Learning From The Biggest DeFi Hacks of January 2024

Natachi Nnamaka
Published in Web3 Writers Guild, Feb 6, 2024

Introduction

Decentralized Finance (DeFi) offers a way to handle financial transactions without traditional intermediaries, but as the value it holds grows it has become a prime target for attackers, and the losses have been significant. This article reviews the largest DeFi security incidents of January 2024: the vulnerability exploited in each case, how the attack unfolded, how the team responded, and what the wider ecosystem should take from them to strengthen the security of DeFi platforms.

Deep Dive Into January's Biggest Hacks

  • GAMEE token exploit

GAMEE is a blockchain gaming platform backed by Animoca Brands, offering a range of games that allow players to earn cryptocurrency rewards. Its native cryptocurrency is GMEE.

The GAMEE hack on January 22, 2024 targeted its GMEE token. The root cause was a leaked private key rather than a flaw in the token contract itself, and the loss was estimated at $16 million.

The attacker gained unauthorized access to the project's GitLab environment. A vulnerability there gave them access to an old version of the project's repository, and that old copy still contained the private key controlling the project's deployer address on the Polygon blockchain. With that key, the attacker called a recoverERC721s function to transfer approximately 600 million GMEE tokens to attacker-controlled wallets. A secret that is deleted from the current revision of a repository remains in its history, which is why an old copy was enough.

The GAMEE team acted quickly to contain the incident: they blocked the unauthorized access to the token contracts, moved control of the contracts to a new address, stopped providing liquidity on all decentralized exchanges, and asked centralized exchanges to halt new deposits and freeze tokens linked to the hack.

  • Gamma Strategies

Gamma Strategies is a decentralized asset management protocol that operates on Ethereum and other blockchains. It allows users to deposit funds into pools known as “hypervisors”. Users earn a return on their investment through active liquidity management and market-making strategies.

On January 4, 2024, Gamma Strategies was exploited through a series of attack transactions using flash loans from Uniswap and Balancer. This exploit resulted in a loss of approximately $6.4 million.

The primary issue was the configuration of the deposit proxy's price-change threshold, which was set far too loosely: it tolerated a -50% to +100% change in price on certain LST and stablecoin vaults, a band wide enough for a flash-loan-driven price swing to pass the check.

The attacker exploited this weakness in the deposit proxy configuration of the stable and LST vaults. Gamma had four primary deposit protections against flash loans; the exploit showed that one of them, the threshold check, was configured too permissively to do its job. The attacker bridged the stolen funds from Arbitrum to Ethereum through the Stargate bridge and deposited part of them into Tornado Cash.

In response, the protocol temporarily disabled deposits to all public DeFi vaults to prevent further losses, while keeping withdrawals open so users could still access their funds.

  • Radiant Capital

Radiant Capital is a multichain lending protocol that expanded to the Ethereum network in October 2023. It markets itself on offering the lowest fees relative to price among decentralized lending protocols.

On January 2, 2024, Radiant Capital was hit by a flash-loan-assisted exploit and lost 1,900 ETH, valued at over $4.5 million. The attacker exploited a flaw in the protocol's token quantity calculation involving precision expansion and rounding: by controlling the precision of the calculation in a newly launched market and letting the rounding work in their favour, they expanded their profit on each iteration and drained all USDC from the pool.

Late on January 2, 2024, the Radiant team received reports of an issue in the new USDC market on Arbitrum. The DAO Council temporarily suspended the protocol's lending and borrowing markets while the team investigated; once the root cause was identified, the protocol was paused to address the exploit and assess remedial actions.

  • Abracadabra

Abracadabra Finance is a DeFi lending and borrowing platform. Users deposit various crypto assets as collateral and borrow its Magic Internet Money (MIM) stablecoin against them.

On January 30, 2024, Abracadabra Finance was exploited for $6,414,205 (2,737.48 ETH). The root cause was a loss of precision in the smart contract arithmetic, specifically a rounding issue, in certain Cauldron V3 and V4 markets, which let the attacker borrow MIM they were not entitled to. The attacker's address was funded through Tornado Cash, and the stolen funds were moved on to two other externally owned accounts (EOAs).

In response to the attack, the Abracadabra Money team acknowledged the exploit and stated that they were investigating. To mitigate the impact of the theft, the DAO treasury planned to buy MIM back from the market and burn it.

  • Socket Protocol

Socket Protocol is a cross-chain bridge protocol that plays a crucial role in helping different decentralized protocols interact. It is commonly used behind the scenes to bridge the Ethereum network with over a dozen other blockchains that utilize Ethereum Virtual Machine (EVM) infrastructure.

On January 16, 2024, Socket Protocol fell victim to an attack that abused token approvals. Many wallets had granted unlimited approvals to Socket's contracts, and the protocol's performAction function forwarded caller-supplied calldata to a low-level call() without validating it. This amounted to a call injection: the attacker supplied calldata for transferFrom against the approved tokens, and the contract, which held the approvals, pulled funds out of the approving wallets into attacker-controlled addresses.

The total losses incurred during the event were valued at approximately $3.3 million. However, the Socket Protocol team was able to recover over half of the stolen funds, totalling 1,032 ETH, equivalent to almost $2.297 million.

  • Goledo Finance

Goledo Finance is a cross-chain lending and borrowing protocol based on Aave. On January 28, 2024, it suffered a $1.7 million hack. The attacker used a flash loan to manipulate the price of a token, inflating the value of collateral posted against it, and then borrowed against that inflated collateral to drain the other tokens in Goledo's lending pool. The whole sequence was executed atomically within a single transaction by a smart contract set up to perform every step in one go.

The attacker thereby obtained far more assets than a user with that collateral should have been allowed to borrow. Goledo's native token, GOL, fell 35% in value following the incident.
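The Gamma and Goledo incidents share a mechanism: a price that can be moved within one transaction is fed into a check or a collateral valuation. The following is an added example, not code from either protocol. It models a constant-product pool, a deposit guard with a configurable deviation band (the -50%/+100% band described for Gamma is one setting), and a lender that prices collateral at spot; the flash loan, reserves, LTV and band values are constructed for illustration.

```python
"""Added example (not Gamma's or Goledo's code): a constant-product pool and a
deposit guard with a configurable price-deviation band. It shows how a flash
loan moves the spot price inside one transaction, why a -50%/+100% band still
accepts the manipulated price while a tight band rejects it, and how a lender
that values collateral at spot would over-lend. All figures are constructed."""

from dataclasses import dataclass


@dataclass
class Pool:
    """Uniswap-v2-style x*y=k pool. reserve_a is the collateral token,
    reserve_b a stablecoin; the spot price is B per A. No swap fee, for clarity."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell B into the pool and receive A; pushes A's price up."""
        k = self.reserve_a * self.reserve_b
        new_b = self.reserve_b + amount_b
        new_a = k / new_b
        out = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell A into the pool and receive B; pushes A's price back down."""
        k = self.reserve_a * self.reserve_b
        new_a = self.reserve_a + amount_a
        new_b = k / new_a
        out = self.reserve_b - new_b
        self.reserve_a, self.reserve_b = new_a, new_b
        return out


def within_band(reference: float, observed: float, max_down: float, max_up: float) -> bool:
    """Deposit-guard check: accept `observed` only if it lies within
    [reference * (1 - max_down), reference * (1 + max_up)]."""
    return reference * (1 - max_down) <= observed <= reference * (1 + max_up)


def max_borrow(collateral_a: float, price: float, ltv: float) -> float:
    """Borrow capacity of a lender that values collateral at the given price."""
    return collateral_a * price * ltv


def flash_loan_round_trip(pool: Pool, loan_b: float):
    """One atomic transaction: borrow loan_b of B, buy A to pump its price,
    read the manipulated spot price, then sell the A back and repay.
    Returns (manipulated_price, attacker_net_b)."""
    bought_a = pool.swap_b_for_a(loan_b)
    manipulated = pool.spot_price()
    repaid_b = pool.swap_a_for_b(bought_a)
    return manipulated, repaid_b - loan_b      # ~0 without fees: the pump itself costs almost nothing


def demo():
    pool = Pool(reserve_a=1_000.0, reserve_b=1_000_000.0)     # A trades at 1,000 B before the attack
    reference = pool.spot_price()
    manipulated, _ = flash_loan_round_trip(pool, loan_b=400_000.0)   # adds 40% to B reserve -> price x1.96

    loose_ok = within_band(reference, manipulated, max_down=0.50, max_up=1.00)   # the -50%/+100% band
    tight_ok = within_band(reference, manipulated, max_down=0.02, max_up=0.02)   # a 2% band

    honest_cap = max_borrow(10.0, reference, ltv=0.75)      # 10 A of collateral, priced honestly
    inflated_cap = max_borrow(10.0, manipulated, ltv=0.75)  # same collateral, priced at manipulated spot
    return reference, manipulated, loose_ok, tight_ok, honest_cap, inflated_cap


if __name__ == "__main__":
    ref, man, loose, tight, honest, inflated = demo()
    print(f"spot before {ref:.0f}, during attack {man:.0f}")
    print(f"-50%/+100% band accepts manipulated price: {loose}; 2% band accepts it: {tight}")
    print(f"borrow capacity on 10 A: honest {honest:.0f} B, at manipulated spot {inflated:.0f} B")
```

A 40% addition to the stablecoin reserve nearly doubles the spot price, which a -50%/+100% band accepts and a 2% band rejects; the same price doubles the borrow capacity of a lender that trusts it. A deviation band only helps when the reference it compares against cannot itself be moved in the same block, which is why time-weighted or external oracle prices are preferred for both deposit checks and collateral valuation.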

  • Concentric Finance

Concentric Finance is a yield aggregator protocol that allows users to manage their liquidity across different decentralized finance (DeFi) platforms.

On January 22, 2024, Concentric Finance suffered a breach in which the attacker compromised the protocol's deployer account, obtaining its private key through social engineering. With control of the deployer, they upgraded the vaults, minted new liquidity pool (LP) tokens, and drained the vaults of their assets. The attacker also repeatedly minted 0.001 CONE-1 tokens and burnt them to redeem funds from the AlgebraPool, collecting multiple ERC-20 tokens that were then swapped for Ether (ETH).

The attack resulted in the loss of over $1.8 million. The attacker's wallet was linked to the wallet behind the OKX decentralized exchange exploit in December 2023, suggesting that both attacks may have been carried out by the same actor.

In response to the hack, Concentric Finance advised users to revoke all approvals from all vault addresses listed in the protocol’s documents.

  • Wise Lending

Wise Lending is a web3 lending application and yield aggregator. It provides various financial services to its users, including lending and borrowing tokens.

On January 12, 2024, Wise Lending lost approximately $449,413 to a precision-loss vulnerability in its share accounting logic. Using a flash loan, the attacker inflated the share price in a nearly empty market and then borrowed heavily against collateral valued at that inflated price.
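Radiant, Abracadabra and Wise Lending were all rounding or precision flaws that only bite in a thin or freshly launched market. The following is an added example, not code from any of the three protocols: an ERC-4626-style vault simulated with Solidity-like integer arithmetic, showing the first-depositor share-price inflation that turns a rounding-down conversion into a theft of the next deposit, and the virtual-shares offset that OpenZeppelin's ERC4626 implementation uses to blunt it. Deposit sizes, the donation, and the offset value are constructed.

```python
"""Added example (not Radiant's, Abracadabra's or Wise Lending's code): an
ERC-4626-style vault modelled with Solidity-like integer arithmetic, showing
how rounding in a nearly empty market lets the first depositor inflate the
share price and absorb the next deposit, and how the virtual-shares offset
used by OpenZeppelin's ERC4626 blunts the attack. All amounts are constructed."""

WAD = 10 ** 18


class Vault:
    def __init__(self, decimals_offset: int = 0):
        # decimals_offset 0: naive accounting (1 share per asset when empty, then
        # assets * totalShares / totalAssets). Positive offset: 10**offset virtual
        # shares and 1 virtual asset take part in every conversion.
        self.total_assets = 0
        self.total_shares = 0
        self.balances: dict = {}
        self.virtual_shares = 10 ** decimals_offset if decimals_offset > 0 else 0
        self.virtual_assets = 1 if decimals_offset > 0 else 0

    def to_shares(self, assets: int) -> int:
        supply = self.total_shares + self.virtual_shares
        if supply == 0:
            return assets                                 # first depositor, naive 1:1
        return assets * supply // (self.total_assets + self.virtual_assets)   # floors like uint256

    def to_assets(self, shares: int) -> int:
        supply = self.total_shares + self.virtual_shares
        if supply == 0:
            return shares
        return shares * (self.total_assets + self.virtual_assets) // supply

    def deposit(self, who: str, assets: int) -> int:
        minted = self.to_shares(assets)
        self.total_assets += assets
        self.total_shares += minted
        self.balances[who] = self.balances.get(who, 0) + minted
        return minted

    def donate(self, assets: int) -> None:
        # plain token transfer to the vault address: raises totalAssets, mints nothing
        self.total_assets += assets

    def redeem(self, who: str, shares: int) -> int:
        assets = self.to_assets(shares)
        self.balances[who] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def run_inflation_attack(decimals_offset: int) -> dict:
    """Attacker front-runs a 5,000-token deposit into an empty vault:
    deposit 1 wei, donate 10,000 tokens, let the victim deposit, redeem."""
    vault = Vault(decimals_offset)
    vault.deposit("attacker", 1)                 # 1 wei of assets -> tiny share supply
    vault.donate(10_000 * WAD)                   # inflate price per share without minting
    victim_shares = vault.deposit("victim", 5_000 * WAD)
    attacker_out = vault.redeem("attacker", vault.balances["attacker"])
    victim_out = vault.redeem("victim", victim_shares) if victim_shares else 0
    return {
        "victim_shares": victim_shares,
        "attacker_out": attacker_out,
        "attacker_spent": 1 + 10_000 * WAD,
        "victim_out": victim_out,
    }


if __name__ == "__main__":
    for offset in (0, 6):
        r = run_inflation_attack(offset)
        print(f"offset={offset}: victim got {r['victim_shares']} shares, "
              f"attacker net {(r['attacker_out'] - r['attacker_spent']) / WAD:+.4f}, "
              f"victim recovered {r['victim_out'] / WAD:.4f} of 5000")
```

With naive accounting the victim's 5,000 tokens round down to zero shares and the attacker's single share redeems the entire vault. With a decimals offset of 6 the victim receives shares, the attacker's donation is largely lost to the virtual shares, and the attack becomes unprofitable. Seeding new markets with a minimum permanent deposit achieves a similar effect; either way, the rounding behaviour of an empty market is what has to be tested before launch.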

  • Nebula Revelation

Nebula Revelation is a space-themed open-world Web3 game that embeds some elements of blockchain technology. The game includes a staking mechanism where players can earn tokens by participating in the game.

On January 25, 2024, Nebula Revelation suffered a reentrancy attack on its staking contract. A flaw in the contract allowed the attacker to re-enter it before its state had been updated, leading to the unauthorized withdrawal of tokens. The attacker used a self-destructing contract to complete all operations in one transaction.

The total losses incurred during the event were valued at approximately $180,264.
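The following is an added example, not Nebula Revelation's code, that simulates the reentrancy pattern in Python. The staking contract's withdraw() pays out before it zeroes the staker's balance, and the token notifies the recipient through a receive hook (as ERC-777 tokensReceived and ERC-721 onERC721Received callbacks do), which is the attacker's re-entry point. SafeStaking applies the checks-effects-interactions ordering and a reentrancy lock. Balances and the number of re-entries are constructed.

```python
"""Added example (not Nebula Revelation's code): a staking contract simulated in
Python whose withdraw() pays out before it updates the staker's balance. The token
notifies the recipient through a receive hook (the way ERC-777 tokensReceived or
ERC-721 onERC721Received callbacks do), which is the re-entry point. SafeStaking
applies checks-effects-interactions plus a reentrancy lock. Balances are constructed."""

from typing import Callable, Dict


class Token:
    def __init__(self):
        self.balances: Dict[str, int] = {}
        self.receivers: Dict[str, Callable[[int], None]] = {}   # contract address -> receive hook

    def transfer(self, frm: str, to: str, amount: int) -> None:
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        hook = self.receivers.get(to)
        if hook is not None:
            hook(amount)               # the recipient contract now runs code, mid-transfer


class VulnerableStaking:
    ADDRESS = "staking"

    def __init__(self, token: Token):
        self.token = token
        self.staked: Dict[str, int] = {}

    def stake(self, who: str, amount: int) -> None:
        self.token.transfer(who, self.ADDRESS, amount)
        self.staked[who] = self.staked.get(who, 0) + amount

    def withdraw(self, who: str) -> None:
        amount = self.staked.get(who, 0)
        if amount == 0:
            raise ValueError("nothing staked")
        self.token.transfer(self.ADDRESS, who, amount)   # interaction first ...
        self.staked[who] = 0                             # ... effect last: re-enterable in between


class SafeStaking(VulnerableStaking):
    def __init__(self, token: Token):
        super().__init__(token)
        self._locked = False

    def withdraw(self, who: str) -> None:
        if self._locked:                                 # nonReentrant-style guard
            raise RuntimeError("reentrant call")
        self._locked = True
        try:
            amount = self.staked.get(who, 0)
            if amount == 0:
                raise ValueError("nothing staked")
            self.staked[who] = 0                         # effect first
            self.token.transfer(self.ADDRESS, who, amount)   # interaction last
        finally:
            self._locked = False


class Attacker:
    ADDRESS = "attacker"

    def __init__(self, token: Token, staking: VulnerableStaking, max_reentries: int = 3):
        self.token, self.staking = token, staking
        self.max_reentries, self.reentries = max_reentries, 0
        token.receivers[self.ADDRESS] = self.on_tokens_received

    def on_tokens_received(self, _amount: int) -> None:
        if self.reentries < self.max_reentries:
            self.reentries += 1
            try:
                self.staking.withdraw(self.ADDRESS)      # re-enter while staked[] is still non-zero
            except (ValueError, RuntimeError):
                pass                                     # against SafeStaking the re-entry reverts; swallow it

    def attack(self, amount: int) -> None:
        self.staking.stake(self.ADDRESS, amount)
        self.staking.withdraw(self.ADDRESS)


def run(staking_cls):
    """Honest user stakes 1,000; attacker stakes 100 and withdraws.
    Returns (attacker_balance, staking_contract_balance)."""
    token = Token()
    token.balances["honest"] = 1_000
    token.balances[Attacker.ADDRESS] = 100
    staking = staking_cls(token)
    staking.stake("honest", 1_000)
    Attacker(token, staking).attack(100)
    return token.balances[Attacker.ADDRESS], token.balances[staking_cls.ADDRESS]
```

Against VulnerableStaking the attacker's single withdrawal of 100 pays out four times (one legitimate payout plus three re-entries) and the honest staker's funds cover the difference; against SafeStaking the re-entry is rejected and the attacker recovers only their own stake. Either defence alone stops this attack; using both is cheap insurance.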

  • BasketDAO

BasketDAO is a DeFi protocol that allows users to create, manage, and trade token baskets. These token baskets are essentially collections of tokens that represent various digital assets and can be traded as a group, providing a way to diversify investments and reduce risk.

On January 17, 2024, BasketDAO was exploited through a flaw in its smart contracts that let the attacker steal funds users had approved to the protocol. The contract made arbitrary low-level calls with attacker-controlled targets and calldata, so the attacker had it call transferFrom on tokens that users had approved to the BasketDAO contract, moving those tokens out of the users' wallets.

$107,070 (42.55 ETH) was stolen from BasketDAO in this incident.
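Socket and BasketDAO fell to the same combination: a contract holding users' token approvals that forwards caller-supplied target and calldata to a low-level call. The following is an added example, not code from either protocol, that models the pattern in Python with EVM-style 4-byte selectors and 32-byte ABI words, then shows an allowlist of (target, selector) pairs closing it. The addresses and the DEX swap selector are constructed; 0x23b872dd is the real selector of transferFrom(address,address,uint256).

```python
"""Added example (not Socket's or BasketDAO's code): a router contract that
forwards caller-supplied calldata to a caller-supplied target, modelled in
Python with EVM-style 4-byte selectors and 32-byte ABI words. It shows how a
user's unlimited approval to the router turns that arbitrary call into a
transferFrom out of the user's wallet, and how an allowlist of (target,
selector) pairs closes the hole. Addresses and the DEX selector are constructed;
0x23b872dd is the real selector of transferFrom(address,address,uint256)."""

SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")   # transferFrom(address,address,uint256)
SEL_SWAP = bytes.fromhex("12345678")            # hypothetical selector of a DEX swap function

VICTIM, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20
ROUTER, TOKEN, DEX = "0x" + "33" * 20, "0x" + "44" * 20, "0x" + "55" * 20
MAX_UINT = 2 ** 256 - 1


def enc_addr(addr: str) -> bytes:             # 20-byte address left-padded to a 32-byte word
    return bytes(12) + bytes.fromhex(addr[2:])

def enc_uint(value: int) -> bytes:
    return value.to_bytes(32, "big")

def dec_addr(word: bytes) -> str:
    return "0x" + word[12:].hex()

def dec_uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


class Token:
    """Minimal ERC-20: balances, allowances, and a selector dispatcher like the EVM's."""
    def __init__(self):
        self.balances: dict = {}
        self.allowances: dict = {}            # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender: str, frm: str, to: str, amount: int) -> bool:
        allowed = self.allowances.get((frm, spender), 0)
        if allowed < amount or self.balances.get(frm, 0) < amount:
            raise ValueError("ERC20: insufficient allowance or balance")
        if allowed != MAX_UINT:               # unlimited approvals are never decremented
            self.allowances[(frm, spender)] = allowed - amount
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def call(self, sender: str, data: bytes):
        if data[:4] == SEL_TRANSFER_FROM:
            frm, to, amount = dec_addr(data[4:36]), dec_addr(data[36:68]), dec_uint(data[68:100])
            return self.transfer_from(sender, frm, to, amount)   # msg.sender is the router
        raise ValueError("unknown selector")


class Dex:
    def call(self, sender: str, data: bytes):
        if data[:4] == SEL_SWAP:
            return "swap ok"
        raise ValueError("unknown selector")


class VulnerableRouter:
    """performAction as exploited: target and calldata come straight from the caller."""
    def __init__(self, chain: dict):
        self.chain = chain                    # address -> deployed contract

    def perform_action(self, caller: str, target: str, data: bytes):
        return self.chain[target].call(ROUTER, data)       # low-level call(), msg.sender == router


class HardenedRouter(VulnerableRouter):
    """Only allowlisted (target, selector) pairs may be reached through the router,
    so a token's transferFrom can never be invoked with the router's approvals."""
    def __init__(self, chain: dict, allowed: set):
        super().__init__(chain)
        self.allowed = allowed

    def perform_action(self, caller: str, target: str, data: bytes):
        if (target, data[:4]) not in self.allowed:
            raise PermissionError("target/selector not allowlisted")
        return super().perform_action(caller, target, data)


def run(router_cls, **kwargs):
    """Victim holds 1,000 tokens and gave the router an unlimited approval; the
    attacker submits calldata for transferFrom(victim, attacker, 1000e18)."""
    token = Token()
    token.balances[VICTIM] = 1_000 * 10 ** 18
    token.approve(VICTIM, ROUTER, MAX_UINT)
    router = router_cls({TOKEN: token, DEX: Dex()}, **kwargs)
    steal = SEL_TRANSFER_FROM + enc_addr(VICTIM) + enc_addr(ATTACKER) + enc_uint(1_000 * 10 ** 18)
    try:
        router.perform_action(ATTACKER, TOKEN, steal)
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, token.balances.get(VICTIM, 0), token.balances.get(ATTACKER, 0), router


ALLOWLIST = {(DEX, SEL_SWAP)}
```

The vulnerable router never touches the victim's tokens itself; it simply relays the attacker's transferFrom calldata, and because the token sees the router as msg.sender, the victim's standing approval authorises the transfer. The hardened router refuses anything but the DEX swap it exists to perform. Users can limit their own exposure by approving only the amount needed per transaction and revoking approvals they no longer use, as Concentric advised its users to do.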

  • Rosa Finance

Rosa Finance is a decentralized non-custodial liquidity market protocol operating on the Arbitrum network.

Rosa Finance was exploited on January 18, 2024 via a series of flash loans used to manipulate the market and extract a range of assets: 12,601 DAI, 2,749 USDC, 0.2317 WBTC, 97.12 GMX, 3,873 ARB, and 3,396 PENDLE, an estimated $44,670 in total.

Unveiling Common Patterns and Pinpointing Overarching Issues

Looking across the incidents, a few recurring root causes account for nearly all of them. Two were not smart contract bugs at all but compromised privileged keys: GAMEE's deployer key sat in an old copy of a repository reachable through a GitLab weakness, and Concentric's deployer key was obtained by social engineering; in both cases one key was enough to move or upgrade the contracts. Three were precision and rounding flaws in share or balance accounting that become exploitable in a thin or freshly launched market (Radiant's new USDC market, Abracadabra's Cauldron V3 and V4 markets, and Wise Lending's share price in a nearly empty market). Three were flash-loan price manipulations against protocols that trusted a price which could be moved within a single transaction (Gamma's over-wide deviation threshold, Goledo's collateral valuation, and Rosa's markets). Two, Socket and BasketDAO, were contracts holding users' unlimited token approvals that made low-level calls with attacker-controlled targets and calldata, so transferFrom could be invoked against the approving users. Nebula Revelation was a classic reentrancy.

These hacks point to systemic weaknesses in DeFi security. Several protocols shipped with insufficient safeguards, or, as at Gamma, with a safeguard configured so loosely that it could not work. Most lacked continuous verification, such as testing rounding behaviour in empty markets or re-checking configuration after changes, that could have surfaced the flaws before attackers did. Many projects prioritise growth over building and maintaining robust security processes, including how privileged keys are stored and used. Some also depend on third-party components for key functionality, such as forked lending code or bridges, and inherit whatever weaknesses those carry.

Mitigation and Prevention Strategies

To improve the security of DeFi protocols, developers must have their smart contracts and codebases thoroughly reviewed by security experts, so that vulnerabilities, risky designs, and areas for improvement are found before deployment. Modular, readable code makes that review, and later maintenance and upgrades, tractable. Standard defensive measures should be applied as a matter of course: reentrancy guards and the checks-effects-interactions ordering, strict access control, and validation (ideally allowlisting) of any target and calldata passed to a low-level call. Rounding and precision behaviour should be tested explicitly in empty and near-empty markets, and prices used for deposit checks or collateral valuation should not be movable within a single transaction. Static analysis and formal verification tooling help enforce these properties continuously rather than only at audit time.

Engaging with the DeFi community is another key strategy. Developers should be active in online forums, social media, and developer channels; this builds trust and gathers feedback that helps refine the protocol around user needs. User awareness is also part of security: educational resources, tutorials, and best practices help users understand risks such as leaving unlimited token approvals in place, and how to protect their assets.

Collaboration between DeFi projects and security experts is also essential. Auditors should be engaged to uncover hidden vulnerabilities, and bug bounties encourage responsible disclosure. Privileged keys deserve particular care: deployer and admin rights should sit behind multi-signature wallets rather than a single key, and private keys must never be committed to a code repository, since they remain in its history even after the file is deleted. Two of January's incidents began with exactly such a key.

Conclusion

The DeFi sector faces significant security challenges that require immediate attention. The incidents of January 2024 show the importance of robust security measures and constant vigilance. By learning from them, the DeFi community can build more resilient and secure protocols and a safer, more trustworthy ecosystem for all participants. Developers must have their smart contracts and codebases reviewed by security experts, prioritise modular and clear code, protect privileged keys, and implement the standard defensive measures. Engaging with the DeFi community and collaborating with security experts are equally vital steps toward stronger DeFi security.

Natachi Nnamaka (Web3 Writers Guild): I am a junior blockchain developer with a background in frontend development.