Learning from the Biggest DeFi Hacks of 2023

Natachi Nnamaka
Published in Rektify AI
52 min read · Feb 22, 2024

Introduction

For a while now, DeFi has emerged as a transformative force in the financial sector, promising transparency, efficiency, and inclusivity. However, the growth of DeFi has not been without its challenges, particularly in the form of security threats. In 2023 alone, there were numerous instances of hacks, leading to the whole space losing almost $2 billion. This showed that there are still problems to fix in the DeFi space.

These hacks took advantage of various weaknesses, such as flash loan attacks, manipulation of arbitrage bots, problems with the code, reentrancy flaws, poor access controls, and phishing scams. They made it clear that DeFi security is a big concern and that we need to learn from these mistakes.

This article is going to take a closer look at these major 2023 DeFi hacks and pull out some important lessons for improving DeFi security. We’ll look at the details of these attacks, figure out what went wrong, and spot any patterns or common problems. The goal is to understand why these attacks happened, identify what could lead to similar incidents in the future, and suggest ways to make DeFi safer.

Top 2023 DeFi hacks

Let’s dive into the biggest DeFi hacks of 2023, starting from the beginning of the year and ending in December. We’ll focus on the most eye-catching hacks and give them a thorough look.

January

January was a chaotic start to 2023 for DeFi protocols and projects, with several major hacks leading to significant financial losses. These attacks exploited a variety of vulnerabilities, from flash loan attacks and arbitrage bot manipulation to issues with vulnerable code logic, reentrancy flaws, inadequate access controls, and phishing schemes. The cumulative financial impact of these hacks emphasized the high stakes involved in DeFi security and the urgency of learning from these incidents. In the following section, we will delve into some of the specific attacks that transpired in January, dissecting the technical aspects and extracting crucial lessons for the future.

  • GDS Chain

GDS Chain is a public blockchain that aims to utilize blockchain technology to enhance value transmission and contribution distribution approaches for business applications. Its native token, GDS, is a BEP20 token deployed on the Binance Smart Chain.

On January 3, 2023, GDS Chain lost about $187,000 to a flash loan attack. The project's BSC lending pool was compromised, which led to an 84% drop in the price of the GDS token.

The root cause of the hack was a vulnerability in the settlementLpMining function of the GDS contract. This function calculates LP mining rewards based solely on the weight of LP tokens a user holds at the moment of settlement, without factoring in how long they have been held. As a result, an attacker was able to redeem more rewards than they were entitled to, draining liquidity from the GDS-USDT pair. The missing time component in the reward calculation is what made the exploit possible.
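To make the missing time term concrete, here is an added model (not GDS Chain's code) of weight-only versus time-weighted LP reward accounting; the class names, the 100-second epoch and the 9,900-token flash-loaned position are constructed for the illustration.

```python
"""Added illustration (not GDS Chain's code): two ways to account for LP-mining
rewards.  WeightOnlyMining pays out by current LP weight alone, so a position
borrowed for one block collects a full share.  TimeWeightedMining accrues
per LP-token-second (Synthetix StakingRewards style), so an instantaneous
position earns nothing.  All names and numbers are constructed for the model."""

PRECISION = 10**18


class WeightOnlyMining:
    """Vulnerable: claim pays reward_pool * weight / total_weight, no time term."""

    def __init__(self, reward_pool):
        self.reward_pool = reward_pool
        self.balances = {}

    def deposit(self, who, amount, now):      # `now` unused: time is ignored
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount, now):
        self.balances[who] -= amount

    def claim(self, who, now):
        total = sum(self.balances.values())
        payout = self.reward_pool * self.balances[who] // total
        self.reward_pool -= payout
        return payout


class TimeWeightedMining:
    """Hardened: rewards stream at a fixed rate; each account earns
    balance * (reward_per_token now - reward_per_token at its last checkpoint)."""

    def __init__(self, reward_pool, start, duration):
        self.rate = reward_pool // duration        # reward units per second
        self.end = start + duration
        self.last_update = start
        self.reward_per_token = 0                  # scaled by PRECISION
        self.total = 0
        self.balances, self.checkpoint, self.earned = {}, {}, {}

    def _accrue(self, who, now):
        now = min(now, self.end)
        if self.total > 0:
            elapsed = now - self.last_update
            self.reward_per_token += elapsed * self.rate * PRECISION // self.total
        self.last_update = now
        delta = self.reward_per_token - self.checkpoint.get(who, 0)
        self.earned[who] = self.earned.get(who, 0) + self.balances.get(who, 0) * delta // PRECISION
        self.checkpoint[who] = self.reward_per_token

    def deposit(self, who, amount, now):
        self._accrue(who, now)
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who, amount, now):
        self._accrue(who, now)
        self.balances[who] -= amount
        self.total -= amount

    def claim(self, who, now):
        self._accrue(who, now)
        payout, self.earned[who] = self.earned[who], 0
        return payout


def flash_loan_scenario(pool):
    """Honest LP stakes 100 tokens for the whole 100-second epoch; the attacker
    stakes 9,900 flash-loaned tokens at t=90 and claims in the same second.
    Returns (attacker_payout, honest_payout)."""
    pool.deposit("honest", 100, now=0)
    pool.deposit("attacker", 9_900, now=90)
    attacker_payout = pool.claim("attacker", now=90)
    pool.withdraw("attacker", 9_900, now=90)       # repay the flash loan
    honest_payout = pool.claim("honest", now=100)
    return attacker_payout, honest_payout


if __name__ == "__main__":
    print(flash_loan_scenario(WeightOnlyMining(reward_pool=1_000)))                # (990, 10)
    print(flash_loan_scenario(TimeWeightedMining(1_000, start=0, duration=100)))  # (0, 1000)
```

Under weight-only accounting the one-second position takes 99% of the epoch's rewards; under time-weighted accounting it earns nothing and the honest LP receives the full 1,000.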

  • Mycelium

Previously known as Tracer DAO, Mycelium specializes in providing data via its Mycelium Node and enables users to open leveraged long or short positions on digital assets through its Mycelium Perpetual Swaps derivatives exchange.

On January 7th, 2023, Mycelium’s ETH/USDT pool was attacked by arbitrage bots that detected an excessive spread in ETH prices on the platform and exploited it. The price discrepancy was linked to the Bitfinex API broadcasting highly volatile ETH/USDT trading pair prices around 2:45 AM AEST. The Mycelium pool suffered approximately $300,000 in losses.

Additionally, the IP address of the protocol was blacklisted by the Binance API component. This prevented Mycelium from rebalancing prices through independent feeds.

  • BRA Token

BRA is a token on BSC, traded on PancakeSwap. On January 10th, 2023, the BRA token suffered an exploit in which a hacker stole 819 WBNB, equivalent to about $225,000. The root cause was a logic flaw in the transfer function: when the sender and recipient were a matched pair, the function wrongly duplicated rewards, and the attacker called it in exactly that way. The BRA token subsequently lost 98% of its value.

  • LendHub

LendHub is a cross-chain DeFi lending platform. On January 12, 2023, the lending platform lost about $6,000,000 due to a vulnerability in their smart contract that was exploited by a hacker.

When LendHub updated its system, it rolled out a new version of its IBSV token but didn’t properly disable the old token. There ended up being two IBSV tokens that were both active in the market and identically priced.

The attacker(s) realized they could use the two token contracts separately and take advantage of how they differed. Using the old token, they minted and redeemed assets. Then they took out loans against the new token. With the tokens calculating liabilities differently, the hacker managed to steal about $6 million from the new token’s reserves.

LendHub learned the hard way that leaving old code hanging around during an upgrade can seriously backfire.

  • Midas Capital

Midas Capital, a DeFi lending platform, lost about $650,000 to an exploit on January 15, 2023. The hack happened because of a problem with how token prices were calculated when certain Curve pools were used as collateral.

The issue was read-only reentrancy: view functions that are not supposed to change contract storage return stale values when they are called from a callback that runs while the pool's storage is only partly updated. The hacker used flash loans to trigger such a callback and trick the smart contracts into incorrect price calculations.

  • Omm Finance

The OMM protocol is a cross-chain money market. The protocol lost about $1.9 million on January 21, 2023, due to a smart contract exploit. The attacker deployed a malicious contract and, over 18 transactions, drained IUSDC, USDS, and bnUSD collateral that wasn’t theirs. After supplying the stolen USDS as collateral, they took out sICX loans.

The root issue was in Omm’s Redeem function, which accepts an address for the collateral being returned. The hacker injected a harmful contract, letting them bypass normal supply procedures and steal other users’ collateral.

The hacker used Balanced to swap much of it, skewing bnUSD and stablecoins from their $1 pegs. They also bridged IUSDC to Ethereum and Polygon through Orbit. And finally, they cashed out ICX to centralized exchanges.

While hacking for profit may sound glamorous, it severely impacts innocent users and projects. Let’s hope Omm and others learn from this and prioritize patching risky code.

  • Azuki

On January 27, the Twitter account of Azuki, a nonfungible token (NFT) project, was compromised, resulting in hackers stealing more than $750,000 worth of USDC. The hackers used a malicious “wallet drainer link” disguised as a virtual land mint to carry out the attack.

Within just 30 minutes of the malicious links being tweeted, the hackers managed to steal $751,321.80 in USDC from a single wallet. Additionally, the hackers also stole $6,752.62 worth of USDC from multiple wallets holding 11 NFTs and over 3.9 Ether (ETH), valued at $2,217.

February

January 2023 was marked by chaos, and February continued in the same vein. DeFi platforms were heavily targeted, with significant amounts of funds lost to hackers. These attacks leveraged a multitude of vulnerabilities, including flash loan attacks, oracle issues, flaws in code logic, reentrancy flaws, and inadequate access controls.

These hacks showed just how serious the risks are in DeFi, and it’s important to learn from them. We’ll look at some of the specific attacks from February in more detail.

  • BonqDAO

BonqDAO is a non-custodial, over-collateralized lending protocol. It allows any project or protocol to borrow against their token at a zero interest rate. It is deployed on the Polygon blockchain.

BonqDAO and AllianceBlock fell victim to an exploit, resulting in losses of around $120 million. The attack targeted a smart contract within BonqDAO.

On February 1st, 2023, BonqDAO’s protocol suffered a severe exploit, resulting in a $120 million loss. The attack capitalized on a vulnerability in the price feed system, allowing the perpetrators to manipulate the value of the WALBT token. This enabled them to borrow an excessive amount of the protocol’s stablecoin (BEUR) beyond their authorized limit.

Within a brief two-minute window, the attackers executed another crucial manoeuvre. By manipulating the Oracle price downward, they triggered a cascade of liquidations across over 30 undercollateralized borrower positions. This move yielded the attackers a substantial loot of approximately 113 million WALBT, leaving BonqDAO with a significant financial loss.

  • Platypus Finance

On February 16, 2023, Platypus Finance, an Automated Market Maker (AMM) protocol operating on the Avalanche network, fell victim to a security hack. The attack resulted in an estimated loss of $8,500,887 (over $8.5 million).

The flaw exploited by the attacker was in the solvency check of the contract that holds collateral for USP, Platypus' stablecoin. This vulnerability was a logic error that allowed the attacker to borrow against flash-loaned collateral and then withdraw that collateral without repaying the debt.

The attack caused such significant damage that it led to the de-pegging of the Platypus USD stablecoin from the U.S. dollar, resulting in a 52.2% drop to $0.478 as of February 16.

  • Shata Capital EFVault

Shata Capital EFVault is a decentralized protocol that enables users to earn interest on their cryptocurrency holdings by providing liquidity. It operates on the Ethereum blockchain.

On February 24, 2023, an attacker exploited a vulnerability in the smart contract of the EFVault project, successfully draining $5.1 million from the protocol.

Approximately 27 days before the attack, the attacker made a 0.1 Ether deposit into the EFVault contract, acquiring a certain number of shares in the process.

The EFVault contract was upgraded before the attack, introducing new variables to key functions that were improperly configured. In the upgraded contract, the new redeem function read its value directly from a storage slot that, in the proxy (agent) contract's pre-upgrade layout, held a different variable. This miscalculation inflated the withdrawable assets computed by the redeem function. The hacker exploited this by calling the redeem function twice, profiting $3.43 million and $1.71 million, respectively.

The vulnerability stemmed from the fact that the initialize function of the newly implemented contract could not be called again after the upgrade, rendering it impossible to initialize the new variables.

Subsequently, the attacker converted all funds to ETH and transferred them to Tornado Cash.

  • dForce

dForce is a decentralized protocol offering a range of DeFi services, including assets, lending, and trading.

On February 10, 2023, the protocol experienced a significant loss of over $3.6 million due to a reentrancy attack. The hacker managed to steal funds by taking advantage of a vulnerability in a smart contract function related to calculating Oracle prices when connected to Curve Finance.

The vulnerability in question was a read-only reentrancy flaw. To exploit it, the attacker deposited flash-loaned funds and then withdrew their deposit. During this withdrawal, the attacker could exploit the reentrancy vulnerability, manipulating the perceived virtual price of the asset. By artificially lowering the virtual price, the attacker successfully liquidated positions held by other users in the wstETH/ETH pool, allowing them to siphon off funds.
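The Midas Capital and dForce incidents share the same read-only reentrancy shape, so here is one added model (not Midas, dForce or Curve code) of a Curve-style pool whose remove_liquidity sends ETH before burning LP tokens, a price consumer that reads get_virtual_price() from inside that callback, and a hardened consumer that refuses to quote while the pool's lock is held; the pool sizes, class names and simplified invariant are constructed for the illustration.

```python
"""Added model (not Midas, dForce or Curve code) of read-only reentrancy in a
Curve-style pool.  remove_liquidity sends ETH (running recipient code) before
it burns the LP tokens, so a consumer that reads get_virtual_price() inside
that callback sees balances already reduced against an LP supply not yet
reduced.  Names and numbers are constructed; the invariant is simplified."""

PRECISION = 10**18


class ReentrancyError(Exception):
    pass


class StableSwapPool:
    """Two-coin pool, coin 0 is native ETH.  Balances and LP supply in wei."""

    def __init__(self, balances, lp_supply):
        self.balances = list(balances)
        self.lp_supply = lp_supply
        self.locked = False          # the pool's nonreentrant lock

    def get_virtual_price(self):
        # Real pools compute D from the StableSwap invariant; for a balanced
        # pool D ~= sum of balances, which is enough to show the stale read.
        return sum(self.balances) * PRECISION // self.lp_supply

    def remove_liquidity(self, lp_amount, recipient):
        if self.locked:
            raise ReentrancyError("remove_liquidity is nonreentrant")
        self.locked = True
        share = [b * lp_amount // self.lp_supply for b in self.balances]
        for i, amount in enumerate(share):
            self.balances[i] -= amount
            if i == 0:
                recipient.receive_eth(amount)   # external call BEFORE the burn
        self.lp_supply -= lp_amount             # LP tokens burned last
        self.locked = False
        return share


class VulnerableOracle:
    """Prices LP tokens straight off the view function."""

    def __init__(self, pool):
        self.pool = pool

    def lp_price(self):
        return self.pool.get_virtual_price()


class HardenedOracle(VulnerableOracle):
    """Refuses to price while the pool's nonreentrant lock is held.  In a real
    Curve pool the lock is not readable; consumers instead call a cheap
    state-changing, nonreentrant pool function first so it reverts for them."""

    def lp_price(self):
        if self.pool.locked:
            raise ReentrancyError("pool mid-operation: virtual price is stale")
        return self.pool.get_virtual_price()


class Attacker:
    """Holds LP tokens; its ETH receive hook is where the stale read happens."""

    def __init__(self, pool, oracle):
        self.pool, self.oracle = pool, oracle
        self.observed = None       # price seen inside the callback

    def receive_eth(self, amount):
        try:
            self.observed = self.oracle.lp_price()
        except ReentrancyError:
            self.observed = None   # hardened consumer refused to quote

    def run(self, lp_amount):
        before = self.oracle.lp_price()
        self.pool.remove_liquidity(lp_amount, self)
        after = self.oracle.lp_price()
        return before, self.observed, after


def run_scenario(oracle_cls):
    """Balanced 1000/1000 pool with 2000 LP; the attacker removes half of it.
    Returns (price before, price seen inside the callback, price after)."""
    pool = StableSwapPool([1_000 * PRECISION, 1_000 * PRECISION], lp_supply=2_000 * PRECISION)
    return Attacker(pool, oracle_cls(pool)).run(1_000 * PRECISION)


if __name__ == "__main__":
    print(run_scenario(VulnerableOracle))   # middle value reads 25% below the true price
    print(run_scenario(HardenedOracle))     # middle value is None: the quote was refused
```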

  • Orion Protocol

On February 2, 2023, the Orion Protocol, a liquidity aggregator for both CeFi and DeFi exchanges, experienced a significant hack. The attack exploited a vulnerability known as a “reentrancy bug” in one of its smart contracts.

The hacker used a function called swapThroughOrionPool that allowed anyone with crafted tokens to hijack their transfer by re-entering the deposit asset function. This enabled the hacker to increase their balance without any actual cost of funds.

The attacker used a newly constructed token called ATK and a self-destructing smart contract to manipulate Orion's pools. The hack began on the Binance Smart Chain (BSC) with an initial fund of 0.4 BNB from Tornado Cash. Another part of the hack involved Ethereum and drew an initial fund of 0.4 ETH from SimpleSwap_io. After the hack, the hacker gained 1100 ETH, which they then deposited into Tornado Cash while keeping 657 ETH in their account.

The total amount stolen from the hack was over 1700 ETH, which was worth over $3 million at the time of the attack.

  • Dexible

Dexible, a decentralized exchange platform, announced on February 16, 2023, that Dexible v2 was live. Just a day later, they were already investigating a hacking attack on their v2 contracts. Michael, one of the co-founders of Dexible, sent a message on Dexible’s Discord, stating that all contract actions had been paused as the company investigated the situation.

Powers, another co-founder of Dexible, later provided additional information, stating that the vulnerability was specific to v2 and that impacted accounts had been granted an infinite allowance to the newest contracts. This allowed the hacker to steal funds from any wallet. As a result, all v2 contracts had been paused until the vulnerabilities could be patched and redeployed.

The Dexible team later disclosed that a total of 17 traders had been affected by the hack, with 4 on Ethereum and 13 on Arbitrum. The total stolen funds stood at $2,047,635.

March

March 2023 was a rough month for the DeFi (Decentralized Finance) world. Several big platforms got hit hard by hackers, causing a lot of money to disappear. These attacks used different ways to break into the systems, including flash loan attacks, problems with oracles, flaws in the code, and more.

We’ll look at some of the attacks that happened in March in more detail.

  • Euler Finance

In March 2023, Euler Finance, a decentralized lending protocol, suffered a significant hack. The attack was attributed to a pseudonymous whitehat hacker named Kankodu, who claimed that a fix he proposed inadvertently led to the hack.

Kankodu had previously identified the Euler “first deposit bug” in July 2022 and was awarded $50,000 for his discovery. He reported the bug because it could potentially allow attackers to artificially inflate exchange rates, enabling them to withdraw all tokens.

The fix for this bug introduced an additional function to Euler’s code, “donateToReserves,” intended to bolster reserves. However, this change unintentionally led to a larger vulnerability that was exploited for nearly $200 million.

The March 13 flash-loan attack on Euler resulted in a loss of nearly $200 million across multiple assets, including $136 million in staked ether, $34 million in USDC, $19 million in wrapped bitcoin, and $8.7 million in DAI.

Following the attack, Euler’s EUL token experienced a nearly 70% decrease in value, falling to $2.07. The attacker later returned $177 million in a series of transactions in March and April, accounting for the expected “recoverable funds” from the hack after adjusting for a bounty offered by the project.

  • Monkey Drainer

Monkey Drainer was a wallet drainer malware that became active in August 2022 and was involved in crypto phishing scams. According to Scam Sniffer’s report, Monkey Drainer managed to steal $16 million from 18,000 victims before its activities ceased in March 2023.

Monkey Drainer was part of a broader trend of phishing scams that increased in sophistication throughout 2023, causing nearly $300 million in losses from about 320,000 victims. These wallet drainers were deployed on phishing websites, which tricked users into signing malicious transactions and subsequently drained funds from their cryptocurrency wallets.

The trend of wallet drainers saw an alarming escalation in scale and speed, with some drainers like Inferno outpacing Monkey Drainer’s theft amount significantly in a shorter time frame. After ZachXBT exposed Monkey Drainer, it announced its shutdown after six months of operation.

Wallet drainer scams often coincide with significant crypto events, such as airdrops or security breaches, exploiting these occasions to maximize their impact. Drainers typically took a 20% fee for their services.

  • SafeMoon

On March 28, 2023, the Safemoon exchange, which operates on the BNB chain, experienced a security breach that led to nearly $9 million being siphoned from its liquidity pool. On-chain data confirmed that approximately $8.9 million worth of assets were moved from the liquidity pool.

The incident was facilitated by a “public burn bug” introduced in a recent update to Safemoon’s system. This bug allowed the hacker to burn a large portion of SFM tokens within the liquidity pool, which artificially inflated the price of the remaining SFM tokens. The attacker exploited this inflated price by first purchasing SFM tokens, then using the public burn bug to further increase their price, and finally selling the tokens back to the liquidity pool at the higher price, effectively draining the pool’s wrapped BNB (WBNB) in a single transaction. The total profit from this exploit was greater than $8.9 million.

  • TenderFi

TenderFi, a decentralized finance (DeFi) lending and borrowing platform, experienced a potential hack on March 7, 2023. The platform suspended all borrowing operations due to an “unusual amount of borrowing,” indicating a possible exploit.

A known hacker operating an externally owned account (EOA) beginning 0x896D gained approximately $1.58 million from the exploit. However, after investigations and attempts to contact the user, TenderFi discovered that the exploit had been carried out by a whitehat hacker. Even so, the exploit revealed significant vulnerabilities in TenderFi's system that needed immediate attention.

The incident caused a notable drop in the value of TenderFi’s token (TND), which declined from a 24-hour high of $3.77 to a seven-day low of $2.22. Despite the exposure, the company maintained that the hack was ethical, so there was no cause for alarm among users.

  • Hedera Token

Hedera, a public distributed network governed by 28 major corporations, was targeted by hackers, leading to the network being taken offline. The attackers targeted liquidity pools holding large amounts of tokens to enable trading on decentralized exchanges (DEXs), and some tokens were stolen.

The attack exploited the decompiling process in smart contracts, affecting many smart contracts rather than just one. The attackers used the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service tokens held by victims’ accounts to their account.

The hack occurred between March 9–11, 2023, during which around $600,000 was exploited from the Hedera ecosystem. An ecosystem-wide collaboration led to the pausing, remediation, and replenishment of all user funds.

The hacker used the Hashport bridge to send tokens to Ethereum. When the issue was flagged, Hedera, Stader, and SaucerSwap were notified. The Hedera DevOps team then shut off proxy access to the Hedera mainnet, preventing users from accessing the mainnet and the attacker from draining additional tokens.

The next day, a code change was made for Hedera, preventing a smart contract from using a delegate call to call a precompiled contract. Within hours of the network proxy access being turned on, all USDC/USDT and USDC/WHBAR user tokens were fully restored to user accounts. Pangolin replenished affected user funds with the support of the HBAR Foundation.

  • Poolz Finance

On March 15, 2023, Poolz Finance, a decentralized cross-chain Initial DEX Offering (IDO) platform, suffered a significant hack. The attack took advantage of an arithmetic overflow issue on the platform, allowing the hacker to drain funds from its smart contract.

The attacker exploited a vulnerability in the CreateMassPools function, which was intended to let users create pools in batches: it pulls in the initial liquidity and then creates each pool through the CreatePool function. The issue lay in the getArraySum function, which controls the amount pulled in by poolTransferInToken to fund the pools. It iterates through the startamount array and accumulates the values, but the sum overflowed uint256 and wrapped around, so the function returned a tiny total. CreatePool nevertheless used each startamount value as-is to record the pool attributes, allowing the attacker to deposit only 1 token while registering an extremely large startamount.
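The following added model (not Poolz code) shows the wrap-around in a getArraySum-style loop under unchecked uint256 arithmetic, the checked version that reverts instead, and a simplified CreateMassPools that pulls in the summed amount once but records each startamount in full; the amounts and the one-token attacker balance are constructed.

```python
"""Added model (not Poolz code) of the getArraySum / CreateMassPools pattern.
Under pre-0.8 Solidity semantics the running sum wraps modulo 2**256, so the
amount pulled in by transferFrom can be tiny while every pool still records
its full startAmount.  Checked arithmetic (Solidity >= 0.8 or SafeMath)
reverts instead.  Values are constructed."""

UINT256_MAX = 2**256 - 1


def get_array_sum_unchecked(values):
    """Wrapping addition, as an unchecked uint256 loop would do."""
    total = 0
    for v in values:
        total = (total + v) & UINT256_MAX
    return total


def get_array_sum_checked(values):
    """Checked addition: raise instead of wrapping."""
    total = 0
    for v in values:
        if total + v > UINT256_MAX:
            raise OverflowError("uint256 addition overflow")
        total += v
    return total


class Revert(Exception):
    pass


def create_mass_pools(start_amounts, sum_fn, caller_balance):
    """Model of CreateMassPools: pull sum(start_amounts) from the caller once,
    then record each pool with its own startAmount.  Returns
    (tokens_transferred_in, per_pool_recorded_amounts)."""
    amount_in = sum_fn(start_amounts)
    if amount_in > caller_balance:
        raise Revert("transferFrom: insufficient balance")
    pools = [{"start_amount": a} for a in start_amounts]
    return amount_in, [p["start_amount"] for p in pools]


def attempt(sum_fn):
    """Caller holds a single token and submits amounts whose sum passes 2**256.
    Returns the (amount_in, recorded) pair, or the name of the revert raised."""
    try:
        return create_mass_pools([2, UINT256_MAX], sum_fn, caller_balance=1)
    except (OverflowError, Revert) as e:
        return type(e).__name__


if __name__ == "__main__":
    print(attempt(get_array_sum_unchecked))   # (1, [2, 2**256 - 1]): 1 token in, huge pools recorded
    print(attempt(get_array_sum_checked))     # OverflowError: the batch reverts
```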

The attacker was able to make off with various tokens, including POOLZ, Ecio (ECIO), Adaswap (ASW), and World of Defish (WOD). They reportedly converted part of the loot into Binance Coin (BNB) but have yet to transfer it.

The multi-pronged attack happened on the Polygon blockchain and the Binance Smart Chain (BSC), and the hacker made off with more than $390,000 in multiple cryptocurrencies. Following the attack, the price of Poolz Finance’s native token, POOLZ, lost more than 93% of its market value.

April

April 2023 was a challenging period for DeFi, with several high-profile platforms getting hacked. These attacks used a variety of tactics, including flash loan attacks, Oracle issues, and flaws in the code. We will delve deeper into some of the attacks that took place during this time, examining how they unfolded and what steps were taken in response.

  • MEV-Boost

On April 2, 2023, a group of MEV bots operating on the Ethereum blockchain suffered a loss of over $25 million due to an attack.

The attacker, who was a validator, tricked some of these MEV bots by replacing their regular transactions with malicious ones, leading to the theft of their funds. The attacker likely set up “bait” transactions to attract the MEV bots. Once the bots interacted with these transactions, the attacker replaced them with new, harmful ones.

The attacker had put 32 ETH into a validator position 18 days before the incident. They probably waited until it was their turn to propose a block as a validator, which coincided with the attack. They then altered the block's contents, building a new one with their malicious transactions, which let them drain the funds.

In response to the incident, the developer of the primary MEV software used on Ethereum, known as MEV-Boost, introduced a fix to prevent such incidents from happening again. The fix involves instructing relayers, a trusted intermediary party between block builders and validators, to publish a signed block before transmitting its contents to a proposer. This step was previously missing and aims to reduce the likelihood of a malicious proposer within MEV-Boost proposing a block that deviates from what they received from a relay.

  • Bitrue

The Singapore-based cryptocurrency exchange Bitrue experienced a hack on April 14, 2023, that resulted in the loss of approximately $23 million in digital assets. The hackers were able to exploit one of Bitrue’s hot wallets, allowing them to withdraw assets worth approximately $23 million in various currencies such as ETH, QNT, GALA, SHIB, HOT, and MATIC.

The affected hot wallet contained less than 5% of Bitrue’s overall reserves, leaving the rest of the wallets secure and unaffected by the breach.

This is not the first time Bitrue has experienced a hack. In 2019, the exchange lost around $4.2 million in user assets due to a similar exploitation.

  • Yearn Finance

Yearn Finance, a yield aggregator on the Ethereum blockchain, was hacked on April 13, 2023, losing around $11.54 million. The hack happened because of a misconfiguration in the yUSDT vault: it pointed at the wrong Fulcrum token address instead of the intended one, which let the hacker mint enormous amounts of yUSDT tokens.

The attack process began with the attacker funding their wallet using Tornado Cash. They took a flash loan of 5M DAI, 5M USDC, and 2M USDT, and deposited these funds into the yUSDT contract. The attacker then redeemed yUSDT and withdrew all assets from the Aave V1 vault. They minted bZxUSDC and sent it to the contract, which increased the price of each share. The attacker triggered a rebalance, which led to the redemption of bZxUSDC into USDC, effectively reducing the value per yUSDT to zero. The attacker then deposited 1 wei of USDT to the yUSDT contract, allowing them to mint over 1 quadrillion yUSDT tokens. The yUSDT was swapped for USDT, USDC, and DAI in Curve pools. After paying back the flash loan, the attacker kept most of the stolen funds.

This hack could have been prevented if proper validation and confirmation of the Fulcrum address had been performed before deployment.

  • Hundred Finance

On April 15, 2023, Hundred Finance, a multi-chain lending protocol, lost around $7 million to attackers.

The hack was executed by manipulating the exchange rate between underlying ERC-20 tokens and hTOKENs, which are interest-bearing, tokenized representations of user deposits on Hundred Finance's platform.

The attack process began with the attacker donating a large amount of wrapped Bitcoin to the smart contract on Hundred Finance that determined the exchange rate between wrapped Bitcoin and Hundred Finance wrapped Bitcoin (hwBTC). This inflated the exchange rate, after which the attacker took out a large loan and was then able to get the amount they had donated back by redeeming a relatively small amount of Hundred Finance Wrapped Bitcoin.

The attacker was able to withdraw more tokens than they had deposited to Hundred Finance. The attacker flash-loaned 500 WBTC, then called the redeem function to redeem the 0.3 WBTC they had previously staked. Next, Attack Contract 1 sent 500.3 WBTC to Attack Contract 2. Contract 2 used 4 WBTC to mint 200 hWBTC, then called the redeem function to redeem the 4 WBTC; the 4 WBTC could be redeemed with fewer than 200 hWBTC, leaving a very small amount of hWBTC on Contract 2. Attack Contract 2 then sent 500.3 WBTC directly to the hWBTC contract and borrowed 1,021.91 ETH against the remaining 2 hWBTC. Finally, Attack Contract 2 repaid the earlier debt using 1 hWBTC and withdrew the 500.3 WBTC from the contract.
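Here is an added model (not Hundred Finance or Compound code) of a Compound-style hToken market whose exchange rate is cash divided by hToken supply, replaying the mint-4, keep-2, donate-500.3 sequence from the text; the class names, the 0.02 initial rate and the internal-ledger mitigation are assumptions of the model.

```python
"""Added model (not Hundred Finance or Compound code) of a Compound-style
hToken market whose exchange rate is cash / hToken supply.  When "cash" is
read from token.balanceOf(market), a plain transfer into the market inflates
the rate, so a sliver of hTokens left in a nearly empty market suddenly counts
as large collateral.  The hardened variant keeps an internal cash ledger that
only mint/redeem move.  Amounts are constructed in 8-decimal satoshi units."""

SCALE = 10**18
WBTC = 10**8       # one WBTC in its 8-decimal units
HTOKEN = 10**8     # one hWBTC; this model gives the hToken 8 decimals as well


class HTokenMarket:
    def __init__(self, internal_accounting=False, initial_rate=SCALE // 50):
        self.internal_accounting = internal_accounting
        self.initial_rate = initial_rate   # 0.02 underlying per hToken when empty
        self.token_balance = 0             # what token.balanceOf(market) returns
        self.cash = 0                      # internal ledger, moved only by mint/redeem
        self.supply = 0

    def _cash(self):
        return self.cash if self.internal_accounting else self.token_balance

    def exchange_rate(self):
        if self.supply == 0:
            return self.initial_rate
        return self._cash() * SCALE // self.supply

    def mint(self, amount):
        """Deposit underlying, receive hTokens (rounded down)."""
        tokens = amount * SCALE // self.exchange_rate()
        self.token_balance += amount
        self.cash += amount
        self.supply += tokens
        return tokens

    def redeem(self, tokens):
        """Burn hTokens, receive underlying at the current rate."""
        amount = tokens * self.exchange_rate() // SCALE
        self.supply -= tokens
        self.token_balance -= amount
        self.cash -= amount
        return amount

    def donate(self, amount):
        """Plain ERC-20 transfer to the market address, bypassing mint()."""
        self.token_balance += amount

    def collateral_value(self, tokens):
        """Underlying the market believes `tokens` hTokens are worth."""
        return tokens * self.exchange_rate() // SCALE


def donation_attack(market):
    """Replay of the pattern in the text on a constructed empty market:
    mint 4 WBTC -> 200 hWBTC, redeem all but 2 hWBTC, then transfer 500.3
    (flash-loaned) WBTC straight to the market.  Returns the collateral
    value the market now assigns to the remaining 2 hWBTC, in satoshi."""
    minted = market.mint(4 * WBTC)                 # 200 hWBTC at the 0.02 rate
    market.redeem(minted - 2 * HTOKEN)             # keep 2 hWBTC
    market.donate(5003 * WBTC // 10)               # 500.3 WBTC, not via mint()
    return market.collateral_value(2 * HTOKEN)


if __name__ == "__main__":
    print(donation_attack(HTokenMarket()) / WBTC)                          # 500.34 WBTC
    print(donation_attack(HTokenMarket(internal_accounting=True)) / WBTC)  # 0.04 WBTC
```

With balance-based cash, the 2 hWBTC left behind are valued at 500.34 WBTC of collateral and can back a large borrow; with the internal ledger the donation changes nothing and they remain worth 0.04 WBTC.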

After the hack, the attacker bridged most of the stolen funds to ETH, where centralized stables USDT and USDC were swapped or deposited into Curve.

  • Terraport Finance

Terraport Finance is a DeFi platform on the Terra Classic Network. It was hacked on April 10, 2023, leading to a loss of approximately $3.9 million. The hack was made possible due to a mathematical weakness in the algorithm used to calculate LP prices.

The attacker exploited this weakness by adding a small amount of liquidity to the protocol and then manipulating the LP share price. This allowed them to withdraw a large amount of liquidity.

Two pools were affected by the hack. The first pool was drained for 9,148,426 TERRA tokens, valued at approximately $1.8 million, and 15,100,861,997 LUNC tokens, worth $1.88 million. The second pool was drained for 576,736 TERRA tokens, valued at approximately $115K, and 5,487,381 USTC tokens, worth $117K.

  • Ovix

The OVIX protocol is a Polygon-based lending protocol. It fell victim to a major exploit that resulted in a loss of at least $2 million. The attacker manipulated the price of the vGHST token, a staking token for the Aavegotchi blockchain gaming project, to obtain substantial loans.

The attacker exploited the protocol using the vGHST token, initially borrowing stablecoins to gain access to the vGHST lending pool and the OVIX lending platform. This led to a significant increase in the value of the native token $GHST, with its value shooting up by as much as 24.7% in less than half an hour.

  • Merlin DEX

Merlin DEX, a decentralized exchange built on zkSync, suffered a hack on its liquidity pool on April 26, 2023, resulting in a loss of approximately $1.82 million. This incident occurred shortly after the platform’s public sale of its token went live.

One of the exploiters, identified as 0x2744, managed to withdraw around $850,000 worth of USDC tokens from the zkSync platform and bridge them to Ethereum. Another address, starting with 0x2744d62, also participated in the exploit, taking away $844,000 USDC.

Additionally, the exploiter sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.

This incident comes after a recent audit by Certik, which completed a re-audit of Merlin’s codebase’s security on April 24. According to Certik’s website, there were no critical findings in the audit report. Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management.

  • Sentiment

Sentiment, a decentralized finance (DeFi) lending platform, was hacked in April 2023. The attack resulted in the theft of nearly $1 million in various tokens, including wrapped Bitcoin and Ether.

The attacker exploited a reentrancy vulnerability to steal the tokens and then bridged them to the Ethereum chain. From within a fallback function, the attacker borrowed assets at a skewed price, which reduced demand but left the pool balances of Wrapped Bitcoin (WBTC), Wrapped Ether (WETH), and USD Coin (USDC) unchanged. This allowed the attacker to borrow a large amount of assets at the skewed price.

May

May 2023 experienced several hacks on high-profile platforms. These attacks used various strategies, including rug-pulling investors, exploiting technical flaws, flash loans, and manipulating governance systems. We will delve into four key incidents that transpired during this period, detailing the circumstances surrounding each and the responses that followed.

  • Fintoch

In May 2023, Fintoch, a popular online investment platform, rug-pulled its users for about $31.6 million. Fintoch claimed to be backed by Morgan Stanley, a well-known firm, and promised high daily returns of 1%. Morgan Stanley later stated that it had no involvement with Fintoch, casting doubt on the platform.

The people behind Fintoch set up a public sale and collected a lot of USDT in a special smart contract. When they collected enough USDT, they traded these tokens for USDT, causing the token’s price to drop dramatically. This left investors with useless tokens.

The people who did this tricked people into thinking they had a real CEO, Bob Lambert, who was an actor named Mike Provenzano. They used him to pretend that the platform was real.

The Monetary Authority of Singapore warned investors about Fintoch on May 4, 2023. On May 13, 2023, Fintoch held an event in Dubai to announce the launch of their token. But on May 22, 2023, the people behind Fintoch stole over 31 million USDT from the fundraising smart contract.

  • Jimbos Protocol

On May 28, Jimbos Protocol, an Arbitrum-based project, was hacked, costing the platform around $7.5 million in stolen Ether. The hack was made possible by a flaw in the project's smart contract, specifically a lack of slippage control. Without it, liquidity added to the protocol was allowed to sit in price ranges that did not need to be balanced.

The attackers started by creating a swap that was intended to upset the balance of a trading pair. They then used a shift function to push investments into the now-unbalanced pair. With a final reverse swap, they were able to take advantage of the imbalance they had created, extracting profits from the protocol.

Due to the absence of proper slippage controls, the attacker was able to steal $7.5 million from the newly launched protocol, causing the value of its token to drop by 40%. After the attack, the attacker moved their stolen funds to the Ethereum network using the Stargate bridge and Celer Network.

  • Deus Finance

On May 5, 2023, the Deus Finance protocol, which operates on the Ethereum Mainnet, Arbitrum, and BNB Chain, experienced a major hack. This incident was caused by an implementation error in the token contract, leading to the unauthorized burning and transfer of tokens.

Deus Finance is a protocol that acts as a peer-to-peer bilateral Over-The-Counter (OTC) infrastructure platform. It facilitates the on-chain trading of digital derivatives, options, and swaps. The stablecoin DEI is integral to its ecosystem, being used as collateral for various third-party financial instruments within the platform.

The core vulnerability that triggered the Deus Finance hack was a coding error within the DEI token contract. Specifically, the token's allowance mechanism was implemented incorrectly, which allowed an attacker to burn tokens from any holder's account without that holder's approval. The problem was in the contract's burnFrom function, where the two indices into the _allowances mapping were swapped. Consequently, the attacker could use an allowance they had granted to the victim, and therefore controlled, to burn tokens from the victim's address.

This flaw enabled the attacker to manipulate the allowances and extract tokens, resulting in a loss of over $5 million from Arbitrum, about $1.3 million from BNB Chain, and $135,000 from Ethereum.

The stolen funds were initially moved through various addresses, and some were returned following the hacker’s discussions with the Deus Finance team.
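The swapped-index defect in burnFrom, shown side by side with the correct form as an added Solidity example. This is a constructed minimal token, not the DEI contract; `burnFromVulnerable` is an assumed name used only to keep both variants in one contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20-style token carrying only what is needed to show the
// allowance-ordering defect. Constructed illustration, not the DEI contract.
contract AllowanceDemoToken {
    mapping(address => uint256) public balanceOf;
    // Canonical ERC20 layout: _allowances[owner][spender] = amount
    mapping(address => mapping(address => uint256)) private _allowances;
    uint256 public totalSupply;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
        totalSupply = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        _allowances[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }

    // VULNERABLE: indices swapped. This reads _allowances[msg.sender][account],
    // i.e. the allowance the CALLER granted to the victim. The caller sets that
    // value freely via approve(), so the check passes for any holder.
    function burnFromVulnerable(address account, uint256 amount) external {
        uint256 currentAllowance = _allowances[msg.sender][account];
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        _allowances[msg.sender][account] = currentAllowance - amount;
        _burn(account, amount);
    }

    // FIXED: the allowance that matters is what `account` granted to msg.sender.
    function burnFrom(address account, uint256 amount) external {
        uint256 currentAllowance = _allowances[account][msg.sender];
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        _allowances[account][msg.sender] = currentAllowance - amount;
        _burn(account, amount);
    }

    function _burn(address account, uint256 amount) internal {
        require(balanceOf[account] >= amount, "burn amount exceeds balance");
        balanceOf[account] -= amount;
        totalSupply -= amount;
    }
}
```

With the vulnerable variant, an account that calls `approve(victim, n)` and then `burnFromVulnerable(victim, n)` succeeds although the victim never approved anything; the fixed `burnFrom` reverts in the same scenario. A unit test that asserts exactly this revert is the cheapest regression check for any custom `burnFrom`/`transferFrom` implementation.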

  • Tornado Cash Governance

Tornado Cash, a decentralized protocol that allows for private transactions on Ethereum, was exploited on May 20, 2023, due to a vulnerability in its governance system. The governance system of Tornado Cash enables the community to vote on proposals, which, if passed, are executed and can change the protocol’s parameters.

The exploit occurred because an attacker was able to leverage the CREATE2 opcode for deterministic deployment and then used the self-destruct function to remove a legitimate proposal. After the legitimate proposal was removed, the attacker deployed a new malicious proposal contract to the same address with parameters that would grant them control over the governance system.

The malicious proposal looked similar to a previously passed proposal but included a self-destruct function that was executed to deploy new, malicious code to the proposal’s address. This malicious code, once executed via a delegate call, allowed the attacker to assign approximately 1.2 million votes to addresses they controlled, which outnumbered the existing 700,000 votes in the contract.

With control over the governance system, the attacker could take various actions, such as draining staked TORN tokens and manipulating the Tornado Classic Router contract to reroute deposits and withdrawals. They also compromised the Nova contracts. In total, the attacker stole approximately $2,173,500 from the protocol, laundering around 372 ETH through the Tornado Cash Router.
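One defensive check against the metamorphic-proposal trick described above, as an added Solidity example that is not Tornado Cash's governance code: the executor records the proposal contract's code hash when the proposal is created and refuses to execute if the code at that address has changed since. `Proposal`, `propose`, `execute`, `executeProposal()` and the two-day delay are assumed names and values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of a governance executor that pins the proposal
// contract's bytecode at proposal time. Not Tornado Cash code; names assumed.
contract CodehashPinnedGovernance {
    struct Proposal {
        address target;
        bytes32 codehash;   // extcodehash of target when the proposal was created
        uint256 eta;        // earliest execution time
        bool executed;
    }

    uint256 public proposalCount;
    mapping(uint256 => Proposal) public proposals;
    uint256 public constant DELAY = 2 days;   // assumed timelock

    event Proposed(uint256 indexed id, address target, bytes32 codehash);
    event Executed(uint256 indexed id);

    function propose(address target) external returns (uint256 id) {
        require(target.code.length > 0, "target has no code");
        bytes32 hash = target.codehash;
        id = ++proposalCount;
        proposals[id] = Proposal({
            target: target,
            codehash: hash,
            eta: block.timestamp + DELAY,
            executed: false
        });
        emit Proposed(id, target, hash);
    }

    // Voting is omitted; assume proposal `id` has passed. The defence is the
    // codehash comparison: if the target was selfdestructed and redeployed at
    // the same address with different bytecode (the CREATE2 pattern in the
    // text), the hash no longer matches and execution is refused even though
    // the address voters approved is identical.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(block.timestamp >= p.eta, "timelock not expired");
        require(p.target.codehash == p.codehash, "proposal code changed since vote");
        p.executed = true;
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal execution failed");
        emit Executed(id);
    }
}
```

The check costs one EXTCODEHASH per execution. Note that since the Cancun upgrade (EIP-6780) `selfdestruct` only removes code when called in the same transaction that created the contract, which narrows this attack on mainnet, but pinning the hash remains the correct guard for any chain or pre-Cancun fork where the old semantics still apply.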

June

In June 2023, a series of hacks affected various DeFi platforms, leading to substantial losses. These attacks leveraged a range of vulnerabilities, including flash loan attacks, Oracle issues, flaws in vulnerable code logic, reentrancy flaws, and inadequate access controls.

DeFi platforms were heavily targeted during this period, with some of the major attacks including Atomic Wallet, Pink Drainer, Atlantis Loan, Sturdy Finance, Midas Capital, and Themis Protocol.

We’ll delve deeper into some of the specific attacks in the following sections, examining each case in detail.

  • Atomic Wallet

In June 2023, Atomic Wallet suffered a significant security breach, known as the "June 3 hack". It was reportedly one of the largest hacks of the second quarter of 2023.

The hack resulted in a loss of over $100 million. The victims of the hack reported being blocked by the Atomic Wallet team on social media platforms like Reddit and having their posts removed.

Some victims were also unable to receive compensation for their losses. For example, a user named Steven E. lost $300 due to an extended exchange process that lasted nine hours. When he attempted to get compensation, Atomic Wallet valued Ether at half its actual price.

The Atomic Wallet team’s handling of the situation has been criticised. They have consistently published the same statement about the hack without providing any detailed information or statistics about the incident. This has led to accusations of the team covering up the extent of the hack and even stealing from its users.

  • Pink Drainer

The Pink Drainer is a hacking group that stole approximately $3 million in assets across various blockchain platforms. This criminal group executed their attacks by sending phishing links through compromised Discord accounts and tricking users into opening malicious websites and signing malicious signatures, which led to the loss of their assets.

The hacking incidents involved a large number of Discord and Twitter hacks, including high-profile victims such as the OpenAI CTO and Orbiter Finance. ScamSniffer’s analysis linked Pink Drainer to almost all Discord hacks in the preceding month, with the group having a total of about 1,932 victims across chains like Mainnet, Arbitrum, BNB, Polygon, and Optimism.

Pink Drainer employed social engineering to gain access to many projects. They impersonated well-known media outlets and ran a process of interviews ending in a "KYC authentication" step that delivered the Discord phishing. The attacks involved guiding Discord administrators to open a malicious Carl verification bot and convincing them to add bookmarks containing malicious JavaScript code, which stole the user's Discord token.

After successfully gaining access, the group took steps to extend their control: they eliminated other administrators, made the malicious account an administrator, and participated in actions that caused Discord to block the main account, making it difficult to remove phishing messages.

Among the notable victims was the address 0xf529127107c91bbf6c141304718491a437fb2f5f, which lost nearly $320,000 in NFTs, including Otherside Koda, BoredApeYachtClub, MutantApeYachtClub, and Otherdeed. The address that transferred the assets was resolved as pink-drainer.eth a few hours after the incident, which led to the group being named Pink Drainer.

  • Atlantis Loan

The Atlantis Loans hack occurred on June 7, 2023, causing a loss of approximately $2.5 million. Atlantis Loans was a lending protocol on the Binance Smart Chain (BSC) that was abandoned earlier in 2023. The hack was executed through a governance attack, taking advantage of the project’s abandoned status and limited attention.

The attacker designated themselves as the administrator of the token’s proxy contract. On June 7, 2023, the attacker initiated a harmful governance proposal within the GovernorBravo contract, which resulted in setting multiple ABep20Delegator contracts’ administrators as malicious contracts. The attacker was able to execute the proposal once the time lock expired. After a lockup period of 172,800 seconds, the malicious contract was appointed as the proxy contract administrator for all tokens. Subsequently, the attacker modified the ABep20Delegate implementation address to the contract containing the backdoor.

As a result of the project being abandoned, there were no user deposits left in the system, but there were still many users that had active approvals granted to the Atlantis Loans smart contracts. The attackers were able to drain over $2.5 million from these users by using the updated smart contracts to drain the approved funds.

  • Sturdy Finance

The Sturdy Finance hack occurred on June 12, 2023. It was a reentrancy attack that resulted in a loss of approximately 442 ETH, equivalent to $800k in value. Sturdy Finance is a decentralized finance (DeFi) lending protocol that allows lenders to earn yields from the farming profits that borrowers make.

The attacker exploited a vulnerability in the Balancer Vault, which was discovered in February 2023. The attacker used a flash loan of 110,000 ETH tokens to manipulate the price of B-wst-ETH, causing it to surge from approximately 1 ETH to 3 ETH. Then, the attacker used B-wst-ETH as collateral to borrow WETH from Sturdy Finance. The attacker executed this operation five times in a single transaction.

The attacker’s contract had a fallback method that was triggered when the liquidation process was nearing completion. Within this method, the attacker used their 233.348 B-wst-ETH as collateral. At this point, the price of B-wst-ETH skyrocketed to 3.008 ETH, allowing the attacker to easily secure collateral at 2.2 times their borrowed WETH.

The attacker’s strategy involved creating a new contract each time and draining the pool’s entire balance. As a result, Sturdy Finance’s contract had to liquidate the collateral to minimize losses. The attacker repeated this process until the pool’s balance was depleted.

This attack highlighted several vulnerabilities in Sturdy Finance’s contracts. The getAssetPrice function in SturdyOracle.sol was manipulated by the attacker to inflate the price of B-wst-ETH. The getRate function, which was called within the _get function, was found to be susceptible to this attack. During the withdrawal process, totalSupply() was not accurately calculated, leading to an artificially inflated price.

  • Midas Capital

On July 6, 2023, Midas Capital was hacked. The attacker exploited a rounding issue in the company's lending protocol, resulting in a loss of approximately $600,000. The attacker was able to manipulate the system to bypass the debt ceiling on borrowing ankrBNB collateralized by HAY/BUSD LP tokens.

The hacker initially supplied $689,000 worth of ANKR collateral and borrowed 115 ankrBNB (worth approximately $28,700) from the pool, which they supplied back from another contract. This action bypassed the debt ceilings on borrowing ankrBNB collateralized by HAY/BUSD LP Tokens.

Using the newly obtained collateral, the hacker borrowed a smaller amount of ANKR (around $13,500) to repay the flash loan fees. The hacker then redeemed the supplied $689,000 worth of ANKR, leaving $519,000 worth of collateral and $320,000 worth of debt in the pool.

The hacker chose to withdraw 519.13 LP tokens out of the currently held 259,826.61 LP tokens in the market due to a specific calculation. However, there was a bug in the system, causing the calculation to round down to just 1 wei instead of rounding up to 2 wei.

The hacker then performed self-liquidations. When the value of the partially damaged LP tokens reached approximately $30,000, they utilized 90.9 out of the 115 ankrBNB they had supplied to settle their outstanding debt. This self-liquidation process allowed them to take possession of the LP tokens and redeem them for the remaining value they held.

In response to the hack, Midas Capital locked the protocol, contacted the authorities, and sent the hacker a message for a bounty in exchange for the returned funds.

  • Themis Protocol

The Themis Protocol hack occurred on June 27, 2023, due to a price manipulation vulnerability, leading to a loss of approximately $365,000. The Themis Protocol is a decentralized, multi-chain-supported peer-to-peer lending and borrowing platform.

The attacker initiated a flash loan of 22,000 ETH from Aave, borrowed an additional 10,000 ETH from one Uniswap pool and 8,000 ETH from another Uniswap pool, and deposited the borrowed 22,000 ETH. In return, they borrowed DAI, USDT, USDC, ARB, and WBTC. The attacker then withdrew 55 ETH and created a new contract.

The 55 ETH was added to a Balancer pool, giving the attacker B-wstETH-WETH-Stable-gauge LP tokens. Using the corresponding pool on Balancer, they swapped WETH for wstETH. By manipulating the token quantities in the pool through the swap, the attacker could increase the LP token's price and subsequently borrow 317 ETH.

The attacker then repeated the cycle: they borrowed an additional 10,000 ETH from one Uniswap pool and 8,000 ETH from another, deposited the borrowed 22,000 ETH again, borrowed DAI, USDT, USDC, ARB, and WBTC in return, and afterwards withdrew 55 ETH and created a new contract.

The attacker's success came from their ability to artificially manipulate the price of the token through a flawed oracle. The incident highlights the importance of price oracle security for DeFi protocols. Using trusted price oracle services that aggregate price data from multiple sources and guard against manipulation can help mitigate such exploits.

July

July, the first month of the second half of 2023, saw many major hacks. These attacks exploited a variety of vulnerabilities, ranging from flash loan attacks and oracle issues to flaws in code logic, reentrancy, and inadequate access controls. Major DeFi platforms like Multichain, Vyper Compiler, CoinsPaid, Bald, Alphapo, Poly Network, and Eralend were among those heavily targeted.

This report will delve deeper into these specific attacks, providing a detailed analysis of each case.

  • Multichain

On July 6, 2023, MultiChain faced a significant hack that led to the unauthorized withdrawal of an estimated $126 million in digital assets.

The hack occurred through several token bridges, leading to a significant outflow of assets. The affected bridges included MultiChain’s Moonriver bridge contract, which saw $6.8 million in token outflows with nearly all its wBTC, USDT, USDC, and DAI going to a specific address. Another bridge, identified as MultiChain’s Dogecoin bridge, experienced over $600,000 in outflows of USDC.

One theory proposed for the hack involves a potential compromise of the private keys used to approve transactions travelling over the bridge. Given that the attack impacted multiple bridges and doesn’t appear to be related to vulnerabilities discovered during the project’s smart contract audits, this theory suggests that the private keys might have been compromised.

  • Vyper Compiler

On July 30, 2023, a critical vulnerability was identified in Vyper compiler versions 0.2.15, 0.2.16, and 0.3.0, affecting several DeFi protocols. The vulnerability was in the faulty reentrancy protection, which was supposed to stop smart contracts from being re-entered recursively. The reentrancy guard failed because it used a different storage slot depending on which function was using it, rendering the lock ineffective across functions.

The exploit involved the exploitation of certain Curve pools. The exploiter of these protocols called the add_liquidity and remove_liquidity functions interchangeably, thus bypassing the reentrancy guard. The decompiled Vyper Pools deployed contract code showed that different storage slots in stor_0 and stor_2 were used as reentrancy locks, thus rendering the reentrancy lock ineffective.

The exploit resulted in a total loss of approximately $73.5 million worth of assets. Following the incident, several MEV bots were reported to have front-run some of the exploits.
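Why a guard that uses a different lock per function fails, as an added Solidity illustration that is not Curve or Vyper code. The first contract hand-writes the per-function locks that the buggy compiler effectively emitted; the second uses one shared lock, which is what a reentrancy guard must do. `addLiquidity`/`removeLiquidity` and the share accounting are assumed names and a deliberately tiny model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration (not Curve or Vyper code) of why a reentrancy
// guard must share ONE lock across every guarded function.
contract PerFunctionLocksBroken {
    // Two separate locks, one per function: the same effect as a compiler
    // placing each @nonreentrant lock in a different storage slot.
    bool private _lockAdd;
    bool private _lockRemove;
    mapping(address => uint256) public shares;

    function addLiquidity() external payable {
        require(!_lockAdd, "reentrant");
        _lockAdd = true;
        shares[msg.sender] += msg.value;
        _lockAdd = false;
    }

    function removeLiquidity(uint256 amount) external {
        require(!_lockRemove, "reentrant");
        _lockRemove = true;
        // Interaction before effect: the ETH transfer hands control to the
        // caller while _lockAdd is still false, so addLiquidity() can be
        // re-entered even though removeLiquidity() is "locked". Alternating
        // the two functions is exactly how the text says the guard was bypassed.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        shares[msg.sender] -= amount;
        _lockRemove = false;
    }
}

contract SharedLockFixed {
    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private _status = UNLOCKED;   // single slot shared by all guarded functions
    mapping(address => uint256) public shares;

    modifier nonReentrant() {
        require(_status == UNLOCKED, "reentrant");
        _status = LOCKED;
        _;
        _status = UNLOCKED;
    }

    function addLiquidity() external payable nonReentrant {
        shares[msg.sender] += msg.value;
    }

    function removeLiquidity(uint256 amount) external nonReentrant {
        shares[msg.sender] -= amount;                 // effect first (checks-effects-interactions)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two independent defences appear in the fixed contract: the shared `_status` slot makes any re-entry into any guarded function revert, and ordering the state update before the external call means that even a broken guard would have nothing stale to exploit. Auditing a compiled contract for this class of bug means confirming that every guarded function reads and writes the same storage slot, which is how the storage-slot analysis of the affected pools identified the problem.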

  • CoinsPaid

CoinsPaid, a leading cryptocurrency payment provider, suffered a significant hack on July 22, 2023, that led to the theft of $37.3 million USD. The attack was suspected to be orchestrated by the Lazarus Group, a powerful hacker organization known for its sophisticated methods and large-scale attacks.

The attack was meticulously planned and involved tricking a critical employee into installing software to gain remote control of a computer, allowing the hackers to infiltrate and access CoinsPaid’s internal systems. The hackers spent six months studying and tracking CoinsPaid, employing tactics such as bribery, fake hiring, and social engineering to achieve their goals.

Once inside, the hackers leveraged a vulnerability in the cluster to open a backdoor. They then used this access to create authorized requests to withdraw funds from CoinsPaid’s hot wallets. Although the hackers could not breach the hot wallets and acquire private keys to access funds directly, they were still able to steal a significant amount of money.

Despite the attack, client funds were not affected and remained fully available. CoinsPaid’s internal security measures triggered an alarm system, allowing the company to swiftly stop malicious activity and remove the hackers from the company’s perimeter.

  • Bald Rugpull

The BALD token rug pull happened on July 31, 2023. It was a meme coin that initially saw a surge in value but then experienced a drastic drop. This was attributed to a liquidity drain, with a massive amount of liquidity, equivalent to $22 million, disappearing from the market.

The deployer of the BALD token claimed that they hadn’t sold any tokens since deployment and were not involved in the alleged scam. However, suspicions arose due to their association with Sam Bankman-Fried, the former CEO of FTX, and the movements of large amounts of Ethereum (ETH) between FTX and the BALD project.

  • Alphapo

Alphapo, a crypto payment platform used by various gambling services, including Bovada, HypeDrop, and Ignition, was hacked on July 22, 2023, resulting in a loss of about $22.8 million.

The hot wallet private keys of Alphapo were leaked to execute the attack. Once the attackers gained access to these keys, they could create transactions transferring value from these wallets to their accounts.

The stolen assets totalled around $22.8 million. This included over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, and 1,700 DAI. Interestingly, all of these funds were consolidated at the same address before being moved across different cryptocurrency blockchains via cross-chain bridges.

  • Poly Network

On July 20, 2023, Poly Network was hacked. The attacker exploited a flaw in the smart contracts of the project, allowing them to mint tokens valued at around $43 billion.

The attack was executed by creating a malicious parameter, which included a counterfeit block header and validator signature. This enabled the attacker to circumvent the bridge’s validation process and withdraw tokens from the bridge to their address.

The attack resulted in the attacker withdrawing assets from the bridge contract that didn’t exist. The attacker exploited 57 different cryptocurrencies across 10 different blockchains. Their account ended up holding an estimated $43 billion in stolen assets.

However, despite this massive balance, the attacker couldn’t withdraw it. Limited liquidity meant that the attacker could only steal an estimated $10 million from the protocol.

  • Eralend

The decentralized lending protocol Eralend, hosted on zkSync, fell victim to a hack. An attacker leveraged a read-only reentrancy vulnerability in Eralend’s smart contracts, allowing them to repeatedly call a vulnerable function within a single transaction. This exploitation of the reentrancy vulnerability enabled the attacker to manipulate the token values tracked by the project’s internal oracle, draining an estimated $3.4 million from the smart contract’s USDC assets.

The vulnerable smart contract reused code from SyncSwap. The affected function carried a comment noting that reserve values were updated only later in the function, which is exactly what created the read-only reentrancy window. The code was nonetheless left untouched, leaving the protocol open to attack.

The attacker took a flash loan of approximately 14,080,109 USDC and 7,566 ETH and deposited them in the SyncSwapVault vault. The read-only reentrancy manipulated the Oracle price, allowing the attacker to borrow more assets than they were supposed to. The loan against this borrowed amount was repaid using the calculations from the updated reserves; thus, the difference amount after repaying the flash loan was held as profits for the attacker.

The stolen funds have so far been bridged to eight different wallets on the Ethereum, Arbitrum, and Optimism chains.
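The read-only reentrancy pattern behind this incident, and the stale-rate oracle reads described in the Sturdy Finance and Themis Protocol sections above, as one added Solidity illustration. This is constructed code, not SyncSwap, Balancer, Sturdy, Themis or Eralend code; `LiquidityPool`, `inOperation`, `burnVulnerable`, `LpCollateralOracle` and the single-asset pool model are assumptions. It shows the "update reserves later" ordering that makes `getRate()` stale while the pool is mid-operation, the ordering that removes the window, and a consumer that refuses to price LP tokens while the pool reports itself mid-operation (the role Balancer's vault reentrancy check plays for its consumers).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; names assumed. Single-asset pool for brevity.
contract LiquidityPool {
    uint256 private _status = 1;            // 1 = idle, 2 = inside a guarded function
    uint256 public reserve;                 // pooled ETH
    uint256 public totalSupply;             // LP tokens
    mapping(address => uint256) public balanceOf;

    modifier nonReentrant() {
        require(_status == 1, "reentrant");
        _status = 2;
        _;
        _status = 1;
    }

    // Views are not blocked by nonReentrant, so this is the only way another
    // contract can tell a mid-operation read from a settled one.
    function inOperation() external view returns (bool) { return _status == 2; }

    function mint() external payable nonReentrant {
        uint256 minted = totalSupply == 0 ? msg.value : msg.value * totalSupply / reserve;
        balanceOf[msg.sender] += minted;
        totalSupply += minted;
        reserve += msg.value;
    }

    // ETH per LP token, 1e18 fixed point. This is the value lenders consume.
    function getRate() public view returns (uint256) {
        return totalSupply == 0 ? 1e18 : reserve * 1e18 / totalSupply;
    }

    // VULNERABLE ordering: supply shrinks and ETH goes out, but reserve is
    // reduced only afterwards. While msg.sender's receive() runs, totalSupply
    // is lower and reserve unchanged, so getRate() reports an inflated value.
    function burnVulnerable(uint256 lpAmount) external nonReentrant {
        uint256 out = lpAmount * reserve / totalSupply;
        balanceOf[msg.sender] -= lpAmount;
        totalSupply -= lpAmount;
        (bool ok, ) = msg.sender.call{value: out}("");
        require(ok, "send failed");
        reserve -= out;                       // the deferred reserve update
    }

    // FIXED ordering: every input to getRate() is settled before control leaves.
    function burn(uint256 lpAmount) external nonReentrant {
        uint256 out = lpAmount * reserve / totalSupply;
        balanceOf[msg.sender] -= lpAmount;
        totalSupply -= lpAmount;
        reserve -= out;
        (bool ok, ) = msg.sender.call{value: out}("");
        require(ok, "send failed");
    }
}

// A lender's collateral oracle. The hardened read never prices LP tokens from
// a rate observed inside a pool operation.
contract LpCollateralOracle {
    LiquidityPool public immutable pool;
    constructor(LiquidityPool pool_) { pool = pool_; }

    function lpValueUnsafe(uint256 lpAmount) external view returns (uint256) {
        return lpAmount * pool.getRate() / 1e18;
    }

    function lpValue(uint256 lpAmount) external view returns (uint256) {
        require(!pool.inOperation(), "pool mid-operation: rate not trusted");
        return lpAmount * pool.getRate() / 1e18;
    }
}
```

The two fixes are complementary: the pool's `burn` closes the window at the source, and the oracle's `lpValue` protects the lender even against pools it does not control. When integrating a third-party pool whose rate view is used for collateral pricing, the integration review should ask both questions: is every state variable feeding the rate updated before any external call, and is there a way to detect that the pool is mid-operation.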

August

August 2023 experienced a series of hacks that led to substantial losses. These attacks exploited various vulnerabilities, including flash loan attacks, oracle issues, flaws in vulnerable code logic, reentrancy flaws, and inadequate access controls. This section will explore some of the notable attacks that occurred in August 2023.

  • Exactly Protocol

On August 18, 2023, the Exactly Protocol, a DeFi project built on the Optimism blockchain, was hacked, resulting in a loss of over $7 million. The attack was made possible by a flaw in the protocol's contracts.

The hack was facilitated by weak validation checks. The attacker managed to circumvent the permit check on the DebtManager peripheral contract by supplying it with the address of a fake market contract.

Once the malicious contract was in place, the attacker performed a malicious deposit function, gaining access to the funds users had deposited into the protocol’s contracts. Consequently, the attacker managed to pilfer approximately $7.3 million worth of ETH from the project.
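The missing validation described above, as an added Solidity sketch that is not Exactly Protocol code. `IMarket`, `IAuditor`, `isListed`, `leverage` and the permit-then-deposit flow are assumed names; the lesson is that a contract address supplied by the caller must be checked against the protocol's own registry before anything is called on it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not Exactly Protocol code. Names are assumed.
interface IMarket {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

interface IAuditor {
    function isListed(address market) external view returns (bool);
}

// Before: `market` comes straight from calldata. A caller can pass a contract
// whose permit() accepts anything, which satisfies the "permit check" without
// any real signature, and that same fake contract then receives every later
// call in the flow, running its own code with the manager's privileges.
contract DebtManagerUnchecked {
    function leverage(IMarket market, address owner, uint256 assets, uint256 deadline,
                      uint8 v, bytes32 r, bytes32 s) external {
        market.permit(owner, address(this), assets, deadline, v, r, s);
        market.deposit(assets, owner);
        // ... further steps that trust `market` continue here
    }
}

// After: every market address is checked against the protocol's registry
// before it is called, so only contracts the protocol deployed can be reached.
contract DebtManagerChecked {
    IAuditor public immutable auditor;

    constructor(IAuditor auditor_) { auditor = auditor_; }

    modifier onlyListedMarket(IMarket market) {
        require(auditor.isListed(address(market)), "market not listed");
        _;
    }

    function leverage(IMarket market, address owner, uint256 assets, uint256 deadline,
                      uint8 v, bytes32 r, bytes32 s) external onlyListedMarket(market) {
        market.permit(owner, address(this), assets, deadline, v, r, s);
        market.deposit(assets, owner);
    }
}
```

The same rule applies to any peripheral contract (routers, zappers, debt or position managers) that takes a token, pool or market address as an argument: validate it against an allowlist the protocol controls, never against properties the contract reports about itself.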

  • Magnate Finance

On August 28, 2023, Magnate Finance, a lending protocol on the BASE chain, rug pulled, resulting in a loss of approximately $5.3 million to its users. Shortly after on-chain analyst ZachXBT issued a warning, the protocol’s website and Telegram group were rendered unavailable.

Magnate Finance altered the provider of the price oracle and removed all the assets.

This event was linked to the deployer of Magnate Finance, who was also involved in the Solfire exit scam. The deployer’s address was found to match that of the Solfire exit scam, further confirming the connection.

Following the incident, Magnate Finance’s MAG token saw an 86% drop in value.

  • Zunami Protocol

The Zunami Protocol, a decentralized yield aggregator, experienced a major hack on August 13, resulting in a loss of around $2.1 million. The attacker used price manipulation, exploiting a vulnerability in the protocol’s contracts.

The attack was executed through a series of flash loan attacks. In this case, the attacker manipulated the value of a pool by continuously buying and selling the same asset to artificially inflate its price.

The Zunami Protocol’s smart contract contained a calcTokenPrice function that determined the value of the project’s tokens by dividing the total holdings of its pool by the number of existing tokens. This calculation method made it possible for the attacker to inflate the token value either by increasing the value of the pool or decreasing the total number of tokens.

The attacker inflated the pool’s value by donating to the pool. Once this was done, the tokens that the attacker held would have a much larger perceived value. This enabled the attacker to drain approximately $2.1 million worth of tokens from the project’s pools.
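The two share-accounting defects described in this section, Zunami's balance-based price that a donation inflates, and Midas Capital's rounding that went the wrong way, as one added Solidity sketch that is neither project's code. `ShareVault`, `trackedAssets`, `tokenPriceFromBalance` and `_mulDivUp` are assumed names; the asset token is any ERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Constructed share-vault sketch (not Zunami or Midas code) contrasting
// (1) pricing from balanceOf, which a donation inflates, with pricing from
// internally tracked holdings, and (2) rounding share maths in the
// protocol's favour.
contract ShareVault {
    IERC20 public immutable asset;
    uint256 public totalShares;
    uint256 public trackedAssets;        // changes only through deposit/withdraw
    mapping(address => uint256) public shares;

    constructor(IERC20 asset_) { asset = asset_; }

    // Manipulable: a plain transfer of `asset` into this contract raises
    // balanceOf without minting shares, so every existing share looks worth
    // more. This is the calcTokenPrice shape described in the text.
    function tokenPriceFromBalance() public view returns (uint256) {
        if (totalShares == 0) return 1e18;
        return asset.balanceOf(address(this)) * 1e18 / totalShares;
    }

    // Donation-resistant: donated tokens never enter trackedAssets.
    function tokenPrice() public view returns (uint256) {
        if (totalShares == 0) return 1e18;
        return trackedAssets * 1e18 / totalShares;
    }

    function deposit(uint256 amount) external returns (uint256 minted) {
        // Shares minted to the user round DOWN.
        minted = totalShares == 0 ? amount : amount * totalShares / trackedAssets;
        require(minted > 0, "deposit too small");
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        shares[msg.sender] += minted;
        totalShares += minted;
        trackedAssets += amount;
    }

    function withdraw(uint256 amount) external returns (uint256 burned) {
        // Shares burned for a given asset amount round UP: the vault must never
        // pay out `amount` for fewer shares than it is worth. Rounding down
        // here is the class of defect behind "1 wei instead of 2 wei".
        burned = _mulDivUp(amount, totalShares, trackedAssets);
        require(shares[msg.sender] >= burned, "insufficient shares");
        shares[msg.sender] -= burned;
        totalShares -= burned;
        trackedAssets -= amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }

    // ceil(a * b / d); 0.8 checked arithmetic reverts on overflow or d == 0.
    function _mulDivUp(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        uint256 prod = a * b;
        return prod == 0 ? 0 : (prod - 1) / d + 1;
    }
}
```

The rounding rule generalises beyond this vault: whenever a computation decides how much the protocol gives out (assets for shares, collateral released, debt forgiven) it rounds against the user, and whenever it decides how much the user must give (shares burned, collateral required, debt owed) it rounds in the protocol's favour. A unit test that deposits 1 wei into a vault that already holds an odd number of assets and shares will catch most violations of that rule.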

  • Balancer Pools

The Balancer team announced a critical vulnerability affecting its boosted pools on August 22, 2023. Assets deployed on Ethereum, Polygon, Arbitrum, Optimism, Avalanche, Gnosis, Fantom, and zkEVM were at risk. Initially, only 1.4% of its total assets were at risk, representing over $5 million worth of asset exposure.

Despite the prompt action of liquidity providers (LPs) to withdraw funds from the affected pools, the vulnerability was exploited for approximately $979,000 less than a week after the initial announcement. This exploit occurred through multiple flash loan attacks, where an attacker borrows a large amount of cryptocurrency from a DeFi platform, manipulates affected pools, and siphons funds from them, all within the same transaction.

As a result, the Balancer team urged users to withdraw funds from the at-risk liquidity pools to protect against further losses. However, 0.08% of the total TVL ($565,199) remained at risk, with users advised to withdraw ASAP using the user interface.

Meir Dolev, founder and CTO of the cryptocurrency security company Cyvers, identified the attacker's Ethereum address, which had received three transfers of the DAI stablecoin totaling about $979,420 since the vulnerability was disclosed.

  • Steadefi

On August 7, 2023, Steadefi, a DeFi platform known for its leveraged yield aggregation, fell victim to a hack. The attacker managed to get hold of the private keys used to manage the project’s deployed contract, leading to a loss of nearly $1.1 million.

The attack started with the attacker gaining access to the private key of the protocol’s deployer wallet, which held access to all the project’s smart contracts. This gave the attacker access to functionalities reserved only for the owner.

Once they had access to these owner-exclusive features, the attacker transferred the ownership of the smart contracts to their accounts. They then used these privileges to lend out all the funds in the contract’s lending vaults to their accounts, effectively draining $1.1 million from the protocol.

It’s important to note that the protocol’s depositor and strategy vaults didn’t have these owner-exclusive functionalities. Therefore, funds stored in these vaults remained unaffected by the hack. The attacker also managed to pause certain contracts, leaving the funds stuck inside them.

After the hack was discovered, the Steadefi team offered a bug bounty to the attacker in exchange for the return of the stolen funds.

  • Cypher Protocol

The Cypher Protocol was hacked on August 7, 2023. The hacker took advantage of a flaw in the project’s smart contracts to steal around $1 million from the project.

The Cypher Protocol operates on a unique structure where a primary user account, known as CypherAccounts, can attach multiple CypherSubAccounts. These sub-accounts store data linked to the primary account. By default, all sub-accounts are interconnected with the master account, enabling a deposit into one to serve as collateral for a loan from another.

However, the protocol has a feature that allows a sub-account to operate independently, although this function can be disabled. A bug in the system triggered when switching to this independent mode resulted in the master account failing to recognize this change.

Additionally, a coding glitch affected margin checks before granting a loan. This error, coupled with the absence of active Oracle price feeds, enabled users to borrow when they shouldn’t have been able to.

The hacker leveraged this vulnerability across various primary accounts, leading to the extraction of approximately $1 million worth of assets from the Cypher Protocol.

  • RocketSwap

RocketSwap, the second-largest decentralized exchange on Base, was hacked on August 14, 2023, for around $866,500 due to a private key compromise from their online servers. The hackers managed to drain the farm of the project’s governance tokens, RCKT and Wrapped Ethereum (WETH), and later converted RCKT tokens to approximately 471 ETH worth $866,500.

The hack was carried out through a brute-force attack on the server where the team stored its private keys. When the launchpad was first deployed, the team used offline signatures and stored the private keys on the server, which turned out to be a vulnerability that the hackers took advantage of.

After the hack, the RocketSwap team took several steps to mitigate the damage and secure their platform. They confirmed the hack and shut down the farm. They also revoked and waived the minting rights for new positions.

  • LeetSwap

LeetSwap experienced a hack on August 1, 2023, due to an access control vulnerability on the Base chain. This led to a loss of over 342.56 ETH (628,583 USD). To carry out the attack, the public _transferFeesSupportingTaxTokens function was used to change the pool's behaviour. The attacker transferred token A using this function, invoked the sync function to increase the price of token A, swapped token A back for $WETH, and drained the pool, likely benefiting significantly from this operation.

The vulnerability was caused by an incorrectly assigned public visibility specifier to a function. This allowed anyone to invoke a call to this function to transfer tokens from the contract to the fee-collection address.
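The visibility defect in a pair contract, shown beside its corrected form, as an added Solidity illustration that is not LeetSwap code. The token interface, `feeTo`, the 0.3% fee and the single-direction `swapToken0ForToken1` are assumptions; only the visibility of the helper and where it can be reached from differ between the two contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed illustration, not LeetSwap code: a pair whose fee-forwarding
// helper is reachable by anyone because it was declared `public`.
contract PairWithPublicHelper {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeTo;
    uint256 public reserve0;
    uint256 public reserve1;

    constructor(IERC20 token0_, IERC20 token1_, address feeTo_) {
        token0 = token0_; token1 = token1_; feeTo = feeTo_;
    }

    // BUG: should be internal. As `public`, any caller can move token0 out of
    // the pair to feeTo and then call sync(); the pair now believes token0 is
    // scarce relative to token1 and reprices it upward on the next swap.
    function _transferFeesSupportingTaxTokens(IERC20 token, uint256 amount) public {
        require(token.transfer(feeTo, amount), "fee transfer failed");
    }

    function sync() external {
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }
}

// Fixed: the helper is `internal` and is reached only through swap(), which
// computes the fee amount itself.
contract PairWithInternalHelper {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeTo;
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public constant FEE_BPS = 30;   // 0.3%, assumed

    constructor(IERC20 token0_, IERC20 token1_, address feeTo_) {
        token0 = token0_; token1 = token1_; feeTo = feeTo_;
    }

    function _transferFeesSupportingTaxTokens(IERC20 token, uint256 amount) internal {
        require(token.transfer(feeTo, amount), "fee transfer failed");
    }

    // Sell token0 for token1 (constant product, fee forwarded to feeTo). The
    // caller must have transferred the input token0 to the pair beforehand.
    function swapToken0ForToken1(uint256 minOut, address to) external returns (uint256 amountOut) {
        uint256 received = token0.balanceOf(address(this)) - reserve0;
        require(received > 0, "nothing sent");
        uint256 fee = received * FEE_BPS / 10000;
        uint256 amountInNet = received - fee;
        amountOut = reserve1 * amountInNet / (reserve0 + amountInNet);
        require(amountOut >= minOut, "slippage");
        _transferFeesSupportingTaxTokens(token0, fee);
        require(token1.transfer(to, amountOut), "transfer failed");
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }
}
```

A leading underscore is only a naming convention in Solidity; the compiler enforces nothing from it. A review checklist item that pays for itself is to list every `public`/`external` function of a deployed contract (the ABI is enough) and confirm that each one is meant to be callable by arbitrary accounts; any `_`-prefixed name in that list is an immediate flag.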

September

September 2023 witnessed a series of high-profile hacks. These attacks exploited a range of vulnerabilities, including flash loan attacks, Oracle issues, flaws in vulnerable code logic, reentrancy flaws, and inadequate access controls. This section will delve deeper into some of the notable attacks that took place during this period.

  • Mixin Network

The Mixin Network, a protocol designed to address blockchain scalability issues, was hacked in September 2023. The database of Mixin Network’s cloud service provider was attacked by hackers on September 23rd, resulting in the loss of some assets on the mainnet.

The hack resulted in a loss of $142,041,764.

Mixin Network is a service similar to a layer-2 protocol, designed to make cross-chain transfers cheaper and more efficient. However, it is reliant on a centralized database, creating a single point of failure.

After the breach, Mixin Network temporarily suspended deposit and withdrawal services. These services were reopened once the vulnerabilities were confirmed and fixed.

This hack is considered the biggest theft in the crypto world in 2023.

  • CoinEx

In September 2023, the Hong Kong-based cryptocurrency exchange CoinEx suffered a significant security breach, resulting in the theft of over $70 million in tokens. The breach was due to compromised private keys, which allowed hackers to gain access to the exchange’s hot wallets.

Anomalous withdrawals were first flagged from one of the hot wallets on September 12, starting with a transfer of 4,947 Ether (ETH). The hackers then began withdrawing large amounts of other tokens to the same address. The value of the stolen funds was first estimated at $27 million but has since doubled.

After being notified of the incident, CoinEx suspended its withdrawal service to avoid further losses, patched system vulnerabilities and transferred the remaining assets from the affected hot wallets. The exchange planned to resume withdrawals progressively within seven working days.

The hackers responsible for the breach were suspected to be the North Korean Lazarus Group. Despite the large amount of cryptocurrency stolen, CoinEx claimed that this amount represented a small percentage of its total assets under management. The exchange stated that affected users would be compensated entirely for any lost funds.

  • Coindroplet

In September 2023, a phishing scam targeted a crypto whale who lost nearly $24.2 million worth of Rocket Pool ETH (rETH) and Lido Staked ETH (stETH). The phishing attack was executed by an exploiter associated with at least ten phishing sites, including coindroplet.io.

  • GMBL Computer

The GMBL.COMPUTER crypto casino was exploited shortly after its launch. The casino, which operates on the Arbitrum network and promises to generate yield from casino games, was exploited for around 471 ETH (approximately $770,000).

The exploitation occurred due to a flaw in the platform’s referral system. Users were able to place bets without depositing any funds and use these bets to generate referral bonuses. The GMBL team later confirmed this as the cause of the exploit.

In response to the exploit, the GMBL team offered a “bug bounty” to the attacker. The exploiter later returned 235 ETH (approximately $382,000), which is half of what they had stolen.

  • Balancer Frontend

On September 19, 2023, Balancer, a decentralized exchange, experienced a DNS attack, which led to the theft of over $250,000 in cryptocurrency. The attackers compromised Balancer’s domain names, redirecting users to a malicious site where they prompted users to approve a contract that drained their wallets.

The stolen funds were moved to various addresses, with some being bridged to Ethereum and Bitcoin, and over $25,000 was deposited on the MEXC exchange. Balancer has since regained control over its domain and declared its .fi domains safe again, and advised users to avoid interacting with their UI until they confirmed it was secure. This was the second attack on Balancer within a month, following an exploit in August.

October

Just like every other month in 2023, October faced several high-profile hacks. These attacks utilized various vulnerabilities, including flash loan attacks, oracle issues, and reentrancy flaws, causing significant financial losses. Key incidents include the Fantom Foundation, the Stars Arena reentrancy hack, the Hope Lend DeFi exploit, and the UniBot call injection attack.

  • Fantom Foundation

On October 17, 2023, the Fantom Foundation fell victim to a cyber heist that resulted in a loss of over $7 million, with a significant portion of the stolen assets coming from an employee’s wallet. This wallet had formerly been under the foundation’s control but had been reallocated for personal use by the employee.

During the initial investigation, there was speculation that the cybercriminals exploited a heap overflow vulnerability in Google Chrome, identified as CVE-2023-4863. This weakness had been discovered a month before the incident. Despite these early reports, the Fantom Foundation has indicated that further research is needed to confirm the exact cause of the breach.

The incident stands out because it involves the transfer of ownership of blockchain addresses from the Foundation to an individual employee. Such a move is unconventional and raises security concerns, as these addresses may still be recognized as part of the foundation by external parties, potentially leading to trust and security issues.

The Foundation has affirmed that the stolen $550,000 constitutes less than 1% of its total assets. Additionally, they clarified that some funds were incorrectly identified by blockchain explorers and were not removed from wallets directly owned by the Foundation.

  • Stars Arena

Stars Arena, a blockchain-based social token platform, lost an estimated $2.9 million to a hack that happened on October 7, 2023. The attackers exploited a reentrancy vulnerability in the project’s smart contract.

Stars Arena operates on a model where creators sell tickets to private chat rooms, giving buyers increased access to the creators and the potential for exclusive rewards and opportunities.

The reentrancy vulnerability was located in the code that managed “shares.” Normally, these shares should be sold at a specific amount. However, because the contract could be re-entered, the attackers were able to inflate the weight associated with a share, effectively increasing its value. This drove the price of a share up to around $274K.

This vulnerability allowed the attackers to drain value from the smart contract, ultimately leading to the theft of an estimated $2.9 million from the project.

Once the attack was detected, the Stars Arena team acknowledged the issue and temporarily halted the platform to commence repairs. Unfortunately, during this recovery period, the project’s website also fell victim to a distributed denial-of-service (DDoS) attack, hindering its ability to communicate with its users.

  • Hope Lend

The Hope Lend DeFi platform was targeted by a hack on October 18, 2023, resulting in a significant loss of assets. Specifically, 526 Ether ($834,616) was taken from the platform. This exploit led to a drop in Hope Lend’s Total Value Locked from just under $1 million to $0.

Crypto analyst Spreek discovered the hack and speculated that it might have something to do with rounding errors and decimals in WBTC. The blockchain security firm SlowMist confirmed the attack.

A second hacker managed to outmanoeuvre the initial attacker by offering them a bribe of 263 ETH. This hacker then proceeded to split the stolen assets evenly with the initial attacker.

However, Hope.money, the developers of the DeFi protocol, reported a slightly different scenario. According to them, a single hacker took 526 ETH from the platform, paying 263.91 ETH in bribes to a validator allegedly managed by Lido Finance. This resulted in a net gain of 264.08 ETH for the hacker.

Despite these events, Hope.money emphasized that all protocols deployed on Hope Lend are independent and will not affect other products and protocols on the platform. They also stated their commitment to protecting the rights of affected users and ensuring the security of the funds.

  • UniBot

In October 2023, Unibot, an automated Telegram trading bot, was hacked via a call injection attack. This led to a total loss of over 500,000 dollars.

The root cause of the hack was a call-injection vulnerability. Attackers were able to inject malicious data into the 0xb2bd16ab() method, enabling them to transfer tokens that had been approved to Unibot contracts. The attacker exploited the Unibot contract by obtaining excessively high token allowances for various addresses, surpassing their actual token balances.

The exploit contract processed a list of addresses with elevated allowances, examining the balance stored in 'stor1' within the Unibot contract and the allowance allocated within 'stor1'. For each address in the list, it compared the Unibot balance with the allowance. When the allowance exceeded the balance, it initiated a callback to itself, passing along the address, the Unibot contract, the balance, and the allowance. The self-triggered callback executed transferFrom() with the excessively high allowance amount, allowing the attacker to drain Unibot tokens from the contract into their own account.

As a result of this hack, over $600,000 was stolen from users of Unibot. However, the Unibot team refunded all the affected users after the hack. Affected users remained at risk as long as they hadn’t revoked their approvals, so it was recommended to use tools like Revoke.cash Exploit Checker to ensure safety.
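To make the root cause concrete, here is an added example (hypothetical code, not Unibot’s): a trading contract that holds user allowances and forwards caller-supplied target and calldata unchecked, beside a version that builds every outbound call itself. The ISwapRouter interface and all contract names are assumptions modelled on common DEX router shapes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical DEX router interface, modelled on the common "exact input" swap shape.
interface ISwapRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to
    ) external returns (uint256 amountOut);
}

// VULNERABLE (hypothetical): users approve this contract so it can trade for them,
// but execute() forwards a caller-chosen target and calldata with no restriction.
// Any caller can therefore make the contract invoke
//   token.transferFrom(victim, attacker, amount)
// and spend allowances that victims granted to the contract, not to the caller.
contract VulnerableBot {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);   // BUG: arbitrary call injection
        require(ok, "call failed");
        return ret;
    }
}

// HARDENED (hypothetical): no caller-supplied target or calldata ever reaches call().
// The contract builds the only outbound call itself, pulls tokens only from
// msg.sender, and routes the swap output straight back to msg.sender, so an
// allowance granted to this contract is of no use to any third party.
contract HardenedBot {
    ISwapRouter public immutable router;

    event Swapped(address indexed user, address indexed tokenIn, uint256 amountIn, uint256 amountOut);

    constructor(ISwapRouter router_) {
        router = router_;
    }

    function swap(uint256 amountIn, uint256 amountOutMin, address[] calldata path)
        external
        returns (uint256 amountOut)
    {
        require(path.length >= 2, "bad path");
        IERC20 tokenIn = IERC20(path[0]);
        // Only the caller's own allowance is consumed, and only to fund the caller's own swap.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Approve exactly the amount being swapped, never an open-ended allowance.
        require(tokenIn.approve(address(router), amountIn), "approve failed");
        amountOut = router.swapExactTokensForTokens(amountIn, amountOutMin, path, msg.sender);
        emit Swapped(msg.sender, path[0], amountIn, amountOut);
    }
}
```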

November

In November 2023, many DeFi projects faced serious attacks, leading to big losses. These attacks took advantage of different weak spots, from flash loan attacks and arbitrage bot manipulation to flaws in code logic, reentrancy flaws, poor access controls, and phishing. All these incidents showed how important it is to keep DeFi safe and what we can learn from these events. Let’s take a closer look at some of the specific attacks that happened in November.

  • Poloniex

On November 10, 2023, Poloniex experienced a security breach, which resulted in the loss of approximately $126 million from its hot wallets. The Lazarus Group, a cybercrime collective with ties to North Korea, is suspected to be behind the Poloniex attack.

The identification of the Lazarus Group as the likely perpetrator is based on the attack patterns observed in the Poloniex breach. The group’s modus operandi includes sending different types of tokens to various specialized addresses, using an intermediate address to exchange ERC20/TRC20 tokens on a decentralized exchange, and then transferring them to a new address. These actions, while not necessary (since one address can manage multiple token types), are characteristic of the Lazarus Group’s approach.

  • Heco Bridge

The Heco Bridge hack occurred in November 2023 and was a significant security breach that affected Huobi Global’s HTX exchange and its HECO Chain’s Ethereum Bridge.

The HECO bridge’s operator account, which had special access to oversee the bridge’s operations, was compromised, and this was the main reason behind the exploit. An attacker gained access to this account, allowing them to perform unauthorized actions on crucial functions.

The attacker used the compromised operator account to initiate unauthorized withdrawals from the HECO bridge, amassing stolen assets worth approximately $86.8 million. The stolen assets included USDT, HBTC, SHIB, UNI, USDC, LINK, ETH, and TUSD.

Justin Sun, the founder of Tron, acknowledged the incident and confirmed the compromise of the HTX hot wallets and the HECO cross-chain bridge. HTX committed to fully compensating for the losses of hot wallet addresses, and all deposits and withdrawals were temporarily suspended.

The exploit resulted in a cumulative loss of approximately $99.3 million, split between the HTX hot wallets ($12.5 million) and the HECO bridge ($86.8 million). Upon detecting the breach, the HTX team promptly suspended deposits and withdrawals while initiating efforts to recover the stolen assets.

  • KyberSwap

KyberSwap Elastic, the concentrated liquidity protocol of the KyberSwap decentralized exchange, fell victim to a hack on November 23, 2023. The attacker exploited a minor precision error in KyberSwap’s liquidity calculations, enabling them to steal approximately $48 million.

The attack started with a flash loan, but instead of typical price oracle manipulation, the attacker leveraged KyberSwap’s concentrated liquidity model. They used their flash loan to shift the pool price of targeted liquidity pools to a range where no liquidity was present, giving them complete control over liquidity calculations.

Once the pool price was within that range, the attacker created liquidity in the area. They then performed two precise swaps: selling a token (like wstETH) to push the price just below the target range, followed by buying the same token to push the price above their target liquidity range.

The attacker managed to drain the pool by controlling when the updateLiquidityAndCrossTick function was called. This function is meant to execute whenever the pool value crosses a tick value and updates the amount of liquidity available to a user. The issue arose because the first swap (the sell) did not call this function, but the second (the buy) did. This resulted in the double-counting of liquidity, allowing the attacker to manipulate the exchange rate of a token pair.

In the second swap, they received significantly more of the token than they paid in the first, thereby draining multiple liquidity pools and stealing about $48 million.

  • Florence Finance

On November 28, 2023, Florence Finance, a lending protocol for real-world assets, was hacked, which led to them losing approximately $1.45 million in USDC. This attack was a clever form of deception known as address poisoning.

Address poisoning works by creating a counterfeit wallet address that closely mirrors a genuine one. When users engage with cryptocurrencies and rely on autofill features or quickly scan their address books, they might mistakenly select a fraudulent, deceiving address. Consequently, the funds are directed to the attacker’s wallet instead of the intended recipient.

The attack on Florence Finance began when the victim sent USDC to a legitimate address. Then, fraudsters contaminated the victim’s address by sending fake tokens from the victim’s address with the same quantity to a destination address that closely resembled the legitimate one. The destination address was a hash of the scammer’s address. This action was designed to poison the transaction history of the victim’s address. In the next step, the victim inadvertently copied the scammer’s address from their transaction history and sent them real tokens like USDT or USDC.

After the initial transaction, the phishing wallet 0xB087 forwarded the funds to another wallet, 0x18d8, which then transferred the funds to 0x88E2. As of the time of the report, 0x88E2 was in the process of transferring the funds to THORChain after converting them to Ether (ETH).

  • TrustPad

TrustPad, a decentralized finance (DeFi) protocol, suffered a security breach on November 6, 2023, due to a business logic vulnerability in its smart contract, specifically within the staking logic of the LaunchpadLockableStaking contract. This resulted in an approximate loss of $155,000.

The attack was carried out through the receiveUpPool function in the LaunchpadLockableStaking contract. The attacker was able to control the newLockStartTime state of the contract by depositing TPAD tokens into it.

Once the attacker had control over the newLockStartTime, they were able to repeatedly call receiveUpPool() and withdraw() to collect rewards. The attacker then used the stakePendingRewards function to convert these rewards into staked amounts. Finally, the attacker withdrew the rewards using withdraw().

December

Toward the end of the year 2023, December witnessed a series of high-profile security breaches across the DeFi landscape. Hackers exploited a range of vulnerabilities, such as phishing, access control issues, and smart contract weaknesses, leading to substantial financial losses. Notable events included the Orbit Chain theft, the Herencia Artifex NFT controversy, the OKX DEX exploit, and a phishing attack on Ledger.

  • Orbit Chain

Orbit Chain, a blockchain platform designed to support interoperability between various blockchains, decentralized applications (DApps), and services, experienced a significant security breach in December 2023, leading to a loss of approximately $82 million in cryptocurrency. This included Ether, Dai, Tether, and USD Coin.

The first unauthorized transaction of a series of drain attacks involving multiple asset types was performed by unidentified hackers on December 31, 2023. Blockchain intelligence platform Arkham reported that Orbit Chain’s balance went from $115 million to $29 million instantly.

It is still unclear what kind of exploit the hackers used to carry out the attack. However, the attack is believed to carry the signs of a sophisticated state-sponsored group, possibly based in North Korea.

Arkham Intelligence, a blockchain analysis platform, pointed out that a total of $81.68 million in cryptocurrencies was siphoned from the protocol in five separate transactions. The largest transaction made by the attackers was $30 million in Tether, while the others were $10 million in USD Coin, 9,500 Ether worth over $21.6 million, 231 wrapped Bitcoin (WBTC) worth about $9.8 million, and the remaining $10 million in the algorithmic stablecoin DAI.

  • Herencia Artifex NFT

The Herencia Artifex NFT project, which operated under the native token HXA, faced a significant incident in December 2023. Initially, it appeared that the project had fallen victim to a supply chain attack where an attacker manipulated a signature to transfer over 450 billion HXA tokens from a burning address to their account. This was linked to a flaw in the ThirdWeb development kit, particularly in the msgSender parameter of the multiCall function.

However, the subsequent actions of the Herencia Artifex team led to suspicions that the incident might have been an exit scam rather than a genuine exploit. Indicators of this include the project’s website going offline without explanation, the sudden shutdown of their social media accounts, and the removal of their website for the coin. This series of events culminated in a 90% drop in the value of the HXA coin within 24 hours of the exploit announcement and later the apparent wiping out of the project by the Herencia Artifex team.

  • OKX DEX

The OKX DEX experienced a hack on December 12, 2023, causing a loss of around $2.4 million. The incident was triggered by a compromised proxy contract, which was used by the attackers to steal money from users who had authorized it.

The Proxy Admin Owner recently updated the DEX Proxy contract to a newer version. This update altered the contract’s functionality, allowing it to start token transfers directly and bypass regular security checks. Normally, users allow token exchanges through the TokenApprove contract, but the compromised DEX Proxy contract could bypass these permissions.

The problem was caused by a private key leak, which was used against an older version of a smart contract. OKX, a centralized exchange based in the Seychelles, also runs a decentralized exchange (DEX) and a cross-chain bridge aggregator. The DEX Proxy admin of a trusted contract that controls OKX DEX trades was compromised.

After the hack was discovered, OKX confirmed the exploit and committed to reimbursing the affected users. The exchange quickly took steps to secure all user funds and revoke the compromised contract’s permissions.

OKX has also vowed to conduct a thorough security review to prevent such incidents in the future. The exact number of users affected by the breach is not known, but OKX DEX had more than 50,000 active user wallets in the 30 days before the hack.

  • Ledger

In December 2023, Ledger, a popular cryptocurrency wallet manufacturer, experienced a serious security breach. One of the former employees of Ledger fell for a phishing scam, which is how the hack got started. The attacker then used the employee’s NPMJS account to publish a malicious version of the Ledger Connect Kit, which affected versions 1.1.5, 1.1.6, and 1.1.7. This allowed the attacker to trick EVM DApp users into signing transactions that emptied their wallets.

The hack was detected on December 14th, 2023, and Ledger responded swiftly. Within 40 minutes of being informed, Ledger deployed a genuine version of the Ledger Connect Kit. Despite the malicious code being present for about five hours due to CDN caching mechanisms, the actual period during which user assets were drained was less than two hours.

The hack sparked mixed reactions within the DeFi community. Some suggested switching to other wallet platforms, while others called for Ledger to open-source its code for better transparency. The incident highlighted Ledger’s past security issues and raised concerns about the company’s commitment to operational security.

What are the lessons learned?

Looking at the major hacks of 2023, several common vulnerabilities and attack methods can be identified. The most prevalent ones include:

  • Flash Loan Attacks: Flash loans are a type of crypto loan that is instantly filled without requiring collateral. These attacks involve borrowing cryptocurrencies and performing transactions before the loan needs to be paid back. This allows the attacker to perform malicious actions without the risk of their identity being tied to the transaction.
  • Arbitrage Bot Manipulation: Arbitrage bots are automated programs designed to take advantage of price differences on different exchanges. Attackers have used these bots to exploit price discrepancies, leading to significant financial losses.
  • Vulnerabilities in Code Logic: Many of the hacks involved vulnerabilities in the code logic of the protocols. These could be flaws in the way the system calculates rewards, prices, or other key functions.
  • Reentrancy Flaws: Reentrancy flaws occur when a contract calls an external contract before it resolves its state. This can allow an attacker to drain funds from the contract.
  • Phishing Schemes: Phishing attacks involve tricking users into revealing sensitive information, such as login credentials or private keys. These attacks have been used to gain unauthorized access to accounts and steal funds.
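The reentrancy flaw listed above is the one behind the Stars Arena incident described under October. As an added example (hypothetical code, not from any of the projects discussed), here is a simplified share-selling contract that pays the seller before clearing the seller’s balance, beside a hardened version that applies checks-effects-interactions and a reentrancy guard. The toy linear bonding curve and all names are constructed for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shared storage and a toy linear bonding curve (constructed for this example).
abstract contract SharesBase {
    uint256 public constant PRICE_UNIT = 0.001 ether;
    // subject => holder => number of shares held
    mapping(address => mapping(address => uint256)) public sharesBalance;
    // subject => total shares outstanding
    mapping(address => uint256) public sharesSupply;

    // Price of `amount` shares when `supply` shares are already outstanding.
    function getPrice(uint256 supply, uint256 amount) public pure returns (uint256) {
        return amount * (supply + 1) * PRICE_UNIT;
    }

    function buyShares(address subject, uint256 amount) external payable {
        uint256 price = getPrice(sharesSupply[subject], amount);
        require(msg.value == price, "wrong payment");
        sharesBalance[subject][msg.sender] += amount;
        sharesSupply[subject] += amount;
    }
}

// VULNERABLE: the payout (interaction) happens before the balance is cleared (effect).
// A contract seller's receive() can call sellAllShares again while its balance still
// reads `amount`, so it is paid once per re-entry and the supply accounting is
// driven out of sync with the shares actually held, inflating what a share is worth.
contract VulnerableShares is SharesBase {
    function sellAllShares(address subject) external {
        uint256 amount = sharesBalance[subject][msg.sender];
        require(amount > 0, "no shares");
        uint256 price = getPrice(sharesSupply[subject] - amount, amount);
        (bool ok, ) = msg.sender.call{value: price}("");   // BUG: external call before state update
        require(ok, "payout failed");
        sharesBalance[subject][msg.sender] = 0;
        sharesSupply[subject] -= amount;
    }
}

// HARDENED: checks-effects-interactions plus a reentrancy guard.
contract HardenedShares is SharesBase {
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function sellAllShares(address subject) external nonReentrant {
        uint256 amount = sharesBalance[subject][msg.sender];
        require(amount > 0, "no shares");
        uint256 price = getPrice(sharesSupply[subject] - amount, amount);
        // Effects before interactions: a re-entrant call now sees a zero balance and reverts,
        // and the guard rejects it before that check is even reached.
        sharesBalance[subject][msg.sender] = 0;
        sharesSupply[subject] -= amount;
        (bool ok, ) = msg.sender.call{value: price}("");
        require(ok, "payout failed");
    }
}
```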

Secure coding practices, code audits, and vulnerability assessments are very important to prevent these types of attacks. Developers should follow best practices for secure coding, regularly conduct code audits to identify potential vulnerabilities and implement vulnerability assessments to ensure the security of their systems.

Talking about audits, professional security audits play a crucial role in identifying and mitigating risks. Regular audits can help detect vulnerabilities before they can be exploited and provide recommendations for improving security.

However, it is important to note that user education is essential for the security of DeFi. Users should be educated on best practices for protecting their assets. This includes using strong passwords, implementing multi-factor authentication, and being vigilant against phishing scams.

Recommendation for the future

Looking at the major hacks that occurred in 2023, we can identify several key areas that need improvement if we want to enhance the security of DeFi. Let’s break down these improvements into three main categories: smart contract development, auditing methodologies, and user education initiatives.

Firstly, for smart contract development, we need to focus on rigorous testing. We should aim for high test coverage, ideally above 85–90%, to ensure that even minor bugs don’t slip through. Additionally, we should make use of both static and dynamic analysis tools, such as Slither, Mythril, Echidna, 4naly3er, etc., to identify potential vulnerabilities in our smart contracts. Another strategy is to adopt formal verification methods, which allow us to mathematically prove the correctness of our smart contracts. Lastly, we should create and stick to security checklists based on industry best practices.

Next, for auditing methodologies, regular audits are crucial. As new attack vectors are constantly emerging, we need to keep our systems up to date. To achieve this, we should engage multiple independent auditors to identify different types of vulnerabilities. Penetration testing, where we simulate attacks to identify weaknesses, should also be part of our routine. Furthermore, we should protect our contracts from unauthorized access or key loss by implementing multisig schemes, where multiple signatures are required for critical transactions.

Lastly, user education plays a vital role in enhancing DeFi security. We need to raise awareness among users about the importance of good security practices, such as avoiding phishing scams and using hardware wallets for better security. Providing educational resources and tutorials on how to interact with DeFi platforms securely is also crucial. Finally, involving the community in finding and reporting security issues can lead to more robust and secure code.

To further strengthen DeFi security, we need to encourage collaboration between developers, auditors, and security researchers. Sharing knowledge and best practices can lead to more robust and secure code. Making smart contracts open-source allows the community to review and contribute to them, leading to more secure code. Lastly, staying updated on the latest security developments and updating protocols and practices accordingly is key to maintaining strong DeFi security.

Conclusion

To wrap it up, the big hacks in 2023 showed that DeFi isn’t safe just yet. We saw a lot of problems with flash loans, bot manipulation, and code flaws. But the good news is, we can fix these problems.

For smart contract development, rigorous testing and the adoption of formal verification can enhance reliability, while the use of tools like Slither, Echidna, and 4naly3er can help identify weaknesses. Regular audits are recommended to keep up with emerging threats.

We also need to educate people on how to use DeFi safely. This means telling them to watch out for phishing scams and use secure wallets. It’s also a good idea to give them resources to learn how to use DeFi safely.

Working together is the key to making DeFi safer. Developers, auditors, and security researchers should share their knowledge and work together. We need to keep learning and updating our security measures to keep up with the changing DeFi world.
