A Case Study of DeFi Hacks in Q1 2022

By Uno Re | Published in Uno.Reinsure | Apr 9, 2022

Decentralized finance has come a long way in a surprisingly short period of time. Thanks to the rapid developments in DeFi, we are looking at a more transparent and more accessible future in finance.

According to Statista, there are 4.5 million DeFi users worldwide. Considering the term DeFi was defined in 2018 and has been around for half a decade only, the number is anticipated to reach two and even three-digit millions in the foreseeable future. DefiLlama’s stats show total value locked (TVL) across all DeFi protocols stands at $230 billion which is 170% higher than the year-ago date of $84.91 billion.

While the mainstream adoption of DeFi is inevitable, there is one factor that slows down its growth: lack of security within DeFi space as a consequence of the increasing number of hacker attacks. Since the dawn of decentralized finance, hackers have been around, constantly searching for bugs in smart contracts allowing DeFi protocols to function. At the time of writing, there have been more than 25 known major hacks in 2022 already and we can see that both the severity and frequency of DeFi hacks are increasing exponentially.

Here are some worrying stats regarding the aggressive increase in DeFi hacks:

As seen, DeFi hacks are getting more and more serious, posing an ever-growing threat to the hard-earned money of DeFi users. This is not a drill — DeFi, with all its parties, must acknowledge the necessity of insurance and protect users’ assets against the danger.

Q1 2022: The darkest 3 months in DeFi history

This conclusion is not based on the number of hacks that took place in the first three months of 2022. It is based on the increasing number of individual DeFi hack victims who lost their assets beyond recovery. To help you better understand the gravity of the situation, here is a comprehensive analysis of DeFi hacks that took place in Q1 2022.

Biggest DeFi hacks in Q1 2022

Ronin Network hack | Over $600 million lost

On March 23, DeFi space took a staggering blow. The biggest crypto hack of all time, the Ronin Network hack resulted in more than $600 million going down the drain.

The target was the Ronin blockchain, which hosts Axie Infinity, one of the most popular crypto games. The attack hit the Ronin bridge, which allows users to transfer their assets from other ecosystems into Ronin and vice versa. Hackers managed to obtain 5 out of 9 validator keys, which allowed them to forge fake withdrawals.

Hackers then wrote the transactions to the chain and validated them using the stolen keys. They withdrew most of the funds from the Ronin bridge in just two transactions.
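The sketch below is an added example, not code from Ronin or from the original article. It models a 5-of-9 approval check and shows why the number of independent key holders matters more than the number of keys; the validator ids, operator names, demo keys and the use of HMAC in place of a real signature scheme are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

THRESHOLD = 5  # approvals required out of 9 validators, as stated in the article

# Constructed validator set: key material and operator names are hypothetical.
VALIDATORS = {f"v{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
              for i in range(1, 10)}
OPERATOR_OF = {"v1": "org-a", "v2": "org-a", "v3": "org-a", "v4": "org-a",
               "v5": "org-b", "v6": "org-c", "v7": "org-d", "v8": "org-e",
               "v9": "org-f"}


def sign(validator_id, message):
    """HMAC stands in for the validator's real signature scheme."""
    return hmac.new(VALIDATORS[validator_id], message, hashlib.sha256).digest()


def approved(message, signatures):
    """Accept a withdrawal when THRESHOLD distinct validators signed it.

    The check cannot tell a stolen key from a legitimate one: any holder of
    five keys produces signatures that verify.
    """
    valid = {vid for vid, sig in signatures.items()
             if vid in VALIDATORS and hmac.compare_digest(sig, sign(vid, message))}
    return len(valid) >= THRESHOLD


def min_operators_to_breach(operator_of, threshold):
    """Fewest operators whose combined keys reach the threshold.

    A defender's metric: 5-of-9 is only as strong as the number of separate
    organisations that must be compromised to collect five keys.
    """
    held = sorted(Counter(operator_of.values()).values(), reverse=True)
    total = 0
    for count, keys in enumerate(held, start=1):
        total += keys
        if total >= threshold:
            return count
    return None  # threshold unreachable with the keys listed
```

With the constructed mapping above, two operators are enough to reach the threshold even though five keys are required; with one operator per key the figure rises to five.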

Sky Mavis, the developer of Axie Infinity, realized the hack 6 days after it initially occurred. It is reported that more than $600m worth of crypto assets were drained.

For more information about the Ronin Network hack, check out our article.

Wormhole Bridge Hack | $325 million lost

The second biggest DeFi hack in 2022 was the Wormhole bridge hack, which resulted in $325m worth of ETH being stolen from the communication bridge between Solana and other decentralized finance networks.

The hacker exploited the bridge between the Ethereum and Solana blockchains and redirected ETH to their own wallet. This was possible due to the presence of a faulty function in the smart contract which the attacker took advantage of. We published a detailed post-mortem analysis of the hack which can be read here.

The Wormhole bridge hack proved doubts about cross-chain bridges right. Only a month prior to the hack, Vitalik Buterin, the co-founder of Ethereum, suggested: “the future will be multi-chain, but it will not be cross-chain, in part because there are fundamental limits to the security of bridges that hop across multiple zones of sovereignty.”

Dishonorable Mentions

Before going into other DeFi hacks in Q1 2022, here are some smaller hacks worth mentioning and hacks that don’t fit into categories below:

Bridge Hacks

Cross-chain bridge hacks were the biggest issue in the first quarter of 2022 by far. Alongside the devastating Ronin bridge hack and Wormhole bridge hack we mentioned above, there were several other bridge hacks.

Qubit Finance Hack

Qubit Finance’s QBridge protocol was compromised for $80 million worth of BNB. The attacker utilized a deposit option in the QBridge contract to illegally mint 77,162 qXETH, which is an asset representing Ether bridged via Qubit.

Meter.io Cross-chain Bridge Hack

The Meter Passport token bridge platform has incurred $4.4 million in losses due to a smart contract hack. Meter.io’s Meter Passport (MTRG) token bridge that is compatible with Ethereum and its side-chains was attacked.

Multichain Bridge Hack

The cross-chain bridge of Multichain was hacked and users lost a total of $3 million. Users complained about the lack of information regarding the process.

Exchange Hacks

Crypto exchanges also had their share of hacker attacks in the past years.

Popular crypto exchange Crypto.com was hacked in January. $30 million was stolen from 483 users’ wallets. Once again, the real victims were none other than users. The Crypto.com hack was alarming as it targeted one of the most popular exchanges in the world, indicating the recklessness of hackers.

Exchanges are the first stop for new DeFi users and attacks targeting them cause new users to shy away from further exploring the DeFi space.

Liechtenstein-based crypto exchange LCX also lost $6.8 million to a hot wallet exploit.

Staking Pool Hacks

A huge majority of other DeFi projects adopted the staking pool model to offer their users the chance to utilize their native tokens in rewarding staking pools. This model helps DeFi projects to expand their user base, establish stronger ties with their community, and gather the necessary funds to support their projects.

Unfortunately, the increasing TVL of staking pools attracts the attention of malicious actors as well. There have been multiple staking pool hacks that cause users to lose their staked assets beyond recovery.

In February 2022, Earnhub’s staking pool was compromised due to a logic error in a smart contract function. The amount stolen remains unknown, but it was users who lost their money as it was in other staking pool hacks.

On January 1st, the pools of Tinyman, a DeFi platform built on the Algorand network, were compromised. The attacker exploited a vulnerability in the smart contract code that allowed them to receive the same token twice. Stolen coins were worth $3 million.

DeFi hacks come in different ways and sizes, but the victim never changes. Users are the real sufferers of such incidents as it is their assets at stake. DeFi insurance is the only way to make sure their funds are secure.

DeFi Insurance in Action

Uno Re, the world’s first decentralized insurance and reinsurance platform, dedicates itself to helping DeFi protocols and users stay protected against hacks. At the time of writing, there is no proven way to prevent smart contract exploits, but it is possible to protect users in case their assets are stolen.

DeFi insurance is an emerging concept and many experts believe it will play a vital role in the future of DeFi. While 98.13% of all crypto assets remain uninsured and vulnerable, there are encouraging examples of how DeFi insurance comes to the rescue almost immediately following an attack.

On March 20 2022, Uno Re’s partner Umbrella Network fell victim to an attack. Hackers took advantage of an underflow bug and compromised their Polar Stream staking contracts, stealing staked LP tokens. The damage was $700k.
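The following added example illustrates the underflow bug class named above; it is not Umbrella Network's contract, whose code the article does not show. It models 256-bit unsigned arithmetic in Python, with a hypothetical `StakingLedger` whose names and amounts are constructed, and puts the unchecked subtraction next to the checked one along with an accounting invariant a monitor can test.

```python
UINT256_MAX = 2**256 - 1


def unchecked_sub(a, b):
    """Subtract as an unchecked 256-bit unsigned integer would: wrap on underflow."""
    return (a - b) & UINT256_MAX


class StakingLedger:
    """Hypothetical staking pool; `checked` selects the hardened withdraw path."""

    def __init__(self, checked):
        self.checked = checked
        self.balances = {}    # user -> staked amount (uint256 semantics)
        self.pool_tokens = 0  # LP tokens actually held by the pool

    def stake(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.pool_tokens += amount

    def withdraw(self, user, amount):
        balance = self.balances.get(user, 0)
        # Hardened form: reject before any state changes.
        if self.checked and amount > balance:
            raise ValueError("withdrawal exceeds staked balance")
        if amount > self.pool_tokens:
            raise ValueError("pool cannot cover the transfer")
        # Vulnerable form reaches this line with amount > balance and wraps.
        self.balances[user] = unchecked_sub(balance, amount)
        self.pool_tokens -= amount
        return amount

    def invariant_holds(self):
        """Recorded stakes must equal the tokens the pool holds."""
        return sum(self.balances.values()) == self.pool_tokens
```

In the unchecked ledger, an account with no stake can withdraw tokens deposited by others and its recorded balance wraps to a value near 2^256, which breaks the invariant; the checked ledger rejects the same call and the invariant keeps holding.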

As a protocol insured by Uno Re, Umbrella Network filed a claim following the hack. The Uno Re Claims Assessment Team immediately started the investigation and accepted the claim. As per the agreement, Uno Re compensated for $500k of the loss and ensured 91% of affected wallet addresses are covered and appropriately compensated as per the cover terms and conditions.

The first claim payout we made showed the efficacy and robustness of our protocol’s risk management framework. Being DeFi users ourselves, helping users recover from this unpleasant incident made us proud and motivated us to work even harder. With an ever-growing partner ecosystem, we hope to give peace of mind to our partners and their users in the DeFi space, which is full of unpredictability.

About Uno Re

Uno Re is the world’s first decentralised insurance and reinsurance platform, allowing the community to invest and trade in ‘risk’ and receive sizable returns on their investments in one of the safest asset classes in the world. The platform will break barriers to entry for the retail investor by doing away with the historic pre-requisite of absurdly high capital generally needed to invest into the market while also introducing much-needed transparency into the industry as a whole. Uno Re will also allow the community to propose innovative insurance products to the space, thus propelling a new generation of Insurtech companies powered by the Uno Re ecosystem.
