2020, a year that everyone will remember for Covid-19 and its consequences, will also hold a special meaning for those immersed in the world of cryptocurrencies. Although over the last month the price of bitcoin (BTC) took center stage by reaching and exceeding its all-time high, the other thing that marked this year was the rapid expansion of decentralized finance (DeFi) protocols.
The eagerness to launch new DeFi services quickly sometimes outpaced the auditors and security teams. Many of these platforms, including some that had been audited, saw their defenses breached, and the funds deposited in their smart contracts passed into the hands of those who knew how to take advantage of flaws in the code.
Here are the 10 biggest thefts from DeFi platforms that occurred this year:
Opyn (USD 361,260)
On August 4, 2020, Opyn users learned that a vulnerability in the ETH Put contract had been exploited. The bug allowed the attacker to double-spend option tokens (called oTokens) and misappropriate the collateral deposited by some sellers of those options.
361,260 units of USD Coin (USDC), a cryptocurrency that maintains parity with the US dollar, were stolen. Because Opyn is a permissionless and decentralized protocol, the administrators, led by the platform’s founder, Zubin Singh Koticha, were unable to block access to the contracts once the vulnerability was detected.
To mitigate the losses, they immediately withdrew the liquidity they had deposited in the pools of the decentralized exchange Uniswap. They thus avoided a rapid devaluation of the tokens and offered to buy them back from their holders at a price 20% above market value.
Opyn remains in operation and, among other things, claims to offer protection against smart contract hacks.
Balancer (USD 450,000)
The decentralized exchange Balancer is in the «Top 10» of the well-known information site DeFi Pulse. But being one of the best-known and most-used platforms is no guarantee of security.
An attacker who used a smart contract to automate multiple actions in a single transaction managed to extract the equivalent of USD 450,000 in Wrapped Bitcoin (WBTC), Synthetix (SNX) and Chainlink (LINK) tokens, completely emptying the Balancer liquidity pools that held them. The event occurred in June 2020.
The hacker took flash loans from the decentralized exchange dYdX to obtain Wrapped Ether (WETH), which was then swapped for the STA token.
Because STA carries a 1% fee on every transfer, charged to the receiver, each time the attacker swapped WETH for STA the Balancer pool received 1% less than it accounted for, and its real liquidity shrank. When that liquidity was close to zero, the price of STA rose sharply and the attacker used it to acquire the WBTC, SNX and LINK in the pool at a very low price.
Mike McDonald, co-founder of Balancer, admitted he had not been aware that such an attack was possible. As a preventive measure, the team introduced a blacklist of tokens with transfer fees and had the platform audited again.
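As an added illustration (not Balancer’s code), this hypothetical Solidity pool shows the accounting mistake that fee-on-transfer tokens such as STA expose, next to the measure-what-actually-arrived check that closes it; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for the check.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical pool written for illustration only.
contract FeeAwarePool {
    IERC20 public immutable token;
    uint256 public recordedBalance; // what the pool believes it holds

    constructor(IERC20 _token) {
        token = _token;
    }

    // Naive pattern: trusts `amount`. With a fee-on-transfer token the pool
    // actually receives less than `amount`, so recordedBalance drifts above
    // the real balance and every later price quote is computed on a fiction.
    function depositNaive(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        recordedBalance += amount;
    }

    // Hardened pattern: measure the balance before and after the transfer and
    // credit only what really arrived, whatever fee the token deducted.
    function depositMeasured(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        recordedBalance += received;
    }

    // Invariant a monitor or test suite can assert: the ledger never claims
    // more than the token contract says the pool holds.
    function ledgerMatchesChain() external view returns (bool) {
        return recordedBalance <= token.balanceOf(address(this));
    }
}
```

A blacklist of fee tokens, as Balancer adopted, and the balance-delta check are complementary: the first keeps such tokens out, the second keeps the books honest if one slips in.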
Akropolis (USD 2,000,000)
On November 12, 2020, liquidity providers on the Akropolis platform received the news that 2,000,000 DAI (equivalent to the same amount in US dollars) had been withdrawn from the YCurve-SUSD pool.
The theft combined a reentrancy attack with a flash loan from the dYdX platform. As CriptoNoticias has explained, a reentrancy attack is one in which a function of a smart contract can be called again, repeatedly, before the previous invocation has finished executing.
The attacker withdrew the cryptocurrency several times. By the time the smart contract “realized” there was no balance left, it was too late.
Although the platform had been audited, the vulnerability was not detected during the code review. The auditing firm, CertiK, is the same one that audited bZx, a lending protocol that also appears on this list.
Value DeFi (USD 6,000,000)
While the USD 6 million theft from the Value DeFi platform was not the largest of the year, it is probably the most conspicuous: the hacker took pity on the pleas of two victims and returned part of the loot to them.
More precisely, the beneficiaries were a nurse who lost USD 100,000 (his life savings, he said) and a 19-year-old who claimed that the loss of USD 200,000 was causing him family problems. Even so, only 95,000 DAI in total was returned to the two of them.
The robbery occurred in mid-November. The attacker took a flash loan on the Aave platform for 80,000 ether (ETH), about USD 36 million at the time, and used part of it to buy 116 million DAI and 31 million USDT.
He then swapped 25 million DAI for the stablecoin mvUSD, 91 million DAI for USDC and 31 million USDT for 17 million USDC. These unusual operations, carefully planned by the hacker, distorted the prices and withdrawal logic in the DeFi protocol’s vault, which had not been audited.
Origin (USD 7,000,000)
As in the Akropolis case above, a reentrancy attack allowed an attacker to seize USD 7,000,000 from Origin, a stablecoin project. Of that amount, USD 1 million had been deposited by the company’s founders and employees, who had believed in and invested in the project.
The hacker managed to artificially inflate the token’s supply and swapped the newly minted tokens for Tether (USDT) on the decentralized exchanges Uniswap and SushiSwap. After the attack, the Origin Dollar (OUSD) token, designed to always be worth USD 1, could not hold its peg and its price plummeted 85% within hours.
The event, which occurred on November 17, did not stop the project. Origin, according to its developers, is «the first stablecoin that gets you a return while it’s still in your wallet». At the time of writing, the annual yield shown on its website is 0.00%.
Warp Finance (USD 7,700,000)
The attack on Warp Finance is the most recent in this selection. It happened on Thursday, December 17, just a day after lending was enabled on the platform.
The attacker requested a flash loan that exceeded the funds available as collateral, resulting in the loss of USD 7,700,000 in the stablecoins DAI and USDC. The attacker reportedly carried out the operation without any kind of impediment.
The Warp Finance team promised a full compensation plan for victims, to be completed before the end of 2020. It includes issuing and distributing a new IOU token to be used if not all of the DAI and USDC can be replenished. It was not stated what that token would be worth, whether it would be another stablecoin, or whether its value would be left to buyers and sellers.
bZx (USD 8,000,000)
The third attack suffered by bZx during the year, in mid-September, cost it the equivalent of USD 8,000,000, which represented 30% of the funds deposited in its smart contracts.
But, to the reassurance of users who continued to trust bZx despite its track record, their funds were not at risk this time. The attackers did not go directly for users’ money; instead they used vulnerabilities in the platform to generate “artificial money”.
Using the _internalTransferFrom() function of the protocol’s smart contracts, which had a bug, users could artificially double their token balance and then swap those tokens for others.
According to bZx, its smart contracts had been audited several times before this hack. This is a clear example that audits are no guarantee of safety on platforms of this kind.
Pickle Finance (USD 20,000,000)
“There are reports that our DAI PickleJar strategy has been exploited. We are actively investigating this matter and will provide further updates.” With this message on Twitter, on November 21, those with cryptocurrencies deposited in Pickle Finance learned that something was wrong.
Indeed, a hacker exploited vulnerabilities in the protocol (independently audited twice) to steal 20 million DAI through a reentrancy attack.
Even those who did not suffer the loss directly were affected, because the price of the Pickle governance token fell 50% in 24 hours.
Well-known bitcoiner and Morgan Creek Digital co-founder Anthony Pompliano gave his opinion on the incident: «Is anyone surprised at this point? Most of these DeFi projects are not audited, have no true governance and are not decentralized.» He added that it looks like an “ICO 2.0”, comparing the “DeFi mania” of 2020 with the huge expansion of initial coin offerings (ICOs) in 2017.
Harvest Finance (USD 24,000,000)
On October 26, 2020, the Harvest Finance protocol was hacked and, in just 7 minutes, USD 24,000,000 worth of cryptocurrencies were drained from its liquidity pools.
The protocol’s development team, which works anonymously, reported that the attack was carried out with flash loans. The perpetrator studied the vulnerabilities in the code and manipulated prices in order to drain the pool’s liquidity.
After the event, the price of the FARM governance token fell 65% in 24 hours. Although not a fork, this protocol closely resembles Yearn Finance.
Lendf.me (USD 25,000,000)
The No. 1 DeFi hack of 2020 goes to Lendf.me. On April 18, this Chinese lending platform suffered an attack in which cryptocurrencies worth the equivalent of USD 25,000,000 were stolen.
As CriptoNoticias reported, the theft was linked to a vulnerability related to Ethereum’s ERC-777 standard. The flaw appeared after Lendf.me integrated imBTC, an Ethereum token pegged to bitcoin that uses that standard, as collateral.
The vulnerability allowed the criminals to carry out the reentrancy attacks mentioned above. Using this technique, they withdrew funds from the liquidity pools before the balance was updated.
The platform is now shut down, the Lendf.me domain is for sale and the protocol’s social media accounts have been abandoned, with no updates since June.
For the curious and ambitious
These 10 examples show the general state of many decentralized finance protocols. The drive to profit from astronomical annual rates of return sometimes makes investors forget the common-sense rule of thumb: “If something seems too good to be true, it probably is.”
Innovation in DeFi is likely to bring many benefits to crypto users and the wider community. Many unbanked people could gain access to financial services, and unnecessary delays and avoidable fees could be eliminated. But there is still a long way to go.
For the curious and ambitious who are not put off by the examples given here, and who will keep putting their cryptocurrencies into the DeFi protocols that will continue to spring up everywhere, a reminder does not hurt: never invest more money than you are willing to lose.