Review of the Two Biggest DeFi Hacks in February 2023

Jude Abara
Coinmonks
8 min read · Mar 26, 2023


The year is young, but so far in 2023 hackers have stolen $119 million in crypto across 19 breaches, according to a new Crystal Blockchain report whose data runs from the Mt. Gox exchange hack in 2011 to Feb. 18, 2023.

The biggest DeFi hack so far this year was February’s exploit of Bonq DAO, a decentralized borrowing protocol. The attacker compromised the protocol’s smart contract and manipulated the price of AllianceBlock tokens, draining about $88 million of crypto out of the protocol.

The second-largest DeFi-related attack was on the Platypus Finance protocol, which issues the stablecoin USP. A flash loan attack in February led to the stablecoin depegging and a loss of about $9 million in user funds. Unlike many similar incidents, this one ended relatively well: the protocol was able to partly refund users, and investigators traced the hackers’ wallets to the Binance exchange, identified them, and arrested two people in France.

Table of Contents

  1. Bonq DAO Price Oracle Hack
  2. Platypus Finance Protocol flash loan attack

1. Bonq DAO Price Oracle Hack

The Polygon DeFi protocol BonqDAO fell victim to a price oracle hack caused by an error in its smart contract code. At around 18:30 CET on 1 February 2023, the BonqDAO lending protocol was exploited, with the attacker gaining access to ALBT Troves, where AllianceBlock’s native token was used as collateral. Around 113M ALBT tokens were illegally accessed before the hacker attempted to sell them on various exchanges.

The attacker exploited a bug in BonqDAO’s price feed smart contract. The bug allowed the exploiter to change the price of the $ALBT token and use it as collateral to borrow 100 million $BEUR stablecoins. The attack was enabled by a vulnerability inside the price feed smart contract that supplies the Bonq protocol with the ALBT price from the Tellor Oracle.

PeckShield explained that the exploiter was able to change the price through the updatePrice function of the oracle in one of BonqDAO’s smart contracts, which meant that they could manipulate the price of the wALBT token.

This triggered the exploitation of both wALBT and BEUR. The hacker then swapped about $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock the underlying ALBT.

@hackenhacker, an on-chain analyst and researcher, indicated that Bonq Protocol was exposed to an oracle hack, where the exploiter increased the $ALBT price and minted large amounts of $BEUR. The $BEUR was then swapped for other tokens on Uniswap.

Let’s take a close look inside the transaction.

Transaction Tracer (openchain.xyz)

The price of $ALBT was forcibly changed. Notice the second argument of the updatePrice call inside one of Bonq’s smart contracts: arg1=5000000000000000000000000000

With the $ALBT price raised, the attacker was able to mint millions of $BEUR essentially for free. While there was still liquidity on Uniswap, they swapped around 2 million $BEUR for $USDC, $DAI, $WALBT, $WETH, and $WMATIC. The hacker has already laundered more than 1,105 $ETH via Tornado.cash, locking in a gain of about $1.8M USD.
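To make the mechanism above concrete, here is an added Python model (not Bonq’s or Tellor’s code) of a price feed whose updatePrice accepts any caller and any value, beside a guarded feed that checks the caller and bounds the move per update; it then shows how much stablecoin the same collateral could mint before and after the forced price. The class names, the 0.10 starting price, the reporter address and the 110% collateral ratio are assumptions; the collateral amount and the forced value are the ones quoted from the trace.

```python
# Added example (not Bonq's or Tellor's code): a simplified price-feed model
# showing why an unrestricted updatePrice lets any caller inflate collateral
# value, beside a guarded feed with caller authorisation and a per-update
# deviation bound. Names, prices and the 110% ratio are assumptions.
from dataclasses import dataclass
WAD = 10**18  # 18-decimal fixed point, as used by most ERC-20 tokens

@dataclass
class UnrestrictedFeed:
    price: int  # stablecoin per ALBT, WAD-scaled
    def update_price(self, caller: str, new_price: int) -> None:
        self.price = new_price  # no caller check, no bound on the value

@dataclass
class GuardedFeed:
    price: int
    reporter: str                   # only this address may push updates
    max_deviation_bps: int = 1_000  # reject moves above 10% per update
    def update_price(self, caller: str, new_price: int) -> None:
        if caller != self.reporter:
            raise PermissionError("unauthorised price update")
        if new_price <= 0:
            raise ValueError("non-positive price")
        deviation_bps = abs(new_price - self.price) * 10_000 // self.price
        if deviation_bps > self.max_deviation_bps:
            raise ValueError(f"price moved {deviation_bps} bps, over limit")
        self.price = new_price

def max_borrow(feed, collateral_wad: int, min_ratio_bps: int = 11_000) -> int:
    """Stablecoin a trove may mint against collateral at the feed price."""
    value = collateral_wad * feed.price // WAD
    return value * 10_000 // min_ratio_bps

def demo() -> tuple:
    honest = WAD // 10                       # constructed: 0.10 per ALBT
    collateral = 113_800_000 * WAD           # the ~113.8M wALBT from the trace
    forced = 5_000_000_000_000_000_000_000_000_000  # arg1 seen in the trace
    open_feed = UnrestrictedFeed(honest)
    before = max_borrow(open_feed, collateral)
    open_feed.update_price("0xanyone", forced)  # accepted without any check
    after = max_borrow(open_feed, collateral)
    guarded = GuardedFeed(honest, reporter="0xreporter")
    try:
        guarded.update_price("0xanyone", forced)
        blocked = False
    except (PermissionError, ValueError):
        blocked = True
    return before, after, blocked
```

The deviation bound is a coarse control: a legitimate reporter could still walk the price up over many updates, so in practice it belongs next to a time-weighted price and monitoring of the reporter key.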

An independent analysis from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.

While the exploit played out over several transactions, the largest was $82.19 million at 6:32 pm UTC on Feb. 1, according to multichain portfolio tracker DeBank.

Most of the large transactions took place on the Polygon network. Currently, more than 98 million BEUR remain in the attacker’s account on Polygon with no liquidity to exit.

Aftermath of the Attack

Investors lost trust in the Bonq token ($BNQ) and started selling on hearing the news.

Bonq Euro ($BEUR) — a stablecoin pegged to the euro — fell to an all-time low of $0.15 on Feb 3. A drop of this magnitude is hardly recoverable for any stablecoin.

AllianceBlock Token ($ALBT) also took a major hit as collateral damage.

Lessons Learned from the Attack

BonqDAO serves as yet another confirmation of triple damage as a consequence of lagging security: direct loss + token price drop + diluted community trust. This hack underscores the importance of having a comprehensive smart contract audit by a professional auditor to have security measures against price oracle manipulation.

The BonqDAO hack was made possible by the lack of security measures in BonqDAO’s smart contracts against price oracle manipulation. The bug inside the price feed enabled the bad actor to change the price and mint Bonq’s stablecoin. In their case, a Polygon smart contract audit could have prevented the exploit.

Bonq is still looking for what to do next, whereas AllianceBlock announced an airdrop to substitute legacy tokens with newly minted tokens. Users must be especially careful as scammers push phishing scams before and during airdrops.

AllianceBlock also communicated another important development, claiming it would revise the scope of cooperation with less-known crypto projects.

The move underscores the importance of gaining industry trust for Web3 projects. Credible security certification is the battle-tested method of earning trust.

2. Platypus Finance Protocol flash loan attack

On Thursday February 16, 2023, Platypus Finance, a decentralized-finance (DeFi) protocol for stablecoins, was exploited via a flash loan attack, resulting in the total loss of approximately $9 million.

The exploit consisted of three consecutive attacks, according to the protocol’s post. The first and most severe drained a total of $8.5 million in stablecoins, including Circle’s USDC, Tether’s USDT, Maker’s DAI and Paxos’ Binance USD, from the protocol’s main pool.

The second attack mistakenly transferred $380,000 of stablecoins to lending protocol Aave. Platypus has submitted a proposal to Aave’s governance forum for the release of those assets.

Some $287,000 worth of assets were stolen in the third attack. The protocol considered the funds unrecoverable and lost, as the exploiter ran the stolen assets through crypto mixer Tornado Cash and encryption service Aztec Network, according to the post.

The flash loan attack caused Platypus Finance’s native stablecoin to fall to 48 cents from $1. The potential loss is $8.5 million, according to blockchain security firm CertiK.

Introduction to Platypus

Platypus Finance is a single-sided automated market maker (AMM) for stablecoins built on the Avalanche network and designed to optimize capital efficiency.

Vulnerability Assessment

The vulnerability occurred due to a logic error in the USP solvency check mechanism of their contract holding the collateral.

Steps

Step 1:

An attempt was made to analyze one of the attack transactions executed by the exploiter.

Step 2:

The flaw existed in the implementation of MasterPlatypusV4 contract, in which the emergencyWithdraw function incorrectly evaluated the insolvency before the removal of the collateral.

Step 3:

The exploiter initially took a flash loan of 44 million $USDC from AAVE and deposited it into the Platypus Finance Pool, thereby minting ~44 million LP-USDC.

Step 4:

The attacker then deposited 44 million LP-USDC to MasterPlatypusV4 as collateral in order to borrow 41.7 million USP from PlatypusTreasury.

Step 5:

This led to an insolvent debt position, which allowed an emergencyWithdraw of the 44 million LP-USDC from the MasterPlatypusV4 contract.

Step 6:

They then withdrew the 44 million $USDC deposited earlier from the Platypus Finance Pool, and swapped 8.75 million USP, Platypus’s stablecoin, into multiple assets consisting of $USDC, $USDC.e, $USDT, $USDT.e, $BUSD, and $DAI.

Step 7:

The swapped assets were kept as profit, while the flash loan was repaid to AAVE.

Funds Flow of Platypus’s Attack Transaction. Courtesy of BlockSec

Step 8:

At the time of this writing, the contract deployed by the attacker holds all the stolen assets, which are worth approximately $8.5 million.

Step 9:

The profits from the second attack transaction were $172,064, while yet another attack transaction netted them approximately $380,000.
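The steps above hinge on the ordering flaw named in Step 2: the solvency check ran while the collateral was still in place. The following added Python model (not Platypus’s code) reproduces that ordering beside the corrected one, replaying the 44M LP-USDC deposit and 41.7M USP borrow from the write-up; the class and method names, the 95% loan-to-value limit and the single-user setup are assumptions for illustration.

```python
# Added example (not Platypus's code): a simplified collateral manager whose
# emergencyWithdraw judges solvency BEFORE removing collateral, beside a
# corrected version that checks AFTER removal. Names are assumptions.
from dataclasses import dataclass, field
@dataclass
class Position:
    collateral: int = 0  # LP-USDC staked (whole tokens)
    debt: int = 0        # USP borrowed against it
@dataclass
class CollateralManager:
    check_after_removal: bool  # False reproduces the ordering flaw
    ltv_bps: int = 9_500       # at most 95% of collateral value as debt
    positions: dict = field(default_factory=dict)

    def is_solvent(self, user: str) -> bool:
        p = self.positions[user]
        return p.debt * 10_000 <= p.collateral * self.ltv_bps

    def borrow(self, user: str, amount: int) -> None:
        p = self.positions[user]
        if (p.debt + amount) * 10_000 > p.collateral * self.ltv_bps:
            raise ValueError("borrow would make the position insolvent")
        p.debt += amount

    def emergency_withdraw(self, user: str) -> int:
        p = self.positions[user]
        if not self.check_after_removal:
            # Flawed order: collateral is still in place, so the check passes
            # even though every token is about to leave and the debt stays.
            if not self.is_solvent(user):
                raise ValueError("insolvent")
            amount, p.collateral = p.collateral, 0
            return amount
        amount, p.collateral = p.collateral, 0   # apply the removal first...
        if not self.is_solvent(user):             # ...then judge the result
            p.collateral = amount                 # revert, like a failed tx
            raise ValueError("withdrawal would leave debt uncollateralised")
        return amount

def run(check_after_removal: bool) -> tuple:
    """Stake 44M LP-USDC, borrow 41.7M USP, then call emergency_withdraw."""
    m = CollateralManager(check_after_removal)
    m.positions["user"] = Position(collateral=44_000_000)
    m.borrow("user", 41_700_000)
    try:
        withdrawn = m.emergency_withdraw("user")
    except ValueError:
        withdrawn = 0
    return withdrawn, m.positions["user"].debt, m.positions["user"].collateral
```

With the flawed ordering the call hands back all 44M collateral and leaves 41.7M of debt backed by nothing; with the check moved after the state change the same call reverts. A unit test that asserts the post-withdrawal state, not just the pre-call state, is what catches this class of bug.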

Aftermath

The Platypus Finance team announced the occurrence of the incident and its root cause on Twitter. They stated that the hacked funds originated from the main pool, while funds in the other pools remained unaffected.

There were losses totaling 8.5M from the main pool. Right now deposits from users are covered up to 35% of their deposits. Funds in other pools are unaffected. The hacker has been contacted to negotiate a bounty in exchange for return of the funds.

According to the team, they are collaborating with third parties, including Binance, Tether, and Circle. The stolen USDT funds have been frozen, and Tether has blacklisted the attacker’s address.

They further mentioned that they are exploring options for compensation and reimbursement for affected investors.

Platypus Finance will repay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week, it said in a blog post Thursday.

The protocol also worked with crypto exchange Binance to confirm the exploiter’s identity. The hacker used a Binance account that went through know-your-customer checks for a withdrawal request. Platypus said it contacted law enforcement and filed a complaint in France.

Solution

One of the most effective ways to mitigate exploits arising from logic errors is to test the smart contract thoroughly at every level, including unit testing, integration testing and functional testing. This helps identify potential issues before the contract is deployed.

Additionally, many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to.

A team should also perform multiple security audits on their protocol to ensure that all potential vulnerabilities are identified and addressed in order to further secure the protocol.

Reference Sources: Platypus, Beosin, Crystal Blockchain, CoinDesk
