infinity Ronin Bridge of $625 million, and no one noticed. The Ronin Bridge transfers assets between the Ronin chain and the Ethereum network. Attackers used stolen private keys to sign transactions from five of the nine validator nodes on the network, the minimum needed to approve deposit and withdrawal transactions. Four of those were compromised validator nodes controlled by Sky Mavis. In 2021, Sky Mavis had been granted access to the Axie DAO validator to sign off on transactions on its behalf. Axie never revoked this access, and the hackers used it for the fifth signature during their campaign. Sky Mavis claims the hack didn’t occur due to any technical shortcomings.
Axie has promised that the DAO will vote on future steps if the treasury cannot recover all the funds within two years. They have launched a $1 million bug bounty program to encourage disclosure of security issues, and Sky Mavis has increased the validator threshold to eight out of nine.
Wormhole is a DeFi cross-chain bridge enabling token transfers between crypto ecosystems. Hackers hacked the Solana-to-Ethereum bridge on February 2, 2022, and made off with $326 million. They exploited a vulnerability in the smart contract code to mint and cash out 120,000 wETH (wrapped ETH) without depositing collateral.
Before the hack, a bug-fixing update was made on the project’s GitHub but not deployed. The GitHub update didn’t explicitly say what it was for, but with the open nature of DeFi development, industrious hackers could figure out its purpose after reviewing the code.
The Wormhole team offered the hackers a $10 million bounty to return the stolen funds, sent as an on-chain message to the hacker’s wallet address. The Wormhole GitHub states they have had two audits, one in January before the hack and another in July. They are now running a $10 million bug bounty program. Jump Crypto, a venture capital firm and the parent company of Wormhole, bailed them out to keep the platform solvent.
Beanstalk, an Ethereum credit-based algorithmic stablecoin protocol, was hacked on April 17, 2022, for $182 million. Hackers used a flash loan to accumulate enough assets to control the stablecoin’s governance protocol. The attackers needed two out of three votes in the governance protocol, where voting power is based on donations made to the Beanstalk protocol’s Diamond contract.
The attackers got a supermajority of the governance votes using flash loans, giving them temporary authority to push their proposals through with an emergency commit and drain the funds. The malicious proposal went unnoticed for 24 hours before the act. One proposal the hackers authorized sent funds to a Ukraine donation address, and the rest the hackers kept for themselves after paying back the flash loans; by the end, they only had $76 million.
After the hack, Beanstalk offered 10% of the stolen funds to the hackers if they promised to return the remaining 90%. The hackers kept their loot. The team behind the protocol’s audit claims the hack was out of the scope of their initial audit.
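The Beanstalk pattern above comes down to one design choice: counting voting power from live balances at the moment of the vote, so tokens borrowed and repaid inside a single transaction count. The toy model below is an added example (not Beanstalk’s code; all names, numbers and methods are invented) that runs the same flash-loan vote against a DAO that reads live balances and against one that reads power from a checkpoint of the last finalized block.

```python
class Governance:
    def __init__(self, balances, snapshot_voting, timelock_blocks):
        self.balances = dict(balances)    # live token balances
        self.checkpoints = {}             # block number -> balances at block end
        self.block = 1
        self.snapshot_voting = snapshot_voting
        self.timelock_blocks = timelock_blocks
        self.proposals = []

    def advance_block(self):
        self.checkpoints[self.block] = dict(self.balances)  # finalize the block
        self.block += 1

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self):
        # Hardened mode reads power from the last finalized block, never live state.
        power = self.checkpoints[self.block - 1] if self.snapshot_voting else None
        self.proposals.append({"block": self.block, "power": power, "votes": {}})
        return len(self.proposals) - 1

    def _power(self, p):
        return p["power"] if self.snapshot_voting else self.balances

    def vote(self, pid, who):
        p = self.proposals[pid]
        p["votes"][who] = self._power(p).get(who, 0)

    def can_execute(self, pid):
        p = self.proposals[pid]
        if self.block < p["block"] + self.timelock_blocks:
            return False                  # timelock has not elapsed
        total = sum(self._power(p).values())
        return 3 * sum(p["votes"].values()) >= 2 * total  # >= 2/3 of supply


def flash_loan_attack(snapshot_voting):
    """Attacker owns 10 of 200 tokens; a lending pool holds 130 (constructed)."""
    gov = Governance({"alice": 30, "bob": 30, "attacker": 10, "pool": 130},
                     snapshot_voting, timelock_blocks=1)
    gov.advance_block()                   # block 1 finalized with honest balances
    pid = gov.propose()                   # malicious proposal submitted in block 2
    gov.advance_block()                   # timelock elapses; now in block 3
    gov.transfer("pool", "attacker", 130)  # same transaction: borrow ...
    gov.vote(pid, "attacker")             # ... vote with borrowed tokens ...
    passed = gov.can_execute(pid)         # ... attempt the emergency commit ...
    gov.transfer("attacker", "pool", 130)  # ... repay; no checkpoint ever sees it
    return passed
```

The timelock alone does not help, since the borrow, vote and commit all happen after it elapses; only the checkpointed power source makes `flash_loan_attack(True)` fail.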
In April, an independent researcher and blockchain dev @_apedev raised some concerns about Harmony multisig validations. By June, $100 million was magicked away. The bridge multisig used five validators, but only two were required. Hackers managed to access two private keys to initiate their attack on the bridge. They transferred the funds and approved their transactions. Harmony now requires four of the five validator keys to agree on transactions in response to the hack.
Nomad is a cross-chain protocol allowing users to send tokens between networks. The protocol fell victim to an exploit on 2 August 2022, and hackers got away with $190 million, becoming the fifth largest DeFi hack ever. Hackers could call a function that allowed them to process a transaction without proving the existence of funds.
What made this hack unique was that after the hackers siphoned the initial funds away, many copycats rushed in to repeat the exploit. About 41 addresses drained $152 million (~80%) of the stolen funds. Some hackers claimed to be white hats, and others had nefarious intentions, quickly sending funds to Tornado Cash. The Nomad team set up a wallet and requested that the stolen funds be sent there.
Qubit Finance is a DeFi cross-chain bridge between BSC (Binance Smart Chain) and ETH. It also offers lending capabilities. In January 2022, hackers managed to mint wrapped ETH valued at $80 million. Attackers inserted malicious data and withdrew tokens on BSC without depositing ETH. Qubit docs state that Peckshield and Theori audited its protocol and the underlying smart contracts.
Now Qubit is left negotiating with the hackers hoping they take the high road.
Multi-chain has become critical to DeFi, and interacting with it safely and efficiently is essential. DeFi users want to move funds between blockchains, but guardrails should be in place against hackers. Most of the hacks I outlined here are vulnerabilities found in bridges. Cross-chain infrastructure has many moving parts to secure. Auditing should be a continuous process, backed by large bug bounties. Security should be ongoing, and no matter how small a commit is, the development team should ensure it doesn’t interact negatively with the rest of the project.